Security News This Week: A Bloody Pig Mask Is Just Part of a Wild New Criminal Charge Against eBay

Plus: Chinese officials tracked people using AirDrop, Stuxnet mole’s identity revealed, AI chatbot hacking, and more.
Photograph: Ki Price/Getty Images

After the security firm Mandiant had its X account compromised earlier this month, the US Securities and Exchange Commission dealt with a similar intrusion this week. Attackers wrested control of the agency’s account for more than half an hour and posted false information during that time about a highly anticipated SEC regulatory decision on a Bitcoin financial product. The incident was concerning, given that it indicated a lack of adequate security protections on the SEC’s account, but also because attackers may have intended to manipulate markets, and their fake post led to fluctuations in the price of Bitcoin.

If you want to avoid these shenanigans on your own X account, we’ve got tips for locking everything down as much as possible.

Meanwhile, thousands of emergency planning documents from US schools, like safety procedures for active shooter emergencies, were exposed on the internet for weeks in a trove of more than 4 million records from the education software provider Raptor. The company, which has now made the database inaccessible, says its software is used by more than 5,300 US school districts and 60,000 schools around the world. And new research from the cryptocurrency tracing firm Chainalysis indicates that vendors selling child sexual abuse material online are successfully using digital tools like “mixers” and “privacy coins” like Monero to launder their profits and avoid scrutiny from law enforcement.

And there's more. Each week, we round up the security and privacy news we didn’t break or cover in depth ourselves. Click the headlines to read the full stories, and stay safe out there.

Online auction site eBay has been ordered to pay a $3 million criminal penalty for harassing a Massachusetts couple who were critical of the company in their newsletter and news website, according to the US Attorney’s Office of Massachusetts. The charge filed against the company follows the convictions, in 2021 and 2022, of seven eBay employees and contractors who in August 2019 harassed and stalked David and Ina Steiner, who ran the ecommerce publication EcommerceBytes. Executives at eBay did not like the critical coverage the company was getting.

The company’s campaign against the Steiners included “emotionally, psychologically, and physically terrorizing” them, according to law enforcement officials. Prosecutors successfully argued that this included sending a fetal pig, a bloody pig mask, a funeral wreath, and live cockroaches to their home; publicly and privately threatening the couple online through Twitter accounts they created; and traveling to their home to install a GPS tracker on their vehicle and surveil them. Craigslist posts were also made that invited people to “sexual encounters” at their home.

The US Department of Justice charged eBay with stalking, witness tampering, and obstruction of justice, and the company will also undergo corporate compliance monitoring. A statement of facts, within a deferred prosecution agreement between prosecutors and eBay, lays out a litany of abusive and stalking behavior. These include plotting how to disrupt a police investigation and destroying evidence. “The company’s employees and contractors involved in this campaign put the victims through pure hell, in a petrifying campaign aimed at silencing their reporting and protecting the eBay brand,” said acting United States attorney Joshua S. Levy, when the charge against the firm was announced.

“EBay's actions against us had a damaging and permanent impact on us—emotionally, psychologically, physically, reputationally, and financially—and we strongly pushed federal prosecutors for further indictments to deter corporate executives and board members from creating a culture where stalking and harassment is tolerated or encouraged,” Ina and David Steiner say in a victim statement published online. The couple also highlighted that EcommerceBytes has filed a civil lawsuit against eBay and its former employees that is set to be heard in 2025.

China’s Judicial Bureau has claimed that a privately run research institution, the Beijing Wangshendongjian Judicial Appraisal Institute, has created a way to identify people using Apple’s AirDrop tool, including determining their phone numbers, email addresses, and device names. Police have been able to identify suspects using the technique, according to reports and a post from the Institute. Apple’s wireless AirDrop communication and file-sharing method has previously been used in China to protest the leadership of President Xi Jinping, and Apple introduced a 10-minute time limit on AirDrop sharing in China before later rolling it out globally.

In a blog post analyzing the incident, Johns Hopkins University cryptographer Matthew Green says the weakness was initially discovered by researchers at Germany’s Technical University of Darmstadt in 2019. In short, Green says, Apple doesn’t use a secure private set intersection, a cryptographic technique that can help mask people’s identities when their phones compare contact details over AirDrop. It’s unclear whether Apple plans to make any changes to stop AirDrop from being abused in the future.
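To make the private set intersection point concrete, here is an added toy example (not code from WIRED, Apple, or Green’s post) of the Diffie-Hellman-style PSI exchange: two parties each hold a contact list, and at the end the client learns only which entries they share, while the server never sees the client’s identifiers or their bare hashes. The group (the Mersenne prime 2^127 - 1 with generator 3), the hash-to-exponent mapping, and the sample phone numbers are all assumptions and constructed data chosen for illustration; a real deployment would use a standards-track elliptic curve and a proper hash-to-curve function.

```python
"""Toy Diffie-Hellman-style private set intersection (PSI) demo.

Two parties each hold a contact list and want to learn only the
identifiers they have in common. Neither side sends identifiers or their
plain hashes; each blinds its values with a secret exponent the other
side never learns. All identifiers used here are constructed sample data.
"""
import hashlib
import secrets

# Toy group: the Mersenne prime 2**127 - 1 with generator 3 (assumption
# for illustration). A real deployment would use a standards-track
# elliptic curve with a proper hash-to-curve function.
P = (1 << 127) - 1
G = 3
ORDER = P - 1  # exponent modulus for this multiplicative group


def hash_to_exponent(identifier: str) -> int:
    """Map an identifier to a nonzero exponent.

    A bare SHA-256 of a phone number is exactly what an observer could
    brute-force over the small phone-number space, which is why the hash
    is never transmitted on its own in this protocol.
    """
    digest = hashlib.sha256(identifier.encode()).digest()
    return 1 + int.from_bytes(digest, "big") % (ORDER - 1)


def new_secret() -> int:
    """A fresh per-session blinding exponent in [2, ORDER - 1]."""
    return 2 + secrets.randbelow(ORDER - 2)


def blind(identifiers, secret):
    """First-round blinding: g^(H(id) * secret) mod p for each identifier."""
    return [pow(G, hash_to_exponent(i) * secret, P) for i in identifiers]


def reblind(values, secret):
    """Second-round blinding: raise already-blinded values to a secret."""
    return [pow(v, secret, P) for v in values]


def psi_intersection(client_ids, server_ids):
    """Run the two-round exchange and return the identifiers the client
    learns are shared. The server learns only how many entries the
    client sent; the client learns only the matches."""
    a = new_secret()  # client's secret, never leaves the client
    b = new_secret()  # server's secret, never leaves the server

    # Round 1: client -> server. Order is kept so the client can later
    # map the server's reply back to its own identifiers.
    client_msg = blind(client_ids, a)

    # Round 2: server -> client. The server re-blinds the client's values
    # with b and sends its own list blinded with b, shuffled so that list
    # positions reveal nothing about the server's contacts.
    doubly_blinded_client = reblind(client_msg, b)
    server_msg = blind(server_ids, b)
    secrets.SystemRandom().shuffle(server_msg)

    # Client finishes: raising the server's values to a turns every shared
    # identifier into g^(H(id) * a * b) on both sides, so matches line up.
    server_doubly_blinded = set(reblind(server_msg, a))
    return sorted(
        cid
        for cid, value in zip(client_ids, doubly_blinded_client)
        if value in server_doubly_blinded
    )


if __name__ == "__main__":
    # Constructed sample contact lists.
    phone_contacts = ["+1-555-0100", "+1-555-0101", "+1-555-0102"]
    other_contacts = ["+1-555-0102", "+1-555-0199", "+1-555-0100"]
    print("shared:", psi_intersection(phone_contacts, other_contacts))
```

The property worth noticing is that the value the client transmits, g^(H(id)·a), is useless to a third party without the client's secret a, whereas a bare hash of a phone number can be matched against a precomputed table of every possible number.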

It’s been more than 15 years since the Stuxnet malware was smuggled into Iran’s Natanz uranium enrichment plant and destroyed hundreds of centrifuges. Despite the incident happening over a decade ago, there are still plenty of details that remain unknown about the attack, which is believed to have been coordinated by the US and Israel. That includes who may have delivered the Stuxnet virus to the nuclear facility—a USB thumb drive was used to install the worm into the nuclear plant’s air-gapped networks. In 2019, it was reported that Dutch intelligence services had recruited an insider to help with the attack. This week, the Dutch publication Volkskrant claimed to identify the mole as Erik van Sabben. According to the report, van Sabben was recruited by Dutch intelligence service AIVD in 2005, and politicians in the Netherlands did not know about the operation. Van Sabben is said to have left Iran shortly after the sabotage began. However, he died two weeks later, on January 16, 2009, after being involved in a motorcycle accident in Dubai.

The rapid advances in generative AI systems, which use machine learning to create text and produce images, have seen companies scrambling to incorporate chatbots or similar technologies into their products. Despite the progress, traditional cybersecurity practices of locking down systems from unauthorized access and making sure apps can’t access too much data still apply. This week, 404 Media reported that Chattr, a company creating an “AI digital assistant” to help with hiring, exposed data through an incorrect Firebase configuration and also revealed how its systems work. This includes the AI appearing to have the ability to “accept or deny job applicants.” The pseudonymous security researcher behind the finding, MrBruh, shared a video with 404 Media showing the chatbot appearing to automatically make decisions about job applications. Chattr secured the exposed systems after being contacted by the researcher but did not comment on the incident.
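The story above does not say what Chattr’s Firebase configuration got wrong. As an added example (not from 404 Media, MrBruh, or Chattr), the block below shows the most common way a Firebase Realtime Database ends up exposed, a rules document that grants `.read` or `.write` to everyone, beside a corrected rules document scoped to the authenticated user, and a small checker a defender can run over exported rules to flag any path that is publicly readable or writable. Both rules documents are constructed samples; the path names (`applicants`, `$uid`) are assumptions.

```python
"""Flag publicly readable or writable paths in Firebase Realtime Database
security rules. The rules documents below are constructed examples, not
any real project's configuration."""
import json

# Weak: every client on the internet can read and write the whole database.
OPEN_RULES = json.loads("""
{
  "rules": {
    ".read": true,
    ".write": true
  }
}
""")

# Corrected (assumed schema): each authenticated user can reach only the
# subtree keyed by their own uid; everything else is denied by default.
SCOPED_RULES = json.loads("""
{
  "rules": {
    "applicants": {
      "$uid": {
        ".read": "auth != null && auth.uid == $uid",
        ".write": "auth != null && auth.uid == $uid"
      }
    }
  }
}
""")


def _is_public(rule) -> bool:
    """A rule is public when it is unconditionally true, whether written
    as the JSON boolean or as the expression string "true"."""
    if rule is True:
        return True
    return isinstance(rule, str) and rule.strip().lower() == "true"


def find_public_paths(rules_doc):
    """Walk the rules tree and return (path, permission) pairs where
    .read or .write is granted to everyone. Expressions such as
    "auth != null" are treated as restricted; this check only catches
    the unconditional case, so it complements rather than replaces a
    manual review of the expressions."""
    findings = []

    def walk(node, path):
        if not isinstance(node, dict):
            return
        for perm in ("read", "write"):
            if _is_public(node.get("." + perm)):
                findings.append((path, perm))
        for key, child in node.items():
            if key.startswith("."):
                continue  # .read/.write/.validate/.indexOn are not paths
            walk(child, path.rstrip("/") + "/" + key)

    walk(rules_doc.get("rules", {}), "/")
    return findings


if __name__ == "__main__":
    for name, doc in (("open", OPEN_RULES), ("scoped", SCOPED_RULES)):
        print(name, find_public_paths(doc) or "no public paths")
```

Because Realtime Database rules cascade, a public `.read` at `/` exposes every child path regardless of what the children say, so a finding at the root is the one to fix first.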