The Loneliest [And Largest] Data Breach

Plus: Zoom's CEO wants digital twinsies

Before we begin, here is a quick public service announcement. Haveibeenpwned just added 151 million unique email addresses and passwords to its database of compromised credentials. It’s believed they originated from infostealer malware.

Here’s what you need to do:

  1. Check your email addresses at haveibeenpwned.com. If your info was in the latest batch, keep going with this list. Otherwise, keep reading the newsletter.

  2. Change your passwords ASAP (don’t worry, I’ll wait for you here). Make sure they’re unique (aka use a password manager).

  3. Also, add MFA while you’re resetting those passwords.

  4. Run an AV scan against your system to see if it picks up anything malicious.

If that wasn’t a mood killer, I don’t know what is. If you’re still with me, let’s talk more cyber. Today, we’re covering:

  • Digital Twinsies

  • The loneliest data breach

  • How to hide from Interpol

-Jason

AI Spotlight
Digital Twinsies

As my wife and I watched The Great American Baking Show this morning, we saw ads for AI-related tech. She commented how there’s so much hype in AI right now. And she’s right. You can’t read anything (especially my content, sorry not sorry) where AI doesn’t dominate the discussion.

But of course, there are some people who take AI hype to the next level. Like Zoom CEO Eric Yuan. Because when your stock is down 20% since the peak of COVID, you have to scream AI!

Zoom’s CEO envisions a future where you don’t have to attend Zoom meetings…okay, maybe I reacted too soon. Tell me more, Eric Yuan, AI visionary extraordinaire…

Eric wants to create a “digital twin,” a deepfake avatar of you that can go to Zoom meetings on your behalf. That deepfake could also make decisions for you while you spend time on more important things, like reading the WeekendByte or looking up the latest cat memes.

Eric admits that we’re not there yet with the technology to make this happen. But the larger question for me is, do we want this? Sure, meetings can suck. And most meetings are terribly run (that’s an entire book I could write). But the answer is not to completely step away from meetings and certainly not from decision-making.

My perspective: AI can be a great assistant in meetings but within reason:

  • Before the meeting: Auto-select participants based on the meeting objective. Then, auto-schedule the meeting. Before the meeting, send participants key questions requiring their input to facilitate a better discussion. Summarize that input and send it to the meeting participants as pre-reading with a clear objective for the meeting.

  • During the meeting: Take notes and handle just-in-time information requests, such as pulling data from prior reports or recalling what was said in prior meetings.

  • After the meeting: Provide a summary of the meeting, along with clear action items and deadlines. It should also follow up on those action items to drive them to completion.

AI should support our decision-making, not stand in for it. We don’t need to relinquish decision-making to a digital twin, not for significant decisions anyway. It is, after all, one of the key things that makes us human, and it’s one of the things that helps us learn and grow. We shouldn’t let go of critical thinking skills; we should instead adapt to using AI as an agent for information collection and for streamlining existing processes.

Deep Dive
The Loneliest Data Breach

On April 7, 2024, USDoD posted a data dump for sale on BreachForums for a cool $3.5 million. The attacker claimed it was sourced from National Public Data, an organization that does background checks…so it definitely doesn’t deal with any sensitive information…

How much data are we talking about? The attacker claims the dump includes 2.9 billion records of American, Canadian, and UK citizens. Yikes…

That sounds bad. What type of info do they have? Oh, just full names, 30 years of address history, and social security numbers…umm…brb freezing my credit for the 17th time this year…

…is it real? BFF to attackers, vx-underground, got access to the data to confirm. Annnnnd, yup, it’s real. Interestingly, they noted that the database does not appear to have information on individuals who use data opt-out services. For everyone else they tested, they found and confirmed the information was valid. Hmmm, maybe it’s time to jump on those data opt-out services.

What’s crazy is that this is largely flying under the radar. We only started talking about it in June, nearly two months after it was posted on the hacking forum.

Are we so tired of all these breaches that we stopped paying attention to them? Is it because financial damage doesn’t materialize for most people? I certainly have reached the point where I assume all of my information is out there for the picking.

Interestingly, two people contacted me last week to let me know their accounts were hacked or their identities stolen. Are we starting to see an inflection point where more scammers pick up this data and use it for their own financial gain? So many questions.

Well, either way, at least America’s largest injury law firm, Morgan & Morgan, is on the case…at least someone is paying attention to this data breach for the good of the people (well, the good of their pockets) 🤦

News
What Else is Happening?

💸 In January 2024, New Hampshire residents received a deepfake robocall impersonating President Joe Biden and encouraging voters NOT to vote. Months later, a 54-year-old man in New Orleans has been indicted for orchestrating the whole thing. He faces a $6 million fine, while Lingo Telecom, the company that carried the calls, faces a $2 million fine.

🇷🇺 F’ing Russia is at it again, trying to ruin the fun for everyone. This time, they’re attempting to disrupt the 2024 Olympic Games through disinformation campaigns targeting France, French President Emmanuel Macron, the International Olympic Committee, and the Olympic Games themselves. The disinformation included a feature-length film narrated by a deepfaked Tom Cruise voice and shorter videos meant to inject fear of violence at the Olympics to dissuade spectators from going.

🚨 The FBI announced that they obtained an additional 6,000 decryption keys associated with LockBit. This adds to the 1,000 they originally collected from their initial disruption campaign against LockBit.

📲 How do you hide from Interpol? You sabotage the Red Notice system that helps Interpol members locate and arrest criminals. At least that’s what four suspects linked to Belarus, Russia, and Ukraine tried to do. Those four suspects, who are tied to cyber crimes, paid millions of dollars in bribes to Moldovan intermediaries and public figures to “inform wanted criminals of their Red Notice status.”

🏥 Several major London-based hospitals declared a critical incident emergency and canceled non-emergency surgeries after Synnovis, a supplier of various pathology tests and services, was the victim of ransomware. This is another example of third-party risk and of a cyber attack’s impact on the physical world. There are unconfirmed claims that this was tied to the Qilin ransomware group, whose leak site interestingly went offline after the attack.

🤖 In the least creepy thing ever, AI researchers built a “future self” chatbot. Their intent was to help inspire wise life choices. Instead, it just inspired a “wtf” response from me. Perhaps I should have used that to have future Jason tell present Jason not to get that Brusters Oreo waffle cone ice cream.

🔍️ Here’s a cool write-up on how an OSINT expert used free tools to find a gang leader wanted by the FBI.

If you enjoyed this, forward it to a fellow cyber nerd.

If you’re that fellow cyber nerd, subscribe here.

See you next week!
