Thursday, 26 September 2013

“I was invited to their friend’s wedding!” Recycled Yahoo! IDs leak VERY private information

Yahoo! recently began recycling “inactive” user accounts, in an effort to woo new customers – but some customers who have acquired these “second-hand” email addresses say they are receiving a “bonus” of personal emails addressed to the old owners, some of which contain information that could be used in identity theft.
Yahoo has begun to put in place technical measures aimed at dealing with the problem.
Speaking to Information Week, users said that they received junk mail aimed at the ID’s previous owner – but also sensitive information such as appointment details and flight confirmations, and invitations to weddings.
Yahoo! has responded by introducing a new “Not My Email” button to help users get rid of unwanted emails, and which will eventually reject such unwanted mail. The company also said that it would introduce a programme to allow users to “reclaim” unused accounts.
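The underlying problem is that an email address stops being a stable identifier once it can be reassigned: a site that verified “oldtimer@example.com” belonged to its user in 2011 has no way of knowing the mailbox changed hands in 2013 before it sends a password reset there. As an added illustration (this is not Yahoo!’s code, nor anything described by Information Week), the following Python shows one way a receiving provider can close that gap: the sender states when it last verified the recipient, and the provider bounces the message if the current holder took over the address after that date. The header format follows the Require-Recipient-Valid-Since field later published as RFC 7293; the registry, addresses and dates below are constructed for the example and are not real accounts.

```python
"""Recycled-mailbox delivery check (illustrative, not a provider's real code)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from enum import Enum
from typing import Dict, Optional, Tuple


class Verdict(Enum):
    DELIVER = "deliver"                         # same holder as when the sender verified it
    REJECT_RECYCLED = "reject-recycled"         # address changed hands after the sender's check
    DELIVER_UNVERIFIED = "deliver-unverified"   # sender supplied no date: no protection possible


@dataclass(frozen=True)
class Mailbox:
    address: str
    holder_since: datetime   # when the *current* holder was assigned this address (UTC)


# Constructed sample registry (hypothetical accounts, not real users).
# "oldtimer" was recycled to a new holder on 1 Sep 2013; "steady" never changed hands.
REGISTRY: Dict[str, Mailbox] = {
    "oldtimer@example.com": Mailbox("oldtimer@example.com",
                                    datetime(2013, 9, 1, tzinfo=timezone.utc)),
    "steady@example.com": Mailbox("steady@example.com",
                                  datetime(2007, 3, 10, tzinfo=timezone.utc)),
}


def parse_rrvs(header_line: str) -> Tuple[str, datetime]:
    """Parse 'Require-Recipient-Valid-Since: addr; date-time' into (address, aware datetime)."""
    name, _, value = header_line.partition(":")
    if name.strip().lower() != "require-recipient-valid-since":
        raise ValueError("not a Require-Recipient-Valid-Since header")
    addr, _, date_text = value.partition(";")
    when = parsedate_to_datetime(date_text.strip())
    if when.tzinfo is None:           # refuse naive timestamps; comparisons would be meaningless
        raise ValueError("date-time must carry a timezone offset")
    return addr.strip().lower(), when


def delivery_verdict(registry: Dict[str, Mailbox], recipient: str,
                     sender_verified_at: Optional[datetime]) -> Optional[Verdict]:
    """Decide whether mail for `recipient` may reach the current holder.

    Returns None for an unknown mailbox (ordinary bounce path, outside this check).
    """
    mbox = registry.get(recipient.lower())
    if mbox is None:
        return None
    if sender_verified_at is None:
        # Legacy sender: the safeguard only works when the sender participates.
        return Verdict.DELIVER_UNVERIFIED
    if mbox.holder_since > sender_verified_at:
        # The sender last confirmed this address with a *previous* owner.
        return Verdict.REJECT_RECYCLED
    return Verdict.DELIVER


def verdict_for_header(registry: Dict[str, Mailbox], header_line: str) -> Optional[Verdict]:
    """Convenience wrapper: parse the header, then apply the check to its address."""
    addr, when = parse_rrvs(header_line)
    return delivery_verdict(registry, addr, when)


if __name__ == "__main__":
    # A password-reset sender that verified the old owner in 2011 is bounced...
    print(verdict_for_header(REGISTRY,
          "Require-Recipient-Valid-Since: oldtimer@example.com; Wed, 4 May 2011 12:00:00 +0000"))
    # ...while one that verified the new holder after the hand-over gets through.
    print(verdict_for_header(REGISTRY,
          "Require-Recipient-Valid-Since: oldtimer@example.com; Fri, 20 Sep 2013 08:30:00 +0000"))
```

The caveat a practitioner should note is the third verdict: a sender that does not attach a verification date gets no protection at all, so the “Not My Email” button and sender-side adoption have to work together.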
Speaking to Information Week, one IT security professional, Tom Jenkins, said that the “recycled” addresses offered a “crazy” level of potential for identity theft.
“I can gain access to their Pandora account, but I won’t. I can gain access to their Facebook account, but I won’t,” Jenkins said. “I know their name, address, and phone number. I know where their child goes to school, I know the last four digits of their social security number. I know they had an eye doctor’s appointment last week and I was just invited to their friend’s wedding.”
Yahoo said that it had received complaints from “a very small number of users who have received emails through other third parties which were intended for the previous account holder.”
Yahoo! said prior to the scheme’s launch that it had put in place safeguards to prevent the recycled usernames being used for identity theft.
The internet company claimed that only 7% of inactive IDs are tied to Yahoo! email accounts. The company also said that it had worked with major technology companies such as Google to reduce the risk the IDs could be used for fraud.
Dylan Casey, a senior director for consumer platforms at Yahoo! said, “Can I tell you with 100 percent certainty that it’s absolutely impossible for anything to happen? No. But we’re going to extraordinary lengths to ensure that nothing bad happens to our users.”

Millions of ID records on sale as five big data firms hacked “for months”

An “identity theft service” which specialises in selling personal details gained access to some of the biggest consumer data firms in America, including Lexis Nexis and Kroll – and has had access to their computer systems “for months”, according to a report.
The site stole 3.1 million date-of-birth records and over a million social security numbers – and offered data on famous Americans including Michelle Obama, Beyonce and the director of the CIA. The breach was uncovered in a long investigation by security expert Brian Krebs, and reported on Krebs on Security.
Krebs’s report related to a website – ssndob[dot]ms – which Krebs said had been offering personal data on any U.S. resident for two years, including addresses, birth dates, and credit and background checks, with prices ranging from 50c to $15.
Krebs said that until now, many had been puzzled where this data came from.
“The miscreants behind this ID theft service controlled at least five infected systems at different U.S.-based consumer and business data aggregators,” Krebs writes. “Last month, an analysis of the networks, network activity and credentials used by SSNDOB administrators indicates that these individuals also were responsible for operating a small but very potent botnet — a collection of hacked computers that are controlled remotely by attackers.
“This botnet appears to have been in direct communications with internal systems at several large data brokers in the United States.”
Krebs claims that the botnet had access to five servers, two at Lexis-Nexis, and two at Dun and Bradstreet, as well as another server at Altegrity, which provides an employee-screening service called HireRight, according to Information Age.
The firms say they are investigating, according to Krebs.
Infosecurity quoted statements made by Gartner analyst Avivah Litan three years ago regarding the availability of information such as birth dates and social security numbers to criminals, saying, “I have had a hard time figuring out how so many crooks have been so easily able to answer these questions successfully, when even the legitimate users have such a tough time remembering the right answers to them.”
According to Infosecurity, Litan suggested that data firms were being “phished” to provide data as the basis for ID theft. “They simply get access to these employees’ accounts and get the keys to the data treasures,” Litan said. “They can look up anything that is known about any of us, and armed with that information they can bypass most knowledge based authentication systems and processes based on external data from public data aggregators and the credit bureaus.”