Passwords stolen from Google and Facebook
WASHINGTON - Hackers using malicious software have scooped up the usernames and passwords for about two million accounts on some of the most popular sites on the Web, including Facebook and Google, security researchers say.
According to the researchers from the Chicago-based firm Trustwave, hackers used a botnet known as Pony to pull off the massive theft. After being download through a website or e-mail, the software monitors a user's browser and collects login credentials. The massive malware attack has been going on for at least a year, said Mr John Miller, Trustwave's research manager.
Pony is a common malware tool, often sold and rebundled in hacking communities. It collects tens of thousands - sometimes hundreds of thousands - of passwords from websites, e-mail providers and other accounts each day, Mr Miller said. The malware is likely collecting far more information than Trustwave discovered, he said.
The attack is smaller than some recent internet data thefts, such as the 150 million usernames and passwords taken from Adobe last month. But the nature of the attack means there is probably little that the impacted firms can do to stop it because it targets Web users rather than company security systems, said Mr Miller.
The attack has already snagged user credentials from sites such as Facebook, Google, Yahoo, Twitter and LinkedIn, according to Trustwave. It has also grabbed information from firms such as the payroll services provider ADP.
One of the largest payroll companies in the world, ADP administers the benefits and payroll systems for more than 620,000 firms around the world. Mr Miller said the kind of work ADP does makes it an attractive target for hackers. "You can use a Facebook account to spam people with, but ADP has banking information behind it."
ADP said on Wednesday that it is aware of the botnet and had determined that none of its internal networks or servers has been compromised. Still, it is requiring a password reset for 2,400 of its affected clients out of an "abundance of caution".
Twitter, Facebook, Linkedin and Yahoo said they are working with Trustwave to reset the passwords on affected user accounts. Google declined to comment on the malware attack. Mr Miller said the onus ultimately falls on corporations and individuals to run regular antivirus scans on their computers.
WASHINGTON POST
JPMorgan warns some holders of cash cards
NEW YORK/Boston - JPMorgan Chase & Co is warning some 465,000 holders of its prepaid cash cards that their personal data may have been accessed by hackers who attacked its network in July.
The cards are for corporations to pay employees and for government agencies to issue tax refunds, unemployment compensation and other benefits.
JPMorgan said it had detected that the servers used by its site
www.ucard.chase.com had been breached in the middle of September. It then fixed the issue and reported it to law enforcement.
Bank spokesman Michael Fusco on Wednesday said that since the breach was discovered, the bank has been trying to find out exactly which accounts were involved and what information may have been compromised. He declined to discuss how the attackers breached the bank's network.
The bank is notifying the cardholders, who account for about 2 per cent of its 25 million UCard users, about the breach because it could not rule out the possibility that their personal information was among the data removed from its servers.
The bank typically keeps the personal data of its customers encrypted, or scrambled. But during the breach, personal data of those customers had temperarily appeared in plain text in files the computers use to log activity. The bank believes "a small amount" of data was taken, but not critical personal information such as social security numbers, birth dates and e-mail addresses.
Cyber criminals covets such data because it can be used to open bank accounts, obtain credit cards and engage in identity theft.
The warning only affects the bank's UCard users, not holders of debit and credit cards or prepaid Liquid cards.
Mr Fusco said the bank had not found that any funds were stolen as a result of the breach.
Officials from the states of Louisiana and Connecticut said the bank notified them this week that personal information of some of their citizens may have been exposed.
Connecticut Treasurer Denise Nappier said she was "dismayed" that the bank took two and a half months to notify the state of the problem.
"JPMorgan Chase has some work to do, not only to assure the holders of its debit cards, but also to restore the state's confidence in the company's ability to remain worthy of our continued business," Ms Nappier said on Thursday.
REUTERS