
June 3, 2024 42 mins

TicketMaster recently acknowledged a massive data breach that has affected more than half a billion customers. Where would it fall on a list of the worst data breaches in US history? We look at instances from LinkedIn to Home Depot.


Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:04):
Welcome to TechStuff, a production from iHeartRadio. Hey there,
and welcome to TechStuff. I'm your host, Jonathan Strickland.
I'm an executive producer with iHeart Podcasts and how the
tech are you? So recently I talked about how the
US Department of Justice has filed a civil antitrust lawsuit

(00:29):
against the company Live Nation Entertainment, which, among many other things,
operates the service Ticketmaster, a service that I would say
has fostered a lot of very strong opinions among concertgoers,
including yours truly. I have very strong feelings about Ticketmaster.
But last Friday night, which was the night of May

(00:51):
thirty first, twenty twenty four, for those of y'all
listening from the future, Ticketmaster was in the news for
a reason because the company had been the target of
hackers who allegedly stole data belonging to around five hundred
sixty million Ticketmaster customers. Now, that data reportedly includes

(01:13):
personal information like names, addresses, and phone numbers, as well
as purchase history. So you know, that means the hackers
can check and see if a you know, very public
punk rocker type has secretly been sneaking off to watch
Taylor Swift concerts or something, and also some partial credit
card information like the last four digits on credit cards.

(01:34):
Ticketmaster slash Live Nation initially kept quiet about this revelation,
but then late on Friday confirmed that a data breach
did in fact happen. This is a problem for lots
of reasons. I mean, anytime there's a data breach, that's
a problem. But when you're talking about a data breach
affecting hundreds of millions of people, that just spells a

(01:57):
massive headache moving forward. And we'll talk a lot about
why that is in this episode, But really I thought
I would chat about some of the largest data breaches
in US history, which is a super happy topic, right,
but I thought it was really important to consider how
technology that's meant to make systems more efficient and effective
can also sometimes provide an opportunity for malicious agents, for

(02:21):
hackers to make off with potentially huge amounts of information.
And as we all know, information is valuable. I mean,
it is the currency of the Internet in many ways,
and data breaches are becoming more and more common. The
Identity Theft Resource Center reported that in twenty twenty one,
there were one thousand eight hundred and sixty two data breaches

(02:42):
that it was able to identify. In twenty twenty three,
that number was up to three thousand, two hundred five,
almost double. However, I feel I should clarify that twenty
five of those incidents were data exposures, and two of
them were data leaks, and fifty six were incidents that
weren't categorized at all. They're uncategorized, I don't know the

(03:04):
nature of them, so that leaves us three twenty two
cases of actual data breaches, and the differences between these
different categories are sometimes subtle and a little gray. As
for my source for what constitutes the largest data breaches
in the United States, I decided to settle on one source

(03:25):
just for the list. Right, I went into lots of
sources for the details of all these things, but I
used a blog post on upguard dot com. It was
written by Kyle Chen. Now, Kyle Chen lists twenty six
cases of data breaches, and the Ticketmaster case isn't among them.
It hasn't been updated since the Ticketmaster issue. Arguably, Ticketmaster

(03:48):
should be in any list about large data breaches in
the United States because this was a big one. I
imagine when the dust settles, it could end up on
that list. Where, I can't say. Chen's definition: the biggest
isn't just in how many records were part of a
data breach. Like, that's not the only factor that constitutes
whether or not it merits consideration. Also the nature of

(04:12):
the information and the impact the breach had end up
factoring how it falls on the list. And twenty six
cases is way too many cases for a podcast episode
or even you know, two of them. So I'm just
gonna go with the top ten, and even that's gonna
require me to break this into two episodes, and I'm
gonna work backward to add to the drama. By the way,

(04:33):
Kevin Chin at no point says that this is a
ranked list, so you could argue, I'm just giving you
ten random large data breach stories out of a list
of twenty six, and that's a legitimate criticism. But a
guy's got to start somewhere, right? Anyway, I'm doing this
as a list because I've watched a lot of Jenny
Nicholson's older YouTube videos recently, and I absolutely love how

(04:56):
she turns everything into, quote, an internet friendly numbered list,
end quote. I think that's very funny. I mean,
Red Letter Media did the same thing with the Plinkett
reviews with all the different parts, although that was somewhat
necessitated by the fact that in the early days when
they were posting those super long reviews, YouTube videos were
limited to ten minutes each, so they would upload like

(05:19):
a nine part series to take down the Star Wars
episode one critique or whatever. Anyway, I've decided to go
backward in order to increase the drama. So we're gonna
start with number ten, which is FriendFinder Networks. And this
one's a doozy. So FriendFinder Networks deals with products

(05:40):
and services that include some that are not suitable for
a family friendly podcast. I will use some euphemisms, but
they include stuff like adult entertainment, webcam sites, that kind
of thing. That's part of what friend Fighter Networks operates.
The adult magazine company Penthouse bought friend Fire in early

(06:00):
twenty sixteen, and interestingly, the company operates several dating services,
including one intended to help people find someone with whom
to have casual sexual encounters, that being Adult FriendFinder,
on one end of the spectrum, and on the other
end of the spectrum, they have a dating service for
devout Christians. So I guess it's a company that really

(06:22):
does believe in equal opportunity to make money off of
various audiences. Anyway, as a company with businesses that are
in the adult entertainment sphere and social networks and also
dating services, FriendFinder Networks has access to a lot of
sensitive user information that includes info that customers absolutely would

(06:44):
prefer remain private or at least under their own control.
So it was a bit of a shock in late
twenty sixteen when news broke that hackers stole data from
the company that stretched back two decades, like there was
information in there that was twenty years old, and it
even included information belonging to people who had long since
deleted their accounts with FriendFinder Networks, but their information remained

(07:09):
on company servers despite the fact that they had deleted
their accounts. That seems like a very bad data ownership policy,
right? To retain information about people who had subsequently deleted
their account with you, that's a real problem. So the
method that these hackers used relied on LFI, which is

(07:30):
local file intrusion or sometimes local file insertion. It kind
of depends upon who you're talking to, but the name
sort of explains how this works. The hacker injects essentially
malicious directions into a system, and they do this usually
by incorporating those directions into a file, so, for example,

(07:53):
a multimedia file. This multimedia file might contain basic directory
commands within the file itself, so essentially it tells the system,
hey execute these commands in this order, and if the
server isn't protected against such relatively simple attacks, if I'm
being honest, then the code can prompt the web server

(08:15):
to configure the file improperly and give backdoor access to
a hacker, which is in fact what happened in this case.
The hackers got access to information stored on the affected servers,
and there were six databases in total that were affected
by this, six massive databases, and the take was huge.
So the hackers made off with information that related to

(08:36):
more than four hundred and twelve million customer accounts. The
information included email addresses, including some belonging to government and
military users, transaction history, account passwords. Some of these passwords
at least were encrypted, but they used a really primitive
hash to do it, an outdated method that was no

(08:57):
longer considered secure, so that was a big problem.
More than three hundred million of the accounts came from
Adult FriendFinder, and more than sixty million came from
a webcam site. And I'm sure a lot of customers
got really nervous about this. I mean, the taboo nature
of these sites and services meant a lot of people
were probably sweating over their past activities and hoping they

(09:19):
wouldn't be exposed. Now, keep in mind that one year earlier,
in the summer of twenty fifteen, hackers compromised around thirty
two million accounts from the company Ashley Madison. Ashley Madison
was built around the idea of a dating service that
would let married people secretly find potential partners in order
to have an affair. There was this sense that some

(09:41):
sort of hacker anarchist was going to reveal salacious details
about folks in the wake of these attacks, or that
at the very least, they would make these details available
so that anyone who really wanted to sift through all
the stolen information could dig up whether or not you
know the neighbor down the street was secretly trying to
sneak around behind their partner's back or whatever, or the

(10:02):
sexual orientation of people you knew. You could find that
kind of information out based upon the stuff that had
been stolen in these sorts of attacks, and depending on
where you are, that kind of thing can have deadly consequences.
So the information involved with this data breach was extremely sensitive,
particularly from a social perspective. I mean, you're not likely
to come forward and say I was the victim of

(10:24):
identity theft if it also means you have to cop
up to something that is socially taboo, like, there's just
a lot of pressure on you to not come forward.
That the idea of coming forward is actually worse than
someone taking advantage of the information they have on you. So,
while this hack didn't include stuff like credit card information,

(10:45):
just the fact that names were appearing on these customer
lists was a huge problem. It could give other hackers
the opportunity to engage in blackmail or spear phishing and target
people based on what was revealed in their data with friends.
And that's a real issue that's going to come up
again and again in these episodes. Is that idea of yeah,

(11:07):
the data might not include, say, your credit card, but
that's not really the concern here. The concern is how
can someone use your information to victimize you in various ways?
And one of those is spear phishing. So what did FriendFinder
Network do in response to this? Sadly, the answer was
not much. While security researchers alerted the public that they

(11:28):
had detected a vulnerability in the FriendFinder Network system, the
company did not acknowledge the data breach for a full
week and only then began to send out notifications to customers.
And the company didn't have any really helpful advice for
those customers either, saying that people should change their passwords. Now,
according to idstrong dot com, the company had lax password

(11:51):
requirements in the first place. Passwords weren't even case sensitive,
for example, and they didn't update this, so their password
protocols were still not really at an industry standard. And
here's a real kicker. The company had also been breached
in twenty fifteen. Now, the twenty fifteen breach, because remember

(12:12):
the one we're talking about is really twenty sixteen, But
the twenty fifteen breach was much smaller in scope. Only
three and a half million users were affected. That's still
a lot of people, but it's nowhere close to four
hundred and twelve million. But the types of information that
were stolen included things like partial payment information, and at
least in some of the research I was doing, Like

(12:32):
some sources said that the types of info that were
stolen in the twenty sixteen attack did not include things
like sexual orientation or preferences or that kind of thing.
Other sources said, no, that was part of the twenty
sixteen hack as well. So I don't know what the
full extent was, but a lot of the analysis I've

(12:53):
looked at about this particular breach points out that the
company failed to act properly in the wake of the
twenty fifteen breach, which meant it was essentially set up
for the much larger attack in twenty sixteen. So that's
a pretty damning allegation there, right, that a company had
already been the victim of a massive data breach and

(13:15):
then failed to take the adequate response in order to
prevent an even larger data breach the following year. So again,
just having the basics of your information leaked out would
be a huge problem given the nature of this company,
And despite the company's arguably lackluster response to the breach,
customers kept on being customers. I guess they never had

(13:38):
to learn a lesson because there really weren't massive consequences.
And again maybe this is partly because of the nature
of the services themselves, right, Like for a customer to
put up a big fuss, they would also have to
reveal themselves to be a customer in the first place,
and then the social taboo kicks in again. But unlike
some other companies that we're going to talk about in

(13:58):
this episode, FriendFinder Networks didn't see serious setbacks
as a result of this attack. Okay, and we just
got through one, and we've got lots more to go,
So let's take a quick break to thank our sponsors
and we'll be right back. Okay, we're moving on to

(14:24):
number nine on our list. And this one is a
real blast from the past. It's MySpace, and this attack
technically happened in twenty thirteen, but it wasn't discovered and
reported until twenty sixteen, and even twenty thirteen was late
in the game for MySpace. Now, MySpace was once the
king of social networking platforms, but it had been losing

(14:46):
ground to Facebook since two thousand and nine. News Corp,
which had purchased MySpace for a whopping five hundred and
eighty million dollars in two thousand and five, ended up
selling the company off to Justin Timberlake and a company
called Specific Media in twenty eleven for thirty five million dollars.
So again they purchased it for five hundred eighty million
and then six years later sold it for thirty five million.

(15:09):
Not a good deal. By twenty sixteen, Time Incorporated purchased
Specific Media, and then Meredith Corporation acquired Time Incorporated. Because
there's always a bigger fish, that story gets more and
more complicated too, but we're going to leave that here.
My point is that MySpace had already experienced a dramatic
decline in relevance by twenty thirteen when the attack actually happened,

(15:31):
but still the site had millions of user records and
a hacker was able to get access to them, like
three hundred and sixty million records. The data lifted during
the breach included email addresses, user names, and passwords, which
were encrypted using again an outdated method, and therefore security

(15:52):
experts considered it insecure, and that was a real issue,
right? Now, looking back on this hack today, there's a
disturbing lack of information as to how it actually happened.
It went undiscovered for nearly three years and only really
came to light when folks realized that data from the
breach was popping up for sale on black market sites
on the Dark Web. As for who was responsible and

(16:14):
the vulnerabilities they exploited, that remains something of a mystery.
MySpace responded to this news by invalidating all the passwords
of all the affected accounts, which would require users to
set up new passwords and also encouraged people who weren't
directly impacted to go ahead and update their passwords as well,
in an overabundance of caution. Like the FriendFinder breach,

(16:36):
there wasn't much a user could do to protect themselves
from the hackers. In fact, I would argue there was
nothing a user could do. It wouldn't matter if they
had used a strong or a weak password, because the
real issue was MySpace was using a very weak hashing
method to encrypt passwords in the first place. So even
if you picked a very strong password, if it's being

(16:57):
stored in an encryption that can easily be broken, then
they can just get to your password anyway, doesn't matter
how strong it was. You did your part. MySpace failed,
is what I'm saying. Now. All that being said, I
do still urge everyone to use unique, strong passwords for
all their sites and services. Unique is really important because

(17:18):
if you're using the same password everywhere, it just takes
one data breach to be able to compromise all of
your stuff. If they have your email and whatever password
you use for that, you know, one like obscure website,
and it happens to be the same password you use
for say your bank, that's bad news for you. Use
unique passwords, get a password vault of some sort a

(17:41):
good one, research this and find one that really works
for you, and make unique, strong passwords for each of
the sites you go to so that you can avoid
this issue. Because data breaches, sadly are not uncommon, they're
getting more common every year, and this will help protect
other elements of your online presence from hackers. Sadly, there's

(18:05):
not very much you can do to protect the systems themselves.
I mean, that's in the control of whatever platform you're using.
And I'm not telling you not to use platforms. Goodness knows,
I use tons of them. Just to be as careful
as you can be to mitigate any issues that might
pop up due to data breaches. Also, you know, enable
multi factor authentication if that's available, if it's on there,

(18:27):
use it. Again, nothing is absolutely foolproof. I'm not
here to tell you that if you have multi factor
authentication you'll never get hacked. That's not necessarily true. But
the more precautions you take the better. The harder you
make yourself to be a target, the more effort it
takes to actually crack your security, and the less likely

(18:49):
someone's going to actually pursue that. It's not impossible, but like,
why struggle if you can go for all the low
hanging fruit? Don't be low hanging fruit still. Now, if
hackers are breaching a company's systems, we're really left to
the competence of that company when it comes to personal security.
So our first two entries on this list are both

(19:09):
web based companies. Right, we had MySpace and we had
the FriendFinder Networks. But up next is a company known
for its brick and mortar operations, and I'm talking about
Home Depot, which experienced a massive data breach in April
twenty fourteen. This was an attack that compromised more than
fifty million customers data, including their credit or debit card information,

(19:35):
lifting that information right from inside the stores themselves. And
this attack went unnoticed until the hackers started putting the
credit card info up on sale on the dark web,
at which point Home Depot was made aware that they
had been breached. So let's walk through how this attack happened. So,
according to the US Office of the Director of National Intelligence,

(19:56):
the hackers first secured, quote, credentials, user names, and passwords
from a third party vendor, end quote, and that gave
them the foothold into Home Depot's computer network. So first
they identified a company that worked with Home Depot. They
were able to secure a username and password from this company.
They used that to infiltrate Home Depot's computer network. On

(20:19):
top of that, they then were able to essentially take
advantage of a zero day vulnerability that was within Microsoft Windows.
So a zero day vulnerability is a fancy way of
saying that the entity responsible for making whatever the thing
is, so in this case Microsoft Windows, is unaware that
the vulnerability even exists. And because they're unaware that there

(20:43):
is a vulnerability, there's no means to prevent or mitigate
attacks that leverage or exploit this vulnerability. Zero day vulnerabilities
are incredibly valuable in the hacker community because there's no
real defense against them, and if you're very careful, you
have the chance to continue to exploit these kinds of

(21:04):
vulnerabilities for a while before anyone notices. So it's called
zero day because that's how much time the you know,
the entity Microsoft in this case has before malicious agents
are able to exploit that vulnerability. So the hackers exploit
Microsoft Windows and they're exploring Home Depot systems and they're
able to identify thousands, like seven thousand five hundred points of

(21:27):
sale systems in self checkout lanes at physical Home Depot stores.
So again, this was not targeting the online point of
sale operations for Home Depot. You know, the website commerce
part of Home Depot was not part of this attack.
And I just think that's good to point out because
I don't think it's as common now, But I remember
when online commerce first became a thing, people were scared

(21:51):
to buy stuff off the internet. They were reluctant to
use their credit card to purchase something online because they
were worried about security, which is understandable, but it turns
out that going to a brick and mortar store is
not necessarily more secure because those systems are also connected
to networks that ultimately get connected to the Internet, and

(22:11):
so if you're able to compromise those networks, then you
can still tap into that kind of system. So the
hackers deployed custom built malware for these points of sale systems,
and they used this malware to record the credit and
debit card information of Home Depot customers. They even made
sure that they transmitted that data during Home Depot's business

(22:32):
hours so that the company's security team wouldn't notice like
a transmission at an odd hour, like if it was
two in the morning, then the security team was saying, like, hey,
why is our system sending info out at this hour?
That could be a tip off. So they made sure
that all those transmissions happened during normal business operating hours
and that would kind of mask these on top of

(22:55):
all the legitimate transmissions. Cybersecurity experts criticized Home Depot
for having insufficient security measures in place. The company estimated
that it spent nearly one hundred and eighty million dollars in
the wake of this attack to pay off all the
various costs. On top of that, there was a class
action lawsuit from across forty six states that ended with

(23:15):
Home Depot settling out of court for seventeen point five
million dollars. Now, Home Depot didn't admit, you know, responsibility
for this, but it did promise to invest in security measures,
including hiring a chief of information of security. Now, as
for that seventeen point five million dollar settlement, I just
want to put that into context so that we can

(23:36):
kind of appreciate what that means or doesn't mean. Keep
in mind, around fifty six million customers were affected by
this data breach, So if you were to include all
of them in the class action lawsuit, which obviously not
realistic but you know, we're just doing this as a
thought experiment, then that would mean each person would receive
the princely sum of thirty one cents. That's only if

(23:58):
the various lawyers of all the different states did this case
gratis, for free. So what I'm saying is that while
Home Depot may have had to spend a lot of
money to deal with the aftermath of this breach, the
settlement I think was a case of getting off lightly
considering the nature of that breach. But I also have
to remind myself that ultimately the real criminals here are

(24:19):
the hackers who pulled off the attack and the folks
on the dark web who purchased the credit and debit
card information. Those are the real criminals. While I can
be disappointed in Home Depot's lack of security or lackluster security,
in this case, I don't want to blame the victim.
Like, I do think that there is a responsibility there,
But the real villains are the people who did the stealing.

(24:43):
It's just it's easy to blame big companies as well
when they failed to be good stewards of customer information.
So next up on Chin's list of massive data breaches
here in the United States, is another one that happened
in twenty fourteen. This attack targeted the bank JP Morgan
Chase and it impacted around eighty three million bank customers.
Seventy six million of those were households and the other

(25:05):
seven million were small businesses. This attack also reportedly leveraged
a zero day vulnerability, but in this case, it was
a vulnerability in JP Morgan Chase's web applications, so this
gave the hackers the foothold to access kind of a
directory level of server information for JP Morgan Chase. This

(25:25):
then let the hackers identify databases containing customer information. Now,
one source I looked at suggested the information included financial
data like credit card information, but that was just in
one source, and every other source, including The New York Times,
says that was not the case. So I feel pretty
confident that that one source was an outlier and had

(25:48):
some misinformation in it. I mean, that's a flag for
all of y'all out there. So it's always good to
double check things and check multiple sources. Sometimes it can
be really difficult to determine what reality is based on
the reporting of various sources. Sometimes even reputable sources get
things wrong. So you know, thinking critically involves a lot

(26:10):
of checking and double checking, and sometimes it involves making
an educated guess as to what is most likely to
be real. So in this case, I think it's most
likely that the information that was stolen was personal information
but not financial information. So the attackers got access to
things like names, email addresses, that kind of thing, which
again doesn't sound like it's as critical as credit card information,

(26:31):
but it's still really useful data if, for example, you
want to create a spear phishing campaign and trick people
into making mistakes, like if you know they are customers
of this particular bank, and you know what their email
address is, and you know their actual name, you can
craft an attack targeting that person that appears to be
coming from the legitimate business and potentially take advantage of

(26:54):
them that way. So the hackers then developed attacks for
these servers they had identified, and they ultimately infiltrated around
ninety servers within the business. The attackers had started back
in June twenty fourteen. JP Morgan Chase would detect the
intrusion a month later in July. The public, however, would
not find out about it until September, when the company

(27:17):
disclosed the attack in a securities filing and various media
outlets reported on it. Now, considering that other major breaches
like the aforementioned Home Depot attack, there was another one
that hit Target, these attacks were fresh in the minds
of consumers because they were national news here in the
United States. The JP Morgan Chase attack was a huge
blow because it revealed that even massive financial institutions, which

(27:41):
had good reputations for being really secure, could also fall
victim to hacker intrusions, which became a brand new source
for anxiety for American consumers. And as for the attackers
in this case, there were four identified, arguably five. The
fifth one, however, was kind of after the fact, but
the main four included a Russian citizen named Andrew Turin.

(28:04):
There was an American named Joshua Samuel Arn aka Mike Shields.
That's the alias he would use in some of his
nefarious activities according to authorities. And then there were two
Israeli citizens. There was Gary Shalan aka Gary Shallis Lashville.
I know I mangled that name aka Gabriel aka Gabby

(28:29):
aka Philip Moussey aka Christopher Ingeham. Lots of aliases for
Gary Shallon. And then finally there was Ziv Ornstein aka
Aviv Stein aka John Avery. So for four people, that's
a lot of different names, right. Well, these four hackers
were linked to numerous crimes, not just the JP Morgan

(28:52):
chase instance. There were other ones as well, and they
were also operators I believe of online casino or something
along those lines. Anyway, at least one of them, that
being Gary Shallon, was released early. He secured an early
release after agreeing to a plea deal that had him
pay a whopping four hundred three million dollar fine. Now,

(29:13):
if you can afford to pay a four hundred three
million dollar fine to get out of the pokey. I mean,
I guess crime really does pay. Other folks connected to
the scheme were not so fortunate, so for example, Andrew
Tieran received a twelve year sentence at the end of
his trial. So I guess it's you know who you know,
and who you know needs to be a whole lot
of Benjamin Franklins. JP Morgan Chase pledged to beef up

(29:36):
the company's security and would double the investment within five
years from two hundred and fifty million a year to
five hundred million a year. So that's good. Okay, got
a couple more I want to talk about before we
wrap up part one, I guess, of our top ten
largest data breaches in US history. But first let's take
another quick break to thank our sponsors. We are up

(30:08):
to number six on our list of biggest data breaches
in US history. And that would be LinkedIn. Uh, LinkedIn,
that social network site that I almost never log into.
If I were a savvy mover and shaker, I would
make way better use of LinkedIn, But I'm not, and

(30:28):
so I post to my account once every blue moon,
and I keep thinking, Man, I need to make better
use of this resource and really network with people. That
could be so helpful. But I've got only so much
emotional energy for things like social networks. And I still
have a LinkedIn account. I just don't use it very much. However,
because I have a LinkedIn account, this next story affects

(30:49):
me whether I pop on there regularly or not. This
data breach is quite a bit different from the ones
we've talked about so far because this one did not
involve a hacker gaining access to LinkedIn's internal systems. There
was no security intrusion in this case. Instead, the hacker
someone at least what's believed is that was a hacker

(31:12):
using the handle Tomliner, but Tomliner could be a middleman
like he might not he or she or they might
not have been the person responsible for the actual hack,
but they did get access to at least some of
the data. Anyway, the quote unquote hacker simply used tools
to scrape data off public profiles on LinkedIn. A ton

(31:33):
of public profiles, like more than ninety percent of the
public profiles on LinkedIn. That would be around seven hundred
million profiles. And here's the crazy thing. Earlier that same year,
the same person claimed responsibility for leaking five hundred million
LinkedIn records, So this was like the second time in

(31:53):
the same year and going from five hundred million to
seven hundred million. Yowza. Now, essentially this methodology is the
same as if you were to go manually from LinkedIn
profile to profile and you just jotted down all the
relevant information that you were looking for. You know, stuff
like what's a person's username, what's their full name, what's
their phone number, their email address, you know what other

(32:17):
social networking sites do they use? Anything that would appear
on the person's profile. You would just jot it down.
That would take you an eternity to do seven hundred million,
So you create a tool that will just do this automatically.
So the hacker had used LinkedIn's API that stands for
Application Programmer Interface and they designed these data scraping tools

(32:41):
to harvest user data. This was against LinkedIn's policies, but
there really weren't any measures in place to actually prevent
it from happening. So yeah, LinkedIn says, hey, don't do this,
but they didn't have a way to stop you from
doing it twice in the same year. As it turns out,
now this attack did not compromise stuff like passwords or

(33:01):
financial information, but it did include things like those connected
social applications. So if an affected user had linked their
Facebook account or whatever to their LinkedIn profile, that meant
the attackers would have that information. And again this can
be incredibly helpful if you want to design a phishing attack.
You know, your basic blunt phishing attack might start from

(33:22):
a place where little to nothing is known about your target.
But the more attackers learn about you, the better they
can craft an effective trap. And considering that there were
a lot of executives using LinkedIn to network with each other,
there's some really high value targets mixed in with everybody else.
Like even if it's not an executive, it might be
someone who's an associate of an executive, like an assistant

(33:45):
or a coworker or something like that, a direct report.
And if you're able to know who that person's direct
report is or who they're reporting to, I guess I
should say, then you can craft an attack that might
be very convincing. You know, a classic one is your
boss apparently texting you out of nowhere saying hey, I
need access to five thousand dollars in petty cash. Can

(34:08):
you wire it to me, and then they give you
a link and it turns out it's just someone who's
made the connection. They know who your boss is, and
they're using that to pressure you into doing something you
really shouldn't do. That's a very simple example, but it
happens all the time. So this LinkedIn attack is a
pretty tricky one. And we've seen similar data scraping techniques
across the web, both for the purposes of harvesting user

(34:31):
information and in recent years also using it to train
up AI models. And typically platforms condemn these practices. They
say it violates their policies. They want to protect their
user information. Now, I would argue it's largely really because
user data is valuable, and these platforms would very much
like to prevent other entities from taking advantage of the

(34:54):
same information that the platforms themselves are profiting off of.
It's not so much to protect our privacy as it
is to protect the platform's investment in gathering all the
information in the first place. Like no, this is ours.
This is ours to exploit and to profit from, not yours. Well,
number five on this list includes an old topic for

(35:15):
tech stuff, which is the infamous Cambridge Analytica case with Facebook. Now,
this one is a little bit complicated, but I'll see
if I can summarize at least the tech side of it,
although it does also include politics. Sorry I wish it didn't,
but it's literally the very nature of this case. So
the LinkedIn attack we just talked about is kind of

(35:37):
similar to this because this attack, the Cambridge Analytica scandal,
really centers on some loopholes in Facebook's API. So it
all starts with a researcher named Aleksandr Kogan. And Kogan
used Facebook's API to create a survey app, and it
would pay Facebook users a small amount in return for

(35:58):
them taking the survey. What they did not know is that
anyone who opted to take this survey was unknowingly giving
Kogan the ability to view that person's friends' profiles as
if Kogan were in fact the person taking the survey.
So let me give an example to make this a
little more clear. Let's say I'm your friend on Facebook.
Hi friend, and as your friend, I can see more

(36:21):
of your profile than just some random schmo on the internet. Right,
maybe you've set certain things on your profile to friends only,
so as your friend I can see that. But some
random person wouldn't be able to see that, right, But
then I decide I'm going to go take the survey
so I can make twenty bucks or whatever. And now
Kogan can see your profile as if he were me

(36:43):
because of this loophole in Facebook's API, and so now
Kogan can view all of your friends-only information as
if Kogan were your friend. So Facebook would actually close
off this loophole before the Cambridge Analytica scandal became a
thing. Like, Facebook made that change in the
years following twenty thirteen when Kogan did this actual work.

(37:07):
But by then the data already existed with Kogan. Kogan
had access to all this information and he worked with
Cambridge Analytica to share it. And so Cambridge Analytica had
access to all this data they shouldn't have. They did
not have the consent of the various people on Facebook
to share the information, and they began to use this
data in various ways during political campaigns, mostly conservative ones.

(37:31):
Cambridge Analytica was a British company. It was a sort
of a campaign strategy company, and their pitch was that
they were using data driven techniques to make it far
more effective to get messaging out to potential voters, and
it was largely for conservative politicians. Facebook was reportedly aware

(37:53):
of these issues, but didn't take any action until a
former Cambridge Analytica employee essentially blew the whistle on the
whole operation and it became a big public scandal. Now,
ultimately it's debatable whether any of Cambridge Analytica's efforts were
actually that effective, but the point is the company got
access to somewhere between fifty and ninety million Facebook profiles

(38:16):
that it should not have been able to access, and
that's a big no no. Now, both Cambridge Analytica and
Facebook would face serious repercussions for this scandal. Facebook would
face hundreds of millions of dollars in various costs, from
fines to a massive class action lawsuit settlement, and in
a separate but related matter, the Federal Trade Commission or FTC,

(38:38):
would fine Facebook an astonishing five billion with a B
dollars for failing to practice secure and ethical data privacy policies.
Cambridge Analytica was just kind of related to this. It
was it was a specific instance of a larger problem. Now,
Cambridge Analytica would actually fold as a result of this scandal.

(38:58):
The company ended up essentially liquidating, but you could argue
Cambridge Analytica is not really gone because some other companies
that were related to Cambridge Analytica would continue to exist,
and they bought up the assets of Cambridge Analytica. So yeah,
you could argue it's still out there lurking, it's just
under different names. Now, the political nature of Cambridge Analytica
and the use of psychological profiling techniques really make this

(39:22):
particular data breach stand out. Now, you could argue there
are lots of other breaches, including ones we've already talked about,
that had a much broader scope and involved way more victims, right,
But the involvement of psychological profiling, specifically for the purposes
of affecting political campaigns makes this one seem particularly sinister.

(39:43):
But as I said earlier, number five actually includes Cambridge Analytica.
It's not exclusively Cambridge Analytica. That was just part of it.
The whole of number five on Chen's list is Facebook itself,
specifically with regard to an April twenty twenty one
incident anchoring the topic, and that is where we're going

(40:05):
to pick up in our next episode. We'll pick up
with number five in Facebook and talk about the twenty
twenty one incident that merited entry upon this list of
the largest data breaches in US history, and then we'll
we'll you know, work our way through four, three, two
and one, and I'll probably have more to say about
Ticketmaster as well as we get to that. Anyway,

(40:27):
just as a reminder again, there's very little we as
individuals can do about these kinds of things. I mean,
if we work in the security department of these big corporations,
we can try and make sure that the practices we're
using are best practices and that we're not being lax
at all on computer security. But for the rest of us,
you know, we can just do what we can to

(40:49):
protect ourselves and hope that the companies we do business
with are doing the same. And if they're not, we
can take whatever little measures we might have to mitigate
the impact it's going to have on ourselves. But really
a lot of this is out of our control. This
is why security is an everybody problem, not just on
the individual or on the company. It's everyone involved. And

(41:13):
it only takes one weak link to make a real
entry point for malicious agents. So I know that's not
very comforting, but it's good to know the reality of
the situation that we all need to do our part
as best we can. Even that's not going to protect
us from everything, but it will at least limit the
amount of effect these hackers can have, and hopefully we'll

(41:35):
be able to act in such a way to minimize
the impact. If you can do that enough, then you
remove the incentive to attack in the first place. If
it's so hard to get a success in your attack,
you might figure there's a way to make money faster
and easier, some other method. So yeah, let's make it
real hard for the crooks to do crime. If we

(41:57):
do that, maybe they'll look for something else. So that's the hope.
I hope that all of you out there are doing well,
and I will talk to you again really soon. Tech
Stuff is an iHeartRadio production. For more podcasts from iHeartRadio,

(42:21):
visit the iHeartRadio app, Apple Podcasts, or wherever you listen
to your favorite shows.
