Welcome to The Dashlane Tech Check for June 2, 2017! I’ll help you catch up on Dashlane-related news and the big news in the tech industry. And just for fun, I’ll include a useful life hack that will keep you safe and secure all year long.


What in the (security) world?

Here’s what made headlines this week in the world of digital identity, security, and privacy:

How fast will hackers use stolen info? Nine minutes says the FTC


The U.S. Federal Trade Commission (FTC) did some research on what happens when stolen data is made public. To find out, researchers from the Office of Technology created a database with names, addresses, email addresses, phone numbers, and one of three types of payment information for 100 fake consumers. Then, they posted the database twice on hacker forums and other websites used to publish stolen data. After posting the database a second time, it only took 9 minutes for hackers to try to use the data. Researchers found that there were more than 1,200 attempts to access or use the email and payment information.

Google blacklists some websites that handle passwords via HTTP, but aren’t infected with malware

Important notice for web developers! According to Bleeping Computer, security experts from Sucuri and Unmask Parasites (UP) found that websites that handled passwords and credit card information via an HTTP connection were added to Google’s Safe Browsing blacklist. However, the researchers discovered that some of the blacklisted websites were not infected with malware and were also relatively new sites. “Enabling SSL on your website is a wise decision,” says Sucuri’s Cesar Anjos. “If you have a relatively new website and want to ensure that Google does not blacklist you for accepting form data, be sure to get SSL enabled on your website.”

An Android Auto-Click Adware called “Judy” infects more than 36 million devices

Researchers from Check Point prompted Google to remove dozens of apps from its Play store after they were found responsible for spreading auto-clicking adware to millions of devices. According to Infosecurity Magazine, the “Judy” malware was found in 41 apps in the Google Play store that may have spread the adware to as many as 36.5 million users’ devices. Ironically, some of the offending apps have been on the Play Store for years and even earned a high reputation among users. The moral of the story: beware of the apps you download, even from reputable app stores.

“Friendly neighborhood hackers” hijacked a mall billboard

In lighter news, hackers posted a “friendly” message on a billboard at Liverpool One shopping center last weekend. The message: “We suggest you improve your security. Sincerely, your friendly neighborhood hackers.” The photo was uploaded to Reddit, but reporters at Motherboard couldn’t independently verify the photo or its contents.

Bikers stole 150 Jeep Wranglers by using hacked keys

This sounds like a plot straight out of a movie, but The Verge is reporting that members of a Tijuana motorcycle club spent three years stealing $4.5 million worth of Jeep Wranglers in and around the San Diego, California area. Starting in 2014, members would look for the target’s Vehicle Identification Number (VIN), access a special database by the manufacturer–it’s currently unclear how the bikers got access–and then “match both the pattern of the physical key as well as a code used to access (and program) the chip inside the key that talks to the car’s computer,” says The Verge. With the duplicate key, the biker simply puts the key in the ignition, reprograms the key’s chip using the code from the manufacturer’s database, and drives it back to Mexico to be sold. So far, three members of the motorcycle club have been arrested.


Breach Alerts

Chipotle Data Breach: New details on time frames and restaurants affected


Chipotle Mexican Grill, Inc. published their findings from an investigation of a payment card security incident originally reported on April 25, 2017. According to the company, the investigation found “malware designed to access payment card data from cards used on point-of-sale (POS) devices at certain Chipotle restaurants between March 24, 2017, and April 18, 2017. The malware searched for track data (which sometimes has cardholder name in addition to card number, expiration date, and internal verification code) read from the magnetic stripe of a payment card as it was being routed through the POS device. There is no indication that other customer information was affected.”

Although not all locations were affected, and time frames vary by location, the company has created a free locator tool for users to check for a restaurant affected by the breach and its specific time frame. If you’re concerned that you may be affected by this security incident, click here for additional information.

Kmart hit with second credit card data breach in 3 years

On Wednesday, the parent company of the retail chain Kmart, Sears Holdings, confirmed they were hit by a credit card payment data breach originally disclosed on May 16. A spokesman for Sears Holdings told the International Business Times that Kmart was hit with “malicious code that was undetectable by current anti-virus systems and application controls.” It’s currently unclear how many locations were hit and how many customers were affected. However, the company says that the malware was removed and no names, addresses, social security numbers, or email addresses were compromised. But the company does believe that credit card numbers may have been compromised in the incident.


Dashlane News You Shouldn’t Snooze

Dashlane to utilize Android’s new support for password managers

App Developer Magazine discusses how Dashlane is one of only 50 companies, and the only password manager, that has worked with Google on another exciting initiative: Instant Apps. Dashlane’s Instant App is our password generator, which can be opened up and used without installing Dashlane. This means that anyone can create a strong password on the fly. “Dashlane has worked yet again with Google to deliver Android users the best password and autofill experience on Android,” said Emmanuel Schalit, Dashlane’s CEO. “These releases continue Dashlane’s trend as the leading innovator on the Android platform.”


This Week’s Lifehack to Improve Your Security

How much would you sell your work-related passwords for? $100? $500? $1 million? Even if you wouldn’t sell your credentials, studies show that there’s a good chance your colleagues would put your personal and company’s data at risk for some fast cash. Read our “Passwords for Sale” blog post to learn more.


Have any thoughts on any of the news I shared? Leave me a comment below and make sure to visit our blog next week for another edition of The Dashlane Tech Check.

Also, don’t forget to follow us on Twitter to always be in the know! In our last Tech Check, a researcher finds two critical flaws in Yahoo Mail, which he dubs “Yahoobleed”.