We can't guarantee that this is the wildest story you'll read all week, but it certainly sets the bar high: Last August, six former eBay employees allegedly sent a series of grotesque and threatening packages to a couple in Massachusetts who ran an ecommerce blog that had been critical of the company. Any more details here would count as spoilers, but suffice to say it only gets worse from there.
That wasn't the only alarming story from the world of cybersecurity this week. A number of specialized dating apps—including services like 3somes, Gay Daddy Bear, and Herpes Dating—left a huge amount of user data exposed on the open internet. The leak affected hundreds of thousands of users, and included things like sexually explicit photos and audio recordings. The records have since been secured, and there's no indication that anyone got to them before the researchers did, but the incident underscores just how important it is to lock down sensitive data when people trust you with it.
Meanwhile, in the latest chapter of IoT Bugs Run Amok, a suite of 19 vulnerabilities confusingly called Ripple20 affects hundreds of millions of devices, including some critical infrastructure components. A fix is available, but it can take years for some of this tech to receive updates.
World of Warcraft Classic players have for the last several months had to contend with an enemy more fearsome than orcs: bots. Developer Blizzard announced Wednesday that it had banned or suspended 74,000 accounts for botting behavior, which not only makes the game frustrating for normal players but upends its economy.
As if the IRA and GRU weren't bad enough, disinformation researchers this week disclosed a third, years-long Russian effort to sow online discord. Called Secondary Infektion, the group maintained obscurity in part because it was also tremendously ineffective at its job. Silver lining? Very tangentially related: If you want to clean up your own social media history for whatever reason, we have a guide to help you do just that—and another one to help limit how Instagram tracks you.
Body cameras were supposed to curb police brutality; we took a look at why that hasn't played out in practice. And while Zoom initially intended its upcoming end-to-end encryption for paid accounts only, after a wave of pressure from privacy advocates, the videoconferencing service this week announced that the feature will be available to everyone.
But that's not all. Every Saturday we round up the security and privacy stories that we didn’t break or report on in depth but think you should know about. Click on the headlines to read them, and stay safe out there.
Sneaky Mac Malware Is Using a Fake Flash Installer to Spread
A new variant of the Shlayer trojan that plagues macOS has picked up some tricks, according to new research from security firm Intego. After it fools users into downloading it by posing as a Flash update—that part, not so new, oldest trick in the book—the malware guides victims through an installation process designed to get around protections Apple recently added to the macOS Gatekeeper feature. The trojan is being distributed through Google search results, so as always be careful what you click.
Pirates Are Stealing and Trading OnlyFans Porn
Motherboard this week took a dive into the underground trade of stolen nudes from OnlyFans, a subscription site where creators post explicit photos and videos of themselves. Scraping tools enable a whole supply chain of thieves, and the content ends up not just in niche forums but on mainstream adult websites.
Google Removed 106 Data-Stealing Chrome Extensions
On the heels of a report from Awake Security, Google has banished 106 Chrome extensions that researchers found collecting sensitive data. While posing as various productivity and security tools, the extensions were reportedly able to evade Google's routine scans, take screenshots of victims' browsing, and even act as keyloggers to steal passwords. While Google has taken proactive steps in the last year or so to improve Chrome extension security, the incident shows that it still has a ways to go.
79 Netgear Devices All Have the Same Zero-Day Vulnerability
Another day, another router bug. This one's a bit of a doozy though; researchers found a zero-day vulnerability in 79 Netgear models, affecting firmware dating back to 2007. Netgear is reportedly working on a patch, but it isn't yet available, due in part, the company told CyberScoop, to complications from the Covid-19 pandemic. In the meantime, a whole lot of devices remain at risk of takeover.