Hacker claims theft of India's Samco account data | TechCrunch
A hacker listed the data allegedly breached from Samco on a known cybercrime forum.
© 2024 TechCrunch. All rights reserved. For personal use only.
Phone giant AT&T has reset millions of customer account passcodes after a huge cache of data containing AT&T customer records was dumped online earlier this month, TechCrunch has exclusively learned.
The U.S. telco giant initiated the passcode mass-reset after TechCrunch informed AT&T on Monday that the leaked data contained encrypted passcodes that could be used to access AT&T customer accounts.
A security researcher who analyzed the leaked data told TechCrunch that the encrypted account passcodes are easy to decipher. TechCrunch alerted AT&T to the security researcher’s findings.
In a statement provided Saturday, AT&T said: “AT&T has launched a robust investigation supported by internal and external cybersecurity experts. Based on our preliminary analysis, the data set appears to be from 2019 or earlier, impacting approximately 7.6 million current AT&T account holders and approximately 65.4 million former account holders.”
“AT&T does not have evidence of unauthorized access to its systems resulting in exfiltration of the data set,” the statement also said.
TechCrunch held the publication of this story until AT&T could begin resetting customer account passcodes. AT&T also has a post on what customers can do to keep their accounts secure.
AT&T customer account passcodes are typically four-digit numbers that are used as an additional layer of security when accessing a customer’s account, such as calling AT&T customer service, in retail stores, and online.
This is the first time that AT&T has acknowledged that the leaked data belongs to its customers, some three years after a hacker claimed the theft of 73 million AT&T customer records. AT&T had denied a breach of its systems, but the source of the leak remains inconclusive.
AT&T said Saturday that “it is not yet known whether the data in those fields originated from AT&T or one of its vendors.”
In 2021, the hacker claiming the AT&T breach posted only a small sample of records, making it difficult to check if the data was authentic. Earlier in March, a data seller published the full 73 million alleged AT&T records online on a known cybercrime forum, allowing for a more detailed analysis of the leaked records. AT&T customers have since confirmed that their leaked account data is accurate.
The leaked data includes AT&T customer names, home addresses, phone numbers, dates of birth and Social Security numbers.
Security researcher Sam “Chick3nman” Croley told TechCrunch that each record in the leaked data also contains the AT&T customer’s account passcode in an encrypted format. Croley double-checked his findings by looking up records in the leaked data against AT&T account passcodes known only to him.
Croley said it was not necessary to crack the encryption cipher to unscramble the passcode data.
Croley took all of the encrypted passcodes from the 73 million-record dataset and removed every duplicate. The result amounted to about 10,000 unique encrypted values, which corresponds to every possible four-digit passcode from 0000 to 9999, with a few outliers for the small number of AT&T customers with account passcodes longer than four digits.
According to Croley, the lack of randomization in the encrypted values (the same passcode always produces the same encrypted value) means it's possible to guess a customer's four-digit account passcode based on surrounding information in the leaked dataset.
It’s not uncommon for people to set passcodes — particularly if limited to four digits — that mean something to them. That might be the last four digits of a Social Security number or the person’s phone number, the year of someone’s birth, or even the four digits of a house number. All of this surrounding data is found in almost every record in the leaked dataset.
By correlating encrypted account passcodes to surrounding account data — such as customer dates of birth, house numbers, and partial Social Security numbers and phone numbers — Croley was able to reverse-engineer which encrypted values matched which plaintext passcode.
AT&T said it will contact all of the 7.6 million existing customers whose passcodes it reset, as well as current and former customers whose personal information was compromised.
OpenAI is making its flagship conversational AI accessible to everyone, even people who haven’t bothered making an account. It won’t be quite the same experience, however — and of course all your chats will still go into their training data unless you opt out.
Starting today in a few markets and gradually rolling out to the rest of the world, visiting chat.openai.com will no longer ask you to log in — though you still can if you want to. Instead, you’ll be dropped right into conversation with ChatGPT, which will use the same model as logged-in users.
You can chat to your heart’s content, but be aware you’re not getting quite the same set of features as folks with accounts. You won’t be able to save or share chats, use custom instructions, or other stuff that generally has to be associated with a persistent account.
That said, you still have the option to opt out of your chats being used for training (which, one suspects, undermines the entire reason the company is doing this in the first place). Just click the tiny question mark in the lower right-hand side, then click “settings,” and disable the feature there. OpenAI offers this helpful gif:
More importantly, this extra-free version of ChatGPT will have “slightly more restrictive content policies.” What does that mean? I asked and got a wordy yet largely meaningless reply from a spokesperson:
The signed out experience will benefit from the existing safety mitigations that are already built into the model, such as refusing to generate harmful content. In addition to these existing mitigations, we are also implementing additional safeguards specifically designed to address other forms of content that may be inappropriate for a signed out experience.
We considered the potential ways in which a logged out service could be used in inappropriate ways, informed by our understanding of the capabilities of GPT-3.5 and risk assessments that we’ve completed.
So … really, no clue as to what exactly these more restrictive policies are. No doubt we will find out shortly as an avalanche of randos descends on the site to kick the tires on this new offering. “We recognize that additional iteration may be needed and welcome feedback,” the spokesperson said. And they shall receive it — in abundance!
To that point, I also asked whether they had any plan for how to handle what will almost certainly be attempts to abuse and weaponize the model on an unprecedented scale. Inference is still expensive and even the refined, low-lift GPT-3.5 model takes power and server space. People are going to hammer it for all it’s worth.
For this threat they also had a wordy non-answer:
We’ve also carefully considered how we can detect and stop misuse of the signed out experience, and the teams responsible for detecting, preventing, and responding to abuse have been involved throughout the design and implementation of this experience and will continue to inform its design moving forward.
Notice the lack of anything resembling concrete information. They probably have as little idea what people are going to subject this thing to as anyone else, and will have to be reactive rather than proactive.
It’s not clear what areas or groups will get access to ultra-free ChatGPT first, but it’s starting today, so check back regularly to find out if you’re among the lucky ones.