From Digital Age to Nano Age. WorldWide.

Tag: cybersecurity

Robotic Automations

UnitedHealth says Change hackers stole health data on 'substantial proportion of people in America' | TechCrunch

Health insurance giant UnitedHealth Group has confirmed that a ransomware attack on its health tech subsidiary Change Healthcare earlier this year resulted in a huge theft of Americans’ private healthcare data.

UnitedHealth said in a statement on Monday that a ransomware gang took files containing personal data and protected health information that it says may “cover a substantial proportion of people in America.”

The health insurance giant did not say how many Americans are affected but said the data review was “likely to take several months” before the company would begin notifying individuals that their information was stolen in the cyberattack.

Change Healthcare processes insurance and billing for hundreds of thousands of hospitals, pharmacies and medical practices across the U.S. healthcare sector; it has access to massive amounts of health information on about half of all Americans.

UnitedHealth said it had not yet seen evidence that doctors’ charts or full medical histories were exfiltrated from its systems.

The admission that hackers stole Americans’ health data comes a week after a new hacking group began publishing portions of the stolen data in an effort to extort a second ransom demand from the company.

The gang, which calls itself RansomHub, published several files on its dark web leak site containing personal information about patients across an array of documents, some of which included internal files related to Change Healthcare. RansomHub said it would sell the stolen data unless Change Healthcare pays a ransom.

RansomHub is the second gang to demand a ransom from Change Healthcare. The health tech giant reportedly paid $22 million to a Russia-based criminal gang called ALPHV in March, which then disappeared, stiffing the affiliate that carried out the data theft out of their portion of the ransom.

RansomHub claimed in its post alongside the published stolen data that “we have the data and not ALPHV.”

In its statement Monday, UnitedHealth acknowledged the publication of some of the files but stopped short of claiming ownership of the documents. “This is not an official breach notification,” UnitedHealth said.

The Wall Street Journal reported Monday that the criminal hacking affiliate of ALPHV broke into Change Healthcare’s network using stolen credentials for a system that allows remote access to its network. The hackers were in Change Healthcare’s network for more than a week before deploying ransomware, allowing the hackers to steal significant amounts of data from the company’s systems.

The cyberattack at Change Healthcare began on February 21 and resulted in ongoing widespread outages at pharmacies and hospitals across the United States. For weeks, physicians, pharmacies and hospitals could not verify patient benefits for dispensing medications, organizing inpatient care, or processing prior authorizations necessary for surgeries.

Much of the U.S. healthcare system ground to a halt, with healthcare providers facing financial pressure as backlogs grow and outages linger.

UnitedHealth reported last week that the ransomware attack has cost it more than $870 million in losses. The company reported it made $99.8 billion in revenue during the first three months of the year, faring better than what Wall Street analysts had expected.

UnitedHealth CEO Andrew Witty, who received close to $21 million in total compensation the full year of 2022, is set to testify to House lawmakers on May 1.

Software Development in Sri Lanka

Robotic Automations

US government says security flaw in Chirp Systems' app lets anyone remotely control smart home locks | TechCrunch

A vulnerability in a smart access control system used in thousands of U.S. rental homes allows anyone to remotely control any lock in an affected home. But Chirp Systems, the company that makes the system, has ignored requests to fix the flaw.

U.S. cybersecurity agency CISA went public with a security advisory last week saying that the phone apps developed by Chirp, which residents use in place of a key to access their homes, “improperly stores” hardcoded credentials that can be used to remotely control any Chirp-compatible smart lock.

Apps that rely on passwords stored in its source code, known as hardcoding credentials, are a security risk because anyone can extract and use those credentials to perform actions that impersonate the app. In this case, the credentials allowed anyone to remotely lock or unlock a Chirp-connected door lock over the internet.

In its advisory, CISA said that successful exploitation of the flaw “could allow an attacker to take control and gain unrestricted physical access” to smart locks connected to a Chirp smart home system. The cybersecurity agency gave the vulnerability severity score of 9.1 out of a maximum of 10 for its “low attack complexity” and for its ability to be remotely exploited.

The cybersecurity agency said Chirp Systems has not responded to either CISA or the researcher who found the vulnerability.

Security researcher Matt Brown told veteran security journalist Brian Krebs that he notified Chirp of the security issue in March 2021 but that the vulnerability remains unfixed.

Chirp Systems is one of a growing number of companies in the property tech space that provide keyless access controls that integrate with smart home technologies to rental giants. Rental companies are increasingly forcing renters to allow the installation of smart home equipment as dictated by their leases, but it’s murky at best who takes responsibility or ownership when security problems arise.

Real estate and rental giant Camden Property Trust signed a deal in 2020 to roll out Chirp-connected smart locks to more than 50,000 units across over a hundred properties. It’s unclear if affected properties like Camden are aware of the vulnerability or have taken action. Kim Callahan, a spokesperson for Camden, did not respond to a request for comment.

Chirp was bought by property management software giant RealPage in 2020, and RealPage was acquired by private equity giant Thoma Bravo later that year in a $10.2 billion deal. RealPage is facing several legal challenges over allegations its rent-setting software uses secret and proprietary algorithms to help landlords raise the highest possible rents on tenants.

Neither RealPage nor Thoma Bravo have yet to acknowledge the vulnerabilities in the software it acquired, nor say if they plan on notifying affected residents of the security risk.

Jennifer Bowcock, a spokesperson for RealPage, did not respond to requests for comment from TechCrunch. Megan Frank, a spokesperson for Thoma Bravo, also did not respond to requests for comment.

Software Development in Sri Lanka

Robotic Automations

US says Russian hackers stole federal government emails during Microsoft cyberattack | TechCrunch

U.S. Cybersecurity and Infrastructure Security Agency (CISA) has confirmed that Russian government-backed hackers stole emails from several U.S. federal agencies as a result of an ongoing cyberattack at Microsoft.

In a statement published Thursday, the U.S. cyber agency said the cyberattack, which Microsoft initially disclosed in January, allowed the hackers to steal federal government emails “through a successful compromise of Microsoft corporate email accounts.”

The hackers, which Microsoft calls “Midnight Blizzard,” also known as APT29, are widely believed to work for Russia’s Foreign Intelligence Service, or SVR.

“Midnight Blizzard’s successful compromise of Microsoft corporate email accounts and the exfiltration of correspondence between agencies and Microsoft presents a grave and unacceptable risk to agencies,” said CISA.

The federal cyber agency said it issued a new emergency directive on April 2 ordering civilian government agencies to take action to secure their email accounts, based on new information that the Russian hackers were ramping up their intrusions. CISA made details of the emergency directive public on Thursday after giving affected federal agencies a week to reset passwords and secure affected systems.

CISA did not name the affected federal agencies that had emails stolen, and a spokesperson for CISA did not immediately comment when reached by TechCrunch.

News of the emergency directive was first reported by Cyberscoop last week.

The emergency directive comes as Microsoft faces increasing scrutiny of its security practices after a spate of intrusions by hackers of adversarial nations. The U.S. government is heavily reliant on the software giant for hosting government emails accounts.

Microsoft went public in January after identifying that the Russian hacking group broke into some corporate email systems, including the email accounts of “senior leadership team and employees in our cybersecurity, legal, and other functions.” Microsoft said the Russian hackers were searching for information about what Microsoft and its security teams knew about the hackers themselves. Later, the technology giant said the hackers also targeted other organizations outside of Microsoft.

Now it is known that some of those affected organizations included U.S. government agencies.

By March, Microsoft said it was continuing its efforts to expel the Russian hackers from its systems in what the company described as an “ongoing attack.” In a blog post, the company said the hackers were attempting to use “secrets” they had initially stolen in order to access other internal Microsoft systems and exfiltrate more data, such as source code.

Microsoft did not immediately comment when asked by TechCrunch on Thursday what progress the company is making in remediating the attack since March.

Earlier this month, the U.S. Cyber Safety Review Board (CSRB) concluded its investigation of an earlier 2023 breach of U.S. government emails attributed to China government-backed hackers. The CSRB, an independent body that includes representatives from government and cyber experts in the private sector, blamed a “cascade of security failures at Microsoft.” Those allowed the China-backed hackers to steal a sensitive email key that permitted broad access to both consumer and government emails.

In February, the U.S. Department of Defense notified 20,000 individuals that their personal information was exposed to the internet after a Microsoft-hosted cloud email server was left without a password for several weeks in 2023.

Software Development in Sri Lanka

Robotic Automations

Lawmakers vote to reauthorize US spying law that critics say expands government surveillance | TechCrunch

Lawmakers passed legislation early Saturday reauthorizing and expanding a controversial U.S. surveillance law shortly after the powers expired at midnight, rejecting opposition by privacy advocates and lawmakers.

The bill, which passed on a 60-34 vote, reauthorizes powers known as Section 702 under the Foreign Intelligence Surveillance Act (FISA), which allows the government to collect the communications of foreign individuals by accessing records from tech and phone providers. Critics, including lawmakers who voted against the reauthorization, say FISA also sweeps up the communications of Americans while spying on its foreign targets.

White House officials and spy chiefs rallied behind efforts to reauthorize FISA, arguing the law prevents terrorist and cyber attacks and that a lapse in powers would harm the U.S. government’s ability to gather intelligence. The Biden administration claims the majority of the classified information in the president’s daily intelligence briefing derives from the Section 702 program.

Privacy advocates and rights groups rejected the reauthorization of FISA, which does not require the FBI or the NSA to obtain a warrant before searching the Section 702 database for Americans’ communications. Accusations that the FBI and the NSA abused their authority to conduct warrantless searches on Americans’ communications became a key challenge for some Republicans initially seeking greater privacy protections.

Bipartisan efforts aimed to require the government obtain a warrant before searching its databases for Americans’ communications. But these failed ahead of the final vote on the Senate floor.

Following the passage in the early hours of today, Senator Mark Warner, who chairs the Senate Intelligence Committee, said that FISA was “indispensable” to the U.S. intelligence community.

The bill now goes to the President’s desk, where it will almost certainly pass into law.

FISA became law in 1978 prior to the advent of the modern internet. It started to come under increased public scrutiny in 2013 after a massive leak of classified documents exposed the U.S. government’s global wiretapping program under FISA, which implicated several major U.S. tech companies and phone companies as unwilling participants.

The Senate was broadly expected to pass the surveillance bill into law, but it faced fresh opposition after the House passed last week its version of the legislation that critics said would extend the reach of FISA to also include smaller companies and telecom providers not previously subject to the surveillance law.

Communications providers largely opposed the House’s expanded definition of an “electronic communications service provider,” which they said would unintentionally include companies beyond the big tech companies and telecom providers who are already compelled to hand over users’ data.

An amendment, introduced by Sen. Ron Wyden, to remove the expanded measure from the bill failed to pass in a vote.

Wyden, a Democratic privacy hawk and member of the Senate Intelligence Committee, accused senators of waiting “until the 11th hour to ram through renewal of warrantless surveillance in the dead of night.”

“Time after time anti-reformers pledge that their band-aid changes to the law will curb abuses, and yet every time, the public learns about fresh abuses by officials who face little meaningful oversight,” said Wyden in a statement.

In the end, the bill passed soon after midnight.

Despite the last-minute rush to pass the bill, a key provision in FISA prevents the government’s programs under Section 702 from suddenly shutting down in the event of lapsed legal powers. FISA requires the government to seek an annual certification from the secretive FISA Court, which oversees and approves the government’s surveillance programs. The FISA Court last certified the government’s surveillance program under Section 702 in early April, allowing the government to use its lapsed authority until at least April 2025.

FISA will now expire at the end of 2026, setting up a similar legislative showdown midway through the next U.S. administration.

Software Development in Sri Lanka

Robotic Automations

US government urges Sisense customers to reset credentials after hack | TechCrunch

U.S. cybersecurity agency CISA is warning Sisense customers to reset their credentials and secrets after the data analytics company reported a security incident.

In a brief statement on Thursday, CISA said it was responding to a “recent compromise” at Sisense, which provides business intelligence and data analytics to companies around the world.

CISA urged Sisense customers to “reset credentials and secrets potentially exposed to, or used to access, Sisense services,” and report to the agency any suspicious activity involving the use of compromised credentials.

The exact nature of the cybersecurity incident is not clear yet.

Founded in 2004, Sisense develops business intelligence and data analytics software for big companies, including telcos, airlines and tech giants. Sisense’s technology allows organizations to collect, analyze and visualize large amounts of their corporate data by tapping directly into their existing technologies and cloud systems.

Companies like Sisense rely on using credentials, such as passwords and private keys, to access a customer’s various stores of data for analysis. With access to these credentials, an attacker could potentially also access a customer’s data.

CISA said it is “taking an active role in collaborating with private industry partners to respond to this incident, especially as it relates to impacted critical infrastructure sector organizations.”

Sisense counts Air Canada, PagerDuty, Philips Healthcare, Skullcandy and Verizon as its customers, as well as thousands of other organizations globally.

News of the incident first emerged on Wednesday after cybersecurity journalist Brian Krebs published a note sent by Sisense Chief Information Security Officer Sangram Dash urging customers to “rotate any credentials that you use within your Sisense application.”

Neither Dash nor a spokesperson for Sisense responded to an email seeking comment.

Israeli media reported in January that Sisense had laid off about half of its employees since 2022. It is unclear if the layoffs impacted the company’s security posture. Sisense has taken in close to $300 million in funding from investors, which include Insight Partners, Bessemer Ventures Partners and Battery Ventures.

Do you know more about the Sisense breach? To contact this reporter, get in touch on Signal and WhatsApp at +1 646-755-8849, or by email. You can also send files and documents via SecureDrop.

Software Development in Sri Lanka

Robotic Automations

Exclusive: Simbian brings AI to existing security tools

Ambuj Kumar is nothing if not ambitious.

An electrical engineer by training, Kumar led hardware design for eight years at Nvidia, helping to develop tech including a widely used high-speed memory controller for GPUs. After leaving Nvidia in 2010, Kumar pivoted to cybersecurity, eventually co-founding Fortanix, a cloud data security platform.

It was while heading up Fortanix that the idea for Kumar’s next venture came to him: an AI-powered tool to automate a company’s cybersecurity workflows, inspired by challenges he observed in the cybersecurity industry.

“Security leaders are stressed,” Kumar told TechCrunch. “CISOs don’t last more than a couple of years on average, and security analysts have some of the highest churn. And things are getting worse.”

Kumar’s solution, which he co-founded with former Twitter software engineer Alankrit Chona, is Simbian, a cybersecurity platform that effectively controls other cybersecurity platforms as well as security apps and tooling. Leveraging AI, Simbian can automatically orchestrate and operate existing security tools, finding the right configurations for each product by taking into account a company’s priorities and thresholds for security, informed by their business requirements.

With Simbian’s chatbot-like interface, users can type in a cybersecurity goal in natural language, then have Simbian provide personalized recommendations and generate what Kumar describes as “automated actions” to execute the actions (as best it can).

“Security companies have focused on making their own products better, which leads to a very fragmented industry,” Kumar said. “This results in a higher operational burden for organizations.”

To Kumar’s point, polls show that cybersecurity budgets are often wasted on an overabundance of tools. More than half of businesses feel that they’ve misspent around 50% of their budgets and still can’t remediate threats, according to one survey cited by Forbes. A separate study found that organizations now juggle on average 76 security tools, leading IT teams and leaders to feel overwhelmed.

“Security has been a cat-and-mouse game between attackers and defenders for a long time; the attack surface keeps growing due to IT growth,” Kumar said, adding that there’s “not enough talent to go around.” (One recent survey from Cybersecurity Ventures, a security-focused VC firm, estimates that the shortfall of cyber experts will reach 3.5 million people by 2025.)

In addition to automatically configuring a company’s security tools, the Simbian platform attempts to respond to “security events” by letting customers steer security while taking care of lower-level details. This, Kumar says, can significantly cut down on the number of alerts a security analyst must respond to.

But that assumes Simbian’s AI doesn’t make mistakes, a tall order, given that it’s well established that AI is error-prone.

To minimize the potential for off-the-rails behavior, Simbian’s AI was trained using a crowdsourcing approach — a game on its website called “Are you smarter than an LLM?” — that tasked volunteers with trying to “trick” the AI into doing the wrong thing. Kumar explained that Simbian used this learning, along with in-house researchers, to “ensure the AI does the right thing in its use cases.”

This means that Simbian effectively outsourced part of its AI training to unpaid gamers. But, to be fair, it’s unclear how many people actually played the company’s game; Kumar wouldn’t say.

There are privacy implications of a system that controls other systems, especially concerning those that are security-related. Would companies — and vendors, for that matter — be comfortable with sensitive data funneling through a single, AI-controlled centralized portal?

Kumar claims that every attempt has been made to protect against data compromise. Simbian uses encryption — customers control the encryption keys — and customers can delete their data at any time.

“As a customer, you have full control,” he said.

While Simbian isn’t the only platform to attempt to apply a layer of AI over existing security tools — Nexusflow offers a product along a similar vein — it appears to have won over investors. The company recently raised $10 million from investors including Coinbase board member Gokul Rajaram, Cota Capital partner Aditya Singh, Icon Ventures, Firebolt and Rain Capital.

“Cybersecurity is one of the most important problems of our time, and has famously fragmented ecosystem with thousands of vendors,” Rajaram told TechCrunch via email. “Companies have tried to build expertise around specific products and problems. I applaud Simbian’s method of building an integrated platform that would understand and operate all of security. While this is extremely challenging approach from technology perspective, I’ll put my money — and I did put my money — on Simbian. It’s the team with unique experience all the way from hardware to cloud.”

Mountain View-based Simbian, which has 15 employees, plans to put the bulk of the capital it’s raised toward product development. Kumar’s aiming to double the size of the startup’s workforce by the end of the year.

Software Development in Sri Lanka

Robotic Automations

Apple alerts users in 92 nations to mercenary spyware attacks | TechCrunch

Apple sent threat notifications to iPhone users in 92 countries on Wednesday, warning them that they may have been targeted by mercenary spyware attacks.

The company said it sent the alerts to individuals in 92 nations at 12 p.m. Pacific Time Wednesday. The notification, which TechCrunch has seen, did not disclose the attackers’ identities or the countries where users received notifications.

“Apple detected that you are being targeted by a mercenary spyware attack that is trying to remotely compromise the iPhone associated with your Apple ID -xxx-,” it wrote in the warning to affected customers.

“This attack is likely targeting you specifically because of who you are or what you do. Although it’s never possible to achieve absolute certainty when detecting such attacks, Apple has high confidence in this warning — please take it seriously,” Apple added in the text.

The iPhone maker sends these kind of notifications multiple times a year and has notified users to such threats in over 150 countries since 2021, per an updated Apple support page.

Apple also sent an identical warning to a number of journalists and politicians in India in October last year. Later, nonprofit advocacy group Amnesty International reported that it had found Israeli spyware maker NSO Group’s invasive spyware Pegasus on the iPhones of prominent journalists in India. (Users in India are among those who have received Apple’s latest threat notifications, according to people familiar with the matter.)

The spyware alerts arrive at a time when many nations are preparing for elections. In recent months, many tech firms have cautioned about rising state-sponsored efforts to sway certain electoral outcomes. Apple’s alerts, however, did not remark on their timing.

“We are unable to provide more information about what caused us to send you this notification, as that may help mercenary spyware attackers adapt their behavior to evade detection in the future,” Apple told affected customers.

Apple previously described the attackers as “state-sponsored” but has replaced all such references with “mercenary spyware attacks.”

The warning to customers adds: “Mercenary spyware attacks, such as those using Pegasus from the NSO Group, are exceptionally rare and vastly more sophisticated than regular cybercriminal activity or consumer malware.”

Apple said it relies solely on “internal threat-intelligence information and investigations to detect such attacks.”

“Although our investigations can never achieve absolute certainty, Apple threat notifications are high-confidence alerts that a user has been individually targeted by a mercenary spyware attack and should be taken very seriously,” it added.

Software Development in Sri Lanka

Robotic Automations

AT&T notifies regulators after customer data breach | TechCrunch

AT&T has begun notifying U.S. state authorities and regulators of a security incident after confirming that millions of customer records posted online last month were authentic.

In a legally required filing with Maine’s attorney general’s office, the U.S. telco giant said it sent out letters notifying more than 51 million people that their personal information was compromised in the data breach, including around 90,000 individuals in Maine. AT&T also notified California’s attorney general of the breach.

AT&T — the largest telco in the United States — said that the breached data included customers’ full name, email address, mailing address, date of birth, phone number and Social Security number.

Leaked customer information dated back to mid-2019 and earlier. According to AT&T the records contained valid data on more than 7.9 million current AT&T customers.

AT&T took action some three years after a subset of the leaked data first appeared online, which prevented any meaningful analysis of the data. The full cache of 73 million leaked customer records was dumped online last month, allowing customers to verify that their data was genuine. Some of the records included duplicates.

The leaked data also included encrypted account passcodes, which allow access to customer accounts.

Soon after the full dataset was published, a security researcher notified TechCrunch that the encrypted passcodes found in the leaked data were easy to decipher. AT&T reset those account passcodes after TechCrunch alerted AT&T on March 26 to the risk posed to customers. TechCrunch held its story until AT&T could complete the process of resetting affected customer passcodes.

AT&T eventually acknowledged that the leaked data belongs to its customers, including about 65 million former customers.

Companies experiencing data breaches that affect large numbers of people are required to disclose the incident with U.S. attorneys general under state data breach notification laws. In its notices filed in Maine and California, AT&T said it is offering identity theft and credit monitoring to affected customers.

AT&T has still not identified the source of the leak.

Software Development in Sri Lanka

Robotic Automations

Hackers are threatening to publish a huge stolen sanctions and financial crimes watchlist | TechCrunch

A financially motivated criminal hacking group says it has stolen a confidential database containing millions of records that companies use for screening potential customers for links to sanctions and financial crime.

The hackers, which call themselves GhostR, said they stole 5.3 million records from the World-Check screening database in March and are threatening to publish the data online.

World-Check is a screening database used for “know your customer” checks (or KYC), allowing companies to determine if prospective customers are high risk or potential criminals, such as people with links to money laundering or who are under government sanctions.The hackers told TechCrunch that they stole the data from a Singapore-based firm with access to the World-Check database, but did not name the firm.

A portion of the stolen data, which the hackers shared with TechCrunch, includes individuals who were sanctioned as recently as this year.

Simon Henrick, a spokesperson for the London Stock Exchange Group, which maintains the database, told TechCrunch: “This was not a security breach of LSEG/our systems. The incident involves a third party’s data set, which includes a copy of the World-Check data file. This was illegally obtained from the third party’s system. We are liaising with the affected third party, to ensure our data is protected and ensuring that any appropriate authorities are notified.”

LSEG did not name the third-party company, but did not dispute the amount of data stolen.

The portion of stolen data seen by TechCrunch contains records on thousands of people, including current and former government officials, diplomats, and private companies whose leaders are considered “politically exposed people,” who are at a higher risk of involvement in corruption or bribery. The list also contains individuals accused of involvement in organized crime, suspected terrorists, intelligence operatives, and a European spyware vendor.

The data varies by record. The database contains names, passport numbers, Social Security numbers, online crypto account identifiers and bank account numbers, and more.

World-Check is currently owned by the London Stock Exchange Group following a $27 billion deal to buy financial data provider Refinitiv in 2021. LSEG collects information from public sources, including sanctions lists, government sources, and news outlets, then provides the database as a subscription to companies for conducting customer due diligence.

But privately run databases, like World-Check, are known to contain errors that can affect entirely innocent people with no nexus or connection to crime but whose information is stored in these databases.

In 2016, an older copy of the World-Check database leaked online following a security lapse at a third-party company with access to the data, including a former advisor to the U.K. government that World-Check had applied a “terrorism” label to his name. Banking giant HSBC shut down bank accounts belonging to several prominent British Muslims after the World-Check database branded them with “terrorism” tags.

A spokesperson for the U.K.’s data protection authority, the Information Commissioner’s Office, did not immediately comment on the breach.

To contact this reporter, get in touch on Signal and WhatsApp at +1 646-755-8849, or by email. You can also send files and documents via SecureDrop.

Software Development in Sri Lanka

Robotic Automations

Apex Legends hacker says game developers patched exploit used on streamers | TechCrunch

Last month, a hacker wreaked havoc during an esports tournament of the popular shooter game Apex Legends, hacking two well-known streamers mid-game to make it look like they were using cheats.

A month later, it seems like the hacking saga may have come to a close with the game developers patching the bug exploited by the hacker.

Because of the hack, the organizers had to suspend the tournament on March 17. Two days later, Apex Legends developer Respawn said on its official X account that it had “deployed the first of a layered series of updates to protect the Apex Legends player community.” Then a week later, the company wrote that it had “added another update that is intended to further protect our players and ensure the competitive integrity of Apex Legends.”

Respawn’s posts don’t clearly say that the updates patched the bugs exploited during the tournament. But the hacker behind the cheating scandal told TechCrunch this week that Respawn’s patches fixed the vulnerability that he had exploited to hack the two streamers.

“The exploit I’ve used in [Apex Legends Global Series] is fully patched,” the hacker who goes by Destroyer2009 said in an online chat.

Destroyer2009, who previously told TechCrunch that he had hacked the two streamers “for fun,” said he didn’t want to reveal any technical details of the bug he exploited, even if it is now patched.

“No one likes when severe vulnerabilities in your product are exposed publicly. I asked my friend and we both agreed that we don’t really want to publicly expose what happened from a technical perspective yet,” the hacker said, referring to a friend he worked with to develop the hack.

Contact Us

Do you know more about this hack? Or other video game hacking incidents? From a non-work device, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, or via Telegram, Keybase and Wire @lorenzofb, or email. You also can contact TechCrunch via SecureDrop.

Referring to an unrelated botched in-game update by Respawn this week, Destroyer2009 said: “[I] don’t think embarrassing them even more is fair.”

Destroyer2009 said he tested his exploit after Respawn’s announcement of the second update on March 26, although he said it’s possible it was patched sooner because he didn’t have a chance to test it before.

Destroyer2009’s hacks were high-profile, disruptive, and caused a big stir in the Apex Legends community. The two streamers targeted, ImperialHal and Geburten, collectively have 2.5 million followers on the game streaming platform Twitch, and several other Apex Legends players and streamers commented on the news of the hacks on their channels.

Yet, Respawn isn’t being forthcoming about the patches it released. TechCrunch asked Respawn and Electronic Arts, the owners of the development studio, to confirm whether the exploit used by Destroyer2009 is indeed patched, and if so, when it was patched.

But neither Respawn nor Electronic Arts responded to TechCrunch’s multiple requests for comment. The two companies did not respond to requests for comment in the last few weeks either.

Meanwhile, Destroyer2009 said he won’t do any more public hacks for now, because “anything more severe than the [Apex tournament hack] accident will be already considered as a real hacking with all the consequences so [probably] will just play the game until it gets boring as usual.”

Software Development in Sri Lanka