Why Do Android Flashlight Apps Need Dozens of Permissions?



No one should be downloading a flashlight app in the Year of Our Lord 2019 — that’s why both Google and Apple have integrated the ability into their devices as part of the base operating system. Avast security researcher Luis Corrons decided to evaluate the security of flashlight apps after the wave of concern around the Russian-owned Faceapp software. According to his work, there are still 937 flashlight applications on Google Play, despite the fact that Flashlight capabilities are baked into the Android OS. Many of these applications request far more permissions from end users than they ever need to function.

Instead of being limited to the functions you’d expect a flashlight to need (access to the LED flash itself, downloading ads from the internet, and lock-screen access so the flashlight can be turned on or off without unlocking the device), many of these apps request far more. The average number of permissions requested per app is 25. 408 applications request 10 permissions or fewer, but 262 of them require 50 permissions or more. The table below shows the worst offenders:

Now, just because an application is requesting a lot of permissions doesn’t necessarily mean it is requesting them for nefarious purposes. But when Corrons dug deeper, the issues kept getting worse. A massive number of applications request permission to kill background processes, access your fine-grained location data, control Bluetooth connections, record audio, download data without notification, and write to your contacts list. A few even process incoming calls.

As Corrons discusses, the reason these apps have such ludicrous permissions isn’t because they’re actually trying to hook you up with Nigerian princes with large fortunes to dispose of. It’s undoubtedly so they can gather data and then sell it to other firms as part of their efforts to endlessly monetize all of human existence. He steps through how some of these apps are developed by studios with multiple multi-million downloads on the app store. All of the apps require the same invasive permissions, and they’re almost certainly funneling data to the same invisible group of partners.

Google, of course, could stop this kind of garbage in its tracks by forcing app developers to only request permissions that they can plausibly prove they need, and by tightening the approval process to make this kind of rampant data-collecting against its own terms of service. Google doesn’t, because that would alert people to how much of their own daily device usage is uploaded to third-party corporations in the first place. The companies that take advantage of loose user permission requirements aren’t exploiting a loophole; they’re using the system in the manner in which it’s intended to operate. Corrons notes that it’s extremely important for users to be aware of what kind of permissions their applications request. This is true, but it also puts the onus of fixing the problem solely on the end-user.

Google has allowed its app store to be abused by people who are running massive data harvesting regimes — and it’s on Google to fix that problem, not end-users. Nobody should be downloading a flashlight app on a modern device. But Google shouldn’t be allowing applications to request permissions that they have no business requesting, either.


Shape Security hits $1B valuation with $51M Series F – gpgmail


Anti-fraud startup Shape Security has tipped over the $1 billion valuation mark following its latest Series F round of $51 million.

The Mountain View, Calif.-based company announced the fundraise Thursday, bringing the total amount of outside investment to $183 million since the company debuted in 2011.

C5 Capital led the round, along with several other new and returning investors, including Kleiner Perkins, HPE Growth and Norwest Ventures Partners.

Shape Security protects companies against automated and imitation attacks, which often employ bots to break into networks using stolen or reused credentials. Shape uses artificial intelligence to discern bots from ordinary users by comparing known information such as a user’s location, and collected data, like mouse movements, to shut down attempted automated logins in real time.

The company said it now protects against two billion fraudulent logins daily.

C5 managing partner André Pienaar said he believes Shape will become the “definitive” anti-fraud platform for the world’s largest companies.

“While we expect a strong financial return, we also believe that we can bring Shape’s platform into many of the leading companies in Europe who look to us for strategic ideas that benefit the entire value-chain where B2C applications are used,” Pienaar told gpgmail.

Shape’s chief executive Derek Smith said the $51 million injection will go toward the company’s international expansion and product development — particularly the capabilities of its AI system.

He added that Shape was preparing for an IPO.

Correction: A draft of the company’s funding news said Shape had raised $173 million to date. The company said this was a typo and has in fact raised $183 million.



Web feature developers told to dial up attention on privacy and security – gpgmail


Web feature developers are being warned to step up attention to privacy and security as they design contributions.

Writing in a blog post about “evolving threats” to Internet users’ privacy and security, the W3C standards body’s technical architecture group (TAG) and Privacy Interest Group (PING) set out a series of revisions to the W3C’s Security and Privacy Questionnaire for web feature developers.

The questionnaire itself is not new. But the latest updates place greater emphasis on the need for contributors to assess and mitigate privacy impacts, with developers warned that “features may not be implemented if risks are found impossible or unsatisfactorily mitigated”.

In the blog post, independent researcher Lukasz Olejnik, currently serving as an invited expert at the W3C TAG; and Apple’s Jason Novak, representing the PING, write that the intent with the update is to make it “clear that feature developers should consider security and privacy early in the feature’s lifecycle” [emphasis theirs].

“The TAG will be carefully considering the security and privacy of a feature in their design reviews,” they further warn, adding: “A security and privacy considerations section of a specification is more than answers to the questionnaire.”

The revisions to the questionnaire include updates to the threat model and specific threats a specification author should consider — including a new high level type of threat dubbed “legitimate misuse”, where the document stipulates that: “When designing a specification with security and privacy in mind, all both use and misuse cases should be in scope.”

“Including this threat into the Security and Privacy Questionnaire is meant to highlight that just because a feature is possible does not mean that the feature should necessarily be developed, particularly if the benefitting audience is outnumbered by the adversely impacted audience, especially in the long term,” they write. “As a result, one mitigation for the privacy impact of a feature is for a user agent to drop the feature (or not implement it).”

“Features should be secure and private by default and issues mitigated in their design,” they further emphasize. “User agents should not be afraid of undermining their users’ privacy by implementing new web standards or need to resort to breaking specifications in implementation to preserve user privacy.”

The pair also urge specification authors to avoid blanket treatment of first and third parties, suggesting: “Specification authors may want to consider first and third parties separately in their feature to protect user security and privacy.”

The revisions to the questionnaire come at a time when browser makers are dialling up their response to privacy threats — encouraged by rising public awareness of the risks posed by data leaks, as well as increased regulatory action on data protection.

Last month the open source WebKit browser engine (which underpins Apple’s Safari browser) announced a new tracking prevention policy that takes the strictest line yet on background and cross-site tracking, saying it would treat attempts to circumvent the policy as akin to hacking — essentially putting privacy protection on a par with security.

Earlier this month Mozilla also pushed out an update to its Firefox browser that enables an anti-tracking cookie feature across the board, for existing users too — demoting third party cookies to default junk.

Even Google’s Chrome browser has made some tentative steps towards enhancing privacy — announcing changes to how it handles cookies earlier this year. Though the adtech giant has studiously avoided flipping on privacy by default in Chrome where third party tracking cookies are concerned, leading to accusations that the move is mostly privacy-washing.

More recently Google announced a long term plan to involve its Chromium browser engine in developing a new open standard for privacy — sparking concerns it’s trying to both kick the can on privacy protection and muddy the waters by shaping and pushing self-interested definitions which align with its core data-mining business interests.

There’s more activity to consider too. Earlier this year another data-mining adtech giant, Facebook, made its first major API contribution to Google’s Chrome browser — which it also brought to the W3C Performance Working Group.

Facebook does not have its own browser, of course. Which means that authoring contributions to web technologies offers the company an alternative conduit to try to influence Internet architecture in its favor.

The W3C TAG’s latest move to focus minds on privacy and security by default is timely.

It chimes with a wider industry shift towards pro-actively defending user data, and should rule out any rubberstamping of tech giants’ contributions to Internet architecture, which is obviously a good thing. Scrutiny remains the best defence against self-interest.





The Wikimedia Foundation taps $2.5M from Craig Newmark to beef up its security – gpgmail


Last week, users around the world found Wikipedia down after the online, crowdsourced encyclopedia became the target of a massive, sustained DDoS attack — one that it is still actively fighting several days later (even though the site is now back up). Now, in a coincidental twist of timing, Wikipedia’s parent, the Wikimedia Foundation, is announcing a donation aimed at helping the group better cope with situations just like this: Craig Newmark Philanthropies, a charity funded by the Craigslist founder, is giving $2.5 million to Wikimedia to help it improve its security.

The gift would have been in the works before the security breach last week, and it underscores a persistent paradox. The non-profit is considered to be one of the 10 most popular sites on the web, with people from some 1 billion different devices accessing it each month, with upwards of 18 billion visits in that period (the latter figure is from 2016 so likely now higher). Wikipedia is used as a reference point by millions every day to get the facts on everything from Apple to Zynga, mushrooms and Myanmar history, and as a wiki, it was built from the start for interactivity.

But in this day and age when anything is game for malicious hackers, it’s an easy target, sitting out in the open and generally lacking in the kinds of funds that private companies and other for-profit entities have to protect themselves from security breaches. Alongside networks of volunteers who put in free time to contribute security work to Wikimedia, the organization only had two people on its security staff two years ago — one of them part-time.

That has been getting fixed, very gradually, by John Bennett, the Wikimedia Foundation’s Director of Security, who joined the organization in January 2018 and told gpgmail in an interview that he’s been working on a more centralised and coherent system, bringing on more staff to help build tools to combat nefarious activity both on the site and on Wikimedia’s systems and, crucially, putting policies in place to help prevent breaches in the future.

“We’ve lived in this bubble of ‘no one is out to get us,’” he said of the general goodwill that surrounds not-for-profit, public organizations like the Wikimedia Foundation. “But we’re definitely seeing that change. We have skilled and determined attackers wishing to do harm to us. So we’re very grateful for this gift to bolster our efforts.

“We weren’t a sitting duck before the breach last week, with a lot of security capabilities built up. But this gift will help improve our posture and build upon what we started and have been building these last two years.”

The security team collaborates with other parts of the organization to handle some of the more pointed issues. He notes that Wikimedia uses a lot of machine learning that has been developed to monitor pages for vandalism, and an anti-harassment team also works alongside them. (Newmark’s contribution today, in fact, is not the first donation he’s made to the organization. In the past he has donated around $2 million towards various projects including the Community Health Initiative, the anti-harassment program; and the more general Wikimedia Endowment).

The security breach that caused the DDoS is currently being responded to by the site reliability engineering team, who are still engaged and monitoring the situation, and Bennett declined to comment more on that.

You can support Wikipedia and Wikimedia, too.



Apple Says Google Blew iPhone Hacking Report Out of Proportion



Apple is used to promoting the security of its products in comparison to the competition, but it was on the defensive last week following a report from Google’s Project Zero. According to Google researchers, iOS was the target of a sophisticated attack for two years until Google alerted Apple in early 2019. However, Apple is now seeking to downplay the severity of the attack, claiming Project Zero has blown the whole thing out of proportion. 

The news of Apple’s iPhone vulnerability broke recently with an in-depth report from Project Zero, a group at Google that specializes in uncovering zero-day hacks that threaten internet users. According to the team, a number of websites had deployed hacks that could install malware with root access on the iPhone. The operators of the sites could steal data, monitor phone locations, and even access the user’s on-device password storage. Google said the attacks operated “over a period of at least two years” and covered almost every version of iOS active during that time. 

Apple issued a press release late last week disputing part of Google’s findings. The iPhone maker strenuously objects to Google’s claim that the attacks operated for two years. In fact, Apple says it was closer to two months. Furthermore, Apple says it already knew about the flaws and was conveniently already working on a fix. It’s impossible to verify that claim, but it does sound suspect. Google’s Project Zero researchers are cited in Apple’s official changelog from February as reporting the flaws. 

The timeline of iOS hacks from Project Zero.

Apple also says the attack focused on the Uyghur community, a group of ethnically Turkic Muslims living in western China. Uyghurs have been targeted for persecution and imprisonment by Chinese authorities for years. The government often uses technological means like the iPhone hack to track and investigate the Uyghur population. 

Apple seems to be suggesting that Google wanted to make the flaws look more severe than they were, but Project Zero has traditionally conducted its business without favoritism. In response to Apple’s criticism, Project Zero has issued a statement standing by its “in-depth research which was written to focus on the technical aspects of these vulnerabilities.”

Google is used to getting publicly chastised for security vulnerabilities — Android is open source, but Apple has the benefit of quietly patching exploits as it finds them in its closed software. Perhaps the iPhone maker is just a little overly sensitive with its new iPhone unveiling this week.


Telegram fixes bug that failed to delete ‘unsent’ photos and videos – gpgmail


Mobile messaging app Telegram has fixed a bug allowing users to recover photos and videos “unsent” by other people.

Telegram, which has more than 100 million users, has an ephemeral messaging feature that allows users to “unsend” sent messages from other people’s inboxes, such as when a message is sent by mistake.

But one security researcher, Dhiraj Mishra, who found the privacy issue and shared his findings exclusively with gpgmail, said although Telegram was removing the messages from a user’s device, any sent photos or video would still be stored on the user’s phone.

The researcher found other messaging apps, like WhatsApp, had the same ephemeral “unsend” feature, but when tested, deleted both message and content.

Mishra said the Android version of Telegram would permanently store photos and videos in the device’s internal storage.

“This works perfectly in groups as well,” he told gpgmail. “If you have a Telegram group of 100,000 members and you send a media message by mistake and you delete it, it only gets deleted from the chat but will remain in media storage of all 100,000 members,” he said.

It’s not known if Telegram users have been affected by the privacy issue. But recently we reported several cases of visa holders who have been denied entry to the U.S. for content on their phones sent by other people.

After gpgmail reached out, Telegram fixed the vulnerability. Mishra received €2,500 from the bug bounty for discovering and disclosing the vulnerability.

A spokesperson for Telegram confirmed the bug fix had rolled out on September 5.



DMVs Are Selling Data to Private Investigators, Marketing Firms



A new report shows that the DMVs (Department of Motor Vehicles) in many states are taking full advantage of the modern information economy, and they’re making bank doing it. The data we’re required to hand over by law in order to qualify for a driver’s license is being used for very different purposes than you likely intend. Specifically, it’s being sold to private investigators.

That’s the result of a major Motherboard investigation into how DMVs are using the personal data of the citizens they supposedly serve. Like a lot of companies these days, DMVs sell data. Insurance companies buy some of the data, but much of it is being sold to other sources, like private investigators. Such data is apparently popular for surveilling cheating spouses, and the same private investigators that advertise such services are apparently major purchasers.

Figure: DMV data sales. Data and graph by Vice.

Multiple DMVs stressed that they don’t sell social security numbers or photographs, as if this represents some kind of meaningful protection. Some contracts with these investigators are for bulk searches; some are targeted searches. The cost per search is as low as $0.01, and these contracts can run for months at a time.

“The selling of personally identifying information to third parties is broadly a privacy issue for all and specifically a safety issue for survivors of abuse, including domestic violence, sexual assault, stalking, and trafficking,” Erica Olsen, director of Safety Net at the National Network to End Domestic Violence, told Motherboard in an email. “For survivors, their safety may depend on their ability to keep this type of information private.”

All of this is perfectly legal, thanks to the Driver’s Privacy Protection Act, which was passed in 1994. While that law was specifically intended to increase the protections surrounding DMV databases, it included specific carve-outs for private investigators. Granted, the text of the law states that private investigators are only allowed to access these records for a “permitted” DPPA use, but apparently that’s not an issue.

The exact data sold varies from state to state, but it typically includes at least a name and address. Other data, including zip codes, phone numbers, date of birth, and email address are also included depending on the state. The DMV also sells data to credit reporting companies like Experian and LexisNexis. Delaware has arrangements with more than 300 entities. Wisconsin has more than 3,000.

Why are DMVs going down this road? Money. Delaware brought in $384,000 for itself between 2015 and 2019, while the Wisconsin DMV brought in $17M in 2018 alone, up from just $1.1M in 2015. In Florida, the DMV made an eye-popping $77M just in 2017. The contracts with various DMVs explicitly state that the purpose of these agreements is to generate revenue, and the states are aware that some of the information they sell to third parties is abused. Whether their controls for catching and locking abusers out of these systems are adequate is an entirely different question.

It is long past time for the United States to pass better privacy laws. There is absolutely no justification for the current free-for-all. There is no standard for how data-sharing agreements should be overseen. Local investigations have found that Florida is selling data to marketing firms, not just private investigators, and some citizens have been hit with an onslaught of robocalls and spam as a result. Florida sells data to Acxiom, one of the largest data brokers in America. Acxiom is not a PI firm, just in case you were wondering. Citizens who have been slammed with robocalls, direct mail, and even door-to-door salesmen showing up at their homes as a result of this relentless data-selling have no recourse. There’s no one to complain to, there’s no way to get taken off the lists, and there’s no way to prevent their own data from being endlessly sold. Robocalls have become such an epidemic that people now actively avoid answering the phone unless they know the number of the person calling them.

People often ask questions like “Why should I care if someone sells my data?” but don’t connect the question to the fact that they get 15 robocalls a day. Sexual assault and domestic violence survivors may not have those kinds of options. But privacy shouldn’t be a right that depends on whether someone is threatening to harm you physically. Privacy should be the default state, particularly when it concerns the government organizations virtually all of us are required to interface with.

If you ever drive in the United States, you must have a driver’s license. Just as with credit reporting agencies, none of us get any choice in the matter. The legal system allows states and the federal government to create effectively mandatory standards because it recognizes that doing so helps ensure the safety of everyone. But if the legal system is going to require that citizens submit data to the federal and/or state government for licensing and registration purposes, it ought to simultaneously require that said data is kept private and only accessed under strictly controlled conditions. The idea that people “opt in” to these practices simply by existing has been stretched past the breaking point. It’s time for a change.


Apple doesn’t want Google ‘stoking fear’ about serious iOS security exploits – gpgmail


Apple has issued a tart response to an extensive report by Google of a serious security flaw in iOS. The flaw, which let an attacker gain root access to a device visiting a malicious website, was reported last week. Apple wants to “make sure all of our customers have the facts,” which is funny, because it’s likely we wouldn’t have any of the facts if Google had not so rigorously documented this issue.

In a brief news post, Apple says that it has heard concerns from its customers and wants to make sure they know they are not at risk.

The attack, Apple says, was “narrowly focused” and not an exploit “en masse.” “The attack affected fewer than a dozen websites that focus on content related to the Uighur community,” Apple wrote.

While it’s true that only a small number of websites were affected, Google said that those websites were visited thousands of times per week — and the attacks were active for about two months. Even a conservative estimate based on these numbers suggests more than a hundred thousand devices could easily have been probed and, if vulnerable, infected. If only 1 in 100 were iPhones, that would be root access to a thousand of the target population. That rock bottom estimate already sounds pretty “en masse” to me.

Furthermore, while it may make the non-Uighurs among us feel better that we were not the targets of this campaign, it’s cold comfort as the targeted demographic could just as easily have been a political or religious institution we do take part in.

Apple takes issue with Google’s suggestion that this offered “the capability to target and monitor the private activities of entire populations in real time.” This was, according to Apple, “stoking fear among all iPhone users that their devices had been compromised.”

Yet Google’s warning in this case seems relevant. An undetectable root exploit for current iPhones deployed via websites popular among a targeted population? That should stoke fear among all iPhone users, since it seems clear that they very well could have been compromised before now. After all, there’s no evidence this Uighur-targeted attack was the only one.

Apple points out that “when Google approached us, we were already in the process of fixing the exploited bugs.” That’s great. But who then wrote up a long technical discussion of the issue so that other security researchers, along with consumers, will be aware?

It’s a bit troubling for Apple to say that “iOS security is unmatched” during the discussion of an incredibly dangerous and powerful exploit that was apparently deployed successfully against an ethnic minority by, almost certainly, the only nation-state that has any interest in doing so. Has Apple explained to the Uighurs whose phones were invisibly and completely taken over by malicious software that it’s okay because “security is a never-ending journey”?

Had Google’s Project Zero researchers not documented this problem, we probably would never have heard about it except as an anonymous “security fixes” decimal point in our mobile operating systems.

Journey or no journey, this was a serious security failure that appears to have been successfully and maliciously exploited in the wild. Apple’s sour grapes and defensive language are out of place here, and a mea culpa would have behooved the company better.



Monster.com says a third-party exposed user data, but didn’t tell anyone – gpgmail


An exposed web server storing résumés of job seekers — including from recruitment site Monster — has been found online.

The server contained résumés and CVs for job applicants spanning between 2014 and 2017, many of which included private information like phone numbers and home addresses, but also email addresses and a person’s prior work experience.

Of the documents we reviewed, most users were located in the United States.

It’s not known exactly how many files were exposed, but thousands of résumés were found in a single folder dated May 2017. Other files found on the exposed server included immigration documentation for work, which Monster does not collect.

A company statement attributed to Monster’s chief privacy officer Michael Jones said the server was owned by an unnamed recruitment partner, which it no longer works with. When pressed, the company declined to name the recruitment partner.

“The Monster Security Team was made aware of a possible exposure and notified the recruitment company of the issue,” the company said, adding the exposed server was secured shortly after it was reported in August.

Although the data is no longer accessible directly from the exposed web server, hundreds of résumés and other documents can be found in results cached by search engines.

But Monster did not warn users of the exposure, and only admitted user data was exposed after the security researcher alerted gpgmail to the matter.

“Customers that purchase access to Monster’s data — candidate résumés and CVs — become the owners of the data and are responsible for maintaining its security,” the company said. “Because customers are the owners of this data, they are solely responsible for notifications to affected parties in the event of a breach of a customer’s database.”

Under local data breach notification laws, companies are obliged to inform state attorneys general where large numbers of users in their states are affected. Although Monster is not duty bound to disclose the exposure to regulators, some companies proactively warn their users even when third parties are involved.

It’s not uncommon for companies to warn their users of a third-party breach. Earlier this year after hackers siphoned off millions of credit cards from the American Medical Collection Agency, a third-party payments processor, its customers — LabCorp and Quest Diagnostics — admitted to the security lapse.

Monster said that because the exposure happened on a customer system, Monster is “not in a position” to identify or confirm affected users.



Facebook’s lead EU regulator is asking questions about its latest security fail – gpgmail


Facebook’s lead data protection regulator in Europe has confirmed it’s put questions to the company about a major security breach that we reported on yesterday.

“The DPC became aware of this issue through the recent media coverage and we immediately made contact with Facebook and we have asked them a series of questions. We are awaiting Facebook’s responses to those questions,” a spokeswoman for the Irish Data Protection Commission told us.

We’ve reached out to Facebook for a response.

As we reported earlier, a security researcher discovered an unsecured database of hundreds of millions of phone numbers linked to Facebook accounts.

The exposed server contained more than 419 million records over several databases on Facebook users from multiple countries, including 18 million records of users in the U.K.

We were able to verify a number of records in the database — including UK Facebook users’ data.

The presence of Europeans’ data in the scraped stash makes the breach a clear matter of interest to the region’s data watchdogs.

Europe’s General Data Protection Regulation (GDPR) imposes stiff penalties for compliance failures such as security breaches — with fines that can scale as high as 4% of a company’s annual turnover.

Ireland’s DPC is Facebook’s lead data protection regulator in Europe under GDPR’s one-stop shop mechanism — meaning it leads on cross-border actions, though other concerned DPAs can contribute to cases and may also chip in views on any formal outcomes that result.

The UK’s data protection watchdog, the ICO, told us it is aware of the Facebook security incident.

“We are in contact with the Irish Data Protection Commission (DPC), as they are the lead supervisory authority for Facebook Ireland Limited. The ICO will continue to liaise with the IDPC to establish the details of the incident and to determine if UK residents have been affected,” an ICO spokeswoman also told us.

It’s not yet clear whether the Irish DPC will open a formal investigation of the incident.

It does already have a large number of open investigations on its desk into Facebook and Facebook-owned businesses since GDPR’s one-stop mechanism came into force — including one into a major token security breach last year, and many, many more.

In the latest breach instance, it’s not clear exactly when Facebook users’ phone numbers were scraped from the platform.

In a response yesterday Facebook said the data-set is “old”, adding that it “appears to have information obtained before we made changes last year to remove people’s ability to find others using their phone numbers”.

If that’s correct, the data breach is likely to pre-date April 2018 — which was when Facebook announced it was making changes to its account search and recovery feature, after finding it had been abused by what it dubbed “malicious actors”.

“Given the scale and sophistication of the activity we’ve seen, we believe most people on Facebook could have had their public profile scraped in this way,” Facebook said at the time.

It would also therefore pre-date GDPR coming into force, in May 2018, so would likely fall under earlier EU data protection laws — which carry less stringent penalties.

