August 30, 2019

For at least two years, hackers used compromised websites to install malware on iPhones that could gather and upload a user's photos, contacts, and other data, Google cybersecurity researcher Ian Beer explained in a blog post Thursday evening. "There was no target discrimination: Simply visiting the hacked site was enough for the exploit server to attack your device, and if it was successful, to install a monitoring implant." The exploits were discovered "in the wild," Beer said, meaning they were being used by real cybercriminals in the real world.

The hackers were able to attack "almost every version from iOS 10 through to the latest version of iOS 12," Beer said, though Apple patched the vulnerability in February after Beer and his associates at Google's Project Zero alerted the company to it. "This indicated a group making a sustained effort to hack the users of iPhones in certain communities over a period of at least two years." He did not speculate as to who was behind the attack or which groups it targeted, and he didn't name the hacked websites, saying only they were visited thousands of times a week. Apple told BBC News it did not wish to comment on Beer's post.

iPhone users should download the latest updates for their devices, but "the reality remains that security protections will never eliminate the risk of attack if you're being targeted," Beer writes. "All that users can do is be conscious of the fact that mass exploitation still exists and behave accordingly; treating their mobile devices as both integral to their modern lives, yet also as devices which when compromised, can upload their every action into a database to potentially be used against them." Peter Weber

June 25, 2017

Anyone who checked the website of Ohio Gov. John Kasich (R) on Sunday morning would have been surprised to find a pro–Islamic State message.

The Ohio Department of Administrative Services said 10 state websites and two servers were affected, and law enforcement is investigating how they were hacked. Kasich's website contained a message that read: "You will be held accountable Trump, you and all your people for every drop of blood flowing in Muslim countries. I love Islamic State." It also said the site had been "hacked by Team System Dz."

A spokeswoman for Kasich told Bloomberg that as soon as they heard about what happened, "we immediately began to correct it, and will continue to monitor until fully resolved." The New York Post reports that the same message, along with music, appeared on the website for the town of Brookhaven, New York, on Long Island. Catherine Garcia

May 6, 2017

French presidential candidate Emmanuel Macron is the subject of a "massive and coordinated hacking operation," his campaign said Friday evening, an attack timed in advance of Sunday's runoff vote between Macron, the centrist frontrunner, and far-right nationalist Marine Le Pen.

Some 14.5 gigabytes of content in about 70,000 files — including emails, business documents, and more — were leaked via a text storage site called Pastebin. The Macron campaign says falsified files were mixed among the real ones "to create confusion and misinformation," comparing the attack to allegations of Russian attempts to manipulate the U.S. presidential election by leaking information from the Hillary Clinton campaign.

Le Pen's staff said they have also been subject to "regular and targeted attacks," a claim that has not been independently confirmed. Both campaigns are prohibited from making any further public statements until voting is over, as French law mandates campaigning cease Friday at midnight through Sunday evening, when results are announced. Bonnie Kristian

December 15, 2016

Yahoo announced Wednesday that more than a billion user accounts could have been compromised in a 2013 hack. Among that number are more than 150,000 U.S. government or military employees, Bloomberg reports: "These employees had given their official government accounts to Yahoo in case they were ever locked out of their email," they write.

Criminals or foreign intelligence services could now have the names, passwords, phone numbers, birthdays, and security questions of government employees, potentially compromising national security. Government employees, even low-level ones, are appealing targets for hackers, who will go down the list "one by one," Frank Zou of HoloNet Security told Bloomberg. "They're easy targets."

Government accounts compromised by the Yahoo hack include current and former White House staff, U.S. congressmen, FBI agents, officials at the National Security Agency, the Central Intelligence Agency, the Office of the Director of National Intelligence, international diplomats, and all of the branches of the military. "The difference of Yahoo hack between any other hack is in that it may really destroy your privacy," cybersecurity researcher Andrew Komarov said, "and potentially have already destroyed it several years ago without your knowledge." Jeva Lange

September 13, 2016

A group of Russian hackers who go by the name "Fancy Bear" breached the World Anti-Doping Agency's (WADA) database containing drug test results and medical information from Rio Olympic athletes, WADA confirmed Tuesday. The group, which also goes by "Tsar Team (APT28)," targeted American athletes, including tennis players Serena and Venus Williams and gymnast Simone Biles, and then leaked that the three had been given "medical exemptions to use banned drugs," The New York Times reported. Fancy Bear cited its findings as evidence that "WADA and the IOC's Medical and Scientific Department are corrupt and deceitful."

In a statement Tuesday, the IOC maintained "the athletes mentioned did not violate any anti-doping rules during the Olympic Games." "In fact, in each of the situations, the athlete has done everything right in adhering to the global rules for obtaining permission to use a needed medication," said Travis Tygart, CEO of the U.S. Anti-Doping Agency. "The cyber-bullying of innocent athletes being engaged by these hackers is cowardly and despicable."

WADA said it believes hackers gained access through "spear phishing of email accounts." The hacking group may also be behind recent breaches of the Democratic National Committee and a French television network. The Washington Post reported the group is believed to "report to Russian government intelligence agencies." Becca Stanek

July 27, 2015

It's every publisher's worst nightmare: On the day a massive story is set to run, your website suddenly goes offline. Unfortunately, it's a nightmare that just became a reality for New York magazine. Less than 24 hours after publishing interviews with 35 different women who spoke about being assaulted by Bill Cosby, the magazine's website has gone down due to a distributed denial of service attack allegedly caused by a person affiliated with the hacking group Vikingdom2016.

The alleged hacker, using the handle "ThreatKing," wasn't even aware that New York was publishing the Cosby story today. ThreatKing is simply on a crusade to shut down any publication with "New York" in its name, due to a personal dislike for New York City. "I went to New York two months ago. It was really bad," said ThreatKing in an interview with The Daily Dot. "Someone pranked me. Everyone started laughing and shit. The first 10 hours being there. Some African-American tried to prank me with a fake hand gun." ThreatKing's future New York-centric targets include The New York Times, the website of New York's FBI bureau, and New York University.

ThreatKing told The Daily Dot that the goal is to keep New York offline for 14 hours. In the meantime, you can see excerpts from the Cosby story on New York's Instagram account. Scott Meslow

February 28, 2015

Car-hailing service Uber announced on Friday that a data breach left the personal information of about 50,000 drivers vulnerable, The Wall Street Journal reports.

While the company said it discovered the hack in September, it waited nearly five months to report the breach, an amount of time one data-breach expert called "an unusual delay."

Most states leave notification time requirements vague, but the maximum among those that do offer specifics is 60 days. Uber said it has not received any misuse reports from drivers, and noted that the 50,000 affected make up a small percentage of the hundreds of thousands of drivers working with the company. Sarah Eberspacher

December 17, 2014

Filmmaker Judd Apatow didn't take kindly to the news that Sony canceled The Interview's Dec. 25 release to major theaters. The company has been a target of a series of anonymous hacks over the last few weeks.

We'd bet the epic tweet rant has something to do with the fact that stars James Franco and Seth Rogen are Apatow's protégés. Julie Kliegman
