Pre-IPO online fashion marketplace Poshmark announces data breach
Pre-IPO online fashion marketplace Poshmark announces data breach
By William Knowles @c4i
Senior Editor
InfoSec News
August 1, 2019
Poshmark, the largest social commerce marketplace for fashion alerted users on Thursday via email and their blog that “data from some Poshmark users was acquired by an unauthorized third party.”
“The data acquired does not include any financial or physical address information, and we do not believe your password was compromised.” Poshmark recommends that you change your password as a precaution and security best practice.”
According to Poshmark, Canadian users weren’t affected and this data breach was limited to U.S. users only.
The data that was stolen includes “certain user profile information specified for public use such as username, first and last name, gender, and city.” “Certain internal account information such as email address, user ID, size preferences, and one-way encrypted passwords salted uniquely per user (making it nearly impossible to use these passwords to access an account), as well as social media profile information collected when users connect social media accounts to Poshmark” and “Certain internal Poshmark preferences for email and push notifications”
The Poshmark security notice continues to say “We take the trust you have placed in us extremely seriously, and immediately upon learning of this incident, we expanded our security measures even further. We conducted an internal investigation and retained outside experts, including a leading security forensics firm. The security forensics firm we retained ran extensive testing designed to find vulnerabilities in our software and systems. After the testing, the firm reported that it did not find any material vulnerabilities. While our security was already strong, we have implemented enhanced security measures across all systems to help prevent this type of incident from happening in the future.”
How this data breach will affect Poshmark’s reported fall IPO is unclear, Poshmark has tapped Goldman Sachs Group Inc. and Morgan Stanley as its underwriters, according to the WSJ.
The Redwood City-based company was founded in 2011 by Manish Chandra, Tracy Sun, Gautam Golwala and Chetan Pungaliya and has raised about $153 million since its inception in 2011. Its last funding round, an $87.5 million Series E announced in November 2017, gave it a valuation of $600 million, according to its Crunchbase profile. Backers include Mayfield Fund , Menlo Ventures, Temasek Holdings, and GGV Capital.
U.S. Army Cyber Command releases the DoD Identity Awareness and Protection Management Guide
By William Knowles @c4i
Senior Editor
InfoSec News
August 1, 2019
U.S. Army Cyber Command has posted the DoD Identity Awareness and Protection Management Guide for easy downloading.
The Identity Awareness, Protection, and Management (IAPM) Guide is a comprehensive resource to help you protect your privacy and secure your identity data online.
The IAPM Guide is divided into two-page chapters detailing key privacy considerations on the most popular online services, mobile apps, and consumer devices available in the market today. Each chapter provides you with tools, recommendations, and step-by-step guides to implement settings that maximize your security. The guide is updated twice a year, in March and September.
While some of the chapters in the IAPM Guide deal with technical issues, they do not require a technical background to follow.
The US Department of Defense creates this guide as a public service and hopes this guide will help readers keep their identities private and secure.
CISA Statement on Iranian Cybersecurity Threats
By William Knowles @c4i
Senior Editor
InfoSec News
June 24, 2019
Release Date:
June 22, 2019
WASHINGTON – In response to reports of an increase in cybersecurity threats, the Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) Director Christopher C. Krebs issued the following statement:
“CISA is aware of a recent rise in malicious cyber activity directed at United States industries and government agencies by Iranian regime actors and proxies. We will continue to work with our intelligence community and cybersecurity partners to monitor Iranian cyber activity, share information, and take steps to keep America and our allies safe.
“Iranian regime actors and proxies are increasingly using destructive ‘wiper’ attacks, looking to do much more than just steal data and money. These efforts are often enabled through common tactics like spear phishing, password spraying, and credential stuffing. What might start as an account compromise, where you think you might just lose data, can quickly become a situation where you’ve lost your whole network.
“In times like these it’s important to make sure you’ve shored up your basic defenses, like using multi-factor authentication, and if you suspect an incident – take it seriously and act quickly. You can find other tips and best practices for staying safe online here.
“Anyone who has relevant information or suspects a compromise should immediately contact us at [email protected]”
Riviera Beach Florida City Council Agrees to Pay Cybercriminals Nearly $600K Malware Ransom
By William Knowles @c4i
Senior Editor
InfoSec News
June 20, 2019
Riviera Beach Florida just became the newest member of a club no city or local government hopes to join. Taking only a few minutes and by a unanimous vote of 5-0 on Monday night the board authorized Riviera Beach’s insurer to pay 65 bitcoins valued at approximately $592K USD. Paying off a malware ransom that has crippled all of the city’s information technology infrastructure since May 29th after someone in the police department clicked on a malicious email.
But unlike the 2000 action flick Proof of Life, there’s no guarantee paying the ransom will unlock the affected computer network and all the encrypted files, and while its 2019, Its not likely Cyber-Insurance companies have former 22nd SAS and 75th Ranger Battalion types running around the world with machine guns blazing for a successful hostage rescue of a malware-infected network.
The council held a special meeting earlier in June to authorize $941,000 for 310 new desktop and 90 laptop computers and other hardware. Much of the existing hardware was a half-dozen-years old and vulnerable to another malware attack, so it was time to replace it anyway, Riviera Beach Councilwoman Julie Botel said.
In a 2016 survey, CIO’s for local governments across the country said more than a third of them were using outdated technology, making them more vulnerable to attacks. Riviera Beach will also spend an additional $25,000 coming out of their budget, to cover its insurance policy deductible.
With rising deficits and pension obligations, its understandable how a city like Riviera Beach or Baltimore Maryland can be compromised so easily when there isn’t the budget to hire a full-time information security professional and institute security awareness training for topics like not clicking on shit or scanning random QR codes.
Chad Loder, Founder & CEO of security awareness training firm Habitu8 posted on Twitter recently.
I’m astounded that some companies still purchase the cheapest security awareness training content “to save money”, but will put 2,000 employees each through an hour of terrible training.
You’re not saving money – you’re wasting it.
Chad Loder (@chadloder) – 19 Jun 2019
Cities across the United States and around the world will now have to decide, what is cheaper? hiring a full-time security professional, a part-time person, a managed service provider, or just paying the ransom and hope the files recover completely. However, hope is not a strategy.
With additional reporting from The Palm Beach Post