Thief steals $1 million of Bored Ape Yacht Club NFTs with Instagram hack

A hacker has stolen NFTs worth millions of dollars after compromising the official Instagram account for Bored Ape Yacht Club (BAYC) and using it to post a phishing link that transferred tokens out of users’ crypto wallets.

The hack was disclosed on Twitter by BAYC just before 10AM ET on Monday morning. “There is no mint going on today,” the Tweet read. “It looks like BAYC Instagram was hacked.”

Another tweet from a user unaffiliated with the project claimed to show the image that had been posted from the BAYC account, promoting an “airdrop” — essentially a free token giveaway — for any users who connected their MetaMask wallets.

Unfortunately, BAYC’s warning came too late for a number of holders of the extremely expensive Bored Ape NFTs, along with many other valuable NFTs stolen in the hack. A screenshot posted by one Twitter user showed an OpenSea page for the hacker’s account receiving more than a dozen NFTs from the Bored Ape, Mutant Ape, and Bored Ape Kennel Club projects — all presumably taken from users who connected their wallets after clicking on the phishing link.

The profile page tied to the hacker’s wallet address was no longer visible on OpenSea at time of publication. OpenSea head of communications Allie Mack confirmed to The Verge that the hacker’s account had been banned on the platform, as OpenSea’s terms of service prohibited fraudulently obtaining items or otherwise taking them without authorization.

But given the decentralized nature of NFTs, the contents of the hacker’s wallet can still be viewed on other platforms. Seen through the NFT platform Rarible, the wallet contained 134 NFTs, among them four Bored Apes and many other items from projects made by Yuga Labs — the creators of BAYC — such as Mutant Apes and Bored Ape Kennel Club.

Independently, each of the stolen Apes is worth well into six figures based on the most recent sale price. The lowest priced Ape, #7203, last sold four months ago for 47.9 ETH — equivalent to $138,000 at current exchange price. Ape #6778 was last sold for 88.88 ETH ($256,200), while Ape #6178 sold for 90 ETH or $259,400. And Bored Ape #6623 was the most valuable of all, sold three months ago for 123 ETH ($354,500) — meaning that collectively the total value of the four stolen Apes is just over $1 million.

It is not known yet how the hacker was able to compromise the project’s Instagram account. In a statement sent to The Verge by email and also posted on Twitter, Yuga Labs said that two-factor authentication was enabled at the time of the attack and that the security of the Instagram account followed best practices. Yuga Labs also said that the team was actively working to establish contact with affected users.

Though NFTs can be bought and sold for huge sums of money, they are often held in smartphone wallets rather than more secure environments because the popular decentralized crypto wallet application MetaMask only supports NFT display on mobile. It also encourages users to manage NFTs through the smartphone app rather than the browser-based extension. This means that the use of Instagram to deliver a phishing link is an effective way to steal NFTs, as the phishing link is more likely to be interacted with from a mobile wallet.

While security advice in the crypto space suggests NFT holders never connect their wallet to an unknown or untrusted third party, the fact that the phishing link was sent through the official BAYC social media account likely convinced the victims that it was legitimate, raising difficult questions about where exactly the fault lies.

Yuga Labs did not respond to an email from The Verge asking whether victims of the hack would be compensated by the project for their losses.

Repost: Original Source and Author Link


Former Amazon employee convicted over 2019 Capital One hack

A former Amazon Web Services (AWS) engineer has been found guilty of hacking into customers’ cloud storage systems and stealing data linked to the massive 2019 Capital One breach. A US District Court in Seattle convicted Paige Thompson of seven counts of computer and wire fraud on Friday, a crime punishable by up to 20 years in prison.

Thompson, who also went by the name “Erratic” online, was arrested for carrying out the Capital One hack in July 2019. The breach was one of the largest ever recorded, exposing the names, birth dates, social security numbers, email addresses, and phone numbers of over 100 million people in the US and Canada. Capital One has since been fined $80 million for allegedly failing to secure users’ data and settled with affected customers for $190 million.

A press release from the Department of Justice (DOJ) states Thompson developed a tool that scanned AWS for misconfigured accounts and then leveraged these accounts to gain access to the systems of Capital One and dozens of other AWS customers. Prosecutors also say Thompson “hijacked” companies’ servers to install cryptocurrency mining software that would transfer any earnings to her personal crypto wallet. She then “bragged” about her misdoings in online forums and over text messages.

At the time, there was some debate as to whether Thompson was an ethical hacker or security researcher due to her unusual candidness about her role in the Capital One attack online — she posted customers’ sensitive data on a public GitHub page and shared the details of the breach on Twitter and Slack. Earlier this year, the Justice Department made it clear that it wouldn’t prosecute good-faith security research under the Computer Fraud and Abuse Act. But US prosecutors obviously weren’t convinced Thompson’s actions fell under this exception.

“Far from being an ethical hacker trying to help companies with their computer security, she exploited mistakes to steal valuable data and sought to enrich herself,” US attorney Nick Brown said in a statement. Thompson’s sentencing hearing will take place on September 15th, 2022.



Okta ends Lapsus$ hack investigation, says breach lasted just 25 minutes

Three months after authentication platform Okta was breached by hacking group Lapsus$, the company has concluded its internal investigation after finding that the impact was less serious than initially believed.

In a blog post published Tuesday, Okta’s chief security officer David Bradbury noted that the company had been transparent by sharing details of the hack soon after it was discovered but that further analysis had downgraded early assessments of the potential scope.

“As a result of the thorough investigation of our internal security experts, as well as a globally recognized cybersecurity firm whom we engaged to produce a forensic report, we are now able to conclude that the impact of the incident was significantly less than the maximum potential impact Okta initially shared on March 22, 2022,” Bradbury wrote.

Hackers from the Lapsus$ hacker group compromised Okta’s systems on January 21st by gaining remote access to a machine belonging to an employee of Sitel, a company subcontracted to provide customer service functions for Okta. Details of the hack emerged two months later when a member of Lapsus$ shared screenshots of Okta’s internal systems in a Telegram channel — an incident that Bradbury labeled “an embarrassment” for the Okta security team.

More than an embarrassment, the breach was especially worrying because of Okta’s role as an authentication hub for managing access to numerous other technology platforms. For companies using enterprise software like Salesforce, Google Workspace, or Microsoft Office 365, Okta can provide a single point of secure access, letting administrators control how, when, and where users log on — and, in a worst-case scenario, give a hacker access to a company’s entire software stack at once.

In a briefing with press and customers held in March, Bradbury said that the company’s security protocols had limited the hackers’ access to internal systems, a statement that seems to have been borne out by the final investigation.

While Okta’s early report concluded that the maximum period of unauthorized access was no more than five days, the recent forensic report found that the access period was actually just 25 minutes. And where the previous impact assessment capped the maximum number of organizations affected at 366, the new report found that only two Okta customers’ authentication systems had been accessed.

During this brief access period, Lapsus$ had not been able to authenticate directly to any customer accounts or make configuration changes, Okta said.

In light of the forensic report, Okta’s handling of the breach seems to have been done in accordance with best practices for disclosure and response, although the company’s reputation may still have taken a hit.

“While the overall impact of the compromise has been determined to be significantly smaller than we initially scoped, we recognize the broad toll this kind of compromise can have on our customers and their trust in Okta,” Bradbury said.



Okta hack puts thousands of businesses on high alert

Okta, an authentication company used by thousands of organizations around the world, has now confirmed an attacker had access to one of its employees’ laptops for five days in January 2022 and that around 2.5 percent of its customers may have been affected — but maintains its service “has not been breached and remains fully operational.”

The disclosure comes as hacking group Lapsus$ has posted screenshots to its Telegram channel claiming to be of Okta’s internal systems, including one that appears to show Okta’s Slack channels, and another with a Cloudflare interface.

Any hack of Okta could have major ramifications for the companies, universities, and government agencies that depend upon Okta to authenticate user access to internal systems.

“We have concluded that a small percentage of customers – approximately 2.5 percent – have potentially been impacted and whose data may have been viewed or acted upon,” Okta chief security officer David Bradbury wrote in an update Tuesday evening. “We have identified those customers and are contacting them directly. If you are an Okta customer and were impacted, we have already reached out directly by email. We are sharing this interim update, consistent with our values of customer success, integrity, and transparency.”

In an earlier statement on Tuesday afternoon, Okta said that an attacker would only have had limited access during that five-day period — limited enough that the company claims “there are no corrective actions that need to be taken by our customers.”

Here’s what Bradbury says is and isn’t at stake when one of its support engineers is compromised:

The potential impact to Okta customers is limited to the access that support engineers have. These engineers are unable to create or delete users, or download customer databases. Support engineers do have access to limited data – for example, Jira tickets and lists of users – that were seen in the screenshots. Support engineers are also able to facilitate the resetting of passwords and MFA factors for users, but are unable to obtain those passwords.

Writing in its Telegram channel, the Lapsus$ hacking group claims to have had “Superuser/Admin” access to Okta’s systems for two months, not just five days, that it had access to a thin client rather than a laptop, and claims that it found Okta storing AWS keys in Slack channels. The group also suggested it was using its access to zero in on Okta’s customers.
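Whether or not the Lapsus$ claim about AWS keys in Slack was true of Okta, chat exports are one of the places long-lived cloud credentials end up, and scanning them is cheap. The scanner below is an added example written for this page, not code from Okta, Sitel or Lapsus$. The messages are constructed, the credential values are the placeholder formats from AWS’s own documentation, and the entropy threshold and the hex exclusion are the author’s heuristics for keeping git commit hashes and repeated text out of the results.

```python
import math
import re
from collections import Counter

# Long-term AWS access key IDs start with AKIA (ASIA for temporary ones) and
# are followed by 16 upper-case alphanumerics.
ACCESS_KEY_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
# Secret access keys are 40 characters from the base64 alphabet. The pattern
# alone over-matches (git SHAs, base64 blobs), so candidates are filtered below.
SECRET_CANDIDATE_RE = re.compile(
    r"(?<![A-Za-z0-9/+=])[A-Za-z0-9/+=]{40}(?![A-Za-z0-9/+=])"
)
HEX40_RE = re.compile(r"^[0-9a-fA-F]{40}$")

# Constructed chat export (assumption: not real Okta or Slack data). The key
# values are the placeholder credentials from AWS's own documentation.
SAMPLE_MESSAGES = [
    {"user": "alice", "text": "deploy finished, runbook updated"},
    {"user": "bob", "text": "creds for the staging bucket: AKIAIOSFODNN7EXAMPLE / "
                            "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"},
    {"user": "carol", "text": "reverting commit 3f2a9c1b7e5d4a6f8b0c2d1e9a7b3c5d6e8f0a1b"},
    {"user": "dave", "text": "placeholder " + "x" * 40 + " in the template"},
]


def shannon_entropy(s: str) -> float:
    """Bits per character; 0.0 for an empty string or one repeated symbol."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def scan_message(text: str, min_entropy: float = 4.0) -> list:
    """Return (kind, value) pairs for credentials found in one message.

    min_entropy is an assumption: random base64 keys sit near 5 bits/char,
    English text and hex below 4.
    """
    findings = [("aws_access_key_id", m.group(0)) for m in ACCESS_KEY_RE.finditer(text)]
    for m in SECRET_CANDIDATE_RE.finditer(text):
        cand = m.group(0)
        if HEX40_RE.match(cand):
            continue  # 40 hex digits is a git commit hash far more often than a key
        if shannon_entropy(cand) < min_entropy:
            continue  # repeated or dictionary text, not a randomly generated secret
        findings.append(("aws_secret_access_key", cand))
    return findings


def scan_export(messages) -> list:
    """Return (user, kind, redacted) for every hit, keeping only the ends of the value."""
    return [
        (msg["user"], kind, value[:4] + "..." + value[-4:])
        for msg in messages
        for kind, value in scan_message(msg["text"])
    ]


if __name__ == "__main__":
    for user, kind, redacted in scan_export(SAMPLE_MESSAGES):
        print(f"{user}: {kind} {redacted}")
```

The redaction matters in practice: a scanner that copies the full secret into a ticket or alert has just created a second place the key is stored.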

The Wall Street Journal notes that in a recent filing Okta said it had over 15,000 customers around the world. It lists the likes of Peloton, Sonos, T-Mobile, and the FCC as customers on its website. Based on the given figure of “approximately 2.5 percent,” the number of these customers that have been affected could approach 400.

In an earlier statement sent to The Verge, Okta spokesperson Chris Hollis said the company has not found evidence of an ongoing attack. “In late January 2022, Okta detected an attempt to compromise the account of a third party customer support engineer working for one of our subprocessors. The matter was investigated and contained by the subprocessor,” Hollis said. “We believe the screenshots shared online are connected to this January event.”

“Based on our investigation to date, there is no evidence of ongoing malicious activity beyond the activity detected in January,” Hollis continued. But again, writing in their Telegram channel, Lapsus$ suggested that it had access for a few months.

Lapsus$ is a hacking group that’s claimed responsibility for a number of high-profile incidents affecting Nvidia, Samsung, Microsoft, and Ubisoft, in some cases stealing hundreds of gigabytes of confidential data.

Okta says it terminated its support engineer’s Okta sessions and suspended the account back in January, but claims it only received the final report from its forensics firm this week.

Update, 2:38PM ET: Added Okta’s statement and claims that the hack was very limited, with no corrective actions that need to be taken.

Update, 2:58PM ET: Added the Lapsus$ hacker group’s claim that it had access to a thin client rather than a laptop, that it found Okta storing AWS keys in Slack channels.

Update, 11:30PM ET: Added details from Okta’s updated statement.



Okta says security protocols limited hack, but response came too slow

After the disclosure of a hack affecting its authentication platform, Okta has maintained that the effects of the breach were mostly contained by security protocols and reiterated that users of the service do not need to take corrective action as a result.

The statements were made by David Bradbury, chief security officer at Okta, in a video call with customers and press Wednesday morning.

On Monday, hacking group Lapsus$ released images demonstrating that the group had compromised Okta’s internal systems, putting thousands of businesses that rely on the authentication tool on high alert.

“The sharing of these screenshots is an embarrassment for myself and the entire Okta team,” Bradbury said at the start of the call. “Today I want to provide my perspective on what has transpired, and where we are with this investigation.”

In the course of a ten-minute briefing, Bradbury said that the hackers had compromised Okta’s systems by gaining remote access to a machine belonging to an employee of Sitel — a company subcontracted to provide customer service functions for Okta. Using a remote desktop protocol, the hackers were able to input commands into the compromised machine and view the monitor output, enabling them to take screenshots, Bradbury said.

None of Okta’s systems were directly breached, the CSO said, but the Sitel support engineer’s machine was logged into Okta when it was compromised and remained so from the date of compromise on January 16th until the Okta security team became aware and suspended the account on January 21st.

However, due to the use of least privilege access protocols — in which a network user is only allowed to perform the minimum set of actions necessary for their job — the hackers were limited in what they could access through a support engineer’s account, leading Okta to state that no corrective action was needed from users of the service.

Details of the breach were compiled by a forensic investigation firm that had been engaged shortly after the unauthorized access was discovered, but the full report had not been provided to Okta until recently, according to Bradbury.

“I am greatly disappointed by the long period of time that transpired between our initial notification to Sitel in January, and the issuance of the complete investigation report just hours ago,” Bradbury said.

While impacts of the breach appear to be less severe than first feared, the Lapsus$ hacker group is emerging as a prolific and persistent threat, having mounted confirmed hacks against a number of large tech companies, and claimed responsibility for other incidents that have not yet been concretely attributed to the group.

On Tuesday – the same day that the Okta hack was confirmed – Lapsus$ also posted source code stolen from Microsoft’s Bing and Cortana products, obtained through compromise of an employee account.

Graphics card manufacturer Nvidia was also hacked by the group in late February, and had employee credentials leaked online. In a similar time frame, Lapsus$ claimed responsibility for a breach of South Korean tech giant Samsung in which source code for Galaxy devices was obtained, and also implied that the group was responsible for a “cyber security incident” affecting games developer Ubisoft.

Security professionals see the group as a sophisticated and versatile threat actor and are advising potential targets to proactively guard against methods of compromise.

“This group’s ‘all in’ approach to target its victims with ransom, SIM swapping, exploits, dark web reconnaissance, and reliable phishing tactics shows the focus and open toolbox used to accomplish its goals,” said Mark Ostrowski, head of engineering at Check Point Software. “Companies and organizations across the globe should focus on education of these tactics to their users, deploy prevention strategies in all aspects of their cyber security programs, and inventory all points of access looking for potential weaknesses.”



Lapsus$ gang claims new hack with data from Apple Health partner

After a short “vacation,” the Lapsus$ hacking gang is back. In a post shared through the group’s Telegram channel on Wednesday, Lapsus$ claimed to have stolen 70GB of data from Globant — an international software development firm headquartered in Luxembourg, which boasts some of the world’s largest companies as clients.

Screenshots of the hacked data, originally posted by Lapsus$ and shared on Twitter by security researcher Dominic Alvieri, appeared to show folders bearing the names of a range of global businesses: among them were delivery and logistics company DHL, US cable network C-Span, and French bank BNP Paribas.

Also in the list were tech giants Facebook and Apple, with the latter referred to in a folder titled “apple-health-app.” The data appears to be development material for Globant’s BeHealthy app, described in a prior press release as software developed in partnership with Apple to track employee health behaviors using features of the Apple Watch. Apple did not respond to a request for comment at time of publication.

Globant acknowledged the hack in a press release later the same day. “According to our current analysis, the information that was accessed was limited to certain source code and project-related documentation for a very limited number of clients,” the company said. “To date, we have not found any evidence that other areas of our infrastructure systems or those of our clients were affected.”

On Telegram, Lapsus$ shared a torrent link to the allegedly stolen data with a message announcing, “We are officially back from a vacation.”

If confirmed, the leak would show a swift return to activity after seven suspected members of Lapsus$ were arrested by British police less than a week ago.

The arrests, first reported on March 24th by BBC News, were carried out by City of London Police after a yearlong investigation into the alleged ringleader of the gang, who is believed to be a teenager living with his parents in Oxford. On the other side of the Atlantic, the FBI is also seeking information on Lapsus$ related to the breach of US companies.

The Lapsus$ gang has been remarkably prolific in the range and scale of companies it has breached, having previously extracted data from a number of well-known technology companies, including Nvidia, Samsung, Microsoft, and Vodafone.

Most recently, Lapsus$ was in the spotlight for a hack affecting the authentication platform Okta, which put thousands of businesses on high alert against subsequent breaches. The latter hack has been an embarrassment for a company that provides security services to other businesses and led to criticism of Okta for a slow disclosure.

Correction, 1:38PM ET: A previous version of this post overstated the connection between the breached data and Apple. The data labelled as “apple-health” was not data from Apple itself, but from an app developed in partnership with Apple. The Verge regrets the error.

Update 5:25 PM ET: Added statement from Globant.



Ubiquiti hack may have been an inside job, federal charges suggest

An indictment from the Department of Justice suggests that the Ubiquiti hack reported in January, and subsequent whistleblower claims of a cover-up, were the work of someone who was then an employee of the company. The DOJ says that Nickolas Sharp, 36, was arrested on Wednesday on accusations that he used his employee credentials to download confidential data and sent anonymous demands to the company he worked for, pretending to be a hacker, in an attempt to get a ransom of 50 Bitcoin.

The indictment doesn’t specifically name Ubiquiti, only referring to a “Company-1.” However, all the details line up. In January, Ubiquiti sent an email to users saying an unauthorized party had accessed its “information technology systems hosted by a third party cloud provider.” In March, someone claiming to be a whistleblower represented the incident as “catastrophic,” alleging that the company couldn’t tell the full extent of the attack because it wasn’t keeping logs and that the attacker had access to Ubiquiti’s Amazon Web Services (AWS) servers.

The indictment says the company is based in New York, which Ubiquiti is, and says that the company’s stock price fell by around 20 percent between March 30th and March 31st after news broke of the incident. According to Yahoo Finance, Ubiquiti’s stock was worth $376.78 on March 29th and fell to $298.30 by March 31st.

Perhaps most notable is the allegation that Sharp posed as a whistleblower to media outlets in late March 2021 — the same time a whistleblower accused Ubiquiti of covering up the data breach’s severity, despite the company’s denial that user data was targeted. We also viewed a LinkedIn profile that appears to belong to Sharp and shows him working for Ubiquiti during the timespan listed in the indictment.

The DOJ alleges that Sharp accessed the company’s Amazon Web Services and Github accounts after applying for a job at another company in December 2020. The indictment says that another employee discovered the breach days after Sharp downloaded “gigabytes” of confidential data and applied AWS policies to limit logging. Sharp was allegedly assigned to the response team meant to assess the incident, and the DOJ says he used this position to try and avoid suspicion.
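The detail that the attacker “applied AWS policies to limit logging” is the one a defender can act on: the control-plane calls that stop, delete or shorten audit logging are themselves logged, and they should page someone. The detector below is an added example written for this page, not code from Ubiquiti or the DOJ. The CloudTrail records are constructed in CloudTrail’s JSON envelope, the list of API calls treated as log tampering and the seven-day retention threshold are the author’s assumptions, and the page says nothing about which calls were actually used.

```python
import json
from collections import Counter

# CloudTrail, CloudWatch Logs and S3 calls that stop, delete or shorten audit
# logging. Assumption: this list is the author's; the indictment as reported
# here says only that "AWS policies" were applied to limit logging.
LOG_TAMPERING_CALLS = {
    "StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors",
    "DeleteLogGroup", "DeleteLogStream", "PutRetentionPolicy",
    "PutBucketLifecycle", "PutBucketLifecycleConfiguration", "DeleteBucket",
}
MAX_TOLERATED_RETENTION_DAYS = 7  # assumption: a retention cut below this is suspicious

# Constructed sample trail (assumption: invented account, principals and IPs).
SAMPLE_TRAIL = """
{"Records": [
 {"eventTime": "2020-12-21T02:10:31Z", "eventSource": "cloudtrail.amazonaws.com",
  "eventName": "DescribeTrails", "sourceIPAddress": "203.0.113.10",
  "userIdentity": {"arn": "arn:aws:iam::111122223333:user/eng-a"},
  "requestParameters": null},
 {"eventTime": "2020-12-21T02:11:04Z", "eventSource": "cloudtrail.amazonaws.com",
  "eventName": "StopLogging", "sourceIPAddress": "203.0.113.10",
  "userIdentity": {"arn": "arn:aws:iam::111122223333:user/eng-a"},
  "requestParameters": {"name": "org-trail"}},
 {"eventTime": "2020-12-21T02:12:40Z", "eventSource": "logs.amazonaws.com",
  "eventName": "PutRetentionPolicy", "sourceIPAddress": "203.0.113.10",
  "userIdentity": {"arn": "arn:aws:iam::111122223333:user/eng-a"},
  "requestParameters": {"logGroupName": "/aws/vpc/flowlogs", "retentionInDays": 1}},
 {"eventTime": "2020-12-21T09:00:00Z", "eventSource": "logs.amazonaws.com",
  "eventName": "PutRetentionPolicy", "sourceIPAddress": "cloudformation.amazonaws.com",
  "userIdentity": {"arn": "arn:aws:iam::111122223333:role/ops-automation"},
  "requestParameters": {"logGroupName": "/aws/lambda/billing", "retentionInDays": 365}}
]}
"""


def load_records(trail_json: str) -> list:
    """Parse the CloudTrail log-file envelope: a top-level object with a Records array."""
    return json.loads(trail_json)["Records"]


def classify_event(event: dict):
    """Return a reason string if the event tampers with logging, else None."""
    name = event.get("eventName")
    if name not in LOG_TAMPERING_CALLS:
        return None
    params = event.get("requestParameters") or {}
    if name == "PutRetentionPolicy":
        days = params.get("retentionInDays")
        if days is None or days > MAX_TOLERATED_RETENTION_DAYS:
            return None  # lengthening retention is routine housekeeping
        return f"log retention cut to {days} day(s) on {params.get('logGroupName')}"
    target = params.get("name") or params.get("bucketName") or "unknown target"
    return f"{name} on {target}"


def triage(records: list) -> list:
    """One finding per tampering event: when, which principal, from where, what."""
    findings = []
    for ev in records:
        reason = classify_event(ev)
        if reason:
            findings.append({
                "time": ev.get("eventTime"),
                "principal": (ev.get("userIdentity") or {}).get("arn"),
                "source_ip": ev.get("sourceIPAddress"),
                "reason": reason,
            })
    return findings


def repeat_tamperers(findings: list) -> list:
    """Principals with more than one tampering call: a stronger signal than a lone change."""
    counts = Counter(f["principal"] for f in findings)
    return sorted(p for p, c in counts.items() if c > 1)


if __name__ == "__main__":
    hits = triage(load_records(SAMPLE_TRAIL))
    for h in hits:
        print(h["time"], h["principal"], h["source_ip"], h["reason"])
    print("repeat offenders:", repeat_tamperers(hits))
```

This only works if the trail that records these calls is not the one being stopped, which is the argument for shipping CloudTrail to a separate, write-once account that the engineers whose actions it records cannot administer.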

According to the indictment, Sharp sent an anonymous ransom email that promised not to publish the data and help the company patch a backdoor if he was paid 50 Bitcoin by January 10th, 2021. The DOJ alleges that Sharp released some of the stolen data when the company didn’t pay the ransom.

The DOJ says that it was able to track down Sharp because of one tiny technical glitch — Sharp allegedly used SurfShark VPN to mask his identity while taking data and sending emails, but “in one fleeting instance,” his real IP was identified and logged as connecting to the company’s GitHub. According to the DOJ, this happened when Sharp’s home internet went down, and then reconnected.
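The investigative step implied here, a single non-VPN address among an actor’s otherwise VPN-sourced sessions, is a simple correlation once the log and the provider’s exit ranges are in hand. The code below is an added example written for this page, not anything from the indictment, GitHub or SurfShark. The audit log entries are constructed, and the VPN exit ranges are invented from documentation address space rather than any real provider’s allocations.

```python
import ipaddress
from collections import defaultdict

# Assumption: made-up VPN exit ranges from documentation address space.
VPN_EXIT_NETS = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "203.0.113.0/25")]

# Constructed repository audit log (assumption: invented actors, times and IPs).
AUDIT_LOG = [
    {"ts": "2020-12-21T01:02:11Z", "actor": "backup-bot", "ip": "198.51.100.41", "action": "git.clone"},
    {"ts": "2020-12-21T01:17:48Z", "actor": "backup-bot", "ip": "198.51.100.41", "action": "git.clone"},
    {"ts": "2020-12-21T01:19:03Z", "actor": "backup-bot", "ip": "192.0.2.77", "action": "git.clone"},
    {"ts": "2020-12-21T01:21:30Z", "actor": "backup-bot", "ip": "203.0.113.9", "action": "git.clone"},
    {"ts": "2020-12-21T08:45:00Z", "actor": "ci-runner", "ip": "192.0.2.200", "action": "git.fetch"},
]


def is_vpn_exit(ip: str, nets=VPN_EXIT_NETS) -> bool:
    """True if the address falls inside any of the known VPN exit networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def find_vpn_slips(log: list, nets=VPN_EXIT_NETS) -> dict:
    """Map actor -> list of (timestamp, ip) for sessions outside the VPN ranges,
    but only for actors whose other sessions do come from the VPN. An actor who
    never used the VPN has a direct address as their normal baseline."""
    by_actor = defaultdict(list)
    for ev in log:
        by_actor[ev["actor"]].append(ev)
    slips = {}
    for actor, events in by_actor.items():
        if not any(is_vpn_exit(e["ip"], nets) for e in events):
            continue
        direct = [(e["ts"], e["ip"]) for e in events if not is_vpn_exit(e["ip"], nets)]
        if direct:
            slips[actor] = direct
    return slips


if __name__ == "__main__":
    for actor, sessions in find_vpn_slips(AUDIT_LOG).items():
        for ts, ip in sessions:
            print(f"{actor}: non-VPN session at {ts} from {ip}")
```

The baseline check is what makes the result actionable: without it every CI runner and office workstation shows up as a “slip”.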

According to the indictment, this eventually led to the FBI carrying out a search warrant on Sharp’s house, where he denied using SurfShark and said that someone else used his PayPal account to purchase the subscription. In a final twist, the indictment says that Sharp contacted media outlets posing as a whistleblower after the FBI searched his home and seized electronic devices.

If Sharp is found guilty and the DOJ can prove that the incident unfolded as laid out in the indictment, it’ll certainly cast a new light on the reports of the Ubiquiti hack. The indictment alleges that Sharp started the attack using credentials he had been given to do his job. In March, Ubiquiti held fast to its statement that attackers didn’t access customer data, which doesn’t appear to be contradicted by the information revealed today.



Feds reportedly take down top ransomware hacker group REvil with a hack of their own

The government has successfully hacked the hacking group REvil, the entity behind the ransomware that’s been linked to leaked Apple schematics, attacks on enterprise software vendors, and more, according to a report from Reuters. The outlet’s sources tell it that the FBI, Secret Service, Cyber Command, and organizations from other countries have worked together to take the group’s operations offline this month. The group’s dark web blog, which exposed information gleaned from its targets, is also reportedly offline.

Reports about the group going offline started surfacing earlier this week, with TechCrunch writing that its Tor website was no longer available on Monday. There was speculation of a hack, fueled by a forum post from one of the group’s suspected leaders saying that its server was “compromised,” but at the time, it was unclear who was responsible. Reuters cites sources that say the government’s operation against ransomware hackers, including REvil, is still ongoing.

The US is slowly turning the screws on groups associated with ransomware, as the attacks become more and more costly for companies (one company reportedly paid a $40 million ransom to restore its operations). The Treasury pushed sanctions that make it harder to turn hacked machines into cash, and the Department of Justice created a team for investigating crimes committed by cryptocurrency exchanges, citing the impact of ransomware several times in its announcement.

REvil has had plenty of heat on it due to the high-profile or high-impact nature of the attacks it’s linked to. It’s blamed for an attack on an Apple supplier that leaked schematics of the MacBooks that launched this week, as well as attacks on massive meat processor JBS, IT management software developer Kaseya, Travelex, and Acer. The group was named by the US Treasury’s Financial Crimes Enforcement Network as one of the biggest ransomware groups in terms of reported payouts.

REvil has gone offline before — its site disappeared from the dark web in July, just a month after the FBI said the group was responsible for bringing down JBS, a company responsible for a fifth of the world’s meat supply.

It’s always possible that the group could come back, though trying to recover from going down in July is reportedly what opened it up to attacks from the US in the first place. According to Reuters’ sources, one of the group’s members restored a backup and unwittingly included systems compromised by law enforcement. A Russian security expert tells Reuters that infecting backups is a tactic commonly used by REvil itself.



Engadget Podcast: Diving into the Apple Watch Series 7 and Twitch’s big hack

This week, Cherlynn and Devindra chat about what to expect from Apple’s upcoming event (new MacBooks, baby!), as well as all of the other launch shindigs from Google, Samsung and Sony. Cherlynn also tells all about her Apple Watch Series 7 review, and why she hates testing sleep tracking gadgets. And to catch up on some big news from last week, Manda Farough from the Virtual Economy Podcast joins to dive into the massive Twitch hack.


Hosts: Cherlynn Low and Devindra Hardawar
Guests: Manda Farough
Producer: Ben Ellman
Livestream producers: Julio Barrientos, Luke Brooks
Graphics artists: Luke Brooks, Kyle Maack
Music: Dale North and Terrence O’Brien

All products recommended by Engadget are selected by our editorial team, independent of our parent company. Some of our stories include affiliate links. If you buy something through one of these links, we may earn an affiliate commission.



Twitch’s source code and streamer payment figures have been leaked in apparent hack

Hackers have accessed Twitch and leaked a vast amount of company data, including proprietary code, creator payouts and what the attackers describe as the “entirety of” Twitch’s source code. Twitch confirmed the breach in a tweet Wednesday morning, but did not provide further details.

On top of the code, the attackers said they stole the site’s mobile, desktop and console Twitch clients. The leak also reportedly includes “proprietary SDKs and internal AWS services used by Twitch,” other properties like IGDB and CurseForge, an unreleased Steam competitor from Amazon Game Studios (code-named Vapour) and Twitch SOC internal red-teaming tools. It also shows creator payouts from 2019 until now, including top streamers like Nickmercs, TimTheTatMan and xQc.

Although we haven’t verified the claim that “the entirety” of Twitch’s source code has been leaked, the files in the 126GB repository do appear to be genuine, and the payout figures for almost 2.4 million streamers seem to be present. The hackers said that the leak, which includes source code from almost 6,000 internal Github repositories, is also just “part one” of a larger release.

It doesn’t appear that information like user passwords, addresses and banking information were revealed, but that can’t be ruled out in a future drop. If you have a Twitch account, you should activate two-factor authentication so that bad actors can’t log into your account if your password has been stolen.

The group also stated that Twitch’s community is a “disgusting toxic cesspool,” so the action may be related to recent hate raids that prompted streamers to take a day off in protest. Twitch has previously said that it’s trying to stop the hate raid problem but that it wasn’t a “simple fix.” 

It’s not clear yet how attackers could have stolen such a large amount of data, especially considering that Twitch is owned by Amazon, which operates one of the largest web-hosting companies in the world.

Update (10/6/21, 11:33am ET): This post has been updated to reflect that Twitch confirmed on Wednesday that the breach took place.

