Krebs on Security

Original site: Krebs on Security

Microsoft Patch Tuesday, January 2023 Edition

Tuesday, January 10, 2023 at 23:28

Microsoft today released updates to fix nearly 100 security flaws in its Windows operating systems and other software. Highlights from the first Patch Tuesday of 2023 include a zero-day vulnerability in Windows, printer software flaws reported by the U.S. National Security Agency, and a critical Microsoft SharePoint Server bug that allows a remote, unauthenticated attacker to make an anonymous connection.

At least 11 of the patches released today are rated “Critical” by Microsoft, meaning they could be exploited by malware or malcontents to seize remote control over vulnerable Windows systems with little or no help from users.

Of particular concern for organizations running Microsoft SharePoint Server is CVE-2023-21743. This is a Critical security bypass flaw that could allow a remote, unauthenticated attacker to make an anonymous connection to a vulnerable SharePoint server. Microsoft says this flaw is “more likely to be exploited” at some point.

But patching this bug may not be as simple as deploying Microsoft updates. Dustin Childs, head of threat awareness at Trend Micro’s Zero Day Initiative, said sysadmins need to take additional measures to be fully protected from this vulnerability.

“To fully resolve this bug, you must also trigger a SharePoint upgrade action that’s also included in this update,” Childs said. “Full details on how to do this are in the bulletin. Situations like this are why people who scream ‘Just patch it!’ show they have never actually had to patch an enterprise in the real world.”

Eighty-seven of the vulnerabilities earned Redmond’s slightly less dire “Important” severity rating. That designation describes vulnerabilities “whose exploitation could result in compromise of the confidentiality, integrity, or availability of user data, or of the integrity or availability of processing resources.”

Among the more Important bugs this month is CVE-2023-21674, which is an “elevation of privilege” weakness in most supported versions of Windows that has already been abused in active attacks.

Satnam Narang, senior staff research engineer at Tenable, said although details about the flaw were not available at the time Microsoft published its advisory on Patch Tuesday, it appears this was likely chained together with a vulnerability in a Chromium-based browser such as Google Chrome or Microsoft Edge in order to break out of a browser’s sandbox and gain full system access.

“Vulnerabilities like CVE-2023-21674 are typically the work of advanced persistent threat (APT) groups as part of targeted attacks,” Narang said. “The likelihood of future widespread exploitation of an exploit chain like this is limited due to auto-update functionality used to patch browsers.”

By the way, when was the last time you completely closed out your Web browser and restarted it? Some browsers will automatically download and install new security updates, but the protection from those updates usually only happens after you restart the browser.

Speaking of APT groups, the U.S. National Security Agency is credited with reporting CVE-2023-21678, which is another “Important” vulnerability in the Windows Print Spooler software.

There have been so many vulnerabilities patched in Microsoft’s printing software over the past year (including the dastardly PrintNightmare attacks and borked patches) that KrebsOnSecurity has joked about Patch Tuesday reports being sponsored by Print Spooler. Tenable’s Narang points out that this is the third Print Spooler flaw the NSA has reported in the last year.

Kevin Breen at Immersive Labs called special attention to CVE-2023-21563, which is a security feature bypass in BitLocker, the data and disk encryption technology built into enterprise versions of Windows.

“For organizations that have remote users, or users that travel, this vulnerability may be of interest,” Breen said. “We rely on BitLocker and full-disk encryption tools to keep our files and data safe in the event a laptop or device is stolen. While information is light, this appears to suggest that it could be possible for an attacker to bypass this protection and gain access to the underlying operating system and its contents. If security teams are not able to apply this patch, one potential mitigation could be to ensure Remote Device Management is deployed with the ability to remotely disable and wipe assets.”

There are also two Microsoft Exchange vulnerabilities patched this month — CVE-2023-21762 and CVE-2023-21745. Given the rapidity with which threat actors exploit new Exchange bugs to steal corporate email and infiltrate vulnerable systems, organizations using Exchange should patch immediately. Microsoft’s advisory says these Exchange flaws are indeed “more likely to be exploited.”

Adobe released four patches addressing 29 flaws in Adobe Acrobat and Reader, InDesign, InCopy, and Adobe Dimension. The update for Reader fixes 15 bugs with eight of these being ranked Critical in severity (allowing arbitrary code execution if an affected system opened a specially crafted file).

For a more granular rundown on the updates released today, see the SANS Internet Storm Center roundup. Nearly 100 updates is a lot, and there are bound to be a few patches that cause problems for organizations and end users. When that happens, AskWoody.com usually has the lowdown.

Please consider backing up your data and/or imaging your system before applying any updates. And please sound off in the comments if you experience any problems as a result of these patches.

Identity Thieves Bypassed Experian Security to View Credit Reports

Monday, January 9, 2023 at 15:05

Identity thieves have been exploiting a glaring security weakness in the website of Experian, one of the big three consumer credit reporting bureaus. Normally, Experian requires that those seeking a copy of their credit report successfully answer several multiple choice questions about their financial history. But until the end of 2022, Experian’s website allowed anyone to bypass these questions and go straight to the consumer’s report. All that was needed was the person’s name, address, birthday and Social Security number.

The vulnerability in Experian’s website was exploitable after one applied to see their credit file via annualcreditreport.com.

In December, KrebsOnSecurity heard from Jenya Kushnir, a security researcher living in Ukraine who said he discovered the method being used by identity thieves after spending time on Telegram chat channels dedicated to the cashing out of compromised identities.

“I want to try and help to put a stop to it and make it more difficult for [ID thieves] to access, since [Experian is] not doing shit and regular people struggle,” Kushnir wrote in an email to KrebsOnSecurity explaining his motivations for reaching out. “If somehow I can make small change and help to improve this, inside myself I can feel that I did something that actually matters and helped others.”

Kushnir said the crooks learned they could trick Experian into giving them access to anyone’s credit report, just by editing the address displayed in the browser URL bar at a specific point in Experian’s identity verification process.

Following Kushnir’s instructions, I sought a copy of my credit report from Experian via annualcreditreport.com — a website that is required to provide all Americans with a free copy of their credit report from each of the three major reporting bureaus, once per year.

Annualcreditreport.com begins by asking for your name, address, SSN and birthday. After I supplied that and told Annualcreditreport.com I wanted my report from Experian, I was taken to Experian.com to complete the identity verification process.

Normally at this point, Experian’s website would present four or five multiple-guess questions, such as “Which of the following addresses have you lived at?”

Kushnir told me that when the questions page loads, you simply change the last part of the URL from “/acr/oow/” to “/acr/report,” and the site would display the consumer’s full credit report.

But when I tried to get my report from Experian via annualcreditreport.com, Experian’s website said it didn’t have enough information to validate my identity. It wouldn’t even show me the four multiple-guess questions. Experian said I had three options for a free credit report at this point: Mail a request along with identity documents, call a phone number for Experian, or upload proof of identity via the website.

But that didn’t stop Experian from showing me my full credit report after I changed the Experian URL as Kushnir had instructed — modifying the error page’s trailing URL from “/acr/OcwError” to simply “/acr/report”.

Experian’s website then immediately displayed my entire credit file.

Even though Experian said it couldn’t tell that I was actually me, it still coughed up my report. And thank goodness it did. The report contains so many errors that it’s probably going to take a good deal of effort on my part to straighten out.

Now I know why Experian has NEVER let me view my own file via their website. For example, there were four phone numbers on my Experian credit file: Only one of them was mine, and that one hasn’t been mine for ages.

I was so dumbfounded by Experian’s incompetence that I asked a close friend and trusted security source to try the method on her identity file at Experian. Sure enough, when she got to the part where Experian asked questions, changing the last part of the URL in her address bar to “/report” bypassed the questions and immediately displayed her full credit report. Her report also was replete with errors.
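The bypass Kushnir described is a textbook broken-access-control flaw: the report page trusted that a browser could only arrive there after passing through the questions page, instead of checking verification state the server itself had recorded. The following is an added example, not Experian’s code and not anything from the article. It models the flow with a small in-process router using the path names quoted above; everything else (the session layout, the `/acr/verify` endpoint, the constructed consumer record and KBA answer key) is assumed for illustration. The `hardened=False` branch reproduces the bug class; the hardened branch refuses `/acr/report` unless the session actually reached the verified state.

```python
"""Constructed model of the URL-edit bypass described in the article.

Paths /acr/oow, /acr/OcwError and /acr/report are the ones quoted in the
article; the session layout, /acr/verify, the sample report and the KBA
answer key are assumptions made for this example only.
"""
from dataclasses import dataclass
from enum import Enum, auto


class Step(Enum):
    """Server-recorded position of a session in the verification flow."""
    STARTED = auto()    # handed over from annualcreditreport.com
    QUESTIONS = auto()  # KBA questions were shown (/acr/oow)
    FAILED = auto()     # could not verify, or answered wrongly
    VERIFIED = auto()   # every KBA answer matched the answer key


@dataclass
class Session:
    consumer_id: str
    step: Step = Step.STARTED


@dataclass
class Response:
    status: int
    body: str


# Constructed sample data standing in for a credit file and the KBA answer key.
REPORTS = {"c-1001": "full credit file for consumer c-1001 (constructed)"}
KBA_ANSWERS = {"c-1001": {"prior_address": "B", "auto_loan_lender": "D"}}


def handle(path: str, session: Session, answers=None, hardened: bool = True) -> Response:
    """Route one request against the session.

    With hardened=False the report handler releases the file to any session
    that entered the flow, which is exactly what lets a client rewrite the
    last path segment to /acr/report and skip the questions.
    """
    if path == "/acr/oow":
        session.step = Step.QUESTIONS
        return Response(200, "four multiple-choice questions")
    if path == "/acr/OcwError":
        # Server could not build questions: record the failure so that nothing
        # downstream treats this session as verified.
        session.step = Step.FAILED
        return Response(200, "not enough information to verify your identity")
    if path == "/acr/verify":
        # Only the server decides whether verification succeeded, and only for
        # a session that was actually shown the questions.
        ok = (session.step is Step.QUESTIONS
              and answers == KBA_ANSWERS.get(session.consumer_id))
        session.step = Step.VERIFIED if ok else Step.FAILED
        return Response(200, "verified" if ok else "verification failed")
    if path == "/acr/report":
        if hardened and session.step is not Step.VERIFIED:
            # Authorization is derived from server-held state, never from
            # which page the client claims to have come from.
            return Response(403, "identity not verified")
        return Response(200, REPORTS[session.consumer_id])
    return Response(404, "not found")


def url_edit_attack(hardened: bool, landing_path: str = "/acr/oow") -> Response:
    """Reproduce the article's steps: reach the questions page (or the error
    page), then edit the trailing path to /acr/report without answering."""
    s = Session("c-1001")
    handle(landing_path, s, hardened=hardened)
    return handle("/acr/report", s, hardened=hardened)


def legitimate_flow(hardened: bool, answers: dict) -> Response:
    """Normal path: questions, then answers, then the report."""
    s = Session("c-1001")
    handle("/acr/oow", s, hardened=hardened)
    handle("/acr/verify", s, answers=answers, hardened=hardened)
    return handle("/acr/report", s, hardened=hardened)


if __name__ == "__main__":
    for hardened in (False, True):
        print("hardened" if hardened else "vulnerable",
              "from /acr/oow      ->", url_edit_attack(hardened).status,
              "| from /acr/OcwError ->", url_edit_attack(hardened, "/acr/OcwError").status)
```

The design point is that the decision to release the report rests on a value the server wrote (`Step.VERIFIED`) and the client cannot set by navigating; the error page deliberately moves the session to a failed state, so a later `/acr/verify` call cannot rescue a session that was never shown the questions either.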

KrebsOnSecurity shared Kushnir’s findings with Experian on Dec. 23, 2022. On Dec. 27, 2022, Experian’s PR team acknowledged receipt of my Dec. 23 notification, but the company has so far ignored multiple requests for comment or clarification.

By the time Experian confirmed receipt of my report, the “exploit” Kushnir said he learned from the identity thieves on Telegram had been patched and no longer worked. But it remains unclear how long Experian’s website was making it so easy to access anyone’s credit report.

In response to information shared by KrebsOnSecurity, Senator Ron Wyden (D-Ore.) said he was disappointed — but not at all surprised — to hear about yet another cybersecurity lapse at Experian.

“The credit bureaus are poorly regulated, act as if they are above the law and have thumbed their noses at Congressional oversight,” Wyden said in a written statement. “Just last year, Experian ignored repeated briefing requests from my office after you revealed another cybersecurity lapse at the company.”

Sen. Wyden’s quote above references a story published here in July 2022, which broke the news that identity thieves were hijacking consumer accounts at Experian.com just by signing up as them at Experian once more, supplying the target’s static, personal information (name, DoB/SSN, address) but a different email address.

From interviews with multiple victims who contacted KrebsOnSecurity after that story, it emerged that Experian’s own customer support representatives were actually telling consumers who got locked out of their Experian accounts to recreate their accounts using their personal information and a new email address. This was Experian’s advice even for people who’d just explained that this method was what identity thieves had used to lock them out in the first place.

Clearly, Experian found it simpler to respond this way, rather than acknowledging the problem and addressing the root causes (lazy authentication and abhorrent account recovery practices). It’s also worth mentioning that reports of hijacked Experian.com accounts persisted into late 2022. That screw-up has since prompted a class action lawsuit against Experian.

Sen. Wyden said the Federal Trade Commission (FTC) and Consumer Financial Protection Bureau (CFPB) need to do much more to protect Americans from screw-ups by the credit bureaus.

“If they don’t believe they have the authority to do so, they should endorse legislation like my Mind Your Own Business Act, which gives the FTC power to set tough mandatory cybersecurity standards for companies like Experian,” Wyden said.

Sadly, none of this is terribly shocking behavior for Experian, which has shown itself a completely negligent custodian of obscene amounts of highly sensitive consumer information.

In April 2021, KrebsOnSecurity revealed how identity thieves were exploiting lax authentication on Experian’s PIN retrieval page to unfreeze consumer credit files. In those cases, Experian failed to send any notice via email when a freeze PIN was retrieved, nor did it require the PIN to be sent to an email address already associated with the consumer’s account.

A few days after that April 2021 story, KrebsOnSecurity broke the news that an Experian API was exposing the credit scores of most Americans.

It’s bad enough that we can’t really opt out of companies like Experian making $2.6 billion each quarter collecting and selling gobs of our personal and financial information. But there has to be some meaningful accountability when these monopolistic companies engage in negligent and reckless behavior with the very same consumer data that feeds their quarterly profits. Or when security and privacy shortcuts are found to be intentional, like for cost-saving reasons.

And as we saw with Equifax’s consolidated class-action settlement in response to letting state-sponsored hackers from China steal data on nearly 150 million Americans back in 2017, class-actions and more laughable “free credit monitoring” services from the very same companies that created the problem aren’t going to cut it.

WHAT CAN YOU DO?

It is easy to adopt a defeatist attitude with the credit bureaus, who often foul things up royally even for consumers who are quite diligent about watching their consumer credit files and disputing any inaccuracies.

But there are some concrete steps that everyone can take which will dramatically lower the risk that identity thieves will ruin your financial future. And happily, most of these steps have the side benefit of costing the credit bureaus money, or at least causing the data they collect about you to become less valuable over time.

The first step is awareness. Find out what these companies are saying about you behind your back. Keep in mind that — fair or not — your credit score as collectively determined by these bureaus can affect whether you get that loan, apartment, or job. In that context, even small, unintentional errors that are unrelated to identity theft can have outsized consequences for consumers down the road.

Each bureau is required to provide a free copy of your credit report every year. The easiest way to get yours is through annualcreditreport.com.

Some consumers report that this site never works for them, and that each bureau will insist they don’t have enough information to provide a report. I am definitely in this camp. Thankfully, a financial institution that I already have a relationship with offers the ability to view your credit file through them. Your mileage on this front may vary, and you may end up having to send copies of your identity documents through the mail or website.

When you get your report, look for anything that isn’t yours, and then document and file a dispute with the corresponding credit bureau. And after you’ve reviewed your report, set a calendar reminder to recur every four months, reminding you it’s time to get another free copy of your credit file.

If you haven’t already done so, consider making 2023 the year that you freeze your credit files at the three major reporting bureaus, including Experian, Equifax and TransUnion. It is now free to people in all 50 U.S. states to place a security freeze on their credit files. It is also free to do this for your partner and/or your dependents.

Freezing your credit means no one who doesn’t already have a financial relationship with you can view your credit file, making it unlikely that potential creditors will grant new lines of credit in your name to identity thieves. Freezing your credit file also means Experian and its brethren can no longer sell peeks at your credit history to others.

Anytime you wish to apply for new credit or a new job, or open an account at a utility or communications provider, you can quickly thaw a freeze on your credit file, and set it to freeze automatically again after a specified length of time.

Please don’t confuse a credit freeze (a.k.a. “security freeze”) with the alternative that the bureaus will likely steer you towards when you ask for a freeze: “Credit lock” services.

The bureaus pitch these credit lock services as a way for consumers to easily toggle their credit file availability with push of a button on a mobile app, but they do little to prevent the bureaus from continuing to sell your information to others.

My advice: Ignore the lock services, and just freeze your credit files already.

One final note. Frequent readers here will have noticed that I’ve criticized these so-called “knowledge-based authentication” or KBA questions that Experian’s website failed to ask as part of its consumer verification process.

KrebsOnSecurity has long assailed KBA as weak authentication because the questions and answers are drawn largely from consumer records that are public and easily accessible to organized identity theft groups.

That said, given that these KBA questions appear to be the ONLY thing standing between me and my Experian credit report, it seems like maybe they should at least take care to ensure that those questions actually get asked.

Happy 13th Birthday, KrebsOnSecurity!

Thursday, December 29, 2022 at 23:35

KrebsOnSecurity turns 13 years old today. That’s a crazy long time for an independent media outlet these days, but then again I’m bound to keep doing this as long as they keep letting me. Heck, I’ve been doing this so long I briefly forgot which birthday this was!

Thanks to your readership and support, I was able to spend more time in 2022 on some deep, meaty investigative stories — the really satisfying kind with the potential to affect positive change. Some of that work is highlighted in the 2022 Year in Review below.

Until recently, I was fairly active on Twitter, regularly tweeting to more than 350,000 followers about important security news and stories here. For a variety of reasons, I will no longer be sharing these updates on Twitter. I seem to be doing most of that activity now on Mastodon, which appears to have absorbed most of the infosec refugees from Twitter, and in any case is proving to be a far more useful, civil and constructive place to post such things. I will also continue to post on LinkedIn about new stories in 2023.

Here’s a look at some of the more notable cybercrime stories from the past year, as covered by KrebsOnSecurity and elsewhere. Several strong themes emerged from 2022’s crop of breaches, including the targeting or impersonating of employees to gain access to internal company tools; multiple intrusions at the same victim company; and less-than-forthcoming statements from victim firms about what actually transpired.

JANUARY

You just knew 2022 was going to be The Year of Crypto Grift when two of the world’s most popular antivirus makers — Norton and Avira — kicked things off by installing cryptocurrency mining programs on customer computers. This bold about-face dumbfounded many longtime Norton users because antivirus firms had spent years broadly classifying all cryptomining programs as malware.

Suddenly, hundreds of millions of users — many of them old enough to have bought antivirus from Peter Norton himself back in the day — were being encouraged to start caring about and investing in crypto. Big Yellow and Avira weren’t the only established brands cashing in on crypto hype as a way to appeal to a broader audience: The venerable electronics retailer RadioShack wasted no time in announcing plans to launch a cryptocurrency exchange.

By the second week of January, Russia has amassed more than 100,000 troops along its southern border with Ukraine. The Kremlin breaks with all tradition and announces that — at the request of the United States — it has arrested 14 people suspected of working for REvil, one of the more ruthless and profitable Russian ransomware groups.

Security and Russia experts dismiss the low-level arrests as a kind of “ransomware diplomacy,” a signal to the United States that if it doesn’t enact severe sanctions against Russia for invading Ukraine, Russia will continue to cooperate on ransomware investigations.

The Jan. 19th story IRS Will Soon Require Selfies For Online Access goes immediately viral for pointing out something that apparently nobody has noticed on the U.S. Internal Revenue Service website for months: Anyone seeking to create an account to view their tax records online would soon be required to provide biometric data to a private company in Virginia — ID.me.

Facing a backlash from lawmakers and the public, the IRS soon reverses course, saying video selfies will be optional and that any biometric data collected will be destroyed after verification.

FEBRUARY

Super Bowl Sunday watchers are treated to no fewer than a half-dozen commercials for cryptocurrency investing. Matt Damon sells his soul to Crypto.com, telling viewers that “fortune favors the brave” — basically, “only cowards would fail to buy cryptocurrency at this point.” Meanwhile, Crypto.com is trying to put space between it and recent headlines that a breach led to $30 million being stolen from hundreds of customer accounts. A single bitcoin is trading at around $45,000.

Larry David, the comedian who brought us years of awkward hilarity with hits like Seinfeld and Curb Your Enthusiasm, plays the part of the “doofus, crypto skeptic” in a lengthy Super Bowl ad for FTX, a cryptocurrency exchange then valued at over $20 billion that is pitched as a “safe and easy way to get into crypto.” [Last month, FTX imploded and filed for bankruptcy; the company’s founder now faces civil and criminal charges from three different U.S. agencies].

On Feb. 24, Russia invades Ukraine, and fault lines quickly begin to appear in the cybercrime underground. Cybercriminal syndicates that previously straddled Russia and Ukraine with ease are forced to reevaluate many comrades who are suddenly working for The Other Side.

Many cybercriminals who operated with impunity from Russia and Ukraine prior to the war chose to flee those countries following the invasion, presenting international law enforcement agencies with rare opportunities to catch most-wanted cybercrooks. One of those is Mark Sokolovsky, a 26-year-old Ukrainian man who operated the popular “Raccoon” malware-as-a-service offering; Sokolovsky was busted in March after fleeing Ukraine’s mandatory military service orders.

Also nabbed on the lam is Vyacheslav “Tank” Penchukov, a senior Ukrainian member of a transnational cybercrime group that stole tens of millions of dollars over nearly a decade from countless hacked businesses. Penchukov was arrested after leaving Ukraine to meet up with his wife in Switzerland.

Tank, seen here performing as a DJ in Ukraine in an undated photo from social media.

Ransomware group Conti chimes in shortly after the invasion, vowing to attack anyone who tries to stand in Mother Russia’s way. Within hours of that declaration, several years’ worth of internal chat logs stolen from Conti were leaked online. The candid employee conversations provide a rare glimpse into the challenges of running a sprawling criminal enterprise with more than 100 salaried employees. The records also reveal how Conti dealt with its own internal breaches and attacks from private security firms and foreign governments.

Faced with an increasing brain drain of smart people fleeing the country, Russia floats a new strategy to address a worsening shortage of qualified information technology experts: Forcing tech-savvy people within the nation’s prison population to perform low-cost IT work for domestic companies.

Chipmaker NVIDIA says a cyberattack led to theft of information on more than 71,000 employees. Credit for that intrusion is quickly claimed by LAPSUS$, a group of 14-18 year-old cyber hooligans mostly from the United Kingdom who specialized in low-tech but highly successful methods of breaking into companies: Targeting employees directly over their mobile phones.

LAPSUS$ soon employs these skills to successfully siphon source code and other data from some of the world’s biggest technology firms, including Microsoft, Okta, Samsung, T-Mobile and Uber, among many others.

MARCH

We learn that criminal hackers are compromising email accounts and websites for police departments worldwide, so that they can impersonate police and send legal requests to obtain sensitive customer data from mobile providers, ISPs and social media companies. That story prompts revelations that several companies — including Apple, Discord and Meta/Facebook — have complied with the fake requests, and draws the attention of Congress to the problem.

APRIL

It emerges that email marketing giant Mailchimp got hacked. The unknown intruders gained access to internal Mailchimp tools and customer data by social engineering employees at the company, and then started sending targeted phishing attacks to owners of Trezor hardware cryptocurrency wallets.

The FBI warns about a massive surge in victims from “pig butchering” scams, in which flirtatious strangers online lure people into investing in cryptocurrency scams. Investigative reports reveal pig butchering’s link to organized crime gangs in Asia that attract young job seekers with the promise of customer service jobs. Instead, those who show up at the appointed time and place are kidnapped, trafficked across the border into neighboring countries like Cambodia, and pressed into a life of indentured servitude scamming others online.

The now-defunct and always phony cryptocurrency trading platform xtb-market[.]com, which was fed by pig butchering scams.

MAY

KrebsOnSecurity reports that hackers who specialize in filing fake police requests for subscriber data gained access to a U.S. Drug Enforcement Administration (DEA) portal that taps into 16 different federal law enforcement databases.

The government of Costa Rica is forced to declare a state of emergency after a ransomware attack by Conti cripples government systems. Conti publishes nearly 700 GB worth of government records after the country’s leaders decline to pay a $20 million ransom demand.

JUNE

KrebsOnSecurity identifies Russian national Denis Emelyantsev as the likely owner of the RSOCKS botnet, a collection of millions of hacked devices that were sold as “proxies” to cybercriminals looking for ways to route their malicious traffic through someone else’s computer. Emelyantsev was arrested that same month at a resort in Bulgaria, where he requested and was granted extradition to the United States — reportedly telling the judge, “America is looking for me because I have enormous information and they need it.”

The employees who kept things running for RSOCKS, circa 2016. Notice that nobody seems to be wearing shoes.

JULY

Big-three consumer credit bureau Experian comes under scrutiny after KrebsOnSecurity reveals identity thieves are reliably seizing control over consumer credit files by simply re-registering using the target’s personal information and an email address tied to the crooks. Two months later, Experian would be hit with a class-action lawsuit over these security and privacy failures.

Twitter acknowledges that it was relieved of phone numbers and email addresses for 5.4 million users. The security weakness that allowed the data to be collected was patched in January 2022.

AUGUST

Messaging behemoth Twilio confirms that data on 125 customers was accessed by intruders, who tricked employees into handing over their login credentials by posing as employees of the company’s IT department.

Among the Twilio customers targeted was encrypted messaging service Signal, which relied on Twilio to provide phone number verification services. Signal said that with their access to Twilio’s internal tools, the attackers were able to re-register those users’ phone numbers to another device.

Food delivery service DoorDash discloses that a “sophisticated phishing attack” on a third-party vendor allowed attackers to gain access to some of DoorDash’s internal company tools. Thanks to data left exposed online by the intruders, it becomes clear that DoorDash was victimized by the same group that snookered employees at Twilio, Mailchimp, Cloudflare, and dozens of other major companies throughout 2022.

Mailchimp discloses another intrusion involving targeted phishing attacks against employees, wherein hackers stole data on more than 200 Mailchimp customers. Web hosting giant DigitalOcean discloses it was one of the victims, and that the intruders used their access to send password reset emails to a number of DigitalOcean customers involved in cryptocurrency and blockchain technologies. DigitalOcean severs ties with Mailchimp after that incident, which briefly prevented the hosting firm from communicating with its customers or processing password reset requests.

Password manager service LastPass discloses that its software development environment was breached, and that intruders made off with source code and some proprietary LastPass data. LastPass emphasizes the intruders weren’t able to access any customer data or encrypted password vaults, and that “there is no evidence of any threat actor activity beyond the established timeline,” and “no evidence that this incident involved any access to customer data or encrypted password vaults.”

SEPTEMBER

Uber discloses another breach, forcing the company to take several of its internal communications and engineering systems offline as it investigates. The intrusion only comes to light when the hacker uses the company’s internal Slack channel to boast about their access, listing several internal databases they claimed had been compromised. The intruder told The New York Times they got in by sending a text message to an employee while posing as an employee from Uber’s IT department. Uber blames LAPSUS$ for the intrusion.

Australian telecommunications giant Optus suffers a data breach involving nearly 10 million customers, including passport or license numbers on almost three million people. The incident dominates headlines and politics in Australia for weeks, as the hacker demands a million dollars in cryptocurrency not to publish the information online. Optus’s CEO calls the intrusion a “sophisticated attack,” but interviews with the hacker reveal they simply enumerated and scraped the data from the Optus website without authentication. After briefly posting 10,000 records from the intrusion, the hacker announces they made a mistake, and deletes the auction.

OCTOBER

A report commissioned by Sen. Elizabeth Warren (D-Mass.) reveals that most big U.S. banks are stiffing account takeover victims. Even though U.S. financial institutions are legally obligated to reverse any unauthorized transactions as long as the victim reports the fraud in a timely manner, the report cited figures showing that four of the nation’s largest banks collectively reimbursed only 47 percent of the dollar amount of claims they received.

Joe Sullivan, the former chief security officer for Uber, is found guilty of two felonies after a four-week trial. In 2016, while the U.S. Federal Trade Commission was already investigating a 2014 breach at Uber, another security breach affected 57 million Uber account holders and drivers. The intruders demanded $100,000; Sullivan and his team paid the ransom under the company’s bug bounty program, made the hackers sign a non-disclosure agreement, and concealed the incident from users and investors. The two hackers involved pleaded guilty in 2019; by this time, it has become a nearly everyday occurrence for victim companies to pay to keep a ransomware attack quiet.

NOVEMBER

A ransomware group with ties to REvil begins publishing names, birth dates, passport numbers and information on medical claims on nearly 10 million current and former customers of Australian health insurer Medibank. The data is published after Medibank reportedly declines to pay a US$10 million ransom demand.

DECEMBER

KrebsOnSecurity breaks the news that InfraGard, a program run by the U.S. Federal Bureau of Investigation (FBI) to build cyber and physical threat information sharing partnerships with the private sector, saw its database of contact information on more than 80,000 members put up for sale on an English-language cybercrime forum. Meanwhile, the hackers responsible were communicating directly with members through the InfraGard portal online — using a new account under the assumed identity of a financial industry CEO that was vetted by the FBI itself.

A cybercriminal starts selling account data scraped from 400 million Twitter users, including email addresses and in many cases phone numbers. The seller claims their data was scraped in late December 2021 using the same vulnerability that Twitter patched in January 2022, and that led Twitter to acknowledge the data scraping of 5.4 million user accounts earlier this year. Twitter no longer has a press office, and the company’s Chief Twit has remained silent about the 400 million claim so far, despite many indications that the data is legitimate.

Two days before Christmas, LastPass posted an update on its investigation into the August data breach, saying the intruder was able to use data stolen in the August breach to come back and copy a backup of customer vault data from the encrypted storage container. LastPass’s lackadaisical disclosure timeline and failure to answer follow-up questions have done little to assuage the fears of many users, leading Wired.com to recommend that users abandon the platform in favor of the password managers 1Password and Bitwarden.

Also two days before Christmas, KrebsOnSecurity notifies Experian that anyone can bypass security questions in their application for a free credit report, meaning identity thieves can access your full credit file with just your name, address, date of birth and Social Security number. Unfortunately, this static data on most Americans has been for sale in the cybercrime underground for years. Experian has yet to say whether it has fixed the problem, but expect to see a full report about this early in the New Year.

The Equifax Breach Settlement Offer is Real, For Now

Tuesday, December 20, 2022 at 21:08

Millions of people likely just received an email or snail mail notice saying they’re eligible to claim a class action payment in connection with the 2017 megabreach at consumer credit bureau Equifax. Given the high volume of reader inquiries about this, it seemed worth pointing out that while this particular offer is legit (if paltry), scammers are likely to soon capitalize on public attention to the settlement money.

One reader’s copy of their Equifax Breach Settlement letter. They received a check for $6.97.

In 2017, Equifax disclosed a massive, extended data breach that led to the theft of Social Security Numbers, dates of birth, addresses and other personal information on nearly 150 million people. Following a public breach response perhaps best described as a giant dumpster fire, the big-three consumer credit reporting bureau was quickly hit with nearly two dozen class-action lawsuits.

In exchange for resolving all outstanding class action claims against it, Equifax in 2019 agreed to a settlement that includes up to $425 million to help people affected by the breach.

Affected consumers were eligible to apply for at least three years of credit monitoring via all three major bureaus simultaneously, including Equifax, Experian and Trans Union. Or, if you didn’t want to take advantage of the credit monitoring offers, you could opt for a cash payment of up to $125.

The settlement also offered reimbursement for the time you may have spent remedying identity theft or misuse of your personal information caused by the breach, or purchasing credit monitoring or credit reports. This was capped at 20 total hours at $25 per hour ($500), with total cash reimbursement payments not to exceed $20,000 per consumer.

Those who did file a claim probably started receiving emails or other communications earlier this year from the Equifax Breach Settlement Fund, which has been messaging class participants about methods of collecting their payments.

How much each recipient receives appears to vary quite a bit, but probably most people will have earned a payment on the smaller end of that $125 scale — like less than $10. Those who received higher amounts likely spent more time documenting actual losses and/or explaining how the breach affected them personally.

So far this week, KrebsOnSecurity has received at least 20 messages from readers seeking more information about these notices. Some readers shared copies of letters they got in the mail along with a paper check from the Equifax Breach Settlement Fund (see screenshot above).

Others said they got emails from the Equifax Breach Settlement domain that looked like an animated greeting card offering instructions on how to redeem a virtual prepaid card.

If you received one of these settlement emails and are wary about clicking the included links (good for you, by the way), copy the redemption code and paste it into the search box at myprepaidcenter.com/redeem. Successfully completing the card application requires accepting a prepaid MasterCard agreement (PDF).

The website for the settlement — equifaxbreachsettlement.com — also includes a lookup tool that lets visitors check whether they were affected by the breach; it requires your last name and the last six digits of your Social Security Number.

In February 2020, the U.S. Justice Department indicted four Chinese officers of the People’s Liberation Army (PLA) for perpetrating the 2017 Equifax hack. DOJ officials said the four men were responsible for carrying out the largest theft of sensitive personal information by state-sponsored hackers ever recorded.

Equifax surpassed Wall Street’s expectations in its most recent quarterly earnings: The company reported revenues of $1.24 billion for the quarter ending September 2022.

Of course, most of those earnings come from Equifax’s continued legal ability to buy and sell eye-popping amounts of financial and personal data on U.S. consumers. As one of the three major credit bureaus, Equifax collects and packages information about your credit, salary, and employment history. It tracks how many credit cards you have, how much money you owe, and how you pay your bills. Each company creates a credit report about you, and then sells this report to businesses who are deciding whether to give you credit.

Americans currently have no legal right to opt out of this data collection and trade. But you can, and also should, freeze your credit, which by the way can make your credit profile less profitable for companies like Equifax — because they make money every time some potential creditor wants a peek inside your financial life. Also, it’s probably a good idea to freeze the credit of your children and/or dependents as well. It’s free on both counts.

Hacked Ring Cams Used to Record Swatting Victims

Tuesday, December 20, 2022 at 02:24

Photo: BrandonKleinPhoto / Shutterstock.com

Two U.S. men have been charged with hacking into the Ring home security cameras of a dozen random people and then “swatting” them — falsely reporting a violent incident at the target’s address to trick local police into responding with force. Prosecutors say the duo used the compromised Ring devices to stream live video footage on social media of police raiding their targets’ homes, and to taunt authorities when they arrived.

Prosecutors in Los Angeles allege 20-year-old James Thomas Andrew McCarty, a.k.a. “Aspertaine,” of Charlotte, N.C., and Kya Christian Nelson, a.k.a. “ChumLul,” 22, of Racine, Wisc., conspired to hack into Yahoo email accounts belonging to victims in the United States. From there, the two allegedly would check how many of those Yahoo accounts were associated with Ring accounts, and then target people who used the same password for both accounts.

An indictment unsealed this week says that in the span of just one week in November 2020, McCarty and Nelson identified and swatted at least a dozen different victims across the country.

“The defendants then allegedly accessed without authorization the victims’ Ring devices and transmitted the audio and video from those devices on social media during the police response,” reads a statement from Martin Estrada, the U.S. Attorney for the Central District of California. “They also allegedly verbally taunted responding police officers and victims through the Ring devices during several of the incidents.”

James Thomas Andrew McCarty.

The indictment charges that McCarty continued his swatting spree in 2021 from his hometown in Kayenta, Ariz., where he called in bomb threats or phony hostage situations on more than two dozen occasions.

The Telegram and Discord aliases allegedly used by McCarty — “Aspertaine” and “Couch,” among others — correspond to an identity that was active in certain channels dedicated to SIM-swapping, a crime that involves stealing wireless phone numbers and hijacking the online financial and social media accounts tied to those numbers.

Aspertaine bragged on Discord that he’d amassed more than $330,000 in virtual currency. On Telegram, the Aspertaine/Couch alias frequented several popular SIM-swapping channels, where they initially were active as a “holder” — a low-level but key SIM-swapping group member who agrees to hold stolen cryptocurrency after an account takeover is completed. Aspertaine later claimed more direct involvement in individual SIM-swapping attacks.

In September, KrebsOnSecurity broke the news about a wide-ranging federal investigation into “violence-as-a-service” offerings on Telegram and other social media networks, wherein people can settle scores by hiring total strangers to carry out physical attacks such as brickings, shootings, and firebombings at a target’s address.

The story observed that SIM swappers were especially enamored of these “IRL” or “In Real Life” violence services, which they frequently used to target one another in response to disagreements over how stolen money should be divided amongst themselves. And a number of Aspertaine’s peers on these SIM-swapping channels claimed they’d been ripped off after Aspertaine took more than a fair share from co-conspirators.

On April 30, 2022, a member of a popular SIM-swapping group on Telegram who was slighted by Aspertaine put out the word that he was looking for some physical violence to be visited on McCarty’s address in North Carolina. “Anyone live near here and wants to [do] a job for me,” the job ad with McCarty’s home address read. “Jobs range from $1k-$50k. Payment in BTC [bitcoin].” It’s unclear if anyone responded to that job offer.

In May 2021, KrebsOnSecurity published The Wages of Password ReUse: Your Money or Your Life, which observed that when normal computer users fall into the nasty habit of recycling passwords, the result is most often some type of financial loss. Whereas, when cybercriminals reuse passwords, it often costs them their freedom.

But perhaps that story should be updated, because it’s now clear that password reuse can also put you in mortal danger. Swatting attacks are dangerous, expensive hoaxes that sometimes end in tragedy.

In June 2021, an 18-year-old serial swatter from Tennessee was sentenced to five years in prison for his role in a fraudulent swatting attack that led to the death of a 60-year-old man.

In 2019, prosecutors handed down a 20-year sentence to Tyler Barriss, a then 26-year-old serial swatter from California who admitted making a phony emergency call to police in late 2017 that led to the shooting death of an innocent Kansas man.

McCarty was arrested last week in Arizona, and charged with conspiracy to intentionally access computers without authorization. Prosecutors said Nelson is currently incarcerated in Kentucky in connection with an unrelated investigation.

If convicted on the conspiracy charge, both defendants would face a statutory maximum penalty of five years in federal prison. The charge of intentionally accessing a computer without authorization carries a maximum possible sentence of five years. A conviction on the additional charge against Nelson — aggravated identity theft — carries a mandatory two-year consecutive sentence.