Top infosec trends in the social media spotlight this week.
Twitter has urged its 330 million users to change their passwords after site admins discovered a bug that stored passwords in plain text.
In a blog post yesterday, Twitter’s chief technology officer Parag Agrawal said passwords were being written to an internal log before completing the bcrypt hashing process.
Agrawal said there was no evidence that password information ever left Twitter’s systems or was misused by anyone, but out of “an abundance of caution” users have been asked to consider changing their login details.
Things weren’t quite so rosy for Australia’s Commonwealth Bank (CBA), which this week admitted it had lost historical bank statements belonging to almost 20 million personal accounts in a 2016 incident it chose not to make public.
In a YouTube video posted on Wednesday, CBA’s acting head of retail banking services, Angus Sullivan, said the bank lost two magnetic tapes containing 15 years of data on customer names, addresses, and account numbers for 19.8 million accounts.
The tapes were due to be disposed of, but CBA could not confirm they were securely destroyed, Sullivan said, leading Australian Prime Minister Malcolm Turnbull to lambast the bank for what he called an “extraordinary blunder”.
In video game news, Bluehole Studio has announced that 15 people suspected of developing and selling hacking programs for the hugely popular PlayerUnknown’s Battlegrounds have been arrested and fined a combined total of $5.1 million.
The developer confirmed in a recent Steam post that malicious code, including trojan horse software, was included in some of the programs and was used to steal user information.
“The longstanding rumor that hacking/cheating programs extract information from users’ PCs has been confirmed to be true,” the post reads.
“We’ll continue to crack down on hacking/cheating programs (and their creators) until our players are free to battle it out in a totally fair environment.”
News of PUBG’s clampdown on hackers follows Epic Games’ recent call for players of Fortnite Battle Royale to implement two-factor authentication following a spate of brute-force hacking attempts.
Those interested in reading more about the murky world of video game hacks should check out Wired’s fascinating profile of the infamous Xbox Underground group.
And lastly this week, UNICEF Australia has launched a new revenue-generating initiative in the form of authorized crypto-mining.
The charity’s new ‘Hopepage’ aims to “turn a little computer power into hope for every child”, with users able to select how much processor power they want to donate to help mine for Monero.
UNICEF isn’t the first organization to launch a transparent crypto-mining effort. In February, media outlet Salon started asking ad-blocking users to dedicate their CPUs to its own Monero harvesting program as they browsed the site.
It might be too early to call, but – authorized or not – crypto-mining still doesn’t quite sit right with the Swig team. (Would an environmental charity consider this as an option, given the vast amounts of energy required to harvest virtual currency?)
However, with nearly 9,000 people reported to be assisting with UNICEF’s efforts at the time of writing, the Hopepage might just be an indicator of things to come…
May the 4th Be With You.