ReportWire

Tag: data leak

  • Exclusive: Event startup Partiful wasn’t stripping GPS locations from user-uploaded photos

    [ad_1]

    Social event planning app Partiful, which calls itself “Facebook events for hot people,” has firmly replaced Facebook as the go-to platform for sending party invitations. But what Partiful also has in common with Facebook is that it’s collecting a tsunami of user data, and Partiful could have done better at keeping that data secure.

    On Partiful, hosts can create online invitations with a retro, maximalist vibe, allowing guests to RSVP to events with the ease of ordering a salad on a touch-screen. Partiful aims to be user-friendly and trendy, propelling the app to #9 on the iOS App Store’s Lifestyle charts. Google called Partiful the “best app” of 2024. 

    Now, Partiful has evolved into a powerful Facebook-like social graph, easily mapping who your friends are and who your friends’ friends are, what you do, where you go, and all of your phone numbers.

    As Partiful grew more popular, some users became skeptical of the company’s origins. One New York City promoter announced that it was boycotting Partiful because its founders and some staff are former employees of Palantir, Peter Thiel’s data mining company, which produces the software that powers ICE’s master database for the Trump administration’s deportation crackdown.

    Given some of the speculation around the app, TechCrunch set up a new account and tested Partiful. We soon found that the app was not stripping the location data of user-uploaded images, including public profile photos.

    TechCrunch found it was possible for anyone, using only the developer tools in a web browser, to access raw user profile photos stored in Partiful’s backend database hosted on Google Firebase. If the user’s photo contained the precise real-world location of where it was taken, anyone else could have also viewed the precise coordinates of where that photo was taken.

    Almost all digital files, like the pictures you take on a smartphone, contain metadata, which includes information like the file size, when it was created, and by whom. In the case of photos and videos, metadata can include information about the kind of camera used and its settings, as well as the precise latitude and longitude coordinates of where the image was captured.

    The security flaw is problematic because anyone using Partiful could have revealed the location of where a person’s profile photo was snapped. Some Partiful user profile photos contained highly granular location data that could be used to identify the person’s home or work, particularly in rural areas where individual homes are easier to distinguish on a map.

    It’s common practice for companies that host user images and videos to automatically remove metadata upon upload to prevent privacy lapses like this. 

    TechCrunch verified the bug ourselves by uploading a new Partiful profile photo that we had previously captured from outside of the Moscone West Convention Center in San Francisco, which contained the photo’s precise location. When we checked the metadata of the photo stored on Partiful’s server, it still contained the exact coordinates of where the image was taken down to a few feet.

    TechCrunch’s profile photo containing GPS coordinates uploaded to Partiful.Image Credits:TechCrunch
    a photo showing a Google Maps dot where the photo of outside Moscone West was taken.
    The location of where our Partiful profile photo was taken on a Google Map.Image Credits:TechCrunch

    After discovering the security flaw, TechCrunch alerted Partiful co-founders Shreya Murthy and Joy Tao by email, as Partiful does not have a public means for reporting security flaws. TechCrunch shared a link to a Partiful user’s raw profile photo containing that user’s real-world location at the time the photo was taken, a residential address in Manhattan.

    Tao told TechCrunch on Friday that the vulnerability was “already on our team’s radar, and was recently prioritized as an upcoming fix.” 

    Partiful initially provided a timeline to fix the flaw by “next week,” but given the sensitivity of the data involved, Partiful fixed the bug by Saturday at TechCrunch’s request.

    TechCrunch confirmed Saturday that metadata was removed from existing user-uploaded photos. The profile photo that we uploaded with our real-world location also had the metadata removed. 

    Partiful disclosed the security lapse in a tweet shortly before the publishing of this story.

    When asked by TechCrunch if Partiful has the technical means, such as logs, to determine if there was any direct or bulk access to user profile photos stored in its database, Partiful spokesperson Jess Eames said this was “still under investigation but we have found no evidence of this yet.”

    Eames said the company “regularly perform security reviews with experts in the field, not just as a one-time action but as part of our ongoing processes.” Partiful did not provide TechCrunch with the name of the experts when asked.

    Partiful has raised over $27 million from investors since its founding in 2022, including a $20 million Series A funding round led by Andreessen Horowitz. TechCrunch asked Partiful’s co-founders if they had commissioned a security review of their product before launch, but would not say.

    [ad_2]

    Zack Whittaker, Amanda Silberling

    Source link

  • Sensitive data stolen from Maryland Department of Transportation reportedly up for auction – WTOP News

    [ad_1]

    A ransomware group claims it hacked the Maryland Department of Transportation and is now selling sensitive, personal data on the dark web.

    A ransomware group claims it hacked the Maryland Department of Transportation and is now selling sensitive, personal data on the dark web.

    The website Daily Dark Web first reported the auction. The Rhysida ransomware group claims it has the full names, birth dates and home addresses of transportation agency employees. It shared images of a Maryland driver’s license, passport, Social Security card and other sensitive documents.

    Part of the text reads, “Open your wallets and be ready to buy exclusive data.”

    The auction for the data ends in less than a week and the starting price is 30 Bitcoin, which is worth more than $3 million.

    In a statement to WTOP, Maryland Transit Administration spokesperson Veronica Battisti said, “The Maryland Transit Administration can confirm incident-related data loss at this point in our investigation.”

    “At this time we are unable to disclose specific or additional details regarding what data has been lost because of the sensitivity of the ongoing investigation. If it is found that personal information has been taken, the affected individuals will be notified by the State in accordance with State law and we will take appropriate actions and provide guidance on recommended actions,” Battisti said in a statement to WTOP.

    The state’s information technology department is working with third-party cyber experts to investigate the breach.

    According to the Cybersecurity and Infrastructure Security Agency, Rhysida has been targeting the education, health care, manufacturing, information technology and government sectors since 2023.

    Editor’s Note: The article has been updated to clarify that the investigation is ongoing as to whether personal information has been taken. 

    Get breaking news and daily headlines delivered to your email inbox by signing up here.

    © 2025 WTOP. All Rights Reserved. This website is not intended for users located within the European Economic Area.

    [ad_2]

    Linh Bui

    Source link

  • Google Investors Surprisingly Chill About Major Data Breach

    [ad_1]

    The stock of Google’s parent company ended Friday’s trading session relatively unchanged, as investors digested news of a major data leak and broader market developments.

    Alphabet Inc. (GOOG)’s shares closed at $213.53, up slightly from the day’s prior end price, despite Google‘s global security alert advising its 2.5 billion Gmail users to update their information following a data breach involving one of its Salesforce databases.

    The company immediately issued a network-wide alert telling users to change their password immediately.

    Despite all that, investors in Google had either not fully digested the news during Friday trade, or were watching see what fallout might continue over the weekend, before pricing in any hit to the company’s value.

    So what was affected in the breach?

    Though consumer Gmail and Cloud accounts were not directly compromised, the incident has triggered an aggressive wave of phishing and impersonation attacks targeting users across the platform.

    The leak, which exposed hundreds of thousands of sensitive documents and personal data, has underscored growing concerns about cybersecurity risks facing major tech firms.

    Still, despite major data breaches at all the tech giants, seemingly in an endless game of round robin, investors continue to believe the potential of these companies outweighs most security concerns.

    Alphabet said in a statement it is investigating the breach and implementing additional security measures, but the incident has added to scrutiny of data management practices across the industry.

    “The safety and privacy of user data are paramount,” it read. “We are working diligently to address these issues and prevent future incidents.”

    Cybersecurity concerns ramp up

    Meanwhile, investors are still nervously cautious about signs of economic slowdown and Federal Reserve signals hinting at future interest rate cuts.

    Despite the turbulence, Alphabet’s stock maintained its position, reflecting investors’ ongoing confidence in the company’s core advertising and cloud businesses. But questions about data security continue to cloud its outlook.

    As the debate over digital privacy and cybersecurity intensifies, Alphabet’s response and its ability to restore trust will be closely watched by shareholders and regulators alike. Google sought this week to reassure consumers and investors.

    The breach exposed thousands of sensitive records, including personal details, corporate documents, and government information.

    The leaked data spread across multiple sources and was easily accessible via search engines. It includes confidential information such as legal files, financial records, and private communications.

    Company data policies under new scrutiny

    Experts warn that such exposure not only jeopardizes individual privacy but also heightens the risk of corporate espionage, identity theft, and national security threats.

    In its statement, Google emphasized that it is actively investigating the incident and has deployed additional security measures to identify and mitigate the breach’s impact.

    Cybersecurity analysts warn that the proliferation of data leaks reflects broader systemic issues in how companies handle sensitive information, as the industry remains largely unregulated and prone to cyberattacks. The incident serves as a stark reminder of the urgent need for stronger data protection standards and increased transparency around data management practices.

    As consumers and businesses grapple with the potential fallout, authorities worldwide are calling for stricter oversight of data security protocols to mitigate the risks posed by such breaches in an increasingly interconnected world.

    [ad_2]

    Riley Gutiérrez McDermid

    Source link

  • WhatsApp data leak: 500 mn users’ phone numbers from 84 countries, including India, up for sale

    WhatsApp data leak: 500 mn users’ phone numbers from 84 countries, including India, up for sale

    [ad_1]

    Meta-owned instant messaging platform WhatsApp users’ personal information, such as mobile phone numbers, has allegedly been breached and is up for sale on a well-known hacking community forum.

    According to a Cybernews report, some people posted an advertisement on the hacking community forum on November 16 and were selling a 2022 database of around 487 million WhatsApp users’ mobile numbers. The report, which has been confirmed by multiple sources, is likely to be true.

    This database of WhatsApp users contains data from 84 countries (including India) and suggests that almost one-fourth of all WhatsApp’s estimated two billion active monthly users are at possible risk.

    Reportedly, there are more than 6 million records of Indian WhatsApp users on sale. Apart from the Indian users, the report also claims that there are more than 32 million mobile numbers of US users, 45 million contacts from Egypt, 35 million from Italy, 29 million from Saudi Arabia, 20 million from France and nearly 20 million from Turkey.

    According to the report, hackers were selling the US dataset for $7,000, the UK for $2,500, and Germany for $2,000.

    This type of personal user information, such as leaked phone numbers, is mostly used for marketing and phishing, impersonation, and fraud attacks.

    [ad_2]

    Source link