thewayne: (Cyranose)
[personal profile] thewayne
I've kind of stopped posting about these as it's just so damn depressing and never-ending, but ADP is different. They handle payroll for SO MANY companies across the USA that it needs to be mentioned.

The method was depressingly simple. ADP had a web portal for its clients, which makes sense. But if a company had not registered on said portal, they were vulnerable: fraudsters were able to siphon confidential info from a variety of sources, create an account for said ADP customer, and all of the client's payroll information was instantly available. And Robert's your mother's brother.

http://krebsonsecurity.com/2016/05/fraudsters-steal-tax-salary-data-from-adp/


In other hacking news, there's a free web site called Have I Been Pwned that I've mentioned before. I mention it because there was a similar for-profit business called Pwnedlist that did largely the same thing. They just closed their business as they got pwned; their business model was that clients would pay subscriptions and get notified if their data ever appeared in a dump. Well, they got notified because Pwnedlist got hacked through a major bad programming vulnerability that gave anyone who wanted it admin access to accounts that didn't belong to them.

By contrast, Have I Been Pwned only stores the compromised email address and what site's hack it was taken from. Nothing of value. And in the case of sensitive dumps, like Ashley Madison users, you have to register at the site to find out if your email was contained in that dump.

For an interesting read, you should take a look at HIBP's Twitter feed. He describes new dumps received as the number of accounts compromised and the number of emails that are ALREADY IN THE SYSTEM. I've been fortunate: I have three active email accounts; the two used regularly for email were both compromised in the Adobe hack, which is no big deal as those accounts didn't have credit card information attached and their passwords were not used elsewhere. My other email account of any importance is only used for PayPal, and it has not been compromised.
Page generated Jan. 5th, 2026 07:40 pm