An anonymous reader quotes a report from BleepingComputer: AT&T says a massive trove of data impacting 71 million people did not originate from its systems after a hacker leaked it on a cybercrime forum and claimed it was stolen in a 2021 breach of the company. While BleepingComputer has not been able to confirm the legitimacy of all the data in the database, we have confirmed some of the entries are accurate, including those whose data is not publicly accessible for scraping. The data is from an alleged 2021 AT&T data breach that a threat actor known as ShinyHunters attempted to sell on the RaidForums data theft forum for a starting price of $200,000 and incremental offers of $30,000. The hacker stated they would sell it immediately for $1 million.

AT&T told BleepingComputer then that the data did not originate from them and that its systems were not breached. "Based on our investigation today, the information that appeared in an internet chat room does not appear to have come from our systems," AT&T told BleepingComputer in 2021. When we told ShinyHunters that AT&T said the data did not originate from them, they replied, "I don't care if they don't admit. I'm just selling." AT&T continues to tell BleepingComputer today that they still see no evidence of a breach in their systems and still believe that this data did not originate from them.

Today, another threat actor known as MajorNelson leaked data from this alleged 2021 data breach for free on a hacking forum, claiming it was the data ShinyHunters attempted to sell in 2021. This data includes names, addresses, mobile phone numbers, encrypted date of birth, encrypted social security numbers, and other internal information. However, the threat actors have decrypted the birth dates and social security numbers and added them to another file in the leak, making those also accessible. BleepingComputer has reviewed the data, and while we cannot confirm that all 73 million lines are accurate, we verified some of the data contains correct information, including social security numbers, addresses, dates of birth, and phone numbers. Furthermore, other cybersecurity researchers, such as Dark Web Informer, who first told BleepingComputer about the leaked data, and VX-Underground have also confirmed some of the data to be accurate. Despite AT&T's statement, BleepingComputer says if you were an AT&T customer before and through 2021, it's "[safe] to assume that your data was exposed and can be used in targeted attacks."

Have I Been Pwned's Troy Hunt writes: "I have proven, with sufficient confidence, that the data is real and the impact is significant."

An anonymous reader writes: Mozilla Firefox 124 looks like a small update that only updates the Caret Browsing mode to also work in the PDF viewer and adds support for the Screen Wake Lock API to prevent devices from dimming or locking the screen when an application needs to keep running. The Firefox View feature has been updated as well in this release to allow users to sort open tabs by either recent activity (default setting) or tab order. Also, Firefox 124 expands Qwant's availability to all languages in the France region along with Belgium, Italy, Netherlands, Spain, and Switzerland.

This release also adds support for using HTTP(S) and relative URLs when creating WebSockets, as well as support for the AbortSignal: any() static method, which takes an iterable of abort signals and returns an AbortSignal (more details are available here). For Android users, Firefox 124 enables the Pull to Refresh feature, which is now more robust than ever, by default and adds support for the HTML drag and drop API when using a mouse, which accepts plain text or HTML text by the drop operation from external apps.

For macOS users, this release uses the fullscreen API for all types of full-screen windows, promising a better match to the expected macOS user experience for full-screen spaces, the Menubar, and the Dock. If you want to disable this feature, you'll need to set the full-screen-api.macos-native-full-screen preference to false in about:config. For Windows users, this release adds the ability to populate the Windows taskbar jump list more efficiently. According to Mozilla, this change should allow for a "smoother overall browsing experience."

Ethiopia's biggest commercial bank is scrambling to recoup large sums of money withdrawn by customers after a "systems glitch." From a report: The customers discovered early on Saturday that they could take out more cash than they had in their accounts at the Commercial Bank of Ethiopia (CBE). More than $40m was withdrawn or transferred to other banks, local media reported.

It took several hours for the institution to freeze transactions. Much of the money was withdrawn from state-owned CBE by students, bank president Abe Sano told journalists on Monday. News of the glitch spread across universities largely via messaging apps and phone calls. Long lines formed at campus ATMs, with a student in western Ethiopia telling BBC Amharic people were withdrawing money until police officers arrived on campus to stop them.

An anonymous reader quotes a report from InfoWorld: C++ creator Bjarne Stroustrup has defended the widely used programming language in response to a Biden administration report that calls on developers to use memory-safe languages and avoid using vulnerable ones such as C++ and C. In a March 15 response to an inquiry from InfoWorld, Stroustrup pointed out strengths of C++, which was designed in 1979. "I find it surprising that the writers of those government documents seem oblivious of the strengths of contemporary C++ and the efforts to provide strong safety guarantees," Stroustrup said. "On the other hand, they seem to have realized that a programming language is just one part of a tool chain, so that improved tools and development processes are essential."

Safety improvement always has been a goal of C++ development efforts, Stroustrup stressed. "Improving safety has been an aim of C++ from day one and throughout its evolution. Just compare the K&R C language with the earliest C++, and the early C++ with contemporary C++. My CppCon 2023 keynote outlines that evolution," he said. "Much quality C++ is written using techniques based on RAII (Resource Acquisition Is Initialization), containers, and resource management pointers rather than conventional C-style pointer messes." Stroustrup cited a number of efforts to improve C++ safety. "There are two problems related to safety. Of the billions of lines of C++, few completely follow modern guidelines, and peoples' notions of which aspects of safety are important differ. I and the C++ standard committee are trying to deal with that," he said. "Profiles is a framework for specifying what guarantees a piece of code requires and enable implementations to verify them. There are documents describing that on the committee's website -- look for WG21 -- and more are coming. However, some of us are not in a mood to wait for the committee's necessarily slow progress."

Profiles, Stroustrup said, "is a framework that allows us to incrementally improve guarantees -- e.g., to eliminate most range errors relatively soon -- and to gradually introduce guarantees into large code bases through local static analysis and minimal run-time checks. My long-term aim for C++ is and has been for C++ to offer type and resource safety when and where needed. Maybe the current push for memory safety -- a subset of the guarantees I want -- will prove helpful to my efforts, which are shared by many in the C++ standards committee." Stroustrup previously defended the safety of C++ against the NSA, which recommended using memory-safe languages instead of C++ and C in a November 2022 bulletin.

Two investment advisors have reached settlements with the US Securities and Exchange Commission for allegedly exaggerating their use of AI, which in both cases were purported to be cornerstones of their offerings. From a report: Canada-based Delphia and San Francisco-headquartered Global Predictions will cough up $225,000 and $175,000 respectively for telling clients that their products used AI to improve forecasts. The financial watchdog said both were engaging in "AI washing," a term used to describe the embellishment of machine-learning capabilities.

"We've seen time and again that when new technologies come along, they can create buzz from investors as well as false claims by those purporting to use those new technologies," said SEC chairman Gary Gensler. "Delphia and Global Predictions marketed to their clients and prospective clients that they were using AI in certain ways when, in fact, they were not." Delphia claimed its system utilized AI and machine learning to incorporate client data, a statement the SEC said it found to be false.

"Delphia represented that it used artificial intelligence and machine learning to analyze its retail clients' spending and social media data to inform its investment advice when, in fact, no such data was being used in its investment process," the SEC said in a settlement order. Despite being warned about suspected misleading practices in 2021 and agreeing to amend them, Delphia only partially complied, according to the SEC. The company continued to market itself as using client data as AI inputs but never did anything of the sort, the regulator said.

An anonymous reader shares a report: The Apex Legends Global Series is currently in regional finals mode, but the North America finals have been delayed after two players were hacked mid-match. First, Noyan "Genburten" Ozkose of DarkZero suddenly found himself able to see other players through walls, then Phillip "ImperialHal" Dosen of TSM was given an aimbot. Genburten's hack happened part of the way through the day's third match. A Twitch clip of the moment shows the words "Apex hacking global series by Destroyer2009 & R4ndom" repeating over chat as he realizes he's been given a cheat and takes his hands off the controls. "I can see everyone!" he says, before leaving the match.

ImperialHal was hacked in the game immediately after that. "I have aimbot right now!" he shouts in a clip of the moment, before declaring "I can't shoot." Though he continued attempting to play out the round, the match was later abandoned. The volunteers at the Anti-Cheat Police Department have since issued a PSA announcing, "There is currently an RCE exploit being abused in [Apex Legends]" and that it could be delivered via from the game itself, or its anti-cheat protection. "I would advise against playing any games protected by EAC or any EA titles", they went on to say.

As for players of the tournament, they strongly recommended taking protective measures. "It is advisable that you change your Discord passwords and ensure that your emails are secure. also enable MFA for all your accounts if you have not done it yet", they said, "perform a clean OS reinstall as soon as possible. Do not take any chances with your personal information, your PC may have been exposed to a rootkit or other malicious software that could cause further damage." The rest of the series has now been postponed, "Due to the competitive integrity of this series being compromised," as the official Twitter account announced. They finished by saying, "We will share more information soon."

Multinational technology giant Fujitsu confirmed a cyberattack in a statement Friday, and warned that hackers may have stolen personal data and customer information. From a report: "We confirmed the presence of malware on multiple work computers at our company, and as a result of an internal investigation, we discovered that files containing personal information and customer information could be illegally taken out," said Fujitsu in its statement on its website, translated from Japanese.

Fujitsu said it disconnected the affected systems from its network, and is investigating how its network was compromised by malware and "whether information has been leaked." The tech conglomerate did not specify what kind of malware was used, or the nature of the cyberattack. Fujitsu also did not say what kind of personal information may have been stolen, or who the personal information pertains to -- such as its employees, corporate customers, or citizens whose governments use the company's technologies.

SofiaWW writes: Microsoft has announced that the next subscription-free version of its Office suite will launch later this year. A commercial preview of Office LTSC 2024 will be available from next month, with a full launch scheduled for later in the year.

The Office Long-Term Servicing Channel is supported for five years, and it holds great appeal for the many businesses that are not keen on the idea of software subscriptions. There will also be a consumer-focused version of the suite, Office 2024, available via a traditional 'one-time purchase' model. Further reading: Microsoft Really Doesn't Want You To Buy Office 2019 (From 2019).

The Guardian reports that this week "Bernie Sanders, the independent senator from Vermont who twice ran for the Democratic presidential nomination, introduced a bill to establish a four-day US working week." "Moving to a 32-hour workweek with no loss of pay is not a radical idea," Sanders said on Thursday. "Today, American workers are over 400% more productive than they were in the 1940s. And yet millions of Americans are working longer hours for lower wages than they were decades ago. "That has got to change. The financial gains from the major advancements in artificial intelligence, automation and new technology must benefit the working class, not just corporate chief executives and wealthy stockholders on Wall Street.

"It is time to reduce the stress level in our country and allow Americans to enjoy a better quality of life. It is time for a 32-hour workweek with no loss in pay."
The proposed bill "has received the endorsement of the American Federation of Labor and Congress of Industrial Organizations, United Auto Workers, the Service Employees International Union, the Association of Flight Attendants" — as well as several other labor unions, reports USA Today: More than half of adults employed full time reported working more than 40 hours per week, according to a 2019 Gallup poll... More than 70 British companies started to test a four-day workweek last year, and most respondents reported there has been no loss in productivity.
A statement from Senator Sanders: Bill Gates, the founder of Microsoft, and Jamie Dimon, the CEO of JP Morgan Chase, predicted last year that advancements in technology would lead to a three or three-and-a-half-day workweek in the coming years. Despite these predictions, Americans now work more hours than the people of most other wealthy nations, but are earning less per week than they did 50 years ago, after adjusting for inflation.
"Sanders also pointed to other countries that have reduced their workweeks, such as France, Norway and Denmark," adds NBC News.

USA Today notes that "While Sanders' role as chair of the Senate Health, Education, Labor, and Pensions Committee places a greater focus on shortening the workweek, it is unlikely the bill will garner enough support from Republicans to become federal law and pass in both chambers."

And political analysts who spoke to ABC News "cast doubt on the measure's chances of passage in a divided Congress where opposition from Republicans is all but certain," reports ABC News, "and even the extent of support among Democrats remains unclear."

"Dell's strict new RTO mandate excludes fully remote workers from promotion," reports Business Insider.

The site calls it "one of the most abrupt changes to remote work policies," noting that Dell "has had a hybrid working culture in place for more than a decade — long before the pandemic struck." "Dell cared about the work, not the location," a senior employee at Dell who's worked remotely for more than a decade, told Business Insider last month. "I would say 10% to 15% of every team was remote." That flexibility has enabled staff to sustain their careers in the face of major life changes, several employees told BI. It has also helped Dell to be placed on the "Best Place to Work for Disability Equality Index" since 2018. But in February Dell introduced a strict return-to-office mandate, with punitive measures for those who want to stay at home.

Under the new policy, staff were told that from May almost all will be classified as either "hybrid," or "remote." Hybrid workers will be required to come into an "approved" office at least 39 days a quarter — the equivalent of about three days a week, internal documents seen by BI show. If they want to keep working from home, staff can opt to go fully remote. But that option has a downside: fully remote workers will not be considered for promotion, or be able to change roles.
Workers have said Dell's approach might be intended to lower headcount without having to pay severance by inducing some employees to quit. But reached by Business Insider for a comment, Dell defended their approach as instead "critical to drive innovation and value differentiation."

But Professor Cary Cooper, an organizational psychologist and cofounder of the National Forum for Health and Wellbeing at work, tells the site Dell could be following a "pack mentality" among tech companies — or reacting to a sluggish world economy. "Senior execs somehow think that people in the office are more productive than at home, even though there's no evidence to back that up."

Business Insider added that Dell's approach "differs from founder and CEO Michael Dell's previous support for remote workers," who famously said "If you are counting on forced hours spent in a traditional office to create collaboration and provide a feeling of belonging within your organization, you're doing it wrong."

An anonymous reader quotes a report from BleepingComputer: McDonald's restaurants are suffering global IT outages that prevent employees from taking orders and accepting payments, causing some stores to close for the day. The outages started overnight and are impacting restaurants globally, including those in the USA, Japan, Australia, Canada, the Netherlands, Italy, New Zealand, and the UK. "We are aware of a technology outage, which impacted our restaurants; the issue is now being resolved," McDonald's said in a statement to BleepingComputer. "We thank customers for their patience and apologize for any inconvenience this may have caused. Notably, the issue is not related to a cybersecurity event." In an updated statement, McDonald's says that the outage was caused by a third-party provider during a configuration change. "Many markets are back online, and the rest are in the process of coming back online. This issue was not directly caused by a cybersecurity event; rather, it was caused by a third-party provider during a configuration change."

Microsoft has been pushing Bing pop-up ads in Chrome on Windows 10 and 11. The new ad once again encourages Chrome users (in bold lettering) to use Bing instead of Google search. From a report: "Chat with GPT-4 for free on Chrome! Get hundreds of daily chat turns with Bing Al," the ad reads. If you click "Yes," the pop-up will install the "Bing Search" Chrome extension while making Microsoft's search engine the default.

If you click "Yes" on the ad to switch to Bing, a Chrome pop-up will appear, asking you to confirm that you want to change the browser's default search engine. "Did you mean to change your search provider?" the pop-up asks. "The âMicrosoft Bing Search for Chrome' extension changed search to use bing.com,'" Chrome's warning states. Directly beneath that alert, seemingly in anticipation of Chrome's pop-up, another Windows notification warns, "Wait -- don't change it back! If you do, you'll turn off Microsoft Bing Search for Chrome and lose access to Bing Al with GPT-4 and DALL-E 3. Select Keep it to stay with Microsoft Bing."

Two of the biggest manufacturers of locks used in commercial safes have been accused of essentially putting backdoors in at least some of their products in a new letter by Senator Ron Wyden. 404 Media: Wyden is urging the U.S. government to explicitly warn the public about the vulnerabilities, which Wyden says could be exploited by foreign adversaries to steal what U.S. businesses store in safes, such as trade secrets. The little known "manufacturer" or "manager" reset codes could let third parties -- such as spies or criminals -- bypass locks without the owner's consent and are sometimes not disclosed to customers. Wyden's office also found that while the U.S. Department of Defense (DoD) bans such locks for sensitive and classified U.S. government use in part due to the security vulnerability reset codes pose, the government has deliberately not warned the public about the existence of these backdoors.

The specific companies named in Wyden's letter are China-based SECURAM and U.S.-based Sargent and Greenleaf (S&G). Each produces keypad locks which are then implemented into safes by other manufacturers. The full list of locks that contain backdoor codes is unknown, but documentation available online points to multiple SECURAM products which do include them, and S&G confirmed to Wyden's office that some of its own locks also have similar codes.

France Travail, the government agency responsible for assisting the unemployed, has fallen victim to a massive data breach exposing the personal information of up to 43 million French citizens dating back two decades, the department announced on Wednesday. The incident, which has been reported to the country's data protection watchdog (CNIL), is the latest in a series of high-profile cyber attacks targeting French government institutions and underscores the growing threat to citizens' private data. From a report: The department's statement reveals that names, dates of birth, social security numbers, France Travail identifiers, email addresses, postal addresses, and phone numbers were exposed. Passwords and banking details aren't affected, at least. That said, CNIL warned that the data stolen during this incident could be linked to stolen data in other breaches and used to build larger banks of information on any given individual. It's not clear whether the database's entire contents were stolen by attackers, but the announcement suggests that at least some of the data was extracted.

Google announced a major change to its Safe Browsing feature in Chrome today that will make the service work in real time by checking against a server-side list -- all without sharing your browsing habits with Google. From a report: Previously, Chrome downloaded a list of known sites that harbor malware, unwanted software and phishing scams once or twice per hour. Now, Chrome will move to a system that will send the URLs you are visiting to its servers and check against a rapidly updated list there. The advantage of this is that it doesn't take up to an hour to get an updated list because, as Google notes, the average malicious site doesn't exist for more than 10 minutes.

The company claims that this new server-side system can catch up to 25 percent more phishing attacks than using local lists. These local lists have also grown in size, putting more of a strain on low-end machines and low-bandwidth connections. Google is rolling out this new system to desktop and iOS users now, with Android support coming later this month.

According to a new study from the Institute for the Future of Work, contemporary technology often has a negative impact on workers' quality of life. The think tank surveyed over 6,000 people to learn how four categories of workplace technologies affected their wellbeing. TechSpot reports the findings: The study found that increased exposure to three of the categories tended to worsen workers' mental state and health. The three areas that negatively impact people most are wearable and remote sensing technologies, which covers CCTV cameras and wearable trackers; robotics, consisting of automated machines, self-driving vehicles, and other equipment; and, unsurprisingly, technologies relating to AI and ML, which includes everything from decision management to biometrics. Only one of the categories was found to be beneficial to employees, and it's one that has been around for decades: ICT tech such as laptops, tablets, phones, and real-time messaging tools.

Connor Jones reports via The Register: Stanford University says the cybersecurity incident it dealt with last year was indeed ransomware, which it failed to spot for more than four months. Keen readers of El Reg may remember the story breaking toward the end of October 2023 after Akira posted Stanford to its shame site, with the university subsequently issuing a statement simply explaining that it was investigating an incident, avoiding the dreaded R word. Well, surprise, surprise, ransomware was involved, according to a data breach notice sent out to the 27,000 people affected by the attack.

Akira targeted the university's Department of Public Safety (DPS) and this week's filing with the Office of the Maine Attorney General indicates that Stanford became aware of the incident on September 27, more than four months after the initial breach took place. According to Monday's filing, the data breach occurred on May 12 2023 but was only discovered on September 27 of last year, raising questions about whether the attacker(s) was inside the network the entire time and why it took so long to spot the intrusion.

It's not fully clear what information was compromised, but the draft letters include placeholders for three different variables. However, the filing with Maine's AG suggests names and social security numbers are among the data types to have been stolen. All affected individuals have been offered 24 months of free credit monitoring, including access to a $1 million insurance reimbursement policy and ID theft recovery services. Akira's post dedicated to Stanford on its leak site claims it stole 430 GB worth of data, including personal information and confidential documents. It's all available to download via a torrent file and the fact it remains available for download suggests the research university didn't pay whatever ransom the attackers demanded.

Bill Toulas reports via BleepingComputer: Google awarded $10 million to 632 researchers from 68 countries in 2023 for finding and responsibly reporting security flaws in the company's products and services. Though this is lower than the $12 million Google's Vulnerability Reward Program paid to researchers in 2022, the amount is still significant, showcasing a high level of community participation in Google's security efforts.

The highest reward for a vulnerability report in 2023 was $113,337, while the total tally since the program's launch in 2010 has reached $59 million. For Android, the world's most popular and widely used mobile operating system, the program awarded over $3.4 million. Google also increased the maximum reward amount for critical vulnerabilities concerning Android to $15,000, driving increased community reports. During security conferences like ESCAL8 and hardwea.io, Google awarded $70,000 for 20 critical discoveries in Wear OS and Android Automotive OS and another $116,000 for 50 reports concerning issues in Nest, Fitbit, and Wearables. Google's other big software project, the Chrome browser, was the subject of 359 security bug reports that paid out a total of $2.1 million.

Contributors from Apple, Google, Microsoft, and Mozilla, writing for BrowserBench: Since the initial version of the Speedometer benchmark was released in 2014 by the WebKit team, it has become a key tool for browser engines to drive performance optimizations as users and developers continue to demand richer and smoother experiences online.

We're proud to release Speedometer 3.0 today as a collaborative effort between the three major browser engines: Blink, Gecko, and WebKit. Like previous releases (Speedometer 2 in 2018 and Speedometer 1 in 2014), it's designed to measure web application responsiveness by simulating user interactions on real web pages. Today's release of Speedometer 3.0 marks a major step forward in web browser performance testing: it introduces a better way of measuring performance and a more representative set of tests that reflect the modern Web.

This is the first time the Speedometer benchmark, or any major browser benchmark, has been developed through a cross-industry collaboration supported by each major browser engine: Blink/V8, Gecko/SpiderMonkey, and WebKit/JavaScriptCore. It's been developed under a new governance model, driven by consensus, and is hosted in a shared repository that's open to contribution. This new structure involves a lot of collective effort: discussions, research, debates, decisions, and hundreds of PRs since we announced the project in December 2022.

Speedometer 3 adds many new tests. We started designing this new benchmark by identifying some key scenarios and user interactions that we felt were important for browsers to optimize. In particular, we added new tests that simulate rendering canvas and SVG charts (React Stockcharts, Chart.js, Perf Dashboard, and Observable Plot), code editing (CodeMirror), WYSIWYG editing (TipTap), and reading news sites (Next.js and Nuxt.js).

Over 15,000 Roku customers were hacked and used to make fraudulent purchases of hardware and streaming subscriptions. According to BleepingComputer, the threat actors were "selling the stolen accounts for as little as $0.50 per account, allowing purchasers to use stored credit cards to make illegal purchases." From the report: On Friday, Roku first disclosed the data breach, warning that 15,363 customer accounts were hacked in a credential stuffing attack. A credential stuffing attack is when threat actors collect credentials exposed in data breaches and then attempt to use them to log in to other sites, in this case, Roku.com. The company says that once an account was breached, it allowed threat actors to change the information on the account, including passwords, email addresses, and shipping addresses. This effectively locked a user out of the account, allowing the threat actors to make purchases using stored credit card information without the legitimate account holder receiving order confirmation emails.

"It appears likely that the same username/password combinations had been used as login information for such third-party services as well as certain individual Roku accounts," reads the data breach notice. "As a result, unauthorized actors were able to obtain login information from third-party sources and then use it to access certain individual Roku accounts. "After gaining access, they then changed the Roku login information for the affected individual Roku accounts, and, in a limited number of cases, attempted to purchase streaming subscriptions." Roku says that it secured the impacted accounts and forced a password reset upon detecting the incident. Additionally, the platform's security team investigated for any charges due to unauthorized purchases performed by the hackers and took steps to cancel the relevant subscriptions and refund the account holders.

A researcher told BleepingComputer last week that the threat actors have been using a Roku config to perform credential stuffing attacks for months, bypassing brute force attack protections and captchas by using specific URLs and rotating through lists of proxy servers. Successfully hacked accounts are then sold on stolen account marketplaces for as little as 50 cents, as seen below where 439 accounts are being sold. The seller of these accounts provides information on how to change information on the account to make fraudulent purchases. Those who purchase the stolen accounts hijack them with their own information and use stored credit cards to purchase cameras, remotes, soundbars, light strips, and streaming boxes. After making their purchases, it is common for them to share screenshots of redacted order confirmation emails on Telegram channels associated with the stolen account marketplaces.