Security

JPL Creates World's Largest PDF Archive to Aid Malware Research

NASA's Jet Propulsion Laboratory (JPL) has created the largest open-source archive of PDFs as part of DARPA's Safe Documents program, with the aim of improving internet security. The corpus consists of approximately 8 million PDFs collected from the internet. From a press release: "PDFs are used everywhere and are important for contracts, legal documents, 3D engineering designs, and many other purposes. Unfortunately, they are complex and can be compromised to hide malicious code or render different information for different users in a malicious way," said Tim Allison, a data scientist at JPL in Southern California. "To confront these and other challenges from PDFs, a large sample of real-world PDFs needs to be collected from the internet to create a shared, freely available resource for software experts." Building the corpus was no easy task. As a starting point, Allison's team used Common Crawl, an open-source public repository of web-crawl data, to identify a wide variety of PDFs to be included in the corpus -- files that are publicly available and not behind firewalls or in private networks. Conducted between July and August 2021, the crawl identified roughly 8 million PDFs.

Common Crawl limits downloaded data to 1 megabyte per file, meaning larger files were incomplete. But researchers need the entire PDF, not a truncated version, in order to conduct meaningful research on them. The file-size limit reduced the number of complete, untruncated files extracted directly from Common Crawl to 6 million. To get the other 2 million PDFs and ensure the corpus was complete, the JPL team re-fetched the truncated files using specialized software that downloaded the whole files from the incomplete PDFs' web addresses. Various metadata, such as the software used to create each PDF, was extracted and is included with the corpus. The JPL team also relied on free, publicly available geolocation software to identify the server location of the source website for each PDF. The complete data set totals about 8 terabytes, making it the largest publicly available corpus of its kind.

The corpus will do more than help researchers identify threats. Privacy researchers, for example, could study these files to determine how file-creation and editing software can be improved to better protect personal information. Software developers could use the files to find bugs in their code and to check if old versions of software are still compatible with newer versions of PDFs. The Digital Corpora project hosts the huge data archive as part of Amazon Web Services' Open Data Sponsorship Program, and the files have been packaged in easily downloadable zip files.

Encryption

Hackers Can Steal Cryptographic Keys By Video-Recording Power LEDs 60 Feet Away (arstechnica.com)

An anonymous reader quotes a report from Ars Technica: Researchers have devised a novel attack that recovers the secret encryption keys stored in smart cards and smartphones by using cameras in iPhones or commercial surveillance systems to video record power LEDs that show when the card reader or smartphone is turned on. The attacks enable a new way to exploit two previously disclosed side channels, a class of attack that measures physical effects that leak from a device as it performs a cryptographic operation. By carefully monitoring characteristics such as power consumption, sound, electromagnetic emissions, or the amount of time it takes for an operation to occur, attackers can assemble enough information to recover secret keys that underpin the security and confidentiality of a cryptographic algorithm. [...]

On Tuesday, academic researchers unveiled new research demonstrating attacks that provide a novel way to exploit these types of side channels. The first attack uses an Internet-connected surveillance camera to take a high-speed video of the power LED on a smart card reader -- or of an attached peripheral device -- during cryptographic operations. This technique allowed the researchers to pull a 256-bit ECDSA key off the same government-approved smart card used in Minerva. The other allowed the researchers to recover the private SIKE key of a Samsung Galaxy S8 phone by training the camera of an iPhone 13 on the power LED of a USB speaker connected to the handset, in a similar way to how Hertzbleed pulled SIKE keys off Intel and AMD CPUs. Power LEDs are designed to indicate when a device is turned on. They typically cast a blue or violet light that varies in brightness and color depending on the power consumption of the device they are connected to.

There are limitations to both attacks that make them unfeasible in many (but not all) real-world scenarios (more on that later). Despite this, the published research is groundbreaking because it provides an entirely new way to facilitate side-channel attacks. Not only that, but the new method removes the biggest barrier holding back previously existing methods from exploiting side channels: the need to have instruments such as an oscilloscope, electric probes, or other objects touching or being in proximity to the device being attacked. In Minerva's case, the device hosting the smart card reader had to be compromised for researchers to collect precise-enough measurements. Hertzbleed, by contrast, didn't rely on a compromised device but instead took 18 days of constant interaction with the vulnerable device to recover the private SIKE key. To attack many other side channels, such as the one in the World War II encrypted teletype terminal, attackers must have specialized and often expensive instruments attached or near the targeted device. The video-based attacks presented on Tuesday reduce or completely eliminate such requirements. All that's required to steal the private key stored on the smart card is an Internet-connected surveillance camera that can be as far as 62 feet away from the targeted reader. The side-channel attack on the Samsung Galaxy handset can be performed by an iPhone 13 camera that's already present in the same room.
Videos embedded in the Ars report show the video-capture process of a smart card reader and a Samsung Galaxy phone, respectively, as they perform cryptographic operations. "To the naked eye, the captured video looks unremarkable," adds Ars. "But by analyzing the video frames for different RGB values in the green channel, an attacker can identify the start and finish of a cryptographic operation."

IT

A Company Called Atari is Releasing a Brand-New 2600 Cartridge This Year (arstechnica.com)

The company that currently owns the Atari name and trademarks has decided to give owners of the old Atari Video Computer System (aka the Atari 2600) something new to do. From a report: Mr. Run and Jump is a new Atari-published platformer that is coming to vintage Atari consoles in cartridge form, complete with a box and instruction manual. Preorders for the cartridge begin on July 31 for $59.99. The version of Mr. Run and Jump coming to the 2600 is a primitive version of a much different-looking game with the same name that's coming to PCs and all major game consoles on July 25. We've got to hand it to Atari here -- as a PR gambit for a new game, porting a rough version of your game to a 46-year-old game console and then giving it a physical release complete with box and manual is pretty good.

Atari is billing this release as "the first 2600 cartridge launch for a new Atari title since 1990," though there have also been some limited-run cartridge releases for games like 2005's Yars' Return. There were also a few new 2600-inspired games and remakes, including Vctr Sctr, in Atari's 50th-anniversary collection, which also got a physical release on modern consoles. Although modern game development for the 2600, NES, Game Boy, and other retro consoles is mostly the province of homebrew developers working in emulators, physical cartridge releases aren't uncommon. Limited Run Games and other independent and crowdfunded outfits have released plenty of physical cartridges for old consoles, including a Smash Bros-style NES game that includes a Wi-Fi chip to support online play.

Social Networks

Reddit CEO Tells Employees That Subreddit Blackout 'Will Pass' (theverge.com)

In an internal memo sent Monday afternoon to Reddit staff, CEO Steve Huffman addressed the recent blowback directed at the company, telling employees to block out the "noise" and that the ongoing blackout of thousands of subreddits will eventually pass. From a report: The memo, a copy of which was obtained by The Verge, is in response to popular subreddits going dark this week in protest of the company's increased API pricing for third-party apps. Some of the most popular Reddit clients say the bill for keeping their apps up and running could cost them millions of dollars a year. More than 8,000 Reddit communities have gone dark in protest, and while many plan to open up again on Wednesday, some have said they'll stay private indefinitely until Reddit makes changes.

Huffman says the blackout hasn't had "significant revenue impact" and that the company anticipates that many of the subreddits will come back online by Wednesday. "There's a lot of noise with this one. Among the noisiest we've seen. Please know that our teams are on it, and like all blowups on Reddit, this one will pass as well," the memo reads. "We absolutely must ship what we said we would. The only long term solution is improving our product, and in the short term we have a few upcoming critical mod tool launches we need to nail."

Software

Ask Slashdot: What Are Some Tips For Creating Effective Documentation?

theodp writes: "My advice to all the young tech enthusiasts, future engineering managers, and CTOs is simple," writes Vadim Kravcenko in The Surprising Power of Documentation. "Cultivate a love for documentation. You may view it as a chore, an afterthought, or a nuisance. But trust me when I say this: Documentation isn't just a task on your to-do list; it's a pillar for success and a bridge that connects ideas, people, and vision. Treat it not as a burden but as an opportunity to learn, share, and create an impact."

So, what would Goldilocks make of your organization's documentation -- Too much? Too little? Just right? Got any recommended tools and management tips for creating useful and sustainable documentation?

Privacy

UK Communications Regulator Ofcom Says Hackers Stole Confidential Data (bloomberg.com)

The hackers responsible for the MOVEit cyberattack downloaded confidential information from UK communications regulator Ofcom about companies it regulates, as well as its own employees -- adding to a string of victims which includes IAG SA's British Airways and the British Broadcasting Corporation. From a report: "A limited amount of information about certain companies we regulate -- some of it confidential -- along with personal data of 412 Ofcom employees, was downloaded during the attack," an Ofcom spokesman said by email. "We took immediate action to prevent further use of the MOVEit service and to implement the recommended security measures. We also swiftly alerted all affected Ofcom-regulated companies, and we continue to offer support and assistance to our colleagues."

Social Networks

Reddit is Crashing Because of the Growing Subreddit Blackout (theverge.com)

Reddit has been going through some issues for many on Monday, with the outage happening the same day as thousands of subreddits going dark to protest the site's new API pricing terms. From a report: According to Reddit, the blackout is responsible for the problems. "A significant number of subreddits shifting to private caused some expected stability issues, and we've been working on resolving the anticipated issue," spokesperson Tim Rathschmidt tells The Verge. Reddit's status page reported a "major outage" affecting Reddit's desktop and mobile sites and its native mobile apps. [...] More than 7,000 subreddits have gone private or read-only in response to the API pricing terms, which is forcing the developers of apps like Apollo for Reddit to shut down at the end of the month.

Space

'He's About to Graduate College and Join SpaceX as an Engineer. He's 14.' (yahoo.com)

"Kairan Quazi will probably need someone to drive him to work at SpaceX," writes the Los Angeles Times — because "He's only 14." The teen is scheduled to graduate this month from the Santa Clara University School of Engineering before starting a job as a software engineer at the satellite communications and spacecraft manufacturer... The soft-spoken teen said working with Starlink — the satellite internet team at SpaceX — will allow him to be part of something bigger than himself. That is no small feat for someone who has accomplished so much at such a young age...

The youngster jumped from third grade to a community college, with a workload that he felt made sense. "I felt like I was learning at the level that I was meant to learn," said Kairan, who later transferred to Santa Clara University... Kairan's family told BrainGain Magazine that when he was 9, IQ tests showed that his intelligence was in the 99.9th percentile of the general population. Asked if he's a genius, he recalled his parents telling him, "Genius is an action -- it requires solving big problems that have a human impact." Once accepted to the engineering school at Santa Clara University as a transfer student, Kairan felt that he had found his freedom to pursue a career path that allowed him to solve those big problems.

While in college, Kairan and his mother made a list of places where he could apply for an internship. Only one company responded. Lama Nachman, director of the Intelligent Systems Research Lab at Intel, took a meeting with 10-year-old Kairan, who expected it to be brief and thought she would give him the customary "try again in a few years," he said. She accepted him. "In a sea of so many 'no's' by Silicon Valley's most vaunted companies, that ONE leader saying yes ... one door opening ... changed everything," Kairan wrote on his LinkedIn page...

Asked what he plans to wear on his first day, Kairan joked in an email that he plans "to show up in head to toe SpaceX merch. I'll be a walking commercial! Joking aside, I'll probably wear jeans and a t-shirt so I can be taken seriously as an engineer."

IT

Will Tech Layoffs Trigger a Wave of Unionization? (businessinsider.com)

An anonymous reader shared this report from Insider: The recent tsunami of tech layoffs could leave a wave of union organizing in its wake. That's according to Skylar Hinnant, a senior QA tester at Microsoft's ZeniMax, who supported a successful union campaign at the gaming unit of the software giant... Within tech companies, roles such as quality assurance testers and contractors are less revered, so those workers are more likely to unionize, Hinnant explained. "In these roles, people will be treated differently, it's sort of derogatory," he added.

Layoffs, cuts in perks and other benefits, and a slowing of pay increases have marred the tech industry's reputation as a great place to work. That has kicked off a power struggle between employees and management. "When an employer lays off 16,000 employees in a day, that's a power play making employees realize how powerless they are," Rahul Dhaundiyal, a director of engineering at Indeed, told Insider... Dhaundiyal agreed with Hinnant that for lower-level tech workers the call to unionize rings louder. "In certain lower paid jobs where decision-making is top-down, where you are seen as a resource and not a human being to invest in, those kinds of roles end up maximizing disbalance and would unionize first," Dhaundiyal said.

IT

CNN Sees 'Escalating Battle' Over Returning to the Office at Tech Companies (cnn.com)

CNN explores tech-company efforts to curtail remote working. "Salesforce is trying to lure staff into offices by offering to donate $10 to a local charity for each day an employee comes in from June 12 to June 23, according to an internal Slack message reported on by Fortune."

CNN notes a recent walk-out at Amazon protesting (in part) new return-to-office policies, as well as Meta's upcoming three-days-a-week in-office mandate. But CNN adds that it's Google that "has long been a bellwether for workplace policies in the tech industry and beyond" — and that recently Google announced plans to factor in-person attendance into its performance reviews. "Overnight, workers' professionalism has been disregarded in favor of ambiguous attendance tracking practices tied to our performance evaluations," Chris Schmidt, a software engineer at Google and member of the grassroots Alphabet Workers Union, told CNN in a statement. "The practical application of this new policy will be needless confusion amongst workers and a disregard for our various life circumstances... "

Schmidt said that even if you go into the office, there's no guarantee you'll have people on your team to work with or even a desk to sit at. "Many teams are distributed, and for some of us there may not be anyone to collaborate with in our physical office locations," Schmidt said. "Currently, New York City workers do not even have enough desks and conference rooms for workers to use comfortably."

A Google spokesperson countered that its policy of working in the office three days a week is "going well, and we want to see Googlers connecting and collaborating in-person, so we're limiting remote work to exception only...."

Security

Barracuda Urges Replacing, Not Patching, Its Email Security Gateways (krebsonsecurity.com)

An anonymous reader quotes a report from KrebsOnSecurity: It's not often that a zero-day vulnerability causes a network security vendor to urge customers to physically remove and decommission an entire line of affected hardware -- as opposed to just applying software updates. But experts say that is exactly what transpired this week with Barracuda Networks, as the company struggled to combat a sprawling malware threat which appears to have undermined its email security appliances in such a fundamental way that they can no longer be safely updated with software fixes.

Campbell, Calif.-based Barracuda said it hired incident response firm Mandiant on May 18 after receiving reports about unusual traffic originating from its Email Security Gateway (ESG) devices, which are designed to sit at the edge of an organization's network and scan all incoming and outgoing email for malware. On May 19, Barracuda identified that the malicious traffic was taking advantage of a previously unknown vulnerability in its ESG appliances, and on May 20 the company pushed a patch for the flaw to all affected appliances (CVE-2023-2868).

In its security advisory, Barracuda said the vulnerability existed in the Barracuda software component responsible for screening attachments for malware. More alarmingly, the company said it appears attackers first started exploiting the flaw in October 2022. But on June 6, Barracuda suddenly began urging its ESG customers to wholesale rip out and replace -- not patch -- affected appliances. "Impacted ESG appliances must be immediately replaced regardless of patch version level," the company's advisory warned. "Barracuda's recommendation at this time is full replacement of the impacted ESG." [...] In addition to replacing devices, Barracuda says ESG customers should also rotate any credentials connected to the appliance(s), and check for signs of compromise dating back to at least October 2022 using the network and endpoint indicators the company has released publicly.

Google

Google To Include Office Attendance In Performance Reviews (cnbc.com)

Google is implementing stricter measures to enforce office attendance, including tracking badge data, confronting employees who don't come in as required, and factoring attendance into performance reviews. CNBC reports: Google's chief people officer, Fiona Cicconi, wrote an email to employees at the end of the day on Wednesday, which included doubling down on office attendance, reasoning that "there's just no substitute for coming together in person." "Of course, not everyone believes in 'magical hallway conversations,' but there's no question that working together in the same room makes a positive difference," Cicconi's email read. "Many of the products we unveiled at I/O and Google Marketing Live last month were conceived, developed and built by teams working side by side."

Her note said the company will start including their three days per week as a part of their performance reviews and teams will start sending reminders to workers "who are consistently absent from the office." Cicconi even asked already-approved remote workers to reconsider. "For those who are remote and who live near a Google office, we hope you'll consider switching to a hybrid work schedule. Our offices are where you'll be most connected to Google's community." A separate internal document showed that already-approved remote workers may be subject to reevaluation if the company determines "material changes in business need, role, team, structure or location."

In the U.S., the company will periodically track whether employees are adhering to the office attendance policy using badge data, and executives are currently reviewing local requirements to implement in other countries, one of the documents states. If workers don't follow the policy after an extended period of time, human resources will reach out about "next steps." Going forward, Cicconi said, new fully remote work will only be granted "by exception only."

In a statement to CNBC, Google spokesperson Ryan Lamont said, "our hybrid approach is designed to incorporate the best of being together in person with the benefits of working from home for part of the week. Now that we're more than a year into this way of working, we're formally integrating this approach into all of our workplace policies."

Lamont added that the badge data viewed by company leaders is aggregate data and not individualized.

Google

Google Lifts Ban on Downloader App (arstechnica.com)

Google has reversed the suspension of an Android TV app that was hit with a copyright complaint simply because it is able to load a pirate website that can also be loaded in any standard web browser. From a report: The Downloader app, which combines a web browser with a file manager, is back in the Google Play Store after an absence of nearly three weeks. As we previously reported, Google suspended the app based on a Digital Millennium Copyright Act (DMCA) complaint from several Israeli TV companies that said the app "allows users to view the infamous copyright infringing website known as SDAROT." But that same website could be viewed on any standard browser, including Google's own Chrome app.

"The app was removed on May 19th due to the DMCA takedown request," developer Elias Saba wrote in a blog post today. "Instead of recognizing the absurdity of the claim that a web browser is somehow liable for all the unauthorized use of copyrighted content on the Internet, Google took a backseat and denied my appeal to have the app reinstated." The free app has been downloaded over 5 million times on Google Play and is available on the Amazon app store for devices such as Fire TVs. In addition to the rejected appeal, Saba filed a DMCA counter notification with Google. That "started a 10-business-day countdown for the [TV companies'] law firm to file legal actions against me," Saba wrote today. "Due to the app being removed on a Friday and the Memorial Day holiday, 10 business days had elapsed with no word from the law firm on June 6th and I contacted Google to have the app reinstated."

Google

Google's Password Manager Gains Biometric Authentication on Desktop (techcrunch.com)

Google's aiming to make it easier to use and secure passwords -- at least, for users of the Password Manager tool built into its Chrome browser. From a report: Today, the tech giant announced that Password Manager, which generates unique passwords and autofills them across platforms, will soon gain biometric authentication on PC. (Android and iOS have had biometric authentication for some time.) When enabled, it'll require an additional layer of security, like fingerprint recognition or facial recognition, before Chrome autofills passwords.

Exactly which types of biometrics are available in Password Manager on desktop will depend on the hardware attached to the PC, of course (e.g. a fingerprint reader), as well as whether the PC's operating system supports it. Beyond "soon," Google didn't say when to expect the feature to arrive.

Privacy

iOS 17 Automatically Removes Tracking Parameters From Links You Click On (9to5mac.com)

iOS 17 and macOS Sonoma include even more privacy-preserving features while browsing the web. From a report: Link Tracking Protection is a new feature automatically activated in Mail, Messages, and Safari in Private Browsing mode. It detects user-identifiable tracking parameters in link URLs, and automatically removes them.

Adding tracking parameters to links is one way advertisers and analytics firms try to track user activity across websites. Rather than storing third-party cookies, a tracking identifier is simply added to the end of the page URL. This would circumvent Safari's standard intelligent tracking prevention features that block cross-site cookies and other methods of session storage. Navigating to that URL allows an analytics or advertising service at the destination to read the URL, extract those same unique parameters, and associate it with their backend user profile to serve personalized ads.
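As an added illustration of the stripping described above (this is not Apple's code, and the parameter names are an assumed sample of common click identifiers, not the list iOS 17 actually uses), the following Python removes per-user tracking parameters from a URL's query string and from query-style fragments while leaving every other parameter in place, and reports what it removed so the behaviour can be logged or audited:

```python
"""Strip user-identifying tracking parameters from clicked links.

Added example, not Apple's implementation. The parameter list below is
an assumed sample of widely used click identifiers; it is not the set
that Link Tracking Protection in iOS 17 matches on.
"""
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Exact-match names of per-user click identifiers (assumed sample list).
TRACKING_PARAMS = {
    "fbclid", "gclid", "dclid", "msclkid", "mc_eid", "igshid", "yclid", "_hsenc",
}
# Name prefixes of campaign-tagging families (utm_source, utm_campaign, ...).
TRACKING_PREFIXES = ("utm_",)


def is_tracking_param(name: str) -> bool:
    """True if a query-parameter name looks like a tracking identifier."""
    lowered = name.lower()
    return lowered in TRACKING_PARAMS or lowered.startswith(TRACKING_PREFIXES)


def _filter_pairs(encoded: str) -> tuple[str, list[str]]:
    """Drop tracking pairs from an application/x-www-form-urlencoded string.

    Returns the re-encoded remainder and the names that were removed.
    """
    pairs = parse_qsl(encoded, keep_blank_values=True)
    kept = [(k, v) for k, v in pairs if not is_tracking_param(k)]
    removed = [k for k, _ in pairs if is_tracking_param(k)]
    return urlencode(kept), removed


def strip_tracking(url: str) -> tuple[str, list[str]]:
    """Return (clean_url, removed_parameter_names) for one link.

    The query string is always filtered. The fragment is only treated as
    key=value pairs when it contains '=', so a plain anchor like '#top'
    is passed through untouched rather than being rewritten to 'top='.
    """
    parts = urlsplit(url)
    query, removed = _filter_pairs(parts.query)
    fragment = parts.fragment
    if "=" in fragment:
        fragment, removed_from_fragment = _filter_pairs(fragment)
        removed.extend(removed_from_fragment)
    clean = urlunsplit((parts.scheme, parts.netloc, parts.path, query, fragment))
    return clean, removed


def tracking_report(urls: list[str]) -> dict[str, int]:
    """Count how often each tracking parameter appears across a batch of links."""
    counts: dict[str, int] = {}
    for url in urls:
        _, removed = strip_tracking(url)
        for name in removed:
            counts[name] = counts.get(name, 0) + 1
    return counts


# Constructed sample links (not real campaign data) for a quick demonstration.
SAMPLE_LINKS = [
    "https://example.com/article?id=42&utm_source=newsletter&utm_medium=email"
    "&fbclid=IwAR0abc&ref=home#top",
    "https://example.com/?q=hello+world",
    "https://example.com/p?gclid=xyz",
    "https://example.com/p#fbclid=abc&s=1",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        clean, removed = strip_tracking(link)
        print(f"{link}\n  -> {clean}  removed={removed}")
    print(tracking_report(SAMPLE_LINKS))
```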

The Courts

Malwarebytes Faces Lawsuit For Classifying Rival's Anti-Spyware Program As a Threat (techspot.com)

Enigma Software Group has won a crucial case in the U.S. Court of Appeals for the Ninth Circuit, allowing it to proceed with its lawsuit against Malwarebytes for flagging its anti-spyware software as a 'potentially unwanted program.' The lawsuit alleges that Malwarebytes has engaged in anti-competitive conduct under the Lanham Act and tortious interference with Enigma's business. TechSpot reports: The ruling has been lambasted by some legal experts, who believe it could hamper cybersecurity service providers from doing their job effectively. Talking to The Register, Eric Goldman, professor at Santa Clara University School of Law, claimed that the Ninth Circuit's decision was erroneous, as it failed to differentiate between facts and opinions properly. According to him, in deciding in favor of Enigma, the Ninth Circuit failed to comprehend how the cybersecurity industry operates, and how security companies use the terms 'malicious' and 'threat.' He also felt that thanks to the judgment, there will now be more disputes over such classifications in the future, making the job of cybersecurity companies tougher than ever before.

Goldman further argued that the Ninth Circuit's decision would mean anti-malware software vendors will now simply minimize their financial and legal risks by leaving out supposed anti-threat programs from their list of suspect apps even if they display dangerous behavior, which could pose a major threat to consumers. Some smaller players could also exit the industry altogether, which would further hurt consumers by reducing competition. Goldman was also critical of the Supreme Court for denying Malwarebytes' appeal, and called out Justice Clarence Thomas in particular for writing what he called a "gratuitous error-riddled statement about Section 230 that spurred many regulators to pursue their censorship agendas."

Enigma said in a statement: "Malwarebytes (has) disparaged Enigma's products for commercial advantage by making misleading statements of fact. ... Trying to wrap them in a First Amendment flag does not make them any less offensive or any less actionable."

Eric Goldman, professor at Santa Clara University School of Law, told The Register in an email, "This case is like a wrecking ball for internet law." He added: "The Ninth Circuit already damaged Section 230 by creating an exception to its coverage (for 'anticompetitive animus') that no one understands and has not benefited anyone. Then, when the Supreme Court denied the appeal, Justice Thomas wrote a gratuitous error-riddled statement about Section 230 that spurred many regulators to pursue their censorship agendas. Now, the Ninth Circuit has redefined the standards for what constitutes a statement of 'fact' as opposed to an opinion in a way that hurts businesses in the anti-threat software space and well beyond."

"If each classification could similarly support weaponization in court by businesses unhappy with the classifications, then anti-threat software vendors will avoid the financial and legal risks by lowering their cybersecurity standards or exiting the industry," said Goldman. "That puts all of us at greater risk."

Security

Microsoft Says Clop Ransomware Gang Is Behind MOVEit Mass-Hacks (techcrunch.com)

An anonymous reader quotes a report from TechCrunch: Security researchers have linked to the notorious Clop ransomware gang a new wave of mass-hacks targeting a popular file transfer tool, as the first victims of the attacks begin to come forward. It was revealed last week that hackers are exploiting a newly discovered vulnerability in MOVEit Transfer, a file-transfer tool widely used by enterprises to share large files over the internet. The vulnerability allows hackers to gain unauthorized access to an affected MOVEit server's database. Progress Software, which develops the MOVEit software, has already released some patches. Over the weekend, the first victims of the attacks began to come forward.

Zellis, a U.K.-based human resources software maker and payroll provider, confirmed in a statement that its MOVEit system was compromised, with the incident affecting a "small number" of its corporate customers. One of those customers is U.K. airline giant British Airways, which told TechCrunch that the breach included the payroll data of all of its U.K.-based employees. [...] The U.K.'s BBC also confirmed it was affected by the incident affecting Zellis. [...] The government of Nova Scotia, which uses MOVEit to share files across departments, said in a statement that some citizens' personal information may have been compromised. The Nova Scotia government said it took its affected system offline, and is working to determine "exactly what information was stolen, and how many people have been impacted."

It was initially unclear who was behind this new wave of hacks, but Microsoft security researchers are attributing the cyberattacks to a group it tracks as "Lace Tempest." This gang is a known affiliate of the Russia-linked Clop ransomware group, which was previously linked to mass-attacks exploiting flaws in Fortra's GoAnywhere file transfer tool and Accellion's file transfer application. Microsoft researchers said that the exploitation of the MOVEit vulnerability is often followed by data exfiltration. Mandiant isn't yet making the same attribution as Microsoft, but noted in a blog post over the weekend that there are "notable" similarities between a newly created threat cluster it's calling UNC4857 that has as-of-yet "unknown motivations," and FIN11, a well-established ransomware group known to operate Clop ransomware. "Ongoing analysis of emerging activity may provide additional insights," Mandiant said.
"It's likely many more victims of the MOVEit breach will come to light over the next few days," adds TechCrunch. "Shodan, a search engine for publicly exposed devices and databases, showed that more than 2,500 MOVEit Transfer servers were discoverable on the internet."

Data Storage

Why Millions of Usable Hard Drives Are Being Destroyed (bbc.com)

Millions of storage devices are being shredded each year, even though they could be reused. "You don't need an engineering degree to understand that's a bad thing," says Jonmichael Hands. From a report: He is the secretary and treasurer of the Circular Drive Initiative (CDI), a partnership of technology companies promoting the secure reuse of storage hardware. He also works at Chia Network, which provides a blockchain technology. Chia Network could easily reuse storage devices that large data centres have decided they no longer need. In 2021, the company approached IT Asset Disposition (ITAD) firms, who dispose of old technology for businesses that no longer need it. The answer came back: "Sorry, we have to shred old drives."

"What do you mean, you destroy them?" says Mr Hands, relating the story. "Just erase the data, and then sell them! They said the customers wouldn't let them do that. One ITAD provider said they were shredding five million drives for a single customer." Storage devices are typically sold with a five-year warranty, and large data centres retire them when the warranty expires. Drives that store less sensitive data are spared, but the CDI estimates that 90% of hard drives are destroyed when they are removed. The reason? "The cloud service providers we spoke to said security, but what they actually meant was risk management," says Mr Hands. "They have a zero-risk policy. It can't be one in a million drives, one in 10 million drives, one in 100 million drives that leaks. It has to be zero."

Google

Google Trials Passwordless Login Across Workspace and Cloud Accounts (theverge.com) 48

Google has taken a significant step toward a passwordless future with the start of an open beta for passkeys on Workspace accounts. From a report: Starting today, June 5th, over 9 million organizations can allow their users to sign in to a Google Workspace or Google Cloud account using a passkey instead of their usual passwords.

Passkeys are a new form of passwordless sign-in tech developed by the FIDO Alliance, whose members include industry giants like Google, Apple, and Microsoft. Passkeys allow users to log in to websites and apps using their device's own authentication, such as a laptop with Windows Hello, an Android phone with a fingerprint sensor, or an iPhone with Face ID, instead of traditional passwords and other sign-in systems like 2FA or SMS verification. Because passkeys are based on public key cryptographic protocols, there's no fixed "sequence" that can be stolen or leaked in phishing attacks.
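To show why a passkey leaves nothing fixed to phish, here is a constructed toy of the WebAuthn-style exchange (added example, not Google's or the FIDO Alliance's code): the relying party issues a fresh random challenge, the device signs it together with the origin the browser is actually showing, and a lookalike site relaying the genuine challenge ends up with a signature the real site rejects. The tiny Schnorr group, the hostnames and the function names are all assumptions made for the demo.

```python
# Constructed toy passkey (WebAuthn-style) login; not Google's or the FIDO
# Alliance's code. The Schnorr group is tiny and only shows the key structure.
import hashlib, json, secrets
P, Q, G = 2039, 1019, 4  # toy group: p = 2q + 1, g = 4 has prime order q

def h(s):
    return int.from_bytes(hashlib.sha256(s.encode()).digest(), "big") % Q

def keygen():
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)

def sign(x, msg):  # Schnorr signature (e, s) with s = k - x*e mod q
    k = secrets.randbelow(Q - 1) + 1
    e = h(f"{pow(G, k, P)}|{msg}")
    return e, (k - x * e) % Q

def verify(y, msg, sig):
    e, s = sig
    return h(f"{pow(G, s, P) * pow(y, e, P) % P}|{msg}") == e

def register(device, rp_id):  # private key stays on the device, RP gets the public key
    device[rp_id], y = keygen()
    return y

def get_assertion(device, rp_id, origin, challenge):
    # The browser, not the web page, supplies the origin it is showing the user.
    cd = json.dumps({"challenge": challenge, "origin": origin}, sort_keys=True)
    return cd, sign(device[rp_id], cd)

def issue_challenge(rp):
    rp["pending"].add(c := secrets.token_hex(16))
    return c

def check_assertion(rp, user, cd, sig):
    d = json.loads(cd)
    fresh = d["challenge"] in rp["pending"]
    rp["pending"].discard(d["challenge"])  # single use, whether it passes or not
    return fresh and d["origin"] == rp["origin"] and verify(rp["pubkeys"][user], cd, sig)

def demo():
    rp, device = {"origin": "https://accounts.example", "pubkeys": {}, "pending": set()}, {}
    rp["pubkeys"]["alice"] = register(device, "accounts.example")
    legit = check_assertion(rp, "alice", *get_assertion(
        device, "accounts.example", rp["origin"], issue_challenge(rp)))
    # A lookalike site relays the genuine challenge; the browser binds the origin
    # it is really showing, so the signed data no longer matches the RP's origin.
    phished = check_assertion(rp, "alice", *get_assertion(
        device, "accounts.example", "https://accounts-example.evil", issue_challenge(rp)))
    return legit, phished
```

In a real browser the relay would already be refused before signing, because the requested rpId is not a suffix of the phishing origin; the origin check above is the relying party's own second line of defence.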

Security

Data Stolen Through Flaw in MOVEit Transfer, Researchers Say (reuters.com) 15

Reuters reports: Hackers have stolen data from the systems of a number of users of the popular file transfer tool MOVEit Transfer, U.S. security researchers said on Thursday, one day after the maker of the software disclosed that a security flaw had been discovered. Software maker Progress Software Corp, after disclosing the vulnerability on Wednesday, said it could lead to potential unauthorized access into users' systems.

The managed file transfer software made by the Burlington, Massachusetts-based company allows organizations to transfer files and data between business partners and customers. It was not immediately clear which or how many organizations use the software or were impacted by potential breaches. Chief Information Officer Ian Pitt declined to share those details, but said Progress Software had made fixes available since it discovered the vulnerability late on May 28...

Cybersecurity firm Rapid7 Inc and Mandiant Consulting — owned by Alphabet Inc's Google — said they had found a number of cases in which the flaw had been exploited to steal data. "Mass exploitation and broad data theft has occurred over the past few days," Charles Carmakal, chief technology officer of Mandiant Consulting, said in a statement... "Although Mandiant does not yet know the motivation of the threat actor, organizations should prepare for potential extortion and publication of the stolen data," Carmakal said.

Thanks to long-time Slashdot reader rexx mainframe for sharing the story.
