Security incident reference

This chapter collects references to historical security incidents: why they happened, what their implications were and which operational security measures could have prevented them.

Attention

All Internet service incidents listed here could have been avoided by following the security practices presented in this guide.

Some of the incidents are not directly related to a particular Internet service (e.g. SMS interception), but each case reflects a security risk that any Internet service and its users may face.

Incidents

Number of incident summaries: 31

Compromised user accounts: 39.29M

Lost assets: 457.19M USD

Bankrupted companies: 1

Fired employees: 0

Each entry below gives the service name, the incident date and the related security assessment points.
Apple iCloud 2014-09-01

Service users are encouraged to use two-factor authentication

Service login attempts are throttled in multiple ways

Ashley Madison 2015-07-01

A real-time method of maintaining and revoking keys across all servers

Sensitive data access by administrators is limited

Sensitive data access by administrators is logged

Data dumps are cleaned of sensitive information

Asian Android phones 2015-09-01

Team members do not use third-party devices for logging in

Bitly 2014-05-08

Infrastructure services require two-factor authentication

Data is stored on encrypted partitions

Bitpay 2015-09-17

Team members follow the basic IT security practices

Email is not used for internal communications

Team members’ work and personal email accounts require two-factor authentication to log in.

A minimum of two parties are required for a large withdrawal

Bitstamp 2015-01-04

Potentially dangerous file attachments are handled securely

Terminal access to the server requires two-factor authentication

Cold wallet maintains most assets offline

Withdrawals are verified by heuristics

Blockchain.info 2015-06-01

The login process goes through an additional check in abnormal circumstances

Sensitive actions should prompt for authentication again

Is the name of the service trademarked?

CloudFlare 2012-06-04

Team members’ work and personal email accounts require two-factor authentication to log in.

Coinbase 2014-04-01

The service has a public whitehat or security bounty program

Actions sending messages to other users are throttled

Cryptoine 2015-04-04

Cold wallet maintains most assets offline

A systematic development method prevents race conditions

Facebook 2011-04-11

Software is written in a manner such that there is no possibility of a cross-site scripting attack

Hacking Team 2015-06-05

Team members use a password manager

Sensitive data access by administrators is limited

User passwords and two-factor seeds are hashed and salted against bruteforcing

Instagram 2014-12-08

The creation of bogus accounts is prevented

LastPass 2015-06-10

Team members use a password manager

User passwords and two-factor seeds are hashed and salted against bruteforcing

The login process goes through an additional check in abnormal circumstances

Linode 2012-03-01

Terminal access to the server requires a passphrase-protected key

Terminal access to the server requires two-factor authentication

Data is stored on encrypted partitions

Cold wallet maintains most assets offline

Withdrawals are verified by heuristics

MaxCDN 2013-07-02

Terminal access to the server requires a passphrase-protected key

A real-time method of maintaining and revoking keys across all servers

Service is HTTPS-only with security HTTP headers

Mt. Gox 2014-02-01

The service is able to perform Proof-of-solvency

NASA 2012-11-15

Work computers have disk encryption

Patreon 2015-09-01

Sensitive data access by administrators is limited

Data dumps are cleaned of sensitive information

The administration site is not accessible or known to the public

Internal servers, services and domains cannot be discovered through public records

PurseIO 2015-07-31

Private pages and data access is protected by authorization framework

Publicly exposed ids are not guessable

SMS intercepting trojans 2015-09-01

Service users are encouraged to use two-factor authentication

Sebastian 2013-10-23

Software uses a framework for database queries

User passwords and two-factor seeds are hashed and salted against bruteforcing

Slack 2015-03-01

User passwords and two-factor seeds are hashed and salted against bruteforcing

Service users are encouraged to use two-factor authentication

When the user account is deactivated or changed, the related sessions are dropped

Soho 2015-05-16

Service is HTTPS-only with security HTTP headers

Software is written so that it does not accept cross-site requests

SquirrelMail 2007-12-18

Software is installed from known good sources

Starbucks 2015-05-21

The service has a public whitehat or security bounty program

A systematic development method prevents race conditions

Steam 2015-07-25

Service retains audit logs of sensitive user actions

Tor 2014-01-22

Service is HTTPS-only with security HTTP headers

Twitter 2010-09-26

Software is written so that it does not accept cross-site requests

Veeder-Root 2015-01-23

The administration site is not accessible or known to the public

Xcode 2015-09-17

Software is installed from known good sources