I get it, it feels like cybersecurity news is nothing but bad news. And some weeks, it is! But this week, thankfully, there’s some good news in the mix. For example, Discord users can rejoice, as voice chats and video calls are now end-to-end encrypted. And remember a few weeks ago when Microsoft was in hot water for plaintext passwords in Edge? Well, it’s decided to stop doing that. Sometimes there’s reason to breathe a sigh of relief. OK, now let’s get to the bad news.
This shouldn’t surprise anyone following the Trump Phone saga, but reportedly, the Trump Mobile site was exposing users' private data en masse, which is par for the course, I suppose. The issue has reportedly been fixed, but only after it was reported by media outlets, which means the data’s probably already long gone, and probably on the dark web.
Also this week, GitHub was breached, this time through a compromised, employee-owned device. GitHub has had its share of security woes recently, including everything from massive leaks to people using the platform to spread malicious code.
Even so, while the leaks and hacks continue, we’re here to help you secure your devices and protect your data as much as possible. For example, you might be considering planning a trip this summer, right? Well, as soon as the weather gets warmer, the scammers come out to play, and we have tips to help you avoid hotel booking scams, fake toll texts, and more. If your summer travel plans include the FIFA World Cup, you should pay extra attention to the many, many World Cup-related scams out there, and people eager to separate fans from their money. We have your back.
Now, let’s see what else is happening in the infosec sphere this week.
Bitwarden Scrubs ‘Always Free’ and ‘Inclusion’ Values From Its Site as Longtime Execs Step Down
When you trust a company with your information security, you want to believe it will treat all its customers fairly and equally, unless it has a clear empirical or legal reason not to, such as its products not being legally available. When one of those companies starts removing language from its website stating that inclusion is a company value and that it has a commitment to ensuring that some protection will always be free and available to its customers, people take notice.
Fast Company reported that Bitwarden, which announced a significant price hike in February and was already dealing with high-profile executive departures, did exactly this. In the wake of its longtime CEO stepping aside for an advisory role and the rise of a new CEO with more background in finance than in infosec, Fast Company notes that these and other changes to the company’s website have raised concerns among observers. Additionally, considering none of these changes, including the change in leadership, were announced publicly, you can understand why. After Fast Company reported the change, Bitwarden restored the “Always Free” part to the free version of its password manager, but didn’t change anything else.
ShinyHunters Hack 7-Eleven: Franchisee Data and Salesforce Records Exposed
Listen, I know that by no means should I hand it to the cybercriminals, but you do have to acknowledge that the ShinyHunters ransomware gang goes after targets of varying types and sizes, from high-profile to somewhat ironic. Well, the group managed to obtain over 600,000 Salesforce records containing 7-Eleven convenience store franchisee data through a breach last month, according to Security Affairs.
According to ShinyHunters’ Tor site, it reached out to 7-Eleven to ransom the data, didn’t get anywhere by the deadline, and published the data. Considering Canvas paid up for ransomed data last week, and ShinyHunters just went after a cybersecurity firm for advising clients not to pay, there’s no real way to tell who’ll pay up for their data versus who lets it get leaked.
Disney Accused of Misusing Facial Recognition Technology
We’ve said before that if you can decline or opt out of facial recognition, you should. The trade-off between privacy and convenience just doesn’t add up in your favor, and even when you use it for your own devices, it’s actually less secure than other options, and it’s easily fooled. Even so, building massive databases of people’s faces is profitable and useful for huge companies, and the downstream effects on individuals often aren’t part of the equation. Enter Disney, one of the biggest companies in the world, and the fact that, according to The L.A. Times, the giant is facing a $5 million lawsuit accusing it of failing to disclose to guests that it uses facial recognition technology in its parks and venues.
The lawsuit alleges that the company either doesn’t disclose or doesn’t clearly notify guests that face scanning is optional and that guests can opt out. It points out that among the many lines to get into Disney properties, only a few allow entry without face scanning. While they state the use of the tech is optional, it’s framed as a positive, obfuscating the choice and failing to inform guests of the privacy trade-off involved.


