Identity Theft

The Secret Service has arrested at least 6 people in an investigation that involves information theft at an Ohio court web site, which is actively used for identity theft. At least one known identity theft case resulted in $40,000 loss to the victim.

The sensitive information was stolen by manipulating predictable identifier parameters. The stolen information belong to at least 270 people and includes the name, address, age and other information could be used to obtain credit cards and open bank accounts.

Additional information:

11,500 credit card numbers have been stolen from the web site of Johnny's Selected Seeds a small ($13M in revenue per annum) on line vendor of seeds in Main. 20 of these are known to have been abused. As usual, the hack was discovered because of fraudulent use of stolen credit cards rather than security measures used protect the web site.

The direct cost of the breach, informing customers, researching the incident and upgrading the protection of the web site cost the company tens of thousands of dollars.

Additional information:

Netcraft reported an ongoing exploit of XSS vulnerability in Yahoo HotJobs site. The attackers have been using an obfuscated JavaScript to steal session cookies of victims, which were in turn sent to a server in the US.
The stolen cookie was a yahoo-wide cookie and therefore by stealing it the hackers could gain control of every service accessible to the victim within Yahoo, including Yahoo! Mail.
Netcraft identified the issue by observing irregular activity by its toolbar users and Yahoo! fixed the vulnerability short after, on Oct 28th.