Tuesday, February 9, 2010

Social Security numbers of nearly 50,000 Californians disclosed

California health officials have accidentally disclosed the Social Security numbers of nearly 50,000 of the state’s most vulnerable residents.

The numbers were printed on the outside of envelopes sent to elderly patients of the Adult Day Health Care program, many of whom are blind or have Alzheimer’s disease or other cognitive disabilities. The Department of Health Care Services sent the envelopes, which contained change-of-benefit notices, Feb. 1.

Officials have since sent follow-up letters advising recipients to destroy the envelopes and are advising patients to contact credit agencies to put a freeze on new accounts.

“Why isn’t the state doing it for them?” asked Lydia Missaelides, executive director of the California Assn. for Adult Day Services, who noted that the disclosure exposed the patients to identity theft.

State employees mistakenly included the Social Security numbers in a list of patient addresses, said Karen Johnson, chief deputy director of the Department of Health Care Services. The department sent the list to an outside contractor, who printed and mailed the envelopes.

-- Jack Dolan in Sacramento

http://latimesblogs.latimes.com/lanow/2010/02/social-security-numbers-of-nearly-50000-californians-disclosed.html

Wednesday, February 3, 2010

Twitter reveals torrent scam details

Source: http://news.cnet.com/8301-1009_3-10446586-83.html

Twitter has revealed the back story on why it reset passwords this week for many of its users.

The phishing attacks that forced Twitter to change account passwords stemmed from discovery of a scam being run by a torrent Web site creator, explained Del Harvey, Twitter's director of trust and safety, in a blog post Tuesday evening.

Twitter had found that someone for the past few years had been building torrent sites and forums requiring a log-in and password. This person then sold these Web sites and forums to people interested in starting their own torrent download sites.

Unknown to the buyers, these sites actually contained security holes that allowed the cybercrook to gain access to the buyers' log-in information for sites like Twitter. This was done by grabbing log-in attempts to the forums and redirecting them to third-party Web sites where the criminals could capture a user's credentials.

"These sites came with a little extra--security exploits and backdoors throughout the system," Harvey said. "This person then waited for the forums and sites to get popular and then used those exploits to get access to the username, email address, and password of every person who had signed up."

A red flag was first raised on Twitter's end when it noticed an abnormally high number of followers for certain accounts. This prompted the company to investigate and eventually reset the passwords for anyone following those suspicious accounts. Twitter noted that although torrent sites have been around a while, this is the first time it's seen an attack using this angle.
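The article says the first warning sign was an abnormally high follower count on certain accounts. The following is an added example, not code from Twitter or from the article, of how a defender might turn that observation into a simple check: given two follower-count snapshots per account, compute each account's gain and flag the gains that are robust outliers (a median/MAD-based modified z-score rather than a mean-based one, so the outliers themselves cannot mask the baseline). The account names, follower counts and the 3.5 threshold are constructed for illustration.

```python
# Added example (not from the article): flag accounts whose follower growth
# between two snapshots is an outlier, using a robust (median/MAD) z-score.
from statistics import median

# Constructed sample data: account -> (followers at snapshot 1, followers at snapshot 2)
SNAPSHOTS = {
    "alice": (120, 123),
    "bob": (300, 305),
    "carol": (80, 84),
    "dave": (45, 51),
    "erin": (900, 902),
    "frank": (210, 215),
    "grace": (60, 64),
    "seedling_1": (12, 962),    # constructed: a sudden jump of the kind the article describes
    "seedling_2": (30, 1230),   # constructed
}


def follower_growth(snapshots):
    """Return {account: followers gained} between the two snapshots."""
    return {acct: after - before for acct, (before, after) in snapshots.items()}


def modified_z_scores(values):
    """Modified z-score (Iglewicz-Hoaglin): 0.6745 * (x - median) / MAD.

    Median and MAD are not pulled by the very outliers we are trying to catch,
    unlike a mean/standard-deviation z-score.
    """
    values = list(values)
    med = median(values)
    mad = median(abs(v - med) for v in values)
    if mad == 0:
        # Degenerate case: most values identical, so anything above the median stands out.
        return [float("inf") if v > med else 0.0 for v in values]
    return [0.6745 * (v - med) / mad for v in values]


def flag_abnormal_growth(snapshots, threshold=3.5):
    """Accounts whose follower gain is an outlier on the high side, sorted by name.

    A threshold of 3.5 is the conventional cut-off for the modified z-score.
    """
    growth = follower_growth(snapshots)
    accts = list(growth)
    scores = modified_z_scores(growth[a] for a in accts)
    return sorted(a for a, z in zip(accts, scores) if z > threshold)


if __name__ == "__main__":
    growth = follower_growth(SNAPSHOTS)
    for acct in flag_abnormal_growth(SNAPSHOTS):
        print(f"review followers of {acct}: +{growth[acct]}")
```

Flagging an account is only the trigger; the article's actual response was to treat the followers of the flagged accounts as possibly compromised and reset their passwords, which requires pulling each flagged account's follower list from the platform and is not shown here.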

"While not all users who were sent a password reset request fall into this category, we felt that it was important to put this knowledge out there so that users would know of the possibility of compromise of their data by a third party unrelated to their Twitter account," Harvey said.

Twitter advises people who have signed up for third-party torrent accounts to change their passwords at those sites and to refrain from using the same password at multiple sites. More tips on safe tweeting can be found on Twitter's help pages.