<?xml version="1.0" encoding="UTF-8"?><rss xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:atom="http://www.w3.org/2005/Atom" version="2.0" xmlns:media="http://search.yahoo.com/mrss/"><channel><title><![CDATA[hackers - SFist - San Francisco News, Restaurants, Events, & Sports]]></title><description><![CDATA[SFist is San Francisco's source for fun, witty, & serious news. With updates about restaurants, events, sports, politics & more, SFist reaches millions of users in California.]]></description><link>https://sfist.com/</link><image><url>https://sfist.com/favicon.png</url><title>hackers - SFist - San Francisco News, Restaurants, Events, &amp; Sports</title><link>https://sfist.com/</link></image><generator>Ghost 2.12</generator><lastBuildDate>Tue, 09 Jun 2026 04:02:23 GMT</lastBuildDate><atom:link href="https://sfist.com/hackers/rss/" rel="self" type="application/rss+xml"/><ttl>60</ttl><item><title><![CDATA[Hackers Breach Education Platform Used By SF State, UC Berkeley and Thousands Others]]></title><description><![CDATA[Canvas, an educational platform used by thousands of schools globally, including local universities, was shut down by a group of hackers who are threatening to release students’ data if the company or its clients don’t pay their ransom.]]></description><link>https://sfist.com/2026/05/07/hackers-breach-global-education-platform-used-by-sf-state-uc-berkeley/</link><guid isPermaLink="false">69fd4ab92a682d4969c6d9c2</guid><category><![CDATA[SF News]]></category><category><![CDATA[uc berkeley]]></category><category><![CDATA[san francisco state university]]></category><category><![CDATA[hackers]]></category><category><![CDATA[Utah Jazz]]></category><dc:creator><![CDATA[Leanne Maxwell]]></dc:creator><pubDate>Fri, 08 May 2026 02:36:46 GMT</pubDate><media:content url="https://img.sfist.com/2026/05/Cesar_Chavez_Student_Center.jpg" medium="image"/><content:encoded><![CDATA[<img 
src="https://img.sfist.com/2026/05/Cesar_Chavez_Student_Center.jpg" alt="Hackers Breach Education Platform Used By SF State, UC Berkeley and Thousands Others"><p>Canvas, an educational platform used by thousands of schools globally, including local universities, was shut down by a group of hackers who are threatening to release students’ data if the company or its clients don’t pay their ransom.</p><p>Twice this month, a group called ShinyHunters launched cyberattacks on Canvas, a cloud-based platform for classrooms run by Salt Lake City-based company Instructure, <a href="https://www.cnn.com/2026/05/07/us/canvas-hack-strands-college-students-finals-week">as CNN reports</a>. The initial breach occurred in late April, which the company reported to clients on May 1, explaining the issue was being resolved. </p><p>The California State University system <a href="https://lts.calstate.edu/csu-canvas-incident-reports">posted updates</a> about the incident, noting that the platform was down for about 20-30 minutes on May 4. The following day, CSU received a message from Instructure informing them that the group had breached the system and accessed usernames, email addresses, and student ID numbers in late April.</p><p>The company reportedly told its clients that “there is no evidence that passwords, Social Security numbers, financial information, or other highly sensitive data were compromised.”</p><p>After the second attack on Thursday, students from almost 9,000 schools across the world tried to log onto their school's platforms and were met with a note from the hackers declaring the data of 275 million individuals had been breached, including private messages, <a href="https://www.kqed.org/news/12082828/canvas-hacked-bay-area-colleges-disrupted-by-global-cyberattack-on-learning-platform">according to KQED</a>. The group said it would release the students’ information if it didn’t receive its ransom by May 12. 
</p><p>In addition to the CSU and University of California systems, other local universities that utilize Canvas include Stanford University and Peralta Community College District. Per CNN, Columbia University, Rutgers, Princeton, Kent State, Harvard, and Georgetown are also clients. Students were warned not to click on any links on the website during the attack.</p><p>A <a href="https://status.instructure.com/">report page</a> on Instructure’s site said the platform was in maintenance mode Thursday. </p><p><strong>Related:</strong> <a href="https://sfist.com/2025/12/31/now-we-know-how-hackers-reprogrammed-peninsula-crosswalks-with-fake-elon-musk-and-zuckerberg-messages/">Now We Know How Hackers Reprogrammed Peninsula Crosswalks With Fake Elon Musk and Zuckerberg Messages</a></p><p><em>Image: San Francisco State University's Student Center; </em><a href="https://commons.wikimedia.org/w/index.php?title=User:Briantrejo&amp;action=edit&amp;redlink=1"><em>Briantrejo</em></a><em>/Wikimedia</em></p>]]></content:encoded></item><item><title><![CDATA[Anthropic's New Model, Mythos, Is So Dangerous It Isn't Being Released to the Public]]></title><description><![CDATA[Anthropic's latest AI model, named Claude Mythos Preview, is capable of hacking into major banking systems, perhaps many at once, and doing massive damage if it fell into the wrong hands. 
Banks are being encouraged to test it out.]]></description><link>https://sfist.com/2026/04/15/anthropics-new-model-mythos-is-so-dangerous-it-isnt-being-released-to-the-public/</link><guid isPermaLink="false">69dfe6f19c28a1384eca901e</guid><category><![CDATA[Business & Tech]]></category><category><![CDATA[artificial intelligence]]></category><category><![CDATA[hackers]]></category><category><![CDATA[cyber crime]]></category><category><![CDATA[anthropic]]></category><dc:creator><![CDATA[Jay Barmann]]></dc:creator><pubDate>Wed, 15 Apr 2026 20:04:11 GMT</pubDate><media:content url="https://img.sfist.com/2026/04/dario-amodei-getty.jpg" medium="image"/><content:encoded><![CDATA[<img src="https://img.sfist.com/2026/04/dario-amodei-getty.jpg" alt="Anthropic's New Model, Mythos, Is So Dangerous It Isn't Being Released to the Public"><p>Anthropic's latest AI model, named Claude Mythos Preview, is capable of hacking into major banking systems, perhaps many at once, and doing massive damage if it fell into the wrong hands. Banks are being encouraged to test it out.</p><p>In case you missed the announcement last week, Anthropic has a new high-level AI coding model called Claude Mythos Preview, or just Mythos for short. Immediately upon announcing it, Anthropic also <a href="https://www.anthropic.com/glasswing">announced Project Glasswing</a>, a joint initiative among multiple companies — Amazon Web Services, Anthropic, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorganChase, the Linux Foundation, Microsoft, NVIDIA, and Palo Alto Networks — to "secure the world’s most critical software."</p><p>The reason for Project Glasswing is that Mythos is reportedly capable of hacking into major computer networks at scale, and has indeed "already found thousands of high-severity vulnerabilities, including some in <em>every major operating system and web browser</em>." 
[Italics theirs]</p><p>Security researcher Costin Raiu points specifically to IBM-built banking systems from decades back, <a href="https://www.reuters.com/legal/litigation/ai-boosted-hacks-with-anthropics-mythos-could-have-dire-consequences-banks-2026-04-13/">telling Reuters</a> this week, "A model like Mythos would have a field day finding exploits" in those systems. "And it's just one example of ancient technologies powering the financial industry," Raiu adds.</p><p>Mythos hasn't technically been released, and won't be released to the public because of these potential dangers. Large banks, which are mostly run on legacy software, are being encouraged by the White House to test out Mythos and use it to build up their own defenses against AI-powered exploits.</p><p>IBM said last week that Mythos is already "forcing enterprise security teams to rethink their defenses from the ground up."</p><p>As <a href="https://techcrunch.com/2026/04/14/anthropic-co-founder-confirms-the-company-briefed-the-trump-administration-on-mythos/">TechCrunch reports</a>, Anthropic co-founder Jack Clark confirmed this week that the Trump administration had been briefed on Mythos and its capabilities, which prompted Treasury Secretary Scott Bessent and Federal Reserve Chair Jerome Powell to <a href="https://techcrunch.com/2026/04/12/trump-officials-may-be-encouraging-banks-to-test-anthropics-mythos-model/">call a meeting with banking executives</a> this week. 
The administration told banks they should be ready "to understand and anticipate a wide range of market developments" because of this new AI model.</p><p>JPMorgan Chase, which is one of the banks that is doing some preview testing work with Mythos, put out a statement calling the project "a unique, early-stage opportunity to evaluate next-generation AI tools for defensive cybersecurity across critical infrastructure."</p><p>As Reuters reports, government officials in the UK and Canada have also met with banking institutions to discuss the potential threats posed by Mythos.</p><p>Security expert David Lindner <a href="https://fortune.com/2026/04/13/cybersecurity-anthropic-claude-mythos-dario-amodei-tech-ceo/">tells Fortune</a> that the problem will be doing all the work to fix vulnerabilities in systems that do exist — many of which companies are already aware of. Lindner also warns that Mythos won't stay "unreleased" for long.</p><p>"Even if they, quote unquote, don’t release it, China will have a version in five or six months, and there’ll be an open-source version within a year or two," Lindner tells Fortune.</p><p>Anthropic calls its Project Glasswing "a starting point," but the potential for future catastrophes seems clear.</p><p>"No one organization can solve these cybersecurity problems alone: frontier AI developers, other software companies, security researchers, open-source maintainers, and governments across the world all have essential roles to play," the Anthropic blog post says. "The work of defending the world’s cyber infrastructure might take years; frontier AI capabilities are likely to advance substantially over just the next few months. 
For cyber defenders to come out ahead, we need to act now."</p><p><strong>Related: </strong><a href="https://sfist.com/2026/03/02/trump-administration-still-used-sfs-anthropic-in-iran-strikes-mere-hours-after-trump-banned-anthropic/">Trump Administration Still Used Anthropic's Claude In Iran Strikes, Hours After Trump Banned Anthropic</a></p><p><em>Top image: Anthropic Co-founder and CEO Dario Amodei speaks at the "How AI Will Transform Business in the Next 18 Months" panel during INBOUND 2025 Powered by HubSpot at Moscone Center on September 04, 2025 in San Francisco, California. (Photo by Chance Yeh/Getty Images for HubSpot)</em></p>]]></content:encoded></item><item><title><![CDATA[Now We Know How Hackers Reprogrammed Peninsula Crosswalks With Fake Elon Musk and Zuckerberg Messages]]></title><description><![CDATA[Palo Alto and Menlo Park crosswalks were hacked in April to play fake, satirical messages from Elon Musk and Mark Zuckerberg. Hackers were able to do this because Caltrans just never changed the default factory passwords.]]></description><link>https://sfist.com/2025/12/31/now-we-know-how-hackers-reprogrammed-peninsula-crosswalks-with-fake-elon-musk-and-zuckerberg-messages/</link><guid isPermaLink="false">69556c90b46eea144a730cf0</guid><category><![CDATA[Business & Tech]]></category><category><![CDATA[hackers]]></category><category><![CDATA[hacker]]></category><category><![CDATA[elon musk]]></category><category><![CDATA[mark zuckerberg]]></category><category><![CDATA[Palo Alto]]></category><category><![CDATA[Menlo Park]]></category><dc:creator><![CDATA[Joe Kukura]]></dc:creator><pubDate>Wed, 31 Dec 2025 20:55:07 GMT</pubDate><media:content url="https://img.sfist.com/2025/12/xwalksredux-header.jpg.jpg" medium="image"/><content:encoded><![CDATA[<img src="https://img.sfist.com/2025/12/xwalksredux-header.jpg.jpg" alt="Now We Know How Hackers Reprogrammed Peninsula Crosswalks With Fake Elon Musk and Zuckerberg Messages"><p>Palo Alto and Menlo Park crosswalks 
were hacked in April to play fake, satirical messages from Elon Musk and Mark Zuckerberg. Hackers were able to do this because Caltrans just never changed the default factory passwords.</p><p>Everyone got a good laugh in April of this year when hackers reprogrammed the audio of Palo Alto and Menlo Park crosswalks to <a href="https://sfist.com/2025/04/14/hackers-reprogram-peninsula-crosswalk-signals-to-mock-elon-musk-and-zuckerberg/">play fake AI-generated voices of Elon Musk and Mark Zuckerberg</a>, in messages that ruthlessly mocked those billionaire boy-kings. “Hi, this is Elon Musk,” <a href="https://www.tiktok.com/@bulou.varanisese/video/7492474775084731691">one Palo Alto crosswalk said</a>. “Welcome to Palo Alto, the home of Tesla engineering. You know, they say money can’t buy happiness. And, yeah, OK, I guess that’s true; God knows I’ve tried. But it can buy a Cybertruck, and that’s pretty sick, right? Fuck, I'm so alone.”</p><blockquote class="tiktok-embed" cite="https://www.tiktok.com/@bulou.varanisese/video/7492474775084731691" data-video-id="7492474775084731691" style="max-width: 605px;min-width: 325px;"> <section> <a target="_blank" title="@bulou.varanisese" href="https://www.tiktok.com/@bulou.varanisese?refer=embed">@bulou.varanisese</a> <a title="fyp" target="_blank" href="https://www.tiktok.com/tag/fyp?refer=embed">#FYP</a> <a title="paloalto" target="_blank" href="https://www.tiktok.com/tag/paloalto?refer=embed">#Paloalto</a> <a title="siliconvalley" target="_blank" href="https://www.tiktok.com/tag/siliconvalley?refer=embed">#SiliconValley</a> <a title="elonmusk" target="_blank" href="https://www.tiktok.com/tag/elonmusk?refer=embed">#ElonMusk</a> <a title="cybertruck" target="_blank" href="https://www.tiktok.com/tag/cybertruck?refer=embed">#Cybertruck</a> <a target="_blank" title="♬ original sound - Frances | Silicon Valley SF" href="https://www.tiktok.com/music/original-sound-7492474817904413483?refer=embed">♬ original sound - Frances | Silicon 
Valley SF</a> </section> </blockquote> <script async src="https://www.tiktok.com/embed.js"></script><p></p><p>We are now learning there was an additional and quite hilarious fake Elon Musk message at another crosswalk. “You know, it’s funny, I used to think [Trump] was just this dumb sack of shit. But when you get to know him, he’s actually a really sweet and tender and loving,” that fake Musk crosswalk message said. That was followed by a fake Trump voice saying in the background, “Sweetie, come back to bed.”</p><div align="center" style="width:100%; max-width:100%"><blockquote class="twitter-tweet"><p lang="it" dir="ltr">crosswalks in palo alto <a href="https://twitter.com/elonmusk?ref_src=twsrc%5Etfw">@elonmusk</a> <a href="https://t.co/dT07EpWnEh">pic.twitter.com/dT07EpWnEh</a></p>&mdash; Rana Banankhah 😆 (@ranabanankhah) <a href="https://twitter.com/ranabanankhah/status/1911162427506663658?ref_src=twsrc%5Etfw">April 12, 2025</a></blockquote> <script async src="https://platform.twitter.com/widgets.js" charset="utf-8"></script></div><p><br>This information comes to us <a href="https://padailypost.com/2025/12/29/crosswalk-signals-were-hacked-because-of-a-weak-password/">from the Palo Alto Daily Post</a>, who did a California Public Records Act request to find out if those cities and the crosswalk administrators at Caltrans ever got to the bottom of how the hack happened. It turns out they did get to the bottom of it, and the hack was amazingly simple.</p><p>“Caltrans didn’t change the passwords for the crosswalks that the manufacturers set, making them vulnerable to hackers,” the Daily Post reports. </p><div align="center" style="width:100%; max-width:100%"><blockquote class="twitter-tweet"><p lang="en" dir="ltr">Crosswalk buttons 🚦 in several cities on the Peninsula appear to have been hacked - playing prank messages using voices that sound a lot like Mark Zuckerberg and Elon Musk. 
<br><br>This is one of several in Redwood City <a href="https://twitter.com/KTVU?ref_src=twsrc%5Etfw">@KTVU</a> <a href="https://t.co/oAukJoqGHj">pic.twitter.com/oAukJoqGHj</a></p>&mdash; Betty Yu (@bett_yu) <a href="https://twitter.com/bett_yu/status/1911500943981789416?ref_src=twsrc%5Etfw">April 13, 2025</a></blockquote> <script async src="https://platform.twitter.com/widgets.js" charset="utf-8"></script></div><p><br>Yes, Caltrans just kept the factory default passwords on these publicly used systems. Additionally, these new crosswalk systems are controlled by Bluetooth, so the hackers likely performed the prank with regular old smartphones. Older crosswalk systems had a central box which would have required physically breaking into.</p><div style="position: relative;width: 100%;height: 0;padding-bottom: 56.25%;">
<iframe style="position: absolute;top: 0;left: 0;width: 100%;height: 100%;" src="https://www.youtube.com/embed/F6eisf0qw2Q" frameborder="0" allowfullscreen></iframe>
</div>
<p></p><p>NBC Bay Area <a href="https://www.nbcbayarea.com/news/local/hack-crosswalk-musk-zuckerberg/4005561/">spoke to San Jose State technology professor Ahmad Banafa</a> on the security, or lack thereof, that allowed hackers such easy access to reprogram the crosswalk signals.</p><p>“This is not high-tech hacking, This is basically hacking because somebody left the door open,” Banafa told NBC Bay Area. “The weakest link in any cybersecurity system, in any network, is the human.”</p><p>Palo Alto residents were more amused than alarmed by the caper.</p><p>“I think it's more of a funny prank,” resident Daniel Martin said to that station. “Now if they told people to cross when the [traffic] light was green, then I would say that was a malicious prank.”</p><p>So basically, Menlo Park and Palo Alto simply got lucky that the hackers in this case were more practical jokers than bad players hoping to disrupt city infrastructure. But the security screw-up was still galling, and exposed that those pedestrian and traffic systems could be manipulated to deadly ends if more malicious actors were involved.   </p><p><strong>Related: </strong><a href="https://sfist.com/2025/04/14/hackers-reprogram-peninsula-crosswalk-signals-to-mock-elon-musk-and-zuckerberg/">Hackers Reprogram Peninsula Crosswalk Signals to Mock Elon Musk and Zuckerberg [SFist]</a></p><p><em>Images: Left (Bulou Varanisese via TikTok), (Right) GREEN BAY, WISCONSIN - MARCH 30: Billionaire businessman Elon Musk arrives for a town hall wearing a cheesehead hat at the KI Convention Center on March 30, 2025 in Green Bay, Wisconsin. The town hall is being held in front of the state’s high-profile Supreme Court election between Circuit Court Judge Brad Schimel, who has been financially backed by Musk and endorsed by President Donald Trump, and Dane County Circuit Court Judge Susan Crawford. 
(Photo by Scott Olson/Getty Images)</em></p>]]></content:encoded></item><item><title><![CDATA[Saturday Links: Father Dies, 5-Year-Old Missing After Being Swept Away by Large Waves in Big Sur]]></title><description><![CDATA[Researchers are skeptical that Anthropic’s recent cyberattack was 90% autonomous; a San Jose teacher was mistakenly flagged as a convict in a background check; and a father has died and his 5-year-old daughter is missing after being swept away in Big Sur.]]></description><link>https://sfist.com/2025/11/15/saturday-links-father-drowns-5-year-old-missing-after-being-swept-away-by-large-waves-in-big-sur/</link><guid isPermaLink="false">6918bd436f5a5e7b57142b83</guid><category><![CDATA[SF News]]></category><category><![CDATA[morning links]]></category><category><![CDATA[big sur]]></category><category><![CDATA[drowning]]></category><category><![CDATA[public education]]></category><category><![CDATA[pandemic]]></category><category><![CDATA[anthropic]]></category><category><![CDATA[hackers]]></category><category><![CDATA[SFUSD]]></category><category><![CDATA[sexual abuse]]></category><category><![CDATA[child molestation]]></category><category><![CDATA[manslaughter]]></category><category><![CDATA[police shooting]]></category><category><![CDATA[San Jose]]></category><category><![CDATA[background checks]]></category><dc:creator><![CDATA[Leanne Maxwell]]></dc:creator><pubDate>Sat, 15 Nov 2025 18:00:35 GMT</pubDate><media:content url="https://img.sfist.com/2025/11/Tetris-Building-Leanne-Maxwell.jpg" medium="image"/><content:encoded><![CDATA[<ul><li><strong>A man drowned at Garrapata State Beach in Big Sur Friday afternoon while attempting to rescue his 5-year-old daughter, who’s still missing after she was swept away by a series of 15- to 20-foot waves.</strong> The man’s wife was also briefly pulled off shore while attempting to rescue them but managed to make it back to land where their 2-year-old child was unharmed. 
[<a href="https://www.kron4.com/news/california/one-dead-5-year-old-missing-after-family-is-swept-away-by-large-waves-in-big-sur/">KRON4</a>]</li><li><strong>The Department of Education agreed Thursday to give the state of California access to $200 million in pandemic recovery funds, which they blocked earlier this year.</strong> The funds were originally scheduled to run through March 2026, enabling 17 states to continue providing supplemental services at local schools to offset the impact of the pandemic. [<a href="https://www.mercurynews.com/2025/11/15/california-secures-threatened-education-funds/">Bay Area News Group</a>]</li><li><strong>Much of the tech world appears to be skeptical of Anthropic's claim that 90% of its AI-assisted malicious attack was autonomous because technology hasn’t advanced that much yet. </strong>“Why do the models give these attackers what they want 90% of the time but the rest of us have to deal with ass-kissing, stonewalling, and acid trips?” said one executive. [<a href="https://arstechnica.com/security/2025/11/researchers-question-anthropic-claim-that-ai-assisted-attack-was-90-autonomous/">Ars Technica</a>]</li><li>A former special education paraeducator with the San Francisco Unified School District, Calvin Tran, 36, is accused of sexually abusing a student between the years 2015 and 2018 at multiple sites, including Francisco Middle School, and he most recently worked at Argonne Elementary School. [<a href="https://www.yahoo.com/news/articles/sfusd-paraeducator-charged-sexually-assaulting-011510773.html">Chronicle</a>]</li><li>An Alameda County judge is allowing the manslaughter case to proceed against former San Leandro police officer Jason Fletcher for the 2020 death of Steven Taylor, who was shot and killed inside a local Walmart while experiencing a mental health episode. 
[<a href="https://www.nbcbayarea.com/news/local/san-leandro-deadly-shooting-police/3981592/">NBC Bay Area</a>]</li></ul><div align="center" style="width:100%; max-width:100%"><script type="text/javascript" charset="UTF-8" src="https://nbcbayarea.com/portableplayer/?CID=1:4:3981645&videoID=2466575939793&origin=nbcbayarea.com&fullWidth=y&autoplay=true"></script></div><img src="https://img.sfist.com/2025/11/Tetris-Building-Leanne-Maxwell.jpg" alt="Saturday Links: Father Dies, 5-Year-Old Missing After Being Swept Away by Large Waves in Big Sur"><p></p><ul><li>Major food brands are introducing products free of artificial dyes and flavors — including Cheetos and Doritos — alongside their original technicolor-hued varieties, thanks to a push from Health and Human Services Secretary Robert F. Kennedy Jr., but doctors stress that the real danger in processed foods is the salt, sugar, and fat content. [<a href="https://www.cbsnews.com/sanfrancisco/news/cheetos-doritos-artificial-flavors-dyes-orange-color/">CBS News</a>]</li><li>Jodi Smith, a teacher from Minnesota who recently moved to San Jose for a new job at Oak Grove School District received quite a shock when a mix-up with her background check labeled her as a convict, resulting in the immediate loss of her job. 
[<a href="https://abc7news.com/post/bay-area-teacher-wrongly-idd-convict-background-check-last-name-smith-is-blame/18152550/?userab=abc_web_player-460*variant_a_abc_control-1900">KGO</a>]</li></ul><div align="center" style="width:100%; max-width:100%"><iframe width="560" height="315" src="https://www.youtube.com/embed/mIduIqDnG1o?si=wM1NARxED9SXNolP" title="YouTube video player" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share" referrerpolicy="strict-origin-when-cross-origin" allowfullscreen></iframe></div><p></p><p><em>Image: Leanne Maxwell/SFist</em></p>]]></content:encoded></item><item><title><![CDATA[Facebook Remains Bad at Restoring Peoples' Hacked Accounts]]></title><description><![CDATA[If this has happened to you, then you know what an incredible pain it is to get Meta to help you get your account back. And some states' attorneys general are pushing back.]]></description><link>https://sfist.com/2024/05/23/facebook-remains-bad-at-restoring-peoples-hacked-accounts/</link><guid isPermaLink="false">664fbef00c276159c5c8f07f</guid><category><![CDATA[Business & Tech]]></category><category><![CDATA[facebook]]></category><category><![CDATA[hackers]]></category><dc:creator><![CDATA[Jay Barmann]]></dc:creator><pubDate>Thu, 23 May 2024 22:51:55 GMT</pubDate><media:content url="https://images.unsplash.com/photo-1594670297948-e910d5964979?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=M3wxMTc3M3wwfDF8c2VhcmNofDR8fGZhY2Vib29rfGVufDB8fHx8MTcxNjUwNDcwMHww&amp;ixlib=rb-4.0.3&amp;q=80&amp;w=1080" medium="image"/><content:encoded><![CDATA[<img src="https://images.unsplash.com/photo-1594670297948-e910d5964979?crop=entropy&cs=tinysrgb&fit=max&fm=jpg&ixid=M3wxMTc3M3wwfDF8c2VhcmNofDR8fGZhY2Vib29rfGVufDB8fHx8MTcxNjUwNDcwMHww&ixlib=rb-4.0.3&q=80&w=1080" alt="Facebook Remains Bad at Restoring Peoples' Hacked Accounts"><p>You may or may not know someone who's had their Facebook or Instagram account 
hacked because they didn't use a strong password or two-factor authentication. If you do know someone this happened to, or if it happened to you, then you know what an incredible pain it is to get Meta to help you get your account back. And now some states' attorneys general are pushing back.</p><p>The elders among us who still regularly use Facebook for something other than pet obituaries have found themselves increasingly under threat by scammers who want to lock them out of their accounts and then impersonate them while trying to scam their friends out of money.</p><p>The scams often take the shape of fake sales of cars or lawn equipment for absurdly low prices — which then leads friends to inquire about the item, and leads to the scammer asking for a couple hundred dollars as a deposit via Zelle or some similar wire service.</p><p>This can go on for weeks or longer if the Facebook user victim can't get the company to freeze the account or let them back into it.</p><p>This is what happened to Berkeley resident Richard Links, a widower who <a href="https://abc7news.com/post/facebook-wont-remove-hacker-controlling-mans-facebook-account-scamming/14857887/">turned to ABC 7 </a>— and their 7 On Your Side consumer protection segment — for help getting Meta to respond to his hacking case, after his Facebook account was hacked last summer. In his case, the scammer actually used a cruel ploy involving Links's late wife, posting a GoFundMe link on the account using her photo, saying it was a fundraiser for funeral expenses posted by Richard Links.</p><p>"It brings up a lot of anger, that someone could be so evil and heartless," Links tells ABC 7. 
"Stomp on me why don't you, and rub your dirty heels all over me."</p><p>The hacker also posted a car for sale and tried soliciting deposits from several of Links's friends.</p><p>ABC 7's inquiries ultimately got Meta to respond and restore his account, but it shouldn't take having to go on TV to get the proper customer service response.</p><p>In fact, 40 states' attorneys general penned a letter to Meta in March demanding "immediate action" on the problem of account takeovers, as the <a href="https://apnews.com/article/meta-attorneys-general-account-takeovers-hacked-instagram-b0aa1f8f3dace02213691256f562bee3">Associated Press reported</a> at the time. </p><p>"Consumers are reporting their utter panic when they first realize they have been effectively locked out of their accounts," the letter says. "Users spend years building their personal and professional lives on your platforms, posting intimate thoughts, and sharing personal details, locations, and photos of family and friends. To have it taken away from them through no fault of their own can be traumatizing."</p><p>The attorneys general further said that their offices are becoming de facto places of last resort for frustrated Facebook users. "We refuse to operate as the customer service representatives of your company," the letter said.</p><p>Meta issued a rote statement in response to ABC 7's report that says: </p><blockquote><em>"We know that losing and recovering access to your online accounts can be a frustrating experience. We invest heavily in designing account security systems to help prevent account compromise in the first place, and educating our users, including by regularly sharing new security features and tips for how people can stay safe and vigilant against potential targeting by hackers. 
But we also know that bad actors, including scammers, target people across the internet and constantly adapt to evade detection by social media platforms like ours, email and telecom providers, banks and others. To detect malicious activity and help protect people who may have gotten compromised via email phishing, malware or other means, we also constantly improve our detection, enforcement and support systems, in addition to providing channels where people can report account access issues to us, working with law enforcement and taking legal action against malicious groups."</em></blockquote><p></p><p><strong>Related:</strong> <a href="https://sfist.com/2024/03/26/instagram-and-facebook-now-making-you-opt-in-if-you-want-to-see-political-content-or-anything-related/">Instagram and Threads Now Making You Opt In If You Want to See Political Content, or Anything Related to Anything Important</a></p>]]></content:encoded></item><item><title><![CDATA[One SF Engineer Might Have Just Saved the World From a Massive Cyberattack]]></title><description><![CDATA[A 38-year-old software engineer for Microsoft was apparently curious, eagle-eyed, and lucky enough to have discovered a pernicious bit of code in the widely used Linux operating system, that someone, somewhere, had gone to some lengths to hide.]]></description><link>https://sfist.com/2024/04/04/one-sf-engineer-might-have-just-saved-the-world-from-a-massive-cyberattack/</link><guid isPermaLink="false">660ee96f806b3e3022077d2c</guid><category><![CDATA[Business & Tech]]></category><category><![CDATA[hackers]]></category><category><![CDATA[russian hackers]]></category><category><![CDATA[China]]></category><dc:creator><![CDATA[Jay Barmann]]></dc:creator><pubDate>Thu, 04 Apr 2024 18:38:52 GMT</pubDate><media:content url="https://img.sfist.com/2024/04/hackers-movie-1.jpg" medium="image"/><content:encoded><![CDATA[<img src="https://img.sfist.com/2024/04/hackers-movie-1.jpg" alt="One SF Engineer Might Have Just Saved the World 
From a Massive Cyberattack"><p>A 38-year-old software engineer for Microsoft was apparently curious, eagle-eyed, and lucky enough to have discovered a pernicious bit of code in the widely used Linux operating system, that someone, somewhere, had gone to some lengths to hide.</p><p>His name is Andres Freund. He's originally from Germany, lives in San Francisco, and for his job at Microsoft he works on a piece of open-source database software known as PostgreSQL. <a href="https://www.nytimes.com/2024/04/03/technology/prevent-cyberattack-linux.html">The New York Times has the story</a> of how, over the last several months, he rooted out the cause of some odd errors he was seeing while running certain tests, which led to a discovery with massive implications.</p><p>Per the Times:</p><blockquote><em>The saga began earlier this year, when Mr. Freund was flying back from a visit to his parents in Germany. While reviewing a log of automated tests, he noticed a few error messages he didn’t recognize. He was jet-lagged, and the messages didn’t seem urgent, so he filed them away in his memory.</em></blockquote><p>It was a few weeks later that Freund found an application used for remotely accessing computers was using more processing power than normal, and then he discovered some odd code buried in a set of data compression tools called xz Utils. All you need to understand, as the Times explains, is that this is a part of the Linux operating system, "which is probably the most important piece of open-source software in the world."</p><p>The operating system is updated and policed by a group of volunteers worldwide, and someone, possibly a high-level Chinese hacker, had over years gained the trust of these Linux caretakers and infiltrated their ranks. 
This person had then, fairly recently, inserted code that would have given them a backdoor into servers worldwide, including the backbone systems of major banks, hospitals, corporations, you name it.</p><p>Freund found enough evidence that he compiled it and sent it to a group of Linux developers last week, and his memo reportedly "set the tech world on fire," per the Times. A fix was developed within hours and rolled out — and while the backdoor code had been recently added in an update to Linux, the update had not been widely adopted.</p><p>The culprit, according to researchers, was a hacker who went by the name Jia Tan or JiaT75, and began suggesting updates to xz Utils two years ago. This person, who could have come from China, Russia, or elsewhere, slowly worked their way into the ranks of Linux overseers known as "maintainers," and inserted the pernicious backdoor code sometime earlier this year.</p><p>Ars Technica <a href="https://arstechnica.com/security/2024/03/backdoor-found-in-widely-used-linux-utility-breaks-encrypted-ssh-connections/">first covered the hack</a> in great detail last week, reporting that the malicious code had not yet gone out to "production" versions of the Linux software, but it would have eventually. It didn't, says Will Dormann of security firm Analygence, "only because it was discovered early due to bad actor sloppiness. 
Had it not been discovered, it would have been catastrophic to the world.”</p><p>And, as Ars Technica reports, JiaT75 had in recent weeks gone on the developer site for Ubuntu to lobby for their updated code to be incorporated into the production versions of the software.</p><p>Alex Stamos, a former security officer at Facebook and Yahoo and now the chief trust officer at cybersecurity firm SentinelOne, spoke to the Times, saying, "This could have been the most widespread and effective backdoor ever planted in any software product," and calling the code like "a master key to any of the hundreds of millions of computers around the world" that run this widely used remote-access software.</p><p>The code also would have enabled the person, and by extension whatever entity they're working for, to do widespread damage without getting caught.</p><p>Freund's employer, Microsoft, should probably be giving him a raise. And the CEO of the company, Satya Nadella, has publicly praised his "curiosity and craftsmanship."</p><p>It is certainly scary to think that other efforts like this could be happening at any time. 
And the story goes to show how the modern internet is, in fact, "held together with the digital equivalent of Scotch tape and bubble gum," as the Times puts it, and often by ragtag volunteer coders.</p><p><em>Photo: Hackers, United Artists, 1995</em></p>]]></content:encoded></item><item><title><![CDATA[BART Police Files Reportedly Leaked By Hackers, Now On Dark Web]]></title><description><![CDATA[Numerous news organizations are reporting that BART police files have been hacked and posted onto the dark web, including allegations of child abuse against officers, and perhaps your information if you’ve ever been cited by BART Police for a crime.]]></description><link>https://sfist.com/2023/01/11/bart-police-files-reportedly-leaked-by-hackers-now-on-dark-web/</link><guid isPermaLink="false">63befb7cc3a9ab34b3fa7802</guid><category><![CDATA[SF News]]></category><category><![CDATA[BART]]></category><category><![CDATA[BART police]]></category><category><![CDATA[hackers]]></category><category><![CDATA[ransomware]]></category><dc:creator><![CDATA[Joe Kukura]]></dc:creator><pubDate>Wed, 11 Jan 2023 18:46:06 GMT</pubDate><media:content url="https://img.sfist.com/2023/01/bart-p-2.jpeg" medium="image"/><content:encoded><![CDATA[<img src="https://img.sfist.com/2023/01/bart-p-2.jpeg" alt="BART Police Files Reportedly Leaked By Hackers, Now On Dark Web"><p>Numerous news organizations are reporting that BART police files have been hacked and posted onto the dark web, including allegations of child abuse against officers, and perhaps your information if you’ve ever been cited by BART Police for a crime.</p><p>BART police officers may be especially on edge these days, in light of  a Tuesday report from NBC News that a hacker group has apparently ransomwared BART’s internal systems and <a href="https://www.nbcnews.com/tech/security/hackers-leak-sensitive-files-attack-san-francisco-transit-police-rcna65071">leaked an "enormous trove of sensitive files"</a> onto the dark web. 
NBC News has reviewed the hacked and leaked information, and estimates that there are 120,000 internal BART files out there, apparently mostly Human Resources department-type files, "including specific allegations of child abuse" according to that organization.</p><p>The Bay Area News Group has some follow-up reporting that an established, well-known <a href="https://www.eastbaytimes.com/2023/01/10/hackers-hit-bart-sensitive-police-files-reportedly-leaked/">ransomware group Vice Society is taking credit</a> for the hack. That particular hacker group is known for hacking  hospitals, schools, and various other public agencies, hoping to exchange the hacked data for ransom payments.</p><p>BART insists that ridership will not be affected by the hack, though in doing so, they seem to acknowledge that yes this hack did happen. “To be clear, no BART services or internal business systems have been impacted,” BART spokesperson Alicia Trost told the Bay Area News Group. “As with other government agencies, we are taking all necessary precautions to respond.”</p><p>Cybersecurity experts tell NBC News that the fact these files are now online strongly indicates that BART refused to pay the ransom.</p><p>At first glance, this does not sound as bad as the <a href="https://sfist.com/2011/08/17/anonymous_hacks_bart_pd_site_releas/">2011 BART Police Officers Association hack</a> by an Anonymous-affiliated hacker (though SFist has not reviewed the hacked data). That 2011 hack released more than 100 officers’ email addresses, passwords and personal data.</p><p>But if you’ve ever been cited by BART police for a crime, then yes, there is a chance that information is among the leaked data.</p><p>More salaciously, according to NBC News, “At least six scanned, unredacted reports detailing suspected child abuse are among the files. 
Those reports state the name and birthdates of endangered children, and in some cases give descriptions of an adult and the alleged abuse.”</p><p>There are apparently also mental health records for officers referred for mental health evaluations among the data, names and driver’s license numbers of BART contractors, and hiring documents for BART police applicants.</p><p>And once this information is on the dark web, the toothpaste is effectively out of the tube. “It’s often the case that other people scrape the data,” cybersecurity analyst Brett Callow tells the Bay Area News Group. “Once the data is posted on these sites there is no way of knowing where it will end up or what other people may do with it.”</p><p><strong>Related: </strong><a href="https://sfist.com/2022/09/02/49ers-forced-to-notify-nearly-21-000-people-that-they-had-their-personal-data-obtained-by-hackers/">49ers Forced to Notify Nearly 21,000 People That They Had Their Personal Data Obtained by Hackers</a> [SFist]<br></p><p><em>Image: BART Police Department <a href="https://www.facebook.com/BARTPolice/photos/a.872640839551409/1155726924576131/?type=3&amp;paipv=0&amp;eav=AfZvL00KG1mNFgX2mk3TAqOECCupOYZIeTQJe2jlHMbC2EmeJEb9Q_5eQodOSv84wfM&amp;_rdr">via Facebook</a></em></p>]]></content:encoded></item><item><title><![CDATA[Apple and Facebook Both Duped By Hackers Posing as Law Enforcement, Handed Over Personal Data]]></title><description><![CDATA[Phone numbers, home addresses, and (yikes!) 
internet browsing histories have been handed right over to hackers who approached tech companies while posing as police, and what’s more, most of the hackers were teenagers.]]></description><link>https://sfist.com/2022/03/31/apple-and-facebook-both-duped-by-hackers-posing-as-law-enforcement-handed-over-personal-data/</link><guid isPermaLink="false">6245f26512eb0c598c117386</guid><category><![CDATA[Business & Tech]]></category><category><![CDATA[apple]]></category><category><![CDATA[facebook]]></category><category><![CDATA[meta]]></category><category><![CDATA[hackers]]></category><category><![CDATA[data breach]]></category><dc:creator><![CDATA[Joe Kukura]]></dc:creator><pubDate>Thu, 31 Mar 2022 18:52:26 GMT</pubDate><media:content url="https://img.sfist.com/2022/03/MV5BMTYwODY3OTI2NF5BMl5BanBnXkFtZTcwMjU4MjkzNA@@._V1_.jpg" medium="image"/><content:encoded><![CDATA[<img src="https://img.sfist.com/2022/03/MV5BMTYwODY3OTI2NF5BMl5BanBnXkFtZTcwMjU4MjkzNA@@._V1_.jpg" alt="Apple and Facebook Both Duped By Hackers Posing as Law Enforcement, Handed Over Personal Data"><p>Phone numbers, home addresses, and (yikes!) internet browsing histories have been handed right over to hackers who approached tech companies while posing as police, and what’s more, most of the hackers were teenagers.</p><p>Information security is admittedly a hard game, and tech companies do have a legitimate conflict between protecting users’ privacy and protecting the public at large from violent nutjobs. Plenty have criticized Facebook for <a href="https://sfist.com/2022/01/06/sister-of-federal-officer-killed-by-boogaloo-extremists-sues-facebook-for-letting-them-organize-on-that-platform/">allowing militias to organize</a> on the platform, but at the same time, we criticize them when they <a href="https://sfist.com/2016/10/11/aclu_facebook_instagram_and_twitter/">hand data over to law enforcement</a>. 
It’s a fine line to walk, and hackers have a new way of making those distinctions even more difficult.</p><p>The Verge reports that hackers are <a href="https://www.theverge.com/2022/3/30/23003600/apple-meta-shared-data-hackers-pretending-law-enforcement-officials">posing as law enforcement and requesting data</a>, and apparently both Apple and Facebook did fall for it and comply. In these cases, the hackers were able to breach law enforcement databases and email systems, so the email requests did appear to be perfectly legitimate requests.  </p><p><a href="https://thehill.com/policy/cybersecurity/600410-apple-meta-turned-over-user-data-to-hackers-using-forged-requests-report/">According to the Hill</a>, “The companies provided user details such as addresses, phone numbers and IP addresses in mid-2021,” and that “It’s unclear how much data was turned over.”  </p><p>Law enforcement generally needs a legitimate court order or subpoena to get such data. But there’s also an exception called an Emergency Data Request (EDR) wherein law enforcement  — or someone posing as law enforcement  — can claim that harm or danger is somehow imminent, and totally bypass subpoena requirements. And if a hacker group has pilfered law enforcement email credentials, apparently then it is off to the races collecting individual user data. </p><p>Neither Facebook/Meta nor Apple directly acknowledged being duped, but Facebook said they’d put safeguards in place in light of the findings. 
“We block known compromised accounts from making requests and work with law enforcement to respond to incidents involving suspected fraudulent requests, as we have done in this case,” Meta’s policy and communications director Andy Stone told The Verge.</p><p>Apple, for their part, merely pointed to their <a href="https://www.apple.com/legal/privacy/law-enforcement-guidelines-us.pdf">Legal Process Guidelines</a> which say that the law enforcement agency affiliated with the request “may be contacted and asked to confirm to Apple that the emergency request was legitimate.”</p><p><em>“May be.”</em></p><p>What is simultaneously hilarious and terrifying about this scheme is that the hackers are apparently teenagers. <a href="https://krebsonsecurity.com/2022/03/hackers-gaining-power-of-subpoena-via-fake-emergency-data-requests/">Krebs on Security laments</a> "The reality that teenagers are now impersonating law enforcement agencies to subpoena privileged data on their targets at whim," and connects such low-tech means of data extortion to the recent <a href="https://krebsonsecurity.com/2022/03/a-closer-look-at-the-lapsus-data-extortion-group/">major hackings of tech companies</a> by the hacker collective called LAPSUS$.</p><p>Krebs interviewed an 18-year-old hacker who goes by KT, who'd managed to pull another person’s <em>internet browsing history</em> from the messaging and chat platform Discord. “One of the phony EDRs shared by KT targeted an 18-year-old from Indiana, and was sent to the social media platform Discord earlier this year,” Krebs reports. “The document requested the Internet address history of Discord accounts tied to a specific phone number used by the target. Discord complied with the request.”</p><p>For their part, Discord was apparently far more reactive than Apple or Facebook. 
“While our verification process confirmed that the law enforcement account itself was legitimate, we later learned that it had been compromised by a malicious actor,” the company said in a statement to Krebs. “We have since conducted an investigation into this illegal activity and notified law enforcement about the compromised email account.” </p><p>So, yeah, when you hear about hacks, breaches, and ransomware attacks, do not automatically assume it was the Russians. It may have just been deplorable teenagers.</p><p><strong>Related: </strong><a href="https://sfist.com/2019/08/30/hackers-seize-jack-dorseys-twitter-make-bomb-threats-praise-hitler/">Hackers Seize Jack Dorsey's Twitter, Make Bomb Threats, Praise Hitler [SFist]</a></p><p><em>Image: United Artists</em></p>]]></content:encoded></item><item><title><![CDATA[International Hackers Have Breached Nine Organizations, Says Bay Area Cybersecurity Firm]]></title><description><![CDATA[At least one U.S. company, but probably more, is among several firms that a Santa Clara-based cybersecurity firm says has been infiltrated via some sort of password theft scheme that appears to be targeting the Department of Defense.]]></description><link>https://sfist.com/2021/11/08/international-hackers-have-breached-nine-organizations-says-bay-area-cybersecurity-firm/</link><guid isPermaLink="false">6189c8352f65c103217bdae5</guid><category><![CDATA[Business & Tech]]></category><category><![CDATA[hacker]]></category><category><![CDATA[hackers]]></category><category><![CDATA[data breach]]></category><dc:creator><![CDATA[Joe Kukura]]></dc:creator><pubDate>Tue, 09 Nov 2021 02:10:39 GMT</pubDate><media:content url="https://img.sfist.com/2021/11/photo-1563206767-5b18f218e8de.jpeg" medium="image"/><content:encoded><![CDATA[<img src="https://img.sfist.com/2021/11/photo-1563206767-5b18f218e8de.jpeg" alt="International Hackers Have Breached Nine Organizations, Says Bay Area Cybersecurity Firm"><p>At least one U.S. 
company, but probably more, is among several firms that a Santa Clara-based cybersecurity firm says has been infiltrated via some sort of password theft scheme that appears to be targeting the Department of Defense.</p><p>The latest international attempt to infiltrate the U.S. Department of Defense appears to have been to some degree successful, and <a href="https://www.ktvu.com/news/hackers-breached-organizations-in-defense-energy-other-sectors-cybersecurity-firm-says">according to KTVU</a>, the password theft scheme targeted at least 370 different companies worldwide. That’s the assessment of Santa Clara-based cybersecurity firm Palo Alto Networks, and KTVU reports that the hackers did breach “nine global organizations across the defense, education, energy, health care and technology sectors.”</p><p>The reporting is all quite purposefully vague, and none of the companies who were breached are named. But <a href="https://www.cnn.com/2021/11/07/politics/hackers-defense-contractors-energy-health-care-nsa/index.html">according to CNN</a>, “at least one of those organizations is in the U.S.”</p><p>“As early as Sept. 17 the actor leveraged leased infrastructure in the United States to scan hundreds of vulnerable organizations across the internet,” Palo Alto Networks <a href="https://unit42.paloaltonetworks.com/manageengine-godzilla-nglite-kdcsponge/'">said in a Sunday statement</a>. “Subsequently, exploitation attempts began on Sept. 22 and likely continued into early October. During that window, the actor successfully compromised at least nine global entities across the technology, defense, healthcare, energy and education industries.”</p><p>CNN has more detail, and plain English. “The hackers have stolen passwords from some targeted organizations with a goal of maintaining long-term access to those networks,” CNN reports. 
“The intruders could then be well placed to intercept sensitive data sent over email or stored on computer systems until they are kicked out of the network.”</p><p>The breach targeted companies using something called Zoho ManageEngine servers. If you or your company uses those, well, you’re advised to update that software and look for any signs of a breach.<br></p><p><strong>Related: </strong><a href="https://sfist.com/2020/08/28/tesla-successfully-thwarts-attack-via-russian-ransomware/">Tesla Successfully Thwarts Russian Ransomware Attack [SFist]</a></p><p><br><em>Image: Mika Baumeister <a href="https://unsplash.com/photos/J5yoGZLdpSI">via Unsplash</a></em></p>]]></content:encoded></item><item><title><![CDATA[Tesla Successfully Thwarts Russian Ransomware Attack]]></title><description><![CDATA[A Tesla employee succeeded in thwarting a recent attempted malware hack of its computer systems, after bringing the attempt quickly to the attention of company brass and the FBI.]]></description><link>https://sfist.com/2020/08/28/tesla-successfully-thwarts-attack-via-russian-ransomware/</link><guid isPermaLink="false">5f494670cd8fca5cef5184a2</guid><category><![CDATA[Business & Tech]]></category><category><![CDATA[tesla]]></category><category><![CDATA[hackers]]></category><category><![CDATA[russian hackers]]></category><dc:creator><![CDATA[Jay Barmann]]></dc:creator><pubDate>Fri, 28 Aug 2020 18:21:58 GMT</pubDate><media:content url="https://img.sfist.com/2020/08/tesla-nevada.jpg" medium="image"/><content:encoded><![CDATA[<img src="https://img.sfist.com/2020/08/tesla-nevada.jpg" alt="Tesla Successfully Thwarts Russian Ransomware Attack"><p>A Tesla employee succeeded in thwarting a recent attempted malware hack of its computer systems, after bringing the attempt quickly to the attention of company brass and the FBI.</p><p>The incident began with an offer of $1 million to the Russian-speaking Tesla employee to assist in infecting Tesla's systems with malware. 
According to <a href="https://www.justice.gov/opa/pr/russian-national-arrested-conspiracy-introduce-malware-nevada-companys-computer-network">a Justice Department statement</a> that does not mention the company by name, the suspect behind the hack attempt was a Russian national named Egor Igorevich Kriuchkov, who bragged about having extorted $4 million from another American company through a similar ransom scheme. Kriuchkov's intent, according to the DOJ, was to access sensitive company data and threaten to make it public if a ransom was not received.</p><p>In a tweet, Tesla CEO and newly minted World's Fourth Richest Man Elon Musk confirmed that Tesla had been the target of the attack, responding to a post by the Teslarati blog. </p><div align="center" style="width:100%; max-width:100%"><blockquote class="twitter-tweet"><p lang="en" dir="ltr">Much appreciated. This was a serious attack.</p>&mdash; Elon Musk (@elonmusk) <a href="https://twitter.com/elonmusk/status/1299105277485088768?ref_src=twsrc%5Etfw">August 27, 2020</a></blockquote> <script async src="https://platform.twitter.com/widgets.js" charset="utf-8"></script></div><p>The employee at the center of the story worked at Tesla's Gigafactory Nevada, and is a non-US citizen, as <a href="https://www.teslarati.com/tesla-employee-fbi-thwarts-russian-cybersecurity-attack/">Teslarati reports</a>. Kriuchkov allegedly reached out to the employee on WhatsApp, asking to meet with him. There was then apparently a non-business trip to Lake Tahoe with Kriuchkov, the employee, and some other colleagues, followed by a more serious meeting in which Kriuchkov made his bribe offer regarding the malware, and gave the employee a burner phone to use.</p><p>After informing the company and cooperating with the FBI, the employee wore a wire to a meeting with Kriuchkov on August 19 in which Kriuchkov gave him an $11,000 advance for his work. 
Two days later, it appears the FBI contacted Kriuchkov, which prompted him to flee Reno to Los Angeles, from where he apparently intended to flee the country.</p><p>As the <a href="https://www.bizjournals.com/sanfrancisco/news/2020/08/28/cyberware-attack-on-tesla-gigafactory-thwarted.html">SF Business Times reports</a>, Kriuchkov was arrested in Los Angeles on Saturday, August 22. He is currently being held by federal authorities pending trial. </p><p>The previous target of Kriuchkov and his hacker team was reportedly Minneapolis-based CWT Travel, a company that specializes in business travel and event management. According to a report, per Teslarati, CWT paid the hackers a $4.5 million ransom.</p><p><strong>Related:</strong> <a href="https://sfist.com/2020/07/31/feds-announce-charges-against-three-people-in-twitter-hack-including-florida-man-and-juvenile/">Feds Announce Charges Against Three People In Twitter Hack, Including Florida Man and Juvenile</a></p>]]></content:encoded></item><item><title><![CDATA[Feds Announce Charges Against Three People In Twitter Hack, Including Florida Man and Juvenile]]></title><description><![CDATA[The major hacking and data breach at Twitter two weeks ago has already produced three alleged culprits, and federal authorities on Friday announced charges against the three, as well as the online moniker of a hacker still at large who is believed to have been the mastermind.]]></description><link>https://sfist.com/2020/07/31/feds-announce-charges-against-three-people-in-twitter-hack-including-florida-man-and-juvenile/</link><guid isPermaLink="false">5f248dfbac13dc45ad0276c1</guid><category><![CDATA[Business & Tech]]></category><category><![CDATA[twitter]]></category><category><![CDATA[hackers]]></category><dc:creator><![CDATA[Jay Barmann]]></dc:creator><pubDate>Fri, 31 Jul 2020 22:27:20 GMT</pubDate><media:content url="https://img.sfist.com/2020/07/twitter-hack-kimk.jpg" medium="image"/><content:encoded><![CDATA[<img 
src="https://img.sfist.com/2020/07/twitter-hack-kimk.jpg" alt="Feds Announce Charges Against Three People In Twitter Hack, Including Florida Man and Juvenile"><p>The <a href="https://sfist.com/2020/07/16/twitter-hack-was-coordinated-attack/">major hacking and data breach</a> at Twitter two weeks ago has already produced three alleged culprits, and federal authorities on Friday announced charges against the three, as well as the online moniker of a hacker still at large who is believed to have been the mastermind.</p><p>The July 15 hack involved 130 Twitter accounts belonging to celebrities and prominent users, and the hackers ultimately sent tweets — perpetuating one of many longstanding bitcoin scams — from 45 of the accounts, and succeeded in netting about $100,000 in bitcoin under the false promise of being able to "double" people's "investments," according to the criminal complaints.</p><p>The U.S. attorney announced charges against two men and an unnamed juvenile, and said the three had all been taken into custody — however the alleged mastermind, who went by “Kirk#5270” on Discord, is still out there somewhere. As <a href="https://sanfrancisco.cbslocal.com/2020/07/31/twitter-hack-attack-charges-biden-obama-bezos/">KPIX reports</a>, the two men arrested have been identified as Mason Sheppard, a.k.a. “Chaewon,” 19, of Bognor Regis, in the United Kingdom; and Nima Fazeli, a.k.a. “Rolex,” 22, of Orlando, Florida. 
The juvenile was also reportedly in the state of Florida, and has been turned over to authorities there.</p><p>According to FBI San Francisco Assistant Special Agent in Charge Sanjay Virmani, the three are facing "either federal or state criminal charges, including computer intrusion, fraud, money laundering, wire fraud, and identity theft."</p><p>Sheppard is facing charges of conspiracy to commit wire fraud, conspiracy to commit money laundering, and the intentional access of a protected computer; while Fazeli is facing a charge of aiding and abetting the intentional access of a protected computer.</p><p>"There is a false belief within the criminal hacker community that attacks like the Twitter hack can be perpetrated anonymously and without consequence," said U.S. Attorney for the Northern District of California David Anderson in a release. "Today’s charging announcement demonstrates that the elation of nefarious hacking into a secure environment for fun or profit will be short-lived. Criminal conduct over the Internet may feel stealthy to the people who perpetrate it, but there is nothing stealthy about it. In particular, I want to say to would-be offenders, break the law, and we will find you."</p><p>The breach was a major embarrassment for Twitter, and the second prominent hack of high-profile accounts in a year — last summer CEO Jack Dorsey's account was hacked through a "SIM swap," after which the company supposedly tightened its security around mobile logins.</p><p>A Discord user named Kirk, whom the <a href="https://www.nytimes.com/2020/07/17/technology/twitter-hackers-interview.html">New York Times identified</a> two weeks ago as the alleged mastermind through chat logs shared by other users — including, apparently, Sheppard — claimed to others on the platform that he was a Twitter employee, and boasted of special access to internal tools at the company. 
</p><p>While Kirk was not likely an employee — the company now says that the access he'd gained had been obtained through phishing attacks on actual employees — it remains unclear who or where he is thus far. The others involved in the hack were young people, the Times says, some of whom had gotten to know one another over their shared status as owning especially short, rare Twitter handles like @6 and @y.</p><p>Kirk was not well known to any of these hackers, and his Discord account only dates back to July 7.</p><p>A fifth hacker who went by the handle "lol" and said he lived on the West Coast, spoke to the Times right after the hack, seemingly trying to clear his name — and saying he'd only participated in the brokering of a few Twitter handles early in the day, before Kirk began tweeting from accounts belonging to Kanye West, Barack Obama, Elon Musk and others. Kirk had offered him and Sheppard, who goes by the name "ever so anxious," to serve as middlemen in the sale of a collection of much coveted "OG" Twitter handles, for which he said they could take a cut.</p><p>Ultimately, though, Kirk appears to have profited the most via the fraudulent bitcoin offer on the celebrity accounts, which was live for an hour or two before Twitter caught on, with 400 transactions that added up to $100,000.</p><p><strong>Update:</strong> "Kirk" appears to be the juvenile, now identified as 17-year-old Graham Ivan Clark of Tampa, who is being charged as an adult in the case. As the <a href="https://www.nytimes.com/2020/07/31/technology/twitter-hack-arrest.html">New York Times reports</a>, Clark is facing "30 felony charges in the hack, including fraud." 
Andrew Warren, the Florida state attorney overseeing Clark's prosecution, said, "This was not an ordinary 17-year-old," which can only be taken as a compliment.</p><p>Twitter gave a statement in <a href="https://blog.twitter.com/en_us/topics/company/2020/an-update-on-our-security-incident.html">a blog-post update</a> Thursday, saying, "There has been concern following this incident around our tools and levels of employee access. To run our business, we have teams around the world that help with account support. Our teams use proprietary tools to help with a variety of support issues... We have zero tolerance for misuse of credentials or tools, actively monitor for misuse, regularly audit permissions, and take immediate action if anyone accesses account information without a valid business reason. While these tools, controls, and processes are constantly being updated and improved, we are taking a hard look at how we can make them even more sophisticated."</p><p>The company also says it is "improving our methods for detecting and preventing inappropriate access to our internal systems."</p><p><strong>Related:</strong> <a href="https://sfist.com/2020/07/23/just-hacked-twitter-mulls-a-paid-subscription-model-as-congress-calls-for-jack-to-testify/">Twitter Mulls A Paid Subscription Model, As Congress Calls Jack Dorsey In To Testify</a></p>]]></content:encoded></item><item><title><![CDATA[Twitter Mulls A Paid Subscription Model, As Congress Calls Jack Dorsey In To Testify]]></title><description><![CDATA[Fresh off a highly embarrassing data breach, Twitter would like your credit card information — but Congressional Republicans want to grill Jack Dorsey first. 
]]></description><link>https://sfist.com/2020/07/23/just-hacked-twitter-mulls-a-paid-subscription-model-as-congress-calls-for-jack-to-testify/</link><guid isPermaLink="false">5f1a0791916a5a52deff4bc3</guid><category><![CDATA[Business & Tech]]></category><category><![CDATA[twitter]]></category><category><![CDATA[jack dorsey]]></category><category><![CDATA[twitter hack]]></category><category><![CDATA[hackers]]></category><category><![CDATA[social media]]></category><dc:creator><![CDATA[Joe Kukura]]></dc:creator><pubDate>Thu, 23 Jul 2020 22:23:57 GMT</pubDate><media:content url="https://img.sfist.com/2020/07/5f0f80fa4dca68131a1634d3.jpg" medium="image"/><content:encoded><![CDATA[<img src="https://img.sfist.com/2020/07/5f0f80fa4dca68131a1634d3.jpg" alt="Twitter Mulls A Paid Subscription Model, As Congress Calls Jack Dorsey In To Testify"><p>Fresh off a highly embarrassing data breach, Twitter would like your credit card information — but Congressional Republicans want to grill Jack Dorsey first. </p><p>Twitter’s stock price <a href="https://markets.businessinsider.com/news/stocks/twitter-q2-earnings-stock-surges-20-million-users-3-months-2020-7-1029424346">has completely rebounded</a> after one of the <a href="https://sfist.com/2020/07/18/coordinated-attack-on-twitter-affected-130-accounts-raises-concerns-over-hackable-system-functions/">most terrifying, high-profile hacks</a> of the tech boom era, which is odd considering there is no indication Twitter has beefed up its security in any preventative way since. (It’s also <a href="https://www.washingtonpost.com/national-security/former-twitter-employees-charged-with-spying-for-saudi-arabia-by-digging-into-the-accounts-of-kingdom-critics/2019/11/06/2e9593da-00a0-11ea-8bab-0fc209e065a8_story.html">not the first time</a> Twitter employees have apparently sold out access to individual users’ accounts.) 
Undaunted by the black eye of a historic breach that happened just one week ago, the company’s CEO Jack Dorsey announced today that <a href="https://sanfrancisco.cbslocal.com/2020/07/23/twitter-says-its-looking-at-subscription-options-as-ad-revenue-drops-sharply/">Twitter is considering charging for subscriptions</a> according to a CNN/KPIX report. Because sure, we’re all dying to give our credit card information to a company that got publicly hacked senseless last week. The announcement comes as Twitter’s revenue is down 23 percent compared to this time last year, as advertisers have understandably pulled back their spending habits amidst a global pandemic. </p><div align="center" style="width:100%; max-width:100%"><blockquote class="twitter-tweet"><p lang="en" dir="ltr">everyone who&#39;s ever tweeted &quot;i can&#39;t believe this website is free&quot;...this is on YOU <a href="https://t.co/Jf77IMftOy">https://t.co/Jf77IMftOy</a></p>&mdash; Rebecca Fishbein (@bfishbfish) <a href="https://twitter.com/bfishbfish/status/1286342175182262273?ref_src=twsrc%5Etfw">July 23, 2020</a></blockquote> <script async src="https://platform.twitter.com/widgets.js" charset="utf-8"></script></div><p>This is probably not a full subscription model where you would have to pay money just to be on Twitter, but instead likely a set of additional features and gizmos that would be available to premium subscribers. <a href="https://www.cnn.com/2020/07/08/tech/twitter-subscription-platform/index.html">CNN’s reporting</a> points out that Twitter <a href="https://careers.twitter.com/en/work-for-twitter/202006/senior-full-stack-software-engineer0.html">put up a job listing</a> in early July for “a new team, codenamed Gryphon," saying "We are building a subscription platform, one that can be reused by other teams in the future. 
This is a first for Twitter!” So it may be features like the long-denied Edit button, access to <a href="https://sfist.com/2016/09/15/twitter_will_livestream_nfl_thursda/">concert streams or live sports</a>, or maybe a way for incels to DM you more directly asking for nudes. </p><div align="center" style="width:100%; max-width:100%"><blockquote class="twitter-tweet"><p lang="en" dir="ltr">After paying your Twitter subscription then you see &quot;license restrictions prevent video viewing in your location&quot; <a href="https://t.co/Ic6wLNl0Mt">pic.twitter.com/Ic6wLNl0Mt</a></p>&mdash; 🕊️ (@VictorNewt) <a href="https://twitter.com/VictorNewt/status/1286385886586974215?ref_src=twsrc%5Etfw">July 23, 2020</a></blockquote> <script async src="https://platform.twitter.com/widgets.js" charset="utf-8"></script></div><p>“We want to make sure any new line of revenue is complementary to our advertising business,” Dorsey said on an <a href="https://www.fool.com/earnings/call-transcripts/2020/07/23/twitter-inc-twtr-q2-2020-earnings-call-transcript.aspx">earnings call this morning</a>. “We do think there is a world where subscription is complementary, where commerce is complementary, where helping people manage paywalls … we think is complementary.”</p><div align="center" style="width:100%; max-width:100%"><blockquote class="twitter-tweet"><p lang="en" dir="ltr">Republicans want Twitter CEO Jack Dorsey to testify at House antitrust hearing on Monday <a href="https://t.co/Kvf1vNUzLe">https://t.co/Kvf1vNUzLe</a></p>&mdash; CNBC Tech (@CNBCtech) <a href="https://twitter.com/CNBCtech/status/1286017075295719427?ref_src=twsrc%5Etfw">July 22, 2020</a></blockquote> <script async src="https://platform.twitter.com/widgets.js" charset="utf-8"></script></div><p>Yet not everyone has moved beyond the enormously troublesome hack. 
Congressional Republicans have <a href="https://www.cnbc.com/2020/07/22/republicans-want-twitter-ceo-jack-dorsey-to-testify-at-house-hearing.html">called on Dorsey to testify this coming Monday</a> at their upcoming antitrust tech CEO grillapalooza, where they’re already hauling in Jeff Bezos, Mark Zuckerberg, Apple’s Tim Cook, and Google’s Sundar Pichai. Normally you’d want to be invited to a party like that! But GOP representatives probably just want to give Dorsey shit for the mild wrist-slappings Twitter has put on Trump’s tweets that <a href="https://sfist.com/2020/05/28/trump-issuing-toothless-order-to-punish-twitter-zuckerberg-says-they-shouldnt-fact-check-the-president/">push outright lies</a> and <a href="https://sfist.com/2020/05/29/twitter-doubles-down-on-labeling-trump/">incite violence</a>, or how they’ve allowed <a href="https://sfist.com/2020/06/25/devin-nunes-loses-lawsuit-over-twitter-cow-is-now-telling-everyone-to-get-on-parler/">imaginary cows to tease Republican representatives</a> with impunity on the platform.</p><p>“We believe there is bipartisan interest to hear from Twitter about its power in the marketplace, its role in moderating content on its platform, and the causes for its recent highly publicized security breaches,” said Rep. Jim Jordan (R-OH), whom native Ohioans like myself call <a href="https://www.newsweek.com/after-grilling-robert-mueller-about-accountability-accusations-gym-jordans-involvement-osu-1450949">“Gym Jordan”</a> because of his role in an <a href="https://www.cnn.com/2020/03/06/politics/jordan-osu-wrestlers-strauss-invs/index.html">Ohio State wrestling sexual abuse scandal</a>. 
</p><div align="center" style="width:100%; max-width:100%"><blockquote class="twitter-tweet"><p lang="en" dir="ltr">It is novel choice from <a href="https://twitter.com/Jim_Jordan?ref_src=twsrc%5Etfw">@Jim_Jordan</a> since Twitter is so much smaller than the others appearing: <a href="https://twitter.com/sundarpichai?ref_src=twsrc%5Etfw">@sundarpichai</a> from <a href="https://twitter.com/Google?ref_src=twsrc%5Etfw">@Google</a>, <a href="https://twitter.com/tim_cook?ref_src=twsrc%5Etfw">@tim_cook</a> from <a href="https://twitter.com/Apple?ref_src=twsrc%5Etfw">@apple</a>, <a href="https://twitter.com/finkd?ref_src=twsrc%5Etfw">@finkd</a> from <a href="https://twitter.com/Facebook?ref_src=twsrc%5Etfw">@Facebook</a> and <a href="https://twitter.com/JeffBezos?ref_src=twsrc%5Etfw">@JeffBezos</a> from <a href="https://twitter.com/amazon?ref_src=twsrc%5Etfw">@amazon</a>. Essentially his argument is that they are the mouse that roars 🐁.</p>&mdash; Kara Swisher (@karaswisher) <a href="https://twitter.com/karaswisher/status/1285999928116903938?ref_src=twsrc%5Etfw">July 22, 2020</a></blockquote> <script async src="https://platform.twitter.com/widgets.js" charset="utf-8"></script></div><p>Twitter is not nearly as big or profitable as Amazon, Apple, Google, or Facebook, so it’s hard to see where Twitter fits in with antitrust concerns. Should Dorsey participate on short notice (unlikely), Twitter’s totally free platform has precisely zero implications on the otherwise very legitimate and concerning issue of monopolies in tech. </p><p>The problem with Twitter is that they want to build something new before fixing the <a href="https://sfist.com/2020/07/16/twitter-hack-was-coordinated-attack/">incredibly scary problem</a> they currently have, which Wall Street will probably reward them for. 
So despite the COVID-19 dip in advertising revenue, Jack can probably still afford more <a href="https://sfist.com/2019/06/05/jack-dorsey-splurges-on-22-million-sea-cliff-house-in-record-setting-sale/">$22 million coastal houses</a> to do Vipassana and fasting diets while the Russians and Saudis sift through our DMs.</p><p><strong>Related:</strong> <a href="https://sfist.com/2020/06/01/conspiracy-theorists-now-promoting-rumor-that-george-floyd-didnt-die-on-youtube-and-twitter/">Conspiracy Theorists Now Promoting Rumor That George Floyd Didn't Die On YouTube and Twitter [SFist]</a><br></p><p><em>Image: Screenshot via Twitter</em></p>]]></content:encoded></item><item><title><![CDATA['Hacked' Is the Dry Bay Area Hacker Movie Spoof We Didn't Know We Needed]]></title><description><![CDATA[A couple of local filmmakers have just delivered a short film that takes the late-90s/early aughts genre and parodies with Amazon and contemporary SF tech culture as the objects of its dry humor.]]></description><link>https://sfist.com/2019/12/10/hacked-is-the-dry-bay-area-hacker-movie-spoof-we-didnt-know-we-needed/</link><guid isPermaLink="false">5df02868ad82884aa770b41f</guid><category><![CDATA[Arts & Entertainment]]></category><category><![CDATA[short film]]></category><category><![CDATA[hackers]]></category><dc:creator><![CDATA[Jay Barmann]]></dc:creator><pubDate>Tue, 10 Dec 2019 23:38:12 GMT</pubDate><media:content url="https://img.sfist.com/2019/12/hackers-movie.jpg" medium="image"/><content:encoded><![CDATA[<img src="https://img.sfist.com/2019/12/hackers-movie.jpg" alt="'Hacked' Is the Dry Bay Area Hacker Movie Spoof We Didn't Know We Needed"><p>It's been a few years since Hollywood was fascinated with hackers and the world of computer-based crime, protest, and hacktivism. 
But a couple of local filmmakers have just delivered a short film that takes the late-90s/early aughts genre and parodies it, with Amazon and contemporary SF tech culture as the objects of its dry humor.</p><p>It's called "Hacked," and it just went online Monday — it only has 88 views on YouTube as of this writing. It's the work of Grey Keith and Logan Shillinglaw IV, who co-wrote, co-directed, and co-star in the 16-minute film. Keith plays benevolent hacker dick_jacker_69 and Shillinglaw plays Jeff Beezerberg (can you guess which real-life CEOs he's a mashup spoof of?), and essentially it's a little-guy-triumphs-against-corporate-evil story involving a hacker saving his grandmother's house.</p><figure class="kg-card kg-embed-card"><iframe width="480" height="270" src="https://www.youtube.com/embed/kIr4cU5FZiw?feature=oembed" frameborder="0" allow="accelerometer; autoplay; encrypted-media; gyroscope; picture-in-picture" allowfullscreen></iframe></figure><p>The graphics and visual effects are comically chintzy and the humor mostly juvenile, but there's something stupidly endearing about it nonetheless. A for effort! This is like what some <em>Silicon Valley</em> characters might have made in their spare time before they got rich. And the nods to the era of <em>Hackers</em>, <em>Sneakers</em>, and <em>Fight Club — </em>or the even older<em> War Games — </em>have to be intentional.</p><p>Also — <strong>SPOILER</strong> — they blow up Salesforce Tower, which might give some San Franciscans a touch of quiet, guilty satisfaction since it's depicted so cartoonishly and we're not meant to believe anyone died. 
Except for Beezerberg.</p>]]></content:encoded></item><item><title><![CDATA[Hackers Seize Jack Dorsey's Twitter, Make Bomb Threats, Praise Hitler]]></title><description><![CDATA[Some hackers compromised Twitter CEO Jack Dorsey's Twitter account on Friday and used the platform to make racial slurs, bomb threats, and otherwise be grossly offensive.]]></description><link>https://sfist.com/2019/08/30/hackers-seize-jack-dorseys-twitter-make-bomb-threats-praise-hitler/</link><guid isPermaLink="false">5d699fe8c0a87009913bebe2</guid><category><![CDATA[Business & Tech]]></category><category><![CDATA[twitter]]></category><category><![CDATA[hackers]]></category><category><![CDATA[jack dorsey]]></category><dc:creator><![CDATA[Jay Barmann]]></dc:creator><pubDate>Fri, 30 Aug 2019 22:29:41 GMT</pubDate><media:content url="https://img.sfist.com/2019/08/Jack_Dorsey-rory-cellan.jpg" medium="image"/><content:encoded><![CDATA[<img src="https://img.sfist.com/2019/08/Jack_Dorsey-rory-cellan.jpg" alt="Hackers Seize Jack Dorsey's Twitter, Make Bomb Threats, Praise Hitler"><p>Some hackers compromised Twitter CEO Jack Dorsey's Twitter account on Friday and used the platform to make racial slurs, bomb threats, and otherwise be grossly offensive.</p><p>As the <a href="https://www.nytimes.com/2019/08/30/technology/jack-dorsey-twitter-account-hacked.html">New York Times reports</a>, the hackers accessed Dorsey's account using the third-party SMS service CloudHopper that <a href="https://www.businessinsider.com/twitter-acquires-sms-company-cloudhopper-2010-4">Twitter acquired in 2010</a>, and the tweets have all been deleted. 
As of 2:22 p.m., the company tweeted that the account was now secure, and no greater breach had been detected.</p><div align="center" style="width:100%; max-width:100%"><blockquote class="twitter-tweet"><p lang="en" dir="ltr">The account is now secure, and there is no indication that Twitter&#39;s systems have been compromised.</p>&mdash; Twitter Comms (@TwitterComms) <a href="https://twitter.com/TwitterComms/status/1167548246618587137?ref_src=twsrc%5Etfw">August 30, 2019</a></blockquote> <script async src="https://platform.twitter.com/widgets.js" charset="utf-8"></script></div><p>As <a href="https://www.theverge.com/2019/8/30/20841288/jack-dorsey-ceo-twitter-account-hacked-chuckle-gang-shane-dawson-james-charles">The Verge reports</a>, in addition to posting various offensive and incendiary things, the hackers urged people to join a channel on Discord, the Slack competitor that became popular in recent years among gamers. They appeared to identify themselves by the name "Chuckling Squad."</p><div align="center" style="width:100%; max-width:100%"><blockquote class="twitter-tweet"><p lang="en" dir="ltr">.<a href="https://twitter.com/jack?ref_src=twsrc%5Etfw">@Jack</a>’s account has been hacked. <br><br>The Tweets are coming from a source called Cloudhopper. Cloudhopper was the name of the company Twitter acquired a long time ago to help bolster their SMS service.<br><br>Looks like the hackers are Tweeting via the old SMS service... 
<a href="https://t.co/YcU3DTn9wS">pic.twitter.com/YcU3DTn9wS</a></p>&mdash; Sam (@Hooray) <a href="https://twitter.com/Hooray/status/1167525255600058371?ref_src=twsrc%5Etfw">August 30, 2019</a></blockquote> <script async src="https://platform.twitter.com/widgets.js" charset="utf-8"></script></div><p>Dorsey's account was similarly hacked in 2016, leading to his <a href="https://sfist.com/2016/11/22/twitter_ceo_jack_dorsey_suspended_o/">account being briefly suspended</a> — at which point alt-right Twitterers and others delighted in the idea that he might have been accidentally "suspended from his own platform."</p><p>Just today, a Twitter user with the handle "Clittory Hilton" and an avatar of Hillary Clinton with devil horns tweeted in response to the hackers' posts, "Jack must be banned for hate speech. I can’t believe he would tweet this."</p><p><em>Photo: <a href="https://www.flickr.com/photos/rorycellan/21834269682/">Rory Cellan</a></em></p>]]></content:encoded></item><item><title><![CDATA[Huge Security Flaw Means Nearly Every WiFi Device In The World Is Vulnerable To Hijacking, Eavesdropping]]></title><description><![CDATA[Wi-Fi should be avoided for anything that must remain private or secure until a patch is in place, security experts warn.]]></description><link>https://sfist.com/2017/10/16/huge_security_flaw_means_nearly_eve_1/</link><guid isPermaLink="false">5c2434de44ad066cdcfb4c0e</guid><category><![CDATA[SF News]]></category><category><![CDATA[danger]]></category><category><![CDATA[hackers]]></category><category><![CDATA[WiFi]]></category><category><![CDATA[wireless security]]></category><dc:creator><![CDATA[Eve Batey]]></dc:creator><pubDate>Mon, 16 Oct 2017 09:45:00 GMT</pubDate><media:content url="https://img.sfist.com/assets_c/2017/10/laptop_wifi-thumb-640xauto-1016259.jpg" medium="image"/><content:encoded><![CDATA[<img src="https://img.sfist.com/assets_c/2017/10/laptop_wifi-thumb-640xauto-1016259.jpg" alt="Huge Security Flaw Means Nearly Every WiFi 
Device In The World Is Vulnerable To Hijacking, Eavesdropping"><p><iframe width="640" height="360" src="https://www.youtube.com/embed/Oh4WURZoR98" frameborder="0" allowfullscreen></iframe></p>

<p>A security researcher has determined that nearly every WiFi device in the world — your phone, your computer, your router, and on and on — has a flaw in its security protocol that makes it vulnerable to hackers who could hijack it, track your activities, or worse.</p>

<p><a href="http://www.zdnet.com/article/wpa2-security-flaw-lets-hackers-attack-almost-any-wifi-device/">ZDNet reported on the hack</a> early Monday, saying that it was discovered by computer security academic Mathy Vanhoef <a href="https://www.krackattacks.com/">and first reported on his website</a>.</p>

<p>Per ZDNet:</p>

<blockquote><p>The bug, known as "KRACK" for Key Reinstallation Attack, exposes a fundamental flaw in WPA2, a common protocol used in securing most modern wireless networks. Mathy Vanhoef, a computer security academic, who found the flaw, said the weakness lies in the protocol's four-way handshake, which securely allows new devices with a pre-shared password to join the network.</p>

<p>That weakness can, at its worst, allow an attacker to decrypt network traffic from a WPA2-enabled device, hijack connections, and inject content into the traffic stream.</p>

<p>In other words: hackers can eavesdrop on your network traffic.</p>

<p>The bug represents a complete breakdown of the WPA2 protocol, for both personal and enterprise devices -- putting every supported device at risk.</p>
</blockquote>

<p>"If your device supports Wi-Fi, it is most likely affected," Vanhoef says. </p>

<p>The vulnerability, Vanhoef says, "can be abused to steal sensitive information such as credit card numbers, passwords, chat messages, emails, photos, and so on. The attack works against all modern protected Wi-Fi networks." </p>

<p>This includes "devices running the Android, Linux, Apple, Windows, and OpenBSD operating systems, as well as MediaTek Linksys, and other types of devices," <a href="https://arstechnica.com/information-technology/2017/10/severe-flaw-in-wpa2-protocol-leaves-wi-fi-traffic-open-to-eavesdropping/">Ars Technica reports</a>.</p>

<p>"Depending on the network configuration, it is also possible to inject and manipulate data," Vanhoef says. "For example, an attacker might be able to inject ransomware or other malware into websites."</p>

<p>Before you think that sticking with HTTPS-protected sites will keep you safe, Vanhoef warns that "this extra protection can (still) be bypassed in a worrying number of situations."</p>

<p>"For example," he writes, "HTTPS was previously bypassed in non-browser software, in Apple's iOS and OS X, in Android apps, in Android apps again, in banking apps, and even in VPN apps." You can read <a href="https://www.krackattacks.com/">the full explanation of the vulnerability here</a>.</p>

<p>ZDNet reports that "News of the vulnerability was later confirmed on Monday by US Homeland Security's cyber-emergency unit US-CERT, which about two months ago had confidentially warned vendors and experts of the bug." </p>

<p>According to Ars Technica, the US-CERT alert was "distributed to about 100 organizations." It read:</p>

<blockquote>US-CERT has become aware of several key management vulnerabilities in the 4-way handshake of the Wi-Fi Protected Access II (WPA2) security protocol. The impact of exploiting these vulnerabilities includes decryption, packet replay, TCP connection hijacking, HTTP content injection, and others. Note that as protocol-level issues, most or all correct implementations of the standard will be affected. The CERT/CC and the reporting researcher KU Leuven, will be publicly disclosing these vulnerabilities on 16 October 2017.</blockquote>

<p>This is ordinarily the part in a news report where we tell you how to keep yourself safe and/or how officials are fixing this. However, news on either of those topics remains sparse, and ZDNet says as of this morning that "Wi-Fi should be considered a no-go zone for anything mission critical."</p>

<p>Ars Technica takes the matter equally seriously, saying that "people should avoid using Wi-Fi whenever possible until a patch or mitigation is in place. When Wi-Fi is the only connection option, people should use HTTPS, STARTTLS, Secure Shell, and other reliable protocols to encrypt Web and e-mail traffic as it passes between computers and access points."</p>

<p><strong>Previously:</strong> <a href="http://sfist.com/2017/10/09/disqus_breached_commenting.php">Disqus Reports Breach Affecting 17.5 Million Pre-2012 Users</a></p>]]></content:encoded></item></channel></rss>