Security News This Week: LastPass Users Had Their Data Stolen—Again

A WIRED investigation this week offers insight into a predictive policing program in Bristol, England, that has involved 23 separate models over more than a decade, each intended to score the likelihood that specific individuals will perpetrate, or fall victim to, particular crimes. The investigation draws on data from public records requests and other reporting to reveal a messy law enforcement apparatus that has real consequences for the community, yet one that most people in the area know nothing about.

After the identities of members of Peter Thiel’s private “Dialog” group were exposed last week, the organization claimed that a “criminal” hacker was behind the breach. But evidence shows that members’ personal information—including that of a White House intelligence official and an active-duty special operations officer—was publicly accessible and likely exposed as the result of a Dialog website misconfiguration.

As Anthropic and the White House continued to negotiate a path for the company’s latest Claude Mythos 5 and Fable 5 models, Anthropic’s critics pointed out that it seems to be rapidly accumulating power, a strategy the company says is necessary for AI safety and responsible development. On Friday evening, the White House gave Anthropic permission to make Mythos 5 available again to a select group of US companies and government agencies.

Amid the turmoil, OpenAI this week launched an improved version of its limited-release GPT-5.5-Cyber model, as well as a full-scale effort, “Patch the Planet,” to support open source projects with vulnerability patching and other security work as AI accelerates both bug discovery and exploit development. And as the AI arms race between China and the US escalates, WIRED met with a slew of China’s top AI experts and found that both sides are worried about the threat of a “Chernobyl moment.”

Meanwhile, as the World Cup knockout stage approaches, scams related to the massive soccer tournament are getting harder to spot. And there’s more. Each week, we round up the security and privacy news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.


LastPass Suffers Yet Another Compromise Resulting From a Partner Breach

The password manager LastPass has had a string of significant data breaches over the years, and now there’s one more to add to the list. This week, the company informed customers of a breach that exposed names, phone numbers, email addresses, physical addresses, support case data, and sales-related data. The incident stemmed from a breach at the AI business intelligence firm Klue. Attackers compromised the access tokens Klue held for its customers, including LastPass, and used those tokens to pull data from Salesforce and other platforms integrated with Klue. LastPass emphasized that its own infrastructure was not breached and that password vaults were not affected; the exposed data is customer contact and support information, which is precisely the kind of material used to craft convincing targeted phishing.

“We recommend that customers remain vigilant of potential phishing attacks or social engineering attempts, which could leverage exposed contact details,” LastPass wrote in its customer notification. “Always exercise caution regarding unsolicited communications, including emails, phone calls, or requests for sensitive information.”


Former Trump Adviser John Bolton Pleads Guilty in Case Over Retaining Classified Data

John Bolton, a former national security adviser, pleaded guilty on Friday to a single count concerning the mishandling and illegal retention of classified defense information. Bolton, 77, struck a plea deal that could allow him to avoid prison time; the agreement recommends a sentence of no more than five years, and US District Judge Theodore Chuang in Maryland will decide the actual sentence at a hearing scheduled for October 28. Bolton served in the first Trump administration but subsequently became a prominent critic of President Donald Trump. As part of the deal, Bolton also agreed to pay a fine of $2.25 million, but he can withdraw his guilty plea if Chuang imposes a larger fine or a longer prison sentence than the deal recommends.


Europol, Microsoft, and Others Disrupt Widely Used Infostealers Facilitating Cybercrime

Microsoft, Europol, and other partners announced on Wednesday that they disrupted the infrastructure of the Amadey and StealC infostealers, malware that is central to the cybercriminal ecosystem. The work was part of Operation Endgame, which targets the platforms and tools that facilitate ransomware and other cybercrime. The action involved identifying and mapping the malware infrastructure and then seizing and taking it down, including 326 servers and 142 domains. The operation flagged about $47 million worth of stolen cryptocurrency and recovered up to 27 million stolen access credentials. Microsoft emphasized that the action was enabled by innovative techniques, including AI-assisted analysis showing that Amadey and StealC relied on the same backend infrastructure and could therefore be targeted together.


Australia Found Nation-State Hackers Inside Critical Infrastructure, Ready to Sabotage

The Australian Security Intelligence Organisation (ASIO) said this week that it is establishing teams focused on countering nation-state cyberattacks on critical infrastructure after finding state-backed actors inside the network of an Australian critical infrastructure provider. “We discovered nation-state hackers had compromised the network of an Australian critical infrastructure provider,” ASIO’s director general, Mike Burgess, said in remarks on Wednesday. “ASIO assessed the hackers were preparing for sabotage. … They were mapping out the network and maintaining access so they could cripple it at a time of their choosing.”

Burgess spoke alongside the release of ASIO’s annual threat assessment. “In this case, a state-sponsored group didn’t just achieve access to the Australian critical infrastructure provider, it successfully acquired credentials—login details and passwords—for active users of the networks, including the IT professionals guarding it.”
