Troy Hunt
Creator of @haveibeenpwned. Microsoft Regional Director. Pluralsight author. Online security, technology and “The Cloud”. Australian.
Jan 31 12 tweets 4 min read
Alright folks, this is starting to smell like bullshit. Not the alleged breach (which smells bad for reasons I'll explain in a moment), but the "AI" line from both Europcar and the PR agency that just emailed me pitching someone's hot take on it. Here's why: Firstly on the legitimacy of the data, a bunch of things don't add up. The most obvious one is that the email addresses and usernames bear no resemblance to the corresponding people's names. For example:
Oct 30, 2023 7 tweets 2 min read
We often receive comments to the effect of “we want to purchase a @haveibeenpwned subscription but our company doesn’t allow us to use a credit card”. What is the financial reason behind this?

This is a very small portion compared to those that *do* pay by card, but why is this? To add to this, having spent 14 years at Pfizer I’d see policies like this all the time. But it’s also not like there was a blanket ban: try going on a business trip and asking the person at the noodle shop you’re having lunch at to raise an invoice on 60 day terms 🤣
Sep 8, 2023 4 tweets 2 min read
Let me add some more context to the Dymocks breach, starting with giving them a massive pat on the back for responding so quickly. It was less than 48 hours between me contacting someone there via LinkedIn and them sending disclosure emails to customers. Massive kudos! What's not as clear from the story is the extent to which the data was already circulating before I was able to get in touch with them. Multiple Telegram channels and a popular *clear web* (not dark web) forum were broadly circulating the data.
Jun 16, 2023 12 tweets 4 min read
Crikey Miele 🤦‍♂️ Ah, so that’s why. Up until 10 minutes ago…
Jun 8, 2023 19 tweets 8 min read
Had a weird thing happen with @AzureApiMgmt that caused the public @haveibeenpwned API to start getting laggy, especially around 1 week ago. It went from ~220ms response times 90 days ago to over 1 second up until yesterday. Scaled out an instance and now we're down to ~70ms. This is despite very consistent performance of the underlying @AzureFunctions app. Something started gradually going south at the APIM level and I'm continuing to look at that with the team there.
May 30, 2023 10 tweets 5 min read
Ok folks, here’s the next edition of “Troy’s IoT Hell” 👿

Recently I had to make a call between buying the older Yale Assure locks sold locally here in Aus or the newer one only sold in the US. This was for 2 locks, one for the front door and one for the front (undercover) gate. I went with the newer ones from the US as they were smaller, looked a lot neater, support Matter (with a coming add on module) and only took a few days for shipping. They look *great*!
May 24, 2023 10 tweets 2 min read
Got an unexplainable Azure Function problem which I suspect will have an obvious answer once I start explaining it to other people, so here goes: I have a function with a queue trigger that makes an outbound HTTP call after the queue item is picked up. I can place messages in the queue and see them disappearing moments later, but the outbound call never gets sent.
May 22, 2023 42 tweets 16 min read
So @Charlotte_Hunt_ is selling a fridge on Gumtree and immediately starts getting messages like this. The first one gets a bit of “no, we can discuss here” and they disappear. This one… gets a burner address to see how weird shit gets. What’s the angle? There’s always an angle… 🍿
May 17, 2023 8 tweets 3 min read
This is interesting reading regarding the .zip TLD. However, it's of near zero consequence to phishing attacks, read it first then I'll explain: medium.com/@bobbyrsec/the… Read it? Good, here's the problem: let's start with the opening para which asserts that you can't quickly tell which URL is legit due to the .zip TLD. That's true, you can't. But which URL in the second image is the real Google blog site?
Jan 5, 2023 10 tweets 3 min read
A couple of quick pieces of commentary now then I'll do some deeper analysis later on: Firstly, the 98% "pwned before" rate clearly indicates the email addresses were taken from other data breaches then used to query the vulnerable API. Later on today, I'll run a sample set of the data and see if there's any obvious patterns as to where this data comes from, but I suspect it'll be credential stuffing lists such as Collection #1.
Jan 5, 2023 12 tweets 3 min read
And now, for my next project: More bits:
Nov 23, 2022 8 tweets 2 min read
What’s the driving force behind many infosec people jumping from Twitter? Unhappy with Elon’s cuts? Or who he’s letting back into the platform? A genuine belief he’s driving it into the ground? Other? Everything seems normal from here, why the exodus? Nothing really not already covered in the above tweet has come through in the responses, I think those 3 really cover it. My 2c:
Nov 15, 2022 12 tweets 4 min read
Not the most pleasant of breaches to sift through, let me add some more background via a thread: Firstly, there was no response to attempted disclosure via their contact form, no security.txt file and no joy reaching out via Twitter
Nov 14, 2022 7 tweets 1 min read
As it’s newsworthy at present, a quick poll: should there be a government ban on paying a ransom to stop breached data from being publicly leaked? Interesting response here with a very clear (not surprising) bias. A few themes I disagree with, however:
Nov 13, 2022 4 tweets 1 min read
Dear parent friends, I have a school / tech / cyber question for you all: does your child's school provide any guidance around the use of native parental control on their devices? App store restrictions, enforceable screen time limits, purchase approvals, etc. I'm curious based on my own experiences (which I'll share later) and after observing that most parents have absolutely no idea firstly, what they're doing with tech and secondly, that these controls even exist. For free.
Nov 7, 2022 13 tweets 4 min read
A thread on the business of ransomware as it relates to Medibank:

If you look at this situation through the lens of ransomware being a business, you start to understand the motives and how things are likely to play out. Like a normal business, many ransomware crews run websites, usually accessible via Tor (yes, "The Dark Web"). In many ways they look and feel like a normal website, just with a very different modus operandi.
Nov 6, 2022 10 tweets 3 min read
Nov 2, 2022 8 tweets 3 min read
Today is *finally* the day! Fibre to the premise being installed, let’s see what this chart looks like by the end of the day. Test from my phone before the upgrade, pretty consistent with what @home_assistant is reporting above. It’s 1000/400 from @Aussie_BB going in, let’s see what actual speeds we can get.
Oct 26, 2022 4 tweets 2 min read
Every year at this time (except the last 2 🦠), our city gets turned into a race track for the #GC500, with pit lane down the end of our street. 3 days of race cars, jet flybys and loud engines. It’s perfect 😊 View from the ground, what a location! 🏎️
Oct 22, 2022 33 tweets 17 min read
Losing my mind a bit with the @bigassfans app. Connect to their broadcast network, finds the device, join it to my network then… nothing. 3 different fans, exactly the same experience. 1/n Fans are definitely on the network as they all show up in @Ubiquiti so join is successful. They're on the 2G band (I believe that's all they support) and have stable connections. 2/n
Oct 6, 2022 6 tweets 2 min read
I love that part of the Microsoft Security Score for Identity in Azure improves your score if you *don't* enforce password rotation, what a sign of the times! Who out there still works somewhere that forces rotation (because "reasons")? Geez there’s some debate about this one! Mostly support but also some misunderstanding so let’s fill some gaps:

Firstly, password managers don’t solve this problem, not when you’re talking about the credentials to logon to your PC. That’s a rare case where you need to type it…