Hackers breached Mailchimp to target crypto holders

Hackers used Mailchimp's internal tools to target the customers of 102 of its clients, including hardware cryptocurrency wallet maker Trezor, reported The Verge. Trezor users over the weekend received emails claiming that their accounts had been compromised in a data breach. The email included a purported link to an updated version of Trezor Suite, along with instructions to set up a new PIN — though in actuality it was a phishing site meant to capture the contents of their digital wallets.

In a tweet on Sunday, Trezor confirmed that the emails were part of a sophisticated phishing campaign by a malicious actor that targeted Mailchimp’s newsletter database. “The Mailchimp security team disclosed that a malicious actor accessed an internal tool used by customer-facing teams for customer support and account administration,” Trezor wrote in a blog post. “The bad actor gained access to this tool as a result of a successful social engineering attack on Mailchimp employees.”

In other words, the hackers managed to trick employees in Mailchimp’s customer support team into handing over their login credentials, then used the company’s own internal tools to send the emails. The Trezor attack specifically was planned to a “high level of detail,” according to the company’s blog post. Still, in order for the attack to be successful, Trezor users had to download the fake app and submit their wallet credentials. It’s unlikely many made it that far, as Trezor points out in its post, considering that most operating systems would have notified the user that they were downloading software from an unknown source.

Mailchimp first became aware of the breach on March 26th, according to a statement by its chief information officer Siobhan Smith given to The Verge. The hackers were able to obtain audience data from 102 different Mailchimp clients, meaning that Trezor is far from the only company likely impacted. Decentraland, the in-browser metaverse platform, confirmed on Twitter that its newsletter was among those caught up in the hack.

We’ll likely find out what other companies were involved in the Mailchimp hack in the days to follow. The company has already alerted all of its clients who were involved.

TikTok owner ByteDance scraped content from Instagram and others to push predecessor app

To fuel the rise of its app Flipagram, TikTok parent company ByteDance scraped profiles, videos, usernames and other content from Instagram and other social media platforms. BuzzFeed reported that the Chinese company scraped “hundreds of thousands” of accounts for content without users’ consent. Flipagram, which ByteDance acquired back in 2017, allowed users to create short slideshow videos set to music — sort of a simplified version of TikTok and other short-form video apps. The app has since been rebranded as Vigo Video.

The scraping strategy was meant to be a “growth hack” for Flipagram, allowing it to expand its user base, according to former ByteDance employees interviewed by BuzzFeed. Flipagram was scraping up to 10,000 videos per day from high-priority countries, according to one former employee. The three platforms that Flipagram allegedly scraped content from are Instagram, Snapchat and Musical.ly (which is owned by ByteDance and was later absorbed by TikTok). One former ByteDance employee disputes that Instagram was involved in the scrape due to the incompatible sizing of its videos at the time.

The employees also allege that the scraped content from major US social media platforms was then used to build ByteDance’s “For You” algorithm. TikTok has yet to comment on whether Flipagram’s stolen data was used to build TikTok’s “For You” algorithm.

Scraping publicly available data isn’t illegal by itself. Many social platforms find “creative” ways to boost their audience in their early days, like harvesting external content, creating fake profiles or mass-emailing potential users. But companies can also ban unauthorized scraping in their terms and conditions for users, which Instagram and Snapchat both do. Violating such contracts can often lead to lawsuits.

There’s an irony to ByteDance in its early days allegedly scraping data from Instagram, since Reels was Instagram’s attempt to capture TikTok’s audience and instead became a receptacle for old TikToks. In order to keep Reels from driving more traffic to its rival app, Instagram recently announced it would no longer promote TikToks.

DOJ seizes $34 million of crypto from a dark web seller

In what the DOJ calls one of the largest cryptocurrency civil forfeiture filings in US history, the Southern District of Florida has successfully seized around $34 million worth of coins and tokens from a seller on the dark web.

According to a recent release, the illicit crypto was seized from a South Florida resident who used an online alias to sell more than 100,000 illicit items across marketplaces on the dark web. The bulk of the sales are said to have been hacked account information from a number of major services, including HBO, Netflix, Uber and others.

Prosecutors from the Southern District of Florida say the resident used Tor (The Onion Router) to access the dark web, before using a series of tumblers to convert one cryptocurrency into another in order to hide its source. This series of actions is often called chain hopping and is considered a form of money laundering, which is obviously a big no-no at both the federal and state levels.

Eventually, proceeds from the illicit sales were deposited in random increments at random times into designated crypto wallets, which were later recovered by law enforcement. Between May 16th, 2017 and June 19th, 2017, authorities seized approximately 919.3 Ethereum, 643 Bitcoin, 640 Bitcoin Gold, 640 Bitcoin Cash and 640 Bitcoin SV.

The DOJ says the civil forfeiture filing comes as a result of Operation TORnado, which is a joint investigation by the Organized Crime Drug Enforcement Task Forces (OCDETF) across multiple federal, state and local agencies.

However, while that $34 million sum (which was worth as much as $47 million at one point, based on court docs) is certainly a lot, given the growing popularity of crypto, it almost certainly won’t remain one of the largest seizures for long.

Valve is increasing Steam Deck shipments

Since Steam Deck went on sale at the end of February, Valve has emailed reservation holders about once a week to tell them they can purchase its handheld PC. That’s meant a lot of people have been patiently waiting to get their hands on the highly sought-after gadget, but that wait could soon be shorter.

On Monday, the company said it was ramping up Steam Deck shipments. By just how much, Valve didn’t specify, but what it did promise is that it would start sending more order availability emails each week. If you’re on the fence about buying a unit, Valve has also updated the Steam Deck’s product page to clarify what timeframes like Q2 and Q3 mean in terms of months. If you were to place a reservation today, the page now says you’ll have the chance to order a unit sometime in October 2022 or later. Bottom line: it sounds like Valve is doing its best to get Steam Deck units to customers more quickly.

Amazon’s planned worker chat app would reportedly ban words like ‘union’

Amazon’s anti-union stance might spill into the apps for employees. The Intercept says it obtained internal documents detailing a planned worker chat app that, while meant to boost happiness, would include a blocklist focused heavily on silencing pro-union keywords. In addition to forbidding the use of the word “union,” it would also block terms like “compensation,” “pay raise,” “ethics” and even “robots.”

Other bans would focus mostly on keeping things positive, such as “rude” and “stupid.” Most, however, appear centered on working conditions. Amazon supposedly decided on the words at an upper-echelon meeting in November 2021, where executives outlined an app that would encourage “Shout-Outs” and offer digital rewards for providing value to the company.

The program linked to the app will reportedly launch in April. In a statement to The Intercept, however, Amazon spokeswoman Barbara Agrait said the initiative “has not been approved yet” and might be changed or scrapped.

If the program and its associated app launch, they would come at a tense moment. Amazon warehouse workers in Staten Island just voted to unionize, and those at a Bessemer, Alabama facility just had a highly contested rerun election where both sides accused each other of interference. While this app isn’t about to hinder union organizers (they weren’t likely to use Amazon-monitored chats), it could underscore the very labor concerns the company doesn’t want employees to mention.

We have three years to curb emissions to avoid climate catastrophe, UN report finds

The world needs to cut carbon emissions by a quarter by the year 2030 to avoid the most catastrophic impacts of climate change, according to the latest report from the United Nations’ Intergovernmental Panel on Climate Change (IPCC). Governments and industries must ensure that carbon emissions peak by 2025. Even then, the world will need to invest in CO2 removal facilities and other technologies to remove carbon dioxide from the atmosphere. With all these measures in place, the world can still expect a bare minimum temperature increase of 1.5 degrees Celsius over the next few decades, still a grim outcome that will eviscerate most of the world’s coral reefs and make many low-lying regions uninhabitable.

The lead author of the report, Sarah Burch, tweeted that even the 1.5 degrees Celsius target is unlikely, a sentiment that other climate scientists have expressed. In order to reach that goal, virtually every industry and country would have to make rapid emissions cuts.

“The average annual greenhouse gas emissions over the last 10 years were THE HIGHEST IN HUMAN HISTORY. We are not on track to limit warming to less than 1.5 degrees,” tweeted Burch.

But the report also expressed a few reasons to be optimistic. First, governments and the private sector at the very least know what they need to do as far as curbing their energy use. The question remains whether stakeholders will actually stick to their emissions targets and make the drastic changes needed to avoid the worst case scenario.

“Having the right policies, infrastructure and technology in place to enable changes to our lifestyles and behavior can result in a 40-70% reduction in greenhouse gas emissions by 2050. This offers significant untapped potential,” wrote IPCC Working Group III Co-Chair Priyadarshi Shukla in the report.

Second, even though average annual global greenhouse gas emissions between 2010 and 2019 were the highest in human history, the rate of growth has slowed. Countries have adopted policies that have decreased deforestation and ramped up the use of renewable energy. The costs of solar, wind energy and lithium-ion batteries have also decreased by 85% over the past decade, making them more viable options than ever before.

The report warned that by 2050, solar and wind power will need to supply the majority of the world’s energy. And the report also echoed the consensus shared by most climate scientists that the world must immediately and rapidly curb its use of fossil fuels. “Coal has to go. Coal without carbon capture and storage has to go down by 76% by 2030. That’s… really fast,” noted Burch.

But attaining global consensus to cut down on fossil fuels is easier said than done. China, the world’s largest greenhouse gas emitter, increased its domestic coal use in the wake of Russia’s invasion of Ukraine, which ramped up energy commodity prices. Leaders in the EU and US have expressed concerns that global demand for coal will only increase, with countries needing to burn more coal due to higher natural gas prices.

State Department’s new bureau makes cybersecurity a part of foreign policy

The Department of State has cut the ribbon on the Bureau of Cyberspace and Digital Policy (CDP), which is now in operation. The move makes cybersecurity a more formal area of focus for US foreign policy following a swathe of attacks linked to Russia and China.

Secretary of State Antony Blinken announced the CDP in October. The bureau comprises three policy units: International Cyberspace Security; International Information and Communications Policy; and Digital Freedom.

The office will eventually be led by an Ambassador-at-Large, who will require Senate confirmation. Jennifer Bachus, a career member of the Senior Foreign Service, is running the bureau on an acting basis as senior official and principal deputy assistant secretary.

The bureau could help the US address cybersecurity threats both on its own and through partnerships with allies. A spate of major hacks has been attributed to state-linked actors from Russia and China over the last several years, including several Microsoft Exchange cyberattacks (for which the Biden administration pinned the blame on China). Others include the SolarWinds attack, over which the US has sanctioned multiple Russian companies, individuals and entities.

In February, FBI Director Christopher Wray said the agency had more than 2,000 active investigations related to thefts of US tech or information that were allegedly carried out by China. He claimed the country had a “massive, sophisticated hacking program that is bigger than those of every other major nation combined.” Shortly before Russia invaded Ukraine in February, Ukraine’s government blamed Russia for a cyberattack against its websites.

President Biden signed an executive order last May that sought to bolster the country’s cybersecurity infrastructure. He followed that up in January with an EO that contained more concrete directives concerning the Defense Department, the intelligence community and national security systems.

The DeLorean EV will be unveiled on August 18th

After years of teasing, the DeLorean Motor Company announced on Monday that it will unveil an all-electric vehicle on August 18th, promising to share its official name at the same time. Details on the concept car are scant, but what the automaker did share is that it worked with Italdesign, best known for its work with Volkswagen, to design the upcoming car. Judging from DeLorean’s website, the vehicle will feature the iconic gull-wing doors of the DMC-12.

To be clear, the company making the DeLorean EV isn’t the same one that produced the DMC-12. The DeLorean Motor Company of Texas is known for restoring vintage DeLorean vehicles, billing itself as the largest source of parts for the defunct brand that made the original. We’ll also note it’s been talking about electrification since 2011, when it said it was working on an all-electric DeLorean with a 100-mile range.

Native Instruments’ Maschine devices are up to $200 off

If you’re in the market for a music-making machine that can do just about anything, then it’s worth taking a peek at Native Instruments’ latest sale. The company is cutting the price of its Maschine hardware by up to $200 and tossing in some free software expansions for good measure. The pick of the bunch is the Maschine+, which is currently $200 off at $1,199. Even better, if you’re an existing customer, you might qualify for a bigger discount. You’ll find out after you log in.

Buy Maschine+ at Native Instruments – $1,199

With the Maschine+, which it released in 2020, NI stuffed its software into a groovebox — you don’t need a PC to use the instrument. It combines a synth, sampler, sequencer and drum machine.

We gave the Maschine+ a score of 83 in our review, finding it to be high-quality hardware with a respectable range of synth software. We appreciated the fact it can be used as a standalone device as well as a MIDI controller. However, we felt the input and output options were limited and that some of the instruments felt dated.

Elsewhere, you can get $100 off the Maschine (now $599) or $50 off the Maschine Mikro (which has dropped to $219). If you do buy one of these devices, be sure to register the serial number in the Native Access software or directly on the Maschine+. You’ll receive an email with a voucher that will allow you to unlock up to eight expansions at no extra cost.

The sale and free software offer will run until May 5th. Voucher codes will expire if they aren’t used before June 1st.

Buy Maschine hardware at Native Instruments

Follow @EngadgetDeals on Twitter for the latest tech deals and buying advice.