An unsecured backup drive has exposed Attack.Databreach thousands of US Air Force documents , including highly sensitive personnel files on senior and high-ranking officers . Security researchers found that the gigabytes of files were accessible Attack.Databreach to anyone because the internet-connected backup drive was not password protected . The files , reviewed by ZDNet , contained a range of personal information , such as names and addresses , ranks , and Social Security numbers of more than 4,000 officers . Another file lists the security clearance levels of hundreds of other officers , some of whom possess `` top secret '' clearance , and access to sensitive compartmented information and codeword-level clearance . Phone numbers and contact information of staff and their spouses , as well as other sensitive and private personal information , were found in several other spreadsheets . The drive is understood to belong to a lieutenant colonel , whose name we are not publishing . ZDNet reached out to the officer by email but did not hear back . The data was secured last week after a notification by MacKeeper security researcher Bob Diachenko . Among the most damaging documents on the drive included the completed applications for renewed national security clearances for two US four-star generals , both of whom recently had top US military and NATO positions . Both of these so-called SF86 applications contain highly sensitive and detailed information , including financial and mental health history , past convictions , relationships with foreign nationals , and other personal information . These completed questionnaires are used to determine a candidate 's eligibility to receive classified material . Several national security experts and former government officials we spoke to for this story described this information as the `` holy grail '' for foreign adversaries and spies , and said that it should not be made public . For that reason , we are not publishing the names of the generals , who have since retired from service . Nevertheless , numerous attempts to contact the generals over the past week went unreturned . `` Some of the questions ask for information that can be very personal , as well as embarrassing , '' said Mark Zaid , a national security attorney , in an email . The form allows prospective applicants to national security positions to disclose arrests , drug and alcohol issues , or mental health concerns , among other things , said Zaid . Completed SF86 forms are n't classified but are closely guarded . These were the same kinds of documents that were stolen Attack.Databreach in a massive theft Attack.Databreach of sensitive files at the Office of Personnel Management , affecting more than 22 million government and military employees . One spreadsheet contained a list of officers under investigation by the military , including allegations of abuses of power and substantiated claims of wrongdoing , such as wrongfully disclosing classified information . Nevertheless , this would be the second breach Attack.Databreach of military data in recent months . of Defense subcontractor , was the source of a large data exposure Attack.Databreach of military personnel files of physical and mental health support staff . Many of the victims involved in the data leak Attack.Databreach are part of the US Special Operations Command ( SOCOM ) , which includes those both formerly employed by US military branches , such as the Army , Navy , and Air Force , and those presumably still on active deployment . It 's not known how long the backup drive was active .

Like any community , the Internet has dark alleys and sketchy places it is best to avoid . Granted , anyone with a connected mobile device is at risk of having his or her private personal and financial information stolen Attack.Databreach and misused . But dangerous software and applications often lurk in specific corners of cyberspace , where a touch of a button can have disastrous consequences . These sites may have a web address that ’ s similar to legitimate sites but contain misspellings , bad grammar or low-resolution images , according to McAfee Labs , which is the threat research division of Intel Security . Double check URLs to make sure that sites are authentic and not replicas created by scammers to try to steal Attack.Databreach personal information . A scam currently making the rounds is a message that shows up in people ’ s in-boxes purporting to be Attack.Phishing from Netflix . But in reality , it ’ s a “phishing” scheme Attack.Phishing intended to steal people ’ s log-in and credit card information . Apple.com , obviously , is a well-known and trustworthy source of content . The fake address , however , is not visible when the message is viewed on a cell phone . That “ s ” makes all the difference , because it signals that a site has security encryption . Legitimate e-commerce sites use encryption to keep customers ’ payment information safe . To confirm it is a trusted site , look for on a lock symbol in the browser window . Consumers also should try to restrict their downloads to official and reputable app stores , such as the Apple Store , the Google Play Store and Amazon , said Scot Ganow , an attorney with Dayton-based law firm Faruki Ireland Cox Rhinehart & Dusing whose practice focuses on information privacy and security law . More than 1 million Android phones were infected by a yucky type of malware dubbed “ Googlian ” that consumers downloaded from third-party apps and by clicking on malicious links , experts said . The malware campaign has exposed Attack.Databreach people ’ s messages , documents , photographs and other sensitive data and also led to the installation of unwanted apps their devices , according to Check Point , a threat prevention software company .

A maker of Internet-connected stuffed animal toys has exposed Attack.Databreach more than 2 million voice recordings of children and parents , as well as e-mail addresses and password data for more than 800,000 accounts . He said searches using the Shodan computer search engine and other evidence indicated that , since December 25 and January 8 , the customer data was accessed Attack.Databreach multiple times by multiple parties , including criminals who ultimately held the data for ransom Attack.Ransom . The recordings were available on an Amazon-hosted service that required no authorization to access . The data was exposed Attack.Databreach by Spiral Toys , maker of the CloudPets line of stuffed animals . The toys record and play voice messages that can be sent over the Internet by parents and children . The MongoDB database of 821,296 account records was stored by a Romanian company called mReady , which Spiral Toys appears to have contracted with . Hunt said that , on at least four occasions , people attempted to notify the toy maker of the breach Attack.Databreach . In any event , evidence left behind by the ransom demanders made it almost certain company officials knew of the intrusions Attack.Ransom . Hunt wrote : It 's impossible to believe that CloudPets ( or mReady ) did not know that firstly , the databases had been left publicly exposed Attack.Databreach and secondly , that malicious parties had accessed Attack.Databreach them . Obviously , they 've changed the security profile of the system , and you simply could not have overlooked the fact that a ransom had been left Attack.Ransom . So both the exposed database Attack.Databreach and intrusion Attack.Ransom by those demanding the ransom Attack.Ransom must have been identified yet this story never made the headlines . Further ReadingInternet-connected Hello Barbie doll gets bitten by nasty POODLE crypto bugThe breach is the latest to stoke concerns about the privacy and security of Internet-connected toys . In November 2015 , tech news site Motherboard disclosed the hack Attack.Databreach of toy maker VTech in a breach Attack.Databreach that exposed Attack.Databreach the names , e-mail addresses , passwords , and home addresses of almost 5 million adults , as well as the first names , genders and birthdays of more than 200,000 kids . A month later , a researcher found Vulnerability-related.DiscoverVulnerability that an Internet-connected Barbie doll made by Mattel contained vulnerabilities that might allow hackers to intercept real-time conversations . In addition to storing the customer databases in a publicly accessible location , Spiral Toys also used an Amazon-hosted service with no authorization required to store the recordings , customer profile pictures , children 's names , and their relationships to parents , relatives , and friends . In Monday 's post , Hunt acknowledged the help of Motherboard reporter Lorenzo Franceschi-Bicchierai , who published this report . Oddly enough , for a product with such lax security , the service used the ultra-secure bcrypt hashing function to protect passwords . Unfortunately , CloudPets had one of the most permissive password policies ever . It allowed , for instance , a passcode of the single character `` a '' or the short keyboard sequence `` qwe . '' `` What this meant is that when I passed the bcrypt hashes into [ password cracking app ] hashcat and checked them against some of the world 's most common passwords ( 'qwerty , ' 'password , ' '123456 , ' etc . ) along with the passwords 'qwe ' and 'cloudlets , ' I cracked a large number in a very short time , '' Hunt wrote . Further ReadingHow to search the Internet of Things for photos of sleeping babiesThe lesson that emerged long ago is that the security of so-called Internet of things products is so poor that it often outweighs any benefit afforded by an Internet-connected appliance . As the CloudPets debacle underscores , the creep factor involved in Internet-connected toys makes the proposition even worse