about stark vulnerabilities in a telephony signalling network called SS7. These flaws allow attackers to listen to calls, intercept text messages, and pinpoint a device's location armed with just the target's phone number. Taking advantage of these issues has typically been reserved for governments or surveillance contractors. But on Wednesday, the German newspaper Süddeutsche Zeitung reported that financially motivated hackers had used those flaws to help drain bank accounts.

This is much bigger than a series of bank accounts, though: it cements the fact that the SS7 network poses a threat to all of us, the general public. And it shows that companies and services across the world urgently need to move away from SMS-based authentication to protect customer accounts.

"I'm not surprised that hackers take money that is 'lying on the table'. I'm just surprised that online bank thieves took so long in joining spying contractors in abusing the global SS7 network," Karsten Nohl, a cybersecurity researcher who has highlighted vulnerabilities in SS7, told Motherboard in an email.

In short, the issue with SS7 is that the network believes whatever you tell it. SS7 is used, among other things, for roaming: when a phone user goes outside their own provider's coverage, calls and messages still need to be routed to them, so carriers exchange routing updates with one another. But anyone with SS7 access, which can be purchased for around 1,000 euros according to the Süddeutsche Zeitung, can send such a routing request, and the network may not authenticate where that request is coming from. That allows the attacker to redirect a target's text messages to another device and, in the case of the bank accounts, steal any codes needed to log in or approve money transfers (after the hackers had already obtained the victims' passwords).
Although some telcos have taken steps to mitigate the issue, there are clearly still huge gaps for hackers to exploit. "Everyone's accounts protected by text-based two-factor authentication, such as bank accounts, are potentially at risk until the FCC and telecom industry fix the devastating SS7 security flaw," Rep. Ted Lieu said in a statement published Wednesday. "I urge the Republican-controlled Congress to hold immediate hearings on this issue."

In the meantime, and maybe irrespective of whether the SS7 problems are ever fixed, social media companies, banks, and other online services need to stop using SMS-based two-factor authentication. Last year the National Institute of Standards and Technology said, in a draft of its digital authentication guidelines, that it was no longer recommending solutions that used SMS. Twitter does let users sign in with a code from Google Authenticator, a smartphone app that generates one-time codes locally from a secret shared with the service rather than receiving them over the network, which is a more robust form of two-factor authentication. But the site apparently still sends those logging in an SMS code as well, and an attacker who can intercept that fallback code does not need the app at all; in light of these recent SS7 attacks, that totally undermines the extra security protections. Twitter did not immediately respond to a request for comment.

Motherboard even recently published a piece telling general readers that they were likely fine with only SMS-based two-factor authentication. That piece focused on another type of attack and was based on the premise that non-state hackers were not widely using SS7. It is, clearly, out of date.

"It is unacceptable the FCC and telecom industry have not acted sooner to protect our privacy and financial security," Lieu's statement added.
In one of the more bizarre data breaches to surface recently, hackers made off with 6 million accounts for CashCrate, a site where users can be paid to complete online surveys, according to a database obtained by Motherboard. In short, CashCrate connects users to companies that need people to test new products and services, or to take part in daily surveys, in exchange for cash.

The data includes user email addresses, names, passwords, and physical addresses. Judging by timestamps in the stolen database, the earliest accounts date back to 2006 and come with their passwords in plaintext. If a user signed up to another service with the same password, hackers could access the victim's account on that site as well as their CashCrate account. Accounts from mid-2010 onwards appear to have passwords hashed with the notoriously weak MD5 algorithm, a fast hash that password-cracking tools can test billions of candidates per second against, meaning that hackers may well be able to crack the hashes and obtain the real login credentials.

For-profit breach notification site LeakBase provided Motherboard with a copy of the CashCrate data. To verify that the data was legitimate, Motherboard attempted to create accounts with random email addresses included in the data. In every instance this was not possible, because the email address was already linked to an account on CashCrate.

As an indication of CashCrate's approach to cybersecurity, the site does not use basic web encryption (HTTPS), including on its login page, meaning that credentials could be exposed to anyone in a position to intercept them.

"We're in the process of notifying all our members about the breach. While we're still investigating the cause, at this point it appears that our third-party forum software was compromised, which led to the breach. We've deactivated it until we're confident it's secure," a CashCrate spokesperson told Motherboard in an email.
"We have also confirmed that any users who have logged in since October 2013 have passwords that are fully hashed and salted, and we're looking into why some inactive accounts have plaintext passwords. Those will be hashed and salted immediately," the spokesperson added.

The lesson: we all sign up to odd or random websites. If possible, it may be worth using a different email address for these more leftfield sites, or even creating a dedicated address for each. That way, when a breach does occur, any fallout will be mitigated, and hopefully limited to only one or a few sites. That, and you should use a unique password for every site too.
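To show why plaintext or unsalted MD5 storage is so much worse than "hashed and salted", the following added example (written for this page, not CashCrate's code; the user names, passwords and wordlist are constructed) builds a small MD5 dump of the kind described above, cracks it with a single dictionary pass, and contrasts it with per-user salted PBKDF2 storage and its verification routine.

```python
"""Unsalted MD5 password storage versus salted, slow hashing.

Added example for this page; the dump, users, passwords and wordlist are all
constructed here. It is not CashCrate's code and makes no claim about how
CashCrate's database was actually laid out.
"""
import hashlib
import hmac
import os

# Constructed sample dump in the style the article describes: unsalted MD5.
SAMPLE_USERS = {
    "alice": "password123",
    "bob": "password123",     # same password as alice -> same hash
    "carol": "qwerty",
    "dave": "c0rrect-h0rse-batt3ry-stapl3",   # not in the wordlist below
}

# Constructed wordlist standing in for the multi-million-entry lists that
# real cracking tools use.
WORDLIST = ["123456", "password", "qwerty", "password123", "letmein"]


def md5_store(password: str) -> str:
    """What a site using bare MD5 keeps on disk: fast, unsalted, deterministic."""
    return hashlib.md5(password.encode()).hexdigest()


def build_constructed_dump() -> dict:
    """Produce {user: md5hex} from the constructed sample users."""
    return {user: md5_store(pw) for user, pw in SAMPLE_USERS.items()}


def crack_unsalted(dump: dict, wordlist) -> dict:
    """Dictionary attack on an unsalted dump.

    One hash per candidate word cracks every user who chose that word, because
    without a salt identical passwords give identical hashes. Real tools do the
    same thing at billions of MD5s per second on a GPU.
    """
    lookup = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    return {user: lookup[h] for user, h in dump.items() if h in lookup}


def store_pbkdf2(password: str, iterations: int = 600_000,
                 salt: bytes = None) -> str:
    """Salted, deliberately slow storage (PBKDF2-HMAC-SHA256).

    The iteration count is the OWASP-recommended figure for PBKDF2-SHA256 at
    the time of writing; the record format 'algo$iters$salt$hash' is this
    example's own convention (an assumption, not a standard).
    """
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_pbkdf2(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    dump = build_constructed_dump()
    print("cracked from MD5 dump:", crack_unsalted(dump, WORDLIST))
    rec = store_pbkdf2("password123")
    print("salted record:", rec)
    print("verify correct password:", verify_pbkdf2("password123", rec))
    print("verify wrong password:", verify_pbkdf2("password124", rec))
```

With salted PBKDF2 the attacker must repeat the full 600,000-iteration derivation per candidate per user, so a shared password no longer leaks across accounts and the per-guess cost rises by orders of magnitude. The same reasoning is why the spokesperson's promise to hash and salt the remaining plaintext accounts matters, and why the 2006-era plaintext rows are the worst part of the dump.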