According to Reddit user jolioshmolio, Hong Kong-based sex toy company Lovense's remote control vibrator app (Lovense Remote) recorded a use session without their knowledge. "An audio file lasting six minutes was stored in the app's local folder," reports The Verge. "The user says he or she gave the app access to the mic and camera but only to use with the in-app chat function and to send voice clips on command -- not constant recording when in use." The app's behavior appears to be widespread as several others confirmed it too. From the report: A user claiming to represent Lovense responded and called this recording a "minor bug" that only affects Android users. Lovense also says no information or data was sent to the company's servers, and that this audio file exists only temporarily. An update issued today should fix the bug. This isn't Lovense's first security flub. Earlier this year, a butt plug made by the company -- the Hush -- was also found to be hackable. In the butt plug's case, the vulnerability had to do with Bluetooth, as opposed to the company spying on users.

tedlistens writes from a report via Fast Company: "Facebook routinely shares the sensitive income and employment data of its U.S.-based employees with the Work Number database, owned by Equifax Workforce Solutions," reports Fast Company. "Every week, Facebook provides an electronic data feed of its employees' hourly work and wage information to Equifax Workforce Solutions, formerly known as TALX, a St. Louis-based unit of Equifax, Inc. The Work Number database is managed separately from the Equifax credit bureau database that suffered a breach exposing the data of more than 143 million Americans, but it contains another cache of extensive personal information about Facebook's employees, including their date of birth, social security number, job title, salary, pay raises or decreases, tenure, number of hours worked per week, wages by pay period, healthcare insurance coverage, dental care insurance coverage, and unemployment claim records."

Surprisingly, Facebook is among friends. Every payroll period, Amazon, Microsoft, and Oracle provide an electronic feed of their employees' hourly work and wage information to Equifax. So do Wal-Mart, Twitter, AT&T, Harvard Law School, and the Commonwealth of Pennsylvania. Even Edward Snowden's former employer, the sometimes secretive N.S.A. contractor Booz Allen Hamilton, sends salary and other personal data about its employees to the Equifax Work Number database. It now contains over 296 million employment records for employees at all wage levels, from CEOs to interns. The database helps streamline various processes for employers and even federal government agencies, says Equifax. But databases like the Work Number also come with considerable risks. As consumer journalist Bob Sullivan puts it, Equifax, "with the aid of thousands of human resource departments around the country, has assembled what may be the most powerful and thorough private database of Americans' personal information ever created." On October 8, a month after Equifax announced its giant data breach, security expert Brian Krebs uncovered a gaping hole in the separate Work Number online consumer application portal, which allowed anyone to view a person's salary and employment history "using little more than someone's Social Security number and date of birth -- both data elements that were stolen in the recent breach at Equifax."

An anonymous reader quotes a report from TechTarget: Equifax alerted the public in September 2017 to a massive data breach that exposed the personal and financial information -- including names, birthdays, credit card numbers and Social Security numbers -- of approximately 145 million customers in the United States to hackers. Following the Equifax breach, the former CEO Richard Smith and the current interim CEO Paulino do Rego Barros Jr. were called to testify before the Committee on Commerce, Science, and Transportation this week for a hearing titled "Protecting Consumers in the Era of Major Data Breaches." During the hearing, Sen. Cory Gardner (R-Colo.) questioned Smith and Barros about Equifax's use of -- or lack of -- encryption for customer data at rest. Smith confirmed that the company was not encrypting data at the time of the Equifax breach, and Gardner questioned whether or not that was intentional. "Was the fact that [customer] data remained unencrypted at rest the result of an oversight, or was that a decision that was made to manage that data unencrypted at rest?" Gardner asked Smith. Smith pointed out that encryption at rest is just one method of security, but eventually confirmed that a decision was made to leave customer data unencrypted at rest. "So, a decision was made to leave it unencrypted at rest?" Gardner pushed. "Correct," Smith responded.

Gardner moved on to Barros and asked whether he has implemented encryption for data at rest since he took over the position on Sept. 26. Barros began to answer by saying that Equifax has done a "top-down review" of its security, but Gardner interrupted, saying it was a yes or no question. Barros stumbled again and said it was being reviewed as part of the response process and Gardner pushed again. "Yes or no, does the data remain unencrypted at rest?" "I don't know at this stage," Barros responded. "Senator, if I may. It's my understanding that the entire environment [in] which this criminal attack occurred is much different; it's a more modern environment with multiple layers of security that did not exist before. Encryption is only one of those layers of security," Smith said.

An anonymous reader writes: The FBI has arrested and charged a man for launching DDoS attacks against a wide range of targets, including his former employer, a Minnesota-based PoS repair shop. The man, who bought access to a VPN but didn't use it all the time, was caught after registering email accounts and sending taunting emails to victims, including his former employer. The taunting emails also included a GIF image of a laughing mouse, which eventually tied the man to the DDoS attacks as well. The guy also uploaded the image on Facebook in a post that asked people to join in DDoS attacks on banks as part of Anonymous' Operation Icarus. The suspect also created the fake email accounts using the name of another former colleague, trying to pin suspicions on him. The FBI was not only able to track the man's real IP address, but they also tied him to attacks without a doubt because he used a DDoS-for-hire service that was hacked and its database was shared with the FBI.

An anonymous reader shares a report: Chatbots. They're usually a waste of your time, so why not have them waste someone else's instead? Better yet: why not have them waste an email scammer's time. That's the premise behind Re:scam , an email chatbot operated by New Zealand cybersecurity firm Netsafe. Next time you get a dodgy email in your inbox, says Netsafe, forward it on to me@rescam.org, and a proxy email address will start replying to the scammer for you, doing its very utmost to waste their time.

It looks like Logitech didn't anticipate the barrage of criticism it received after announcing this week that it would be intentionally bricking its Harmony Link hub next March. The company is now reversing course. Its Harmony Link will still die next summer, but if you own one, the company is happy to give you a free upgrade to the more recent Harmony Hub model. From a report: Originally, Logitech planned to only offer Harmony Link owners with active warranties free upgrades to its new Harmony Hub devices. But for people out of warranty -- possibly the majority of Harmony Link users, as the devices were last sold in 2015 -- they would just get a one-time, 35 percent discount on a new $100 Harmony Hub. However, after customer outrage, Logitech revised it plans and announced that the company will give every Harmony Link owner a new Hub for free. Additionally, users who had already used the coupon to purchase a new Hub will also be able to contact Logitech in order to obtain a refund for the difference in price. However, Logitech is still not planning to extend support for the Harmony Link. The company says, "We made the business decision to end the support and services of the Harmony Link when the encryption certificate expires in the spring of 2018 -- we would be acting irresponsibly by continuing the service knowing its potential/future vulnerability."

Antivirus suites expose a user's system to attacks that otherwise wouldn't be possible, a security researcher reported on Friday. From a report: On Friday, a researcher documented a vulnerability he had found in about a dozen name-brand AV programs that allows attackers who already have a toehold on a targeted computer to gain complete system control. AVGater, as the researcher is calling the vulnerability, works by relocating malware already put into an AV quarantine folder to a location of the attacker's choosing. Attackers can exploit it by first getting a vulnerable AV program to quarantine a piece of malicious code and then moving it into a sensitive directory such as C:\Windows or C:\Program Files, which normally would be off limits to the attacker. Six of the affected AV programs have patched the vulnerablity after it was privately reported. The remaining brands have yet to fix it, said Florian Bogner, a Vienna, Austria-based security researcher who gets paid to hack businesses so he can help them identify weaknesses in their networks. Bogner said he developed a series of AVGater exploits during several assignments that called for him to penetrate deep inside customer networks. Using malicious phishing e-mails, he was able to infect employee PCs, but he still faced a significant challenge. Because company administrators set up the PCs to run with limited system privileges, Bogner's malware was unable to access the password database -- known as the Security Account Manager -- that stored credentials he needed to pivot onto the corporate network.