You and just about everyone else, it seems, are spending more and more time on Facebook and Twitter, updating statuses and checking friends' tweets. That's all well and good, of course, but the amount of personal information that all of you share in real time, and the level of trust implicit with the social networking sites, do pose particular security and privacy problems.
A recent study from Sophos found that Facebook users reveal a lot of personal information to new friends, including ones they really don't even know or have never met. Using fake profiles, Sophos sent out friend requests to 100 random Facebook users, and more than 40 percent blindly accepted, giving the company access to birth dates, e-mail addresses, phone numbers and addresses--private information strangers shouldn't have.
The openness of Twitter--anyone can follow anyone else, and posts are indexed in search engines--makes it a nirvana for spammers. Kaspersky says there are nearly 500,000 new unique URLs that appear in Twitter posts daily, and of those, anywhere between 100 and 1,000 are malware attacks.
Here's a look at some of the specific threats users of the sites face and what they can do about them.
A rogue app that appeared early in the year sent notifications to Facebook users reporting they were violating terms of service and offering a link that led to an application called "facebook -- closing down!" which then spammed all the friends of affected users. (Credit: Trend Micro)
Problems: Malware, account hijacking, phishing, and social engineering
The biggest malware risk is Koobface (an anagram of Facebook), a worm that targets social networking sites and affects Windows-based computers. Once a computer is infected, it hijacks the Facebook account and sends messages to other friends of the victim, enticing them to click on a link. The link redirects to a Web site where they are prompted to download software ostensibly to watch a video. However, there is no video; only malware that infects the system, blocks access to security sites, and can be used to steal sensitive information from the computer, such as credit card numbers. Infected machines can then be used to spread the worm to others on Facebook, send spam and distribute fake antivirus alerts, said Rik Ferguson, a security researcher at Trend Micro. Koobface now can automatically create new profiles using infected machines, he said.
Facebook accounts can be hijacked in several ways. A brute-force attack can be used to guess passwords. Users can fall for phishing attacks by clicking on links in messages or e-mails purportedly coming from friends that redirect to a fake Facebook log-in page. Or malware such as Koobface can steal passwords.
Social engineering is a huge problem for social networks because the trust that users have for messages and posts from friends can be easily exploited by scammers. Hijacked accounts are used to send everything from spam touting weight loss plans to links that install malware and steal passwords to fake emergency messages saying a friend is stranded in another country and needs someone to send money. Scammers are also sending e-mails that look like they come from Facebook and include an attachment that contains a Trojan.
Solutions: Use antivirus and anti-malware software and keep it up-to-date. Install security updates for your operating system and other software. Use software like AVG LinkScanner or McAfee SiteAdvisor to protect against phishing and malware attacks. Become a fan of the Facebook Security page, which has posts related to all sorts of security issues, tips, resources and other information. If you think you've been infected with Koobface or other malware, you should reset your password and notify friends who may have been affected.
Use an up-to-date browser that features an antiphishing black list, such as Firefox 3.0.10 or Internet Explorer 8. Be aware of where you enter your password. Check to see that you are logging in from a legitimate Facebook page with the Facebook.com domain. Be wary of unusual stories or offers that are too good to be true. Verify information with sources directly. Be cautious of any message, post or link that looks suspicious, requires an additional log-in or asks you to download or upgrade software. If a link seems odd or lacks context, don't click on it. Don't click on links or open attachments in suspicious e-mails. You can add a security question from the "Account Settings" page if you would like an additional layer of protection.
Problem: Rogue applications
Facebook doesn't vet every app that appears on the site, which means there is a risk that some apps will have bugs in them or will violate Facebook's privacy policies. Facebook has proven diligent in removing rogue and problem apps quickly when it is notified, but unlike iPhone apps, pretty much anyone can write a Facebook app. "Because the code is not always of professional standard or hosted or audited by Facebook, we've seen innocent apps compromised externally and used to deliver malware, such as fake antivirus," Ferguson said. One rogue app that appeared early in the year sent notifications to Facebook users reporting them in violation of terms of service and offering a link that led to an application called "facebook -- closing down!" which then spammed all the friends of affected users, according to Trend Micro.
Solution: See solutions above, and be cautious about adding applications. Research the developers and perform Web searches to see if anyone has complained about the app. And ask yourself, what value does the app provide? Do I really need to play zombie?
Problem: Privacy leaks due to user error
Because people control who they are friends with on Facebook, it is easy for users to have a false sense of security about the privacy of their data and activities on the site. Social engineering attacks, lax security practices by users (like using weak passwords), and design or implementation problems with the site itself can undermine the privacy protections users rely on. Users who fall for phishing scams and get their accounts hijacked have everything in their account exposed to strangers who can then use the different types of data for identity fraud or to target the victim's friends with social engineering attacks.
Solution: See solutions above. Also, use unique logins and passwords for each Web site you access. Use strong passwords, change them often and don't share them with anyone.
These instructions explain how to keep most people from viewing your friends list on Facebook. (Credit: CNET)
Problem: Privacy leaks due to design or implementation issues
Privacy advocates contend that Facebook's lenient apps approval process, privacy policies and confusing privacy settings put users at risk. Two weeks ago, Facebook asked users to configure their privacy settings. The options were confusing and many people were inclined to just keep the default settings, which are set to make the data visible to the Web rather than opting to use the old settings established by the user. Screenshots and descriptions are detailed on this photo gallery.
Many people have complained that it is difficult to figure out how to change the privacy settings, that they are not intuitive and that there doesn't seem to be one central place for that. And using Facebook Connect with outside apps, like the iPhone app Foursquare, can expose more information than a user expects to share. The new privacy changes at Facebook have prompted the Electronic Privacy Information Center to ask the Federal Trade Commission to investigate.
Facebook encourages people to share their full names, date of birth, home town and other information, all pieces of information that are commonly used in identity fraud. Scammers on underground sites even refer to Facebook as a "free date-of-birth look up service," according to Ferguson. People don't realize that their profile information can be accessed by total strangers who happen to be in the same groups or networks unless they specifically change the settings. People who don't trust random apps--which in general have access to profile information even if it isn't necessary to the function of the app--don't realize that the apps their friends are using also have access to their data. "Friends apps can access most of your profile, interests and groups. There is no way to prevent them from accessing your name, profile, photo, town and gender," said Joseph Bonneau, a PhD candidate in security at the University of Cambridge. In response to user feedback, Facebook made a change that allows users to hide their friend lists from everyone but their friends, a Facebook spokesman said.
Solution: CNET has a tutorial on how to hide your Facebook friends list by clicking on the pencil in the friends box on your profile. Detailed instructions and tips on dealing with Facebook privacy settings are available on the DotRights.org site and on the All Facebook blog. Facebook also has a blog post about the privacy changes.
Problem: Privacy leaks related to marketing
The relationship between the apps and advertisers can also cause problems. Adding an app allows the app to show ads inside the Facebook domain, and that can leak a user's profile information to the advertiser, said Peter Eckersley, a staff technologist at the Electronic Frontier Foundation. Meanwhile, cookies and other browsing tracking technology combined with data from social networks can be used by marketers to identify users for targeted advertising and other purposes, Eckersley said, providing details in a blog post on different ways data can be leaked from social networks to third-party tracking firms. Once marketers know a specific person's user name, they can use that identifier in the URL to get to a user's public profile page, according to Eckersley. "They can create a social graph of your date of birth, city, employment, relationship status, all uniquely codified in a way that can be automatically sucked into a database," he said.
Solution: Pick a good cookie policy for the browser, such as manually approving all cookies or only keeping cookies until the browser is closed. Disable Flash cookies. Use Firefox extensions such as RequestPolicy and NoScript to control when third-party sites can include content or run code in the browser page. Use the Targeted Advertising Cookie Opt-Out plugin or AdBlock Plus to block ads. To hide your IP address and other browser characteristics, use Tor via Torbutton.
Problem: Information used to suppress dissent and target political activists
As with e-mail, blog postings and other public expressions of dissent, Facebook and Twitter have been used by governments to target protesters. The Wall Street Journal reported earlier this month that family members of Iranian Americans had been arrested or questioned because of anti-Iranian government posts on Facebook by members outside the country. In other instances, Iranians living abroad were forced to log into their Facebook accounts or reveal passwords to government officials as they arrived at the Tehran airport and some even had their passports confiscated because of their political posts. In the U.S., the EFF says, officials have taken actions against U.S. citizens based on information discovered on their social networks; the group has sued the CIA and other agencies for allegedly refusing to release information about how they are using such sites in surveillance and investigations.
"Basically, every time you post something to Facebook you should assume that the whole world will know what you've posted, your family, employer, the government, people you don't trust," Eckersley said.
Solution: Think carefully about what information you want to share about yourself and consider only posting information you would want to let the general public see.
Twitter has many of the same malware, phishing, hijacking and social engineering issues that Facebook has, and the solutions for those problems would be the same. Because users don't provide much personal information to Twitter, and can even create accounts using all fake information, and because anyone can follow anyone else, there aren't the same issues with privacy, either. But that makes life easy for spammers.
Security does seem to be a worrisome thing with Twitter. The site has had several serious problems from employee accounts getting compromised. In January, someone hacked into the Twitter internal network -- possibly by guessing the password -- and gained access to the Twitter accounts of President Obama, CNN anchor Rick Sanchez, and 31 other high-profile Twitterers. In May, someone broke into Twitter's network and gained access to 10 accounts, which appeared to include Britney Spears and Ashton Kutcher. In that breach, a hacker was able to gain access to a Twitter employee's Yahoo account through the password recovery system and from there get information from other sites, including access to the employee's Twitter account. And last week, the legitimate account of a Twitter employee was used to hijack the site and redirect visitors to an external page displaying a banner for the "Iranian Cyber Army."
Meanwhile, Twitter was crippled (and Facebook and other sites also affected) by a rare politically motivated denial-of-service attack targeting one user in August. However, that incident reflects more on Twitter's ability to keep the site up in the face of an attack and accessibility than it does about security risks to users.
Twitter users are susceptible to getting their accounts hijacked, and the site has been targeted by clickjacking pranks. In these social engineering attacks, users were encouraged to click on links that distributed the original tweet to all of the Twitter user's followers.
Users with large numbers of followers have an added responsibility to be careful, particularly when setting accounts to automatically post items from news feeds. A malicious post on an unmoderated news feed that venture capitalist Guy Kawasaki was re-tweeting distributed a Trojan to more than 139,000 followers in June.
Kaspersky offers a Krab Krawler tool that analyzes tweets as they get posted on Twitter and blocks any malware associated with them. Trend Micro has technology that monitors Twitter posts for malicious URLs, as well as looks for attack patterns in the posts, such as use of popular terms to indirectly lead people to malicious links. And Finjan offers a free browser plug-in dubbed SecureTweets that warns users when they encounter a malicious URL in Twitter, as well as Blogger, Gmail, Google and a host of other popular sites. To keep up with security issues on Twitter follow Twitter's Spam Watch account.
Social networks are also susceptible to other serious security problems that can hit any type of Web site. For instance, last week passwords of 32 million stored in plain text on the RockYou site were exposed by a SQL injection attack, according to security firm Imperva. Because the passwords are used on other affiliate sites to the social networking application maker, the breach jeopardized other accounts, like Gmail, Hotmail, and Yahoo.
Facebook users are too willing to give out their personal information, security firm Sophos has found.
According to Sophos' Australian team, which conducted a study to see how likely Facebook users were to offer up personal information, 41 to 46 percent of the 100 people Sophos contacted "blindly accepted" friend requests from two fake Facebook users created by the security firm.
After becoming friends with Sophos, the security firm was able to access up to 89 percent of the users' full dates of birth, all of their e-mail addresses, where they went to school, and more. Half of all the users Sophos befriended displayed the town or suburb where they live. They even offered up information on family and friends.
Younger users were "more liberal" with their workplace or school information than older users. "Both groups were very liberal with their e-mail addresses and with their birthdays," the security firm wrote in a blog post Sunday announcing the results. "This is worrying because these details make an excellent starting point for scammers and social engineers."
The security firm added that "10 years ago, getting access to this sort of detail would probably have taken a con-artist or an identity thief several weeks, and have required the on-the-spot services of a private investigator. Sadly, these days, many social networkers are handing over their life story on a plate."
Sophos' concerns over the way Facebook users are keeping information private come on the heels of a statement released last week by Facebook founder Mark Zuckerberg discussing why Facebook users need to use the privacy tools his company has created. On Sunday, Facebook also announced the formation of a safety advisory board, comprised of five Internet safety groups.
Don Reisinger is a technology columnist who has written about everything from HDTVs to computers to Flowbee Haircut Systems. Don is a member of the CNET Blog Network, and posts at The Digital Home. He is not an employee of CNET. Disclosure.
Facebook groups are under attack. But the attackers say they come in peace and insist they want only to highlight a flaw in the way Facebook handles group administration.
An organization called Control Your Info has taken control of hundreds of Facebook groups. Those groups had administrators that eventually stepped down from their position, creating a power vacuum at the top. According to the organization, when the administrator steps down, anyone can take over a group, view the members' personal information, and change group information to say whatever they want. Control Your Info believes that the way Facebook handles group administration is a major flaw. And it wants to bring that to everyone's attention.
Control Your Info has hijacked Facebook groups. (Credit: Screenshot by Don Reisinger/CNET)
"Hello, we hereby announce that we have officially hijacked your Facebook group," a message written on Monday reads on one hijacked group. "This means we control a certain part of the information about you on Facebook. If we wanted, we could make you appear in a bad way which could damage your image severely."
Janis Roukkos, a representative from Control Your Info, wrote that his organization wants to get social-networking users to "think about the safety in your social-media life to the same extent you do in your real life." Although Control Your Info is in control of that specific group now, Roukkos wrote that Control Your Info will restore the group name (which it changed) and leave the group "by the end of next week." He also promised to not "mess anything up."
That single group isn't alone. A quick search for "Control Your Info" in Facebook yields hundreds of groups that have been hijacked by the organization. All the group names have been changed to "Control Your Info," the logos have been changed to the organization's image, and the messages are all the same. The only difference is which Control Your Info representative is writing about the organization's intentions to each group.
Control Your Info's blog sheds some more light on the organization's problem with Facebook. According to Control Your Info, "Facebook Groups suffer from a major flaw. If (an) administrator of a group leaves, anyone can register as a new admin. So, in order to take control of a Facebook group, all you really have to do is a quick search on Google.
"When you're admin of a group, you can basically do anything you want with it," the blog post continued. "You can change (its) name, and the groups members won't even get a notification of it. You can send (messages) to all members and edit info. This is just one example that really shows the vulnerabilities of social media."
Once again, Control Your Info attempted to justify its actions. The organization said the "project is strictly not for profit and done for a good cause."
Facebook did not immediately respond to a request for comment.
In the meantime, what do you think about Control Your Info's practices? Is it really teaching folks about social-media security? Let us know in the comments below.
Hackers launched a distributed denial-of-service (DDOS) attack that sporadically downed popular blog network Gawker Media over the weekend and on Monday, the company confirmed in a blog post early Tuesday morning.
When CNET News spoke to Gawker Media representatives on Monday, they were not yet sure what was causing the outages but had not ruled out malicious behavior.
The attacks appear to have been launched at Consumerist, a blog that Gawker sold to Consumer Reports last year but which is still hosted on the same servers. The motivation behind them is not yet clear.
The New York-based Gawker Media has sold or merged a number of its blog titles over the past few years, but it remains the parent company of several extremely high-profile blogs--often with an edgy gossip angle--like Gizmodo, Jezebel, and the eponymous Gawker.com.
DDOS attacks occur when hackers swamp a site with excess pings from multiple sources to bring it down; they can knock out entire hosting companies.
Mark Cuban
A U.S. District judge in Dallas has thrown out the insider-trading lawsuit filed against Mark Cuban, the Broadcast.com co-founder and owner of the HDNet channel.
Cuban, who also owns the Dallas Mavericks of the National Basketball Association, may not be in the clear just yet, according to a report in Bloomberg. While U.S. District Judge Sidney Fitzwater on Friday granted Cuban's request to dismiss the suit, filed in November, he will allow the U.S. Securities and Exchange Commission to refile charges if it meets certain criteria.
One of the biggest celebrities to come out of the technology sector, Cuban is accused of promising to keep confidential a private stock sale after being told of the sale by the CEO of Mamma.com, an Internet search firm in which he held a large stake. On the same day in 2004, when Cuban learned of the sale, he sold his shares before news of the stock sale became public and avoided a $750,000 loss.
Cuban has maintained that he did not promise to keep the information confidential and sold his shares because Mamma.com's stock sale was at a lower price and would have diluted his holding. The judge said in his order that the SEC didn't accuse Cuban of promising not to trade, and that meant he couldn't be held liable for insider trading.
The SEC can refile, but it must allege that Cuban made the promise not to trade on the information.
On Friday, Cuban posted a note to Twitter: "It's been a great day so far, and it's only going to get better."
It is always a case of some considerable concern when a lady reveals too much on Facebook. The site has standards, after all.
The lady in question this time is Lady Shelley Sawers, the wife of Sir John Sawers, the new head of British spy agency MI6.
According to reports in the Mail and numerous other media outlets, the fair lady may not have been quite aware that Facebook can be seen by a rather large number of people if you don't specify that you want to keep your information vaguely private.
Lady Sawers saw fit to wander onto the site and reveal where their London apartment is located and where their children are. This might not appear to be the wisest course of social action if your children happen to be the offspring of the head of an international spying network.
Lady Sawers even posted 19 happy pictures of the family's last vacation.
These pictures seemed to have spurred her enthusiasm for uploading, as, the following day, she furnished 26 more, including shots of Sir John in his swimming attire. She apparently displayed several pictures of Sir John hanging with some actors, even one thespian who performed in that apogee of popular English culture, the TV series "Footballers' Wives."
According to the reports, Lady Sawers' Facebook account had no privacy protection. All those in the highly open "London" network could espy the head spy in his swimming cozzie.
Moreover, Sir John, who by tradition will be code-named "C," received notes of congratulations on his wife's Facebook page. One note, for example: "Congrats on the new job, already dubbed Sir Uncle "C" by nephews in the know!"
When the Mail contacted the British Foreign Office to alert them to the socially networked revelations, everything was sharpishly effaced without a trace.
Now, I know that there will be those who will feel critical of Lady Sawers' remarkable trust in the Web's world-wideness.
However, I feel her actions show a considerable faith in her husband's skills in weeding out nefarious bodies from the dark camouflage of life. And her social openness is surely sending a clear message to those who do Britain ill that the fine old country fears nothing and no one.
Cutwail's spam activities on Thursday as Pricewert got shut down. (Credit: MessageLabs)
It's been almost a week since the Federal Trade Commission had the allegedly rogue Pricewert ISP shut down, and it seems like the Internet has indeed been a safer, or I should say slightly less dangerous, place.
The FTC charged that Pricewert's distribution of illegal, malicious, and harmful content and deployment of botnets that compromised thousands of computers caused substantial consumer injury and was an unfair practice, in violation of federal law.
According to Symantec, the Cutwail botnet--one of the most notorious botnets, accounting for up to 35 percent of all spam in May across the globe--experienced a major blow to its track record after the shutdown late Thursday of Internet service provider Pricewert.
Another botnet Pricewert is allegedly involved with is Pushdo, which was also reportedly affected. Both Pushdo and Cutwail reportedly used 3FN, one of the names Pricewert did business under, as botnet control servers.
According to the data released Monday by TRACElabs, the overall spam volume index has been reduced by 15 percent since Thursday. However, the day-by-day number has gradually increased.
This means a couple of things.
First, either the timing of these changes was a coincidence or Pricewert was indeed involved in this nasty business. It's important to note that the company has not yet been convicted of any wrongdoing. The first court hearing is scheduled for June 15.
Second, it's likely that the spammers will soon recover from this heavy blow as many similar companies are based outside of the U.S., where the anti-spam laws are not strictly enforced.
Nonetheless, for now this looks like an apparent victory for the authorities and for all Internet users. In terms of its long-term impact on spam, Symantec's MessageLabs Senior Anti-Spam Technologist Matt Sergeant told CNET News: "For now, we will see spam levels lower than usual, but we expected the swift comeback of Cutwail. The spammers learned that they can't put all their eggs in one basket and need to have backup command and control."
It's indeed wait and see, but so far I personally have received less spam in the last few days. How about you? Share your thoughts about this case and your recent spam experience, in the comment area below.
This case could either be seen as cute or maddening.
Pipi Quinlan, New Zealand's youngest big-time online consumer. (Credit: Rodney Times)
Sarah Quinlan, a New Zealand mom, went to take a nap after having made some online bids on toys. When she came back, her 3-year-old had taken over the computer and bought a much more serious toy: a real earth mover for a cool 20,000 New Zealand dollars (about $12,300).
According to Rodney Times, Pipi Quinlan was happily clicking away on the keyboard while her parent was asleep and ended up being the winner of a Kobelco digger, a gigantic earth-moving vehicle.
Sarah had the shock of her life when she found out via e-mail which auction her account had won. She immediately called popular New Zealand auction site TradeMe, and the seller, to explain what happened. She added that her little girl was kind of a girly girl and not generally into earth movers.
TradeMe reimbursed the seller for the successful auction, and the product was relisted.
I'm pretty impressed that TradeMe resolved this matter so quickly. If it were eBay, you'd have to wait up to two weeks to get your fees back.
Lesson learned. However, don't leave your computer without locking it or at least logging off the Web site you were using.
In what's just the latest Facebook phishing scam, hackers on Thursday broke into accounts and sent e-mails to friends urging them to log on to fake Facebook sites, according to new reports and anecdotes from members.
The social-networking site is in the process of cleaning up from the hack and is blocking compromised accounts, Reuters reported. "Victims were directed to log back in to the site, but actually logged into the one controlled by the hackers, unwittingly giving away their passwords," Reuters said, adding that the fake domains include www.151.im, www.121.im and www.123.im.
Facebook did not immediately respond to an e-mail seeking confirmation and information about the hack. The number of users affected remains unknown, but a Facebook spokesman told The New York Times it "is not widespread and is only impacting a small fraction of a percent of users."
In addition to the scam, Facebook security made the news Thursday in relation to upcoming plans for "verified apps" on the site. Under this program, Facebook will review developer apps for a $375 fee to make sure they fit security and transparency standards, and will award a graphic badge to apps that make the cut.
The main investigative committee in the U.S. House of Representatives has reopened a probe of Lime Wire and other peer-to-peer file-sharing companies over the issue of "inadvertent sharing." The move comes nearly two months after it was alleged that Iran took advantage of a computer security breach to obtain information about President Barack Obama's helicopter.
After sensitive information regarding the president's helicopter was leaked, Congress wants to know whether P2P company Lime Wire has made good on helping stop inadvertent sharing. (Credit: The White House)
CNET News has obtained copies of the letters written by the Committee on Oversight and Government Reform to the Department of Justice and the Federal Trade Commission asking them for help investigating the recent rash of security breaches caused when people who use P2P software accidentally share information on networks like Lime Wire or BearShare.
"These reports indicate that very significant risks continue to plague P2P file sharing networks," lawmakers wrote in an April 20 letter to FTC Chairman John Leibowitz. "Therefore, under Rules X and XI of the Rules of the U.S. House of Representatives, we are reopening our investigation of inadvertent file sharing on peer-to-peer networks, including LimeWire."
Some security experts believe the files probably were transferred through a peer-to-peer network.
The Oversight Committee also wrote a letter to Mark Gorton, chairman of the Lime Group, Lime Wire's parent company.
"On July 24, 2007, you testified before the Committee on Oversight ... in a hearing on 'Inadvertent File Sharing on Peer-to-Peer Networks,'" the committee wrote Gorton. "It appears that nearly two years after your commitment to make significant changes in the software, LimeWire and other P2P providers have not taken adequate steps to address this critical problem."
A spokeswoman for the Committee on Oversight confirmed the letters had gone out. Representatives from the Lime Group were unavailable for comment.
The committee cited some recent high-profile security breaches.
On February 28, 2009, a television station in Pittsburgh reported that the blueprints and avionics package for "Marine One," the President's helicopter, were made available on a P2P network by a defense contractor in Maryland.
On February 26, 2009, the "Today" show broadcast a segment on inadvertent P2P file sharing, reporting that Social Security numbers, more than 150,000 tax returns, 25,800 student loan applications, and nearly 626,000 credit reports were easily accessible on a P2P network.
On February 23, 2009, a Dartmouth College professor published a paper reporting that over a two-week period he was able to search a P2P network and uncover tens of thousands of medical files containing names, addresses, and Social Security numbers for patients seeking treatment for conditions such as AIDS, cancer, and mental health problems.
On July 9, 2008, The Washington Post reported that an employee of an investment firm who allegedly used LimeWire to trade music or movies inadvertently exposed the names, dates of birth, and Social Security numbers of about 2,000 of the firm's clients, including Supreme Court Justice Stephen Breyer. There have been reports alleging file-sharing programs have been used for illegal purposes, such as to steal others' identities.
A copy of the letter from U.S. Congressional committee on oversight to Attorney General.





