Russia is increasingly seeking to encourage and direct hackers to attack British and other western targets, the director of GCHQ has said in her first keynote speech as head of the British intelligence agency. From a report: Anne Keast-Butler said her agency was "increasingly concerned about growing links" between the Russian intelligence services and proxy hacker groups who have long taken advantage of a permissive environment within the country. "Before, Russia simply created the right environments for these groups to operate but now they're nurturing and inspiring these non state cyber actors," she said in a speech to the Cyber UK conference, in what she described as a "globally pervasive" threat. The spy chief, appointed last year to be the first woman to hold the role, referenced the threat from ransomware -- "the most acute and pervasive cyber threat" -- where cybercriminals, typically from Russia, take control of a company's data and systems and demand significant sums to regain access. GCHQ was "doing everything we can" to counter ransomware actors, Keast-Butler said, degrade their ability to attack systems across government and business and to "produce intelligence that means those involved in ransomware are held to account." There is "no hiding place" for cybercriminals she added.

Read more of this story at Slashdot.

Source: www.theguardian.com – Author: Jack Snape A fear of illicit drug test results and psychologist session notes being leaked onto the dark web is helping drive a call from AFL players to improve data collection and storage in the sport. The leaking of Port Adelaide players’ personal information following a data breach late last year […]

La entrada AFL players call for data protection overhaul as concerns include drug test results – Source: www.theguardian.com se publicó primero en CISO2CISO.COM & CYBER SECURITY GROUP.

Source: www.theguardian.com – Author: Anna Isaac and Dan Sabbagh The IT company targeted in a Chinese hack that accessed the data of hundreds of thousands of Ministry of Defence staff failed to report the breach for months, the Guardian can reveal. The UK defence secretary, Grant Shapps, told MPs on Tuesday that Shared Services Connected […]

La entrada MoD contractor hacked by China failed to report breach for months – Source: www.theguardian.com se publicó primero en CISO2CISO.COM & CYBER SECURITY GROUP.

Jay Foreman and Mark Cooper-Jones, an English comedian with an interest in geography and a former geography teacher who's also very funny, are the Map Men ("...Map Men, Map Map Map Men Men" ), whose highly entertaining YouTube channel is chock full of educational cartographic goodness. Try any of their (27) videos at random, or all of them—even the ads are worth watching. Their recent episodes on undersea internet cables and country codes wouldn't be a bad place to start for the extremely online.

And when you're done with those, there's Jay Foreman's 15 episodes of Unfinished London and 8 episodes of Politics Unboringed (for UK definitions of "unboringed"). Hours of fun! (N.B. Approximately 6 hours and 36 minutes of fun.)

The U.K. economy has emerged from recession as gross domestic product rose 0.6% in the first quarter, official figures showed Friday, beating expectations. From a report: Economists polled by Reuters had forecast growth of 0.4% on the previous three months of the year. The U.K. entered a shallow recession in the second half of 2023, as persistent inflation continued to hurt the economy. Although there is no official definition of a recession, two straight quarters of negative growth is widely considered a technical recession. The U.K.'s production sector expanded by 0.8% in the period from January to March, while construction fell by 0.9%. On a monthly basis, the economy grew by 0.4% in March, following 0.2% expansion in February. In output terms, the services sector -- crucial to the U.K. economy -- grew for the first time since the first quarter in 2023, the Office for National Statistics said. The 0.7% growth was mainly driven by the transport services industry which saw its highest quarterly growth rate since 2020.

Read more of this story at Slashdot.

The North Yorkshire Council in England announced it will ban apostrophes on street signs as it can affect geographical databases. Resident Anne Keywood told the BBC that she urged the authority to retain apostrophes, saying: "If you start losing things like that then everything goes downhill doesn't it?" From the report: North Yorkshire Council said it "along with many others across the country" had opted to "eliminate" the apostrophe from street signs. A spokesperson added: "All punctuation will be considered but avoided where possible because street names and addresses, when stored in databases, must meet the standards (PDF) set out in BS7666. "This restricts the use of punctuation marks and special characters (e.g. apostrophes, hyphens and ampersands) to avoid potential problems when searching the databases as these characters have specific meanings in computer systems."

Read more of this story at Slashdot.

A rare archaeological object – thought to be the only one of its type in the former Roman Empire – has been discovered in Carlisle, England. The remnants of the Roman bathhouse at the Carlisle Cricket Club have revealed an extremely rare chunk of Tyrian purple dye, the first of its kind ever discovered in northern Europe and possibly the entire Roman Empire. [...] Known as "imperial purple," tyrian purple was an extremely valuable dye in ancient Rome because of its rich, vivid color, which denoted imperial authority, wealth, and status. It took a lot of resources and labor-intensive procedures to produce even small amounts, as it was made from thousands of crushed sea snails (Bolinus brandaris) from the Mediterranean. This rarity and exclusivity meant that it was more valuable than gold, sometimes up to three times as much by weight.

Fun fact: If a buyer wanted to know if there was something fishy about their exquisite dye, they could always see if it passed the smell test -- read the straight poop inside.

MeFite peeedro offers some amusing historical context from a 2019 post:

Tyrian purple dye works were famously odoriferous, as it was made from the liquid collected after thousands of crushed shellfish were left to putrefy in the sun. The rich purple producing cities of Tyre and Sidon were "unpleasant to live in" because of the smell according to Strabo even though the dye works were well outside of the cities. But, unlike a tannery, the finished Tyrian purple cloth smelled just as bad as the process that made it. "Neither the stink nor the color is reduced by washing; perfume would have been necessary to disguise the smell, even after washing and long periods of airing." Pliny the Elder called Tyrian purple "among the most abominable of odors" and wondered how something so smelly could be highly valued. The Roman poet insult comic Martial wrote a diss track full of misogyny and antisemitism about a particular woman saying, in part, that he would prefer to smell a "fleece twice dipped in Tyrian purple" than smell her. Smelling worse than double-dipped fleece of Tyrian purple was quite the sick burn of the day.

No word on if the archaeological find at Carlisle was still a smelly one.

A coordinated multi-nation law enforcement action has led to a takedown of an Austria-based crypto scam where half a dozen suspects were arrested and assets worth hundreds of thousands of Euros were seized. This followed a separate investigation in the United Kingdom, which led to the sentencing of two Brits involved in an international crypto scam worth millions.

Takedown of Austria-based Crypto Scam

The law enforcement agencies from Austria, Cyprus and Czechia have arrested six Austrians responsible for an online cryptocurrency scam that was launched in December 2017. Between 2017 and February 2018, the scammers assured and convinced its victims of having set up a legitimate online trading company that had launched a new cryptocurrency coin. The scammers offered an initial coin offering of 10 million tokens or respective rights to the new currency for sale. Considering the returns on investment from Bitcoin at the time, which was up nearly 39% in Dec. 2017, investors likely saw the opportunity in the new crypto coin and paid them in regular crypto values such as Bitcoin and Ethereum. To gain investors’ confidence and credibility, the Austrian fraudsters also claimed of having developed their own software and algorithm for the sale of the tokens.

“Traditionally, an ICO will build upon transparency and communicate clearly about each team member responsible for it. In this instance, there was a lack of transparency regarding both the team members involved and the algorithm underpinning the cryptocurrency,” said Europol, who coordinated the multi-nation operation.

Two months into the scheme, the perpetrators in February 2018 shuttered all their social media accounts and took offline the fake company’s homepage. Following this, it became obvious to the investors that they were defrauded in an exit scam. Not all victims of this crypto scam have been identified yet, but it is estimated that they lost around EUR 6 million, in totality. The law enforcement agencies raided six houses and seized over EUR 500,000 (approximately $537,120) in cryptocurrencies, EUR 250,000 (approximately $268,560) in fiat currency and froze dozens of bank accounts linked to the perpetrators and their fraudulent crypto scams. Two cars and a luxury property worth EUR 1.4 million was also seized.

Two Brits Jailed for International Crypto Scam

Law enforcement in Europe is further tightening screws against crypto scammers as is evident in another instance where two men who stole more than 5.7 million pounds (approximately $7.1 million) worth of cryptocurrency from victims worldwide were sentenced following an investigation of the South West Regional Organized Crime Unit (SWROCU). [caption id="attachment_67275" align="aligncenter" width="243"] James Heppel (credit: SWROCU)[/caption]   Jake Lee, aged 38, and James Heppel, aged 42, admitted guilt to three counts of conspiracy to commit fraud. Bristol Crown Court sentenced Lee to four years and Heppel to 15 months on May 3. [caption id="attachment_67274" align="aligncenter" width="227"] Jake Lee (Credit: SWROCU)[/caption]   The duo conducted the fraud by spoofing the domain of the online cryptocurrency exchange Blockchain[.]com to pilfer victims’ Bitcoin wallets, stealing their money and login credentials. They together targeted 55 victims across 26 countries, amassing £835,000 in cash, including £551,000 handed over by Lee in January, along with £64,000 in cryptocurrency, a Banksy print valued at £60,000 and three vehicles. [caption id="attachment_67271" align="aligncenter" width="1024"] £551k in cash voluntarily handed over by Lee (Credit: SWROCU)[/caption] A confiscation order of nearly £1 million was issued against Lee to compensate the victims. DS Matt Brain from SWROCU’s Regional Cyber Crime Unit stated, “Our investigation started back in 2018 after colleagues at Avon and Somerset Police arrested Lee on suspicion of money laundering.” “Officers from the force seized digital devices and three laminated Bitcoin wallet recovery seeds. At the same time, our unit had started an investigation into a cryptocurrency scam reported by a Wiltshire victim who had £11k worth of Bitcoin from his Blockchain wallet.”

“We took on the investigation into Lee and when we analyzed his devices, we established he was a central figure involved in a sophisticated domain spoofing fraud and worked to identify numerous victims.”

Brain added that the fact they both pleaded guilty to all counts also showed the strength of evidence that the police secured against them.” Pamela Jain, a prosecutor with the Crown Prosecution Service, noted, “Jake Lee and James Heppel defrauded people in 26 countries, including 11 victims in the UK, by diverting Bitcoin into wallets over which they had control. This was a complex and time-consuming prosecution which involved enquiries with numerous victims and prosecuting authorities all over the world.” Lee has already been served a confiscation order but “confiscation proceedings against James Heppel are ongoing,” Jain said. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

The UK Ministry of Defense said a breach at a third-party payroll system exposed as many as 272,000 armed forces personnel and veterans.

The post The UK Says a Huge Payroll Data Breach by a ‘Malign Actor’ Has Exposed Details of Military Personnel appeared first on SecurityWeek.

Wherever the blame lies, at the heart of the story are humans operating, ruptured, in an institutional machine. Many of the 42 are still 'deeply injured' by the incident, said Simon, who acts as their unofficial spokesperson. As the whole affair unravelled, the diocese was already under immense strain. The COVID lockdowns set clergy against their bishops, with many priests livid at having to close their churches. Others were angered by moves to invest millions in a new wave of informal congregations meeting in pubs, coffee shops and cinemas. And throughout it all there was division and tension over the church-wide culture war about gay blessings. 'There's so little trust at the moment,' Roger reflected. 'And in London, all the anger and the issues have a face: that face is Martin Sargeant.' from In the Shadow of St Paul's [The Fence; ungated] [CW: suicide, misogyny, homophobia.]

The UK is the first country to ban default passwords on IoT devices.

On Monday, the United Kingdom became the first country in the world to ban default guessable usernames and passwords from these IoT devices. Unique passwords installed by default are still permitted.

The Product Security and Telecommunications Infrastructure Act 2022 (PSTI) introduces new minimum-security standards for manufacturers, and demands that these companies are open with consumers about how long their products will receive security updates for.

The UK may be the first country, but as far as I know, California is the first jurisdiction. It banned default passwords in 2018, the law taking effect in 2020.

This sort of thing benefits all of us everywhere. IoT manufacturers aren’t making two devices, one for California and one for the rest of the US. And they’re not going to make one for the UK and another for the rest of Europe, either. They’ll remove the default passwords and sell those devices everywhere.

Another news article.

Ahead of the byelection in Blackpool South, the Guardian takes the temperature in the once prosperous northern coastal town, with many voters expressing complete apathy and disdain for the state of politics.

The area is going to the polls because the former Tory MP Scott Benton resigned after being found guilty of breaching standards rules in a lobbying scandal. Labour is hopeful of taking back the seat, which Benton won with a majority of 3,690 in 2019

• Polls open in England’s local elections with Tories braced for heavy losse

• Analysis: Will Tories dump Rishi Sunak if election results worse than expected?

Continue reading...

💾

© Photograph: The Guardian

💾

© Photograph: The Guardian

The UK government has taken steps to safeguard consumers from cyberattacks by prohibiting common and easily-guessable passwords such as "admin" or "12345". The UK government law comes into effect on 29 April 2024 and will mandate manufacturers, importers, and distributors of consumer connectable products in the UK to follow the obligations and standards set in the 'UK Product Security and Telecoms Infrastructure (PSTI) Act 2022' as well as the 2023 Regulations under the same act. The law aims at setting minimum security standards that must be followed before consumer devices can be sold in the UK, to protect UK homes.

Uk Government Law Was Passed in 2022; Will Come to Effect this Year

These measures are part of the Product Security and Telecommunications Infrastructure (PSTI) Act passed in 2022 as well as additional laws passed in 2023. These are designed to bolster the UK's resilience against cyber attacks and disruptive interference following growing concerns stemming from a series of incidents and proposed counter-legislation. A NordPass study in 2023 revealed that "123456, password, qwerty, Liverpool..." were among the most used passwords in the UK. The study highlights that default and weak passwords remain a relevant concern even today. Besides passwords, the new legislation also seeks to tackle inherent issues in existing incident reporting procedures and update periods. With regards to reporting, the law mandates manufacturers to provide consumers with details on reporting security issues within products, and timely updates until resolution, while the information should be made available without request and free of charge. The law mandated that such information should be "accessible, clear, and transparent." With regards to updates, the law mandates information on minimum update periods to be published and clearly accessible to the consumer in a transparent manner along with an end date. The updated information is required to be understandable for a reader without prior technical knowledge.

UK Government Law Could Fine Violators £10 Million or Up to £20,000 a Day

According to the law, the Office for Product Safety and Standards (OPSS) would be responsible for enforcing the relevant act operating from 29 April 2024. Manufacturers, vendors, or firms that fail to comply with the regulations could face fines of up to £10 million or four percent of their global turnover, as well as up to £20,000 a day in the case of an ongoing violation. This new UK law comes as the EU Cyber Resilience Act draft makes rounds for legislative discussion with the inclusion of recent amendments. The Act obliges manufacturers and retailers to follow minimum security requirements throughout the product lifecycle. Following the passing of the Cyber Resilience Act expected in Early 2024, internet-connected products and software would be required to receive independent assessments to check if they comply with the new standards. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

The data privacy company Onerep.com bills itself as a Virginia-based service for helping people remove their personal information from almost 200 people-search websites. However, an investigation into the history of onerep.com finds this company is operating out of Belarus and Cyprus, and that its founder has launched dozens of people-search services over the years.

Onerep’s “Protect” service starts at $8.33 per month for individuals and $15/mo for families, and promises to remove your personal information from nearly 200 people-search sites. Onerep also markets its service to companies seeking to offer their employees the ability to have their data continuously removed from people-search sites.

Customer case studies published on onerep.com state that it struck a deal to offer the service to employees of Permanente Medicine, which represents the doctors within the health insurance giant Kaiser Permanente. Onerep also says it has made inroads among police departments in the United States.

But a review of Onerep’s domain registration records and that of its founder reveal a different side to this company. Onerep.com says its founder and CEO is Dimitri Shelest from Minsk, Belarus, as does Shelest’s profile on LinkedIn. Historic registration records indexed by DomainTools.com say Mr. Shelest was a registrant of onerep.com who used the email address dmitrcox2@gmail.com.

A search in the data breach tracking service Constella Intelligence for the name Dimitri Shelest brings up the email address dimitri.shelest@onerep.com. Constella also finds that Dimitri Shelest from Belarus used the email address d.sh@nuwber.com, and the Belarus phone number +375-292-702786.

Nuwber.com is a people search service whose employees all appear to be from Belarus, and it is one of dozens of people-search companies that Onerep claims to target with its data-removal service. Onerep.com’s website disavows any relationship to Nuwber.com, stating quite clearly, “Please note that OneRep is not associated with Nuwber.com.”

However, there is an abundance of evidence suggesting Mr. Shelest is in fact the founder of Nuwber. Constella found that Minsk telephone number (375-292-702786) has been used multiple times in connection with the email address dmitrcox@gmail.com. Recall that Onerep.com’s domain registration records in 2018 list the email address dmitrcox2@gmail.com.

It appears Mr. Shelest sought to reinvent his online identity in 2015 by adding a “2” to his email address. The Belarus phone number tied to Nuwber.com shows up in the domain records for comversus.com, and DomainTools says this domain is tied to both dmitrcox@gmail.com and dmitrcox2@gmail.com. Other domains that mention both email addresses in their WHOIS records include careon.me, docvsdoc.com, dotcomsvdot.com, namevname.com, okanyway.com and tapanyapp.com.

A search in DomainTools for the email address dmitrcox@gmail.com shows it is associated with the registration of at least 179 domain names, including dozens of mostly now-defunct people-search companies targeting citizens of Argentina, Brazil, Canada, Denmark, France, Germany, Hong Kong, Israel, Italy, Japan, Latvia and Mexico, among others.

Those include nuwber.fr, a site registered in 2016 which was identical to the homepage of Nuwber.com at the time. DomainTools shows the same email and Belarus phone number are in historic registration records for nuwber.at, nuwber.ch, and nuwber.dk (all domains linked here are to their cached copies at archive.org, where available).

Update, March 21, 11:15 a.m. ET: Mr. Shelest has provided a lengthy response to the findings in this story. In summary, Shelest acknowledged maintaining an ownership stake in Nuwber, but said there was “zero cross-over or information-sharing with OneRep.” Mr. Shelest said any other old domains that may be found and associated with his name are no longer being operated by him.

“I get it,” Shelest wrote. “My affiliation with a people search business may look odd from the outside. In truth, if I hadn’t taken that initial path with a deep dive into how people search sites work, Onerep wouldn’t have the best tech and team in the space. Still, I now appreciate that we did not make this more clear in the past and I’m aiming to do better in the future.” The full statement is available here (PDF).

Original story:

Historic WHOIS records for onerep.com show it was registered for many years to a resident of Sioux Falls, SD for a completely unrelated site. But around Sept. 2015 the domain switched from the registrar GoDaddy.com to eNom, and the registration records were hidden behind privacy protection services. DomainTools indicates around this time onerep.com started using domain name servers from DNS provider constellix.com. Likewise, Nuwber.com first appeared in late 2015, was also registered through eNom, and also started using constellix.com for DNS at nearly the same time.

Listed on LinkedIn as a former product manager at OneRep.com between 2015 and 2018 is Dimitri Bukuyazau, who says their hometown is Warsaw, Poland. While this LinkedIn profile (linkedin.com/in/dzmitrybukuyazau) does not mention Nuwber, a search on this name in Google turns up a 2017 blog post from privacyduck.com, which laid out a number of reasons to support a conclusion that OneRep and Nuwber.com were the same company.

“Any people search profiles containing your Personally Identifiable Information that were on Nuwber.com were also mirrored identically on OneRep.com, down to the relatives’ names and address histories,” Privacyduck.com wrote. The post continued:

“Both sites offered the same immediate opt-out process. Both sites had the same generic contact and support structure. They were – and remain – the same company (even PissedConsumer.com advocates this fact: https://nuwber.pissedconsumer.com/nuwber-and-onerep-20160707878520.html).”

“Things changed in early 2016 when OneRep.com began offering privacy removal services right alongside their own open displays of your personal information. At this point when you found yourself on Nuwber.com OR OneRep.com, you would be provided with the option of opting-out your data on their site for free – but also be highly encouraged to pay them to remove it from a slew of other sites (and part of that payment was removing you from their own site, Nuwber.com, as a benefit of their service).”

Reached via LinkedIn, Mr. Bukuyazau declined to answer questions, such as whether he ever worked at Nuwber.com. However, Constella Intelligence finds two interesting email addresses for employees at nuwber.com: d.bu@nuwber.com, and d.bu+figure-eight.com@nuwber.com, which was registered under the name “Dzmitry.”

PrivacyDuck’s claims about how onerep.com appeared and behaved in the early days are not readily verifiable because the domain onerep.com has been completely excluded from the Wayback Machine at archive.org. The Wayback Machine will honor such requests if they come directly from the owner of the domain in question.

Still, Mr. Shelest’s name, phone number and email also appear in the domain registration records for a truly dizzying number of country-specific people-search services, including pplcrwlr.in, pplcrwlr.fr, pplcrwlr.dk, pplcrwlr.jp, peeepl.br.com, peeepl.in, peeepl.it and peeepl.co.uk.

The same details appear in the WHOIS registration records for the now-defunct people-search sites waatpp.de, waatp1.fr, azersab.com, and ahavoila.com, a people-search service for French citizens.

A search on the email address dmitrcox@gmail.com suggests Mr. Shelest was previously involved in rather aggressive email marketing campaigns. In 2010, an anonymous source leaked to KrebsOnSecurity the financial and organizational records of Spamit, which at the time was easily the largest Russian-language pharmacy spam affiliate program in the world.

Spamit paid spammers a hefty commission every time someone bought male enhancement drugs from any of their spam-advertised websites. Mr. Shelest’s email address stood out because immediately after the Spamit database was leaked, KrebsOnSecurity searched all of the Spamit affiliate email addresses to determine if any of them corresponded to social media accounts at Facebook.com (at the time, Facebook allowed users to search profiles by email address).

That mapping, which was done mainly by generous graduate students at my alma mater George Mason University, revealed that dmitrcox@gmail.com was used by a Spamit affiliate, albeit not a very profitable one. That same Facebook profile for Mr. Shelest is still active, and it says he is married and living in Minsk [Update, Mar. 16: Mr. Shelest’s Facebook account is no longer active].

Scrolling down Mr. Shelest’s Facebook page to posts made more than ten years ago show him liking the Facebook profile pages for a large number of other people-search sites, including findita.com, findmedo.com, folkscan.com, huntize.com, ifindy.com, jupery.com, look2man.com, lookerun.com, manyp.com, peepull.com, perserch.com, persuer.com, pervent.com, piplenter.com, piplfind.com, piplscan.com, popopke.com, pplsorce.com, qimeo.com, scoutu2.com, search64.com, searchay.com, seekmi.com, selfabc.com, socsee.com, srching.com, toolooks.com, upearch.com, webmeek.com, and many country-code variations of viadin.ca (e.g. viadin.hk, viadin.com and viadin.de).

Domaintools.com finds that all of the domains mentioned in the last paragraph were registered to the email address dmitrcox@gmail.com.

Mr. Shelest has not responded to multiple requests for comment. KrebsOnSecurity also sought comment from onerep.com, which likewise has not responded to inquiries about its founder’s many apparent conflicts of interest. In any event, these practices would seem to contradict the goal Onerep has stated on its site: “We believe that no one should compromise personal online security and get a profit from it.”

Max Anderson is chief growth officer at 360 Privacy, a legitimate privacy company that works to keep its clients’ data off of more than 400 data broker and people-search sites. Anderson said it is concerning to see a direct link between between a data removal service and data broker websites.

“I would consider it unethical to run a company that sells people’s information, and then charge those same people to have their information removed,” Anderson said.

Last week, KrebsOnSecurity published an analysis of the people-search data broker giant Radaris, whose consumer profiles are deep enough to rival those of far more guarded data broker resources available to U.S. police departments and other law enforcement personnel.

That story revealed that the co-founders of Radaris are two native Russian brothers who operate multiple Russian-language dating services and affiliate programs. It also appears many of the Radaris founders’ businesses have ties to a California marketing firm that works with a Russian state-run media conglomerate currently sanctioned by the U.S. government.

KrebsOnSecurity will continue investigating the history of various consumer data brokers and people-search providers. If any readers have inside knowledge of this industry or key players within it, please consider reaching out to krebsonsecurity at gmail.com.

Update, March 15, 11:35 a.m. ET: Many readers have pointed out something that was somehow overlooked amid all this research: The Mozilla Foundation, the company that runs the Firefox Web browser, has launched a data removal service called Mozilla Monitor that bundles OneRep. That notice says Mozilla Monitor is offered as a free or paid subscription service.

“The free data breach notification service is a partnership with Have I Been Pwned (“HIBP”),” the Mozilla Foundation explains. “The automated data deletion service is a partnership with OneRep to remove personal information published on publicly available online directories and other aggregators of information about individuals (“Data Broker Sites”).”

In a statement shared with KrebsOnSecurity.com, Mozilla said they did assess OneRep’s data removal service to confirm it acts according to privacy principles advocated at Mozilla.

“We were aware of the past affiliations with the entities named in the article and were assured they had ended prior to our work together,” the statement reads. “We’re now looking into this further. We will always put the privacy and security of our customers first and will provide updates as needed.”