Trapster hack may have exposed millions of iPhone, Android passwords

Up to 10 million e-mail addresses and passwords possibly pilfered from speed trap service

Millions of e-mail addresses and passwords may have been stolen from Trapster, an online service that warns iPhone, Android and BlackBerry owners of police speed traps, the company announced yesterday.

California-based Trapster has begun alerting its registered users and has published a short FAQ on the breach. "If you've registered your account with Trapster, then it's best to assume that your e-mail address and password were included among the compromised data," the FAQ stated.

But in the next breath, Trapster downplayed the threat, saying it wasn't sure that the addresses and passwords were actually harvested.

"While we know that we experienced a security incident, it is not clear that the hackers successfully captured any e-mail addresses or passwords, and we have nothing to suggest that this information has been used," Trapster said.

And when replying to follow-up questions today, Trapster claimed that not all its 10 million users were at risk.

"Only a portion of our users were affected," a company spokesman said via e-mail. "We are choosing not to provide a specific figure, but a majority of our users who download the app do not register, which means they did not provide an e-mail address, as it is not a requirement. So the figure is well below the 10 million users which has been reported."

Users must register with Trapster, and provide an e-mail address and password for the new account, in order to report speed traps. According to the Trapster site, more than 5,300 speed traps have been reported to the service so far today.

If criminals did collect the service's complete user list, the breach would be 25 times larger than the Gawker hack last month, when details of more than 400,000 Gawker accounts were published on the Internet.

Assuming just one-in-10 users registers with Trapster, the number of compromised passwords could still be two-and-a-half times bigger than Gawker's.

Trapster provides free apps for the iPhone, Android-based smartphones, the BlackBerry, Windows Mobile phones, and Garmin and TomTom GPS devices. The apps display a map with suspected speed traps -- the traps are reported by users of the service -- and warn when drivers are approaching a potential radar zone.

The danger posed to users is not limited to their Trapster accounts, a security expert pointed out today.

"You may not care very much if your credentials on Trapster have been compromised and may think that not too much harm can come from that," said Graham Cluley, a senior technology consultant with U.K.-based Sophos, in a post Thursday to the security company's blog. "But what if you use the same e-mail address/password combination on other Web sites such as your Twitter account, or Web e-mail address?"

Today, the head of Twitter's Trust and Safety team told Trapster users to change their passwords pronto. "Don't use the same password on multiple sites!" said Del Harvey in a tweet at 1:30 p.m. Eastern.

Some of the usernames and passwords obtained last month in the Gawker hack were quickly used to commandeer Twitter accounts that had been protected by the same passwords. The Twitter accounts were then used to launch a spam campaign on the micro-blogging service.

Another security professional said everyone should simply assume that their Internet passwords will be compromised at some point.

"People really should be changing their passwords twice a year," said Andrew Storms, the director of security operations for nCircle Security, in an instant message interview. "Not because someone could have compromised it, but because someone has compromised it. Maybe we should all just assume all public site passwords will be compromised and accept it as a new fact of life."

Many companies require workers to change their e-mail passwords on a regular basis; Storms argued that the tactic makes sense for everyone.

"We usually get push back about password changes and the answer is typically, 'But it could be compromised,'" he said. "Now we are getting more and more evidence that it has been compromised."

Trapster said it has rewritten the service's code to prevent similar attacks in the future, and has "implement[ed] additional security measures to further protect your data." The company did not spell out what those measures were, however.


Stories by Gregg Keizer
