TOTW #2: IoT, Data and Privacy Breaches

Hello, IoTeX community! Here comes the second Thread of The Week, in which we will talk about IoT, Data and Privacy incidents, leaks and breaches. :male_detective::female_detective:

You can share a personal story, something that happened in your country/region or source the incident from the news and the Internet. In your post, please:
:white_small_square: Tell us about the breach, what happened and how
:white_small_square: Consequences and the impact
:white_small_square: How could it have been avoided or solved?
:white_small_square: Could IoTeX’s technology have been used to prevent it and how?

Make sure to include your Telegram ID in your post so we can add you to the weekly Scoreboard combined with IoTrivia & contact you if you are a winner.

:pushpin: A new TOTW will start every Monday at midnight PST
:moneybag: Rewards: Our Brand Ambassadors will pick 2 winners with interesting stories/use cases who will receive IoTeX t-shirts

You can post more than once but make sure to share different stories/use cases, do not duplicate posts. Feel free to comment & reply to posts from other community members. :handshake:


Let me start with the first use case :wink:

In late 2016, the personal information of 57 million Uber users and 600,000 drivers was exposed. The hackers were able to access Uber’s GitHub account, where they found username and password credentials to Uber’s AWS account, which should not have been in there in the first place… :woman_facepalming:

Could this have been easily avoided? Certainly! For such a big and influential corporation, it should be crucial to properly manage and store their clients’ information. A few ways to do that: 1) allow their customers to store their own information and identity without using a centralized server {IoTeX DID}; 2) use secure servers {Intel SGX} by encrypting all the data. But the first step for everyone is not to share and post their passwords and usernames online :joy:

TG: @Alina_IoTeX
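The first step named in the post above, keeping cloud credentials out of the repository, is something a hook can check before a commit ever leaves the laptop. The following is an added example written for this thread, not Uber’s or IoTeX’s code: it scans a file or a git diff for AWS access key IDs (the fixed `AKIA`/`ASIA` prefix) and for 40-character secret keys sitting next to a "secret ... key" hint, and drops low-entropy matches so that placeholders do not trigger it. The detection rules and the entropy threshold are choices made here, and the sample values are the credentials AWS publishes as documentation examples, not live keys.

```python
"""Scan text (a config file, a git diff) for AWS credentials before it reaches a repo.

Added example for this thread; it is not Uber's or IoTeX's code. The
detection rules and thresholds are choices made here, and the sample
credential values are AWS's published documentation examples, not real keys.
"""
import math
import re
import sys
from typing import List, Tuple

# Long-lived user keys start with AKIA, temporary STS keys with ASIA; both are
# followed by 16 uppercase alphanumerics.
ACCESS_KEY_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")

# Secret access keys are 40 base64-ish characters with no fixed prefix, so the
# rule also demands a "secret ... key" hint on the same line and later checks
# that the value is high-entropy (a 40-letter word or padding string is not).
SECRET_KEY_RE = re.compile(
    r"(?i)(?:aws)?[_\-\s]*secret[_\-\s]*(?:access)?[_\-\s]*key[\s\"'=:]+"
    r"([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)
ENTROPY_THRESHOLD = 3.0  # bits per character; real keys measure well above 4

# Constructed sample; the two values are the examples from AWS documentation.
SAMPLE_CONFIG = """\
# settings.py (constructed sample for this example)
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
SECRET_KEY = "not-a-credential-just-a-label"
"""


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character, estimated from the string's own histogram."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def find_aws_credentials(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, kind, value) for every credential-looking token."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_RE.finditer(line):
            hits.append((lineno, "access_key_id", m.group(0)))
        for m in SECRET_KEY_RE.finditer(line):
            value = m.group(1)
            if shannon_entropy(value) >= ENTROPY_THRESHOLD:
                hits.append((lineno, "secret_access_key", value))
    return hits


def main(argv: List[str]) -> int:
    """Scan a file ('-' for stdin) or, with no argument, the built-in sample.
    Exit status 1 on any hit so the script can gate a commit."""
    if len(argv) < 2:
        text = SAMPLE_CONFIG
    elif argv[1] == "-":
        text = sys.stdin.read()
    else:
        with open(argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    hits = find_aws_credentials(text)
    for lineno, kind, value in hits:
        # Never echo the whole secret into terminal history or CI logs.
        print(f"line {lineno}: possible {kind} {value[:4]}...{value[-4:]}")
    return 1 if hits else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

To use it as a pre-commit hook, pipe the staged diff in with `git diff --cached | python scan_aws_keys.py -`; a non-zero exit blocks the commit. A key that does get committed is already compromised once the repository is shared, so the response is to rotate it, not just to delete the line.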



Dubsmash data breach December 2018

Impact: 162 million users

In December 2018, Dubsmash suffered a data breach that exposed 162 million unique email addresses, usernames and PBKDF2 password hashes. In 2019, this data appeared for sale on the dark web and was circulated more broadly. Selling their data on the dark web :scream: it’s too scary

So how to prevent it?
Let blockchain solve it, or IoTeX especially.
These methods look similar to @Alina’s hehe :grin:
:lock: So allow their customers to store their information and identity using Decentralized Identifiers (IoTeX DIDs).
How special is IoTeX DID?
Yeah, DIDs are designed to function without a central registration authority.
DIDs are registered on a blockchain; DIDs should be permanent, persistent, and non-reassignable.
DIDs are made useful through resolution.
And the last reason you should use DIDs is that they can prove ownership.
How cool :sunglasses:
:lock: Use configuration management to ensure cloud services are not exposing data to the Internet.
:lock: Prevent phishing
:lock: Use a password manager that encrypts your data
:lock: Install anti-malware/antivirus

But remember to investigate your chosen third-party service carefully before using it!

TG : @strept0
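The post above notes that the leaked Dubsmash records contained PBKDF2 password hashes. How much that protects users after a breach depends entirely on how the hashing was done: a per-user random salt, a high iteration count, and a stored record that lets the site raise the cost later. The block below is an added example for this thread, not Dubsmash’s or IoTeX’s code; it uses only the Python standard library. The record format `pbkdf2_sha256$<iterations>$<salt>$<hash>` and the iteration policy are choices made here (600,000 iterations follows current OWASP guidance for PBKDF2-HMAC-SHA256).

```python
"""Store and verify passwords with PBKDF2-HMAC-SHA256 (stdlib only).

Added example for this thread, not Dubsmash's or IoTeX's code. The record
format "pbkdf2_sha256$<iterations>$<salt>$<hash>" and the iteration policy
are choices made here; 600,000 iterations follows current OWASP guidance
for PBKDF2-HMAC-SHA256.
"""
import base64
import hashlib
import hmac
import os

ALGORITHM = "pbkdf2_sha256"
CURRENT_ITERATIONS = 600_000   # policy value: raise it as hardware gets faster
SALT_BYTES = 16
KEY_BYTES = 32


def hash_password(password: str, iterations: int = CURRENT_ITERATIONS) -> str:
    """Return a self-describing record. A fresh random salt per password means
    two users with the same password get different records, so a leaked table
    cannot be attacked with one precomputed table for everyone at once."""
    salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                             iterations, dklen=KEY_BYTES)
    return "$".join([
        ALGORITHM,
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    ])


def _parse(record: str):
    algo, iters, salt_b64, dk_b64 = record.split("$")
    if algo != ALGORITHM:
        raise ValueError(f"unsupported algorithm {algo!r}")
    return int(iters), base64.b64decode(salt_b64), base64.b64decode(dk_b64)


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count, then compare in
    constant time so the comparison itself leaks nothing about the hash."""
    iterations, salt, expected = _parse(record)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                    iterations, dklen=len(expected))
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record: str) -> bool:
    """True when the record was made under a weaker policy than today's.
    Call it right after a successful login and re-hash with the plaintext
    you just verified; a leaked table full of low-iteration records is what
    makes offline cracking cheap."""
    iterations, _, _ = _parse(record)
    return iterations < CURRENT_ITERATIONS


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")
    print(rec)
    print("verify ok:   ", verify_password("correct horse battery staple", rec))
    print("verify wrong:", verify_password("Tr0ub4dor&3", rec))
    print("needs rehash:", needs_rehash(rec))
```

Storing the iteration count inside the record is what makes the upgrade path work: old records keep verifying, and `needs_rehash` tells the login handler which ones to replace.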


Sometimes I get an email and I see that someone has gained access to my account. Another problem I see is in integrated cameras. And basically, you have to say that you can always be the victim of a hacking attack, and it does not matter how much effort you put into protecting your data. It’s just a matter of effort.
I believe IoTeX can help solve these problems.

Take as an example the integrated cameras found in laptops, smartphones and tablets. With the IoTeX hardware you would have almost unbeatable protection against hacker attacks right from the start, and you would not have to worry about being watched. In my opinion, this is a priceless property that is not so easy to find in our time. Given that people are becoming increasingly paranoid these days, I assume that this new possibility will be accepted by society.

And that’s how the whole thing works. Each device is assigned a DID. All records are stored exclusively in the blockchain. Only whoever owns the key has access. If you want to send your video to friends, then you simply send the record to their public address.

At this point I’m looking forward to the journey to the moon with IoTeX :wink:

TG ID @altcoin_maximalist


My IoT data breach / hack example is from one of my idols, Elon Musk. While he is busy innovating new futuristic electric vehicles and spacecraft, he is also cognizant of the security risks associated with emerging technologies.

His biggest cybersecurity fear? A fleet-wide hack of Teslas – “In principle, if somebody was able to hack, say, all of the autonomous Teslas, they could, say—I mean just as a prank—they could say like ‘send them all to Rhode Island’ from across the United States." Or something much more malicious …

IoTeX can help prevent this issue by authorizing any firmware/software updates applied to Tesla vehicles. As there is no centralized server where a hacker could enter, it would be impossible for them to maliciously hack the entire fleet of vehicles. This is just one instance of how IoTeX can prevent large-scale, systemic breaches/hacks, in addition to protecting the security/privacy of consumers and enterprises.

TG ID: @larry_iotex


Introduction: The Internet of Things (IoT), as the name suggests, is the Internet in which things are connected to things. Specifically, it is a network that uses information-sensing devices, following agreed protocols, to connect any object to the Internet for information communication and exchange, in order to achieve intelligent identification, positioning, tracking, monitoring and management.



Well, I’d say that centralized databases have lots of problems that lead to breaches, but the main one is the human element. And we can see it in almost all the examples given in this topic.

I can give a similar example with a situation in Serbia in December 2014. The Privatization Agency left in the public domain a link to a database of 5 million citizens of the country, a significant part of whom had never even used the Internet. Names, surnames, IDs: everything was accessible to intruders.

Of course we can say that the easiest way to avoid such a problem is not to leave such a link, but Murphy’s law makes such a mistake inevitable sooner or later. So we need a better solution for preventing it.

And cryptography and decentralized databases could help much better, because there would be far fewer chances for a human mistake, and even if such a mistake takes place, its consequences will be much less serious. So, I guess IoTeX’s technologies can help in such a situation! For instance, Trusted Computing can prevent access by random people. Decentralized Identity can prevent getting all the data of 5 million people at one time. And so on.

Telegram… @bez_nicka


The case of the 50 million Facebook profiles reported by :star_struck: The Guardian and The New York Times on March 17, 2018 to have been harvested for Cambridge Analytica in a major data scandal, :sneezing_face: in which Christopher Wylie claimed that the data was sold to Cambridge Analytica and was reportedly used to develop psychographic profiles of people and deliver pro-Trump content to them online.
This could have been avoided if the Facebook team had come up with the idea of allowing individual users to store their own information in a decentralized database like IoTeX DID. :wave: Secondly, use of a secure server like Intel SGX 2 :+1: by encrypting all their information and data.
Governments should put appropriate regulations in place with stiff penalties for any breaches :writing_hand:
Telegram Id: @tadex01


On 15 July 2019 an anonymous hacker successfully breached the security systems of the Bulgarian National Revenue Agency (NRA) and downloaded the personal data of over 5 million Bulgarian citizens. :star_struck: Part of the hacked information (about 11 GB) was leaked to local media. This is one of the biggest personal data breaches in Bulgaria up to the present date. After the initiated inspection and the discovery of highly insufficient measures for the protection of personal data, the CPDP fined the Bulgarian NRA 5.1 million BGN (about 2.5 million EUR). :grinning:

:white_check_mark: This issue could have been prevented by putting in place firmware/software updates by IoTeX, since there would not have been any centralized server where hackers could penetrate.
:white_check_mark: Also, IoTeX would have used decentralized identity (DID) as a channel for storing the information of the Bulgarian National Revenue Agency (NRA).

Telegram ID : @SangosanyaM



In May, WhatsApp was hacked and spyware was installed on users’ phones. Hackers were able to install surveillance technology on the phones of WhatsApp users who answered their phone calls through the app.

WhatsApp has over 1.5 billion users worldwide who were vulnerable to these data and privacy breaches.
This could have been avoided by thorough privacy management, which IoTeX obviously has.

This could have been avoided by applying ‘privacy by design’ and ‘user-centric features’, which are both part of IoTeX’s features.
This allows users to own their privacy by letting them choose who can view their data, including their phone numbers, or who they want to receive calls from.
WhatsApp having an open source whereby anyone can view one’s phone number is not ideal to start with.
Obviously there are lots of gaps to be covered by IoT as regards data, privacy and security breach.



Hi IoTeX fans :raised_hands::raised_hands::raised_hands::bowing_man::bowing_man::bowing_man:
The market for IoT devices is growing rapidly. Along with the development of the industry, the need for security remains high. Experts have yet to find reliable solutions to IoT security problems. Enterprises are concerned about the potential risks of implementing IoT solutions. Consumers, on the other hand, need stable devices.

Cybersecurity researchers offer a look at five major incidents in the IoT segment.

Mirai DDoS Botnet
Probably the most famous botnet attack using IoT devices is the Mirai DDoS (distributed denial of service) attack. It successfully slowed down or paralyzed the Internet over almost the entire East Coast of the United States. As a result, Dyn, a network service provider, suffered significant losses.

The botnet was deployed for selfish reasons by 21-year-old Paras Jha (New Jersey), Dalton Norman (Louisiana) and 20-year-old Josiah White (Pennsylvania). The attackers planned to disable private Minecraft servers and entice users to their own server.

Among the victims were not only Minecraft servers served by the DNS provider Dyn, but also Twitter, Reddit, Yelp, Imgur, PayPal, Airbnb, Pinterest, Soundcloud, Spotify, GitHub, HBO, CNN, Starbucks, Yammer, etc. Subscribers of the largest European telecom operator, Deutsche Telekom, were left without stable mobile communications for several hours. Problems with access to the network were observed among users in the United States and Western Europe.

The botnet scanned for open Telnet ports and performed the authentication procedure using 61 default login/password combinations of devices. It turned out that the army of hacked devices was created by students at Rutgers University.
Jeep and virtual hijacking:red_car::red_car::red_car:
In 2016, two hackers, Charlie Miller and Chris Valasek, successfully seized control of a Jeep Cherokee. This was the first virtual hijacking. The driver was in the car. After vulnerabilities were detected in the vehicle, the “attackers” took control of the ventilation system flaps, radio, wipers, etc. All this happened while the driver was driving. Soon, the faces of Miller and Valasek appeared on the display of the multimedia system, and the driver lost control of the brakes, accelerator and steering system. In the end, the hackers were able to remotely stop the car.

The attackers published a list of the most vulnerable cars, prompting automakers to make software fixes. They recommended that owners of these car brands pay attention to the need for regular system updates.
Owlet WiFi cardiac monitor for children
Owlet is a heart rate sensor used in infant socks. You can use the device from birth to 18 months. The socks are compatible with iOS and Android 30 and work via Bluetooth 4.0 within a radius of 30 m. The socks monitor heartbeat frequency, blood oxygen level and body position during sleep. Parents can set alerts in the smartphone application if the indicators deviate from the norm.

Telegram : @H1xindahouse
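The Mirai description above (scan for open Telnet, then walk a short list of factory logins) is simple enough that its traffic has a recognizable shape: one source trying several distinct user/password pairs within seconds. The block below is an added example for this thread, not IoTeX code and not taken from the Mirai source. It parses a constructed honeypot log, raises an alert for any source that cycles through three or more distinct credential pairs inside a 60-second window, counts how many of those pairs are known factory defaults and whether any succeeded, and also offers a device-side check that refuses to provision one of those known logins. The log format, field names, thresholds and sample lines (TEST-NET addresses) are assumptions made here; the pairs in `KNOWN_DEFAULTS` are a few of the factory logins the botnet is documented to try.

```python
"""Flag Mirai-style Telnet credential stuffing in (constructed) honeypot logs.

Added example for this thread, not code from IoTeX or from the Mirai source.
The log format, field names and sample lines are assumptions made here; the
pairs in KNOWN_DEFAULTS are a few of the factory logins the botnet is
documented to try.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

LINE_RE = re.compile(
    r"^(?P<ts>\S+) telnet src=(?P<src>[\d.]+) user=(?P<user>\S*) "
    r"pass=(?P<pw>\S*) result=(?P<result>\w+)$"
)

KNOWN_DEFAULTS = {
    ("root", "xc3511"), ("root", "vizxv"), ("root", "admin"), ("admin", "admin"),
    ("root", "888888"), ("root", "default"), ("root", "root"), ("admin", "1234"),
}
WINDOW = timedelta(seconds=60)   # no human cycles logins this fast
MIN_DISTINCT_PAIRS = 3           # distinct user/password pairs inside WINDOW

# Constructed sample (TEST-NET addresses): one scanner, one legitimate operator.
SAMPLE_LOG = """\
2016-10-21T11:02:13Z telnet src=203.0.113.7 user=root pass=xc3511 result=fail
2016-10-21T11:02:14Z telnet src=203.0.113.7 user=root pass=vizxv result=fail
2016-10-21T11:02:15Z telnet src=203.0.113.7 user=admin pass=admin result=fail
2016-10-21T11:02:16Z telnet src=203.0.113.7 user=root pass=888888 result=ok
2016-10-21T11:05:40Z telnet src=198.51.100.23 user=operator pass=c0rrect-h0rse result=fail
2016-10-21T11:30:01Z telnet src=198.51.100.23 user=operator pass=c0rrect-h0rse result=ok
malformed line that the parser must skip, not crash on
""".splitlines()


def parse(line: str) -> Optional[dict]:
    """One log line -> dict with a UTC datetime, or None if it is not an auth event."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ev


def is_factory_credential(user: str, password: str) -> bool:
    """Device-side check: refuse to provision a login the botnet already knows."""
    return (user, password) in KNOWN_DEFAULTS


def detect_dictionary_attacks(lines: List[str]) -> Dict[str, dict]:
    """Return {src_ip: summary} for sources that try >= MIN_DISTINCT_PAIRS
    different credential pairs within WINDOW. A success inside such a burst
    means a device with a factory login has most likely just been recruited."""
    attempts = defaultdict(list)
    for line in lines:
        ev = parse(line)
        if ev:
            attempts[ev["src"]].append(ev)

    alerts = {}
    for src, evs in attempts.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):          # sliding window anchored at each attempt
            burst = [e for e in evs[i:] if e["ts"] - first["ts"] <= WINDOW]
            pairs = {(e["user"], e["pw"]) for e in burst}
            if len(pairs) >= MIN_DISTINCT_PAIRS:
                alerts[src] = {
                    "first_seen": first["ts"].isoformat(),
                    "distinct_pairs": len(pairs),
                    "known_defaults": len(pairs & KNOWN_DEFAULTS),
                    "successes": sum(1 for e in burst if e["result"] == "ok"),
                }
                break
    return alerts


if __name__ == "__main__":
    for src, summary in detect_dictionary_attacks(SAMPLE_LOG).items():
        print(src, summary)
```

The operator at 198.51.100.23 fails once and succeeds 25 minutes later with the same pair, so it never reaches three distinct pairs and is not flagged; the scanner at 203.0.113.7 tries four known defaults in four seconds and lands one, which is exactly the event worth paging on. On the device side, `is_factory_credential` is the cheap complement: a product that refuses to ship or be configured with one of those pairs never appears in that log in the first place.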


My input for data hacks is the Comodo (“global leader in cybersecurity solutions”) forums data breach.

A hacker exploited a vulnerability in vBulletin, a popular forum software used by Comodo. The flaw allows an attacker to remotely run malicious code on a vulnerable forum. In this case, the exploit was used to dump the entire user database. The hackers stole usernames, names and email addresses, as well as the user’s last IP address used to access the forum. Some social media handles were also stolen in the breach.

Comodo said it has about 245,000 registered forum users.

IoTeX’s vision: a decentralized Internet of Trusted Things, to deliver data ownership back to the user.

TG: @murugan25589


“Hardware attacks are about access”

The implants on Supermicro hardware manipulated the core operating instructions that tell the server what to do as data move across a motherboard, two people familiar with the chips’ operation say.

The security of the global technology supply chain had been compromised, even if consumers and most companies didn’t know it yet

Apple made its discovery of suspicious chips inside Supermicro servers around May 2015

Elemental’s main product: the expensive servers that customers installed in their networks to handle the video compression.

Elemental’s servers could be found in Department of Defense data centers, the CIA’s drone operations, and the onboard networks of Navy warships.

These servers were assembled for Elemental by Super Micro Computer Inc., a San Jose-based company (commonly known as Supermicro) that’s also one of the world’s biggest suppliers of server motherboards, the fiberglass-mounted clusters of chips and capacitors that act as the neurons of data centers large and small. In late spring of 2015, Elemental’s staff boxed up several servers and sent them to Ontario, Canada, for the third-party security company to test, the person says.

The testers found a tiny microchip, that wasn’t part of the boards’ original design.

The chips allowed the attackers to create a stealth doorway into any network that included the altered machines. Multiple people familiar with the matter say investigators found that the chips had been inserted at factories run by manufacturing subcontractors in China.

In the three years since the briefing in McLean, no commercially viable way to detect attacks like the one on Supermicro’s motherboards has emerged—or has looked likely to emerge. Few companies have the resources of Apple and Amazon, and it took some luck even for them to spot the problem. “This stuff is at the cutting edge of the cutting edge, and there is no easy technological solution,” one of the people present in McLean says. “You have to invest in things that the world wants. You cannot invest in things that the world is not ready to accept yet.”


Apparently it isn’t so easy to find data breach info in Spain, but you can see governmental numbers and the objective of the attacks. Also, an interesting finding is that still HALF of the companies are not aware their IoT devices have been hacked, with IP cameras being the principal target (Spanish source). Anyway, I found a recent one at a Spanish bank.

It is still to be determined or made public, but, somehow, data from one of the principal Spanish banks, Caja Rural, was leaked. To see how big the entity is, it has 2,299 offices, 8,148 employees and is worth 59,394 million euros in total assets. So the security should be considerably good.

637 clients’ data, including:

  • Full name
  • ID
  • ‘Hash’ of their passport to the online bank services
  • Phone number
  • Complete address

were leaked to the internet.

If the data had been on the IoTeX network it would have been encrypted and, in addition, with a proper DID, access to the data could only have been possible if the user’s devices and the password to the IoTeX Network account were stolen or remotely accessed.



Once, several years ago, government agencies in Ukraine were hacked thanks to the Petya virus.
The virus covered 90% of all institutions; specialists tried to eliminate this virus as soon as possible.
As a result, a lot of confidential data was lost, power plants stopped working for a day, etc.
Thanks to IoTeX’s decentralization and reliable confidentiality, such attacks can be avoided in all areas of activity. Therefore, I believe that IoTeX is moving in the right direction!



I saw it on the internet.


Hi guys! We are extending this discussion topic for another week, until Monday, December 16 midnight PST in order to give everyone more time to participate. :kissing_closed_eyes:


Recently, I read an article that smart TVs take screen prints every second and send them to the server. In terms of the amount of data collected, TV manufacturers are catching up with Google and Apple.
Many TV manufacturers say they do not violate user privacy because ACR data is technically not personal information, since all family members use the TV. However, data mining makes it possible to separate user profiles from each other after the fact. Data mining is performed by specialized firms. They analyze the browsing history of users, linking the history of watching TV with the activity of the user on the phone, tablet and laptop, including shopping in stores.
90% of TV buyers voluntarily agree to have screen prints taken and the data sent to the server, since the settings for disabling these options are often hidden in the TV menu. Surveys of users showed that most of them really do not realize the full extent of profiling and do not see anything wrong with the company finding out what series they like to watch on TV. Some say that “Google already knows everything about us,” so there’s nothing to hide.
Identification and trust are critical aspects of the security of the Internet of things. The use of proven technologies for device identification, communication encryption, and data integrity protection is the key to security.
I think IoTeX technologies could be used in smart TVs, similar to how they are used in the Ucam private camera. What do you think about this?



Thanks for sharing!
Yes, IoTeX technologies certainly can be used there. I can make a post on how to do that. However, TV manufacturers would only use them if all users are aware of and demanding the features.
There should be someone who can take the leap. I would really appreciate it if everyone here could share IoTeX’s vision with more people.


I will use the well-known Equifax data breach of 2017 as a use case, which exposed the personal information of millions of customers to hackers. Equifax is one of the three major credit reporting agencies (CRAs) in the US.

On September 7, 2017, Equifax reported that hackers had exploited a vulnerability in its US website application to gain access to certain files from mid-May through July 2017.

Quoting the news:

“The hackers accessed personal data, including Social Security numbers, birth dates, addresses, and, in some cases, driver’s license numbers. They also stole credit card numbers for approximately 209,000 US consumers, as well as dispute documents with personal identifying information for approximately 182,000 US consumers. Some UK and Canadian residents may have also had personal data compromised.”

Due to the volume of data involved and the importance of the company, this was a really serious data breach that could have been totally avoided by using the IoTeX technology:

  1. Thanks to its distributed nature, there would be no “intermediary” (i.e. “Equifax”) server to hack

  2. Thanks to private computation hardware like the Avoboard, the same “scores” that Equifax calculated could be calculated while keeping all the required user data totally private “by hardware” at the time of the computation, without the need to store them

  3. Users’ identification data, along with the data required for the credit score computation, could instead be stored on a secure server architecture, accessible through the IoTeX DID architecture.

The whole “Equifax intermediary” would have no reason to exist, or at least no reason to store anything on their servers, with the consequent responsibility for privacy protection. That would instead be totally protected by military-grade encryption provided by blockchain DID access, secure storage, and no need for any party to access that data once the person had been identified by an authority and the data verified in the first place.

TG: @zimne