Cyber Blurbs: TikTok Pays Big in Settlement

In this week’s Cyber Blurbs Roundup, we take a look at LastPass’s latest blunder, the end of an era for an electronics retailer, a lazy intern at SolarWinds, and TikTok’s massive payout.

Here we go:

LastPass Caught Using Trackers

Just a few weeks removed from announcing plans to strip its free tier of most of its value, LastPass is giving many of its users one more reason to jump ship.

The Guardian Project recently published findings from its Exodus Privacy app, noting that LastPass uses seven web trackers in the Android version of the mobile app. Trackers are pieces of software designed to collect data about you and your web usage. The privacy advocates list AppsFlyer, Google Analytics, Google Crashlytics, Google Firebase Analytics, Google Tag Manager, Mixpanel, and Segment as the code signatures found in the application.

Though LastPass encrypts your passwords so that no tracker can view them, the trackers in question allow third-party companies to receive data about the websites you visit. LastPass, for its part, says this isn’t anything unusual (via CNET). What’s more, LastPass says users may opt out through the settings menu.

"These trackers are industry standard mobile analytics tools and are used for a limited purpose -- to collect aggregated statistical data about how LastPass is used to help us improve and optimize the product to deliver the best user experience," LastPass said in a statement. 

But while LastPass says it’s doing nothing wrong, the study found that other password managers, such as 1Password and KeePass, do not include trackers of any kind. 

Fry’s Electronics is No More

And now a moment of silence for one of the staples of the electronic retail industry. After nearly 36 years in business, and about four to five years of folks asking themselves if “that other electronics store” was still open, we now have our answer: Fry’s Electronics is closing its doors for good. 

The company announced the news last week, stating that it came as a result of “changes in the retail industry and the challenges posed by the COVID-19 pandemic.” 

Fry’s had 31 stores located across nine states in the US (which may explain why some of you reading this are confused). Making use of those storefronts as is may be a challenging endeavor for companies looking for a new home, both because of their sheer size and because of the unique decisions the company made in designing certain locations. From the Mayan-themed store in San Jose, to the alien invasion-themed location in Burbank, California, to the space station location out in Webster, Texas, it’s clear that companies will probably think twice before moving in.

Though Fry’s cites the pandemic as a key factor in the company’s demise, its largest, most similar competitor seems to be doing just fine. Best Buy recently reported its best quarter in 25 years, with the company seeing a 23% increase in sales at many of its stores from August through the end of October when compared to the same period last year. Best Buy reported a 174% increase in online sales during that stretch as consumers shifted their spending habits toward home entertainment and productivity.

TikTok Settles in Privacy Class Action Lawsuit

TikTok parent company ByteDance has agreed to fork over $92 million to settle a class-action lawsuit that accused the company of illegally collecting and using personal data belonging to underage TikTok users. 

The social media app is also expected to change its data-collection policies, as well as provide greater transparency into those policies. That, despite the massive dollar amount in question, may be the biggest takeaway from this lawsuit. 

The total class, per the settlement, is defined as 89 million US users. With the attorneys receiving a third of the $92 million, approximately $61 million will be reserved for the users impacted. We’ll spare you the math: that means, assuming they all make a claim, a whopping $0.96 per user. Illinois users will be allowed to claim six shares, bringing their total to $5.75. 

The class-action lawsuit consisted of more than 20 individual cases, many of which argued that the popular social media platform violated state and federal laws, including the Computer Fraud and Abuse Act and the Video Privacy and Protection Act. 

According to the suit, TikTok “used automated software, proprietary algorithms, AI, facial recognition, and other technologies to commercially profit from Plaintiffs’ and Class Members’ identities, unique identifying information, biometric data and information, images, video and digital recordings, audio recordings, clipboard data, geolocation, names, e-mail addresses, passcodes, social media accounts, messaging services, telephone numbers, and other private, non-public, or confidential data and information.”

TikTok denied any wrongdoing, but opted to settle in order “to focus [its] efforts on building a safe and joyful experience for the TikTok community,” according to a statement (via ArsTechnica). 

SolarWinds Blames the Intern

Just a few months removed from the catastrophic cyber attack that may have put numerous federal agencies at risk, we may have some insight on how this all potentially took place. And it’s far more embarrassing than you may have imagined.

Speaking to the House Oversight and Homeland Security Committees during a joint hearing Friday, former SolarWinds CEO Kevin Thompson pointed the finger at one of the most obvious suspects: the lazy intern.

“solarwinds123”

That’s the password an intern used to protect an update server, according to Thompson (via Gizmodo). Worse yet, the password — in clear violation of the company’s security policies, per Thompson — was posted on the intern’s private GitHub account.

To be clear, the data breach has not been directly linked to the Swiss-cheese password. Security researchers have been able to access and deposit files onto the server, potentially paving the way for malicious actors to do the same.

The password was said to have been used as far back as 2018.

 
