Sponsored by Specops Software  • December 6, 2022

Frustrating for both users and administrators, password management is a challenge in any organization. One lost or stolen password may be the crack in your organization’s foundation that lets an attacker slip in.

Conventional password recommendations have held that regular changes and lengthy and complex passwords would keep attackers at bay. Many guidelines have been published, but in recent years, conventional wisdom has been changing.

One such guideline, initially published in 2017 but updated in 2020, is the NIST Password Guideline Standards (NIST Special Publication 800-63 Revision 3). A significant change included the removal of the prior recommendation for regular password changes.

The Good and Bad of Password Resets

Although NIST recommends against regularly rotating users’ passwords, that does not mean there are no valid reasons left to use password resets. Below are some pros and cons showing where password resets make sense and where they fall short.

Pros and cons

Pro: Regular password resets mean a stolen password is usable for only a limited time.
Con: A user is more likely to fall back on a typical password pattern, leading to insecure passwords.

Pro: When a breached password is found, forcing a password reset ensures users do not continue to use insecure passwords.
Con: An organization can avoid future resets by checking for breached passwords on a password change.

Pro: Lost devices should necessitate a password change to ensure that a cached password is not used.
Con: Multi-factor verification makes a lost device more a nuisance than a security issue, especially with encrypted devices.

With all of these potential scenarios in mind, how do password resets, scheduled or unscheduled, cause real economic and productivity damage?

The Ever-Increasing Overhead of Password Resets

Many users dread a password reset. There is always a cost, whether it is due to a procedure or a problem. Imagine the scenario where a user is about to start the workday but needs to rotate their password due to company policy. This is not uncommon, as many users wait until the last minute for a password change, leading to locked-out accounts and longer-than-expected password reset tickets.

In studies, the Gartner Group found that between 20% and 50% of all help desk calls are for password resets. Not only that, each password reset typically takes between 2 and 30 minutes to fix. The time and cost savings that a helpdesk could realize from fewer password resets would allow an increased focus on more complex problems.

The increased interconnectivity of systems often compounds these time commitments. For an authentication system like Active Directory, a password reset would mean that the user account password change must be replicated to all connected Domain Controllers (DC).

With more remote workers, this may mean that the DCs are geographically spread out, leading to longer replication times. Adding further subsystems into the mix, some even with manual synchronization, can compound the problem even more!

Any user facing the prospect of a time to resolution of 30 minutes or longer for a password reset will do whatever they can to avoid it. How might users avoid password reset issues? Instead of choosing a strong password, they may opt for one that is easily remembered, such as a repeating pattern. Or they may write down the password, often leaving it in an insecure location.

Reset Password Sends Productivity Down the Drain

What happens when a user misses the window to reset their password or forgets the latest password because of how many recent changes there have been? Not only does the user need to reach out to the already overworked helpdesk, but they are stuck waiting for a resolution rather than working in the meantime.

Plus, when a user is locked out, the password reset takes priority over other vital tasks since that user can no longer work. Any organization’s priority would be to get that individual productive once again. Thus, a password reset necessarily diverts a helpdesk’s attention.

As recent years and studies have shown, the move to more remote work is not lessening. 58% of Americans reported having the opportunity to work from home at least one day a week. A potential benefit is more flexible work hours.

There are many benefits to flexible working hours, both for employees and employers, but this also means that when a password reset is required, it may be outside helpdesk hours. Without assistance, the employee is stuck until the next day, potentially leading to even more productivity loss.

How Password Resets Hurt the Bottom Line

Moreover, passwords can be an expensive burden for organizations of all sizes. Forrester Research states that the average help desk labor cost for a single password reset is about $70. This does not consider the lost productivity for a user, compounded by the many password resets done in a given year.

According to a Yubico-sponsored report, the average user spent 10.9 hours a year on password resets, leading to an average loss of $5.2 million a year in productivity for a 15,000-user organization (based on a $32-an-hour average). The Yubico report focused on the end-user, but that is not the only place where the time investment lies.

For IT helpdesks, a OneLogin study found that over 37% of companies spent more than 6 hours a week on password resets. That is time a helpdesk employee could spend on other, more critical tasks; it could even mean an organization needs fewer helpdesk employees overall!

Self-Service Password Resets Save the Day

With all of these challenges, what can an organization do to lessen the impact of password resets? One step would be to implement the latest NIST guidelines and do away with regular password resets. But, a user will inevitably forget a password, or an unrelated breach may also lead to a compromise.

The best way for an organization to save time, money, and productivity is to empower the users with a self-serve password reset solution. Specops uReset offers a variety of features to allow users to reset their passwords without the need for a time-consuming and potentially expensive IT helpdesk call.

Password resets, while a necessity in some cases, lend themselves well to self-service, with a lessened impact on the helpdesk and an organization’s bottom line. Luckily, you can test out Specops uReset in your Active Directory to experience a secure self-service password reset solution.

Sponsored and written by Specops Software

The international ransomware group LockBit claims to have stolen 76 gigabytes of data from the California Department of Finance. The data is said to include confidential and financial documents, and other sensitive information.

December 13, 2022 • Lindsey Holden, The Sacramento Bee

(TNS) – California officials are investigating a cybersecurity incident at the Department of Finance after a global ransomware group claimed it stole confidential data and financial documents from the agency.

The California Office of Emergency Services on Monday said in a statement that the state Cybersecurity Integration Center is actively responding to a cybersecurity incident involving the California Department of Finance.

Cal OES describes the threat as an “intrusion” that was “proactively identified through coordination with state and federal security partners.” The statement did not provide any specifics about the nature of the incident, who was involved or whether information or data had been taken.

Cal OES said only that “no state funds have been compromised.”

Tech news outlets reported global ransomware group LockBit was behind the threat.

Screenshots from the group’s website show it claims to have stolen 76 gigabytes of data, including “databases, confidential data, financial documents, certification, court and sexual proceedings in court, IT documents and more …”

The U.S. Department of Justice in November charged a dual Russian and Canadian citizen for taking part in LockBit’s ransomware campaign.

The DOJ reported LockBit appeared in January 2020 and has threatened at least 1,000 victims in the United States and internationally. It described the group as “one of the most active and destructive ransomware variants in the world.”

©2022 The Sacramento Bee, Distributed by Tribune Content Agency, LLC.


By Julia Musto
Published December 01, 2022
Fox News

Password manager LastPass announced Wednesday it had suffered its second data breach in three months.

CEO Karim Toubba said the company recently detected unusual activity within a third-party cloud storage service that is shared by LastPass and affiliate GoTo.

He said an investigation was immediately launched into the incident by security firm Mandiant and that law enforcement had been alerted.

“We have determined that an unauthorized party, using information obtained in the August 2022 incident, was able to gain access to certain elements of our customers’ information. Our customers’ passwords remain safely encrypted due to LastPass’s Zero Knowledge architecture,” Toubba said.

LastPass is working to identify what specific information has been accessed and the scope of the incident.

Products and services remain fully functional, and LastPass said it continues to deploy enhanced security measures and monitoring capabilities across its infrastructure.

Toubba said further updates would be provided as LastPass learns more details.

In August, LastPass said an unauthorized party had gained access to portions of the LastPass development environment through a single compromised developer account and took portions of source code and some proprietary LastPass technical information.

Following an investigation, Toubba said in September that the threat actor’s activity had been limited to a four-day period and confirmed that there is no evidence this incident involved any access to customer data or encrypted password vaults.

“We recognize that security incidents of any sort are unsettling but want to assure you that your personal data and passwords are safe in our care,” he said then.

Julia Musto is a reporter for Fox News and Fox Business Digital. 

Source: themarkup.org
Updated

The Markup found services including TaxAct, TaxSlayer, and H&R Block sending sensitive data

Major tax filing services such as H&R Block, TaxAct, and TaxSlayer have been quietly transmitting sensitive financial information to Facebook when Americans file their taxes online, The Markup has learned.

The data, sent through widely used code called the Meta Pixel, includes not only information like names and email addresses but often even more detailed information, including data on users’ income, filing status, refund amounts, and dependents’ college scholarship amounts.

The information sent to Facebook can be used by the company to power its advertising algorithms and is gathered regardless of whether the person using the tax filing service has an account on Facebook or other platforms operated by its owner, Meta.

Each year, the Internal Revenue Service processes about 150 million individual returns filed electronically, and some of the most widely used e-filing services employ the pixel, The Markup found.

When users sign up to file their taxes with the popular service TaxAct, for example, they’re asked to provide personal information to calculate their returns, including how much money they make and their investments. A pixel on TaxAct’s website then sent some of that data to Facebook, including users’ filing status, their adjusted gross income, and the amount of their refund, according to a review by The Markup. Income was rounded to the nearest thousand and refund to the nearest hundred. The pixel also sent the names of dependents in an obfuscated, but generally reversible, format.

TaxAct, which says it has about three million “consumer and professional users,” also uses Google’s analytics tool on its website, and The Markup found similar financial data, but not names, being sent to Google through its tool.

TaxAct wasn’t the only tax filing service using the Meta Pixel. Tax preparation giant H&R Block, which also offers an online filing option that attracts millions of customers per year, embedded a pixel on its site that gathered information on filers’ health savings account usage and dependents’ college tuition grants and expenses.

TaxSlayer, another widely used filing service, sent personal information to Facebook as part of the social media company’s “advanced matching” system, which gathers information on web visitors in an attempt to link them to Facebook accounts. The information gathered through the pixel on TaxSlayer’s site included phone numbers, the name of the user filling out the form, and the names of any dependents added to the return. As with TaxAct, specific demographic information about a user was obfuscated but still usable for Facebook to link a user to an existing profile. TaxSlayer has said it completed 10 million federal and state tax returns last year.

The Markup also found the pixel code on a tax preparation site operated by a financial advice and software company called Ramsey Solutions, which uses a version of TaxSlayer’s service. That pixel gathered even more personal data from a tax return summary page, including information on income and refund amounts. This information was not sent immediately upon visiting the page but only when visitors clicked dropdown headings to see more details of their report.

Even Intuit, the company that runs America’s dominant online filing software, employed the pixel. Intuit’s TurboTax, however, did not send financial information to Meta but rather usernames and the last time a device signed in. The company kept the pixel entirely off pages beyond sign in.

“We take the privacy of our customers’ data very seriously,” Nicole Coburn, a spokesperson for TaxAct, said in an email. “TaxAct, at all times, endeavors to comply with all IRS regulations.” Angela Davied, a spokesperson for H&R Block, said the company “regularly evaluate[s] our practices as part of our ongoing commitment to privacy, and will review the information.”

Megan McConnell, a spokesperson for Ramsey Solutions, said in an email that the company “implemented the Meta Pixel to deliver a more personalized customer experience.”

“We did NOT know and were never notified that personal tax information was being collected by Facebook from the Pixel,” the statement said. “As soon as we found out, we immediately informed TaxSlayer to deactivate the Pixel from Ramsey SmartTax.”

After The Markup contacted TaxSlayer, spokesperson Molly Richardson said in an email that the company had removed the pixel to evaluate its use. “Our customers’ privacy is of utmost importance, and we take concerns about our customers’ information very seriously,” she said, adding that Ramsey Solutions “decided to remove the pixel” as well.

Rick Heineman, a spokesperson for Intuit, said the company’s pixel “does not track, gather, or share information that users enter in TurboTax while filing their taxes,” although Intuit “may share some non-tax-return information, such as username, with marketing partners to deliver a better customer experience,” like not showing Intuit ads on Facebook to people who have accounts already. The company said it’s in compliance with regulations but has modified the pixel to no longer send usernames.

Mandi Matlock, a Harvard Law School lecturer focused on tax law, said The Markup’s findings showed taxpayers “providing some of the most sensitive information that they own, and it’s being exploited.”

“This is appalling,” she said. “It truly is.”

On Monday, after TaxAct was contacted by The Markup for comment, the company’s site no longer sent financial details like income and refund amount to Meta but continued to send the names of dependents. The site also continued to send financial information to Google Analytics. Also as of Monday, TaxSlayer and Ramsey Solutions had removed the pixel from their tax filing sites and TurboTax had stopped sending usernames through the pixel at sign in. H&R Block’s site was continuing to send information on health savings accounts and college tuition grants.

As of Wednesday, after this story was published, TaxAct had removed the pixel from its tax filing web application, but was still sending financial information to Google Analytics, and H&R Block told The Markup it removed the pixel from its tax filing website “to stop any client tax information from being collected.” The Markup verified that it had been removed.

How the Meta Pixel Tracks Users

Meta makes the pixel code freely available to anyone who wants it, allowing businesses to embed the code on their sites as they wish. Using the code helps both Facebook and the businesses. When a customer comes to a business’s website, the pixel might record what items the customer browsed, say, a T-shirt, for example. The business can then target its ads on Facebook to people who looked at that shirt, allowing the business to find an audience that may already be interested in its products.

Meta wins financially too. The company says it can use the data it gleans from tools like the pixel to power its algorithms, providing it insight into the habits of users across the internet. The strategy has been successful for Facebook. In 2018, the company told Congress that there were more than two million pixels across the web—a massive data-harvesting operation most internet users never see.

“The practice is ubiquitous,” said Jon Callas, director of public interest technology at the Electronic Frontier Foundation, who said he was left in “shock but not surprise” at The Markup’s findings.

Some of the sensitive data collection analyzed by The Markup appears linked to default behaviors of the Meta Pixel, while some appears to arise from customizations made by the tax filing services, someone acting on their behalf, or other software installed on the site.

For example, Meta Pixel collected health savings account and college expense information from H&R Block’s site because the information appeared in webpage titles and the standard configuration of the Meta Pixel automatically collects the title of a page the user is viewing, along with the web address of the page and other data. It was able to collect income information from Ramsey Solutions because the information appeared in a summary that expanded when clicked. The summary was detected by the pixel as a button, and in its default configuration the pixel collects text from inside a clicked button.

The pixels embedded by TaxSlayer and TaxAct used a feature called “automatic advanced matching.” That feature scans forms looking for fields it thinks contain personally identifiable information like a phone number, first name, last name, or email address, then sends detected information to Meta. On TaxSlayer’s site this feature collected phone numbers and the names of filers and their dependents. On TaxAct it collected the names of dependents.

The data collected by the matching feature is sent in an obfuscated form known as a hash, which Meta states is used in order to “help protect user privacy.” But the company can generally determine the pre-obfuscated version of the data—in fact Meta explicitly uses the hashed information to link other pixel data to Facebook and Instagram profiles. This pixel feature was turned off by default when The Markup set up a test pixel attached to a business account but could be turned on by clicking a toggle during setup.

When TaxAct sent dollar amounts like adjusted gross income to Meta, they were transmitted as parameters to a “custom event,” which are sent only if the pixel is configured beyond the default by a website operator or another application the website operator adds to their site. TaxAct did not respond to questions about whether and why it configured the pixel in this manner.

There are limits to the types of data Meta says it will collect through the pixel. The company says it doesn’t want sensitive information sent to it, including financial data, and that it uses automated filtering to block potentially sensitive data. Its help center states that it prohibits sending information including bank account or credit card numbers or “information about an individual’s financial account or status.” Still, one specific type of prohibited data, income, was exactly what two tax sites sent to Facebook, The Markup found.

Data sent to Facebook by TaxAct suggests it was also previously sending a parameter labeled “student_loan_interest,” which is now being filtered by the pixel before being sent.

From January to July of this year, The Markup tracked websites’ use of the pixel as part of the Pixel Hunt, a partnership with Mozilla Rally. For the project, participating users installed a browser extension that provided The Markup with a copy of all data shared with Meta via the pixel.

The Markup initially discovered sensitive information was shared by the tax preparers through data shared by Pixel Hunt participants. The Markup then signed up for accounts on the companies’ web applications and used the “Network” section of Chrome DevTools, a tool built into Google’s Chrome browser, to replicate and confirm the data.

Earlier this year, with the help of Pixel Hunt participants, The Markup found sensitive data sent to Facebook on the Education Department’s federal student aid application website, crisis pregnancy websites, and the websites of prominent hospitals.

Meta collects so much data even the company itself sometimes may be unaware of where it ends up. Earlier this year Vice reported on a leaked Facebook document written by Facebook privacy engineers who said the company did not “have an adequate level of control and explainability over how our systems use data,” making it difficult to promise it wouldn’t use certain data for certain purposes.

At the time, a company spokesperson told Vice that Facebook has “extensive processes and controls to manage data and comply with privacy regulations.”

In response to The Markup’s questions about the tax websites’ use of the pixel, Dale Hogan, a spokesperson for Meta, pointed to the company’s rules on sensitive financial information. “Advertisers should not send sensitive information about people through our Business Tools,” Hogan wrote in an emailed statement. “Doing so is against our policies and we educate advertisers on properly setting up Business tools to prevent this from occurring. Our system is designed to filter out potentially sensitive data it is able to detect.”

Google spokesperson Jackie Berté said in an email that the company “has strict policies against advertising to people based on sensitive information” and that Google Analytics data “is obfuscated, meaning it is not tied back to an individual and our policies prohibit customers from sending us data that could be used to identify a user.”
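As an added example (not The Markup’s tooling and not Meta’s code), the audit below classifies captured pixel beacon URLs along the three collection paths described above, page data, custom-event parameters and hashed advanced-matching fields, and shows why a hashed first name is “generally reversible.” The `ud[...]` and `cd[...]` parameter names and the SHA-256 normalisation are assumptions about the pixel’s request format, and the sample requests are constructed, not real captures.

```python
"""Audit captured Meta Pixel requests for the kinds of tax data the article describes.

Added example, not The Markup's tooling. The request lines are constructed to mirror
the three collection paths the article names: page URL/title collection, custom
events carrying dollar amounts, and automatic advanced matching with hashed names.
The "ud[...]" (hashed user data) and "cd[...]" (custom data) parameter names are
assumptions about the pixel's request format; check them against a live capture
in the DevTools Network tab before relying on them.
"""
import hashlib
from urllib.parse import parse_qs, urlsplit

# Terms indicating "information about an individual's financial account or
# status" or other tax-return details (the categories the article says leaked).
FINANCIAL_TERMS = ("income", "refund", "loan", "interest", "hsa",
                   "savings", "tuition", "scholarship", "filing_status")


def sha256_lower(value):
    """Hash a value the way advanced matching normalises PII (trimmed, lowercased).
    Assumption: SHA-256 of the normalised string, hex encoded."""
    return hashlib.sha256(value.strip().lower().encode()).hexdigest()


def pixel_request_findings(url):
    """Classify every parameter of one pixel request.

    Returns a list of (category, key, value) tuples; empty for requests that are
    not pixel beacons or that carry nothing sensitive.
    """
    parts = urlsplit(url)
    if not parts.netloc.endswith("facebook.com") or not parts.path.startswith("/tr"):
        return []
    findings = []
    for key, values in parse_qs(parts.query, keep_blank_values=True).items():
        value = values[0]
        haystack = (key + " " + value).lower()
        if key.startswith("ud["):
            # Advanced matching: hashed PII with tiny input space, hence reversible.
            category = "hashed_pii"
        elif any(term in haystack for term in FINANCIAL_TERMS):
            # Either a custom-event parameter (cd[...]) set by the site operator,
            # or default collection such as the page URL (dl) naming a tax topic.
            category = "custom_event_financial" if key.startswith("cd[") else "page_data_financial"
        else:
            continue
        findings.append((category, key, value))
    return findings


def audit(urls):
    """Count findings per category across a capture; useful as a regression check
    after a site says it has removed or reconfigured the pixel."""
    counts = {}
    for url in urls:
        for category, _key, _value in pixel_request_findings(url):
            counts[category] = counts.get(category, 0) + 1
    return counts


def recover_hashed_name(hex_digest, candidate_names):
    """Show why hashing does not protect a first name: the input space is so
    small that a short dictionary of common names finds the preimage."""
    for name in candidate_names:
        if sha256_lower(name) == hex_digest:
            return name
    return None


# Constructed sample capture (not real traffic from any tax site).
SAMPLE_REQUESTS = [
    # Default PageView whose page URL names a tax topic.
    "https://www.facebook.com/tr/?id=000000000000000&ev=PageView"
    "&dl=https%3A%2F%2Ftax-site.example%2Freview%2Fhealth-savings-account",
    # Custom event, as a site operator would have to configure it, with dollar amounts.
    "https://www.facebook.com/tr/?id=000000000000000&ev=ReturnSummary"
    "&cd[adjusted_gross_income]=54000&cd[refund_amount]=1200",
    # Automatic advanced matching: a dependent's hashed first name.
    "https://www.facebook.com/tr/?id=000000000000000&ev=PageView&ud[fn]=" + sha256_lower("Alice"),
    # Unrelated first-party request; must be ignored even though it mentions income.
    "https://tax-site.example/api/ping?topic=income",
]

if __name__ == "__main__":
    for url in SAMPLE_REQUESTS:
        for finding in pixel_request_findings(url):
            print(finding)
    print(audit(SAMPLE_REQUESTS))
```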

The IRS Closely Regulates Tax Data

Nina Olson, the executive director of the nonprofit Center for Taxpayer Rights, was the national taxpayer advocate at the Internal Revenue Service between 2001 and 2019, a position in the agency meant to represent the interests of taxpayers. As part of her role at the IRS, she said, she contributed to the development of regulations that govern disclosures of tax information. Olson said the IRS regulations controlling the way private tax filing services can use data are intentionally “very strong.”

Under the regulations she helped develop, tax preparers—including e-filing companies—can use the information they receive from taxpayers only for limited purposes; for anything beyond immediately facilitating filing, the preparer has to get signed consent from the user that explains the recipient and the precise information being disclosed.

The government goes so far as to prescribe even the font size of requests for disclosure, saying it must be “the same size as, or larger than, the normal or standard body text used by the website or software package.” The penalties for disclosing data without consent are potentially steep: Fines and even jail time are possible, although Olson said she wasn’t aware of any criminal cases that have been pursued.

The Markup reviewed the tax preparation websites for disclosures that specifically mentioned Meta or Facebook but did not find them. Instead, some companies included relatively broad disclosure agreements.

TaxAct, for example, requested users approve sending their tax information to its sister company, TaxSmart Research LLC, so it could “develop, offer, and provide products and services” for users. It also stated “TaxSmart Research LLC may use service providers and business partners to accomplish these tasks.” H&R Block, meanwhile, included nearly the same disclosure request so “H&R Block Personalized Services, LLC” could provide products of its own. Those sites provided the user with the option to decline to share tax information, although data was shared with Facebook regardless of what option users chose, according to The Markup’s tests.

Any disclosure from a tax preparer must provide the exact purpose and recipient to be in compliance, Olson said. “Do they have a list saying they’re going to disclose the refund amounts, and your children, and your whatever to Facebook?” she said. If not, she said, they may be in violation of regulations.

The IRS declined to comment or answer questions about whether any of the sites sharing tax information were in violation of tax law.

No Way Out for Taxpayers

American taxpayers have few options but to turn to private companies to file their returns.

Unlike other countries, the United States has a heavily privatized system for filing taxes, one that often requires the use of third-party tax preparers. While in those other countries the government handles the calculations, and taxpayers simply approve the numbers, after a successful lobbying push from private companies, tax preparers in the U.S. effectively act as middlemen between taxpayers and the government.

Tax preparation is now big business: Market researchers have estimated that it’s a more than $11 billion industry in the United States.

A free preparation and filing option exists, but it’s limited to people making $73,000 or less and can be difficult to use. Companies offer their tax software at no charge through an agreement with the IRS but have been criticized for not making the option easily available.

The IRS even effectively directs taxpayers attempting to file for free to some of the companies The Markup found using the pixel. A handful of tax preparation services are part of the agreement, known as the Free File Alliance—including TaxAct and TaxSlayer. TurboTax and H&R Block have been part of the program in the past.

Harvard’s Matlock said The Markup’s findings showed the almost inevitable consequences of relying on for-profit companies to handle a government requirement. It’s a process that provides users little choice but to hand over their data to Facebook if they want to comply with the law, she said.

“It’s frustrating because taxpayers have been pushed into the arms of these private, for-profit companies simply to comply with their tax filing obligations,” she said. “We have no choice, really, in the matter.”

Updated Nov. 23, 2022
This story has been updated to note when individual filing services stopped sharing customer tax data through the Meta Pixel.

Graham Cluley, October 13, 2022

Boffins at the University of Glasgow, in Scotland, have developed a system which they claim demonstrates a new type of cybersecurity threat: a “thermal attack.”

According to the researchers, the falling price of heat-detecting thermal imaging cameras and advances in machine learning have made it more feasible to guess what passwords a target may have entered on a keyboard, up to a minute after typing them.

Dr Mohamed Khamis led the development of ThermoSecure, a system that used a thermal imaging camera to identify which keys were last touched by an individual, and then guessed the passwords and PINs entered on keyboards and ATM keypads.

In a press release announcing their findings, the experts described a possible attack scenario.

A passerby carrying a thermal camera can take a picture of a keyboard that reveals the heat signature of where fingers have recently made contact.

The brighter an area appears in the thermal image, the more recently it was touched. By measuring the relative intensity of the warmer areas, it is possible to determine the specific letters, numbers or symbols that make up the password and estimate the order in which they were used. From there, attackers can try different combinations to crack users’ passwords.

To put their system to the test, the researchers took 1,500 thermal photos from different angles of recently-used QWERTY keyboards.

The team then “trained an artificial intelligence model to effectively read the images and make informed guesses about the passwords from the heat signature clues using a probabilistic model.”

According to the research, 86% of passwords were correctly revealed when thermal images were taken within 20 seconds, 76% when images were taken within 30 seconds of entry, and a still impressive 62% after 60 seconds.

As you can probably imagine, success rates increased as passwords grew shorter. 12-symbol passwords were guessed up to 82% of the time, eight-symbol passwords were guessed on 93% of occasions, and six-symbol passwords were broken in 100% of attempts.

The researchers reported that they could even tackle longer passwords of 16 characters with a 67% success rate within 20 seconds.

And there’s bad news for slower “hunt-and-peck” typists who enter their passwords more slowly as they search for the right key to press. According to the researchers, non-touch typists tend to leave their fingers on keys for longer, creating heat signatures that reside for a longer period of time.

Dr Khamis believes it is “very likely” that criminals are developing systems similar to ThermoSecure to steal passwords.

“Access to thermal imaging cameras is more affordable than ever – they can be found for less than £200 – and machine learning is becoming increasingly accessible too,” he said.

My advice?

  • It’s generally better to use longer hard-to-guess passwords or passphrases than shorter passwords – but you knew that already, right?
  • If you’re nervous, use a backlit keyboard. These produce more heat, making it trickier for thermal readings to be taken accurately.
  • In a similar vein, the material used to make your keycaps makes a difference. ABS keycaps (made of Acrylonitrile Butadiene Styrene) retain heat for longer than those made of PBT (Polybutylene Terephthalate).
  • Ensure that your accounts are secured by additional methods of authentication (such as 2FA or biometrics) rather than just a single password.
  • Keep an eye open for anyone lurking nearby with a thermal imaging camera!

Too young to drive, old enough to bribe AT&T staff, apparently

Sat 15 Oct 2022 // 01:07 UTC

A man who lost $24 million in cryptocurrency in an elaborate SIM swapping scam has won a multi-million-dollar judgment against the thief, who was 15 at the time of the hustle.

According to court documents [PDF] filed Friday in federal New York City court, Ellis Pinsky agreed to pay Michael Terpin $22 million for his starring role in the SIM swap and crypto heist. Pinsky was a New York high school student at the time of the theft in 2018, and it’s said he paid back $2 million about a year later to his victim.

Pinsky, now 20, has also agreed to testify against AT&T, according to Terpin. In a LinkedIn post earlier today, the blockchain investor told his followers of his civil lawsuit win:

[Pinsky] will be held responsible for $22 million (the amount he and his fellow gang members stole, minus a $2 mm credit for paying us back a small portion in 2019). Equally importantly is his agreement to provide evidence and testimony against AT&T in our upcoming May 2023 trial in federal court in Los Angeles.

Pinsky has not, to the very best of our knowledge, been charged with any crime, and it’s presumed this is because he was a minor at the time of the theft, and because he cooperated immediately with the Feds a couple of years ago when investigators homed in on him. In a Rolling Stone interview over the summer, Pinsky – dubbed Baby Al Capone by the media – admitted he swiped millions in crypto-coins from Terpin via a SIM swap.

According to that article, Pinsky said he wrote a Python script that would search social media for people who appeared to work for cellular networks, and would privately message them. Pinsky would, we’re told, offer those employees a small amount of Bitcoin to perform SIM swaps, aka port outs.

This basically reassigns a victim’s phone number to the SIM in the scammer’s phone so that the scammer receives that number’s calls and texts. Once that happens, the crook can request a password reset for the target’s webmail account, with the one-time verification code texted to the thief. Now in control of the email account and phone number, the thief can start going through all of the victim’s online accounts and apps, resetting passwords with the links and texts going to the webmail or hijacked phone number, logging in, and stealing any (say) cryptocurrencies found.

Which, according to Pinsky, is what he did to Terpin: after an AT&T worker did the SIM swap, he and an accomplice found a file in an Outlook account loaded with crypto wallet information, which was then used to siphon off the money. Specifically, it’s claimed, Pinsky and his co-conspirator stole 3 million TRIG coins, each worth more than $7 at the time, and laundered them into Bitcoins. TRIG has since crashed to less than 20 cents a coin.

The other side

Terpin sued AT&T for $240 million in 2018 for repeatedly failing to protect his cellphone from the teenage scammer. It’s been a long, drawn-out case, full of legal maneuvering on both sides, but here’s the gist of what Terpin said happened to his phone — and in court rooms since then.

According to Terpin’s first lawsuit [PDF], in June 2017 a fraudster posing as Terpin convinced an AT&T employee at a store in Connecticut to transfer Terpin’s phone number to another SIM card — after 11 earlier attempts at the scam in other stores had failed.

The miscreant then used his access to Terpin’s phone number to gain access to his cryptocurrency holdings, and transferred millions of dollars to a different account.

Terpin complained to AT&T, and the carrier agreed to put additional security policies in place where any future changes would require someone to not only provide ID but also supply a special six-digit code that only he and his wife knew.

Despite this, in January 2018, fraudsters again hijacked his phone number and, again, broke into his cryptocurrency accounts, ultimately stealing $24 million worth of digital coins. “The purloined telephone number was accessed to hack Mr Terpin’s accounts, resulting in the loss of nearly $24 million of cryptocurrency coins,” the lawsuit stated.

In February 2020, a judge dismissed AT&T’s effort to dismiss the case, noting that Terpin had provided sufficient proof that the US telco giant should defend its position in front of a jury.

Later that year, a judge threw out a $200 million damages claim Terpin had filed against AT&T, but allowed the rest of the case to move forward. It is slated for a federal court in Los Angeles in May.

Interestingly enough, Pinsky told Rolling Stone he returned all he could from the Terpin heist – 562 Bitcoins, his share of the spoils with his co-conspirator – a couple of years ago when he realized the jig was up. In 2020, that BTC would be worth $2 million, which Terpin alluded to in his statement above. At their peak in November last year, those Bitcoins would be worth about $40 million, and today: about $11 million. In any case, Pinsky’s now agreed to pay Terpin, one way or another, $22 million. ®