Showing results for tags 'data breach'.
  1. T-Mobile Investigating Claims of Massive Data Breach

Communications giant T-Mobile said today it is investigating the extent of a breach that hackers claim has exposed sensitive personal data on 100 million T-Mobile USA customers, in many cases including the name, Social Security number, address, date of birth, phone number, security PINs and details that uniquely identify each customer's mobile device.

On Sunday, Vice.com broke the news that someone was selling data on 100 million people, and that the data came from T-Mobile. In a statement published on its website today, the company confirmed it had suffered an intrusion involving "some T-Mobile data," but said it was too soon in its investigation to know what was stolen and how many customers might be affected.

[Image: A sales thread tied to the allegedly stolen T-Mobile customer data.]

"We have determined that unauthorized access to some T-Mobile data occurred, however we have not yet determined that there is any personal customer data involved," T-Mobile wrote.

"We are confident that the entry point used to gain access has been closed, and we are continuing our deep technical review of the situation across our systems to identify the nature of any data that was illegally accessed," the statement continued. "This investigation will take some time but we are working with the highest degree of urgency. Until we have completed this assessment we cannot confirm the reported number of records affected or the validity of statements made by others."

The intrusion came to light on Twitter when the account @und0xxed started tweeting the details. Reached via direct message, Und0xxed said they were not involved in stealing the databases but were instead in charge of finding buyers for the stolen T-Mobile customer data.

Und0xxed said the hackers found an opening in T-Mobile's wireless data network that allowed access to two of T-Mobile's customer data centers. From there, the intruders were able to dump a number of customer databases totaling more than 100 gigabytes.

They claim one of those databases holds the name, date of birth, SSN, driver's license information, plaintext security PIN, address and phone number of 36 million T-Mobile customers in the United States, all going back to the mid-1990s.

The hacker(s) claim the purloined data also includes IMSI and IMEI data for 36 million customers. The IMEI is a unique number embedded in the handset that identifies the device; the IMSI is stored on the SIM card and identifies the subscriber whose device the carrier ties to a telephone number.

"If you want to verify that I have access to the data/the data is real, just give me a T-Mobile number and I'll run a lookup for you and return the IMEI and IMSI of the phone currently attached to the number and any other details," @und0xxed said. "All T-Mobile USA prepaid and postpaid customers are affected; Sprint and the other telecoms that T-Mobile owns are unaffected."

Other databases allegedly accessed by the intruders included one for prepaid accounts, which had far fewer details about customers.

"Prepaid customers usually are just phone number and IMEI and IMSI," Und0xxed said. "Also, the collection of databases includes historical entries, and many phone numbers have 10 or 20 IMEIs attached to them over the years, and the service dates are provided. There's also a database that includes credit card numbers with six digits of the cards obfuscated."

T-Mobile declined to comment beyond what the company said in its blog post today.

In 2015, a computer breach at big three credit bureau Experian exposed the Social Security numbers and other data on 15 million people who applied for financing from T-Mobile.

Like other mobile providers, T-Mobile is locked in a constant battle with scammers who target its own employees in SIM swapping attacks and other techniques to wrest control over employee accounts that can provide backdoor access to customer data. In at least one case, retail store employees were complicit in the account takeovers.

WHO HACKED T-MOBILE?

The Twitter profile for the account @Und0xxed includes a shout out to @IntelSecrets, the Twitter account of a fairly elusive hacker who also has gone by the handles IRDev and V0rtex. Asked if @IntelSecrets was involved in the T-Mobile intrusion, @und0xxed confirmed that it was.

The IntelSecrets nicknames correspond to an individual who has claimed responsibility for modifying the source code for the Mirai "Internet of Things" botnet to create a variant known as "Satori," and supplying it to others who used it for criminal gain and were later caught and prosecuted, such as Kenny "NexusZeta" Schuchmann, who pleaded guilty in 2019 to operating the Satori botnet. Two other young men have been charged in connection with Satori, but not IntelSecrets.

How do we know all this about IntelSecrets/IRDev/V0rtex? That identity has acknowledged as much in a series of bizarre lawsuits filed by a person who claims their real name is John Erin Binns. The same Binns identity operates the website intelsecrets[.]su.

On that site, Binns claims he fled to Germany and Turkey to evade prosecution in the Satori case, only to be kidnapped in Turkey and subjected to various forms of psychological and physical torture. According to Binns, the U.S. Central Intelligence Agency (CIA) falsely told their counterparts in Turkey that he was a supporter or member of the Islamic State (ISIS), a claim he says led to his alleged capture and torture by the Turks.

Since then, Binns has filed a flood of lawsuits naming various federal agencies, including the FBI, the CIA, and the U.S. Special Operations Command, demanding that the government turn over information collected about him and seeking restitution for his alleged kidnapping at the hands of the CIA.

Speaking to the researcher Alon Gal (@underthebreach), the hackers responsible for the T-Mobile intrusion said they did it to "retaliate against the US for the kidnapping and torture of John Erin Binns in Germany by the CIA and Turkish intelligence agents in 2019. We did it to harm US infrastructure."

Source: T-Mobile Investigating Claims of Massive Data Breach
  2. Carnival Cruise hit by data breach, warns of data misuse risk

Carnival Corporation, the world's largest cruise ship operator, has disclosed a data breach after attackers gained access to some of its IT systems and the personal, financial, and health information belonging to customers, employees, and crew.

Carnival is included in both the S&P 500 and FTSE 100 stock market indices, has more than 150,000 employees in roughly 150 countries, and provides leisure travel to roughly 13 million guests each year. The company operates nine of the world's leading cruise line brands (Carnival Cruise Line, Costa, P&O Australia, P&O Cruises, Princess Cruises, Holland America Line, AIDA, Cunard, and Seabourn) and a travel tour company (Holland America Princess Alaska Tours).

Data misuse risk warning

"Unauthorized third-party access to a limited number of email accounts was detected on March 19, 2021," the cruise line operator says in a data breach notification letter recently sent to affected customers.

However, Carnival's SVP & Chief Communications Officer Roger Frizzell told BleepingComputer after the article was published that the attackers gained access to "limited portions of its information technology systems."

"It appears that in mid-March, the unauthorized third-party gained access to certain personal information relating to some of our guests, employees, and crew.

"The impacted information includes data routinely collected during the guest experience and travel booking process or through the course of employment or providing services to the Company, including COVID or other safety testing."

According to Carnival, the accessed information included names, addresses, phone numbers, passport numbers, dates of birth, health information, and, in some limited instances, additional personal information like Social Security or national identification numbers.

The cruise line operator also warned impacted customers, employees, as well as Carnival Cruise Line, Holland America Line, Princess Cruises, and medical operations crew that they found evidence indicating "a low likelihood of the data being misused."

Hit by ransomware twice in one year

BleepingComputer previously reported that a ransomware attack also hit Carnival in August 2020, an incident confirmed by the cruise line operator in an 8-K form filed with the US Securities and Exchange Commission (SEC). Two months later, Carnival said in a separate SEC filing that the ransomware gang behind the August attack gained access to the personal information of both customers and employees during the attack.

Roughly 37,500 individuals were affected by the August ransomware attack, according to info filed by Carnival with the Office of Maine's Attorney General.

The August ransomware attack came after a data breach disclosed in March 2020 that also led to the exposure of customers' personal and financial info after threat actors gained access to Carnival employees' email accounts.

In December 2020, Carnival was hit by a second (previously undisclosed) ransomware attack with "investigation and remediation phases" still ongoing, according to a 10-Q form filed with the SEC in April 2021.

"There is currently no indication of any misuse of information potentially accessed or acquired and we continue to work with regulators to bring these matters and other reportable incidents to conclusion," Carnival said about the December 2020 ransomware incident.

BleepingComputer reported at the time that the German cruise line and Carnival subsidiary AIDA Cruises was dealing with mysterious "IT restrictions" that led to the cancellation of their New Year's Eve cruises. Costa Crociere, another Carnival subsidiary, was also affected by an IT outage around the December ransomware attack that prevented customers from booking trips via the cruise line's online reservation system.

AIDA Cruises, Costa Crociere, and Carnival Corporation did not reply to BleepingComputer emails regarding the disruptions and trip cancellations.

Update: Added info provided by Roger Frizzell, Carnival's SVP & Chief Communications Officer.

Source: Carnival Cruise hit by data breach, warns of data misuse risk
  3. Largest US propane distributor discloses '8-second' data breach

America's largest propane provider, AmeriGas, has disclosed a data breach that lasted only seconds but impacted 123 employees and one New Hampshire resident. AmeriGas serves over 2 million customers in all 50 U.S. states and has over 2,500 distribution locations.

Data breach lasted '8 seconds', impacted 123 employees

This month, AmeriGas issued a data breach notification letter to the New Hampshire Attorney General's Office. The data breach, however, originated at J. J. Keller, a vendor responsible for providing Department of Transportation (DOT) compliance services to AmeriGas. These services include helping AmeriGas with conducting driving record checks, drug and alcohol testing for drivers, and other DOT-imposed regulatory checks.

On May 10th, J. J. Keller detected suspicious activity on their systems associated with a company email account. The vendor promptly began investigating their network and discovered that a J. J. Keller employee had fallen victim to a phishing email, leading to a compromise of their account. During this brief access window the threat actor(s) could view certain files present within the employee's compromised account.

After resetting the employee's account credentials, J. J. Keller promptly began forensic work to determine the full scope of this breach. By May 21st, J. J. Keller notified AmeriGas that this eight-second breach exposed records of 123 AmeriGas employees present in the files viewable to the attacker.

"According to J.J. Keller, during the 8-second breach, the bad actor had access to an internal email with spreadsheet attachments containing 123 AmeriGas employees' information, including Lab IDs, social security numbers, driver's license numbers, and dates of birth."

"To date, we are unaware of any actual or attempted misuse of this personal data as a result of this incident," disclosed AmeriGas in a sample data breach notification letter dated June 4th, 2021.

Also exposed in the breach was the information of just one New Hampshire resident, who has since been notified of the incident and been provided with free credit monitoring services. At this time, there is no indication that any employee information was copied or misused.

Second security incident concerning AmeriGas this year

This incident marks the second data breach incident concerning AmeriGas this year. In March 2021, AmeriGas disclosed an attempted data breach, in which a company customer service agent was fired for potentially misusing customer credit card information. According to AmeriGas, some customers phoning AmeriGas customer service had verbally disclosed their credit card information to this representative, who may have misused this information to make unauthorized purchases.

At the time the company said:

"We recently detected that there were unauthorized disclosures of credit card information to one of our customer service agents."

"We do not know whether your credit card information was shared but are writing in an abundance of caution."

"We investigated the issue as a precaution to further secure your information."

"The agent involved has been terminated and we have already implemented additional safeguards," the company disclosed at the time.

Cyber-attacks and incidents against critical energy companies are continuing to grow, prompting the need for stepping up security controls and awareness training across organizations.

Source: Largest US propane distributor discloses '8-second' data breach
  4. Intuit notifies customers of hacked TurboTax accounts

Financial software company Intuit has notified TurboTax customers that some of their personal and financial information was accessed by attackers following what looks like a series of account takeover attacks. In a breach notification letter sent to affected customers earlier this month, the company said that this was not a "systemic data breach of Intuit."

In account takeover attacks, cybercriminals gain access to their victims' accounts using credentials stolen from other online services following past data breaches. This type of attack works incredibly well against targets who use the same login credentials for multiple sites or services.

TurboTax accounts hacked using reused credentials

Intuit discovered during a security review that an undisclosed number of TurboTax accounts were breached and customer info was exposed. The company's investigation revealed that the threat actors used credentials (usernames and passwords) obtained from "a non-Intuit source" to gain access to the accounts.

"By accessing your account, the unauthorized party may have obtained information contained in a prior year's tax return or your current tax return in progress, such as your name, Social Security number, address(es), date of birth, driver's license number and financial information (e.g., salary and deductions), and information of other individuals contained in the tax return," Intuit explained.

"We deeply regret that this incident may affect you. Intuit has taken various measures to help ensure that the accounts of affected customers are protected. We are notifying you so you can take steps to help protect your information," the company added.

After discovering the attacks, Intuit temporarily disabled the breached TurboTax accounts. Users who had their accounts deactivated must contact Intuit's Customer Care department at 1-800-944-8596 and say "Security" when prompted. Afterward, Intuit employees will walk them through an identity verification procedure designed to help reactivate the accounts.

Previous alerts of threat actors taking over TurboTax accounts

This is not the first time attackers have successfully hacked into TurboTax users' accounts and stolen financial and personal information. TurboTax customers were previously targeted in at least three other series of account takeover attacks in 2014/2015 and again in 2019.

Just as after the previous three incidents, Intuit provides one year of free identity protection, credit monitoring, and Experian IdentityWorks identity restoration services to impacted customers.

Intuit and TurboTax spokespersons were not available for comment when contacted by BleepingComputer earlier for further info on the breach dates and the number of impacted accounts.

Source: Intuit notifies customers of hacked TurboTax accounts
  5. McDonald's discloses data breach after theft of customer, employee info

McDonald's, the largest fast-food chain globally, has disclosed a data breach after hackers breached its systems and stole information belonging to customers and employees from the US, South Korea, and Taiwan.

As the world's leading global foodservice retailer, McDonald's serves tens of millions of customers every day in more than 39,000 locations in over 100 countries, including roughly 14,000 restaurants in the US alone.

No customer payment information exposed

Today, the company said that threat actors breached its systems in multiple markets worldwide, as discovered following an investigation conducted by external security consultants.

McDonald's also told US employees that the attackers could only steal business contact info belonging to US employees and franchises that wasn't personal or sensitive, as first reported by WSJ.

The threat actors also stole personal information (including names, emails, phone numbers, and addresses) from customers in South Korea and Taiwan. However, the number of customer documents exposed in the incident was small, and the breach did not impact customers' payment info in any way.

"While we were able to close off access quickly after identification, our investigation has determined that a small number of files were accessed, some of which contained personal data," McDonald's said in a statement to BleepingComputer.

"Based on our investigation, only Korea and Taiwan had customer personal data accessed, and they will be taking steps to notify regulators and customers listed in these files.

"No customer payment information was contained in these files. In the coming days, a few additional markets will take steps to address files that contained employee personal data."

The fast-food chain is currently notifying affected customers and relevant authorities in all impacted markets.

Statement from McDonald's:

"McDonald's understands the importance of effective security measures to protect information, which is why we've made substantial investments to implement multiple security tools as part of our in-depth cybersecurity defense. These tools allowed us to quickly identify and contain recent unauthorized activity on our network. A thorough investigation was conducted, and we worked with experienced third parties to support this investigation."

Not the first rodeo

This is not the first time McDonald's has had to deal with a security incident in recent years. In 2017, the company was forced to fix a cross-site scripting (XSS) vulnerability affecting its official website and exposing customers' plain text passwords.

As revealed by security researcher Tijme Gommers, who discovered the bug, attackers could have exploited the security flaw by crafting a malicious link. When clicked by a target, it would extract and decrypt password data from a local cookie and send it to the attacker in cleartext.

Extracting any user's password was possible because McDonald's stored password information in a cookie protected using the same key and initialization vector for all users, so the script running in the victim's browser already had everything needed to decrypt it.

In related news, gaming giant Electronic Arts (EA) also confirmed on Thursday that threat actors hacked its network and stole "a limited amount of code and related tools."

Update: Added McDonald's statement.

Source: McDonald's discloses data breach after theft of customer, employee info
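The cookie weakness described above, shown beside the hardened design, as an added example. This is not code from the article, from Tijme Gommers' research or from McDonald's site: the cipher is a stand-in (an HMAC-SHA256 keystream XORed with the plaintext) for whatever mode the site used, and STATIC_KEY and STATIC_IV are made-up values standing in for constants that, in the real flaw, were reachable from script in the page. The two properties it demonstrates hold for any cipher driven with one key and one IV for every user: anyone who can read the cookie and knows the client-side constants can decrypt it, and equal passwords yield equal cookies. The hardened half (PBKDF2 hashing, opaque session ids) is the standard replacement, not something the article attributes to McDonald's.

```python
"""A password kept in a cookie under a fixed key and IV, beside the hardened
design. Added example; the cipher is a stand-in for the real site's mode."""
import base64
import hashlib
import hmac
import secrets

STATIC_KEY = b"0123456789abcdef0123456789abcdef"  # hypothetical, shipped to every browser
STATIC_IV = b"fedcba9876543210"                   # hypothetical, identical for every user
PBKDF2_ROUNDS = 200_000


def _keystream(key, iv, length):
    """Deterministic keystream: the same key and IV always yield the same bytes."""
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, iv + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def legacy_cookie(password):
    """Vulnerable pattern: the password itself, 'encrypted' with public constants."""
    data = password.encode()
    ct = bytes(a ^ b for a, b in zip(data, _keystream(STATIC_KEY, STATIC_IV, len(data))))
    return base64.urlsafe_b64encode(ct).decode()


def legacy_decrypt(cookie):
    """What an XSS payload can do: read document.cookie and undo the 'protection'
    with the same constants the page itself uses."""
    ct = base64.urlsafe_b64decode(cookie)
    return bytes(a ^ b for a, b in zip(ct, _keystream(STATIC_KEY, STATIC_IV, len(ct)))).decode()


# Hardened pattern: the browser only ever holds an opaque random session id.
# The server keeps a salted PBKDF2 hash of the password and a session table,
# so nothing in the cookie can be turned back into a password.
SESSIONS = {}


def hash_password(password, salt=None):
    """Salted, slow hash for storage; returns (salt, digest)."""
    salt = salt or secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def verify_password(password, salt, digest):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


def issue_session(username):
    """Random, unguessable token that carries no user secret."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = username
    return token


def user_for_session(token):
    return SESSIONS.get(token)


if __name__ == "__main__":
    stolen = legacy_cookie("hunter2")
    print("XSS payload recovers:", legacy_decrypt(stolen))
    print("same password, same cookie:", stolen == legacy_cookie("hunter2"))
    salt, digest = hash_password("hunter2")
    print("hardened login ok:", verify_password("hunter2", salt, digest),
          "session:", user_for_session(issue_session("alice")))
```

The decisive point is the second property as much as the first: with one key and IV for everyone, the cookies are deterministic, so an attacker holding a dump of cookies can match users who share a password without decrypting anything, and any one decryption key unlocks all of them.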
  6. Hackers breach gaming giant Electronic Arts, steal game source code

Hackers have breached the network of gaming giant Electronic Arts (EA) and claim to have stolen roughly 750 GB of data, including game source code and debug tools.

EA confirmed the data breach in a statement sent to BleepingComputer saying that this "was not a ransomware attack, that a limited amount of code and related tools were stolen, and we do not expect any impact to our games or our business."

BleepingComputer spoke to the threat actor selling EA's data, who claims to have stolen the full FIFA source, EA game clients, and points used as in-game currency. In-game points have been known to be used by cybercriminals for money laundering purposes. When asked how they gained access to EA's network they would not provide further details.

Stolen EA data worth $28 million

The attackers claim to have access to all of EA's services, telling customers willing to pay $28 million for the stolen data that they will also gain "full capability of exploiting on all ea services," as first reported by Motherboard.

In all, the hackers claim to have stolen a massive trove of data from EA's network, including:

  • FrostBite game engine source code and debug tools
  • FIFA 21 matchmaking server code
  • FIFA 22 API keys and SDK & debug tools
  • debug tools, SDK, and API keys
  • proprietary EA games frameworks
  • XBOX and SONY private SDK & API key
  • XB PS and EA pfx and crt with key

They also shared screenshots of directory listings and source code as proof that the stolen information is legitimate. BleepingComputer found the attackers' posts promoting the stolen data on various marketplaces and hacking forums using Kela's Dark Beast intelligence service.

[Image: EA data up for sale (BleepingComputer)]

No game or business impact expected

"We are investigating a recent incident of intrusion into our network where a limited amount of game source code and related tools were stolen," an EA spokesperson told BleepingComputer.

"No player data was accessed, and we have no reason to believe there is any risk to player privacy.

"Following the incident, we've already made security improvements and do not expect any impact on our games or our business.

"We are actively working with law enforcement officials and other experts as part of this ongoing criminal investigation."

EA is a game developer and publisher behind multiple high-profile brands such as Madden NFL, EA SPORTS FIFA, Battlefield, The Sims, and Need for Speed. EA also has over 450 million registered players worldwide and posted GAAP net revenue of $5.5 billion for the fiscal year 2020.

Source: Hackers breach gaming giant Electronic Arts, steal game source code
  7. Japanese government agencies suffer data breaches after Fujitsu hack

Offices of multiple Japanese agencies were breached via Fujitsu's "ProjectWEB" information sharing tool. Fujitsu states that attackers gained unauthorized access to projects that used ProjectWEB, and stole some customer data. It is not yet clear whether this breach occurred because of a vulnerability exploit or a targeted supply-chain attack, and an investigation is ongoing.

Attackers accessed at least 76,000 email addresses

Yesterday, the Ministry of Land, Infrastructure, Transport and Tourism and the National Cyber Security Center (NISC) of Japan announced that attackers were able to obtain inside information via Fujitsu's information-sharing tool. Fujitsu also said that attackers had gained unauthorized access to projects that used ProjectWEB, and stolen proprietary data.

Fujitsu's ProjectWEB enables companies and organizations to exchange information internally, with project managers and stakeholders, for example.

[Image: ProjectWEB login screen (Hatena Blog)]

By gaining unauthorized access to government systems via ProjectWEB, attackers were able to obtain at least 76,000 e-mail addresses, and proprietary information, including the e-mail system settings, as confirmed by the Ministry of Land, Infrastructure, Transport, and Tourism.

As of 2009, the tool was in widespread use by approximately 7,800 projects, according to a Fujitsu document seen by BleepingComputer.

[Image: Fujitsu ProjectWEB overview illustrating different use cases of the info-sharing tool]

The exposed email addresses included those of external parties, such as members of the Council of Experts, who have been individually notified.

Japanese press reported that Narita International Airport, located near Tokyo, was impacted as well, since the attackers managed to steal air traffic control data, flight schedules, and business operations data. Additionally, Japan's Ministry of Foreign Affairs suffered a data leak in which some study materials were exposed to unauthorized actors.

As such, the Cabinet Secretariat's national cybersecurity center (NISC) issued multiple advisories [1, 2] alerting government agencies and critical infrastructure organizations using Fujitsu's tool to check for signs of unauthorized access and information leakage.

Fujitsu suspends ProjectWEB online portal

As seen by BleepingComputer, Fujitsu has suspended its ProjectWEB portal while the scope and cause of this incident are being fully investigated. The URL to the login portal has been timing out when access is attempted:

https://pjshr170.soln.jp/IJS02E8/pjwebroot/login.jsp

[Image: Fujitsu ProjectWEB portal shut down after the breach (Source: BleepingComputer)]

Since the ProjectWEB portal was hosted on the "soln.jp" domain, one way to check if your organization has been impacted, or was a customer at some point, is to look for traces of the domain or the aforementioned URL in your network logs (DNS query logs and web proxy logs are the usual places). A hit establishes that hosts in your environment talked to the portal, which is the prerequisite for exposure, not proof of it; Fujitsu says it has informed the customers it believes were affected.

In a press release, Fujitsu states that it will be notifying the relevant authorities and working with its customers to identify the cause of the breach.

BleepingComputer reached out to Fujitsu with specific questions related to the incident, and we were told:

"Fujitsu can confirm unauthorized access to 'Project WEB,' a collaboration & project management software, used for Japanese-based projects."

"Fujitsu is currently conducting a thorough review of this incident, and we are in close consultation with the Japanese authorities. As a precautionary measure, we have suspended [the] use of this tool, and we have informed any potentially impacted customers," a Fujitsu spokesperson told BleepingComputer.

Although disclosure of technical details behind this attack is pending, the incident has echoes of the Accellion file sharing tool hack, which impacted hundreds of customer organizations.

Source: Japanese government agencies suffer data breaches after Fujitsu hack
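The log check suggested in the Fujitsu item above, as an added example that is not part of the article and not Fujitsu or NISC tooling. It assumes two export formats that are common but arbitrary here: a DNS query log with "client=... query=..." fields and a Squid-style proxy access log; the sample lines are constructed for the demonstration. The only values taken from the article are the soln.jp domain and the login URL. The point worth getting right is the matching rule: a substring or bare suffix test on "soln.jp" also fires on look-alike names such as notsoln.jp, and misses upper-case or trailing-dot queries, so the match is done on a label boundary after normalising the host.

```python
"""Look for traces of Fujitsu's ProjectWEB portal in exported network logs.
Added example; formats and sample lines are assumptions, not Fujitsu's."""
import re
from collections import Counter
from urllib.parse import urlparse

# Values from the article: the portal host lived under soln.jp.
PORTAL_DOMAIN = "soln.jp"
PORTAL_LOGIN_URL = "https://pjshr170.soln.jp/IJS02E8/pjwebroot/login.jsp"

# Constructed sample logs (not real traffic). They include a look-alike
# domain, a trailing-dot query and an upper-case query to exercise the rules.
SAMPLE_DNS_LOG = """\
2021-05-24T09:12:01Z client=10.0.4.17 query=pjshr170.soln.jp type=A
2021-05-24T09:12:05Z client=10.0.4.17 query=www.example.com type=A
2021-05-24T09:13:44Z client=10.0.9.2 query=PJSHR170.SOLN.JP. type=AAAA
2021-05-24T09:14:10Z client=10.0.9.2 query=notsoln.jp type=A
"""
SAMPLE_PROXY_LOG = """\
1621847521.123 10.0.4.17 TCP_TUNNEL/200 CONNECT pjshr170.soln.jp:443
1621847530.456 10.0.4.17 TCP_MISS/200 GET https://pjshr170.soln.jp/IJS02E8/pjwebroot/login.jsp
1621847540.789 10.0.7.5 TCP_MISS/200 GET https://intranet.example.com/
1621847550.000 10.0.8.8 TCP_MISS/404 GET https://evil.soln.jp.example.net/
"""

DNS_RE = re.compile(r"client=(?P<client>\S+)\s+query=(?P<qname>\S+)")
# timestamp, client, status/code, method, target
PROXY_RE = re.compile(r"^\S+\s+(?P<client>\S+)\s+\S+\s+\S+\s+(?P<target>\S+)")


def host_matches(host, domain=PORTAL_DOMAIN):
    """True for the domain itself or any subdomain, matched on a label boundary
    after lower-casing, dropping a trailing dot and any :port suffix."""
    host = host.lower().rstrip(".").split(":")[0]
    return host == domain or host.endswith("." + domain)


def hits_in_dns_log(text):
    """(client, queried name) pairs for lookups of the portal domain."""
    hits = []
    for line in text.splitlines():
        m = DNS_RE.search(line)
        if m and host_matches(m.group("qname")):
            hits.append((m.group("client"), m.group("qname").lower().rstrip(".")))
    return hits


def hits_in_proxy_log(text):
    """(client, target) pairs for CONNECT tunnels or URL requests to the portal."""
    hits = []
    for line in text.splitlines():
        m = PROXY_RE.match(line)
        if not m:
            continue
        target = m.group("target")
        # CONNECT lines carry host:port; other methods carry a full URL.
        host = urlparse(target).hostname if "://" in target else target
        if host and host_matches(host):
            hits.append((m.group("client"), target))
    return hits


def clients_by_hit_count(dns_text, proxy_text):
    """Per-client count of portal contacts across both sources: the hosts to
    look at first when scoping exposure."""
    counts = Counter()
    for client, _ in hits_in_dns_log(dns_text) + hits_in_proxy_log(proxy_text):
        counts[client] += 1
    return dict(counts)


if __name__ == "__main__":
    for client, n in sorted(clients_by_hit_count(SAMPLE_DNS_LOG, SAMPLE_PROXY_LOG).items()):
        print(f"{client}: {n} contact(s) with {PORTAL_DOMAIN}")
```

On the constructed sample the look-alike evil.soln.jp.example.net and notsoln.jp are correctly ignored, while the mixed-case, trailing-dot query still counts. Run it over real exports by replacing the two sample strings with file contents; the regexes will need adjusting to your resolver's and proxy's actual formats.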
  8. Air India data breach impacts 4.5 million customers

Air India disclosed a data breach after personal information belonging to roughly 4.5 million of its customers was leaked, two months following the hack of Passenger Service System provider SITA in February 2021.

The Indian national carrier first informed passengers that SITA was the victim of a cyberattack on March 19.

"This is to inform that SITA PSS our data processor of the passenger service system (which is responsible for storing and processing of personal information of the passengers) had recently been subjected to a cybersecurity attack leading to personal data leak of certain passengers," Air India said in a breach notification sent over the weekend. "This incident affected around 4,500,000 data subjects in the world."

The airline added that the breach impacted the data of passengers registered between August 2011 and February 2021.

After investigating the incident, the airline found that no password data was accessed. Credit card data was among the affected categories, but, as Air India notes below, the data processor does not hold CVV/CVC numbers. Air India nevertheless urges its passengers to change their credentials to block potential breach attempts and ensure their data security.

"The breach involved personal data registered between 26th August 2011 and 3rd February 2021, with details that included name, date of birth, contact information, passport information, ticket information, Star Alliance, and Air India frequent flyer data (but no passwords data were affected) as well as credit cards data," Air India added [PDF]. "However, in respect of this last type of data, CVV/CVC numbers are not held by our data processor."

Statement from Air India:

"The protection of our customers' personal data is of highest importance to us and we deeply regret the inconvenience caused and appreciate the continued support and trust of our passengers."

Data breach impacts Star Alliance members

Almost a dozen more air carriers besides Air India informed passengers that some of their data was accessed during a breach of SITA's Passenger Service System (PSS), which handles transactions from ticket reservations to boarding.

SITA also confirmed the incident, saying that it reached out to affected PSS customers and all related organizations in early March. At the time, a SITA spokesperson told BleepingComputer that the breach impacts data of passengers from multiple airlines, including:

  • Lufthansa: combined with its subsidiaries, the second-largest airline in Europe in terms of passengers carried; Star Alliance member and Miles & More partner
  • Air New Zealand: flag carrier airline of New Zealand
  • Singapore Airlines: flag carrier airline of Singapore
  • SAS: Scandinavian Airlines
  • Cathay Pacific: flag carrier of Hong Kong
  • Jeju Air: the first and largest South Korean low-cost airline
  • Malaysia Airlines: flag carrier airline of Malaysia
  • Finnair: flag carrier and largest airline of Finland

Some of these air carriers (including Air India) are part of the Star Alliance, a global airline network with 26 members, including Lufthansa.

Star Alliance told BleepingComputer that its members also share customer details relevant to awarding travel benefits. The information is limited to membership names, frequent flyer program membership numbers, and program tier status.

Source: Air India data breach impacts 4.5 million customers
  9. First Horizon bank online accounts hacked to steal customers’ funds Bank holding company First Horizon Corporation disclosed the some of its customers had their online banking accounts breached by unknown attackers earlier this month. First Horizon is a regional financial services company with $84 billion in assets that offers banking, capital market, and wealth management services. First Horizon Bank, the company's banking subsidiary, operates a network of hundreds of bank locations in 12 states across the Southeast. Attackers accessed personal info, stole funds First Horizon discovered the attack in mid-April 2021 and said that it only impacted a limited number of customers. As discovered during the investigation, the unknown threat actors could breach the customers' online bank accounts using previously stolen credentials and by exploiting a vulnerability in third-party software. "Using the credentials and exploiting a vulnerability in third-party security software, the unauthorized party gained unauthorized access to under 200 on-line customer bank accounts," First Horizon added in an 8-K form filed with the U.S. Securities and Exchange Commission (SEC) on Wednesday. The attackers were also able to gain access to customer information stored in the breached accounts and drain funds from some of them before their intrusion was discovered. The financial services firm revealed that they "fraudulently obtained an aggregate of less than $1 million from some of those accounts." Customers reimbursed after breach The bank holding firm reimbursed all the impacted customers for their stolen funds after discovering the data breach. First Horizon also notified relevant data regulators and law enforcement agencies and opened new banking accounts for affected customers. The company also remediated the software vulnerability exploited by the attackers during the incident and reset the passwords for impacted accounts. 
"Based on its ongoing assessment of the incident to date, the Company does not believe that this event will have a material adverse effect on its business, results of operations or financial condition," First Horizon concluded. While First Horizon did not provide any info on the exploited third-party software, massive collections of stolen user credentials potentially reused on multiple sites have been sold or leaked for free by various threat actors for years. The most recent examples are tens of millions of user records containing personal data and credentials belonging to ParkMobile, BigBasket, and Nitro PDF customers shared for free on hacking forums. First Horizon Bank division IBERIABANK Mortgage disclosed another data breach spanning almost two years and exposing customers' personal info a day after its parent company merged with First Horizon Bank on July 3rd, 2020. A First Horizon spokesperson was not available for comment when contacted by BleepingComputer earlier today for more details regarding the breach disclosed earlier this week. Source: First Horizon bank online accounts hacked to steal customers’ funds
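The First Horizon disclosure says the intruders walked in with previously stolen credentials, which in practice means replaying a leaked username/password list against the login endpoint. The following is an added example, not code from First Horizon or BleepingComputer, showing the detection logic a bank's security team would run over its authentication logs: one source address trying many distinct usernames with a high failure rate inside a short window. The log format, thresholds and IP addresses are assumptions, and the sample lines are constructed.

```python
"""Credential-stuffing triage over login logs (added example, constructed data)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines: "<ISO time> <source IP> <username> <LOGIN_OK|LOGIN_FAIL>".
# 203.0.113.7 replays a leaked list (10 accounts, 2 hits); 198.51.100.9 is a
# single-account brute force, which this rule deliberately does not catch.
SAMPLE_LOG = """\
2021-04-14T02:00:01Z 203.0.113.7 alice LOGIN_FAIL
2021-04-14T02:00:02Z 203.0.113.7 bob LOGIN_FAIL
2021-04-14T02:00:03Z 203.0.113.7 carol LOGIN_FAIL
2021-04-14T02:00:04Z 203.0.113.7 dave LOGIN_OK
2021-04-14T02:00:05Z 203.0.113.7 erin LOGIN_FAIL
2021-04-14T02:00:06Z 203.0.113.7 frank LOGIN_FAIL
2021-04-14T02:00:07Z 203.0.113.7 grace LOGIN_OK
2021-04-14T02:00:08Z 203.0.113.7 heidi LOGIN_FAIL
2021-04-14T02:00:09Z 203.0.113.7 ivan LOGIN_FAIL
2021-04-14T02:00:10Z 203.0.113.7 judy LOGIN_FAIL
2021-04-14T02:05:00Z 198.51.100.9 alice LOGIN_FAIL
2021-04-14T02:05:20Z 198.51.100.9 alice LOGIN_FAIL
2021-04-14T02:05:40Z 198.51.100.9 alice LOGIN_OK
2021-04-14T03:30:00Z 192.0.2.44 bob LOGIN_OK
"""


def parse_line(line):
    ts, ip, user, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result == "LOGIN_OK"


def detect_credential_stuffing(log_text, window=timedelta(minutes=10),
                               min_users=8, min_fail_ratio=0.6):
    """Per source IP, slide a time window over its attempts and alert when the
    window holds >= min_users distinct usernames with a failure ratio >=
    min_fail_ratio. Successful logins inside an alerting window are the
    accounts to lock and force-reset first."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in sorted(parse_line(l) for l in log_text.splitlines() if l.strip()):
        by_ip[ip].append((ts, user, ok))

    alerts = {}
    for ip, attempts in by_ip.items():
        start = 0
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            win = attempts[start:end + 1]
            users = {u for _, u, _ in win}
            fails = sum(1 for _, _, ok in win if not ok)
            ratio = fails / len(win)
            if len(users) >= min_users and ratio >= min_fail_ratio:
                best = alerts.get(ip)
                if best is None or len(users) > best["distinct_users"]:
                    alerts[ip] = {
                        "distinct_users": len(users),
                        "failure_ratio": round(ratio, 2),
                        "compromised": sorted(u for _, u, ok in win if ok),
                    }
    return alerts


if __name__ == "__main__":
    for ip, alert in detect_credential_stuffing(SAMPLE_LOG).items():
        print(ip, alert)
```

The distinct-username count is what separates stuffing from an ordinary brute force against one account, and the `compromised` list is the immediate response action: those sessions get killed and those customers get a forced reset, which is what the bank reports having done.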
10. DigitalOcean data breach exposes customer billing information

Cloud hosting provider DigitalOcean has disclosed a data breach after a flaw exposed customers' billing information. An email sent out to affected customers by DigitalOcean states that a "flaw" allowed an unauthorized user to access customers' billing details between April 9th, 2021, and April 22nd, 2021. "An unauthorized user gained access to some of your billing account details through a flaw that has been fixed. This exposure impacted a small percentage of our customers," reads the email sent to customers. The email states that the exposed information includes a customer's billing name, billing address, payment card expiration, last four digits of credit card, and the payment card's bank name.

DigitalOcean data breach email Source: Twitter

DigitalOcean states that it has fixed the flaw and disclosed the breach to data protection authorities. It is not clear which agencies were notified. Tyler Healy, VP Security at DigitalOcean, told TechCrunch that this flaw exposed only 1% of billing profiles. BleepingComputer has reached out to DigitalOcean with further questions but has not heard back at this time. DigitalOcean also suffered a data breach last year when it made a document containing information about customers' accounts available via a public link.

Source: DigitalOcean data breach exposes customer billing information
11. 5.6 Million Records that Appear to Belong to ‘Reverb’ Users Leaked Online

A researcher has discovered a large set of data consisting of ‘Reverb’ user details. A contractor may have managed the cluster, or it could have been stolen from elsewhere. The data that was exposed is very sensitive, including names, emails, IPs, PayPal details, and phone numbers.

Researcher Bob Diachenko has published a staggering finding on Twitter involving an unprotected Elasticsearch cluster that held 5.6 million data records. The entries are generic but match some elements found on Reverb shops, so the data appears to have been derived from the popular online marketplace for musical instruments. As for what data was leaked, this includes the full names, email addresses, postal addresses, phone numbers, listing/order count, PayPal account email, IP address, and more.

Just completed analysis of the samples: seems like it was data of 5.6M @reverb users exposed via unprotected ES cluster, incl: full name, email, postal address, phone, listing/order count, PayPal email.. IP is down now. Not sure if cluster was managed by Reverb or someone else. pic.twitter.com/W7V2YKN0OR
— Bob Diachenko (@MayhemDayOne) April 23, 2021

In a private chat with Diachenko, the researcher told us that he first discovered the database on April 5, 2021, which is when specialized search engines indexed it. Since then, the database has been taken offline, so it is no longer accessible, but in the meantime, the researcher hasn’t been able to figure out if the cluster was managed by Reverb or someone else. This could have been a snatch from elsewhere, but until Reverb gets back to us with a comment on this, we have no way to tell. The consequences of this breach are dire, and as Diachenko privately shared with us, there are some big-name shops included in the exposed set. The fact that there’s a PayPal account email accompanied by phone numbers, for example, opens up the way for SIM-swap-based 2FA bypassing.
Also, phishing, scamming, and general trickery are obviously greatly empowered by this set. For this reason, Reverb should have already sent notifications of a breach to its users, but as far as we can tell, something like that hasn’t happened. The researcher told us that Troy Hunt will get a list of all the exposed emails soon, so expect haveibeenpwned.com to add the relevant list, helping the compromised users find out whether their details are included in the set or not. Our advice to all Reverb users would be to reset your password on the platform as well as anywhere else you may be using the same credentials. Next, send a message to Reverb’s support and ask for clarification on how this incident impacts you. For now, there is no confirmed breach on the Reverb platform, but better safe than sorry.

Source: 5.6 Million Records that Appear to Belong to ‘Reverb’ Users Leaked Online
12. Eversource Energy data breach caused by unsecured cloud storage

Eversource, the largest energy supplier in New England, has suffered a data breach after customers' personal information was exposed on an unsecured cloud server. Eversource Energy is the largest energy delivery company in New England, powering 4.3 million electric and natural gas customers throughout Connecticut, Massachusetts, and New Hampshire.

In a data breach notification shared with BleepingComputer, Eversource Energy is warning customers that the unsecured cloud storage server exposed their name, address, phone number, social security number, service address, and account number.

Eversource data breach notification

For those affected by the data breach, Eversource is offering a free 1-year identity monitoring service through Cyberscout. After receiving the data breach notification, an Eversource customer called Cyberscout to learn more about the breach. Ultimately, they were sent an internal frequently asked questions document used by Cyberscout employees to answer inquiries about the breach.

According to the FAQ shared with BleepingComputer, Eversource performed a security review on March 16th and found a "cloud data storage folder" that was misconfigured so that anyone could access its contents. When they discovered the unsecured folder, they immediately secured it and began investigating what data was stored in it. This folder contained unencrypted files created in August 2019 that included the personal information of 11,000 Eversource eastern Massachusetts customers.

At this time, Eversource states that there is no indication that any of this data was acquired or misused by unauthorized people. While this may be true, BleepingComputer recommends that users sign up for the free identity theft monitoring offered by Eversource to be alerted if their social security number is fraudulently used.
Affected users should also be on the lookout for possible phishing emails pretending to be from Eversource, or other companies, that utilize the exposed data to harvest further information.

Over the past two years, ransomware attacks and network breaches have targeted numerous utility companies, including EDP Renewables North America, Centrais Eletricas Brasileiras (Eletrobras), Companhia Paranaense de Energia (Copel), and the Enel Group. Even more concerning, threat actors recently breached a water treatment system in Oldsmar, Florida, and attempted to increase the concentration of sodium hydroxide (NaOH) cleanser to hazardous levels.

These breaches, and even Eversource's exposure, for which there is no evidence of malicious access, underscore how utilities need to improve their security posture to prevent these types of leaks and attacks in the future.

Thx to webster341 and i486DX for sharing their notifications and the FAQ.

Source: Eversource Energy data breach caused by unsecured cloud storage
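Eversource's FAQ describes a "cloud data storage folder" that anyone could read, but the page names neither the cloud provider nor the exact misconfiguration. The following added example, which is not Eversource's or BleepingComputer's code, assumes an AWS S3 bucket and shows the check a reviewer would run offline over a bucket's policy and ACL: the two usual ways such a folder becomes world-readable are a bucket policy that allows `s3:GetObject` to `Principal "*"`, and an ACL grant of READ to the AllUsers or AuthenticatedUsers group. The open and fixed policies and ACLs below are constructed samples; the account ID, role and bucket names are invented.

```python
"""Offline check of an S3 bucket policy and ACL for "anyone can read" access (added example)."""
import json

PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
READ_ACTIONS = {"s3:getobject", "s3:get*", "s3:*", "*"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_is_everyone(principal):
    """Principal "*" or {"AWS": "*"} means any AWS account or anonymous user."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))


def policy_public_read(policy):
    """True if an Allow statement lets everyone read objects without a network-restricting condition."""
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _principal_is_everyone(stmt.get("Principal")):
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if not actions & READ_ACTIONS:
            continue
        # aws:SourceIp / aws:SourceVpc(e) conditions narrow "*" to a network; anything else stays public
        cond = json.dumps(stmt.get("Condition", {})).lower()
        if "aws:sourceip" in cond or "aws:sourcevpc" in cond:
            continue
        return True
    return False


def acl_public_read(acl):
    """True if an ACL grant gives READ or FULL_CONTROL to a public group."""
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if (grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS
                and grant.get("Permission") in ("READ", "FULL_CONTROL")):
            return True
    return False


def assess_bucket(policy_json, acl):
    findings = []
    if policy_public_read(json.loads(policy_json)):
        findings.append("bucket policy grants public object read")
    if acl_public_read(acl):
        findings.append("ACL grants READ to a public group")
    return findings


# Constructed: the misconfiguration, an export folder readable by the whole internet
OPEN_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [{"Sid": "Export", "Effect": "Allow", "Principal": "*",
                 "Action": "s3:GetObject", "Resource": "arn:aws:s3:::customer-exports/*"}]
}"""
OPEN_ACL = {"Grants": [{"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
                        "Permission": "READ"}]}

# Constructed: the same export restricted to one role, with an owner-only ACL
FIXED_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [{"Sid": "Export", "Effect": "Allow",
                 "Principal": {"AWS": "arn:aws:iam::111122223333:role/billing-export"},
                 "Action": "s3:GetObject", "Resource": "arn:aws:s3:::customer-exports/*"}]
}"""
CLEAN_ACL = {"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"},
                         "Permission": "FULL_CONTROL"}]}

if __name__ == "__main__":
    print(assess_bucket(OPEN_POLICY, OPEN_ACL))
    print(assess_bucket(FIXED_POLICY, CLEAN_ACL))
```

A policy-level check like this catches the folder before a search engine or a researcher does; the belt-and-braces control on AWS is to also turn on the account-wide Block Public Access setting so that neither of these two grants can take effect in the first place.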
13. Celsius email system breach leads to phishing attack on customers

Cryptocurrency rewards platform Celsius Network has disclosed a security breach exposing customer information that led to a phishing attack. Today, Celsius CEO Alex Mashinsky stated that Celsius' third-party marketing server was compromised, and threat actors gained access to a partial Celsius customer list.

"An unauthorized party managed to gain access to a back-up third-party email distribution system which had connections to a partial customer email list. Once inside the system, this unauthorized party sent a fraudulent email announcement, of which we know some of the recipients to be Celsius customers."

"The intent was to make the recipients believe the fraudulent email came from Celsius, that the fraudulent site was a true Celsius site, and to take ownership of recipients’ cryptocurrency assets from their personal (non-Celsius) wallet by prompting the user to provide the seed phrase to their personal wallet address," disclosed a Celsius advisory.

After gaining access to the customer list, the threat actors impersonated Celsius Network in phishing texts and emails that promoted a new Celsius Web Wallet. As an incentive to get people to visit the site, the text states Celsius is offering $500 in the CEL cryptocurrency if they create a wallet and enter a special promo code.

Celsius phishing text message Source: Twitter

Clicking on the link led recipients to the phishing site celsiuswallet[.]network, which is now down, that asked visitors to create a Celsius Web Wallet. When visitors attempted to create this fake wallet, the site asked them to link their other online wallets and input those wallets' seed phrases. Once a seed phrase is provided, the threat actors can import the wallet and steal any cryptocurrency within it.
Celsius phishing site Source: Twitter VirusTotal shows that the celsiuswallet[.]network phishing domain initially had a DNS SOA record that indicated it was registered at the Njalla registrar. Njalla SOA Njalla is a registrar located in Sweden that is a favorite for certain threat actors, such as the Fancy Bear and Cozy Bear Russian hacking groups. The domain is 1 day old and registered through NJALLA. Njalla is a preferred registrar from Fancy Bear and Cozy Bear. This alone already shows the people behind this website have at least a little knowledge about Russian MO. — Rickey Gevers (@UID_) January 12, 2021 A recent scam site using Njalla called 'Solar Leaks' was created to allegedly sell data stolen during the SolarWinds attacks. Source: Celsius email system breach leads to phishing attack on customers
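The indicators the article leans on for celsiuswallet[.]network are a brand name embedded in a lookalike label, a registration that was one day old, and an SOA record pointing at a registrar favoured by certain threat actors. The following is an added example, not code from BleepingComputer, Celsius or VirusTotal, that turns those three signals into a triage score over newly observed domains. The SOA records, creation dates and the nameserver-name-to-operator hints are constructed assumptions; in particular the real Njalla nameserver hostnames are not taken from the page, and `celsius.example` stands in for the legitimate domain.

```python
"""Triage of newly observed domains against brand, age and SOA signals (added example)."""
from datetime import date

BRANDS = ["celsius"]
# Assumption: substring of the SOA primary nameserver -> operator you want to weight
WATCHLIST_MNAME_HINTS = {"njalla": "Njalla"}


def parse_soa(rr_text):
    """Parse a presentation-format SOA record:
    'name TTL IN SOA mname rname serial refresh retry expire minimum'."""
    f = rr_text.split()
    if len(f) < 11 or f[2].upper() != "IN" or f[3].upper() != "SOA":
        raise ValueError("not an SOA record: " + rr_text)
    return {"name": f[0].rstrip(".").lower(), "mname": f[4].rstrip(".").lower(),
            "rname": f[5].rstrip(".").lower(), "serial": int(f[6]), "refresh": int(f[7]),
            "retry": int(f[8]), "expire": int(f[9]), "minimum": int(f[10])}


def registrable_label(domain):
    """'celsiuswallet' from 'celsiuswallet.network' (assumes a one-label public suffix)."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def score_domain(domain, soa_rr, created, today, max_age_days=7):
    soa = parse_soa(soa_rr)
    label = registrable_label(domain)
    reasons = []
    # exact brand label is the real site; brand *inside* a longer label is the lookalike pattern
    brand = next((b for b in BRANDS if b in label and label != b), None)
    if brand:
        reasons.append(f"brand '{brand}' embedded in label '{label}'")
    age_days = (today - created).days
    if age_days <= max_age_days:
        reasons.append(f"registered {age_days} day(s) ago")
    for hint, operator in WATCHLIST_MNAME_HINTS.items():
        if hint in soa["mname"]:
            reasons.append(f"SOA MNAME {soa['mname']} points at {operator}")
    return {"domain": domain, "score": len(reasons), "reasons": reasons}


TODAY = date(2021, 1, 12)
# Constructed (domain, SOA record, creation date) tuples; the SOA contents are invented
SAMPLES = [
    ("celsiuswallet.network",
     "celsiuswallet.network. 3600 IN SOA ns1.njalla.example. hostmaster.njalla.example. 2021011101 10800 3600 604800 3600",
     date(2021, 1, 11)),
    ("celsius.example",
     "celsius.example. 3600 IN SOA ns-1.dns-provider.example. hostmaster.dns-provider.example. 2018030101 7200 900 1209600 86400",
     date(2018, 3, 1)),
]


def triage(samples, today=TODAY, threshold=2):
    """Return the scored entries at or above the alert threshold."""
    return [r for r in (score_domain(d, soa, c, today) for d, soa, c in samples) if r["score"] >= threshold]


if __name__ == "__main__":
    for hit in triage(SAMPLES):
        print(hit)
```

None of the three signals is conclusive on its own (plenty of legitimate domains are young, and privacy-friendly registrars have ordinary customers), which is why the score is additive and the brand-embedding rule carries the weight; in production the creation date and SOA would come from RDAP/WHOIS and a live DNS query rather than the embedded samples.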
14. The Montefiore Medical Center Had Its Fourth Breach in 7 Months

NY-based clinic Montefiore is circulating yet another notice of a data breach to its patients. This is again a case of patient data being accessed improperly by one of the medical center’s employees. It is strange that an entity that strives so much for patient data safety is failing on it repeatedly.

Source: Wikipedia, Credits: Hugo L. González

Patients of the Montefiore Medical Center in New York have received the fourth notice of a data breach that affects them in just seven months. The culprit is reportedly an employee who abused his access to the clinic’s systems. The data accessed by that person includes patient names, medical record numbers, physical addresses, email addresses, dates of birth, and the last four digits of their social security numbers (SSNs). Credit card details and clinical details weren’t accessed. The Montefiore Medical Center states that this happened in violation of its privacy policies, which require employees to access only what they need for work-related reasons. Upon discovering the abuse, the clinic immediately suspended the employee, who will face the relevant legal consequences.

The clinic discovered the violation thanks to the ‘FairWarning’ software deployed on its systems, which monitors the type of access its employees engage in and alerts the administration about risky cases. Although this sounds like a properly safeguarded system, this was the fourth breach notification that Montefiore has had to distribute to patients. Here’s a summary of all recent notices:

- April 2021 notice – Inappropriate access by an employee between January 2020 and February 2021. No number of affected individuals was given.
- January 2021 notice – Incident occurred between June 2020 and November 2020, involving illegal access to data by an employee. 1,787 patients were impacted.
- December 2020 notice – Employee accessed patient data and attempted to engage in insurance fraud. The incident affected 670 patients.
- September 2020 notice – Employee stole 4,000 patient records between January 2018 and July 2020.

In all cases, Montefiore fired the employees and reported them to the authorities to launch a criminal investigation. However, we see rampant violations and repeated insider incidents even though the medical center uses monitoring tools and takes the matter seriously. Also, Montefiore’s announcement mentions that all employees go through criminal background checks before they are given access to the clinic’s systems. If an entity with a strict code of conduct, monitoring systems in place, and detailed background checks suffers four data breaches from internal access violations, we can only imagine what happens with other medical service providers who follow more relaxed or even non-existent privacy protection and data security policies.

In conclusion, whatever clinic you may have visited in the past, and no matter what data protection procedures they claim to follow, be vigilant and treat all incoming communications with alertness. Abuse is always a probability – and given enough time, a certainty.

Source: The Montefiore Medical Center Had Its Fourth Breach in 7 Months
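The Montefiore notices all describe the same failure mode: a credentialed employee reading records they have no work reason to read, eventually caught by an access-monitoring product. The following added example, not FairWarning's or Montefiore's code (the page does not say which rules fired there), shows the two rules such monitoring typically rests on, run over a constructed EHR audit log: a user who opens far more distinct patient records in a day than peers in the same role (using a leave-one-out median so the outlier does not inflate its own baseline), and accesses to patients with whom the user has no documented care or work relationship. The log format, users, roles, patient IDs and the relationship table are all constructed.

```python
"""Insider-access rules over an EHR audit log (added example, constructed data)."""
from collections import defaultdict
from statistics import median

# Audit line format (assumption): "<date> <user> <role> <patient_id> <action>"


def build_sample_log():
    """Constructed one-day audit log: normal nurses and clerks plus one insider."""
    lines = []
    for user, patients in (("nurse01", ["P001", "P002", "P003"]),
                           ("nurse02", ["P004", "P005"]),
                           ("nurse03", ["P006", "P007", "P008"])):
        lines += [f"2021-02-01 {user} nurse {p} VIEW" for p in patients]
    lines += [f"2021-02-01 clerk02 clerk P{n:03d} VIEW" for n in range(20, 24)]
    lines += [f"2021-02-01 clerk03 clerk P{n:03d} VIEW" for n in range(30, 35)]
    # The insider: a clerk who opens 40 records in one day, 38 of them unrelated to any assignment
    lines += [f"2021-02-01 clerk07 clerk P{n:03d} VIEW" for n in range(100, 140)]
    return lines


# Constructed assignment table: which patients each user has a legitimate reason to view
CARE_RELATIONSHIPS = {
    "nurse01": {"P001", "P002", "P003"},
    "nurse02": {"P004", "P005"},
    "nurse03": {"P006", "P007", "P008"},
    "clerk02": {f"P{n:03d}" for n in range(20, 24)},
    "clerk03": {f"P{n:03d}" for n in range(30, 35)},
    "clerk07": {"P100", "P101"},
}


def _parse(line):
    day, user, role, pid, action = line.split()
    return day, user, role, pid, action


def volume_outliers(lines, factor=5, min_records=20):
    """Rule 1: distinct patients per user-day compared with the median of role peers."""
    per_user_day = defaultdict(set)
    role_of = {}
    for day, user, role, pid, _ in map(_parse, lines):
        per_user_day[(day, user)].add(pid)
        role_of[user] = role
    by_role_day = defaultdict(list)
    for (day, user), pids in per_user_day.items():
        by_role_day[(day, role_of[user])].append((user, len(pids)))
    alerts = []
    for (day, role), counts in by_role_day.items():
        for user, n in counts:
            peers = [m for other, m in counts if other != user]   # leave-one-out baseline
            if not peers:
                continue
            baseline = median(peers)
            if n >= min_records and n > factor * baseline:
                alerts.append({"day": day, "user": user, "role": role,
                               "records": n, "peer_median": baseline})
    return alerts


def relationship_violations(lines, relationships):
    """Rule 2: record views for patients not on the user's assignment list."""
    out = defaultdict(set)
    for _, user, _, pid, _ in map(_parse, lines):
        if pid not in relationships.get(user, set()):
            out[user].add(pid)
    return {u: sorted(p) for u, p in out.items()}


if __name__ == "__main__":
    log = build_sample_log()
    print(volume_outliers(log))
    print({u: len(p) for u, p in relationship_violations(log, CARE_RELATIONSHIPS).items()})
```

Rule 2 is the stronger of the two: it needs an assignment or encounter table that is actually maintained, but when it exists it catches a low-and-slow insider who stays under any volume threshold, which is the pattern behind the multi-year access windows in the September 2020 and April 2021 notices.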
  15. Swedish Sports Body Hacked by Russians, Officials Say The organization that oversees Sweden’s national sports federations was hacked by Russian military intelligence in 2017-18, officials said Tuesday, in a data-breaching campaign that also affected some of the world’s leading sporting bodies, including FIFA and the World Anti-Doping Agency. Swedish prosecutors said the “repeated and comprehensive breaches” of the Swedish Sports Confederation by GRU resulted in athletes’ personal details, such as medical records, being accessed and that information being published by Swedish media. The hacking was discovered following an investigation by the Swedish Security Service in cooperation with the security services of other countries. But the investigation has been discontinued because “the necessary preconditions for taking legal proceedings abroad or extradition to Sweden are lacking,” public prosecutor Mats Ljungqvist said. The data breaches were said to have taken place from December 2017 to May 2018. At that time, Sweden was putting together a bid to host the 2026 Winter Olympics. Among the athletes who had private information accessed was women’s national team soccer player Olivia Schough. “This is a serious crime against humanity and values where personal information that can be sensitive was spread without the slightest thought about how it can affect individuals,” said Bjorn Eriksson, the chairman of the Swedish Sports Confederation. Ljungqvist said the data breaches were part of a larger, systematic campaign by Russian hackers against international sports organizations, such as FIFA, WADA, the United States Anti-Doping Agency and the Court of Arbitration for Sport. The United States issued indictments in 2018 for alleged Russian hacking of Olympic and soccer bodies. The hacking campaign began after Russia’s state-backed doping program was exposed in 2015. Source: Swedish Sports Body Hacked by Russians, Officials Say
16. Risk startup LogicGate confirms data breach

Image Credits: Jan Willem Kunnen / Getty Images

Risk and compliance startup LogicGate has confirmed a data breach. But unless you’re a customer, you probably didn’t hear about it.

An email sent by LogicGate to customers earlier this month said that on February 23 an unauthorized third party obtained credentials to its Amazon Web Services-hosted cloud storage servers storing customer backup files for its flagship platform Risk Cloud, which helps companies identify and manage their risk and compliance with data protection and security standards. LogicGate says its Risk Cloud can also help find security vulnerabilities before they are exploited by malicious hackers.

The credentials “appear to have been used by an unauthorized third party to decrypt particular files stored in AWS S3 buckets in the LogicGate Risk Cloud backup environment,” the email read. “Only data uploaded to your Risk Cloud environment on or prior to February 23, 2021, would have been included in that backup file. Further, to the extent you have stored attachments in the Risk Cloud, we did not identify decrypt events associated with such attachments,” it added.

LogicGate did not say how the AWS credentials were compromised. An email update sent by LogicGate last Friday said the company anticipates finding the root cause of the incident by this week. But LogicGate has not made any public statement about the breach. It’s also not clear if the company contacted all of its customers or only those whose data was accessed. LogicGate counts Capco, SoFi and Blue Cross Blue Shield of Kansas City as customers.

We sent a list of questions, including how many customers were affected and if the company has alerted U.S. state authorities as required by state data breach notification laws. When reached, LogicGate chief executive Matt Kunkel confirmed the breach but declined to comment, citing an ongoing investigation.
“We believe it’s best to communicate developments directly to our customers,” he said. Kunkel would not say, when asked, if the attacker also exfiltrated the decrypted customer data from its servers. Data breach notification laws vary by state, but companies that fail to report security incidents can face heavy fines. Under Europe’s GDPR rules, companies can face fines of up to 4% of their annual turnover for violations. In December, LogicGate secured $8.75 million in fresh funding, totaling more than $40 million since it launched in 2015. Source: Risk startup LogicGate confirms data breach
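LogicGate's phrase "we did not identify decrypt events" is the interesting forensic detail: on AWS, reading an S3 object protected with SSE-KMS produces a `kms.amazonaws.com` `Decrypt` event in CloudTrail whose encryption context names the object, so stolen credentials used to pull backups leave a trail even when S3 access logging is off. The following added example, not LogicGate's code (the page does not say what telemetry it used), scans constructed CloudTrail records for successful `Decrypt` calls against the backup key by principals outside an allowlist or from addresses outside trusted networks, and counts denied attempts separately. Field names follow the CloudTrail record format; the account ID, ARNs, key ID, bucket and IP addresses are invented.

```python
"""Hunting for unexpected KMS Decrypt calls in CloudTrail (added example, constructed records)."""
import ipaddress
import json
from collections import Counter

BACKUP_KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/0000aaaa-bbbb-cccc-dddd-000000000000"
ALLOWED_PRINCIPALS = {"arn:aws:sts::111122223333:assumed-role/backup-restore/backup-job"}
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("203.0.113.0/24")]

# Constructed CloudTrail export: one legitimate restore, two reads by an IAM user that
# should never touch backups, one denied attempt, and an unrelated S3 event.
SAMPLE_TRAIL = """{"Records": [
 {"eventTime": "2021-02-23T01:10:05Z", "eventSource": "kms.amazonaws.com", "eventName": "Decrypt",
  "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::111122223333:assumed-role/backup-restore/backup-job"},
  "sourceIPAddress": "10.20.1.15",
  "requestParameters": {"encryptionContext": {"aws:s3:arn": "arn:aws:s3:::riskcloud-backups/tenant-a/2021-02-22.tar.gz.enc"}},
  "resources": [{"ARN": "arn:aws:kms:us-east-1:111122223333:key/0000aaaa-bbbb-cccc-dddd-000000000000"}]},
 {"eventTime": "2021-02-23T03:41:18Z", "eventSource": "kms.amazonaws.com", "eventName": "Decrypt",
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/ci-deploy"},
  "sourceIPAddress": "198.51.100.23",
  "requestParameters": {"encryptionContext": {"aws:s3:arn": "arn:aws:s3:::riskcloud-backups/tenant-a/2021-02-22.tar.gz.enc"}},
  "resources": [{"ARN": "arn:aws:kms:us-east-1:111122223333:key/0000aaaa-bbbb-cccc-dddd-000000000000"}]},
 {"eventTime": "2021-02-23T03:41:19Z", "eventSource": "kms.amazonaws.com", "eventName": "Decrypt",
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/ci-deploy"},
  "sourceIPAddress": "198.51.100.23",
  "requestParameters": {"encryptionContext": {"aws:s3:arn": "arn:aws:s3:::riskcloud-backups/tenant-b/2021-02-22.tar.gz.enc"}},
  "resources": [{"ARN": "arn:aws:kms:us-east-1:111122223333:key/0000aaaa-bbbb-cccc-dddd-000000000000"}]},
 {"eventTime": "2021-02-23T03:41:20Z", "eventSource": "kms.amazonaws.com", "eventName": "Decrypt",
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/ci-deploy"},
  "sourceIPAddress": "198.51.100.23", "errorCode": "AccessDeniedException",
  "requestParameters": {"encryptionContext": {"aws:s3:arn": "arn:aws:s3:::riskcloud-backups/tenant-c/2021-02-22.tar.gz.enc"}},
  "resources": [{"ARN": "arn:aws:kms:us-east-1:111122223333:key/0000aaaa-bbbb-cccc-dddd-000000000000"}]},
 {"eventTime": "2021-02-23T03:42:00Z", "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/ci-deploy"},
  "sourceIPAddress": "198.51.100.23", "requestParameters": {"bucketName": "riskcloud-backups"}, "resources": []}
]}"""


def load_sample():
    return json.loads(SAMPLE_TRAIL)["Records"]


def _trusted_source(ip):
    if not ip:
        return False
    if ip.endswith(".amazonaws.com"):   # service-initiated calls carry a service name, not an address
        return True
    return any(ipaddress.ip_address(ip) in net for net in TRUSTED_NETWORKS)


def suspicious_decrypts(records, key_arn=BACKUP_KEY_ARN):
    """Successful Decrypt calls on key_arn by unexpected principals or networks, plus denied attempts."""
    hits, denied = [], 0
    for r in records:
        if r.get("eventSource") != "kms.amazonaws.com" or r.get("eventName") != "Decrypt":
            continue
        if not any(res.get("ARN") == key_arn for res in r.get("resources", [])):
            continue
        if r.get("errorCode"):
            denied += 1          # a denied Decrypt from an odd principal is itself worth a look
            continue
        principal = r.get("userIdentity", {}).get("arn", "<unknown>")
        ip = r.get("sourceIPAddress", "")
        reasons = []
        if principal not in ALLOWED_PRINCIPALS:
            reasons.append("principal not allowlisted for backup key")
        if not _trusted_source(ip):
            reasons.append(f"source IP {ip} outside trusted networks")
        if reasons:
            obj = r.get("requestParameters", {}).get("encryptionContext", {}).get("aws:s3:arn")
            hits.append({"time": r["eventTime"], "principal": principal, "object": obj, "reasons": reasons})
    return {"hits": hits, "by_principal": Counter(h["principal"] for h in hits), "denied": denied}


if __name__ == "__main__":
    result = suspicious_decrypts(load_sample())
    for hit in result["hits"]:
        print(hit)
    print(result["by_principal"], "denied:", result["denied"])
```

The `object` field is what lets an incident responder answer the question LogicGate's customers were asking: which backup files were actually opened, not merely which bucket the credentials could reach. A key policy that grants `kms:Decrypt` only to the backup role would have turned the two hits into denied events.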
  17. Indian Brokerage Firm Upstox Suffers Data Breach Leaking 2.5 Millions Users' Data Online trading and discount brokerage platform Upstox has become the latest Indian company to suffer a security breach of its systems, resulting in the exposure of sensitive information of approximately 2.5 million users on the dark web. The leaked information includes names, email addresses, dates of birth, bank account information, and about 56 million know your customer (KYC) documents pulled from the company's server. The breach was first disclosed by independent researcher Rajshekhar Rajaharia on April 11. It's not immediately clear when the incident occurred. Reacting to the development, the company, however, said it had recently upgraded its security systems following reports of "unauthorized access into our database" while stressing that users' funds and securities remained protected. As a precaution, besides initiating a secure password reset of users' accounts, Upstox said it restricted access to the impacted database, implying it was a case of a misconfigured AWS server, in addition to incorporating multiple security enhancements at its third-party data warehouses and ring-fencing the network. The company refrained from specifying the exact number of client accounts that may have been exposed. News of Upstox's security breach comes weeks after an India-based digital wallet service MobiKwik dealt with a major security incident after 8.2 terabytes (TB) of data belonging to millions of its users began circulating on cybercrime forums. Other Indian companies such as BigBasket, Dunzo, Edureka, Paytm Mall, and Byju's-owned WhiteHat Jr too have reported data breaches in recent months. Source: Indian Brokerage Firm Upstox Suffers Data Breach Leaking 2.5 Millions Users' Data
18. Clinical Pathology Laboratories says 2.2M patients exposed in AMCA breach

LabCorp and Quest Diagnostics have already reported that patient information was exposed in that breach.

The AMCA breach has affected millions of lab patients. Frank Bienewald/Getty Images

Clinical Pathology Laboratories is the latest medical testing company to fall victim to a data security breach at billing service American Medical Collection Agency. CPL has discovered that 2.2 million patients may have had their names, addresses, phone numbers, birth dates and other personal information stolen. In a statement reported Wednesday by TechCrunch, CPL also said that 34,500 patients may have had their credit card or banking information compromised. The AMCA sent letters to those patients notifying them of the breach.

AMCA became aware of the breach on March 21, investigated it and informed CPL the following month, according to the lab's statement. CPL said patients' Social Security numbers weren't involved in the incident. CPL doesn't provide AMCA with healthcare records such as laboratory results or clinical history, according to the statement.

In June, LabCorp said the personal and financial data of as many as 7.7 million customers were exposed in the AMCA breach. Quest Diagnostics also said 11.9 million of its patients were impacted. CPL, LabCorp and Quest all conduct lab tests requested by doctors, such as blood work. CPL and AMCA didn't immediately respond to a request for comment.

Source: Clinical Pathology Laboratories says 2.2M patients exposed in AMCA breach
  19. Singapore’s e2i tightens security after third-party data breach Potentially affected personal data may include names, NRIC, contact details, educational qualifications and employment details. Singapore’s National Trades Union Congress’ (NTUC) Employment and Employability Institute (e2i) is tightening its email security following a malware-induced data security breach that may have resulted in the unauthorised access of 30,000 individuals’ personal data. The job matching and skills upgrading services provider revealed on 5 April that it was made aware on 12 March of a data incident arising from malware that infected a mailbox belonging to an employee of an appointed third-party vendor, contact centre services provider i-vic International. “The incident may have resulted in an unauthorised access to the affected mailbox that contained personal data of approximately 30,000 individuals who had used e2i’s services,” the institute said in a statement. The potentially affected personal data may include names, NRIC, contact details, educational qualifications and employment details. After being made aware of the incident, e2i immediately launched an investigation and has reported the data breach to the Personal Data Protection Commission (PDPC) and the Singapore Computer Emergency Response Team (SingCERT). The third-party vendor has also filed a police report for the incident. Following the initial investigation, working with the vendor to ascertain the nature and extent of personal data that has been potentially affected, e2i and I-vic International have followed up with mitigation measures to tighten the security of email and network systems. The institute said it and its vendor would also be undertaking constant checks to monitor closely for any potential vulnerabilities. “We are deeply sorry for the anxiety this data incident may bring to our clients,” e2i CEO Gilbert Tan said. “The protection of our clients’ personal data is of utmost importance to us. 
Though the malware did not target e2i directly, cybersecurity threats are real and the protection of personal data is of top priority to us. “E2i will be doing constant checks on both e2i’s as well as our vendor’s IT systems. Amid all these measures, I would like to assure that e2i’s operations, services and systems remain unaffected and job seekers can continue to seek employment and employability assistance with e2i,” he added.

News of the breach comes almost exactly a month after Singapore Airlines warned its frequent flyer members of a third-party breach affecting up to 580,000 people. Singapore Airlines said in a statement published late on 4 March that it had been informed by air transport communications and information technology provider SITA of a data security breach involving its Passenger Service System (SITA PSS) servers. Just days earlier, Malaysia Airlines informed Enrich frequent flyer members of a “data security incident” via a third-party IT service provider, insisting the breach avoided the national carrier’s core IT infrastructure and systems.

Source: Singapore’s e2i tightens security after third-party data breach
20. US charges California man over Shopify data breach

Image Credits: SOPA Images / Getty Images

A grand jury has indicted a California resident accused of stealing Shopify customer data on over a hundred merchants, TechCrunch has learned. The indictment charges Tassilo Heinrich with aggravated identity theft and conspiracy to commit wire fraud by allegedly working with two Shopify customer support agents to steal merchant and customer data from Shopify customers to gain a competitive edge and “take business away from those merchants,” the indictment reads. The indictment also accuses Heinrich, believed to be around 18 years old at the time of the alleged scheme, of selling the data to other co-conspirators to commit fraud. A person with direct knowledge of the security breach confirmed Shopify was the unnamed victim company referenced in the indictment.

Last September, Shopify, an online e-commerce platform for small businesses, revealed a data breach perpetrated by two “rogue members” of its third-party customer support team that targeted “less than 200 merchants.” Shopify said it fired the two contractors for engaging “in a scheme to obtain customer transactional records of certain merchants.” Shopify said the contractors stole customer data, including names, postal addresses and order details, like which products and services were purchased. One merchant who received the data breach notice from Shopify said the last four digits of affected customers’ payment cards were also taken, which the indictment confirms. Another one of the victims was Kylie Jenner’s cosmetics and make-up company, Kylie Cosmetics, the BBC reported.

The indictment accuses Heinrich of paying an employee of a third-party customer support company in the Philippines to access parts of Shopify’s internal network by either taking screenshots or uploading the data to Google Drive in exchange for kickbacks.
Heinrich paid the employee in thousands of dollars’ worth of cryptocurrency, and also fake positive reviews claiming to be from merchants to whom the employee had provided customer service but had not left feedback. The indictment alleges that Heinrich received a year’s worth of some merchants’ data. Heinrich allegedly spent at least a year siphoning off increasing amounts of data from Shopify’s internal network, at one point asking if he could “remotely access” the customer support employee’s computer while they were asleep.

In a brief statement, Shopify spokesperson Rebecca Feigelsohn said: “Shopify has cooperated with the FBI to investigate an incident involving the data of a small number of our merchants in September 2020. As previously stated, the perpetrators involved no longer work with Shopify. Because there is an active criminal investigation, we are unable to provide further comment at this time.”

Heinrich was arrested by the FBI at Los Angeles International Airport in February and is currently detained in federal custody pending trial, set to begin on September 7. Heinrich has pleaded not guilty.

Updated with comment from Shopify.

Source: US charges California man over Shopify data breach
21. Booking.com Fined $558,000 for Late Breach Notification

A major hotel bookings site has been fined €475,000 after failing to report a serious data breach within the time period mandated by the General Data Protection Regulation (GDPR). Booking.com suffered the breach back in 2018 when telephone scammers targeted 40 employees at various hotels in the United Arab Emirates (UAE). After obtaining their login credentials to a Booking.com system, they were able to access the personal details of over 4100 customers who had booked a hotel room in the UAE via the site. Credit card details on 283 customers were also exposed, and in 97 cases the security (CVV) code was compromised.

“Booking.com customers ran the risk of being robbed here. Even if the criminals did not steal credit card details, but only someone’s name, contact details and information about his or her hotel booking, the scammers used that data for phishing,” explained Monique Verdier, VP of the Dutch Data Protection Authority (AP). “By pretending to belong to the hotel by phone or email, they tried to take money from people. This can be very credible if such a scammer knows exactly when you have booked which room, and asks if you want to pay for those nights. The damage can then be considerable.”

Although the breach does not appear to have been Booking.com’s fault, its response was found wanting. The travel giant, which is headquartered in the Netherlands, was notified of the incident on January 13 2019, but didn’t report it to the AP until February 7. The GDPR requires a breach to be reported to the supervisory authority within 72 hours of the organization becoming aware of it, so the report was 22 days late. Verdier argued that this was a serious violation of the trust that millions of customers place in the platform to keep their details safe. Online firms’ obligations don’t just extend to best practice cybersecurity controls, she claimed, but also to reacting quickly if and when things do go wrong.
“A data breach can unfortunately happen anywhere, even if you have taken good precautions, but to prevent damage to your customers and the repetition of such a data breach, you have to report this in time,” Verdier said. “That speed is very important: in the first place for the victims of a leak. After such a report, the AP can, among other things, order a company to immediately warn affected customers — to prevent criminals from having weeks to continue trying to defraud customers, for example.” Booking.com will not contest the fine, according to AP. Source: Booking.com Fined $558,000 for Late Breach Notification
  22. Whistleblower: Ubiquiti Breach “Catastrophic” On Jan. 11, Ubiquiti Inc. [NYSE:UI] — a major vendor of cloud-enabled Internet of Things (IoT) devices such as routers, network video recorders and security cameras — disclosed that a breach involving a third-party cloud provider had exposed customer account credentials. Now a source who participated in the response to that breach alleges Ubiquiti massively downplayed a “catastrophic” incident to minimize the hit to its stock price, and that the third-party cloud provider claim was a fabrication. A security professional at Ubiquiti who helped the company respond to the two-month breach beginning in December 2020 contacted KrebsOnSecurity after raising his concerns with both Ubiquiti’s whistleblower hotline and with European data protection authorities. The source — we’ll call him Adam — spoke on condition of anonymity for fear of retribution by Ubiquiti. “It was catastrophically worse than reported, and legal silenced and overruled efforts to decisively protect customers,” Adam wrote in a letter to the European Data Protection Supervisor. “The breach was massive, customer data was at risk, access to customers’ devices deployed in corporations and homes around the world was at risk.” Ubiquiti has not responded to repeated requests for comment. According to Adam, the hackers obtained full read/write access to Ubiquiti databases at Amazon Web Services (AWS), which was the alleged “third party” involved in the breach. Ubiquiti’s breach disclosure, he wrote, was “downplayed and purposefully written to imply that a 3rd party cloud vendor was at risk and that Ubiquiti was merely a casualty of that, instead of the target of the attack.” In its Jan. 11 public notice, Ubiquiti said it became aware of “unauthorized access to certain of our information technology systems hosted by a third party cloud provider,” although it declined to name the third party. 
In reality, Adam said, the attackers had gained administrative access to Ubiquiti’s servers at Amazon’s cloud service, which secures the underlying server hardware and software but requires the cloud tenant (client) to secure access to any data stored there.

“They were able to get cryptographic secrets for single sign-on cookies and remote access, full source code control contents, and signing keys exfiltration,” Adam said.

Adam says the attacker(s) had access to privileged credentials that were previously stored in the LastPass account of a Ubiquiti IT employee, and gained root administrator access to all Ubiquiti AWS accounts, including all S3 data buckets, all application logs, all databases, all user database credentials, and secrets required to forge single sign-on (SSO) cookies.

Such access could have allowed the intruders to remotely authenticate to countless Ubiquiti cloud-based devices around the world. According to its website, Ubiquiti has shipped more than 85 million devices that play a key role in networking infrastructure in over 200 countries and territories worldwide.

Adam says Ubiquiti’s security team picked up signals in late December 2020 that someone with administrative access had set up several Linux virtual machines that weren’t accounted for. Then they found a backdoor that an intruder had left behind in the system.

When security engineers removed the backdoor account in the first week of January, the intruders responded by sending a message saying they wanted 50 bitcoin (~$2.8 million USD) in exchange for a promise to remain quiet about the breach. The attackers also provided proof they’d stolen Ubiquiti’s source code, and pledged to disclose the location of another backdoor if their ransom demand was met.

Ubiquiti did not engage with the hackers, Adam said, and ultimately the incident response team found the second backdoor the extortionists had left in the system.
The company would spend the next few days furiously rotating credentials for all employees, before Ubiquiti started alerting customers about the need to reset their passwords. But Adam maintains that instead of asking customers to change their passwords when they next log on — as the company did on Jan. 11 — Ubiquiti should have immediately invalidated all of its customers’ credentials and forced a reset on all accounts, mainly because the intruders already had credentials needed to remotely access customer IoT systems.

“Ubiquiti had negligent logging (no access logging on databases) so it was unable to prove or disprove what they accessed, but the attacker targeted the credentials to the databases, and created Linux instances with networking connectivity to said databases,” Adam wrote in his letter. “Legal overrode the repeated requests to force rotation of all customer credentials, and to revert any device access permission changes within the relevant period.”

If you have Ubiquiti devices installed and haven’t yet changed the passwords on the devices since Jan. 11 this year, now would be a good time to take care of that. It might also be a good idea to just delete any profiles you had on these devices, make sure they’re up to date on the latest firmware, and then re-create those profiles with new [and preferably unique] credentials. And seriously consider disabling any remote access on the devices.

Ubiquiti’s stock price has grown remarkably since the company’s breach disclosure Jan. 16. After a brief dip following the news, Ubiquiti’s shares have surged from $243 on Jan. 13 to $370 as of today. By market close Tuesday, UI had slipped to $349.

Mar. 31, 6:58 p.m. ET: Ubiquiti just published a statement to its user forum saying its experts identified “no evidence that customer information was accessed, or even targeted.” On this point, however, Adam was clear: Ubiquiti never recorded who had access to those files or when, and so it can say there is no evidence because there are no access logs to search through.

Ubiquiti’s statement continues: “The attacker, who unsuccessfully attempted to extort the company by threatening to release stolen source code and specific IT credentials, never claimed to have accessed any customer information. This, along with other evidence, is why we believe that customer data was not the target of, or otherwise accessed in connection with, the incident.”

“At this point, we have well-developed evidence that the perpetrator is an individual with intricate knowledge of our cloud infrastructure. As we are cooperating with law enforcement in an ongoing investigation, we cannot comment further.”

Source: Whistleblower: Ubiquiti Breach “Catastrophic”
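The Ubiquiti account above hinges on two points: the intruders held the "secrets required to forge single sign-on (SSO) cookies", and a "change your password at next login" notice does not invalidate sessions. The following is an added example, not Ubiquiti's code or SSO design, that shows why on a generic HMAC-signed session cookie. The cookie layout (user:expiry:kid:hexdigest), the `SsoIssuer` class and the sample user store are all constructed for the illustration.

```python
"""Why a leaked SSO signing secret is fixed by rotating the key, not by
asking users to change passwords.

Added example; this is not Ubiquiti's code or SSO design. It assumes a
generic HMAC-SHA256 signed session cookie laid out as
user:expiry:kid:hexdigest (a constructed format) and an issuer that trusts
only its current key.
"""
import hashlib
import hmac
import secrets


class SsoIssuer:
    """Issues and verifies signed session cookies with one trusted key."""

    def __init__(self, keys=None, current_kid=None):
        self.keys = dict(keys) if keys else {}
        self.current_kid = current_kid
        if not self.keys:
            self.rotate_key()

    def rotate_key(self):
        """Install a fresh key and forget the old one. Every cookie signed
        with the old key, legitimate or forged, stops verifying."""
        kid = secrets.token_hex(4)
        self.keys = {kid: secrets.token_bytes(32)}
        self.current_kid = kid
        return kid

    @staticmethod
    def _sign(payload, key):
        return hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()

    def issue(self, user, now, ttl=3600):
        payload = f"{user}:{now + ttl}:{self.current_kid}"
        return payload + ":" + self._sign(payload, self.keys[self.current_kid])

    def verify(self, cookie, now):
        """Return the user named in a valid cookie, otherwise None."""
        parts = cookie.split(":")
        if len(parts) != 4:
            return None
        user, exp, kid, sig = parts
        key = self.keys.get(kid)
        if key is None:
            return None  # signed under a key this issuer no longer trusts
        expected = self._sign(f"{user}:{exp}:{kid}", key)
        if not hmac.compare_digest(sig, expected):
            return None
        if not exp.isdigit() or int(exp) < now:
            return None
        return user


def walkthrough(now=1_610_000_000):
    """Replay leak -> password reset (no effect) -> key rotation (effective)."""
    service = SsoIssuer()
    passwords = {"victim@example.invalid": "hash-of-old-password"}  # constructed

    # 1. Whoever holds the signing material can run issue() themselves; here
    #    the "attacker" is simply a second issuer seeded with the same key.
    leaked = SsoIssuer(keys=service.keys, current_kid=service.current_kid)
    forged = leaked.issue("victim@example.invalid", now)
    accepted_after_leak = service.verify(forged, now) is not None

    # 2. Resetting the password changes the user store, but verify() never
    #    consults it: the forged cookie is still accepted.
    passwords["victim@example.invalid"] = "hash-of-new-password"
    accepted_after_reset = service.verify(forged, now) is not None

    # 3. Rotating the key is what actually invalidates the forged cookie.
    service.rotate_key()
    accepted_after_rotation = service.verify(forged, now) is not None

    # Users simply log in again and receive cookies under the new key.
    fresh = service.issue("victim@example.invalid", now)
    return {
        "accepted_after_leak": accepted_after_leak,
        "accepted_after_reset": accepted_after_reset,
        "accepted_after_rotation": accepted_after_rotation,
        "fresh_cookie_ok": service.verify(fresh, now) == "victim@example.invalid",
    }


if __name__ == "__main__":
    for step, accepted in walkthrough().items():
        print(f"{step}: {accepted}")
```

The design point is step 2: a password reset only touches the credential store, while cookie verification depends solely on the signing key, so the forged cookie keeps working until the key is rotated. Rotation also logs every legitimate user out at once, which is the cost Adam argued Ubiquiti should have accepted.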
23. MobiKwik Suffers Major Breach — KYC Data of 3.5 Million Users Exposed

Popular Indian mobile payments service MobiKwik on Monday came under fire after 8.2 terabytes (TB) of data belonging to millions of its users began circulating on the dark web in the aftermath of a major data breach that came to light earlier this month.

The leaked data includes sensitive personal information such as: customer names, hashed passwords, email addresses, residential addresses, GPS locations, list of installed apps, partially-masked credit card numbers, connected bank accounts and associated account numbers, and know your customer (KYC) documents of 3.5 million users.

Even worse, the leak also shows that MobiKwik does not delete the card information from its servers even after a user has removed them, in what's likely a breach of government regulations. New guidelines issued by India's apex banking institution, the Reserve Bank of India, prohibit online merchants, e-commerce websites, and payment aggregators from storing card details of a customer online. The rules are set to come into effect starting July 2021.

As of July 2020, MobiKwik serves 120 million users and 3 million retailers across the country.

The data leak site, which is accessible via Tor browser and boasts of 36,099,759 records, came online after the digital wallet company vehemently denied the incident on March 4 following a report by independent security researcher Rajshekhar Rajaharia.

"A media-crazed so-called security researcher has repeatedly over the last week presented concocted files wasting precious time of our organization while desperately trying to grab media attention," MobiKwik tweeted. "We thoroughly investigated his allegations and did not find any security lapses. The various sample text files that he has been showcasing prove nothing. Anyone can create such text files to falsely harass any company."
However, multiple users have confirmed to the contrary, finding their personal details in the "MobiKwik India data leak" site, lending credence to the breach.

"Never *ever* behave like @MobiKwik has in this thread from 25 days ago," Troy Hunt, security researcher and creator of breach notification tool Have I Been Pwned, said in a tweet, calling out MobiKwik's handling of the situation.

According to sources close to the incident, the compromise was originally advertised in a database leaking forum on February 24, with a hacker claiming access to 6TB data from an unnamed Paytm competitor.

Interestingly, it appears that after Rajaharia disclosed the leak, outed the company's identity, and warned MobiKwik over email, the firm simultaneously took measures to stop the hacker from downloading the data.

"We [...] lost access to main company servers, not surprising though... Cant download anything new," the hacker said in a forum post a day later, adding that the partially downloaded data might have been corrupted.

"We never wanted any money anyway, so not sad. But one of the biggest hacks of KYC ever shit!!! OR SO WE THOUGHT. So, I guess I grow old saying I used to hack and shit. Rather than actually hacking and shit. Exciting 1 month though!!!," the hacker said, implying that the breach dated back to January, echoing Rajaharia's tweets from March 4.

But a month later, in a separate listing on March 27, the hacker claimed, "we recovered all data and it's up for sale," offering up what is alleged to be 8TB of their data for 1.5 bitcoin ($85,684.65).

However, in an interesting turn of events, plans to put the data on sale appear to have been suspended until further notice. "Only sell this to company after due verification that we are dealing with company," the hacker said in an update, suggesting an extortion scheme.
It's not immediately clear how the threat actor managed to gain unauthorized access to MobiKwik's servers, but the hacker said, "it'll be embarrassing for the company. story for someother time.." (sic)

When reached for a response, a MobiKwik spokesperson downplayed the breach, stating that the data shared on the dark web site hasn't been retrieved from its own servers. The company also said it's working with relevant authorities to carry out a security audit of its platform.

"Some users have reported that their data is visible on the dark web. While we are investigating this, it is entirely possible that any user could have uploaded her/his information on multiple platforms. Hence, it is incorrect to suggest that the data available on the dark web has been accessed from MobiKwik or any identified source."

"As a regulated entity, the company takes its data security very seriously and is fully compliant with applicable data security laws. The company is subjected to stringent compliance measures under its PCI-DSS and ISO Certifications, which includes annual security audits and quarterly penetration tests to ensure security of its platform. As soon this matter was reported, the company undertook a thorough investigation with the help of external security experts and did not find any evidence of a breach. The company is closely working with requisite authorities on this matter, and considering the seriousness of the allegations will get a third party to conduct a forensic data security audit. For its users, the company reiterates that all MobiKwik accounts and balances are completely safe."

Source: MobiKwik Suffers Major Breach — KYC Data of 3.5 Million Users Exposed
24. Phished Healthcare Provider Takes Legal Action Against Amazon

An American healthcare provider whose data was allegedly exfiltrated to an Amazon storage account by a cyber-attacker has taken legal action against Amazon.

As many as 85,688 patient and employee records were compromised last week when a threat actor seemingly based in Ukraine struck SalusCare, the largest provider of behavioral healthcare services in Southwest Florida.

The attacker is believed to have gained access to SalusCare's Microsoft 365 environment after an employee clicked a malicious link in a phishing email. The action allegedly triggered malware to exfiltrate SalusCare's entire database to two Amazon S3 storage buckets linked to the same Amazon AWS storage account.

After being notified of the alleged illegal activity, Amazon froze access to the two S3 buckets believed to have been used in the attack. SalusCare requested access to the audit logs of the buckets as part of its investigation to determine precisely what data had been breached by the threat actor. However, Amazon refused to supply an audit log or a copy of the data stored in the S3 buckets as they do not belong to SalusCare.

The healthcare provider responded to Amazon's refusal by filing a lawsuit in federal court on Wednesday seeking for Amazon to be compelled to provide SalusCare with the audit logs and a copy of the contents of the two S3 buckets. In the lawsuit, SalusCare also sought for Amazon to be ordered to permanently suspend the alleged attacker's access to the two S3 buckets allegedly containing the healthcare provider's swiped data.

In its petition to the US District Court in Fort Myers, SalusCare argued that the sensitive data believed to have been stolen in the attack and stored in the buckets could be sold on the dark net and used to commit identity theft.

“The files contain extremely personal and sensitive records of patients’ psychiatric and addiction counseling and treatment,” explained SalusCare.
“The files also contain sensitive financial information such as social security numbers and credit card numbers of SalusCare patients and employees.”

News-Press reports that a judge granted both of SalusCare's requests on Thursday.

Source: Phished Healthcare Provider Takes Legal Action Against Amazon
25. Retailer Fat Face Pays $2 Million Ransom to Conti Gang

News Follows 'Private and Confidential' Breach Notification Fat Face Sent to Victims

Conti ransom note (Source: Sophos)

Left unsaid in Fat Face's "strictly private and confidential" data breach notification to affected customers this week was any indication that the U.K.-based clothing and accessory retailer had paid a $2 million ransom to unlock its systems (see: British Clothing Retailer Fat Face Discloses Data Breach).

But as Computer Weekly reported on Friday, based on details of the ransom-payment negotiation obtained by its French sister publication, LeMagIT, Fat Face's data breach traced to it having been hit with a phishing attack on Jan. 10 by the Conti ransomware gang.

Responding to a 213 bitcoin - worth $8 million - opening ransom demand, Fat Face's negotiator reportedly argued that due to the COVID-19 pandemic, its revenue was down 75%. Ultimately, Conti agreed to a $2 million payment, saying that it didn't want to bankrupt the retailer, Computer Weekly reports.

The attackers triggered their crypto-locking malware one week after gaining access to Fat Face's systems, evading its security defenses, identifying its "Veeam backup servers and Nimble storage," and exfiltrating 200GB of data, according to Computer Weekly.

Luckily for Fat Face, the firm had a cyber insurance policy with Beazley Furlonge Ltd. that included coverage for ransom payouts. Or at least that's what the Conti gang said in its negotiations with Fat Face after the retailer said that the $8 million initial ransom demand was too high.

“Our demands are lower than your insurance coverage," Conti's negotiator shot back, according to screengrabs published by Computer Weekly. "I have no idea how this can break you when you are insured for 7.5 million pounds. I suppose it's time to contact your insurance company."
Fat Face Confirms Payoff

From a crisis communications standpoint, Fat Face arguably fumbled its data breach notification earlier this week by failing to disclose that it paid Conti ransomware attackers to decrypt its systems and promise not to dump stolen customer/employee data.

The fashion retailer confirmed Friday to Information Security Media Group that it got hit by ransomware, but it did not explicitly say that it paid extortionists in return for the promise of a decryption tool to restore access to its crypto-locked systems. It did not, however, dispute the details in Computer Weekly's report.

"Fat Face was unfortunately subject to a ransomware attack which caused significant damage to our infrastructure," a Fat Face spokesman told ISMG on Friday. "Thanks to a monumental effort from the Fat Face team, alongside external security and legal experts, Fat Face was able to quickly contain the incident, restore business operations and then undertake the process of reviewing and categorizing the data involved - a significant task which has taken considerable time."

Earlier this week, Fat Face confirmed that it had suffered a breach in January that compromised personal information for customers and employees. It declined to say exactly how many were affected.

Affected Fat Face customers began to receive emailed breach notifications early this week, as ISMG first reported. These notifications warned them that attackers had accessed their name, address and email address, as well as the last four digits of their payment card and its expiration date. Fat Face has also offered 12 months of a prepaid identity theft monitoring service to affected customers.

But the subject line of the notification email - "strictly private and confidential - notice of security incident" - led some customers to ask if the company was trying to cover up the breach.
"Clearly trying to make people stay quiet," one Fat Face customer who shared the email with ISMG said (see: Fat Face's 'Strictly Private' Data Breach Notification).

Others said that the breach notification had failed to make clear what risks they might now face. "I'm so confused having read their email, is this data breach something serious that we should take immediate action on, or is it a minor breach?" another customer commented. "Especially unclear given they waited two months to mention it!"

ICO 'Making Inquiries'

Fat Face noted earlier this week, when it began to notify customers via email about the breach, that it has notified the U.K. Information Commissioner's Office, which enforces the General Data Protection Regulation, about the breach, as well as Action Fraud - which works with England's police forces - and the National Cyber Security Center, which handles national incident response.

The ICO on Tuesday told ISMG that it is "making inquiries" into the Fat Face breach.

Whereas Fat Face earlier this week declined to share specifics of how exactly it had been hacked, now the retailer says it is declining to release any further breach details owing to an ongoing investigation. "Details of the attack and steps taken are part of a criminal investigation so at this stage we are unable to comment any further," it says.

Conti: 2020 Debut

Conti first debuted in May 2020, and later in the year, it was tied to numerous attacks, largely against targets in North America and Western Europe (see: How Conti Ransomware Works).

Along with Maze, Conti last year was tied to the greatest number of ransomware attacks against healthcare organizations, says cybersecurity firm CrowdStrike (see: Mark of Ransomware's Success: $370 Million in 2020 Profits). Conti has already been tied to multiple healthcare hits this year as well (see: Patient Files Dumped on Darknet Site After Hacking Incidents).
Ransomware incident response firm Coveware says that the average final payment to Conti is about $740,000. Based on the cases it has investigated, it says Conti has always delivered a working decryptor after victims pay.

But Computer Weekly reports that after the Fat Face attack, many of the company's systems were left deleted or unrecoverable. That includes storage area network data, electronic point of sale systems, SQL servers and Citrix hosts. But Conti claimed to not have had anything to do with that, according to the news report.

Conti Teardown

Many ransomware watchers suspect that Conti sprang from the Ryuk ransomware gang. "Since its first appearance, Conti was assumed to be the successor to Ryuk with one crucial difference in that the group behind Conti threatens to leak exfiltrated data to strong-arm victims into paying the ransom," according to security firm Sophos.

In a technical teardown of the ransomware published last month, Sophos researchers note that Conti's developer has gone to great lengths to create an "elusive" ransomware payload that makes it hard to detect and tough for investigators to recover.

"Among the behavior observed by responders, the ransomware immediately begins a process of encrypting files while, at the same time, sequentially attempting to connect to other computers on the same network subnet, in order to spread to nearby machines, using the SMB port," Sophos reports.

A typical Conti attack also includes time spent exfiltrating potentially sensitive data. "The attackers spend some time on the target network and exfiltrate sensitive, proprietary information to the cloud - in recent attacks, the threat actors have used the cloud storage provider Mega," Sophos says.

Data Leak Site

Conti is one of a number of ransomware-wielding gangs that maintains a data leak site.
For victims that do not pay a ransom within a specified time frame, gangs will often first name victims in an attempt to shame them into paying the ransom and having their name excised from the site. If victims still don't pay, gangs typically leak stolen data - if they did steal any - in tranches before dumping everything as a warning to future victims that they do follow through.

A Conti ransom note published previously by Sophos notes: "Just in case, if you try to ignore us. We've downloaded a pack of your internal data and are ready to publish it on (our) news website if you do not respond. So it will be better for both sides if you contact us as soon as possible."

According to Israeli threat intelligence firm Kela, the Conti operation has listed more than 300 victims on its data-leaking site, including industrial IoT chipmaker Advantech, industrial and technology business holding company ThyssenKrupp, and the Scottish Environmental Protection Agency. SEPA's systems were crypto-locked last Christmas Eve. The government agency refused to pay the ransom and, on Jan. 13, Conti began leaking stolen data.

Fat Face apparently never appeared on Conti's data leak site, which suggests that the organization may have promptly launched discussions with the ransomware gang.

Source: Retailer Fat Face Pays $2 Million Ransom to Conti Gang
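The Sophos observation quoted in the Conti teardown above, that the payload "sequentially attempt[s] to connect to other computers on the same network subnet ... using the SMB port" while encryption is already running, is exactly the kind of pattern a network sensor can flag. The following is an added example, not Sophos's or any vendor's code, of that detection over a constructed flow-log format; the log lines, the `/24` assumption, and the threshold and window values are all illustrative choices made for this example.

```python
"""Spot a host sweeping its own subnet on the SMB port (445).

Added example for the lateral-movement behaviour Sophos describes above; it
is not Sophos's or any vendor's code. It assumes a constructed flow-log
format  "<ISO-8601 UTC timestamp> <src_ip> -> <dst_ip>:<dst_port>"  and a
/24 subnet; the threshold and window are illustrative, not vendor values.
"""
from collections import defaultdict, deque
from datetime import datetime, timezone
import ipaddress

SMB_PORT = 445

# Constructed sample: 10.0.5.23 touches neighbour after neighbour on 445
# within seconds, while 10.0.5.40 makes ordinary repeat connections.
SAMPLE_LOG = """\
2021-01-17T02:14:00Z 10.0.5.23 -> 10.0.5.1:445
2021-01-17T02:14:00Z 10.0.5.23 -> 10.0.5.2:445
2021-01-17T02:14:01Z 10.0.5.23 -> 10.0.5.3:445
2021-01-17T02:14:01Z 10.0.5.40 -> 10.0.5.10:445
2021-01-17T02:14:01Z 10.0.5.23 -> 10.0.5.4:445
2021-01-17T02:14:02Z 10.0.5.23 -> 10.0.5.5:445
2021-01-17T02:14:02Z 10.0.5.23 -> 10.0.5.6:445
2021-01-17T02:14:03Z 10.0.5.23 -> 10.0.5.7:445
2021-01-17T02:14:03Z 10.0.5.40 -> 10.0.5.10:445
2021-01-17T02:14:03Z 10.0.5.23 -> 10.0.5.8:445
2021-01-17T02:14:03Z 10.0.5.23 -> 10.0.5.9:445
2021-01-17T02:14:04Z 10.0.5.23 -> 10.0.5.10:445
2021-01-17T02:14:04Z 10.0.5.23 -> 93.184.216.34:443
2021-01-17T02:14:05Z 10.0.5.23 -> 10.0.5.11:445
"""


def parse_line(line):
    """Return (timestamp, src, dst, port) for one constructed log line."""
    ts_text, src, arrow, dst_port = line.split()
    if arrow != "->":
        raise ValueError(f"unexpected line: {line!r}")
    dst, port = dst_port.rsplit(":", 1)
    ts = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, src, dst, int(port)


def detect_smb_sweeps(log_text, threshold=10, window_seconds=60):
    """Alert once per source that reaches `threshold` distinct same-subnet
    peers on port 445 inside a sliding window of `window_seconds`."""
    recent = defaultdict(deque)   # src -> deque of (timestamp, dst)
    alerted = set()
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = parse_line(line)
        if port != SMB_PORT:
            continue
        subnet = ipaddress.ip_network(f"{src}/24", strict=False)
        if ipaddress.ip_address(dst) not in subnet:
            continue  # only same-subnet spread is modelled here
        window = recent[src]
        window.append((ts, dst))
        while (ts - window[0][0]).total_seconds() > window_seconds:
            window.popleft()
        peers = {d for _, d in window}
        if len(peers) >= threshold and src not in alerted:
            alerted.add(src)
            alerts.append({
                "src": src,
                "distinct_peers": len(peers),
                "first_seen": window[0][0].strftime("%Y-%m-%dT%H:%M:%SZ"),
                "at": ts.strftime("%Y-%m-%dT%H:%M:%SZ"),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_smb_sweeps(SAMPLE_LOG):
        print(alert)
```

Counting distinct peers rather than raw connection attempts keeps a file server that talks to the same client repeatedly (10.0.5.40 above) out of the alert list. In a real deployment the lines would come from Zeek `conn.log` or NetFlow rather than this constructed format, the threshold would be tuned against a baseline of legitimate SMB fan-out for each segment, and, because Sophos reports that encryption is already under way by the time the sweep starts, the alert should feed straight into host isolation rather than a daily review queue.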