GoDaddy hacked

A major breach of GoDaddy was disclosed on November 22nd affecting some 1.2 million accounts, as well as “Managed hosting” accounts that are affiliated with GoDaddy through Media Temple, 123Reg, Domain Factory, Heart Internet, and Host Europe.

Apparently the hackers had access for over two months before the breach was discovered.

One of the biggest flaws exposed in this breach is that GoDaddy was storing your passwords as unencrypted plain text. That means the hackers didn’t even have to go through the trouble of decrypting to gain access to your account, FTP/SFTP, database, etc. GoDaddy is auto-resetting database and some other passwords, as well as SSL certificate keys which were potentially breached.

What Should I Do If I’m Affected?

If you use GoDaddy to host your WordPress site, here are a few (strong) recommendations to protect your website and your hosting account:

1. Reset your WordPress admin password.

2. Implement two-factor authentication for WordPress admin accounts.

3. Review your website’s security logs to see if there are unexpected logins to admin accounts.

4. Force a password change for all users at Contributor or higher level.

5. Log in to GoDaddy and change any FTP, SFTP or other passwords associated with your account or sites.

See the iThemes link below for details on all of the above.

To be honest, we at ProtectYourWP and SustainableSources have never particularly liked GoDaddy, and though we reluctantly concede that they’ve gotten better in recent years we still suggest that you find a better hosting solution! So when they use the tagline in their advertising “It’s Go Time!”, we feel it’s more appropriate to say “It’s Go AWAY Time!”

Be on Guard for an Increase in Phishing Emails

There’s a good probability that various hackers/scammers will use the breached data to extend their attacks to other services by sending out phishing email.

Articles:

https://ithemes.com/blog/godaddy-hacked/

https://www.infosecurity-magazine.com/news/godaddy-announces-data-breach/

https://www.engadget.com/godaddy-wordpress-security-issue-1-2-million-users-150142622.html

https://techcrunch.com/2021/11/22/godaddy-breach-million-accounts/

https://therecord.media/godaddy-data-breach-impacts-1-2-million-wordpress-site-owners/

Company that routes SMS for all major US carriers was hacked for five years

As of 10/5/21 Syniverse hasn’t revealed whether text messages were exposed.

Syniverse, a company that routes hundreds of billions of text messages every year for hundreds of carriers including Verizon, T-Mobile, and AT&T, revealed to government regulators that a hacker gained unauthorized access to its databases for five years. Syniverse and carriers have not said whether the hacker had access to customers’ text messages.

A filing with the Securities and Exchange Commission last week said that “in May 2021, Syniverse became aware of unauthorized access to its operational and information technology systems by an unknown individual or organization. Promptly upon Syniverse’s detection of the unauthorized access, Syniverse launched an internal investigation, notified law enforcement, commenced remedial actions and engaged the services of specialized legal counsel and other incident response professionals.”

Syniverse said that its “investigation revealed that the unauthorized access began in May 2016” and “that the individual or organization gained unauthorized access to databases within its network on several occasions, and that login information allowing access to or from its Electronic Data Transfer (‘EDT’) environment was compromised for approximately 235 of its customers.”

Syniverse isn’t revealing more details

When contacted by Ars today, a Syniverse spokesperson provided a general statement that mostly repeats what’s in the SEC filing. Syniverse declined to answer our specific questions about whether text messages were exposed and about the impact on the major US carriers.

“Given the confidential nature of our relationship with our customers and a pending law enforcement investigation, we do not anticipate further public statements regarding this matter,” Syniverse said.

More at: https://arstechnica.com/information-technology/2021/10/company-that-routes-sms-for-all-major-us-carriers-was-hacked-for-five-years/

1.9 million+ records from the FBI’s terrorist watchlist available online

A security researcher discovered that a secret FBI terrorist watchlist was accidentally exposed on the internet for three weeks between July 19 and August 9, 2021.

Security researcher Bob Diachenko discovered a secret terrorist watchlist with 1.9 million records that was exposed on the internet for three weeks between July 19 and August 9, 2021.

In July, Diachenko discovered an unsecured Elasticsearch cluster containing 1.9 million records of sensitive information on individuals, such as names, country of citizenship, gender, date of birth, passport details, and no-fly status.

The list is extracted from the FBI Terrorist Screening Center (TSC), a database used since 2003 by US federal and other agencies to track individuals who are “known or reasonably suspected of being involved in terrorist activities.”

The copy of the TSC database was discovered by the expert on a Bahraini IP address.

“The exposed Elasticsearch cluster contained 1.9 million records,” Diachenko wrote on LinkedIn. “I do not know how much of the full TSC Watchlist it stored, but it seems plausible that the entire list was exposed.

Each record in the watchlist contained some or all of the following info:

  • Full name
  • TSC watchlist ID
  • Citizenship
  • Gender
  • Date of birth
  • Passport number
  • Country of issuance
  • No-fly indicator”

At the time of this writing it is not clear whether the unsecured server was operated directly by a U.S. government agency, by a third party, or, in the worst case, by a threat actor that obtained it.

Diachenko immediately reported his discovery to the U.S. Department of Homeland Security (DHS), and the database instance was taken down about three weeks later. That is a long delay, a circumstance that suggests the server was not directly operated by the FBI.

“On July 19, 2021, the exposed server was indexed by search engines Censys and ZoomEye. I discovered the exposed data on the same day and reported it to the DHS,” continues the expert.

“The exposed server was taken down about three weeks later, on August 9, 2021. It’s not clear why it took so long, and I don’t know for sure whether any unauthorized parties accessed it.”

The exposed database was also indexed by the search engines Censys and ZoomEye, which means other people could have had access to the secret list.

This data leak could have a serious impact on homeland security: the watchlist includes individuals who represent a potential threat to the US even if they have yet to be charged with terrorism or other crimes.

“In the wrong hands, this list could be used to oppress, harass, or persecute people on the list and their families,” says the researcher. “It could cause any number of personal and professional problems for innocent people whose names are included in the list.”

Cases where people landed on the no-fly list for refusing to become an informant aren’t unheard of.

Diachenko believes this leak could therefore have negative repercussions for such people and suspects.

“The TSC watchlist is highly controversial. The ACLU, for example, has for many years fought against the use of a secret government no-fly list without due process,” concludes the researcher.

Source: https://securityaffairs.co/wordpress/121213/data-breach/fbi-terrorist-watchlist-leak.html

Hacker returns $600M to Poly Network, is offered position as Chief Security Advisor

Last week, a hacker who stole more than $600 million in various cryptocurrencies began returning the ill-gotten gains. The hacker had exploited a weakness in the Poly Network platform, which spans multiple blockchains, to pull off the heist. At the time, he had returned almost half of the stolen funds.

This week nearly all of the crypto stolen from Poly Network has been returned, but then something bizarre happened. Instead of turning the thief, who Poly Network refers to as Mr. White Hat, over to authorities, the company hired him to be its Chief Security Advisor and gave him a $500,000 bug bounty for finding the exploit.

Poly Network said that it maintained constant communication with Mr. White Hat as he returned the crypto. He expressed concerns with the platform’s “security and overall development strategy.” The company was impressed enough with his abilities that it offered him a senior-level position at Poly Network. “We are also counting on more experts like Mr. White Hat to be involved in the future development of Poly Network since we believe that we share the vision to build a secure and robust distributed system,” Poly Network wrote in a blog post. “Also, to extend our thanks and encourage Mr. White Hat to continue contributing to security advancement in the blockchain world together with Poly Network, we cordially invite Mr. White Hat to be the Chief Security Advisor of Poly Network.”

One of the Biggest Website Hosting Providers, DreamHost, Leaked 814 Million Records Online Including Customer Data

A database belonging to DreamHost’s DreamPress managed WordPress hosting service was publicly accessible online.

3 Years of DreamPress Customer and User Data Exposed Online

On April 16th, 2021, security researcher Jeremiah Fowler, together with the Website Planet research team, discovered a database with no password protection that contained just under one billion records. The exposed records revealed usernames, display names, and emails for WordPress accounts. The monitoring and file logs exposed many internal records that should not have been publicly accessible. They were structured as roles, ID, display name, email, and other account-related information.

Upon further research there were multiple references to DreamHost. The well-known hosting provider to over 1.5 million websites also offers a simple solution for installing the popular blog platform WordPress, called DreamPress. According to their website: DreamPress is DreamHost’s managed WordPress hosting. It’s a scalable service that allows users to manage their WordPress sites.

Among the data exposed:

  • Total Size: 86.15 GB / Total Records: 814,709,344
  • The records exposed: Admin and user information for what appears to be DreamPress accounts for WordPress installations. These include WordPress login location URL, first and last names, email addresses, usernames, roles (admin, editor, registered user, etc).
  • Email addresses of internal and external users that could be targeted in phishing attacks or other social engineering scams.
  • The database was at risk of a ransomware attack due to the configuration settings that allowed public access.
  • Also exposed: host IP addresses and timestamps, and build and version information that could allow a secondary path for malware. Plugin and theme details, including configuration or security information, could potentially allow cyber criminals to exploit the site or gain access deeper into the network.

Source: https://www.websiteplanet.com/blog/dreampress-leak-report/

Experian API Exposed Credit Scores of Most Americans (again)

Big-three consumer credit bureau Experian just fixed a weakness with a partner website that let anyone look up the credit score of tens of millions of Americans just by supplying their name and mailing address, KrebsOnSecurity has learned. Experian says it has plugged the data leak, but the researcher who reported the finding says he fears the same weakness may be present at countless other lending websites that work with the credit bureau.

Security researcher Bill Demirkapi found the Experian API could be accessed directly without any sort of authentication, and that entering all zeros in the “date of birth” field let him then pull a person’s credit score. He even built a handy command-line tool to automate the lookups, which he dubbed “Bill’s Cool Credit Score Lookup Utility.”

In addition to credit scores, the Experian API returns for each consumer up to four “risk factors,” indicators that might help explain why a person’s score is not higher.

Source: https://krebsonsecurity.com/2021/04/experian-api-exposed-credit-scores-of-most-americans/

Breaches R Them

Tons of breaches recently. Apparently, some people on lockdown have been getting busy, as predicted:

A massive database of 8 billion Thai internet records leaks

25 million user records leak online from popular math app Mathway

Wishbone Breach: 40 Million Records Leaked

Home Chef announces data breach after hacker sells 8M user records

British airline easyJet breached, data of 9 million customers compromised

Information of Over 115 Million Pakistani Mobile Subscribers Exposed in a Massive Data Leak

Ransomware attack impacts Texas Department of Transportation

Texas Courts hit by ransomware, network disabled to limit spread

… just a few of the major data breaches and ransomware attacks which were reported in the last week!

And this shouldn’t really surprise you: 86% of data breaches are conducted for financial gain https://www.techrepublic.com/article/86-of-data-breaches-are-conducted-for-financial-gain/

28,000 GoDaddy Hosting Accounts Compromised

Public service announcement (PSA) from the Wordfence team regarding a security issue which may impact some of our customers. On May 4, 2020, GoDaddy, one of the world’s largest website hosting providers, disclosed that the SSH credentials of approximately 28,000 GoDaddy hosting accounts were compromised by an unauthorized attacker.

SSH, while extremely secure if configured correctly, can allow logins with either a username/password combination, or a username and a public/private key pair. In the case of this breach, it appears likely that an attacker placed their public key on the affected accounts so that they could maintain access even if the account password was changed.
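Because a planted public key survives a password reset, the check a site owner wants after a breach like this is an audit of every authorized_keys file against the fingerprints they actually issued. The script below is an added example, not code from Wordfence or GoDaddy; the key bytes, file contents and allowlist are all constructed placeholders, and fingerprints are computed in the same SHA256 form `ssh-keygen -lf` prints.

```python
import base64
import hashlib
import shlex
import struct

# Key types OpenSSH accepts at the start of a key blob; any tokens before the
# type are the optional per-key options (command=, no-pty, from=, ...).
KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521", "ssh-dss")


def fingerprint(b64_blob):
    """SHA256 fingerprint in the form `ssh-keygen -lf` prints (no '=' padding)."""
    digest = hashlib.sha256(base64.b64decode(b64_blob, validate=True)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text):
    """Yield one dict per key line; lines that cannot be parsed get type None."""
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            tokens = shlex.split(line)  # keeps command="a b" as one option token
            idx = [i for i, t in enumerate(tokens) if t in KEY_TYPES][0]
            fp = fingerprint(tokens[idx + 1])
        except (ValueError, IndexError):  # bad quoting, no key type, bad base64
            yield {"line": lineno, "type": None, "fingerprint": None,
                   "options": "", "comment": line}
            continue
        yield {"line": lineno, "type": tokens[idx], "fingerprint": fp,
               "options": ",".join(tokens[:idx]),
               "comment": " ".join(tokens[idx + 2:])}


def audit(text, allowlist):
    """Return every entry whose fingerprint is not on the allowlist."""
    return [e for e in parse_authorized_keys(text)
            if e["fingerprint"] not in allowlist]


def ed25519_blob(pub):
    """Encode 32 raw ed25519 public-key bytes as an authorized_keys blob."""
    s = lambda b: struct.pack(">I", len(b)) + b
    return base64.b64encode(s(b"ssh-ed25519") + s(pub)).decode()


# Constructed sample keys (placeholder bytes, not real keys) and file content.
ADMIN_KEY = ed25519_blob(bytes(range(32)))
PLANTED_KEY = ed25519_blob(bytes([0xAB]) * 32)
SAMPLE_AUTHORIZED_KEYS = f"""# deploy key issued by the hosting admin
ssh-ed25519 {ADMIN_KEY} deploy@build-host
no-pty,command="/usr/bin/rsync --server" ssh-ed25519 {PLANTED_KEY} backup
"""
ALLOWLIST = {fingerprint(ADMIN_KEY)}  # fingerprints the owner actually issued

if __name__ == "__main__":
    for hit in audit(SAMPLE_AUTHORIZED_KEYS, ALLOWLIST):
        print(f"line {hit['line']}: unknown key {hit['fingerprint']} "
              f"({hit['comment']!r}, options={hit['options']!r})")
```

Run it against each account's real `~/.ssh/authorized_keys` with an allowlist built from `ssh-keygen -lf` output of the keys you issued; an unparseable line is reported too, since that is where an odd entry tends to hide.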

It is unclear which of GoDaddy’s hosting packages were affected by this breach. According to GoDaddy’s public statement:

“On April 23, 2020, we identified SSH usernames and passwords had been compromised by an unauthorized individual in our hosting environment. This affected approximately 28,000 customers. We immediately reset these usernames and passwords, removed an authorized SSH file from our platform, and have no indication the individual used our customers’ credentials or modified any customer hosting accounts. The individual did not have access to customers’ main GoDaddy accounts.”

The breach itself appears to have occurred on October 19, 2019.

See https://www.wordfence.com/blog/2020/05/28000-godaddy-hosting-accounts-compromised/ for suggested actions.

Note that breaches like this can create a prime target for attackers who use phishing campaigns as a means to infect users. If you are a GoDaddy user, be extra wary of any emails you may receive.

Tupperware Cyberattack Stores Away Customer Payment Cards

From Threatpost

The food container company’s main website had a card skimmer that scooped up online customers’ payment card data.

Cybercriminals hacked the official website of Tupperware, the popular food container giant, injecting a payment card skimmer into its checkout page in hopes of stealing the credit-card details of online customers.

The attackers targeted the official Tupperware[.]com website, which averages close to one million monthly visits, as well as various localized versions of the site. Researchers said they first identified the skimmer on March 20 — but there’s no indication of how long the site was compromised before that. Though Tupperware never responded to multiple attempts at contact by researchers, as of March 25, after research was publicly disclosed detailing the card skimmer, the malicious code was removed from the homepage.

“Threat actors compromised the official tupperware[.]com site…by hiding malicious code within an image file that activates a fraudulent payment form during the checkout process,” said researchers with Malwarebytes, in a Wednesday post. “This form collects customer-payment data via a digital credit card skimmer and passes it on to the cybercriminals, with Tupperware shoppers none-the-wiser.”


Data-Enriched Profiles on 1.2B People Exposed in Gigantic Leak

Although the data was legitimately scraped by legally operating firms, the security and privacy implications are numerous.

An open Elasticsearch server has exposed the rich profiles of more than 1.2 billion people to the open internet.

First found on October 16 by researchers Bob Diachenko and Vinny Troia, the database contains more than 4 terabytes of data. It consists of scraped information from social media sources like Facebook and LinkedIn, combined with names, personal and work email addresses, phone numbers, Twitter and GitHub URLs, and other data commonly available from data brokers – i.e., companies which specialize in supporting targeted advertising, marketing and messaging services.

Taken together, the profiles provide a 360-degree view of individuals, including their employment and education histories. All of the information was unprotected, with no login needed to access it.
