Breaches R Them

Tons of breaches recently. Apparently, some people on lockdown have been getting busy, as predicted:

A massive database of 8 billion Thai internet records leaks

25 million user records leak online from popular math app Mathway

Wishbone Breach: 40 Million Records Leaked

Home Chef announces data breach after hacker sells 8M user records

British airline easyJet breached, data of 9 million customers compromised

Information of Over 115 Million Pakistani Mobile Subscribers Exposed in a Massive Data Leak

Ransomware attack impacts Texas Department of Transportation

Texas Courts hit by ransomware, network disabled to limit spread

… just a few of the major data breaches and ransomware attacks which were reported in the last week!

And this shouldn’t really surprise you: 86% of data breaches are conducted for financial gain (https://www.techrepublic.com/article/86-of-data-breaches-are-conducted-for-financial-gain/).


28,000 GoDaddy Hosting Accounts Compromised

Public service announcement (PSA) from the Wordfence team regarding a security issue which may impact some of our customers. On May 4, 2020, GoDaddy, one of the world’s largest website hosting providers, disclosed that the SSH credentials of approximately 28,000 GoDaddy hosting accounts were compromised by an unauthorized attacker.

SSH, while extremely secure if configured correctly, can allow logins with either a username/password combination, or a username and a public/private key pair. In the case of this breach, it appears likely that an attacker placed their public key on the affected accounts so that they could maintain access even if the account password was changed.

It is unclear which of GoDaddy’s hosting packages were affected by this breach. According to GoDaddy’s public statement:

“On April 23, 2020, we identified SSH usernames and passwords had been compromised by an unauthorized individual in our hosting environment. This affected approximately 28,000 customers. We immediately reset these usernames and passwords, removed an authorized SSH file from our platform, and have no indication the individual used our customers’ credentials or modified any customer hosting accounts. The individual did not have access to customers’ main GoDaddy accounts.”

The breach itself appears to have occurred on October 19, 2019.

See https://www.wordfence.com/blog/2020/05/28000-godaddy-hosting-accounts-compromised/ for suggested actions.
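One concrete check for the persistence trick described above (an attacker dropping their own public key into an account) is to audit every account’s ~/.ssh/authorized_keys against the fingerprints you actually expect. The following is an added example of mine, not Wordfence’s or GoDaddy’s code; the keys, the sample file and the allowlist in it are constructed. It fingerprints each entry the way ssh-keygen -lf does (SHA256 over the decoded key blob, base64 without padding), flags any key whose fingerprint is not on the allowlist, and flags entries whose declared key type disagrees with the type embedded in the blob:

```python
import base64
import hashlib
import shlex
import struct

KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ssh-dss",
             "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")


def fingerprint(b64_key: str) -> str:
    """SHA256 fingerprint in the form ssh-keygen -lf prints (unpadded base64)."""
    digest = hashlib.sha256(base64.b64decode(b64_key)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def embedded_type(b64_key: str) -> str:
    """Key type stored inside the wire-format blob (its first length-prefixed string)."""
    blob = base64.b64decode(b64_key)
    (n,) = struct.unpack(">I", blob[:4])
    return blob[4:4 + n].decode("ascii", "replace")


def parse_entry(line: str):
    """Split an authorized_keys line into (options, keytype, b64, comment); None for blank/comment lines."""
    if not line.strip() or line.lstrip().startswith("#"):
        return None
    try:
        tokens = shlex.split(line)   # keeps quoted options such as command="..." as one token
    except ValueError:
        tokens = line.split()
    for i, tok in enumerate(tokens):
        if tok in KEY_TYPES and i + 1 < len(tokens):
            return " ".join(tokens[:i]), tok, tokens[i + 1], " ".join(tokens[i + 2:])
    return "", "", "", line.strip()  # unparseable: report it rather than silently skip it


def audit_authorized_keys(text: str, allowed_fingerprints: set) -> list:
    """One report dict per entry; a non-empty 'reasons' list means 'look at this'."""
    reports = []
    for lineno, line in enumerate(text.splitlines(), 1):
        entry = parse_entry(line)
        if entry is None:
            continue
        options, keytype, b64, comment = entry
        if not keytype:
            reports.append({"line": lineno, "fingerprint": None, "comment": comment,
                            "options": "", "reasons": ["unparseable entry"]})
            continue
        reasons = []
        try:
            fp = fingerprint(b64)
            if embedded_type(b64) != keytype:
                reasons.append("declared type does not match key blob")
        except (ValueError, struct.error):
            fp = None
            reasons.append("undecodable key blob")
        if fp is not None and fp not in allowed_fingerprints:
            reasons.append("fingerprint not in allowlist")
        reports.append({"line": lineno, "fingerprint": fp, "comment": comment,
                        "options": options, "reasons": reasons})
    return reports


def _wire_blob(keytype: bytes, pubkey: bytes) -> bytes:
    """Build a wire-format public key blob for the constructed test keys (not real keys)."""
    return struct.pack(">I", len(keytype)) + keytype + struct.pack(">I", len(pubkey)) + pubkey


KNOWN_KEY = base64.b64encode(_wire_blob(b"ssh-ed25519", bytes(range(32)))).decode()
ROGUE_KEY = base64.b64encode(_wire_blob(b"ssh-ed25519", b"\x42" * 32)).decode()

# Constructed sample file: one expected key, one unknown key carrying a forced command,
# and one entry whose declared type disagrees with the blob.
SAMPLE_AUTHORIZED_KEYS = f"""# constructed sample
ssh-ed25519 {KNOWN_KEY} admin@laptop
command="/usr/bin/true" ssh-ed25519 {ROGUE_KEY} backup
ssh-rsa {ROGUE_KEY} maint
"""

ALLOWLIST = {fingerprint(KNOWN_KEY)}   # fingerprints you have actually issued


def flagged(text: str = SAMPLE_AUTHORIZED_KEYS, allowlist: set = ALLOWLIST) -> list:
    """Only the entries that need attention."""
    return [r for r in audit_authorized_keys(text, allowlist) if r["reasons"]]


if __name__ == "__main__":
    for r in flagged():
        print(f"line {r['line']}: {r['fingerprint']} ({r['comment']}) -> {', '.join(r['reasons'])}")
```

On a real host, run this over the home directory of every account in /etc/passwd, and check sshd_config for an AuthorizedKeysFile directive that points somewhere other than the default path, since a non-default location is exactly where a leftover key would hide. Resetting passwords alone, as GoDaddy’s statement describes, does nothing about a key that is still listed.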

Note that breaches like this also make the affected users a prime target for phishing campaigns, since the attackers know exactly who hosts with whom. If you are a GoDaddy customer, be extra wary of any email claiming to come from GoDaddy, especially one asking you to log in or reset a password.

Tupperware Cyberattack Stores Away Customer Payment Cards

From Threatpost

The food container company’s main website had a card skimmer that scooped up online customers’ payment card data.

Cybercriminals hacked the official website of Tupperware, the popular food container giant, injecting a payment card skimmer into its checkout page in hopes of stealing the credit-card details of online customers.

The attackers targeted the official Tupperware[.]com website, which averages close to one million monthly visits, as well as various localized versions of the site. Researchers said they first identified the skimmer on March 20 — but there’s no indication of how long the site was compromised before that. Though Tupperware never responded to multiple attempts at contact by researchers, as of March 25, after research was publicly disclosed detailing the card skimmer, the malicious code was removed from the homepage.

“Threat actors compromised the official tupperware[.]com site…by hiding malicious code within an image file that activates a fraudulent payment form during the checkout process,” said researchers with Malwarebytes, in a Wednesday post. “This form collects customer-payment data via a digital credit card skimmer and passes it on to the cybercriminals, with Tupperware shoppers none-the-wiser.”

Continue reading…
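As an added example (my code, not Threatpost’s or Malwarebytes’, and not the actual Tupperware payload), here is a small audit for the image trick the quote describes. It assumes the image is a PNG, the format most often abused this way, and walks the file’s chunk list: a genuine image ends at the IEND chunk, so any bytes after it, or a chunk whose CRC does not match, are not image data and deserve a look. Both sample images are constructed inside the script.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
# Cheap tells that a trailing blob is script rather than metadata (illustrative list).
SCRIPT_MARKERS = ("<script", "eval(", "document.", "function(", "XMLHttpRequest")


def _chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialise one PNG chunk: 4-byte length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def audit_png(data: bytes) -> dict:
    """Walk the chunk list and report bytes after IEND, CRC mismatches and truncation."""
    report = {"chunks": [], "bad_crc": [], "trailing": b"", "script_markers": [],
              "problems": [], "suspicious": False}
    if not data.startswith(PNG_SIGNATURE):
        report["problems"].append("missing PNG signature")
        report["suspicious"] = True
        return report
    off = len(PNG_SIGNATURE)
    found_iend = False
    while off + 12 <= len(data):
        (length,) = struct.unpack(">I", data[off:off + 4])
        end = off + 12 + length
        if end > len(data):
            report["problems"].append("truncated chunk")
            break
        ctype = data[off + 4:off + 8]
        body = data[off + 8:off + 8 + length]
        (crc,) = struct.unpack(">I", data[end - 4:end])
        name = ctype.decode("latin-1")
        report["chunks"].append(name)
        if zlib.crc32(ctype + body) & 0xFFFFFFFF != crc:
            report["bad_crc"].append(name)
        off = end
        if ctype == b"IEND":
            found_iend = True
            break
    else:
        report["problems"].append("no IEND chunk")
    # Only bytes after a genuine IEND count as "trailing"; a truncated file has no such thing.
    report["trailing"] = data[off:] if found_iend else b""
    report["script_markers"] = [m for m in SCRIPT_MARKERS if m.encode() in report["trailing"]]
    if report["trailing"]:
        report["problems"].append(f"{len(report['trailing'])} bytes after IEND")
    if report["bad_crc"]:
        report["problems"].append("CRC mismatch: " + ", ".join(report["bad_crc"]))
    report["suspicious"] = bool(report["problems"])
    return report


def _tiny_png() -> bytes:
    """Constructed 1x1 white RGB image: IHDR, one IDAT, IEND."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)   # width, height, depth, RGB, no interlace
    idat = zlib.compress(b"\x00\xff\xff\xff")             # filter byte + one white pixel
    return PNG_SIGNATURE + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")


CLEAN_PNG = _tiny_png()
# Constructed sample: the same image with a placeholder script appended after IEND.
TAINTED_PNG = CLEAN_PNG + b"<script>/* skimmer placeholder (constructed) */</script>"

if __name__ == "__main__":
    for label, img in (("clean", CLEAN_PNG), ("tainted", TAINTED_PNG)):
        r = audit_png(img)
        print(f"{label}: chunks={r['chunks']} suspicious={r['suspicious']} problems={r['problems']}")
```

Run it over the image directory of a web root and diff the results against a known-good build. Note that legitimate editors do add metadata chunks (tEXt, iCCP and the like), which is why the signals here are trailing bytes and CRC mismatches rather than unfamiliar chunk names; a payload that has been stuffed inside a well-formed chunk would still need a second look at the chunk contents.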

Data-Enriched Profiles on 1.2B People Exposed in Gigantic Leak

Although the data was legitimately scraped by legally operating firms, the security and privacy implications are numerous.

An open Elasticsearch server has exposed the rich profiles of more than 1.2 billion people to the open internet.

First found on October 16 by researchers Bob Diachenko and Vinny Troia, the database contains more than 4 terabytes of data. It consists of scraped information from social media sources like Facebook and LinkedIn, combined with names, personal and work email addresses, phone numbers, Twitter and GitHub URLs, and other data commonly available from data brokers – i.e., companies which specialize in supporting targeted advertising, marketing and messaging services.

Taken together, the profiles provide a 360-degree view of individuals, including their employment and education histories. All of the information was unprotected, with no login needed to access it.

Full article is here.

Adobe exposed nearly 7.5 million Creative Cloud accounts to the public

Full article from Mashable at https://mashable.com/article/adobe-creative-cloud-accounts-exposed/?europe=true

Graphic designers, video editors, and other creatives beware: Nearly 7.5 million Adobe Creative Cloud accounts were exposed to the public.

The database containing the sensitive user info, discovered by security researcher Bob Diachenko and Comparitech, was accessible to anyone through a web browser.

The exposed user data for the nearly 7.5 million accounts included email addresses, the Adobe products they subscribed to, account creation date, subscription and payment status, local timezone, member ID, time of last login, and whether they were an Adobe employee.

Creative Cloud customers should be wary of any suspicious emails they receive claiming to be from the company.

Equifax

Big-three credit bureau Equifax has reportedly agreed to pay at least $650 million to settle lawsuits stemming from a 2017 breach that let intruders steal personal and financial data on roughly 148 million Americans.

You won’t see a penny or any other benefit unless you do something about it, and how much you end up costing the company (within certain limits) is up to you.

The Times reports that the proposed settlement assumes that only around seven million people will sign up for their credit monitoring offers. “If more do, Equifax’s costs for providing it could rise meaningfully,” the story observes.

Not to sound mean about it, but Equifax seriously dropped the ball regarding security here, and should be held fully accountable. So we strongly encourage you and everyone you know to 1) find out if you were affected and 2) if so, file a claim. Here’s where to go:

https://www.equifaxbreachsettlement.com/

Do it now. It only takes a minute or three.

More Leaky Fun

Sigh. It seems that every time you turn around, some big company (or a small one with a massive collection of data) is found to have been hacked, had its data stolen, or, as in this case, simply left your private data wide open for anyone to access.

https://www.wired.com/story/exactis-database-leak-340-million-records/

While the records contain no financial data or Social Security numbers, the type and depth of the data raise the odds of impersonation and profiling: the database holds “more than 400 variables on a vast range of specific characteristics: whether the person smokes, their religion, whether they have dogs or cats, and interests as varied as scuba diving and plus-size apparel.”

One rule of thumb for keeping your personal data secure is to lie on pre-formatted “additional security questions” such as “where were you born”, “in what city did you meet your spouse” and the classic “mother’s maiden name”. Make up answers that have nothing obvious to do with the question. For instance, “what was the make and model of your first car” might be answered with the nickname you and your friends had for the car (C’mon, surely you named your first car, didn’t you?), and your mother’s maiden name was TheDuneTrilogy. This way you can be consistent in your answers from site to site without giving away any real, useful, trackable data about yourself. Remember that these answers are effectively a second password for the account, so treat them like one: keep them in your password manager rather than trusting your memory.
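As an added example (not from the original post), the following Python derives such made-up answers deterministically from a master secret and the question text, so the same question yields the same fake answer on every site while revealing nothing true about you. The word list is constructed and deliberately tiny, the master secret is a placeholder, and it assumes you keep that secret (or the generated answers) in a password manager; it goes slightly beyond the advice above by also normalising the question wording, so that small differences in how sites phrase the same question still produce the same answer.

```python
import hashlib
import hmac
import re

# Constructed word list of exactly 32 entries, so one byte maps onto it without bias.
# A real tool would use a large published list; this one only makes the output readable.
WORDS = ("orbit", "kettle", "velvet", "granite", "comet", "saddle", "lantern", "pepper",
         "thistle", "harbor", "falcon", "maple", "quartz", "ember", "willow", "tundra",
         "cobalt", "anvil", "prairie", "sparrow", "nickel", "ginger", "hollow", "zephyr",
         "marble", "dune", "juniper", "copper", "raven", "glacier", "pumice", "walnut")


def normalise(question: str) -> str:
    """Canonicalise wording so "Mother's maiden name?" and "mothers maiden name" agree."""
    q = re.sub(r"[^a-z0-9 ]", "", question.lower())
    return re.sub(r"\s+", " ", q).strip()


def fake_answer(master_secret: str, question: str, n_words: int = 3) -> str:
    """HMAC-SHA256(master secret, normalised question) turned into words plus two digits.

    Same secret + same question always gives the same answer; the answer itself is
    unrelated to the question, so it leaks no real fact about the account holder.
    """
    mac = hmac.new(master_secret.encode("utf-8"),
                   normalise(question).encode("utf-8"), hashlib.sha256).digest()
    words = [WORDS[b % len(WORDS)] for b in mac[:n_words]]
    suffix = int.from_bytes(mac[-2:], "big") % 100
    return "-".join(words) + f"{suffix:02d}"


if __name__ == "__main__":
    secret = "placeholder master secret"   # assumption: stored in a password manager
    for q in ("Mother's maiden name?", "mothers maiden name",
              "What was the make and model of your first car?"):
        print(f"{q!r:50} -> {fake_answer(secret, q)}")
```

The trade-off is that every site gets the same answer to the same question, exactly as the advice above suggests; if one site leaks it, rotate the master secret and re-enrol, which is no worse than the situation with a real maiden name that can never be changed.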

May ’18 news bits

It’s been a busy month and my twitter feed isn’t working right tonight as I write this, so I’m not going to be able to put in direct links or accurate quotes.

But it has been an interesting month in the security world! You may have heard about some of these in the news. Some highlights (and lowlights):

Major DDoS cybercrime website shut down (computerweekly.com).

“Drupalgeddon” touches off an arms race to exploit powerful web servers (the bug was patched in March, but many sites have still not applied the patch).

Site linked to bank hackers is closed down. The site sold a tool which enabled some 4 million cyberattacks.

Adobe patches four critical bugs in Flash and InDesign. (Do your updates!)

Full article: https://threatpost.com/adobe-patches-four-critical-bugs-in-flash-indesign/131097/

Podcast: How millions of apps leak private data https://threatpost.com/roman-unuchek-on-apps-leaking-private-data/131332/

That’s it for this month! Stay safe out there!

More scary stuff

Lots more brute force attacks this month following the leak of 1.4 BILLION username/password pairs.
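Brute-force and credential-stuffing traffic of this kind shows up plainly in sshd’s auth log if you count the right things. The following added example (mine, not from any post linked here) parses a few constructed auth.log lines and separates three patterns: many distinct usernames from one source (credential stuffing or user enumeration, the signature of someone replaying a leaked list), many failures against one account (plain password brute force), and the one that matters most, a successful password login from a source that had been failing. The addresses are TEST-NET ranges and the thresholds are made up.

```python
import re
from collections import defaultdict

FAILED = re.compile(r"sshd\[\d+\]: Failed \w+ for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+")
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>\S+) port \d+")


def collect_auth_events(text: str) -> dict:
    """Per source IP: failure count, distinct usernames tried, and successful (user, method) logins."""
    stats = defaultdict(lambda: {"failures": 0, "users": set(), "accepted": []})
    for line in text.splitlines():
        m = FAILED.search(line)
        if m:
            stats[m["ip"]]["failures"] += 1
            stats[m["ip"]]["users"].add(m["user"])
            continue
        m = ACCEPTED.search(line)
        if m:
            stats[m["ip"]]["accepted"].append((m["user"], m["method"]))
    return dict(stats)


def classify(stats: dict, fail_threshold: int = 5, user_threshold: int = 3) -> dict:
    """Map IP -> list of verdicts; sources below the thresholds are left out."""
    verdicts = {}
    for ip, s in stats.items():
        v = []
        if s["failures"] >= fail_threshold and len(s["users"]) >= user_threshold:
            v.append("credential stuffing / user enumeration")
        elif s["failures"] >= fail_threshold:
            v.append("password brute force against " + ", ".join(sorted(s["users"])))
        # A password success from a source that was failing is the real alarm; a key-based
        # login after a single typo is normal operations.
        if v and any(method == "password" for _, method in s["accepted"]):
            v.append("SUCCESSFUL password login after failures: investigate now")
        if v:
            verdicts[ip] = v
    return verdicts


def analyze(text: str, **thresholds) -> dict:
    return classify(collect_auth_events(text), **thresholds)


# Constructed sample lines in OpenSSH's auth.log format.
SAMPLE_LOG = """\
May 21 03:14:07 web1 sshd[2231]: Failed password for invalid user admin from 203.0.113.9 port 51122 ssh2
May 21 03:14:09 web1 sshd[2233]: Failed password for root from 203.0.113.9 port 51130 ssh2
May 21 03:14:11 web1 sshd[2235]: Failed password for invalid user oracle from 203.0.113.9 port 51138 ssh2
May 21 03:14:12 web1 sshd[2237]: Failed password for invalid user postgres from 203.0.113.9 port 51142 ssh2
May 21 03:14:14 web1 sshd[2239]: Failed password for invalid user test from 203.0.113.9 port 51150 ssh2
May 21 03:14:20 web1 sshd[2241]: Accepted password for root from 203.0.113.9 port 51160 ssh2
May 21 03:20:02 web1 sshd[2250]: Failed password for deploy from 198.51.100.4 port 40110 ssh2
May 21 03:20:05 web1 sshd[2252]: Accepted publickey for deploy from 198.51.100.4 port 40112 ssh2: ED25519 SHA256:abc
"""
# Ten failures against root from a third source, all within ten seconds.
SAMPLE_LOG += "".join(
    f"May 21 04:00:{s:02d} web1 sshd[{2300 + s}]: Failed password for root from 192.0.2.77 port {50000 + s} ssh2\n"
    for s in range(10)
)

if __name__ == "__main__":
    for ip, verdicts in analyze(SAMPLE_LOG).items():
        print(ip, "->", "; ".join(verdicts))
```

In production the thresholds belong in a sliding time window rather than over a whole file, and the distinct-username count is the signal worth alerting on even at low volume: one source trying admin, root, oracle and postgres in quick succession is working from a list, however slowly it goes.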