Welcome to GearBrain's Weekly Data Breach Report, a collection of known breaches into company databases where someone you don't know got access to your personal information. The frequency at which these break-ins happen appears to be growing, so every week we'll update our report with fresh news on the latest hacks and links on where you can go if there's action to be taken — whether you're concerned about your privacy or not.This week we're looking at a a hacker group who stole 700,000 customer card details from 570 online stores, a security incident involving University of Michigan students, and a $10m ransom threat against an energy company.
- More than 15 percent of used drives sold on eBay still have personal data
- 5 ways to stay secure online
- Two-thirds of hotel websites found to leak personal guest data
Week of July 6 2020: 'Keeper' hacker group breaches 570 online stores
An estimated 700,000 card details were stolen from over 570 retailers
A group of hackers called Keeper is found to have broken into the websites of more than 570 online retailers. Mostly small and medium-sized businesses, the victims had malicious scripts inserted into their websites, which Keeper used to log payment card details entered by shoppers on the checkout page.
As per a report issued by threat intelligence firm Gemini Advisory, the group have been operating since at least April 2017, and are still active today, reports ZDnet. It was also found that almost 85 percent of the target websites operated stores running on top of the Magneto e-commerce platform. Some were small businesses, but others attracted between 500,000 and one million monthly visitors. The stores were located all over the world and sold items like clothing, electronics, wine and jewelry.
Gemini believes the Keep group have collected close to 700,000 card details, of which it found around 184,000 were mistakenly leaked through an insecure server. With card credentials worth an average of $10 each on the dark web, according to Gemini, the Keeper group has likely generated millions of dollars of revenue from the stolen data.
University of Michigan
The University of Michigan said a small number of student email passwords were reset
In what is becoming on increasingly common story, University of Michigan students thought their email accounts had been hacked following a data breach in early July. But what had actually happened, according to the university, was that login credentials from historic data breaches, like those of Chegg, Zynga and LinkedIn, were to blame, reports the Detroit Free Press.
The issue was with students using their University of Michigan email address and password to log into those aforementioned services, which were then compromised, allowing anyone who knows those details to log into the students' university email accounts.
This is what happened when Disney+ launched in late 2019 and users entered email address and password combinations they had already used with another service that had suffered a data breach. The same also happened with the video chat app House Party.
The University of Michigan said it had not suffered a data breach, and reminded students to never use the same password twice. A small number of students had their accounts reset and have been notified, the university said.
EDP Renewables North America
The renewable energy firm was threatened with a $10m ransom
Renewable energy company EDP Renewables North America confirmed this week a ransomware attack had affected the system so fits parent company, Energias de Portugal, reports Security Boulevard.
A letter sent to customers said the attack took place on April 13, allowing hackers to gain access to information stored on the company's servers. EDP didn't become aware of the data breach until almost a month later, on May 8. Hackers left a ransom note demanding for more than $10m worth of bitcoin, in return for a decryption key to restore a claimed 10TB worth of stolen data. This data was claimed by the hackers to include "the most sensitive and confidential information about your transactions, billing, contacts, clients and partners".
However, EDPR says it has found no evidence that client information was accessed. As a precaution, 12 months of free identity protection is being offered to all customers.
Week of June 29, 2020: CNY Works
Non-profit CNY Works reported a data breach that may have involved Social Security numbers
A data breach of non-profit CNY Works, that helps people find jobs, may have may Social Security numbers and names of 56,000 people visible, reports Syracuse.com. The hack came in the form of a ransomware attack, and while CNY Works dis not find any sign that the data was actually viewed, it has started to send letters to those who they affected.
The attack goes back to 2019, after the agency found malware on their network. Although the malware was identified as ransomware, CNY Works said it has yet to receive a request for any payment.
University of California San Francisco
UCSF admitted it paid hackers a ransom of more than $1 million
The University of California San Francisco (UCSF) has admitted that "a security incident" hit its School of Medicine on June 1, but said it did not impact patient care, medical records — or research it's doing on Covid-19.
The malware attack encrypted some of the school's servers, and UCSF made the decision to pay some of the ransom — to the tune of $1.14 million to unlock the data. UCSF is working with law enforcement, which is investigating the incident.
Heartland Farm Mutual
An employee's email at Heartland Farm Mutual was comprised, exposing some client data
An insurance company in Waterloo, Canada has admired that an employee's email was compromised, which opened the door to some personal information of some clients, reports Global News. Heartland Farm Mutual said access to the email was unauthorized, but would not provide details on when the breach occurred. The company is offering to cover credit monitoring for a year of any client that's been affected — and has reached out to them.
Week of June 22: EasyJet lawsuit
More than 100,000 people have joined a lawsuit against low-cost European airline EasyJet, after it was disclosed in May that data of nine million passengers may have been exposed.
Victims may be entitled to as much as £2,000 ($2,500) in compensation, reports Insurance Journal, making the case against EasyJet worth an estimated £18 billion. The airline admitted in May that the email addresses and travel data of nine million customers had been stolen by hackers. The credit card details of roughly 2,200 customers was also accessed unlawfully.
Yahoo data breach: File your claim by July 20
If you are a victim of the massive data breaches that saw the theft of Yahoo user data between 2012 and 2016, you have just a few weeks left to make your claim for compensation. You could be eligible for free credit monitoring service and/or up to $100, as part of a $117.5m class-action settlement.
The years-long data breach saw hackers gain access to roughly three billion Yahoo user accounts. Various breaches saw the theft of email accounts, calendars, passwords, names and contacts of users.
Those affected have until July 20, 2020 to file their claim for compensation at this website.
Twitter sorry to business clients
Twitter has emailed its business customers to apologize about a potential data breach. Billion information for some clients was stored in web browsers' cache, Twitter admitted, making it "possible" that others could have accessed the information. That personal data included email addresses, phone numbers and the last four digits of clients' credit card numbers, reports the BBC.
The breach is said to affect businesses that use Twitter's advertising and analytics platforms, but it isn't yet clear how many businesses are impacted by the mishandling of data.
Week of June 15, 2020: Claire's
Claire's is a retail shop known for its hairbands and earrings. But its online site was hit with breach with hackers accessing payment information for customers, reports Total Retail. The hack took place when a script captured people's payment details as they checked out online. Claire's said it's cleaned up the code from the site, and only affected the online retail side, not its stores.
In March of 2018, Claire's filed bankruptcy, closing more than 150 stores. But it managed to restructure itself by the end of that year.
Online sports retailer Wiggle is admitting that some of its customer accounts were accessed online, with unauthorized people making purchases on the site, reports Cycling Industry News. The breach was discovered recently, although some customers on social media posted that they had found problems as early as May.
Wiggle is fitness site that sells everything from road bikes to swim goggles. The company is now saying that anyone making purchases going forward will have to re-enter their card details — rather than be allowed to use payment information already stored online.
Unless you're a player of Roblox, an online gaming platform, you're unlikely familiar with RBX.Place which is an online location where people can sell their in-game items. But hackers cracked into a database of people who sell items from the game in the real world, reports Motherboard.
Roblox itself is free to download and play — and there are thousands of games that users themselves actually create and then open up to others. There is a currency used in the game called Robux, which can buy things like clothes or other items in the game.
Hackers got a hold of a data from sellers, that includes email addresses, passwords that have been hashed (so you don't see the actual password) and other data.
Week of June 8, 2020: Babylon Health
This week saw UK online health provider Babylon Health admit its video GP app had suffered a data breach. The problem became apparent when a Babylon user found they had been given access to dozens of video recordings of other patients' consultations.
Babylon later said that a small number of other UK users were able to see others' video consultations, too. Babylon user Rory Glover told the BBC: "I was shocked. You don't expect to see anything like that when you're using a trusted app. It's shocking to see such a monumental error has been made."
The London-based company apologized to affected users directly, and later said in a statement: "On the afternoon of Tuesday 9 June we identified and resolved an issue within two hours whereby one patient accessed the introduction of another patient's consultation recording...This was the result of a software error rather than a malicious attack."
A database containing five billion email addresses and passwords collected by a number of historical data breaches was temporarily exposed online. The incident occurred at UK-based cybersecurity firm Keepnet Labs, which legally collects usernames and passwords exposed by hacks and data breaches, to in a bid to help notify businesses when their credentials have been compromised.
Unfortunately, during scheduled maintenance in March 2020, a third-party IT engineer disabled a firewall for approximately 10 minutes, leading to the billions of usernames and passwords being visible online, and indexed by BinaryEdge, an internet indexing company. The next day, that 867GB trove of data could be freely accessed without a password "via an unprotected port," reports Verdict.
The data included email addresses, passwords and information on what breach each piece of data came from.
Finally this week, Japanese carmaker Honda was it by a cyber attack thought to involve ransomware. Despite reports that some manufacturing efforts were halted to deal with the attack, Honda said no data had been compromised and said the attack caused "minimal business impact".
The company said on Twitter on June 8: "Honda Customer Service and Honda Financial Services are experiencing technical difficulties and are unavailable." Honda later said the "virus had spread" and "this is also an impact on production systems outside of Japan."
Although best known for its cars, Honda also produces motorbikes, generators and lawn mowers, among other products.
Week of June 1, 2020: Minted
A data breach of Invitation site Minted exposed personal information of customers from email addresses to passwords. Luckily, those passwords were salted and hashed, meaning the actual characters could not be seen. But other customers also had their birth dates, telephone numbers and addresses seen as well.
The hack took place on May 6, 2020 and Minted knew about the breach a week later. But they did not not start telling customers until the end of that month, with some hearing by email in June. As with all data breaches, you should – if affected — take security steps to lock down your digital data, and also, you know we're going to say it, change your password. Minted also has a toll-free hotline you can call if you have questions.
While travel is practically at a standstill around the world, Amtrak has still managed to be involved in a data breach, finding out about the issue in April, according to Security Boulevard. The breach involved Amtrak's Guest Rewards accounts, and usernames, passwords and some personal information may have been viewed," The National Railroad Passenger Corporation wrote in its notification to Vermont's Attorney General.
Amtrak did state that it was able to cut access after a few hours, and has already reset passwords of anyone they believe has been affected. Amtrak customers who are concerned, can get 12 months of free identity theft monitoring.
Coincheck, a cryptocurrency exchange, stopped both withdrawals and sales briefly while it investigated a potential data breach, reports Cointelegraph. This is the same company that was hit with a hack in 2018, which ended up with $500 million in cryptocurrency stolen.
The data involved this time may have included birth dates, phone numbers and registration addresses as well as selfie IDs, which are photos people take of themselves holding government identification.
Week of May 25: Bank of America
This week Bank of America announced a data breach may have affected business clients' information for the Paycheck Protection Program. The breach happened on April 22, as Bank of America uploaded PPP applications ono the US Small Business Administration's test platform, reports Charlotte Business Journal.
The bank said application information may have been visible to other SBA-authorized lenders and their vendors. The exposed information could include business details like postal addresses and tax identification numbers, plus business owner's information like their name, address, Social Security number, phone number, email and citizenship status.
Bank of America said: "There is no indication that your information may have been viewed or misused by these lenders or their vendors. And your information was not visible to other business clients applying for loans, or to the public, at any time."
Eight billion Thai internet records exposed
A huge data breach was reported from Thailand this week, involving Advanced Info Services (AIS), the country's largest cell network. Managed by a third party for AIS, the database contained real-time internet records of millions of customers; the data was accidentally made public in May during a scheduled test.
Security researcher Justin Paine said on the breach: "Over the course of the roughly three weeks the database has been exposed the volume of data has been growing significantly. The database was adding approximately 200 million new rows of data every 24 hours." As of May 21, 8.3 billion documents were exposed.
Although the data did not contain personal information, Paine said how viewing it could "quickly paint a picture" of what someone may be doing online, and in real-time.
Finally for this week, a database containing over 26 million LiveJournal user accounts – including their passwords stored in plain text – is being shared for free on multiple hacker forums.
Bleeping Computer reports how the database was first stolen back in 2014, containing 33 million user credentials. Since approximately May 8, links to the data dump have been circulating on forums. According to those sharing it, the database contains email addresses, usernames, LiveJournal profile URLs, and passwords. Although originally stored as MD5 hashes, the passwords appear as plain text.
The database has been shared with Have I Been Pwned, the website that helps users discover if their usernames and passwords have been exposed online. If your details appear on that website, it is crucial that you change the passwords of any online services for which you still use the old, compromised password. Any LiveJournal user (past or present) should also change their password immediately, both on that service, and wherever they have used the same password again.
Week of May 18, 2020: Home Chef
Home Chef has admitted a data breach got hold of records on eight million of its customers. The data includes names, email information, encrypted passwords, and the last four digits of people's credit cards, according to PYMNTS.
Home Chef sells customers weekly subscription meal kits. People are sent ingredients — and recipes — and they prepare their own meals at home.
Home Chef is now telling customers they should change their passwords.
Low-cost airline EasyJet has also been hit with a data breach with hackers getting access to credit and debit card details. They first knew about the hack in January, but were only able to tell people in early April, according to the BBC.
The company, which is known for its incredibly low-cost flights in Europe, said they wanted to figure out how bad the hack had been before telling people. But they say that everyone who has been involved will be told by May 26.
GoDaddy, one of the best known web hosting companies, has been hacked the company has admitted. About 28,000 customers have ha their data stolen through the breach which happened on October 29, 2019 — and continued for six months until April 23, 2020, reports CPO Magazine.
GoDaddy says the hacker has been blocked now, and claims that files were not added or changed on people's accounts. The company has also reset all of user names and passwords of the people involved. They're also suggesting customers check their own hosting accounts to make sure their okay as well.
Week of May 11 2020: Magellan Health
US healthcare giant Magellan Health revealed this week it has been the victim of a data breach and a ransomware attack. The Fortune 500 insurance company said how the attackers first issued a phishing email campaign on its staff.
This then gave the attackers access to Magellan's systems, from which they stole login credentials and passwords of some current staff. Personal data of staff was also stolen, including names, addresses and employee ID numbers. Some Social Security numbers and Taxpayer ID numbers were also taken.
In a letter sent to victims Magellan said: "Once the incident was discovered, Magellan immediately retained a leading cybersecurity forensics firm, Mandiant, to help conduct a thorough investigation of the incident. The investigation revealed that prior to the launch of the ransomware, the unauthorized actor exfiltrated a subset of data from a single Magellan corporate server, which included some of your personal information."
This week it was reported that, earlier in the month, Interserve was hit by a cyber attack which saw the data of 100,000 people stolen. Interserve is one of the UK government's "strategic suppliers", and is responsible for maintaining schools and hospitals, as well as transport networks like the London Underground.
Interserve recently helped with the formation of the Nightingale Hospital Birmingham, a field hospital built in a convention center for coronavirus patients.
It was first reported by the Telegraph that the hum resources database of the outsourcing firm was broken into on May 9, and information on current and former staff was stolen. The data included names, addresses, bank details, payroll information, next of kin details, HR records, dates of absences and pension information.
Interserve acknowledged the data breach in a statement and said it is working with the UK's National Cyber Security Centre to remedy the situation.
City Index informed users this week of a data breach which saw the theft of their names, dates of birth, gender and bank details. City Index is a London-based financial trading and spread better service provider.
The company told its users on May 8 that its network "was accessed by an unauthorized third party and client personal data may have been viewed," reports Infosecurity Magazine. City Index added that, upcon discovering the breach, which took place on April 14, it "shut down access to the server connected and launched a full forensic investigation."
City Index users are urged to reset their passwords, and make sure the same password previously used to access their City Index account isn't currently being used for anything else.
Week of April 27: Chegg
Educational technology company Chegg has suffered a third data breach in just three years, as it admits hackers stole the personal details of 700 current and former employees. The data included their names and Social Security numbers. For context, the company had around 1,40 employees at the start of 2020, reports TechCrunch.
Paul Martini, CEO of cloud cybersecurity company ibos, told GearBrain: "This attack may be reflective of a larger coming cybersecurity trend that should worry employers and employees alike. Over the last few months, a massive increase in people working from home has left organizations particularly vulnerable to hackers and if this attack was related to a remote employee, we're going to see a lot of IT people lose sleep..organizations of all sizes face a difficult and dangerous future."
Nintendo confirmed on April 24 that attackers had accessed 160,000 user accounts since earlier in the month. In reaction, the company temporarily disabled the ability to log into the accounts through a Nintendo Network ID. It said the login IDs and passwords were "obtained illegally by some means other than our service,"
This now tallies with a claim by SpyCloud, a cyber security company, that says the hack was likely the result of credential stuffing. This is where usernames and passwords already stolen through a previous data breach at a different company, are then used again by their owner somewhere else, like for a Nintendo account. Hackers repeatedly and automatically use these credentials to log into accounts, and in this case were successful with 160,000 Nintendo accounts, as their owners had used the same passwords before.
According to SpyCloud, 59 percent of people admit to using the same passwords.
UK license plates
It was revealed this week that the details of millions of journeys made by private individuals across the UK could be freely accessed online. This is because a system used to automatically log vehicle license plates as they pass a roadside camera, known in the UK as ANPR, was storing its data on a server with no password.
The data, and therefore journeys and locations of millions of vehicles, could be accessed by entering the IP address of the server into an internet browser. In total, 8.6 million journeys could be viewed. The data specifically came from the ANPR system of Sheffield, a city in the north of England. Hackers could have used the data to track individual vehicles through the city, putting vulnerable people at risk. The name and location data of cameras could also be changed, which could have led to wrongful convictions.
Sheffield City Council and South Yorkshire Police said in a joint statement: "We take joint responsibility for working to address this data breach. It is not an acceptable thing to have occurred. However, it is important to be very clear that, to the best of our knowledge, nobody came to any harm or suffered any detrimental effects as a result of this breach."
Week of April 20, 2020: Small Business Administration
The Small Business Administration's Economic Injury Disaster Loan program may have been hit by a data breach, and affected about 8,000 people who had applied for emergency funds to help offset the impact of the coronavirus pandemic. What's data is now vulnerable? CNN reports that it could include Social Security numbers, birth dates, insurance information, names, their email addresses and even where they live and their citizen status.
Applicants were told if they were involved in the breach on April 13 through a letter — and told they would be given a year of free credit monitoring as a result.
A chain of sandwich shop in New Jersey has found a breach that happened over a series of month to its system. Customer payment information that allowed people to place online orders was involved, and the breach took place between July 15, 2019 and February 18, 2020. Not only were numbers potentially seen, but also security codes, expiration dates, names and addresses. PrimoHoagies told customers that only data from online purchases were involved, not those made inside physical stores, reports the Courier Post.
A children's gaming platform had a breach that released nearly 23 million user names and hashed passwords — information that's been scrambled from its original form.
Webkinz World is a virtual space children can enter, that connects to a plush toy. Inside are games and adventures kids can play — and they need to have a password and user name to get online. The company has demanded that all passwords be updated on the site before people can re-log on to their accounts.
Week of April 13: Quidd
Quid, a digital collectibles trading platform, has suffered a data breach resulting in the login credentials of almost four million users appearing on a dark web hacking forum. The data included Quidd usernames, email addresses and passwords, although these were reportedly hashed, according to Teiss. The email addresses belonged to professionals from companies like Microsoft, Experian, Target and the University of Pennsylvania.
Despite being hashed, it is being reported that hackers have already cracked more than a million of the stolen passwords, and another hacker is currently selling 135,000 of the Quidd passwords.
According to experts Risk Based Security, the data was stolen from Quidd by hacker group ProTag, and was uploaded to the forum on March 12, 2020. Adverts were displayed on the dark web about the stolen database as far back as October 2019.
Wappalyzer, a technology company that lets users scan websites to receive a report of information like the type of server it uses, has been the victim of a cyber attack. The disclosure of the hack comes a week after hackers began emailing Wappalyzer's customers, offering to sell a stolen database for $2,000 in bitcoin.
The database contains Wappalyzer customer email and billing addresses, but the company told ZDnet that it contained information on just 16,000 customers. Wappalyzer says the hack took place on January 20 when an intruder accessed one of its databases, which was left exposed due to a misconfiguration, the company said.
As well as reportedly containing user email addresses, the stolen database includes technographic data, which is data collected by Wappalyzer and sold as part of its product offering to customers.
San Francisco International Airport
SFO contacted users of two of its websites this week to tell them they had been the victims of a cyber attack. The websites are SFOConnect.com and SFOConstruction.com, and are said to both be relatively low-traffic websites. The attack is believed to have taken place in March, reports ThreatPost.
The airport said this week: "The attackers inserted malicious computer code on these websites to steal some users' login credentials. Users possibly impacted by this attack include those accessing these websites from outside the airport network through Internet Explorer on a Windows-based personal device or a device not maintained by SFO."
It added that it "appears the attackers may have accessed the impacted users' usernames and passwords used to log on to those personal devices."
Week of April 6, 2020: RigUp
A company, focused on the energy sector, helped people find jobs in that market — but is now a victim of a breach that exposed 76,000 files from those clients. Those files reportedly never made it into a public view, luckily, but inside were details dating back to July 2018 including employee resumes, private family photos, W9 forms, insurance policy data, Social Security numbers and more.
Found by vpnMentor, the breach has now been secured. But anyone doing business with RigUp may want to contact the company about what it's doing next to ensure the data it has in its systems is better locked down.
Hackers are taking advantage of people's fears and worries around the coronavirus pandemic, sending phishing texts and emails that promise relief funds from the government, or trackers that turn out to be malware. Emails look to be coming from the World Health Organization, or doctors, and everyone from individuals to businesses are being targeted.
The best thing for anyone to do today, given the fact that most people are online even more than usual, and from typically less secure networks than those used at the office, is to stop opening, or sending attachments — and to go directly to government sites through a search engine, than through a link they've received online.
Hammersmiths Medicine Research
Case in point? A medical facility tapped to do some live Coronavirus vaccines has been victimized by ransomware — with their data stolen and held for hostage. Volunteers whose last names started with D,G, I or J had their records stolen from Hammersmiths Medicine Research, and personal details in them as well including their date of birth, passport information and even in some cases some health records, reports ComputerWeekly. The medical facility has refused to pay the ransom.
Week of March 30, 2020: Marriott
Marriott has a data breach that is impacting more than five million guests, with details from names to birth dates part of the get. The breach took place between mid-January and February of 2020, and happened after someone used log-in details of two employees at a franchise of the hotel chain, said Marriott.
While financial details weren't impacted, like credit cards, guests' loyalty programs, like airline frequent flyer details including those account numbers, were involved along with mailing addresses. Marriott says it will be notifying people who were impacted by the breach. And while they say passwords weren't involved — definitely change yours.
As great as Zoom has turned out to be, connecting people to friends, family, loved ones and co-workers, it has also ended with some not nice bugs — with people Zoombombing. People have been gaining access to Zoom calls, filling the screens with sounds and even pornographic imagery, that's not always appreciated.
To add insult, security researchers have found exploits, including one reported by TechCrunch that allows hackers to take over the webcam and microphone of Mac users.
Zoom says it's actually halting all new features for 90 days while it works to beef up security and privacy. Part of the problem, Zoom notes, is that its user based is up from about 10 million a day before the coronavirus pandemic took hold to about 200 million now.
WhatsApp users are reportedly getting tricked into turning over login credentials to hackers. Those hackers who have broken into social media accounts, like Facebook, are tricking that person's contacts into handing over their own WhatsApp details — which the hacker can then use, reports Android Authority.
This is kind of a version of phishing, and truthfully it can happen to anyone, regarding any of their accounts. It's always a good idea to never send your personal details to people over digital methods like email, text or, yes, WhatsApp.
Week of March 23, 2020 - Mystery database exposes 200M Americans
A databased owned by an unknown party was discovered this week with 800GB of personal user information exposed to the public. The database, which was discovered by a research team by CyberNews, contained personal information belonging to 200 million Americans.
The data included a broad range of personal information, including:
- Full name and title
- Email addresses
- Phone numbers
- Dates of birth
- Credit ratings
- Home address
- Number of children
- Personal and political interests
It is thought that much of the data has come from the US Census Bureau. CyberNews said of the leak: "It's difficult to understate the massive effect this data leak can have on hundreds of millions of people in the US. The data exposed by the unidentified party is a virtual gold mine for anyone with a penchant for cybercrime.
"Merely selling these records on darknet marketplaces at the below-average asking price of $1 per record would net the seller about $200 million. If utilized by cybercriminals to its full destructive potential, however, this data leak can result in untold billions in damages for defrauded users."
Data belonging to current and former employees of General Electric was publicly accessible for 10 days in February. A third party gained access to an email account that contained sensitive information between February 2 and 14, reports ITPro.
The data of current and former workers included:
- Direct deposit forms
- Driver's licenses
- Birth certificates
- Marriage certificates
- Death certificates
- Medical child support orders
- Tax withholding forms
Data Deposit Box
Detailed private information about 270,000 people who have used cloud storage company Data Deposit Box appeared online in late-2019. The data was discovered on December 25 and remained online until January 6.
More than 270,000 files were exposed, according to SecurityMagazine, with some leaked information dating from 2016 to the present day. Data included login credentials (usernames and unencrypted passwords), IP addresses, email addresses and GUIDs (globally unique identifies for resources).
Some information about files stored on the website by users was also accessible. This included file names, type, size and the date they were last modified.
Week of March 16, 2020: Princess Cruises
As if Princess Cruises doesn't have enough going on after being shut down from the coronavirus, the cruise line, owned by Carnival Corp, has now admitted that a possible data breach hit its system from April 11 to July 23, 2019. After gaining access to employee email accounts, Princess Cruises said the hacker was able to then see personal details on other crew members, employees and most keenly guests.
Social security numbers, passport numbers, driver's license information, financial account details and more were potentially visible. The company has posted the details on its web site, and encouraged anyone concerned that they get in touch with the company. And in the meantime, start using a password checker — while you also start changing those passwords. Yes, again.
TrueFire, a site that offers guitar lessons and tutorials online, discovered that it had a breach that spanned about six month — from August 2019 to January 2020. That left the personal data on more than one million users open including credit cards numbers, names, addresses and even security codes, among other details.
Nothing on the site gives any indication about the breach which TrueFire said it discovered on January 10, 2020. But it has sent letters to people who were affected, according to Guitar.com which said it heard form one of the users.
TrueFire is telling users to monitor their credit card statements.
Department of Health and Human Services
The U.S. Department of Health and Human Services reported that it had spent Sunday and Monday fighting against a hacking attempt on its system, reported The New York Times. The department claimed, on Monday, that the attack had not worked — but coming at a time when health groups globally are trying to work on fighting the coronavirus, the attempt was badly timed, at the least.
Officials are trying to figure out who was being the attack, concerned about attempts that could impact information being shared by medical experts to fight the virus spread. But experts have been warning already that cybercriminals have been attempting to take advantage of coronavirus fears to spread malware.
Week of March 9: Eight million eBay and Amazon shopping records exposed
Our lead story this week is of a database, accidentally made public, which contained eight million shopping records from Amazon eBay, PayPal, Shopify and Stripe.
The data, which could be found using a regular search engine, was mistakenly exposed by an unnamed third-party firm conducting cross-border value-added-tax (VAT) analysis. The majority of the data came from UK and European online shopping, and it included names, shipping addresses, email addresses, phone numbers, items purchased, payments, order IDs, links to Stripe and Shopify invoices, and the last four digits of credit card numbers.
The unencrypted database was indexed by search engines on February 2, then discovered by cybersecurity firm Comparitech a day later, with Amazon immediately notified. The database was then shut down by its owner on February 8.
Dutch government loses data of 6.9m registered donors
External computer hard drives storing data of 6.9 million registered organ donors from February 1998 to June 2010 were admitted lost this week. Last used in 2016, the pair of drives were placed in a secure vault, but this week the Dutch Minister of Health, Wellness and Sport admitted they had gone missing earlier in 2020, reports ZDnet.
The data includes first and last names, gender, date of birth, address at the time of registration, choice for organ donations, ID numbers and a copy of the person's signature. Although missing, Dutch officials said there was no evidence yet of the data being used for identity theft or fraud.
Secret-sharing app Whisper exposes 900 million user records
Whisper, once a hugely popular smartphone app where users could anonymously share secrets, left private and sensitive information about hundreds of millions of people in a public database for years.
The database, which had no password and could be accessed by anyone, included users' nicknames as well as their age, gender, ethnicity, location, and information on what groups they were a part of on the app. Many of Whisper's chat groups are about sexual relationships and orientation. The report claims 1.3 million users in the database listed their age as 15.
Once describing itself as "the safest place on the internet", Whisper launched in 2012, is available for iOS and Android, and although not as popular today it had three billion monthly page views by late 2013. Most of its users are aged 18 to 24 and predominantly female.
As well as users' hometowns, the data included the GPS coordinates of where each user submitted their most recent post.
Week of March 2, 2020: Virgin Media exposes data on almost 1 million people
Details on nearly 1 million people were accessible online for ten months in a Virgin Media database, the company announced Thursday. While passwords and financial details weren't involved, phone numbers, birthdate, email addresses and home addresses were stored in the database.
How did this happen? Virgin Media said the database had been Virgin Media said it shut down access to the database, but not before finding out some details had been "accessed without permission." The company said it had already notified the 900,000 people involved, who appear to be getting text messages.
T-Mobile hack accesses details on customers and employees
What T-Mobile is calling "a malicious attack," compromised details on customers and employees, with a hacker gaining access to details about email accounts, which include customer names, addresses, phone numbers, account numbers, rate plans and billing information. What wasn't involved? Credit card and Social Security numbers.
T-Mobile did say that they were able to shut down the attack, and while they're trying to get a wholesaled of customers, they're encouraging people to reach out if they want to know if their details were involved in the hack. Crucially, T-Mobile is reporting they have no evidence that the data gleaned has been "misused" at this time.
J.Crew hacked in 2019, company says now
Retailer J.Crew may be known for its style hacks, but this time the company was a victim of a different kind of hack, one that left financial information exposed on customers. The attack took place around April 2019, and J.Crew and is just now telling customers about the problem. Compromised are the last four digits of credit card numbers, expiration dates, the kind of payment card involved, plus email and physical addresses, as well as passwords.
What should you do? What you should always do — Change. Your. Password.
Week of February 24, 2020: Clearview AI
Controversial facial recognition company Clearview AI contacted clients this week to admit its entire client list had been stolen by an intruder. The company was the subject to an in-depth New York Times report in January which claimed it held over three billion images of members of the public, gathered up by scraping them from publicly-viewable social media accounts on Facebook, Twitter, YouTube, LinkedIn and others - a breach of their terms and conditions.
Clearview said in a statement that data thefts like this are now "a part of life". As well as the client list, data on how many Clearview each customer had, and how many times they had searched the image database, was also taken.
This week also saw Samsung admit to exposing the personal information of 150 customers on its UK website. The bizarre data leak was blamed on a "technical error", and the data exposed to the public included names, phone numbers, postal and email addresses, and previous orders made through Samsung's UK online store.
Thankfully, the company said user credit card information was not exposed. Customers affected will be contacted, Samsung said.
Slickwraps, a company that makes customized vinyl skins for phones and other devices, admitted this week it had fallen victim to a data breach. The admission came after Slickwraps customers reported they had received an email claiming to be from the company, but which was in fact written by a hacker who had gained access to its customer database.
The email appears to have been sent to 377,428 addresses, and the sender claimed they had gained access to Slickwraps' customer database by reading a now-deleted Medium post written by a seemingly different hacker who explained how they had accessed the database via a vulnerability.
In a blog post, Slickwraps said the data was "mistakenly made public via an exploit" and it included names, plus postal and email addresses. However, it assured customers that their financial data had not been accessed.
Week of February 17, 2020: MGM Resorts data shows up on hacking web site
You can never truly be free of a data breach as some of MGM Resort's former guests are now discovering. The chain announced this week that more than 10.6 million guests were caught in a data breach in 2019, and now have much of their personal information on a hacker's forum — from names to phone numbers, and even including birth dates.
The data base is from guests who stayed at the MGM Resorts prior to 2017, and they include some well-known names from Justin Bieber to Twitter's Jack Dorsey. Those who had originally been caught up in the breach had initially been contacted by MGM Resorts in August 2019.
U.S. Department of Defense (Yes, really)
An agency inside the U.S. Department of Defense (DoD) were affected by a data breach which may have included their Social Security number. The department, the Defense Information systems Agency — or DISA — contacted those involved in mid-February about the breach which happened between May and July 2019, reports Reuters, which saw the letter sent by the agency.
DISA's role, according to its web site, is to manage the way information is shared, managed and transmitted for the DoD, including communications for the president.
ISS World hacked
ISS World, which provides cleaning, catering, management and other support services, has fallen victim to malware, the company is stating on its web site. While customer data doesn't appear, for now, to be affected, businesses that use its IT services are likely finding those options dark as ISS has "disabled access," it said.
ISS owns companies across the world including the U.S.-based catering company Guckenheimer and another catering firm, Apunto, based in Chile.
Week of February 10, 2020: Estée Lauder
This week, a huge and completely unprotected customer database owned by US cosmetic firm Estée Lauder was spotted by cybersecurity researchers at Security Discovery.
The database contained more than 440 million data entries, all appearing in plaintext. These entries included email addresses, references, internal documents, IP addresses, storage information and other data that looks to have come from a company-run content management system.
Customer data wasn't compromised, but the accidental leaking of so much company data is still a major concern. Estée Lauder said in a statement: "On 30 January 2020, we were made aware that a limited number of non-consumer email addresses from an education platform were temporarily accessible via the internet. This education platform was not consumer facing, nor did it contain consumer data. We have found no evidence of unauthorized use of the temporarily accessible data."
South African financial service group Nedbank said this week that it is investigating a data breach related to Computer Facilities, a direct marketing company. Computer Facilities send SMS and email marketing information to customers on behalf of Nedbank and other clients.
Nedbank said in a statement how "a subset of the potentially compromised data at Computer Facilities included personal information (names, ID numbers, telephone numbers, physical and/or email addresses) of some Nedbank clients."
The company is keen to point out that no Nedbank systems or client bank accounts were compromised "in any manner whatsoever". Forensic experts have been hired to conduct an investigation, Nedbank says.
Nine-year-old’s identity stolen after data breach
Finally, an example of what can happen if your personal information is caught up in a data breach. A recent data breach at Health Share of Oregon led to the identity of nine-year-old boy being stolen, then used to unlawfully open a US Bank Credit Card in his name.
The card arrived at the family home soon after the boy's mother learned of the data breach. Speaking to Katu 2 news, Kristen Matthews said: "This is not OK, especially for a child. This is not OK. I immediately started seeing red because I never signed up for any of this."
The account was later closed by US Bank, but the incident serves as a demonstration of how stolen or mistakenly leaked personal data can be used. Matthews added: "There are other victims out there, though. There could be other cards being sent out to people."
Week of February 3, 2020: Don’t click on the Coronavirus phishing attack
Hackers are preying on fears about the Coronavirus, with a new phishing attack designed to look like an email from the World Health Organization. Needless to say, the message is not from the United Nations agency, but instead an attempt to get people to click on a link that takes them to a pop up asking them to type in their email address and password, according to Sophos.
The specific message actually includes a number of grammatical mistakes — something to watch for if you're getting an email from an official group, such as the World Health Organization. There are also words that are spelled wrong.
While people are concerned about the coronavirus, clicking on a link through an email — that you didn't request —is still not the best course of action. Instead, we recommend going to different web sites directly, and not through a link.
Ashley Madison breach affects still felt
A new attack is affecting those whose names, passwords, credit card details and phone numbers were hacked from the Ashley Madison data breach of five years ago. Now some of the 32 million accounts are being targeted — personally — through emails scam that threatening to expose people if they don't pay a Bitcoin ransom, according to Threatpost, pointing to a post from Vade Secure which discovered the scam.
The demand is for about $1,165 in Bitcoin, which is hidden in an attachment in the email, and also includes a QR code which are often not caught by email filters. The email demands the payment in six days, or the information about the person will be released.
Vade Secure has detected hundreds of these in the past week, and expects to see more of them in the coming months.
St. Louis Community College breach impacts thousands
A data breach at St. Louis Community College in Missouri has affected more than 5,100 people, including details such as birth dates, college IS numbers, names, addresses, phone numbers, email addresses and for 71 people, their Social Security numbers, according to local news site KSDK.com. The college told people about the hack, which occurred through a phishing attack, and that they had been able to lock down accounts again within about 72 hours.
While the school has said it will get in touch with those affected by the hack, anyone who is a student or has an affiliation with the college, should get in touch with them as well.
Week of January 27, 2020: Wawa Inc
Wawa, the US fuel and convenience store, admitted in December 2019 that it had been the victim of a nine-month-long data breach, leading to the theft of customer card data. Now, it is claimed these stolen card records are being sold online.
The Wawa customer records are said to be among a huge batch of 30 million card accounts from over 40 states offered up for sale. They are claimed to be from "a new huge nationwide breach," reports Krebs on Security.
Data exposed by the breach includes debit and credit card numbers, expiration dates, and cardholder names. PINs and CVV numbers were not exposed, Wawa claimed.
We urge readers who use Wawa to keep an eye on their card statements and report any suspicious transactions to their bank or card issuer.
The United Nations
It was reported this week that The United Nations fell victim to a suspected state-funded cyberattack in July, but did not inform the public or affected employees.
According to confidential documents leaked to The New Humanitarian, the attack could have affected up to 4,000 UN employees. Compromised data included staff records, health insurance and commercial contract data.
It is reported that hacked gained access to the data through a flaw in Microsoft SharePoint and used malware to gather up data from UN servers in three of its European offices. Staff were advised to change their passwords, but were not told why.
In 2019, data breaches increased 17 percent
Finally this week, a year-end report by the Identity Theft Resource Center revealed that the number of US data breaches increased by 17 percent in 2019 to 1,473, compared to 2018.
According to the report, the year saw 164,683,455 sensitive records exposed, which was a 65 percent increase on 2018. What's particularly interesting here is how the Marriott hotel data breach of 2018 accounted for 383 million of that year's 471 million stolen records, further demonstrating the marked increase in data theft in 2019.
"The increase in the number of data breaches during 2019, while not surprising, is a serious issue," said Eva Velasquez, president and CEO of the Identity Theft Resource Center. "It would appear that 2018 was an anomaly in how many data breaches were reported and the number of records exposed. The 2019 reporting year sees a return to the pattern of the ever-increasing number of breaches and volume of records exposed."
Week of January 20, 2019: Microsoft exposes 250 million records
Microsoft left 250 million records open on a data — and admitted it in a blog post. The breach was open from December 5, 2019 to December 31, 2019, and contained details about "support case analytics," said the company, and personal details had been "redacted."
While Microsoft wouldn't say how many records were involved, a site called Comparitech, which claims to have uncovered the breach, said there were 250 million records. Inside were conversation details between agents and customers that dated back to 2005 — far earlier than the December 5, 2019 Microsoft admitted to in its statement. And they reached out to Microsoft on December 29, 2019, they said.
Microsoft itself referred to the situation as a "misconfiguration," and that no "personally identifiable information" was exposed to the outside world. However, IP addresses and locations were available to see.
THSuite cannabis dispensary breach
A point-of-sale system used by cannabis dispensaries suffered a data breach — with some leaving buyers information from names to birth dates exposed, and occasionally the employee's name who helped them, according to a new report from VPN Mentor.
More than 85,000 files were exposed which included more than 30,000 records from the following dispensaries: Amedicanna Dispensary, Colorado Grow Company and Bloom Medicinals. But VPN Monitor warned that additional dispensaries could have been involved. The information that was breach differed between the different dispensaries. But in some cases the customers signature was captured, along with birth dates and Medical ID numbers.
VPN Mentor tracked the breach to an Amazon S3 bucket that had been unsecured. The database was closed on January 14, 2020. But any customer of three dispensaries should keep an eye on their email for possible phishing exploits.
UPS Store exposes customer financial records and ID
UPS is emailing customers admitting that some customers records at about 100 stores were exposed through a phishing hack. The attack involved details in emails that had been sent to UPS for printing and other requests, and in some cases included government-issued ID and even some financial details.
The breach happened between September 29, 2019 and January 13, 2020, when a hacker was able to access the email accounts of UPS stores. The company said it's using a third-part cybersecurity firm to help investigate the incident. And in the meantime, UPS is offering affected customers free credit monitoring and identify theft assistance.
Equifax has agreed to put aside at least $380.5 million as compensation for victims of a 2017 data breach which saw 147 million US consumers compromised.
The company has also laid out plans to spend $1 billion on revamping its information security over the next five years. Consumers who believe they were affected by the breach have a week (from January 15) to file a claim for compensation. How much they receive will depend on how many people file.
The 2017 incident, which saw personal data including Social Security Numbers compromised, was blamed by Equifax on a buggy component of a server, for which a patch was available at the time but not applied.
The money will be used to pay for credit monitoring services for affected consumers, and individuals may be entitled to up to $20,000 in compensation, but only if they can provide proof that the data breach affected them financially.
An app aimed and new parents and designed for cataloguing baby photos and videos left masses of data exposed on an insecure server for all to see. The app, called Peekaboo, was found to have exposed more than 100GB of data, including the email addresses of users, but also photos and videos of babies.
An estimated 800,000 email addresses were exposed by the insecure server, along with location data accurate to about 30 feet, effectively revealing where people had used the app on their smartphone. The insecure server was discovered by Dan Ehrlich of computer security company Twelve Security.
Ehrlich told BankInfoSecurity: "I've never seen a server so blatantly open. Everything about the server, the company's website and the iOS/Android app was both bizarrely done and grossly insecure."
The app developer has since secured the server and said it would check its systems for any other security issues.
Western Australian bank P&N Bank informed customers this week of a data breach which exposed their personal information. Data unlawfully accessed include customer names, addresses, email addresses, phone numbers, ages, account numbers, and account balances.
Other personal records like ID and credit card numbers were not accessed, the bank said, adding that it believes the data was targeted on or around December 12, during a server upgrade. A company the bank hired to provide hosting is believed to have been the attackers' entry point, reported ZDnet.
The bank stresses that, at this point, it appears that no customer accounts or funds were accessed or compromised. It is now working with law enforcement and federal authorities to work out exactly what happened. It isn't yet known how many customers were affected.
Week of January 6, 2020: City of Las Vegas
Right as the biggest tech show in the world kicked off, CES 2020, the city that hosted it gave notice that it, in fact, had been victim of a data breach, reported local channel KTNV. The actual breach happened at 4:30 am local time, and Las Vegas warned that some services may be interrupted as a result. But by Wednesday, the city gave the all clear, and tweeted that it didn't think any data was actually taken or lost, but still couldn't point at how the breach happened, and who was responsible.
Google pays $7.5 million
Google is paying $7.5 million for data leaks from its former Google+ platform dating back to 2018, reports Law 360. About half a million people who used the platform had some personal details breached, where third-party developers were able to see profile data. But the company didn't tell anyone for seven months.
Bubba Gump parent company hacked
Landry's the parent company for Joe's Crab Shack, Bubba Gump Shrimp Co. and Morton's The Steakhouse is reporting a data breach on its machines in its restaurants, the company reported. Malware on order entry systems, and not the main payments systems, was able in "some instances," according to Landry's to glean payment card details, although not someone's name. These issues happened as early as January 18, 2019 but stopped by October 17, 2019. Anyone who has eaten at a Landry's chain should, of course, monitor their credit cards for charges.