Welcome to GearBrain's Weekly Data Breach Report, a collection of known breaches into company databases where someone you don't know got access to your personal information. The frequency at which these break-ins happen appears to be growing, so every week we'll update our report with fresh news on the latest hacks and links on where you can go if there's action to be taken — whether you're concerned about your privacy or not.
This week we're looking at a data breach at Peloton exposing all of its users, an unprotected server that revealed a fake Amazon reviews scam, and an issue with Britain's NHS website that exposed citizens' Covid-19 vaccination status.
Week of May 10: Colonial Pipeline
A ransomware attack reportedly led to a shutdown of a gas pipeline in the U.S.
Anyone living along the southeast corridor of the United States has likely seen or felt the impact of a reported ransomware attack that hit Colonial Pipeline. The company first reported the attack late last week, in early May, and as a result shut down the pipeline, which moves more than 100 million gallons of fuel across parts of the U.S., CBS News wrote. The company was able to restart the pipeline this week, on Wednesday, but has warned that getting gasoline supplies to stations back up to speed could take many more days.
Pennsylvania Covid-19 contact tracing
A breach of Covid-19 contact tracing information may have exposed details about thousands of people (Getty Images/iStock)
A breach of Covid-19 contact tracing details may have exposed the private data of about 72,000 people, according to a statement from the Pennsylvania attorney general reported by the Associated Press. The information was stored with a contact tracing vendor, Insight Global, which has reportedly admitted that people working for it shared information, including the names of people who may have been exposed to Covid-19 as well as their symptoms, among possibly other details, via Google accounts that were not authorized. Pennsylvania's Attorney General Josh Shapiro has stated his office is investigating.
A software company has put out a report claiming that a significant number of organizations that use Microsoft 365 have suffered an email data breach in the last 12 months.
Egress, a software company that focuses on data breaches, has issued a security report stating that it believes 85 percent of organizations that use Microsoft 365 have had an email data breach in the last 12 months. The report, Outbound Email: Microsoft 365's Security Blind Spot, noted that 15 percent of organizations that use Microsoft 365 had more than 500 data breaches in the last year, compared to just 4 percent of companies that had not used it.
The report was compiled from interviews with 500 IT leaders and 3,000 remote workers in the US and the UK in financial services, healthcare and legal.
Week of May 3, 2021: Peloton
The Peloton Bike is priced from $1,900 (Peloton)
It was revealed this week that, in January, security researcher Jan Masters, from Pen Test Partners, reported to Peloton how the up-market exercise bike had a data problem. Masters had discovered that it was possible for anyone to view the personal details of any Peloton user, even if they had their account set to private and had no friends on the exercise platform. Due to an API fault, it was possible to view any Peloton user's age, gender, city, weight and workout statistics.
Mistakes happen, but the bigger issue here was how Peloton did not respond to Masters and did not fix the problem within the industry-standard 90 days Masters gave the company before making his findings public. Peloton has since fixed the issue and apologised for its slow response. "We took action, and addressed the issues based on his initial submissions," Peloton said. "But we were slow to update the researcher about our remediation efforts. Going forward, we will do better to work collaboratively with the security research community and respond more promptly when vulnerabilities are reported."
You can read more about this incident in a blog post on the Pen Test Partners website.
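The defect class described above is an API endpoint that returns any user's profile regardless of that user's privacy settings. The following is an added example, not Peloton's code or Pen Test Partners' findings: a constructed profile store with a hypothetical lookup that ignores privacy settings, beside a hardened version that releases private fields only to the profile owner, the owner's friends, or anyone when the profile is public. All users, field names and the `PRIVATE_FIELDS`/`PUBLIC_FIELDS` split are assumptions for the illustration.

```python
"""Server-side privacy enforcement for a profile API (added example).

The data model, user records and function names are constructed for this
illustration and are not Peloton's. The point is that the privacy decision
must be made on the server from the *authenticated* requester's identity,
not from anything the client sends about who it is.
"""
from dataclasses import dataclass, field
from typing import Optional

# Fields a private profile should release only to the owner and friends.
PRIVATE_FIELDS = {"age", "gender", "city", "weight", "workouts"}
# Fields that are always visible (constructed choice for the example).
PUBLIC_FIELDS = {"user_id", "username"}


@dataclass
class Profile:
    user_id: int
    username: str
    age: int
    gender: str
    city: str
    weight: int
    workouts: int
    private: bool = True
    friends: set = field(default_factory=set)

    def as_dict(self) -> dict:
        return {
            "user_id": self.user_id, "username": self.username,
            "age": self.age, "gender": self.gender, "city": self.city,
            "weight": self.weight, "workouts": self.workouts,
        }


# Constructed sample users: alice and bob are private and friends with each
# other; carol has a public profile.
USERS = {
    1: Profile(1, "alice", 34, "F", "Austin", 61, 120, private=True, friends={2}),
    2: Profile(2, "bob", 41, "M", "Denver", 82, 45, private=True, friends={1}),
    3: Profile(3, "carol", 29, "F", "Boston", 70, 300, private=False),
}


def get_profile_vulnerable(requester_id: Optional[int], target_id: int) -> Optional[dict]:
    """The defect class: any caller gets the full record, private or not."""
    target = USERS.get(target_id)
    return target.as_dict() if target else None


def get_profile_hardened(requester_id: Optional[int], target_id: int) -> Optional[dict]:
    """Release PRIVATE_FIELDS only when the requester is allowed to see them.

    requester_id is expected to come from the server-side session (None for
    an unauthenticated caller), never from a client-supplied parameter.
    """
    target = USERS.get(target_id)
    if target is None:
        return None
    data = target.as_dict()
    allowed = (
        not target.private                       # public profile
        or requester_id == target_id             # owner
        or (requester_id is not None and requester_id in target.friends)
    )
    if allowed:
        return data
    # Strip everything not explicitly public rather than listing what to remove,
    # so a newly added field is private by default.
    return {k: v for k, v in data.items() if k in PUBLIC_FIELDS}


if __name__ == "__main__":
    # A stranger (carol) asking for alice's profile.
    print("vulnerable:", get_profile_vulnerable(3, 1))
    print("hardened:  ", get_profile_hardened(3, 1))
```

The deny-by-default filter at the end is the design choice worth copying: new attributes added to the profile later stay hidden from non-friends until someone deliberately adds them to the public allow-list.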
Amazon fake reviews scam
This is an interesting data breach, as the exposure of this data also shed light on an Amazon review scam. The exposed 7GB database contained over 13 million records related to how an Amazon scam review system works. In a bid to gain 5-star reviews for products, sellers contact Amazon users, tell them which products to buy, then refund them the cost through PayPal once a positive, 5-star review has been posted to Amazon. The seller gets a 5-star review for their products, and the customer gets fully refunded for the items they buy.
The database potentially implicates more than 200,000 people in the scam, according to Safety Detectives, which discovered the database on an ElasticSearch server with no password or encryption. Exposed data includes the email addresses and phone numbers of vendors, as well as PayPal account details, email addresses and usernames of reviewers. Over 230,000 Gmail email addresses were also exposed by the unprotected server.
The NHS website could be used to see a person's vaccination status with only basic identifying information
Finally this week, Britain's National Health Service website was found to expose whether a citizen has had their Covid-19 vaccine or not. Discovered by the Guardian, the fault was found in an NHS website used to book vaccinations. The website exposed a person's vaccination status to anyone who either knew the person's NHS number or basic information about them. In theory, an employer could find out whether someone had had their vaccine knowing only basic identity information about the person.
"This is a seriously shocking failure to protect patients' medical confidentiality at a time when it could not be more important," said Silkie Carlo, the director of privacy group Big Brother Watch. "This online system has left the population's Covid vaccine statuses exposed to absolutely anyone to pry into. Date of birth and postcode are fields of data that can be easily found or bought, even on the electoral roll."
Week of April 26, 2021: DigitalOcean
Cloud provider DigitalOcean is reporting a breach of some customers' billing details
DigitalOcean, a cloud-based firm for developers, is warning customers about a data breach that exposed information connected to their billing details. The company states that the error that allowed the hacker to get inside has been fixed, but for over two weeks the attacker was able to see the names and addresses associated with customers' bills, as well as the last four digits of any card used to pay their accounts, reports TechCrunch.
DigitalOcean is a service that developers tap to create and write programs and have them stored in the company's cloud as they work. While passwords were not involved in the breach, nor the actual DigitalOcean accounts, 1 percent of billing profiles were involved, and the exposed data also included card expiration dates and the name of the bank that a payment card was connected to.
University of California
Some students are finding their data on the dark web after a breach impacting the University of California
Personal details from a data breach of University of California students are now showing up on the dark web, according to affected students, including at least one alumna. The information includes Social Security numbers, email and home addresses, and phone numbers, reports The Daily Californian.
The University of California was caught up in the Accellion cyberattack, which precipitated the loss of information of its own community. The UC system is offering a free year of credit monitoring, but some of those affected have raised concerns that this is not sufficient.
JPMorgan Chase Bank
JPMorgan Chase Bank is finding a new phishing attack is hitting customers
A new phishing attack is making the rounds going after customers of JPMorgan Chase Bank. These phishing attempts are building off details found on social media — which appear to be posted by customers — and gleaning those pieces of information to better tune their attacks, reports Infosecurity Magazine.
One of the attacks actually claims to be a credit card statement, telling customers that their details can now be read. The link takes them to a fake website that looks like it's coming from Chase and asks them to type in their user name and password. But the name of the bank is spelled slightly wrong, with a space between the JP and the Morgan (which is incorrect), and the letter "P" not capitalized.
People should take some time to make sure they're taking steps to try and protect themselves from phishing attacks.
Week of April 19, 2021: Apple
It is unlikely that Apple will engage with the $50m ransom demand (iStock)
Apple was this week targeted by a $50 million ransomware attack, after a trove of engineering and manufacturing schematics of its products was stolen from manufacturing partner Quanta. The Taiwanese company manufactures MacBooks and other products for Apple, and the stolen data related to current and future devices, The Record reported.
The leak was reportedly carried out by Russian hacking group REvil, which is also known as Sodinokibi. The stolen images were published online on April 20 to coincide with Apple's Spring Loaded product launch event, after Quanta refused to pay the $50m ransom demand. The hackers now hope that Apple will pay up before more images are leaked on May 1.
Douglas Elliman Property Management
Thousands of New York residents learned this month that they may have had their personal information compromised. The data breach stems from Douglas Elliman Property Management, whose three managing directors emailed hundreds of co-operative and condominium boards at the start of the week, advising them about an IT network breach, reports The Real Deal.
Elliman is one of the largest residential property management firms in New York City, representing 390 properties and over 45,000 units as of 2018.
The email said that the firm had detected "suspicious activity" on its IT system on April 7 and had contacted law enforcement. It added that an unauthorized party gained access to the network, including files containing the personal data of owners and employees. This data may have included names, dates of birth, mailing addresses, Social Security numbers, driver's license numbers, passport numbers and financial information.
Finally, this week saw the reporting of a data breach at the Geico insurance company that left customers' driver's license numbers exposed online for more than a month. The incident was detailed in a data breach notice filed with the attorney general of California, and first reported by TechCrunch.
"We recently determined that between January 21, 2021 and March 1, 2021, fraudsters used information about you – which they acquired elsewhere – to obtain unauthorized access to your driver's license number through the online sales system on our website," the notice said.
It went on: "We have reason to believe that this information could be used to fraudulently apply for unemployment benefits in your name." Geico does not say how many customers may have been affected by the data breach, but says the error has now been fixed.
Week of April 12, 2021: ParkMobile
It's difficult when the app designed to save drivers one of their biggest headaches creates another. But that's exactly what happened to users of a very popular app, ParkMobile, which millions of people throughout North America use to digitally pay for their parking spot on the street. The app's customer data has been breached and is for sale on a crime forum, according to KrebsOnSecurity.
To create an account, drivers have to input the typical — personal — details including phone numbers, email address and in some cases mailing addresses. And because this app helps ensure a driver's specific car has paid for its parking, license plate numbers have been breached as well. ParkMobile apparently knew about the issue at least by March 26, because it put out a security report. But it did not tell people to go in and change their password. Which we're telling you to do. Now.
The NBA's Houston Rockets have been hit with a ransomware attack in which hackers claim to hold business details about the basketball team, said Bloomberg, which confirmed the news. The team said it prevented some ransomware attempts from being installed on its system, but not all. The hackers have publicly stated they have some details including contracts, financial information and non-disclosure agreements, and will publish them if they don't get paid. How successful is this particular hacking group? They reportedly got one victim to pay $85,000.
W2 phishing lures
People are getting phishing emails claiming to be a file regarding a Home Loan, with a link that purports to have their 2020 Tax Returns and a W2 attached. That's the lure. But when people click on the link, they're presented with a form which asks them to put their email details — including password — to get into the file. That, clearly, doesn't open the file as it doesn't exist. Instead, people have just given hackers access to their email account.
Key here is not to click on links in emails almost ever. Even if an email appears to come from a trusted source, the sender can be spoofed — or faked — and a better course of action is to call the person and confirm that they actually sent the email you received.
Week of April 5, 2021: Facebook
This week began with the discovery of the personal details of 533 million Facebook users in a hacking forum. The freely available data include phone numbers, names and dates of birth from users across 106 countries, with 32 million US citizens implicated. The data came from a vulnerability that was patched by Facebook in August 2019. Facebook has confirmed the legitimacy of the data but says it will not be informing users who have had their details exposed by the breach.
Instead, users can check if they have been caught up in the breach by entering their phone number into the Have I Been Pwned website, an online tool that cross-references data against data breaches.
Travel website Booking.com has been fined €475,000 (approximately $560,000) for breaching GDPR law by failing to report a data breach within 72 hours. The company suffered a data breach in 2018 and discovered on January 13, 2019 that the details belonging to 4,100 users had been stolen. But instead of reporting the data breach to the regulator within three days, Booking.com waited until February 7 to disclose the incident.
Due to the breach in Europe's data protection laws, Netherlands-based Booking.com was issued with the fine. The Dutch Data Protection Authority said: "This is a serious violation. A data breach can unfortunately happen anywhere, even if you have taken good precautions. But to prevent damage to your customers and the recurrence of such a data breach, you have to report this on time."
Michigan State University
Michigan State University (MSU) this week said it has been implicated in a data breach stemming from a cyber-attack on Ohio law firm Bricker & Eckler LLP. The firm was hit by a ransomware attack in January 2021, where an unauthorised party gained access to internal systems over the second half of the month. Exposed data may have included names, addresses and some medical-related and educational-related information, plus driver's licence numbers and, in some cases, Social Security numbers.
Lansing State Journal then reported that the data breach saw the exposure of Title IX case information belonging to just under 350 people at MSU. Bricker said in a statement: "A limited number of individuals, some of whom are no longer affiliated with MSU, may have been impacted. Those individuals have been contacted and connected with the proper resources."
Week of March 29, 2021: IRS refund
Hackers are reportedly sending emails targeting college students and universities that use a ".edu" email address, claiming to be the Internal Revenue Service and offering taxpayers a way to check on the status of their refunds.
The emails, which have different subject lines including "Tax Refund Payment" or "Recalculation of your tax refund payment" then have a link, which when clicked takes people to a phishing site. There, they're asked for details including Social Security number, driver's license number, address, birth date, name and more. Tellingly these are data points the IRS does ask for on its own site — which means hackers could use this information to then reroute legitimate refunds to themselves.
Got one of these emails? You can save the email using the "save as" option, and send that as an attachment to email@example.com.
University of Maryland + University of California
A ransomware attack appears to be going on against the University of Maryland and the University of California, according to ZDNet. Screenshots of passports, a federal tax document, an application for tuition remission and more have appeared, presumably grabbed by the hackers, and show Social Security numbers, birth dates, immigration status and other personal details.
In January 2021, Ubiquiti, which makes networking devices like routers, reported a breach of its systems that had been hosted by a third party. At the time, the company said it was "aware of evidence of access to databases that host user data." Now, Krebs on Security reports that a whistleblower has said the breach was actually "catastrophic," and that the claim of a third party being the one targeted — and not Ubiquiti — "…was a fabrication."
Instead, hackers got complete access to Ubiquiti's databases via Amazon Web Services, which is what the whistleblower says the company pointed to as the third party. Hackers were then able to get into all databases, all user database details and more. Those details reportedly could have allowed hackers to authenticate to any of Ubiquiti's cloud-based devices. Which is again a reason to: Change. Your. Password.
Week of March 22, 2021: FatFace
British clothing retailer FatFace this week told its customers that it has been the victim of a data breach – then asked them to keep the matter private. The breach occurred on January 17, two months before the company informed its customers that an unspecified amount of data including names, email and postal addresses, and the last four digits and expiry date of their credit cards, had been compromised.
FatFace said the two-month delay in disclosing the breach was due to identifying who was involved in the incident and what data was involved. The company said: "This identification effort was comprehensive and coordinated by our external security experts; it therefore took time to thoroughly analyze and categorize the data to ensure we can provide the most accurate information possible."
The company then asked affected customers to "keep this email and the information included within it strictly private and confidential."
As security expert Graham Cluley said this week: "What a shame FatFace hadn't been quite so cautious about the privacy and confidentiality of its customer".
Next up this week, we have air charter firm Solairus Aviation, which announced on March 23 that it had suffered a data breach. Some employee and customer data was compromised in an incident at third-party vendor Avianis, an aviation business management platform provider.
Data stored by Solairus with Avianis included employee and client names, dates of birth, Social Security numbers, driver's licence numbers, passport numbers and financial account numbers. The company said in a message to customers: "Solairus regrets the inconvenience or concern this incident may cause you. Every member of the Solairus community is important, and Solairus values your security and privacy."
Oil and gas company Shell announced on March 16 that it had suffered a data breach related to an incident involving Accellion's file transfer application, which is used by Shell to securely transfer large data files.
Shell said in a statement: "Upon learning of the incident, Shell addressed the vulnerabilities with its service provider and cyber security team, and started an investigation to better understand the nature and extent of the incident. There is no evidence of any impact to Shell's core IT systems as the file transfer service is isolated from the rest of Shell's digital infrastructure."
The company did not say how many individuals were affected by the data breach, but said an unknown actor gained access to "various files" during the breach. This included personal data and information "from Shell companies and some of their stakeholders."
Week of March 15, 2021: WeLeakInfo
In a reversal many may say is fair, WeLeakInfo — a site where people once went to buy stolen data — leaked the details on those who have made purchases from them. Data on more than 24,000 users was found in an archived ZIP file, according to TechRadar, and is now on sale.
The information stems from sales made over Stripe, which is an online payment system, and includes names, IP addresses, physical addresses, and some credit card details. There are also the dates the transactions happened, Stripe reference numbers and phone numbers.
New York Unemployment
New Yorkers applying for unemployment may have been caught in a phishing scam that captured not only their details — but also actual personal documents. The scam worked over text and email, and if someone clicked on the link, it sent them to a site that looked exactly like the website where people apply for unemployment through New York. Except this site was a fake, according to CBS.
After logging on as they would for unemployment (which then captured their username and password), the fake site asked for documents, further netting Social Security cards and driver's licenses among other details.
Rule of thumb? When going to state or federal web sites, type the URL into Google — do not click on a link.
Another attack that starts with luring victims to click a rogue link comes through a traffic ticket email. People are sent an email with a subject line that claims they've earned a ticket. There's a link in the email which sends them to a rogue site — where they're told to click on a photo to see proof of their violation, says ZDNet.
That link though actually puts malware on their computer — one called Trickbot, known for being used as a banking trojan — which can steal login details on Windows computers.
Again: please do not click on links in emails.
Week of March 8, 2021: Microsoft
Microsoft said on March 8 that it was still seeing "multiple actors" taking advantage of unpatched systems to attack organizations that use its Exchange Server platform. The update came almost a week after the computer giant first announced it had detected multiple zero-day exploits being used to attack on-premises versions of Exchange Server in what it called "limited and targeted attacks."
The computer giant attributed the attack "with high confidence" to HAFNIUM, a group said to be state-sponsored and operating out of China. The White House later urged computer network operators to take further steps to ensure their systems are safe, as patching alone was found to leave already-compromised servers exposed. The White House said: "We can't stress enough that patching and mitigation is not remediation if the servers have already been compromised, and it is essential that any organization with a vulnerable server take measures to determine if they were already targeted."
It was found this week that a cyberattack on cloud hosting and IT service provider Netgain now affects an additional 210,000 Americans. Minnesota-based Netgain Technologies had to take down some of its data centers following a cyberattack in November 2020.
Netgain provides services to several companies in the healthcare and accounting sectors, and admitted in December that health information of patients from Woodcreek Provider Service was stored on servers affected by the attack. The information included names, addresses, medical record numbers, dates of birth, Social Security numbers, insurance claims, clinical notes, invoices, bank account numbers, DEA certificates, and some medical records, among other data.
Finally this week, a hacking collective breached a database containing the video feeds of security cameras collected by Verkada, a technology startup based in Silicon Valley. The trove of data included live feeds of 150,000 security cameras situated in sensitive locations like schools, police departments, hospitals, prisons and businesses. Bloomberg reported that high-profile firms exposed by the breach included Tesla and Cloudflare.
It was reported that the data breach was carried out by hackers who wanted to demonstrate how easily such surveillance systems could be broken into.
Verkada said: "Our internal security team and external security firm are investigating the scale and scope of this issue, and we have notified law enforcement."
Week of March 1, 2021: Malaysia Airlines
The airline has admitted to the breach and said it was notified by a third-party IT service provider about the issue, which took place between March 2010 and June 2019, according to Bleeping Computer. While passwords were not involved, said Malaysia Airlines, members' contact information, their rewards tier level, their frequent flyer number and their birthdays were part of the breach.
Over Twitter, the airline also stated that its own computer systems were not involved in the breach, which instead happened on a third party's network. The airline further encouraged members to change their passwords.
SITA, the airline passenger system provider, was hit by a data breach, the company stated on March 4. Passenger data was breached in the attack, which SITA said happened on February 24, 2021. SITA handles details for multiple areas of the airline industry, from baggage to passenger processing, and the company claims to have about 90 percent of the airlines in the world as its customers.
Qualys, a cloud security and compliance firm, has confirmed that a hack of Accellion, the one that caught a number of other firms including grocer Kroger, has affected them as well.
While the company says operations were not affected, the exploit did affect information that was "part of our customer support system," said the firm in a statement. The company also found that some files were accessed without permission that had been "hosted on the Accellion FTA server," they said. Qualys also stated it had notified "the limited number of customers impacted by this unauthorized access."
Week of February 22, 2021: Kroger
Kroger recently announced it has fallen victim to a data breach that struck at Accellion, a third-party firm providing a file transfer tool. The grocery store is in the process of contacting customers who might have been affected by the breach, which it says has presented no indication of fraud or misuse of personal information.
Kroger stopped using Accellion's service after being informed of the breach in late January 2021, reported the incident to the authorities, and began a forensic investigation.
Kroger said: "No credit or debit card information or customer account passwords were affected by this incident...While Kroger has no indication of fraud or misuse of personal information as a result of this incident, out of an abundance of caution Kroger has arranged to offer credit monitoring to all affected individuals at no cost to them."
NurseryCam, a service that lets parents view their children through a webcam while at nursery, has suffered a data breach. Informing its users of the incident this week, NurseryCam said it did not believe the incident had resulted in children or staff being watched by anyone without permission, but has switched off its server as a precaution.
The company said attackers had exploited a loophole in its system that allowed them to gather up the usernames, passwords, names and email addresses of parents who had used the service to watch their children remotely, the BBC reports. NurseryCam director Dr Melissa Kao said: "The person who identified the loophole has so far acted responsibly...he stated he has no intention to use this to do any harm".
The company is based in Guildford, Surrey, in the UK, and provides its services to around 40 nurseries across the country.
Clubhouse, the popular social media app that lets users join audio-only group chats, has suffered a data breach (of sorts). While no personal user data has been stolen, a third-party developer discovered a way to stream audio conversations on their website, despite Clubhouse being iPhone-only and invitation-only. This goes against Clubhouse's claims that audio conversations cannot be recorded, and the user has since been permanently banned from the app.
This incident led Stanford cybersecurity researchers to discover that user ID numbers and chatroom IDs were being transmitted by Clubhouse in plaintext, without any encryption. Clubhouse IDs can be connected to user profiles, allowing identities to be traced. Due to these issues, David Thiel, chief technology officer of the Stanford Internet Observatory, warned that users should consider Clubhouse conversations to be "semi-public".
Week of February 15, 2021: Kia Motors America
Kia Motors America, based in California, was hit with a heavy ransomware attack to the tune of 404 bitcoin — which at the time attackers claimed was worth about $20 million. (404 of course is a reference to an error message meaning a link is not turning up a requested page on the web.) Today, bitcoin is hovering at about $51,811, which makes that value jump to $20.9 million. And the attackers actually warned that the amount would jump to 600 bitcoin if the payment was not made in a "specific time frame," according to details obtained by Bleeping Computer.
With the payment, hackers promised to release a tool which would unlock the data — and also to not leak data as well. Kia Motors America however told Bleeping Computer they had not seen evidence that they were in fact victims of a ransomware attack.
Law firm Jones Day
A law firm, Jones Day, has suffered a data breach that involves internal communication within the firm, as well as client data, according to Bloomberg Law.
The breach occurred from the file transfer platform, FTA, used by the firm and provided by Accellion. And at least one other law firm has in recent weeks also been affected by the same breach as well. Accellion has admitted that FTA was hit by a cyberattack, and had notified customers on December 23, 2020.
Up to 20 months of personal information on drivers in California may have been breached during an attack on the state's DMV. The hack came via a third-party breach, one that hit Automatic Funds Transfer Services, according to SF Gate.
Involved are details one would expect the DMV to have: drivers' names, addresses and license plate numbers, but not information such as Social Security numbers.
Week of February 8, 2021: Cryptocurrency theft with SIM-swapping
This week, Europol announced the arrests of eight people for their alleged involvement in a series of SIM-swapping attacks targeting high-profile victims in the US. These follow two earlier arrests of people believed to be part of the same criminal network. The group is alleged to have targeted thousands of victims throughout 2020, including famous influencers, sports stars, musicians and their families. Europol claims the group is believed to have stolen over $100 million worth of cryptocurrency from the victims, after gaining illegal access to their phones.
SIM-swapping is described by Europol: "It involves cybercriminals taking over use of a victim's phone number by essentially deactivating their SIM and porting the allocated number over to a SIM belonging to a member of the criminal network. This is typically achieved by the criminals exploiting phone service providers to do the swap on their behalf, either via a corrupt insider or using social engineering techniques."
'Compilation of Many Breaches'
An unprecedented 3.27 billion cleartext email address and password pairs were leaked on a popular hacking forum this week, putting a huge proportion of internet users at risk of credential-stuffing attacks on their private accounts. Reported by Cyber News, the incident involved the leaking of databases containing usernames and passwords caught up in many previous leaks and data breaches, including those of Netflix and LinkedIn. The incident is known as COMB, or the Compilation of Many Breaches.
Cyber News explained: "This does not appear to be a new breach, but rather the largest compilation of multiple breaches...The impact to consumers and businesses of this new breach may be unprecedented. Because the majority of people reuse their passwords and usernames across multiple accounts, credential stuffing attacks are the biggest threat."
Credential stuffing is where criminals take the email address and password pairs from a database like this and try them, automatically and at scale, against the login pages of other online services. Any account whose owner reused the same password falls without a single password having to be guessed, which is why a compilation of old breaches stays dangerous long after the original incidents. The leak is believed to be twice as large as 2017's Breach Compilation, which included 1.4 billion email addresses and passwords from 252 previous breaches, including Minecraft, Badoo, Bitcoin and Pastebin.
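Credential stuffing leaves a characteristic trace on the target service: one source address cycling through many different usernames in a short time, mostly failing, occasionally succeeding. The following script is an added illustration, not part of the original report and not any company's detection code. It runs over a handful of constructed login-log lines (not real data) in an assumed "timestamp status user ip" layout and flags source IPs that try a threshold number of distinct accounts within a sliding window, listing the accounts where a login succeeded so they can be force-reset.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data). The format, and the
# 60-second window and 5-account threshold below, are assumptions for
# the demo; adjust LINE_RE and the thresholds for your own login logs.
SAMPLE_LOG = """\
2021-02-09T10:00:01Z FAIL alice@example.com 203.0.113.7
2021-02-09T10:00:02Z FAIL bob@example.com 203.0.113.7
2021-02-09T10:00:02Z FAIL carol@example.com 203.0.113.7
2021-02-09T10:00:03Z OK   dave@example.com 203.0.113.7
2021-02-09T10:00:04Z FAIL erin@example.com 203.0.113.7
2021-02-09T10:00:05Z FAIL frank@example.com 203.0.113.7
2021-02-09T10:00:06Z FAIL alice@example.com 198.51.100.9
2021-02-09T10:00:20Z FAIL alice@example.com 198.51.100.9
2021-02-09T10:00:40Z OK   alice@example.com 198.51.100.9
2021-02-09T10:30:00Z FAIL grace@example.com 203.0.113.7
"""

LINE_RE = re.compile(r"^(\S+)\s+(OK|FAIL)\s+(\S+)\s+(\S+)$")


def parse_log(log_text):
    """Return (time, success, user, ip) tuples; malformed lines are skipped."""
    events = []
    for line in log_text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue
        ts, status, user, ip = match.groups()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events.append((when, status == "OK", user.lower(), ip))
    return events


def detect_credential_stuffing(log_text, window_seconds=60, min_distinct_users=5):
    """Flag source IPs that attempt >= min_distinct_users different accounts
    inside any window_seconds-long window. A single user retrying their own
    password many times (brute force or fat fingers) is deliberately not flagged."""
    by_ip = defaultdict(list)
    for event in parse_log(log_text):
        by_ip[event[3]].append(event)

    window = timedelta(seconds=window_seconds)
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        most_distinct = 0
        start = 0
        for end in range(len(events)):
            # slide the window start forward until it covers at most window_seconds
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = len({e[2] for e in events[start:end + 1]})
            most_distinct = max(most_distinct, distinct)
        if most_distinct >= min_distinct_users:
            flagged[ip] = {
                "max_distinct_users_in_window": most_distinct,
                "failures": sum(1 for e in events if not e[1]),
                "successes": sum(1 for e in events if e[1]),
                # accounts the attacker actually got into: reset these first
                "compromised_accounts": sorted(e[2] for e in events if e[1]),
            }
    return flagged


if __name__ == "__main__":
    for ip, details in detect_credential_stuffing(SAMPLE_LOG).items():
        print(ip, details)
```

In the sample, 203.0.113.7 touches six different accounts in five seconds and gets into one of them, so it is flagged with dave@example.com listed for reset; 198.51.100.9 only retries alice's own account and is left alone. In production the same logic belongs in a SIEM rule or the login service itself, paired with rate limiting and a check of submitted passwords against known breach corpora.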
Cyberpunk developer CD Projekt
CD Projekt, the Polish developer of the Cyberpunk 2077 video game, fell victim to a cyberattack this week. Hackers broke into the company's servers and claim to have stolen source code relating to its Cyberpunk 2077, Gwent and Witcher 3 video games. A ransom note left by the hackers and published this morning (February 9) by CD Projekt's Twitter account also claims they have obtained "all of your documents relating to accounting, administration, legal, HR, investor relations and more". The hackers say these documents "will be sent to our contacts in gaming journalism," and that the game developer's servers have been encrypted.
The hackers then appear to have put the stolen code up for auction, with a starting price of $1 million and a buy-it-now option for $7 million. The hackers later claimed to have received an offer for the data, according to cybersecurity firm Kela.
In a statement released alongside a copy of the ransom note, CD Projekt said it discovered the cyber attack on February 8 and admitted that some of its "internal systems" had been compromised. The statement said: "An unidentified actor gained unauthorized access to our internal network, collected data belonging to CD Projekt capital group, and left a ransom note...Although some devices in our network have been encrypted, our backups remain intact. We have already secured our IT infrastructure and begun restoring the data."
Week of February 1, 2021: USCellular
USCellular has admitted to a breach that leaked names, addresses, billing information and other details of existing customers. The breach happened in January 2021, when retail workers in a store downloaded a rogue program onto a store computer, which then gave the attackers a way into USCellular's systems, specifically its customer relationship management (CRM) program.
The company filed a notice with the Office of the Vermont Attorney General and also contacted the customers involved, alerting them to the breach and to the fact that their login details and PINs had been reset. The affected computer has been taken offline, and employee login details have also been changed.
People who filed for unemployment in Washington state may have been caught up in a data breach that revealed personal details on 1.6 million claimants from throughout 2020. The breach is being blamed on an outside software service, Accellion, according to GeekWire.
The attack itself occurred on December 25, 2020, and the data affected included people who had filed for unemployment through December 10, as well as some state employees. Details ranging from names to Social Security numbers, driver's license numbers, bank information and prior employers were exposed. People who believe they may be affected can visit a web site with more details about the breach, put up by the Office of the Washington State Auditor, for further information.
DriveSure, an Illinois-based provider of services to car dealerships, had its database breached, with details on more than 3 million customers involved, reports Infosecurity. The data included names, email addresses, phone numbers, home addresses, the car owned, car damage records and more. It also included more than 93,000 hashed passwords.
The hack was discovered after the data was uploaded to a dark web forum on December 19, 2020, in three folders that included .mil and .gov email addresses.
Week of January 25, 2021: Bonobos
Men's clothing store Bonobos suffered a massive data breach earlier this month, which saw the exposure of millions of customers' details in a 70GB database. The trove of data included customer addresses, phone numbers, the last four digits of credit card numbers, order information and password histories, reports Bleeping Computer.
The data included the addresses and phone numbers of seven million customers or orders, and 3.5 million partial credit card numbers. The retailer, which was bought by Walmart in 2017 for $300 million, says the data was stolen from an online backup rather than from the website itself. The company said: "What we have discovered is an unauthorized third party was able to view a backup file hosted in an external cloud environment. We contacted the host provider to resolve this issue as soon as we became aware of it." Customers of Bonobos are urged to change their passwords immediately, and to change their login details of any other services or accounts they use with the same password.
Online gaming platform VIP Games was found this week to have exposed 23 million data records on a misconfigured server, researchers from WizCase discovered. The data belonged to 66,000 users and included usernames, email addresses, social media IDs, bets, device details, IP addresses and hashed passwords.
VIP Games has in the region of 20,000 daily players and offers online versions of popular classic card and board games like Ludo and Dominoes. Chase Williams from WizCase wrote: "If such data had fallen into the hands of cybercriminals, it could have been exploited for identity theft, fraud, phishing, scamming, espionage and malware infestation. The leak was discovered as part of WizCase's research project that randomly looked for open servers and sought to understand what data these servers contained."
Cryptocurrency services are a popular target for hackers, and the latest victim is India-based BuyUCoin, which appears to have had an insecure database accessed by the hacking group ShinyHunters. The cryptocurrency exchange says it is investigating claims that sensitive data of hundreds of thousands of its users has been published on the dark web, reports Graham Cluley for Bitdefender. The 6GB of leaked data appears to have come from a MongoDB database and includes user bank account details, email addresses, hashed passwords, mobile phone numbers and Google sign-in tokens.
Having first described the incident as "a low impact security incident" which only affected 200 entries of non-sensitive dummy data, BuyUCoin later replaced this statement with a message saying it is "investigating each and every aspect of the report about malicious and unlawful cybercrime activities by foreign entities in mid-2020."
Week of January 18, 2021: Capcom
Gamers of the popular titles "Darkstalkers" and "Resident Evil" should check their credentials and start changing passwords. The developer of the titles, Capcom, is now expanding the number of accounts that may have been compromised in a ransomware attack from November 2020, reports Threatpost.
Originally thought to involve 40,000 customers, the attack may now have affected 400,000 accounts with personal data involved.
Nitro, a web-based PDF service, has been hit in one of the worst ways, with a database of more than 77 million records leaked online for free. The records include email addresses, names, passwords and IP addresses, the numeric address assigned to a device, such as your computer, when it connects to the internet.
While the hack itself happened in 2020, the database has now been posted online in full, after the download link had earlier been offered for $3, according to BleepingComputer.
Security firm Malwarebytes is reporting a hack into its systems that gave the attacker access to some internal company emails. The intruder got in by abusing an application with privileged access to the company's Microsoft Office 365 and Azure environments, according to Ars Technica, which added that this is the same threat actor behind the SolarWinds supply-chain attack disclosed in December 2020.
Week of January 11, 2021: Parler
Despite being taken offline, and cut off by Apple, Google and Amazon, millions of posts published to the Parler social media app are still visible online. The messages were 'scraped' from Parler before the service was taken offline on January 11, and uploaded to the Internet Archive by Twitter user @donk_enby, a self-described hacker and internet activist. She tweeted that the scraped data included deleted and private posts, plus videos that contained "all associated metadata." That metadata is thought to include the location where the posts and videos were created.
As such, the data collected by @donk_enby could prove highly valuable, as law enforcement could potentially use the metadata to identify rioters who stormed the Capitol last week. Unusually, Parler did not strip the metadata from uploaded images and videos, as other social networks and web services do.
Ubiquiti Networks, a vendor of networking equipment and Internet of Things devices, wrote to its customers on January 11 to inform them of a recent security breach. The company said: "We recently became aware of unauthorized access to certain of our information technology systems hosted by a third party cloud provider." The targeted servers stored information relating to user profiles for the company's account.ui.com web portal.
While the company says it is "not currently aware of evidence of access to any databases that host user data," it admits it "cannot be certain that user data has not been exposed." This data, Ubiquiti says, may include customer names, email addresses and one-way encrypted passwords, in other words passwords that are hashed and salted. A leaked record of that kind cannot be reversed to recover the password, but a weak or reused password can still be guessed offline one record at a time. Customers are urged to change their password, and also the passwords of any websites and services where they use the same username or email address with that password. Customers should also enable two-factor authentication.
The European Medicines Agency (EMA) announced on January 12 that some of the Pfizer and BioNTech Covid-19 vaccine documents stolen from the agency's servers have been leaked online. The EMA said: "The ongoing investigation of the cyberattack on EMA revealed that some of the unlawfully accessed documents related to Covid-19 medicines and vaccines belonging to third parties have been leaked on the internet...Necessary action is being taken by the law enforcement authorities."
The agency was keen to point out that European medicines regulation services remain fully functional, and the evaluation and approval timelines of Covid-19 vaccines have not been affected by the data breach, reports BleepingComputer. It is claimed the stolen data, which was unlawfully accessed in December 2020, includes screenshots of emails, EMA peer-reviewed comments, Word documents, PDFs and PowerPoint presentations.
Week of January 4, 2021: British Airways £3 billion settlement
British Airways is starting to talk about settlements regarding its 2018 data breach, which exposed details of 185,000 of the airline's reward members as well as about 380,000 regular users of its app and web site.
Details from names and email addresses to credit card numbers and their security codes were exposed, and the settlement could reach up to £3 billion, according to Infosecurity magazine.
T-Mobile attacked again
T-Mobile has started alerting customers about a data breach that involved their phone numbers, the number of lines on their accounts and even call records. But the company emphasized that details including Social Security numbers, passwords and even physical addresses were not compromised.
The unauthorized access was stopped, said T-Mobile, which is now investigating and has also "reported this matter to federal law enforcement," it said in a statement.
The company reported a similar attack back in March 2020.
Aurora Cannabis employee data breached
Canadian cannabis company Aurora Cannabis has started reaching out to employees, both current and past, about a breach on December 25, 2020. Involved were details the company would have had on file about people who worked there, including banking data and home addresses, reports MJBizDaily.
Employees report they first heard about it on December 31. The breach involved the company's Microsoft SharePoint and OneDrive environments.