Welcome to GearBrain's Weekly Data Breach Report, a collection of known breaches into company databases where someone you don't know got access to your personal information. The frequency at which these break-ins happen appears to be growing, so every week we'll update our report with fresh news on the latest hacks and links on where you can go if there's action to be taken — whether you're concerned about your privacy or not.
This week we're looking at a possible ransomware attack on Kia Motors America (although the company says it has seen no evidence of an attack), a law firm whose client data and internal communications were exposed through a third-party supplier, and the California DMV, where up to 20 months of personal data on drivers may have been breached.
- More than 15 percent of used drives sold on eBay still have personal data
- 5 ways to stay secure online
- Two-thirds of hotel websites found to leak personal guest data
Week of February 15, 2021: Kia Motors America
Kia Motors America says it has not been a victim of ransomware, despite a report claiming the company has had a bitcoin demand made
Kia Motors America, based in California, was reportedly hit with a ransomware attack carrying a demand of 404 bitcoin, which the attackers claimed was worth about $20 million at the time. (404 is presumably a nod to the HTTP status code returned when a requested web page is not found.) Today, bitcoin is hovering at about $51,811, which pushes that value to $20.9 million. The attackers also warned that the amount would rise to 600 bitcoin if payment was not made within a "specific time frame," according to details obtained by Bleeping Computer.
In exchange for payment, the attackers promised to provide a decryption tool to unlock the data and to refrain from leaking what they had taken. Kia Motors America, however, told Bleeping Computer it had not seen evidence that it was in fact the victim of a ransomware attack.
Law firm Jones Day
Law firm Jones Day has had internal communications and client data breached via an attack on a third-party supplier
A law firm, Jones Day, has suffered a data breach that involves internal communication within the firm, as well as client data, according to Bloomberg Law.
The breach came via Accellion's File Transfer Appliance (FTA), a legacy file-transfer product used by the firm. At least one other law firm has also been affected by the same Accellion compromise in recent weeks. Accellion has acknowledged that FTA was hit by a cyberattack and says it notified customers on December 23, 2020.
California drivers may have had personal details breached, including their names and the license plate numbers of their vehicles
Up to 20 months of personal information on drivers in California may have been breached during an attack on the state's DMV. The hack came via a third-party breach, one that hit Automatic Funds Transfer Services, according to SF Gate.
The details involved are what one would expect the DMV to hold: drivers' names, addresses and license plate numbers, but not information such as Social Security numbers.
Week of February 8, 2021: Cryptocurrency theft with SIM-swapping
The criminals are believed to have used a SIM-swapping technique to steal cryptocurrency
This week, Europol announced the arrests of eight people for their alleged involvement in a series of SIM-swapping attacks targeting high-profile victims in the US. These follow two earlier arrests of people believed to belong to the same criminal network. The group is alleged to have targeted thousands of victims throughout 2020, including famous influencers, sports stars, musicians and their families. Europol says the group is believed to have stolen over $100 million worth of cryptocurrency from the victims after gaining illegal access to their phones.
SIM-swapping is described by Europol: "It involves cybercriminals taking over use of a victim's phone number by essentially deactivating their SIM and porting the allocated number over to a SIM belonging to a member of the criminal network. This is typically achieved by the criminals exploiting phone service providers to do the swap on their behalf, either via a corrupt insider or using social engineering techniques."
'Compilation of Many Breaches'
The database is believed to contain over 3.2 billion usernames and passwords
An unprecedented 3.27 billion cleartext email address and password pairs were leaked on a popular hacking forum this week, putting a huge proportion of internet users at risk of credential-stuffing attacks on their private accounts. Reported by Cyber News, the incident involved the leaking of databases containing usernames and passwords caught up in many previous leaks and data breaches, including those of Netflix and LinkedIn. The dump is known as COMB, the Compilation of Many Breaches.
Cyber News explained: "This does not appear to be a new breach, but rather the largest compilation of multiple breaches...The impact to consumers and businesses of this new breach may be unprecedented. Because the majority of people reuse their passwords and usernames across multiple accounts, credential stuffing attacks are the biggest threat."
Credential stuffing is where criminals feed a database like this into automated tools that try each leaked email-and-password pair against the login pages of other services. It works because most people reuse passwords: if the pair that leaked from one site still opens the victim's email, bank or shopping account, the attacker is in without ever having to guess. The leak is believed to be twice as large as 2017's Breach Compilation, which included 1.4 billion email addresses and passwords from 252 previous breaches, including Minecraft, Badoo, Bitcoin and Pastebin.
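From the defender's side, a credential-stuffing run looks different from an ordinary brute-force attempt: one source tries many different accounts once each, rather than hammering one account with many passwords. The following is an added example (not code from GearBrain or Cyber News) that flags that pattern in web-application login logs. The log line format, the sample lines, the one-minute window and the threshold of five distinct accounts are all assumptions chosen for illustration.

```python
"""Credential-stuffing detection over constructed web-app login logs.

Added example, not part of the original report. Assumes a simple log
format (timestamp, source IP, username, OK/FAIL) and flags any source
that tries at least `min_distinct_users` *different* accounts inside a
sliding time window. A source retrying a single account is not flagged;
that is a different (brute-force or legitimate-retry) pattern.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
import re

# Constructed sample log. 203.0.113.7 cycles through six accounts in
# five seconds and gets one hit; 198.51.100.4 retries one account.
SAMPLE_LOG = """\
2021-02-10T08:00:01Z src=203.0.113.7 user=alice@example.com result=FAIL
2021-02-10T08:00:02Z src=203.0.113.7 user=bob@example.com result=FAIL
2021-02-10T08:00:02Z src=203.0.113.7 user=carol@example.com result=FAIL
2021-02-10T08:00:03Z src=203.0.113.7 user=dave@example.com result=OK
2021-02-10T08:00:04Z src=203.0.113.7 user=erin@example.com result=FAIL
2021-02-10T08:00:05Z src=203.0.113.7 user=frank@example.com result=FAIL
2021-02-10T08:05:00Z src=198.51.100.4 user=alice@example.com result=FAIL
2021-02-10T08:05:30Z src=198.51.100.4 user=alice@example.com result=FAIL
2021-02-10T08:06:00Z src=198.51.100.4 user=alice@example.com result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_line(line):
    """Parse one log line into (timestamp, src_ip, user, success) or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m["src"], m["user"], m["result"] == "OK"


def detect_stuffing(log_text, window=timedelta(minutes=1), min_distinct_users=5):
    """Return {src_ip: finding} for sources that hit many distinct accounts.

    For each source, events are sorted by time and a window is slid over
    them; the peak number of distinct usernames inside any window is the
    score. Successful logins from a flagged source are listed separately,
    since those accounts are the ones that now need a forced reset.
    """
    events = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed:
            ts, src, user, ok = parsed
            events[src].append((ts, user, ok))

    findings = {}
    for src, evs in events.items():
        evs.sort()
        peak = 0
        for i, (start, _, _) in enumerate(evs):
            seen = set()
            for ts, user, _ in evs[i:]:
                if ts - start > window:
                    break
                seen.add(user)
            peak = max(peak, len(seen))
        if peak >= min_distinct_users:
            findings[src] = {
                "distinct_users_in_window": peak,
                "attempts": len(evs),
                "successes": sorted({u for _, u, ok in evs if ok}),
            }
    return findings


if __name__ == "__main__":
    for src, f in detect_stuffing(SAMPLE_LOG).items():
        print(src, f)
```

In a real deployment the same logic would run over a rolling stream rather than a text blob, and the "successes" list is the actionable output: those are the accounts whose leaked password still worked and should be reset and reviewed for follow-on activity.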
Cyberpunk 2077 developer CD Projekt says it will not cooperate with the ransom demand
CD Projekt, the Polish developer of the Cyberpunk 2077 video game, fell victim to a cyberattack this week. Hackers broke into the company's servers and claim to have stolen source code for its Cyberpunk 2077, Gwent and The Witcher 3 video games. A ransom note left by the hackers and published this morning (February 9) on CD Projekt's Twitter account also claims they have obtained "all of your documents relating to accounting, administration, legal, HR, investor relations and more". The hackers say these documents "will be sent to our contacts in gaming journalism," and that the game developer's servers have been encrypted.
The hackers then appear to have put the stolen code up for auction, with a starting price of $1 million and a buy-it-now option for $7 million. They later claimed to have received an offer for the data, according to cybersecurity firm Kela.
In a statement released alongside a copy of the ransom note, CD Projekt said it discovered the cyber attack on February 8 and admitted that some of its "internal systems" had been compromised. The statement said: "An unidentified actor gained unauthorized access to our internal network, collected data belonging to CD Projekt capital group, and left a ransom note...Although some devices in our network have been encrypted, our backups remain intact. We have already secured our IT infrastructure and begun restoring the data."
Week of February 1, 2021: USCellular
USCellular has reported a breach, with details on some customers, from names to billing information, leaked
USCellular has admitted to a hack that leaked names, addresses, billing information and other details of existing customers. The breach happened in January 2021, when retail employees in a store downloaded a rogue program onto a computer; the attackers then used that machine to reach USCellular's customer relationship management (CRM) system.
The company filed a notice with the Office of the Vermont Attorney General and also contacted the customers involved, alerting them to the breach and telling them that their login details and PINs had been changed. The affected computer has been taken offline, and employee login details have also been changed.
The state of Washington reported a breach of unemployment claims through most of 2020
People who filed for unemployment in Washington state may have been caught up in a data breach that revealed personal details on 1.6 million claimants from throughout 2020. The breach is being blamed on an outside software service, Accellion's file-transfer product, according to GeekWire.
The attack itself occurred on December 25, 2020, and the data affected belonged to people who had filed for unemployment through December 10, as well as some state employees. Details ranging from names to Social Security numbers, driver's license numbers, bank information and prior employers were exposed. People who believe they may be affected can go to a website set up by the Office of the Washington State Auditor for further information about the breach.
More than 3 million customers of a car dealership in Illinois had their details breached
A car dealership based in Illinois had its database breached, with details on more than 3 million customers involved. The breach, reported by Infosecurity, involved DriveSure and included names, email addresses, phone numbers, home addresses, the vehicle owned, vehicle damage records and more. It also included more than 93,000 hashed passwords.
The hack was discovered after the data was uploaded to a dark web forum on December 19, 2020; the upload comprised three folders of information and included .mil and .gov email addresses.
Week of January 25, 2021: Bonobos
Men's clothing retailer Bonobos suffered a massive data breach earlier this month, exposing millions of customers' details in a 70GB database. The trove of Bonobos website data included customer addresses, phone numbers, the last four digits of credit card numbers, order information and password histories, reports Bleeping Computer.
The data included the addresses and phone numbers of seven million customers or orders, and 3.5 million partial credit card numbers. The retailer, which was bought by Walmart in 2017 for $300 million, says the data was stolen from an online backup rather than from the website itself. The company said: "What we have discovered is an unauthorized third party was able to view a backup file hosted in an external cloud environment. We contacted the host provider to resolve this issue as soon as we became aware of it." Customers of Bonobos are urged to change their passwords immediately, and to change the password of any other service or account where they used the same one.
Online gaming platform VIP Games was found this week to have exposed 23 million data records on a misconfigured server, according to researchers from WizCase. The data belonged to 66,000 users and included usernames, email addresses, social media IDs, bets, device details, IP addresses and hashed passwords.
VIP Games has in the region of 20,000 daily players and offers online versions of popular classic card and board games like Ludo and Dominoes. Chase Williams from WizCase wrote: "If such data had fallen into the hands of cybercriminals, it could have been exploited for identity theft, fraud, phishing, scamming, espionage and malware infestation. The leak was discovered as part of WizCase's research project that randomly looked for open servers and sought to understand what data these servers contained."
Cryptocurrency services are a popular target for hackers, and the latest victim is India-based BuyUCoin, which appears to have had an insecure database accessed by the hacking group ShinyHunters. The cryptocurrency exchange says it is investigating claims that sensitive data on hundreds of thousands of its users has been published on the dark web, reports Graham Cluley for Bitdefender. The 6GB of leaked data appears to have come from a MongoDB database and includes user bank account details, email addresses, hashed passwords, mobile phone numbers and Google sign-in tokens.
Having first described the incident as "a low impact security incident" which only affected 200 entries of non-sensitive dummy data, BuyUCoin later replaced this statement with a message saying it is "investigating each and every aspect of the report about malicious and unlawful cybercrime activities by foreign entities in mid-2020."
Week of January 18, 2021: Capcom
Players of the popular titles "Darkstalkers" and "Resident Evil" should check their credentials and start changing passwords. The developer of the titles, Capcom, is now expanding the number of accounts that may have been compromised in a ransomware attack from November 2020, reports Threatpost.
Originally thought to affect 40,000 customers, the attack may now have affected 400,000 accounts containing personal data.
Nitro, a web-based PDF service, has been hit in one of the worst ways: its database of more than 77 million records has been leaked online for free. The records include email addresses, names, passwords and even IP addresses, the network address assigned to a device such as your computer when it connects to the internet.
While the hack itself happened in 2020, the database is now freely available online, posted after its download link had earlier been offered for sale for $3, according to BleepingComputer.
Security firm Malwarebytes has reported an intrusion into its systems that gave the attackers access to some internal company emails. The attackers got in through Microsoft Office 365 and Azure, according to Ars Technica, which added that this is the same threat actor behind the SolarWinds supply-chain compromise, which began in 2019 and came to light in December 2020.
Week of January 11, 2021: Parler
Despite being taken offline and cut loose by Apple, Google and Amazon, millions of posts published to the Parler social media app are still visible online. The messages were 'scraped' from Parler before the service went dark on January 11 and uploaded to the Internet Archive by Twitter user @donk_enby, a self-described hacker and internet activist. She tweeted that the scraped data included deleted and private posts, plus videos with "all associated metadata." That metadata is thought to include the location where the posts and videos were created.
As such, the data collected by @donk_enby could prove highly valuable, as law enforcement could potentially use the metadata to identify rioters who stormed the Capitol last week. Unusually, Parler did not strip the metadata (such as embedded GPS coordinates) from uploaded images and videos, as other social networks and web services do.
Ubiquiti Networks, a vendor of networking equipment and Internet of Things devices, emailed its customers on January 11 to inform them of a recent security breach. The company said: "We recently became aware of unauthorized access to certain of our information technology systems hosted by a third party cloud provider." The targeted servers stored information relating to user profiles for the company's account.ui.com web portal.
While the company says it is "not currently aware of evidence of access to any databases that host user data," it admits it "cannot be certain that user data has not been exposed." This data, Ubiquiti says, may include customer names, email addresses and one-way encrypted passwords, in other words passwords that are hashed and salted. Customers are urged to change their password, and also the passwords of any websites and services where they use the same username and password as on Ubiquiti. Customers should also enable two-factor authentication.
The European Medicines Agency (EMA) announced on January 12 that some of the Pfizer and BioNTech Covid-19 vaccine documents stolen from its servers have been leaked online. The EMA said: "The ongoing investigation of the cyberattack on EMA revealed that some of the unlawfully accessed documents related to Covid-19 medicines and vaccines belonging to third parties have been leaked on the internet...Necessary action is being taken by the law enforcement authorities."
The agency was keen to point out that European medicines regulation services remain fully functional, and the evaluation and approval timelines of Covid-19 vaccines have not been affected by the data breach, reports BleepingComputer. It is claimed the stolen data, which was unlawfully accessed in December 2020, includes screenshots of emails, EMA peer-reviewed comments, Word documents, PDFs and PowerPoint presentations.
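Several of the breaches in this report (Ubiquiti, VIP Games, DriveSure, BuyUCoin) leaked "hashed" passwords, and Ubiquiti's note about salting is the detail that decides how much that matters. The following is an added example, not code from Ubiquiti or any other company mentioned here, showing why: an unsalted, fast hash lets an attacker precompute a wordlist once and match every user at once, while a salted, slow hash (PBKDF2-HMAC-SHA256 via Python's standard library) gives each user a different digest and forces per-user work. The leaked "database" and wordlist are constructed for illustration, and the iteration count is an assumption chosen to keep the example quick.

```python
"""Salted, iterated password hashing versus a bare SHA-256 digest.

Added example, not from the original report. The leaked hash table and the
wordlist below are constructed. ITERATIONS is kept low so the example runs
quickly; production deployments use far higher counts (or scrypt/Argon2).
"""
import base64
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumption for illustration; raise substantially in production


def unsalted_sha256(password):
    """How a naive system might 'hash' a password: fast, no salt, same input -> same digest."""
    return hashlib.sha256(password.encode()).hexdigest()


def crack_unsalted(leaked, wordlist):
    """Attacker's view: hash the wordlist ONCE, then look every user up in it.

    Because there is no salt, all users who chose the same password share a
    digest, so one precomputed table breaks all of them simultaneously.
    """
    table = {unsalted_sha256(w): w for w in wordlist}
    return {user: table[h] for user, h in leaked.items() if h in table}


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Defender's view: random 16-byte salt plus an iterated KDF.

    Returns a self-describing string so the parameters travel with the hash.
    """
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (
        iterations,
        base64.b64encode(salt).decode(),
        base64.b64encode(dk).decode(),
    )


def verify_password(password, stored):
    """Recompute with the stored salt/iterations and compare in constant time."""
    algo, iters, salt_b64, dk_b64 = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format")
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(dk_b64)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, int(iters))
    return hmac.compare_digest(dk, expected)


# Constructed "leaked" table of unsalted hashes, as a breach dump might contain.
LEAKED_UNSALTED = {
    "alice": unsalted_sha256("password123"),
    "bob": unsalted_sha256("password123"),
    "carol": unsalted_sha256("Xk9!v2#Lq-rand0m"),
}
WORDLIST = ["123456", "password", "qwerty", "password123", "letmein"]


if __name__ == "__main__":
    print("cracked:", crack_unsalted(LEAKED_UNSALTED, WORDLIST))
    h1 = hash_password("password123")
    h2 = hash_password("password123")
    print("same password, different salted hashes:", h1 != h2)
    print("verify:", verify_password("password123", h1), verify_password("wrong", h1))
```

The practical reading of a breach notice that says "hashed passwords" is therefore: if the site used something like the first function, treat the password as known to the attacker; if it used a salted, iterated KDF, a strong unique password is probably still safe but should be rotated anyway, and any reuse elsewhere is the real exposure.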
Week of January 4, 2021: British Airways £3 billion settlement
British Airways has started settlement talks over its 2018 data breach, which exposed details of 185,000 of the airline's rewards members as well as about 380,000 users of its app and website.
Details from names to email addresses, and even credit card numbers along with their security codes, were exposed, and the settlement could reach up to £3 billion, according to Infosecurity magazine.
T-Mobile attacked again
T-Mobile has started alerting customers about a data breach that involved their phone numbers, the number of lines on their accounts and even call records. But the company emphasized that details including Social Security numbers, passwords and even physical addresses were not compromised.
The unauthorized access was stopped, said T-Mobile, which is now investigating and has also "reported this matter to federal law enforcement," it said in a statement.
The company reported a similar attack back in March 2020.
Aurora Cannabis employee data breached
Canadian cannabis company Aurora Cannabis has started reaching out to current and former employees about a breach on December 25, 2020. Involved were details the company held on file about its staff, including banking data and home addresses, reports MJBizDaily.
Employees report they first heard about it on December 31; the breach involved software including Microsoft SharePoint and OneDrive.