Facebook
w03-2023

Here’s your weekly #databreach news roundup:​​​​​

Riot Games, T-Mobile, PayPal, MailChimp, and Ontario’s Liquor Control Board.

Riot Games

Riot Games

Riot Games, the video game developer and publisher behind League of Legends and Valorant, says it will delay game patches after its development environment was compromised last week.

The LA-based game publisher disclosed the incident in a Twitter thread on Friday night and promised to keep customers up-to-date with whatever an ongoing investigation discovers.

“Earlier this week, systems in our development environment were compromised via a social engineering attack,” the company said.

“We don’t have all the answers right now, but we wanted to communicate early and let you know there is no indication that player data or personal information was obtained.”

Riot Games also added that the breach directly impacted its ability to publish patches for its games.

T-Mobile

T-Mobile disclosed a new data breach after a threat actor stole the personal information of 37 million current postpaid and prepaid customer accounts through one of its Application Programming Interfaces (APIs).

An API is a software interface or mechanism commonly used by applications or computers to communicate with each other.

Many online web services use APIs so that their online apps or external partners can retrieve internal data as long as they pass the right authentication tokens.

While T-Mobile did not share how their API was exploited, threat actors commonly find flaws that allow them to retrieve data without authenticating first.

PayPal

PayPal is sending out data breach notifications to thousands of users who had their accounts accessed through credential stuffing attacks that exposed some personal data.

Credential stuffing are attacks where hackers attempt to access an account by trying out username and password pairs sourced from data leaks on various websites.

This type of attack relies on an automated approach with bots running lists of credentials to “stuff” into login portals for various services.

Credential stuffing targets users that employ the same password for multiple online accounts, which is known as “password recycling.”

MailChimp

Email marketing firm MailChimp suffered another breach after hackers accessed an internal customer support and account administration tool, allowing the threat actors to access the data of 133 customers.

MailChimp says the attackers gained access to employee credentials after conducting a social engineering attack on Mailchimp employees and contractors.

The attack was first detected on January 11th, after MailChimp detected the unauthorized person accessing their support tools.

“After we identified evidence of an unauthorized actor, we temporarily suspended account access for Mailchimp accounts where we detected suspicious activity to protect our users’ data,” reads a statement about the security incident.

“We notified the primary contacts for all affected accounts on January 12, less than 24 hours after initial discovery.”

Ontario’s Liquor Control Board

Ontario Liquor Control Board

Cyber attackers compromised the website of Ontario’s Liquor Control Board and stole personal information of customers who bought products online, the retailer has acknowledged.

“At this time, we can confirm that an unauthorized party embedded malicious code into our website that was designed to obtain customer information during the checkout process,” the Crown corporation said in a news release Thursday.

“Unfortunately, customers who provided personal information on our check-out pages and proceeded to our payment page on LCBO.com between January 5, 2023, and January 10, 2023, may have had their information compromised. This could include names, email and mailing addresses, Aeroplan numbers, LCBO.com account password, and credit card information. This incident did not affect any orders placed through our mobile app or vintagesshoponline.com.”