
Here’s your weekly data breach news roundup:

  • British Mensa
  • Washington State Department
  • Airtel
  • Florida Healthy Kids
  • Metromile
  • Tokyo Gas
  • Foxtons
  • Comcast
  • Oxfam Australia
  • DriveSure
  • Stormshield
  • SitePoint
  • Emsisoft

British Mensa


British Mensa, the society for people with high IQs, failed to properly secure the passwords on its website, prompting a hack on its website that has resulted in the theft of members’ personal data.

Eugene Hopkinson, a former director and technology officer at British Mensa, stood down this week, claiming that the organization had failed to secure the data of its 18,000 members properly, according to a report in the FT.

Hopkinson claimed that the stored passwords of Mensa members were not hashed, potentially allowing hackers to unscramble them.

That apparent security blunder became all the more serious this week when the society admitted it had been the victim of a cyberattack. The Mensa website is currently unavailable, merely displaying a message saying “site under maintenance”.

Washington State

The Washington state government has suffered a large data breach involving unemployment claims, potentially exposing data on more than 1.6 million people, officials admitted Monday.

The data appears to have been compromised through Accellion, a third-party vendor that was contracting with the state auditor’s office. In mid-December, the company suffered a cyberattack via a zero-day vulnerability in its legacy file transfer application.

The data exposed is quite sensitive, and includes names, bank account and routing information, social security numbers, place of employment, and driver’s license numbers.

This all happened, ironically, while the auditor’s office was looking to do a thorough investigation of the state’s ongoing problems with unemployment fraud—some of which has been linked to notorious cyber actors, like the Nigerian threat group Scattered Canary. SAO was using Accellion’s file transfer software as it sifted through unemployment claims filed in Washington over the past year, the auditor’s office said Monday:

Airtel


Millions of Airtel numbers may have been part of a recent leak that reportedly saw telephone numbers, alongside personal details such as address, city, Aadhaar card number, and gender, put up for sale on the web. India Today Tech has seen the details of the data dump and has verified that many numbers in it do belong to Airtel customers.

In total, the hackers allegedly put out details of over 2.5 million Airtel users. However, they claimed to hold details of all Airtel users in India and wanted to sell the data.

The information was revealed by Rajshekhar Rajaharia, an Internet security researcher. India Today Tech learns from him that the hackers even communicated with Airtel security teams and then tried to blackmail the company, attempting to extort $3,500 in Bitcoin from it.

However, the attempt appears to have failed, and in frustration the hackers put the data up for sale on the web, creating a website for it and showing a sample of the user details they held.

Florida Healthy Kids


Hundreds of thousands of Floridians who applied for coverage or were enrolled in a children’s health insurance program between 2013 and 2020 are being encouraged to take steps to protect themselves financially after a cyberattack.

Florida Healthy Kids Corp. said in a statement Thursday evening that it was notified Dec. 9 that addresses of several thousand Florida KidCare applicants were inappropriately accessed and tampered with.

A subsequent analysis indicated there had been “significant vulnerabilities” on the website — maintained by Jelly Bean Communications Design, LLC — since 2013. As a result, personal information of applicants and enrollees, including Social Security numbers, dates of birth, names, addresses and financial information, could have been illegally accessed.

Florida KidCare is an umbrella name that incorporates four programs that provide health coverage for children from birth to age 18: Medicaid, MediKids, Florida Healthy Kids and the Children’s Medical Services program.

Metromile

Car insurance startup Metromile said it has fixed a security flaw on its website that allowed a hacker to obtain driver license numbers.

The San Francisco-based insurance startup disclosed the security breach in its latest 8-K filing with the U.S. Securities and Exchange Commission.

Metromile said a bug in the quote form and application process on the company’s website allowed the hacker to “obtain personal information of certain individuals, including individuals’ driver’s license numbers.” It’s not clear exactly how the form allowed the hacker to obtain driver license numbers or how many individuals had their driver license numbers obtained.

The disclosure added: “Metromile immediately took steps to contain and remediate the issue, including by releasing software fixes, notified its insurance carrier, and has continued its ongoing operations. Metromile is working diligently with security experts and legal counsel to ascertain how the incident occurred, identify additional containment and remediation measures, and notify affected individuals, law enforcement, and regulatory bodies, as appropriate.”

Tokyo Gas


Tokyo Gas Co., Ltd, issued a statement on 30 January 2020 in which it addressed, and apologised for, a data breach potentially affecting the personal information of up to 10,365 customers. In particular, Tokyo Gas confirmed that the data leakage was due to unauthorised access to its website by a third party, resulting in the leaking of customer email addresses and nicknames. Consequently, Tokyo Gas noted that it had begun implementing countermeasures to prevent unauthorised access, including temporarily blocking its app and website, and had reported the incident to the Metropolitan Police Department.

Foxtons


Financial details belonging to customers of UK estate agency Foxtons are widely available on the dark web following a malware attack in October last year that affected parent company Foxtons Group.

Despite admitting that the incident affected its subsidiary Alexander Hall, which specialises in mortgage broking, Foxtons assured its customers at the time that no “sensitive data” had been stolen.

However, it has now been revealed that anyone with access to the dark web can view 16,000 card details, addresses and private correspondence – such as details of paid fees – belonging to Foxtons Group customers prior to 2010.

The personal information has been available since at least 12 October 2020, inews reports, two days after the malware attack took place. Since then, the files have been viewed over 15,000 times.

The company is accused of having knowledge of the availability of the data since last month and of failing to inform its customers, particularly those affected by the breach.

Comcast

Comcast, the American telecommunications giant, exposed 1.5 billion records totalling about 478 GB online after a development database was misconfigured to be accessible without a password. The database was discovered by security researcher Jeremiah Fowler, who responsibly reported the finding to Comcast and received an immediate response.

Although the action to restrict access to the data was completed in about an hour, it is possible that malicious actors were able to access and download sensitive details before the data was secured.

The database contained internal development and testing data, so sensitive internal network details (systems, configuration settings, IP addresses, logs, ports, pathways, storage information and other material that could be used for deeper network infiltration) were irreversibly exposed. Additionally, the researcher saw the email addresses and hashed passwords of Comcast’s development team, job scheduling records, cluster names, device names, internal rules, node names, and a blueprint of the network’s entire structure.

Oxfam Australia

Oxfam Australia is investigating a suspected data breach after a threat actor claimed to be selling a database belonging to the charity on a hacker forum.

Oxfam Australia is a charity focused on alleviating poverty among Indigenous Australians and people in Africa, Asia, and the Middle East. The charity is part of a confederation of twenty charities worldwide operating under the Oxfam umbrella.

Last week, BleepingComputer learned of a threat actor claiming to be selling a database containing the Oxfam Australia contact and donor information for 1.7 million people.

The database samples seen by BleepingComputer included names, email addresses, addresses, phone numbers, and donation amounts.

BleepingComputer has confirmed that one of the records contains legitimate data for a donor from sample data shared by the threat actor.

When BleepingComputer learned about this sale, we contacted Oxfam Australia, who immediately stated that they were investigating the situation.

DriveSure

On January 4th, 2021  uncovered a threat actor posting multiple databases claiming to originate from drivesure.com and krexinc.com. The databases were shared on a popular English-speaking dark web hacking forum, and according to the threat actor, the data was dumped on December 19th, 2020.

In a lengthy post intended to prove the databases’ high quality, the threat actor detailed the leaked files and the user information. Typically, hackers only share valuable segments or trimmed-down versions of user databases, but in this case numerous backend files and folders were leaked. One of our researchers concluded that the data appears to be valid after examining the compromised data.

One leaked folder totalled 22 GB and included the company’s MySQL databases, exposing 91 sensitive databases. The databases cover detailed dealership and inventory information, revenue data, reports, claims, and client data.

Separately, the second compromised folder contained 11,474 files in 105 folders and amounted to 5.93 GB. Self-identified as “parser files”, they appear to be logs and backups of the databases and contain the same information found in the previously mentioned SQL databases, adding to the trove of data.

Stormshield


French cyber-security firm Stormshield, a major provider of security services and network security devices to the French government, said today that a threat actor gained access to one of its customer support portals and stole information on some of its clients.

The company is also reporting that attackers managed to steal parts of the source code for the Stormshield Network Security (SNS) firewall, a product certified to be used in sensitive French government networks, as part of the intrusion.

The company said it’s investigating the incident with French cyber-security agency ANSSI (Agence Nationale de la Sécurité des Systèmes d’Information), which is currently assessing the breach’s impact on government systems.

“As of today, the in-depth analysis carried out with the support of the relevant authorities has not identified any evidence of illegitimate modification in the code, nor have any of the Stormshield products in operation been compromised,” Stormshield said in a message posted earlier today on its website.

SitePoint


SitePoint, a website that provides access to a wealth of web development tutorials and books, has disclosed a security breach this week in emails sent to some of its users.

The company has formally admitted to a breach after a hacker put up for sale a collection of one million SitePoint user details on a cybercrime forum in December 2020.

In a data breach notification this week, SitePoint confirmed an intrusion into its systems sometime last year.

“At this point, we believe the accessed information mainly relates to your name, email address, hashed password, username, and IP address,” the company said.

SitePoint has now initiated a password reset on all accounts and is asking users to choose new ones that are at least ten characters long.

The tutorials and books publisher believes that the stolen passwords are currently safe, as they were hashed with the bcrypt algorithm and salted, which should make recovering the plaintext passwords from the hashes a lengthy process for the time being.
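The contrast between the two password stories in this roundup (the unhashed storage alleged at British Mensa, and SitePoint’s salted bcrypt hashes with a ten-character minimum) is worth seeing in code. The following is an added example, not code from the newsletter or from either organisation; it uses the standard-library hashlib.pbkdf2_hmac as a stand-in for bcrypt, which is a third-party package, and the record format and iteration count are this example’s own choices.

```python
"""Two ways to store passwords, side by side: the unhashed storage the Mensa
report describes, and salted slow hashing as in SitePoint's bcrypt scheme.
hashlib.pbkdf2_hmac (stdlib) stands in here for bcrypt, a third-party package."""
import base64
import hashlib
import hmac
import os
from typing import Optional

MIN_PASSWORD_LENGTH = 10     # the minimum SitePoint asked users to choose
ITERATIONS = 600_000         # work factor; bcrypt's "cost" plays this role
ALG = "pbkdf2_sha256"        # example's own record label, not a bcrypt format


def store_unhashed(password: str) -> str:
    """What 'not hashed' means: the stored record *is* the credential, so a
    database dump hands over every password with no cracking at all."""
    return password


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted slow hash in a self-describing 'alg$iters$salt$digest' record.
    A fresh random salt per user means two users with the same password get
    different records, so a dump cannot be cracked once for everyone."""
    if len(password) < MIN_PASSWORD_LENGTH:
        raise ValueError(f"password shorter than {MIN_PASSWORD_LENGTH} characters")
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    b64 = lambda b: base64.b64encode(b).decode("ascii")
    return f"{ALG}${ITERATIONS}${b64(salt)}${b64(digest)}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and work factor; constant-time compare."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != ALG:
        return False                      # unhashed or unknown record: reject
    _, iters, salt_b64, digest_b64 = parts
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iters))
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    rec = hash_password("correct horse battery")    # constructed sample password
    print(rec)
    print("login ok:", verify_password("correct horse battery", rec))
    print("dump of unhashed store reveals:", store_unhashed("correct horse battery"))
```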

Emsisoft

  • Emsisoft has had a minor yet important security incident involving data access and exfiltration.
  • The company had left a misconfigured database accessible to anyone online, containing information on how to break in.
  • The actors were detected and thwarted quickly, and the number of compromised clients is very small.

It looks like the work of security firm Emsisoft has annoyed hackers enough to launch an attack against the company. Unfortunately, the attack was successful and resulted in sensitive data exfiltration and limited customer exposure.

According to the announcement that came out today, the attack took place yesterday at around 15:20 UTC and manifested on one of the firm’s test systems used to evaluate and benchmark log data storage and management solutions. The system was taken offline immediately, and an investigation was launched.

The investigation found that the system contained no client data except for 14 customer email addresses corresponding to seven different organizations. While the exposure is admittedly minor, Emsisoft didn’t try to bury the incident. The fact that hackers managed to break in is by itself a significant occurrence, and Emsisoft has already established how the intruders did it: as the company explains, a configuration error on one of its databases made it accessible to unauthorized users between January 18, 2021, and February 3, 2021.