Here’s your weekly data breach news roundup:
Molson Coors Beverage, WeLeakInfo, K.L.S. Capital, Blender, Guns[.]com, Descartes Aljex Software, Colorado Retina Associates, Mimecast, Western Australia’s Parliament, Acer, Northern Ireland council, Atascadero State Hospital
Molson Coors Beverage
One of America’s largest beer makers, Molson Coors, had to halt production this week, the company said.
“Molson Coors experienced a systems outage that was caused by a cybersecurity incident,” the company said in a statement. That systems outage has led to a variety of issues for the company, including “brewery operations, production, and shipments,” according to an SEC filing.
In short: Hackers forced the maker of Coors to stop making beer.
It’s unclear how much of the company’s beer production has been halted by the breach, or how the incident will affect the company’s expected production.
WeLeakInfo
“In 2020, the FBI seized WeLeakInfo, a popular service that sold access to more than 12B usernames/passwords stolen from 1,000s of hacked sites. A lapsed domain registration let someone publish account data on 24k WLI customers who paid with a credit card.” https://t.co/XdxBqCgFAd — briankrebs (@briankrebs) March 15, 2021
Now, nearly 24,000 WeLeakInfo customers are finding that the personal and payment data they shared with the service over its five-year run has been leaked online.
In a post on the database leaking forum Raidforums, a regular contributor using the handle “pompompurin” said he stole the WeLeakInfo payment logs and other data after noticing the domain wli[.]design was no longer listed as registered.
“Long story short: FBI let one of weleakinfo’s domains expire that they used for the emails/payments,” pompompurin wrote. “I registered that domain, & was able to [password] reset the stripe.com account & get all the Data. [It’s] only from people that used stripe.com to checkout. If you used paypal or [bitcoin] ur all good.”
Cyber threat intelligence firm Flashpoint obtained a copy of the data leaked by pompompurin, and said it includes partial credit card data, email addresses, full names, IP addresses, browser user agent string data, physical addresses, phone numbers, and amount paid. One forum member commented that they found their own payment data in the logs.
K.L.S. Capital
Black Shadow, the hackers who leaked thousands of documents containing the personal information of customers with Israel’s Shirbit insurance company in December, have now hacked the servers of K.L.S. Capital Ltd. as well, the group said in a Telegram post on Saturday.
On Saturday morning, the hacker group announced, “We are here to inform you a (sic) cyber attack against K.L.S CAPITAL LTD which is in Israel.
“Their servers are destroyed, and their client data is in our hands,” they added, saying that they waited 72 hours for the company to give them the 10 bitcoins they demanded as ransom for the information, but the company failed to pay them.
“We want to leak some part of their data gradually,” they said. “Part of our negotiation will be published later.”
A few hours before making the announcement, the group released purposely blurred photographs of the identification cards of two people who work with the company. A few minutes after the announcement, they released a few more documents and have since released dozens of additional documents including identity cards, letters, invoices, images, scanned checks, database information and more, including the personal information of the CEO of the company.
Blender
Blender.org, the official website of the popular 3D computer graphics software Blender, is now in maintenance mode according to a message displayed on the site.
“The http://blender.org website is undergoing maintenance due to a hacking attempt,” the official Blender account on Twitter said earlier today, adding that “the website will be back as soon as possible.”
“Most of the infrastructure, including the Wiki, Developers portal, git repositories, http://blender.chat, and others are available as usual,” Blender added.
According to Blender, parts of the blender.org website and some of the blogs are still down and will remain offline for several hours.
While the site’s homepage is still working, as usual, other parts of the site only display a “This page is not available” error, encouraging visitors to check “a copy on the Internet Archive.”
Guns.com
Hackers have broken into the US-based online weapon and firearms marketplace ‘Guns.com,’ stolen its entire database, sold it privately to other hackers, and now leaked it publicly to everyone. The actor giving everything away claims that the breach happened in December 2020, and that those who first bought the data on private Telegram channels and dark web marketplaces were given some time to exploit it comfortably.
Now, thousands are accessing the database and source of the site, admin passwords, cloud log credentials in plain text form, and more. More specifically, the openly shared pack contains the following:
The platform has acknowledged the incident and placed the breach date on January 11, 2021, saying that the attack lasted for less than 10 minutes and they didn’t think that anything was compromised back then. They dismissed it as an attempt to cause service disruption – and this is why they didn’t think they should have informed anyone about it.
Descartes Aljex Software
According to researchers, 103 GB worth of data belonging to New Jersey-based Descartes Aljex Software was left exposed on a misconfigured AWS S3 bucket.
This affected more than 4,000 people including not only their own customers but also the company’s employees, sales reps, and people working for third-party carriers.
The data, which belonged to New Jersey-based Descartes Aljex Software, was exposed by a misconfigured AWS S3 bucket that left it unsecured and open to intrusion. This meant that even users with no authorization could potentially gain access to the bucket simply by entering the correct URL.
Colorado Retina Associates
A Colorado-based eye care practice reported this past week that a phishing incident had led to the potential exposure of more than 26,000 patients’ information.
According to a notice posted to its website, Colorado Retina Associates first discovered that an unauthorized individual had gained access to an employee’s work email on January 12.
After a forensic investigation, CRA determined that two user accounts that had patient information may have been synced, or copied, by the bad actors.
“Although CRA could not fully determine whether, and to what extent, the unauthorized individual(s) viewed any personal information, regrettably it is possible, because of the syncing, that some patients’ personal information may have been acquired and could therefore be viewed by the unauthorized individual(s),” wrote system representatives.
Mimecast
Email security company Mimecast has confirmed today that the state-sponsored SolarWinds hackers who breached its network earlier this year downloaded source code out of a limited number of repositories.
To breach Mimecast’s network, the attackers used the Sunburst backdoor, a malware distributed by the SolarWinds hackers to roughly 18,000 SolarWinds customers using the compromised auto-update mechanism of the SolarWinds Orion IT monitoring platform.
“Using this entry point, the threat actor accessed certain Mimecast-issued certificates and related customer server connection information,” Mimecast explained in an incident report published earlier today.
“The threat actor also accessed a subset of email addresses and other contact information, as well as encrypted and/or hashed and salted credentials.
“In addition, the threat actor accessed and downloaded a limited number of our source code repositories, but we found no evidence of any modifications to our source code nor do we believe there was any impact on our products.”
The company believes that the source code exfiltrated by the attackers is incomplete and insufficient to develop a working version of the Mimecast service.
“We do not believe that the threat actor made any modifications to our source code,” the company added. “Forensic analysis of all customer-deployed Mimecast software has confirmed that the build process of the Mimecast-distributed executables was not tampered with.”
Western Australia's Parliament
Western Australia’s parliamentary email network was hit by suspected Chinese hackers earlier this month as part of a massive global cyber-attack involving Microsoft software.
The ABC has confirmed the online strike, which was detected on March 4 in the middle of the state election campaign, prompted intervention from Australia’s cyber security watchdog in Canberra.
“Please be advised that the Parliament mail server has been hit with a cyber-attack,” WA politicians were warned at the time.
“Consequently, the mail server will be down until further notice,” a text message sent by the Department of Parliamentary Services advised.
An investigation by Western Australia’s Parliamentary Services Department has since concluded no sensitive data was stolen in the attack.
“As soon as we became aware of the attack, we immediately disconnected the email server,” WA’s Executive Manager of Parliamentary Services Rob Hunter told the ABC.
Acer
Computer giant Acer has been hit by a REvil ransomware attack where the threat actors are demanding the largest known ransom to date, $50,000,000.
Acer is a Taiwanese electronics and computer maker well-known for laptops, desktops, and monitors. Acer employs approximately 7,000 employees and earned $7.8 billion in 2019.
Yesterday, the ransomware gang announced on their data leak site that they had breached Acer and shared some images of allegedly stolen files as proof.
These leaked images are for documents that include financial spreadsheets, bank balances, and bank communications.
Northern Ireland council
Ards and North Down Borough Council has recently been the target of an unlawful ‘phishing attack’ from an external source, Chief Executive Stephen Reid revealed recently on the council website.
Phishing is a method of trying to gather personal information using deceptive e-mails and websites.
Some emails from a single account were illegally forwarded by an unknown external source, and may have exposed the personal data of the council’s customers/partners to a potential unauthorised use by an external party.
Chief Executive Stephen Reid said the council had notified the Information Commissioner’s Office about the incident and said “they remain entirely content with our approach”.
He said: “While the number of people potentially impacted is small, we do not underestimate the concern this will cause them. We have taken several important steps in response, having sought professional advice.”
He added: “We can confirm that the relevant account is no longer compromised, the unlawful attack having been identified and removed. We are working strenuously to ensure that we can minimise the impact of any attack in the future.
“The council has not been contacted in any way by the perpetrator(s), nor has it been asked for any financial payment at all. We are unaware of their motives in attacking the council’s systems.”
Atascadero State Hospital
A state employee improperly accessed more than 2,000 Atascadero State Hospital patient and employee records in a data breach identified in late February, the Department of State Hospitals said.
The breach occurred when the DSH employee accessed names, COVID-19 test results, and health information necessary for tracking coronavirus for 1,415 ASH patients and former patients and 617 employees, a DSH news release said. The employee had access to ASH data servers through their information technology job duties.
The employee had been improperly accessing the information for about 10 months before DSH found out about the data breach, an FAQ about the incident said.
“It appears that the employee used the access they were provided in order to perform their normal job duties to go directly into the server, copy files containing patient, former patient, and employee names, COVID-19 test results, and related health information without any apparent connection to their job duties, indicating a high probability of unauthorized access,” the FAQ said.