
Here’s your weekly data breach news roundup:

Upstox, ParkMobile, Certis, LogicGate, Manhunt, Mercato, Celsius Network, Moneycontrol, Bizongo, Houston Rockets, Codecov, and Domino’s India.

Upstox


Upstox, one of the largest discount broking firms, recently suffered a security breach of its systems, resulting in the exposure of its customers’ sensitive information.

Though Upstox did not specify how many of its users were affected, media reports suggest the data of at least 25 lakh customers was breached.

The leaked information includes names, email addresses, dates of birth, bank account information, and about 56 million know your customer (KYC) documents pulled from the company’s server.

Following the incident, Upstox issued a clarification, stating: “We have upgraded our security systems manifold recently, on the recommendations of a global cyber-security firm. We brought in the expertise of this globally renowned firm after we received emails claiming unauthorised access into our database. These claims suggested that some contact data and KYC details may have been compromised from third-party data-warehouse systems.”

ParkMobile


Someone is selling account information for 21 million customers of ParkMobile, a mobile parking app that’s popular in North America. The stolen data includes customer email addresses, dates of birth, phone numbers, license plate numbers, hashed passwords and mailing addresses.

KrebsOnSecurity first heard about the breach from Gemini Advisory, a New York City-based threat intelligence firm that keeps a close eye on the cybercrime forums. Gemini shared a new sales thread on a Russian-language crime forum that included my ParkMobile account information in the accompanying screenshot of the stolen data.

Included in the data were my email address and phone number, as well as license plate numbers for four different vehicles we have used over the past decade.

Asked about the sales thread, Atlanta-based ParkMobile said the company published a notification on Mar. 26 about “a cybersecurity incident linked to a vulnerability in a third-party software that we use.”

“In response, we immediately launched an investigation with the assistance of a leading cybersecurity firm to address the incident,” the notice reads. “Out of an abundance of caution, we have also notified the appropriate law enforcement authorities. The investigation is ongoing, and we are limited in the details we can provide at this time.”

Certis


About 62,000 e-mails from the public, businesses and customers of local security firm Certis, some containing NRIC and credit card numbers, may have been accessed by cyber criminals, the company said on Friday (April 9).

This includes customers of Certis’ safe deposit box service. The e-mails all came from a customer service account belonging to the company, customerservice@certisgroup.com.

The Personal Data Protection Commission (PDPC) said it is investigating the matter.

Certis said on Friday it has begun scanning all the e-mails to check for personal data that could have been exposed to crooks – of the ones done so far, some contain information such as NRIC and credit card numbers.

The company said it was alerted to the incident after several people received phishing e-mails from an e-mail account that appeared to belong to Certis. The e-mails were sent between March 16 and 17.

While the e-mails could have been accessed by hackers, Certis’ customer database, stored elsewhere, was not affected.

“Our IT team immediately conducted an investigation, and we were able to conclude that this is an isolated incident,” said Certis in a statement.

LogicGate

Risk and compliance startup LogicGate has confirmed a data breach. But unless you’re a customer, you probably didn’t hear about it.

An email sent by LogicGate to customers earlier this month said that on February 23 an unauthorized third party obtained credentials to its Amazon Web Services-hosted cloud storage servers, which store customer backup files for its flagship platform, Risk Cloud. Risk Cloud helps companies identify and manage their risk and compliance with data protection and security standards; LogicGate says it can also help find security vulnerabilities before they are exploited by malicious hackers.

The credentials “appear to have been used by an unauthorized third party to decrypt particular files stored in AWS S3 buckets in the LogicGate Risk Cloud backup environment,” the email read.

“Only data uploaded to your Risk Cloud environment on or prior to February 23, 2021, would have been included in that backup file. Further, to the extent you have stored attachments in the Risk Cloud, we did not identify decrypt events associated with such attachments,” it added.

Manhunt


Manhunt, a gay dating app that claims to have 6 million male members, has confirmed it was hit by a data breach in February after a hacker gained access to the company’s accounts database.

In a notice filed with the Washington attorney general’s office, Manhunt said the hacker “gained access to a database that stored account credentials for Manhunt users,” and “downloaded the usernames, email addresses and passwords for a subset of our users in early February 2021.”

The notice did not say how the passwords were scrambled, if at all, to prevent them from being read by humans. Passwords scrambled using weak algorithms can sometimes be decoded into plain text, allowing malicious hackers to break into users’ accounts.

Following the breach, Manhunt force-reset account passwords and began alerting users in mid-March. Manhunt did not say what percentage of its users had their data stolen or how the data breach happened, but said that more than 7,700 Washington state residents were affected.

Mercato

A security lapse at online grocery delivery startup Mercato exposed tens of thousands of customer orders, TechCrunch has learned.

A person with knowledge of the incident told TechCrunch that the incident happened in January after one of the company’s cloud storage buckets, hosted on Amazon’s cloud, was left open and unprotected.

The company fixed the data spill, but has not yet alerted its customers.

Mercato was founded in 2015 and helps over a thousand smaller grocers and specialty food stores get online for pickup or delivery, without having to sign up for delivery services like Instacart or Amazon Fresh. Mercato operates in Boston, Chicago, Los Angeles and New York, where the company is headquartered.

Celsius Network


Cryptocurrency rewards platform Celsius Network has disclosed a security breach exposing customer information that led to a phishing attack.

Today, Celsius CEO Alex Mashinsky stated that Celsius’ third-party marketing server was compromised, and threat actors gained access to a partial Celsius customer list.

“An unauthorized party managed to gain access to a back-up third-party email distribution system which had connections to a partial customer email list. Once inside the system, this unauthorized party sent a fraudulent email announcement, of which we know some of the recipients to be Celsius customers.”

“The intent was to make the recipients believe the fraudulent email came from Celsius, that the fraudulent site was a true Celsius site, and to take ownership of recipients’ cryptocurrency assets from their personal (non-Celsius) wallet by prompting the user to provide the seed phrase to their personal wallet address,” disclosed a Celsius advisory.

Moneycontrol

Network18-owned financial portal Moneycontrol, which has reported extensively on data breaches affecting companies such as Upstox and Mobikwik, seems to have suffered the same fate: personal data of over 7 lakh users has allegedly been leaked on the dark web, where it is available for sale for $350.

Worryingly, passwords stored in plain text have also been leaked, which prompted the company to reset the passwords of some users.

According to independent cybersecurity researcher Sourajeet Majumder, the leaked data includes users’ usernames, plain-text passwords, phone numbers, email addresses and their city and state of residence. Since the passwords are in plain text, anyone with access to the sample of 40 accounts released by the hackers can verify that the leaked details are genuine, Majumder told us, adding that he has himself verified many of the leaked accounts.

Bizongo

Bizongo, an online packaging marketplace, has suffered a data leak in which the company left highly sensitive customer information unsecured and potentially exposed to hackers and other malicious individuals. The cause of the incident was a misconfigured AWS S3 bucket.

The leak was discovered by researchers at Website Planet in late December 2020, but the details have only now been shared. According to the researchers, they immediately contacted Bizongo regarding the incident but received no response.

However, on 8 January 2021, the team checked the bucket again and found that it had been secured. During the period it was open, approximately 2,532,610 files were exposed, equating to 643GB of data.

It is worth noting that Bizongo exposed its AWS S3 bucket to the public, allowing anyone to access the trove of data without any password or even the simplest form of authentication.
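Both the Mercato and Bizongo incidents above come down to an S3 bucket reachable without credentials. The following is an added example, not code from the article or from either company: an offline audit that evaluates the three S3 settings deciding public reachability (bucket ACL, bucket policy, and the Public Access Block) over constructed inputs shaped like the JSON returned by `aws s3api get-bucket-acl`, `get-bucket-policy` and `get-public-access-block`. The bucket name, owner ID and sample policy are invented for illustration.

```python
"""Offline audit of S3 bucket exposure settings (added example, not vendor code)."""
import json

# Grantee URIs that mean "anyone" and "anyone with any AWS account" respectively.
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def public_acl_grants(acl):
    """Return the permissions an ACL grants to public groups."""
    found = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEE_URIS:
            found.append(grant["Permission"])
    return found


def _principal_is_wildcard(principal):
    """True for Principal "*" or {"AWS": "*"} (single value or list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def public_policy_statements(policy):
    """Return Sids of Allow statements open to any principal with no Condition.

    A Condition (e.g. aws:SourceVpce) narrows the grant; this simple checker
    treats conditioned statements as needing human review rather than public."""
    if not policy:
        return []
    return [
        s.get("Sid", "<no Sid>")
        for s in policy.get("Statement", [])
        if s.get("Effect") == "Allow"
        and _principal_is_wildcard(s.get("Principal"))
        and not s.get("Condition")
    ]


def public_access_fully_blocked(pab):
    """True when all four Public Access Block flags are on."""
    keys = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")
    return bool(pab) and all(pab.get(k) is True for k in keys)


def assess_bucket(name, acl, policy, pab):
    """Return a list of findings; an empty list means nothing public was found."""
    if public_access_fully_blocked(pab):
        return []  # S3 ignores public ACLs and restricts public policies in this state
    findings = [f"{name}: ACL grants {perm} to a public group" for perm in public_acl_grants(acl)]
    findings += [f"{name}: policy statement {sid} allows any principal"
                 for sid in public_policy_statements(policy)]
    return findings


# --- constructed sample inputs (not data from any real bucket) ---
OWNER_GRANT = {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner"}, "Permission": "FULL_CONTROL"}
OPEN_ACL = {"Owner": {"ID": "example-owner"}, "Grants": [
    OWNER_GRANT,
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]}
PRIVATE_ACL = {"Owner": {"ID": "example-owner"}, "Grants": [OWNER_GRANT]}
OPEN_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                 "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]
}""")
NO_PAB = {}
FULL_PAB = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
            "BlockPublicPolicy": True, "RestrictPublicBuckets": True}

if __name__ == "__main__":
    for line in assess_bucket("example-bucket", OPEN_ACL, OPEN_POLICY, NO_PAB):
        print(line)
    print("with full Public Access Block:", assess_bucket("example-bucket", OPEN_ACL, OPEN_POLICY, FULL_PAB))
```

The weak configuration (a public-read ACL grant plus a `Principal: "*"` policy and no Public Access Block) produces two findings; the same ACL and policy with all four block flags set produces none, which is why enabling the Public Access Block at account level is the usual first fix.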

Houston Rockets


The ransomware group known as “Babuk” has added Houston Rockets to its victim list, warning about the imminent leak of 500GB of stolen data if their payment demands aren’t met. The threat actors present screenshots of the exfiltrated files as proof of possession, showing what appears to be contracts, non-disclosure agreements, customer information, employee information, financial data, and others. With the help of KELA, we were able to source the following screenshot from Babuk’s leak portal.

Codecov

Codecov, a software company that provides code testing and code statistics solutions, disclosed on Thursday a major security breach after a threat actor managed to compromise its platform and add a credentials harvester to one of its tools.

The impacted product is named Bash Uploader and allows Codecov customers to submit code coverage reports to the company’s platform for analysis.

Codecov said the breach occurred “because of an error in Codecov’s Docker image creation process that allowed the actor to extract the credential required to modify our Bash Uploader script.”
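A CI job that fetches a helper script and pipes it straight into a shell has no way to notice that the script changed between the version a team reviewed and the one it runs. The following is an added example, not Codecov’s own code or procedure: it pins the SHA-256 of a reviewed script and refuses to execute anything that does not match. The script bytes, the tampered copy and the pinned digest are all constructed here so the example runs offline; in a real pipeline the pinned digest would be a constant obtained from a trusted channel, not computed from the download itself.

```python
"""Gate execution of a downloaded CI helper script on a pinned SHA-256 (added example)."""
import hashlib
import hmac
import os
import subprocess
import tempfile


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of the given bytes."""
    return hashlib.sha256(data).hexdigest()


def verify_script(script_bytes: bytes, pinned_sha256: str) -> bool:
    """True only if the script is byte-for-byte the reviewed version.

    compare_digest avoids leaking where the two hex strings diverge."""
    return hmac.compare_digest(sha256_hex(script_bytes), pinned_sha256.lower())


def run_if_verified(script_bytes: bytes, pinned_sha256: str) -> str:
    """Execute the script with sh only after the checksum matches; return its stdout."""
    if not verify_script(script_bytes, pinned_sha256):
        raise RuntimeError("checksum mismatch: refusing to execute downloaded script")
    with tempfile.NamedTemporaryFile("wb", suffix=".sh", delete=False) as tmp:
        tmp.write(script_bytes)
        path = tmp.name
    try:
        result = subprocess.run(["sh", path], capture_output=True, text=True, check=True)
        return result.stdout
    finally:
        os.unlink(path)


# --- constructed samples (not the real uploader) ---
REVIEWED_SCRIPT = b"#!/bin/sh\necho uploading coverage report\n"
# In practice PINNED_SHA256 is a constant recorded when the script was reviewed;
# it is derived here only so the example is self-contained.
PINNED_SHA256 = sha256_hex(REVIEWED_SCRIPT)
# A copy with one appended line, standing in for an unauthorised modification.
TAMPERED_SCRIPT = REVIEWED_SCRIPT + b"echo extra line that was not reviewed\n"

if __name__ == "__main__":
    print(run_if_verified(REVIEWED_SCRIPT, PINNED_SHA256).strip())
    try:
        run_if_verified(TAMPERED_SCRIPT, PINNED_SHA256)
    except RuntimeError as exc:
        print("blocked:", exc)
```

Pinning a digest means a legitimate upstream update also fails the check until someone reviews the new version and updates the constant; that friction is the point, since a silent change is exactly what the check exists to catch.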

Domino’s India

Domino’s India data that included sensitive customer information such as names, phone numbers, and credit card details has allegedly been breached and put on sale on the dark web. According to the person selling the data, it includes details of about 18 crore orders received by the pizza chain. Allegedly, Domino’s India data was taken earlier in April and included not only customer information but also internal files with details about the company’s 250 employees, amounting to 13TB. However, this information has not been confirmed yet.

Alon Gal, CTO of cybersecurity firm Hudson Rock, tweeted about the Domino’s India breach on Sunday. The executive said that the hacker was selling the data for around 10 BTC (roughly Rs. 4.25 crores or $569,000 at current market rates).

The information that was allegedly hacked is claimed to include the details of 10 lakh credit cards. It is also said to include order details of 18 crore orders, covering customer names, phone numbers, email IDs, addresses, and payment details. The breach is claimed to also include Domino’s India’s internal files generated between 2015 and 2021, according to the screenshots shared by the cybersecurity executive.