w18-2021

Here’s your weekly data breach news roundup:

Reverb, MangaDex, BigBasket, Pizza Hut Indonesia, Washington DC police department, DigitalOcean, Paleohacks, Twilio, Raychat, WedMeGood, Vastaamo, Peloton, and U.S. Agency for Global Media (USAGM)

Reverb


Researcher Bob Diachenko published a staggering finding on Twitter involving an unprotected ElasticSearch cluster that held 5.6 million data records. The entries are generic but match some elements found on Reverb shops, so the data appears to have been derived from the popular music instruments online marketplace. As for what data was leaked, it includes the full names, email addresses, postal addresses, phone numbers, listing/order count, PayPal account email, IP address, and more.

MangaDex


A website that hosts free manga comics has been taken offline after malicious hackers allegedly gained access to a database that housed user data.

The MangaDex site was taken down for maintenance last week (March 20) after an unknown actor gained access to an administrator account.

The site’s maintainers said the attacker was able to access the account through “the reuse of a session token found in an old database leak through faulty configuration of session management”.

After taking control of the account, they claim to have accessed user data.

Although MangaDex said its investigations had “yet to confirm” that a data breach occurred, it said it was working on the assumption that it did take place.
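The MangaDex account takeover hinged on a session token that was still accepted long after it had been dumped from an old database. The following is an added example, not MangaDex's code: a minimal server-side session store that keeps only a digest of each token (so a leaked table contains nothing replayable), expires every session, and bumps a per-user session epoch on credential rotation so older sessions stop validating. The TTL and the user names are assumptions.

```python
import hashlib
import secrets

# Constructed example (not MangaDex's code): a server-side session store that
# makes a token lifted from an old database dump worthless. The store keeps
# only a digest of each token, every session expires, and a per-user session
# epoch is bumped on credential rotation so older sessions stop validating.

SESSION_TTL = 12 * 3600  # seconds; an assumed policy for the example

def _digest(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()

class SessionStore:
    def __init__(self):
        self._sessions = {}   # token digest -> (user, epoch, expires_at)
        self._epoch = {}      # user -> current session epoch

    def issue(self, user: str, now: float) -> str:
        token = secrets.token_urlsafe(32)
        epoch = self._epoch.setdefault(user, 0)
        self._sessions[_digest(token)] = (user, epoch, now + SESSION_TTL)
        return token  # the raw token goes to the client only, never to disk

    def validate(self, token: str, now: float):
        key = _digest(token)
        rec = self._sessions.get(key)
        if rec is None:
            return None
        user, epoch, expires_at = rec
        if now > expires_at or epoch != self._epoch.get(user):
            del self._sessions[key]  # stale or revoked: drop it
            return None
        return user

    def revoke_all(self, user: str) -> None:
        # Call on password reset, privilege change, or a suspected leak.
        self._epoch[user] = self._epoch.get(user, 0) + 1

def demo():
    store, t0 = SessionStore(), 1_700_000_000.0
    token = store.issue("admin", t0)
    ok_before = store.validate(token, t0 + 60) == "admin"
    dumped = list(store._sessions)  # what a database leak would contain
    replay = any(store.validate(d, t0 + 60) for d in dumped)
    store.revoke_all("admin")
    ok_after = store.validate(token, t0 + 120)
    expired = store.validate(store.issue("bob", t0), t0 + SESSION_TTL + 1)
    return ok_before, replay, ok_after, expired
```

`demo()` shows the three properties in order: a live token validates, the dumped digests do not, and the original token stops validating once the user's sessions are revoked or its TTL passes.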

BigBasket


A threat actor has leaked approximately 20 million BigBasket user records containing personal information and hashed passwords on a popular hacking forum.

BigBasket is a popular Indian online grocery delivery service that allows people to shop online for food and deliver it to their homes.

This morning, a well-known seller of data breaches known as ShinyHunters posted a database for free on a hacker forum that he claims was stolen from BigBasket.

In November 2020, BigBasket confirmed to Bloomberg News that they had suffered a data breach after ShinyHunter had previously tried to sell the stolen data in private sales.

“There’s been a data breach and we’ve filed a case with the cybercrime police,” BigBasket CEO Hari Menon told Bloomberg News. “The investigators have asked us not to reveal any details as it might hamper the probe.”

As is typical for older breaches privately sold by ShinyHunters, the threat actor has now released the whole database for free, which reportedly contains more than 20 million user records.

The database includes BigBasket customer information, including email addresses, SHA1 hashed passwords, addresses, phone numbers, and other assorted information.

Pizza Hut Indonesia


TurgenSec became aware of a publicly accessible datastore which belonged to a franchisee of Pizza Hut Indonesia, or to Pizza Hut Indonesia itself. The breach contained 3,978,432 unique email addresses and multiple data headings that Pizza Hut Indonesia disputes contain real data. The data breach was estimated to be almost 65GB in size.

The information was left public-facing, where anyone with a browser and an internet connection could access it if they knew where to look.

Pizza Hut Indonesia claims that most of the data fields do not contain detailed customer information (especially for matters concerning customers’ financial/bank data and historical transactions, and that the phone numbers and addresses are incomplete or inaccurate).

The headings below are a selection of the data headings contained within this breach.

  • store code
  • loyalty point
  • name
  • email
  • password
  • First name
  • last name
  • phone
  • alt phone
  • gender
  • birthday
  • street address
  • first order date
  • customer id
  • bank_code
  • bank_branch_code
  • Bank_account_number

Washington DC police department


A Russian-speaking ransomware group claims to have hacked the server of Washington’s Metropolitan Police Department, and is threatening to share the stolen data with other criminal groups.

DigitalOcean


Cloud hosting provider DigitalOcean has disclosed a data breach after a flaw exposed customers’ billing information.

An email sent out to affected customers by DigitalOcean states that a “flaw” allowed an unauthorized user to access customers’ billing details between April 9th, 2021, and April 22nd, 2021.

“An unauthorized user gained access to some of your billing account details through a flaw that has been fixed. This exposure impacted a small percentage of our customers,” reads the email sent to customers.

The email states that the exposed information includes a customer’s billing name, billing address, payment card expiration, last four digits of credit card, and the payment card’s bank name.

Paleohacks


A popular online resource for paleo recipes and tips was the source of a data leak impacting roughly 70,000 users.

The team, led by Noam Rotem, said that there was a failure to implement “basic data security protocols” on the S3 bucket, and such misconfiguration means that there were no access limits to the public.

The bucket contained roughly 6,000 files containing the records of approximately 69,000 users. According to the researchers, the content spanned from 2015 to 2020 and included personally identifiable information (PII) including full names, email addresses, IP addresses, login timestamps, locations, dates of birth, bios, and profile pictures.

Raychat


The hacker behind the data leak claims they downloaded the Raychat app data when the company exposed its entire database online between December 2020 and January 2021.

Raychat app (Raychat.io), a popular Iranian social and business messaging platform, has apparently suffered a data breach in which personal data and records of over 150 million users have been leaked online.

The data leak, which has been seen and analyzed by Hackread.com, includes:

  • Full names
  • IP addresses
  • Email addresses (the exact number of leaked email addresses is still unclear)
  • Bcrypt passwords
  • Telegram messenger IDs, etc.

Twilio


Cloud communications company Twilio has now disclosed that it was impacted by the recent Codecov supply-chain attack in a small capacity.

As reported by BleepingComputer last month, popular code coverage tool Codecov had been a victim of a supply-chain attack that lasted for two months.

During this two-month period, threat actors had modified the legitimate Codecov Bash Uploader tool to exfiltrate environment variables (containing sensitive information such as keys, tokens, and credentials) from Codecov customers’ CI/CD environments.

Using the credentials harvested from the tampered Bash Uploader, Codecov attackers reportedly breached hundreds of customer networks.
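The Codecov incident worked because CI jobs fetched and executed a script straight from the vendor, with every secret in the job's environment visible to it. The following is an added example, not Codecov's tooling, showing the two controls a defender would want: the downloaded script is compared with a SHA-256 pinned in the repository before it runs, and it runs with an allow-listed environment so even a tampered copy cannot read every secret the job holds. The stand-in script, the variable names and the pinned value (computed here from the stand-in) are all constructed for the example; in practice the pin comes from the vendor's published checksum and is committed alongside the CI config.

```python
import hashlib
import hmac
import json
import os
import subprocess
import sys
import tempfile

# Constructed example (not Codecov's tooling): before executing a downloaded
# uploader, compare it to a SHA-256 pinned in the repository, then run it with
# an allow-listed environment so even a tampered copy cannot read every secret
# the CI job holds. The pinned value here is computed from the stand-in script.

def verify_pinned(script: bytes, pinned_sha256: str) -> bool:
    actual = hashlib.sha256(script).hexdigest()
    return hmac.compare_digest(actual, pinned_sha256.lower())

def run_with_allowlist(argv, allowed_vars):
    # Only the named variables cross into the child; nothing else is visible.
    env = {k: os.environ[k] for k in allowed_vars if k in os.environ}
    env["PATH"] = os.environ.get("PATH", "/usr/bin:/bin")
    return subprocess.run(argv, env=env, capture_output=True, text=True, check=True)

def guarded_run(script: bytes, pinned_sha256: str, allowed_vars):
    if not verify_pinned(script, pinned_sha256):
        raise RuntimeError("uploader hash mismatch; refusing to execute")
    with tempfile.NamedTemporaryFile("wb", suffix=".py", delete=False) as f:
        f.write(script)
        path = f.name
    try:
        return run_with_allowlist([sys.executable, path], allowed_vars)
    finally:
        os.unlink(path)

# Stand-in for the uploader: it just reports which variables it can see.
GOOD_SCRIPT = b"import json, os; print(json.dumps(sorted(os.environ)))\n"
GOOD_SHA256 = hashlib.sha256(GOOD_SCRIPT).hexdigest()  # would be pinned in-repo

def demo():
    os.environ["AWS_SECRET_ACCESS_KEY"] = "constructed-secret"
    os.environ["UPLOAD_TOKEN"] = "constructed-token"
    seen = json.loads(guarded_run(GOOD_SCRIPT, GOOD_SHA256, ["UPLOAD_TOKEN"]).stdout)
    tampered = GOOD_SCRIPT + b"# any change, however small, breaks the pin\n"
    try:
        guarded_run(tampered, GOOD_SHA256, ["UPLOAD_TOKEN"])
        blocked = False
    except RuntimeError:
        blocked = True
    return "UPLOAD_TOKEN" in seen, "AWS_SECRET_ACCESS_KEY" in seen, blocked
```

`demo()` confirms that the untampered script sees only the allow-listed token and not the cloud credential, and that a one-line change to the script is refused before execution.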

WedMeGood

ShinyHunters strikes again, and the company that’s called to carry the burden is yet another Indian entity, WedMeGood. This is a popular wedding planning platform that helps with all aspects of organizing the ceremonial event, like finding venues, makeup and mehndi artists, groom and bridal wear, photographers, etc.

The platform had a data breach back in October 2020, and as Cyble reported back then, someone uploaded 500MB of data that exposed 1.34 million users. More specifically, that pack included email addresses, password hashes, contact numbers, activity records, and more.

Now, ShinyHunters is giving it all away for free, and it is a whopping 4.3 GB pack. The notorious seller has lately been leaking several databases stolen from Indian sites last year, and underground rumors claim that this is because his extortion attempts against these companies haven’t yielded the desired results.

Vastaamo


A few days earlier, Vastaamo had announced a catastrophic data breach. A security flaw in the company’s IT systems had exposed its entire patient database to the open internet—not just email addresses and social security numbers, but the actual written notes that therapists had taken. A group of hackers, or one masquerading as many, had gotten hold of the data.

Peloton


Researchers at security consultancy Pen Test Partners on Wednesday reported that a flaw in Peloton’s online service was making data for all of its users available to anyone anywhere in the world, even when a profile was set to private. All that was required was a little knowledge of the faulty programming interfaces that Peloton uses to transmit data between devices and the company’s servers.

Data exposed included:

  • User IDs
  • Instructor IDs
  • Group Membership
  • Workout stats
  • Gender and age
  • Weight
  • Whether they are in the studio or not
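The Peloton flaw was an API that handed back a profile regardless of its privacy setting. The following is an added example, not Peloton's code, of the server-side check that closes that gap: the owner sees every field, everyone else gets only an allow-listed public subset, and a private profile is indistinguishable from a non-existent one to callers who are not its owner. The field names are assumptions loosely modelled on the list above.

```python
from dataclasses import dataclass, field

# Constructed example (not Peloton's code): a profile endpoint that enforces
# the privacy flag and a field allow-list on the server, so knowing a user ID
# is not enough to read a private profile or the sensitive fields of a public
# one. Field names are assumptions.

PUBLIC_FIELDS = {"user_id", "instructor_ids", "groups", "workout_stats"}

@dataclass
class Profile:
    user_id: str
    private: bool
    data: dict = field(default_factory=dict)

class NotFound(Exception):
    pass

def get_profile(profiles: dict, target_id: str, viewer_id) -> dict:
    """viewer_id is None for unauthenticated callers."""
    profile = profiles.get(target_id)
    if profile is None:
        raise NotFound(target_id)
    if viewer_id == target_id:
        return dict(profile.data)  # the owner sees every field
    if profile.private:
        # To everyone else a private profile is indistinguishable from a
        # missing one, so the API does not even confirm that the ID exists.
        raise NotFound(target_id)
    return {k: v for k, v in profile.data.items() if k in PUBLIC_FIELDS}

def demo():
    profiles = {
        "u1": Profile("u1", True, {"user_id": "u1", "weight": 70, "groups": ["g1"]}),
        "u2": Profile("u2", False, {"user_id": "u2", "weight": 80, "groups": ["g2"]}),
    }
    try:
        get_profile(profiles, "u1", None)
        anon_private_blocked = False
    except NotFound:
        anon_private_blocked = True
    anon_public = sorted(get_profile(profiles, "u2", None))
    owner = sorted(get_profile(profiles, "u1", "u1"))
    return anon_private_blocked, anon_public, owner
```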

U.S. Agency for Global Media (USAGM)

The U.S. Agency for Global Media (USAGM) has disclosed a data breach that exposed the personal information of current and former employees and their beneficiaries.

USAGM is a US government agency whose mission is to “inform, engage, and connect people around the world in support of freedom and democracy.” USAGM operates broadcast networks, such as Voice of America, Radio Free Europe, Office of Cuba Broadcasting, Radio Free Asia, and Middle East Broadcasting Networks, to deliver news and information to people worldwide.

In a data breach notification shared with BleepingComputer by former Voice of America White House correspondent Dan Robinson, USAGM discloses that they suffered a data breach after falling for a phishing attack in December 2020.

This phishing attack allowed a threat actor to access an agency email account containing the personal information of current and former USAGM, Voice of America, and Office of Cuba Broadcasting employees who worked at the agency between 2013 and 2020.

The exposed information includes full names and Social Security numbers of employees and possibly their beneficiaries and dependents.