fbpx
week22-2021-banner

Here’s your weekly data breach news roundup: ​

Omiai dating app, DailyQuiz, Bose, ‘CEFCO’ Gas Station, Fujitsu, Canada Post, Klarna, Tezpur University, Fractal Analytics, Battle for the Galaxy, UK Special Forces soldiers’ personal data, Scripps Health, MTA,
Tokyo Games organizers, and Apache Pizza

Omiai dating app

week22-2021-ominai

A leading Japanese matchmaking app was hacked, likely exposing the personal information of more than 1.7 million account holders, in the latest high-profile online attack.

Net Marketing Co., which runs the Omiai dating app, said that it found evidence of unauthorized access to its servers in April. Among the data exposed were photos of ID used to confirm the age of users, including drivers’ licenses, insurance cards and passports. Credit card data was not leaked in the hack, the firm said on Friday, adding that it had yet to confirm misappropriation of the personal information.

The Omiai app, named after the Japanese word for matchmaking, had 6.8 million accounts as of April, according to its monthly report. While free for women, Omiai generates revenue by charging men and offers plans starting at 3,980 yen ($37) for a one-month subscription.

DailyQuiz

week22-2021-dailyquiz

The personal details of 13 million DailyQuiz users have been leaked online earlier this year after a hacker breached the quiz builder’s database and stole its content, which he later put up for sale.

The data, of which The Record has obtained copies from two different sources, contains details about 12.8 million users, including plaintext passwords, emails, and IP addresses for 8.3 million accounts.

The stolen data has been sold on hacking forums and Telegram channels since January 2021 for a price of $2,000 paid in cryptocurrency, but leaked into the public domain this month, after it was exchanged through different data brokers, and eventually came into the hands of a security researcher, who shared it with The Record.

Read more at : https://therecord.media/8-3-million-plaintext-passwords-exposed-in-dailyquiz-data-breach/

Bose

week22-2021-bose

Bose Corporation (Bose) has disclosed a data breach following a ransomware attack that hit the company’s systems in early March.

In a breach notification letter filed with New Hampshire’s Office of the Attorney General, Bose said that it “experienced a sophisticated cyber-incident that resulted in the deployment of malware/ransomware across” its “environment.”

“Bose first detected the malware/ransomware on Bose’s U.S. systems on March 7, 2021,” the company added.

The audio maker hired external security experts to restore impacted systems after the attack and forensic experts to determine if any of its data was accessed or exfiltrated by the attackers.

“We did not make any ransom payment,” Bose Media Relations Director Joanne Berthiaume told BleepingComputer. “We recovered and secured our systems quickly with the support of third-party cybersecurity experts.”

“During our investigation, we identified a very small number of individuals whose data was impacted, and we sent notices to them directly in accordance with our legal requirements.

“There is no ongoing disruption to our business, and we are focused on providing our customers with the great products and experiences they have come to expect from Bose.”

‘CEFCO’ Gas Station

Hackers have posted a set of 42 GB of data allegedly belonging to CEFCO, a gas and convenience store chain operating 220 stores across six states in the United States. The details that we saw posted on “Marketo Leaks” include details relevant to clients, partners, and even competitors, with financial documents, contractual agreements, account lists, budget reports, NDAs, and various other interesting stuff involved in the so-called evidence pack. This pack is a whopping 42GB of data that is shared as proof of the breach, free for anyone to download.

Fujitsu's ProjectWEB

Data from various Japanese government entities has reportedly been stolen by hackers that gained access to Fujitsu’s ProjectWEB platform.

Fujitsu’s software-as-a-service platform has since been taken down and the Japanese tech giant is currently investigating the scope of the attacks.

“Fujitsu can confirm unauthorised access to ProjectWEB, a collaboration and project management software, used for Japanese-based projects. Fujitsu is currently conducting a thorough review of this incident, and we are in close consultation with the Japanese authorities,” Fujitsu told ZDNet.

“As a precautionary measure, we have suspended use of this tool, and we have informed any potentially impacted customers.”     

Among the impacted government entities are the Ministry of Land, Infrastructure, Transport, and Tourism; the Cabinet Secretariat; and Narita Airport, Japan’s public broadcaster NHK said in a report.

Canada Post

Canada Post has informed 44 of its large commercial customers that a ransomware attack on a third-party service provider exposed shipping information for their customers.

Canada Post is the primary postal operator in Canada, serving 16.5 million Canadian residential and business addresses.

Canada Post disclosed that a third-party supplier named Commport Communications suffered a ransomware attack where threat actors accessed data stored in their systems.

This accessed data includes shipping manifest data for large parcel business customers, including sender and receiver contact information, names, and mailing addresses.

In total, the breach affected 44 Canada Post commercial customers and 950,000 receiving customers.

Klarna

week22-2021-klarna

Consumers have raised the alarm after user information was mistakenly leaked at Klarna, Europe’s largest private fintech.

The company, which is reportedly in the throes of closing a deal valuing it at $40bn, came under fire on Thursday after users complained they were being accidentally logged in as other people, given them access to strangers’ personal information.

That included randomised postal addresses and past purchases. Partial card details were also exposed, according to one tweet.

Klarna responded by temporarily locking down its app services, and said a technical error was to blame.

The company, which is headquartered in Sweden, now boasts over 90m users worldwide, and saw app downloads grow at pace last year both in Europe and the US.

The reports of data leaks were a blow to the fintech darling which has scooped up increasing amounts of investor cash and is being wooed by regulators across the continent for a potential initial public offering. 

Still, the fintech isn’t the first fast-growing European startup to face data troubles. An IT collective in Germany raised alarm bells earlier this month about delivery startup Gorillas, which is reported chasing a $6bn valuation. The group found weaknesses in its data security and were able to access sensitive customer information.

Tezpur University

week22-2021-tezpuruniversity

Someone is selling a set of databases that they claim are the result of a hack against Tezpur University, a large public educational institute in North-Eastern India. The seller has set a price of $25, although he asked us to bid when contacted, and promises 20,000 database entries in return.

The details shown in the sample images include full names, dates of birth, email addresses, states, gender, phone numbers, religion, age, current address, permanent address, father’s name, mother’s name, spouse’s name, blood type, and more.

Fractal Analytics

week22-2021-fractalanalytics

A hacker was able to obtain a database containing 12 million entries that belongs to ‘Fractal Analytics,’ an international artificial intelligence company based in New York. The database is branded after ‘Customer Genomics,’ a trademark of Fractal Analytics dedicated to integrating enterprise, geo-location, and open social media data to deliver personalized and contextual offers in real-time on mobile platforms. All in all, this is a marketing and targeted advertising analytics platform, and the data that it uses appears to involve full names, email addresses, phone numbers, and more.

The seller is giving away four samples of the database in CSV form to prove the claims made in the listing. The typical assurances about the freshness of the data are also included (the compromise date is May 2021).

We have taken a look at the content of some of these samples, and the information in there appears to be valid. We were also able to see job titles, and in some cases, there are pairs of credentials, albeit with hashed (base64) passwords. This detail tells us that the entries don’t concern only marketing targets but also users of the platform, either employees of Fractal Analytics or their partners/clients.

Battle for the Galaxy

A Chinese game developer has accidentally leaked nearly six million player profiles for the popular title Battle for the Galaxy after misconfiguring a cloud database, Infosecurity has learned.

AMT Games, which has produced a string of mobile and social titles with tens of millions of downloads between them, exposed 1.5TB of data via an Elasticsearch server.

 

A research team at reviews site WizCase found the trove, which contained 5.9 million player profiles, two million transactions, and 587,000 feedback messages.

 

Profiles typically feature player IDs, usernames, country, total money spent on the game, and Facebook, Apple or Google account data if the user linked these with their game account.

 

Feedback messages contain account IDs, feedback ratings and users’ email addresses. At the same time, transaction data includes price, item purchased, time of purchase, payment provider, and sometimes buyer IP addresses, according to WizCase.

 

The firm warned exposed users that their data might have been picked up by opportunistic cyber-criminals searching for misconfigured databases. Data on how much money individuals have spent on the site could enable fraudsters to target the biggest spenders, it added.

 

UK Special Forces soldiers' personal data

An astonishing data security blunder saw the personal data of Special Forces soldiers circulating around WhatsApp in a leaked British Army spreadsheet.

The document, seen by The Register, contained details of all 1,182 British soldiers recently promoted from corporal to sergeant – including those in sensitive units such as the Special Air Service, Special Boat Service and the Special Reconnaissance Regiment.

Special Forces soldiers’ identities are supposed to be protected from public disclosure in case terrorists target them or their families. Yet yesterday an Excel file was freely being passed around on WhatsApp groups after being leaked from inside the Ministry of Defence.

Scripps Health

week22-2021-scripps

More than 147,000 patients, staff and physicians may have had their personal and financial information compromised during last month’s devastating cyberattack on Scripps Health’s internal systems, the health care group confirmed Tuesday.

Scripps Health announced they were notifying patients by email that an “unauthorized person” gained access to their network and acquired copies of documents before deploying ransomware that took their systems offline on May 1. While Scripps’ medical records system was not compromised, some health information and personal financial information was, the agency said.

MTA

Hackers with possible ties to the Chinese government breached three of the MTA’s computer systems earlier this year, transit officials said Wednesday.

The breach occurred on two separate days in the second week of April and continued unchecked until being discovered on April 20, officials said. Hackers did not access systems related to train operations, safety or customer or employee information, the MTA said.

The authority “quickly and aggressively responded to this attack,” MTA Chief Technology Officer Rafail Portnoy said in a statement. An outside audit “found no evidence operational systems were impacted, no employee or customer information breached, no data loss and no changes to our vital systems,” Portnoy said.

Tokyo Games organizers

The organizing committee of the Tokyo Olympics is the latest to be hit by a data breach through unauthorized access to an information-sharing tool developed by Fujitsu Ltd., sources familiar with the matter said Friday.

Personal information was leaked from a total of about 170 people who are involved in security management and have participated in a drill hosted by Japan’s national cybersecurity center to brace for potential cyberattacks during the major sporting event, the sources said.

Data breaches have already been found in government agencies including the National Center of Incident Readiness and Strategy for Cybersecurity and the Foreign Ministry, Fujitsu and the affected ministries said in late May.

With around 50 days to go before the Olympics open in the Japanese capital, the organizers and government continue to ramp up efforts to prevent cyberattacks from disrupting the games.

The center declined to comment on whether the leaked information was related to the games and said it has not confirmed any disruptions in the operations of any of the organizations targeted.

Apache Pizza

week22-2021-apachepizza

Apache Pizza has been hit by a data breach that “may have compromised” personal data shared with the company, it has told customers.

The takeaway chain, which has more than 150 outlets in the Republic, said the breach was limited to delivery information and did not concern customers’ bank or credit card details.

The company said it was notified of a data breach on June 2nd and the content of the breach was confirmed on June 3rd.

“We have established that the breach concerns your name, address, email address, telephone number, which pizzas you have ordered and in a small number of cases also your date of birth in connection with birthday orders,” it said in an email.