Here’s your weekly #databreach news roundup:

Twitter, Entrust, Neopets, PLASCHEMA, and Cleartrip.

Twitter

Twitter has suffered a data breach after threat actors used a vulnerability to build a database of phone numbers and email addresses belonging to 5.4 million accounts, with the data now up for sale on a hacker forum for $30,000.

Yesterday, a threat actor known as ‘devil’ said on a stolen data market that the database contains info about various accounts, including celebrities, companies, and random users.

“Hello, today I present you data collected on multiple users who use Twitter via a vulnerability. (5485636 users to be exact),” reads the forum post selling the Twitter data.

“These users range from Celebrities, to Companies, randoms, OGs, etc.”

Entrust

Digital security giant Entrust has confirmed that it suffered a cyberattack where threat actors breached their network and stole data from internal systems.

Entrust is a security firm focused on online trust and identity management, offering a wide range of services, including encrypted communications, secure digital payments, and ID issuance solutions.

Depending on what data was stolen, this attack could impact a large number of critical and sensitive organizations that use Entrust for identity management and authentication.

This includes US government agencies, such as the Department of Energy, Department of Homeland Security, the Department of the Treasury, the Department of Health & Human Services, the Department of Veterans Affairs, the Department of Agriculture, and many more.

Neopets

Virtual pet website Neopets has suffered a data breach leading to the theft of source code and a database containing the personal information of over 69 million members.

Neopets is a popular website where members can own, raise, and play games with their virtual pets. Neopets recently launched NFTs that will be used as part of an online Metaverse game.

On Tuesday, a hacker known as ‘TarTarX’ began selling the source code and database for the Neopets.com website for four bitcoins, worth approximately $94,000 at today’s prices.

PLASCHEMA

PLASCHEMA manages Plateau State Universal Health Care, a program designed to bring affordable healthcare to Plateau State, a region in Central Nigeria.

11 of PLASCHEMA’s buckets were left unsecured without any authentication or encryption controls in place. As such, the organization’s buckets exposed over 75,000 files totaling around 45GB of data.

Each unsecured bucket contained PII belonging to program applicants from a different city located in Plateau State.

Among other files, the open buckets contained ID cards that exposed a range of applicant PII. Based on the volume of these files, we estimate that over 37,000 people are affected by PLASCHEMA’s data incident.

Cleartrip

Cleartrip, one of the popular travel-booking platforms in India, has confirmed a data breach after hackers claimed to post the stolen data on the dark web.

Responding to a request for comment by TechCrunch based on a tip shared by a security researcher, Cleartrip said it is taking legal action against the hackers.

“We have identified a security anomaly in a few of our internal systems,” a Cleartrip spokesperson told TechCrunch in a prepared statement. (The spokesperson did not provide their name.) “Our information security team is currently investigating the matter along with a leading external forensics partner and is taking the necessary action. Appropriate legal action and recourse are being evaluated and steps are being taken as per the law.”