Here’s your weekly data breach news roundup:

Twitch, The Telegraph, Navistar, Plug and Play Ventures, BrewDog, Syniverse, and Next Level Apparel.

Navistar

An investigation at US truck maker Navistar has revealed that a data breach on its systems exposed employee healthcare information.

Navistar hired external cybersecurity experts and began an investigation after learning of a security incident on May 20. By the end of May, the firm had confirmed that an “unauthorized third party had accessed and taken certain data from Navistar’s IT systems”.

On June 7, Navistar filed 8-K papers with the US Securities and Exchange Commission, warning investors about the incident. The notification generated press coverage from Reuters and other outlets, as investigators continued to assess the scope and impact of the incident.

By August 20, Navistar’s team had confirmed that attackers had “accessed and taken” the personal information of participants in its healthcare and life insurance plans.

The potentially compromised data included the full names, addresses, dates of birth, and Social Security numbers of an unspecified number of Navistar employees past and present, according to an updated statement by Navistar on the breach.

Plug and Play Ventures

A Silicon Valley venture capital firm that runs a matchmaking service linking investors with startups exposed 6GB of data, including deal flow information pertaining to investors and startups.

The data belongs to Plug and Play Ventures, which is headquartered in Sunnyvale, California, and has offices around the world. Plug and Play helps startups get off the ground and matches those companies with investors. The firm says it has benefited from early investments in PayPal and Dropbox.

The leaked data appears to be a PostgreSQL database for Playbook.vc, a networking and deal flow application from Plug and Play.

The unencrypted data includes personal contact information for investors, founders and CEOs. It includes personal information voluntarily submitted by those people to Plug and Play, including names, phone numbers and email addresses. There are more than 50,000 unique email addresses in the data.

BrewDog

BrewDog, the Scottish brewery and pub chain famous for its crowd-ownership model and its tasty IPAs, has irreversibly exposed the details of 200,000 of its shareholders and customers.

The exposure lasted for over 18 months and the point of the leak was the firm’s mobile app, which gives the ‘Equity Punks’ community access to information, discounts at bars, and more. 

As detailed in a PenTestPartners report, the problem lies in the app’s API, and more specifically, its token-based authentication system. The security blunder comes from the fact that these tokens were hard-coded into the mobile application instead of being transmitted to it following a successful user authentication event. 

As such, anyone was free to append any customer ID to the end of the API endpoint URL, and access sensitive PII (personally identifiable information) for that customer. 
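
The flaw described above, reduced to a server-side sketch. This is an added example, not code from BrewDog or from the PenTestPartners report; the customer records, token format and function names are assumptions made for illustration, and the token omits expiry and revocation to stay short.

```python
import hashlib
import hmac
import secrets

# Constructed sample data; IDs, names and the shared token are illustrative.
CUSTOMERS = {
    "1001": {"name": "Alice Example", "email": "alice@example.test"},
    "1002": {"name": "Bob Example", "email": "bob@example.test"},
}
SHARED_APP_TOKEN = "app-token-baked-into-every-install"  # the flawed design
SERVER_KEY = secrets.token_bytes(32)  # server-side secret, never shipped in the app


def _sign(customer_id):
    """HMAC over the customer ID, keyed with the server-side secret."""
    return hmac.new(SERVER_KEY, customer_id.encode(), hashlib.sha256).hexdigest()


def weak_get_customer(bearer, customer_id):
    """Flawed pattern: one static token proves only 'this is the app'."""
    if not hmac.compare_digest(bearer.encode(), SHARED_APP_TOKEN.encode()):
        return 401, None
    return 200, CUSTOMERS.get(customer_id)  # no check of who is asking


def issue_token(customer_id):
    """Called only after the user has authenticated; binds the token to one ID."""
    return f"{customer_id}.{_sign(customer_id)}"


def token_subject(bearer):
    """Return the customer ID the token was issued for, or None if invalid."""
    customer_id, _, sig = bearer.partition(".")
    valid = hmac.compare_digest(sig.encode(), _sign(customer_id).encode())
    return customer_id if valid else None


def hardened_get_customer(bearer, customer_id):
    """Per-user token plus an object-level check on the requested ID."""
    subject = token_subject(bearer)
    if subject is None:
        return 401, None  # not a token this server issued
    if subject != customer_id:
        return 403, None  # authenticated, but not the owner of this record
    return 200, CUSTOMERS.get(customer_id)
```

The hardened handler rejects the shared token outright and returns 403 when a valid token for one customer is used to request another customer's record, which is the check the described API lacked.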

Syniverse

Syniverse, the well-known telecom giant, revealed to the Securities and Exchange Commission that hackers infiltrated its systems for more than five years. As a result, millions of cellphone users’ data and billions of text messages were exposed.

According to the Securities and Exchange Commission filing published last week, the company learned in May 2021 about unauthorized access to its “operational and information technology systems by an unknown individual or organization…. allowing access to or from its Electronic Data Transfer (EDT) environment.”

Syniverse notified law enforcement and initiated an internal investigation that led to the discovery that the data breach actually started in May 2016. This indicates hackers could have been accessing the company’s data for all those years.

The data breach has come to light at a time when Syniverse is preparing to go public after its merger with M3-Brigade Acquisition II Corp, a special purpose acquisition entity. The company has not released any statement about the long-term data breach as yet.

Next Level Apparel

Next Level Apparel, a US clothing manufacturer and e-commerce operator, has alerted customers to a data breach connected to the compromise of employee mailboxes.

“A limited number of employees’ email accounts” were compromised via phishing, which gave cybercriminals “access to the contents of the accounts at various times between February 17, 2021 and April 28, 2021,” said Next Level Apparel in a press release issued yesterday (October 5).

This “resulted in unauthorized access to information contained in some email accounts, including names accompanied by Social Security numbers, financial/checking account numbers, payment card numbers, driver’s license numbers, and limited medical/health information”.

Next Level Apparel, a wholesale producer and online retailer of blank apparel, said it “could not confirm that any individual’s information was in fact viewed by an unauthorized person”.

Twitch

The Amazon-owned gaming platform Twitch has suffered a data breach that experts have called a “highly targeted attack”.

Twitch on Wednesday confirmed it suffered a breach, and said its teams were working to understand its extent.

The breach has revealed a large trove of sensitive data, including Twitch’s entire source code and several years of payout information on the service’s most popular streamers, according to video game news platform Video Games Chronicle, which first reported the news of the hack.

This level of hack would “send a shudder down any hardened infosec professional”, Archie Agarwal, founder and CEO at New Jersey cybersecurity firm ThreatModeler, told the Guardian.

“This is as bad as it could possibly be,” he said. “How on earth did someone exfiltrate 125GB of the most sensitive data imaginable without tripping a single alarm?”

The hacker posted the leak to the online forum 4chan and said they carried it out to “foster more disruption and competition in the online video streaming space”, according to Video Games Chronicle.

Twitch’s parent company, Amazon, did not immediately respond to the Guardian’s request for comment.

The Telegraph

‘The Telegraph’, one of the UK’s largest newspapers and online media outlets, has leaked 10 TB of data after failing to properly secure one of its databases.

The exposed information includes internal logs, full subscriber names, email addresses, device info, URL requests, IP addresses, authentication tokens, and unique reader identifiers.

Bob Diachenko, the researcher who discovered the unprotected dataset on September 14, 2021, has confirmed that at least 1,200 unencrypted contacts were accessible without a password at the time of his review.

Notably, many of these cases concern registrant information of Apple News subscribers, also including passwords in plaintext form.

The newspaper was contacted and warned about the exposure immediately, but it took them two days to eventually respond and secure the database.

The instance was indexed on specialized search engines on September 1, 2021, so the period of exposure is at least three weeks. That’s plenty of time for attackers and automated scanners to find the exposed database and exfiltrate the contained data.