wk42-2023

Here’s your weekly #databreach news roundup:


Okta, Casio, D-Link, 23andMe, and Air Europa.

Casio


What happened?
Casio, a Japanese electronics company, reported a data breach affecting its ClassPad education platform. Hackers gained access to their servers and exposed customer data.

When was it detected?
Casio became aware of the breach on October 11 after a failure in a ClassPad database. The attackers accessed the data on October 12.

What data was exposed?
Customer names, email addresses, countries of residence, details of how they use the service, and purchase details. Credit card information was not stored in the affected database.

How many people were affected?
91,921 records of Japanese customers, including some educational institutions.
35,049 records of customers from 148 other countries.

What caused the breach?
Casio admitted mistakes on its end: some network security settings had been disabled through an operational oversight, and the system was not being managed properly.

What is Casio doing now?
They made the breached database inaccessible from outside.
The ClassPad.net app is still working and no other systems were hacked.
Casio has informed Japanese authorities and is helping them investigate. They’re also looking into the breach with external security experts.

Was there another breach before?
In August, someone (using the name thrax) claimed to have Casio data, stating they had taken it from an old server. The data dated from 2006 and 2011 and included database login credentials and AWS keys.
Casio hasn’t yet commented on this August claim.

23andMe


What happened?
A hacker leaked 4.1 million stolen 23andMe genetic data profiles of people from Great Britain and Germany.
This followed an earlier leak this month of data for 1 million Ashkenazi Jews.

How did it happen?
23andMe believes the data was accessed through credential stuffing attacks, where hackers use previously exposed credentials or weak passwords to gain access. There’s no evidence of a direct breach on 23andMe’s systems.
Only a few accounts were directly compromised, but they had the ‘DNA Relatives’ feature turned on. That feature shares profile data with matched users, so from those few accounts the hacker could reach data on millions of users.

Who is behind this?
A hacker named ‘Golem’ is believed to be responsible for the attacks.

What data was leaked?
Initially, data of 1 million Ashkenazi Jews.
4,011,607 profiles of people in Great Britain.
139,172 profiles of people in Germany.
The hacker claims this includes data of some very wealthy families, but this hasn’t been confirmed.

Where was it leaked?
The data was posted on the BreachForums hacking forum.

What is the company doing?
23andMe is currently investigating the leaked data. They’ve stated that if they confirm any unauthorized access to customer data, they will notify the affected individuals.

Any other relevant information?
Some of the leaked data was apparently being sold on another hacking forum in August 2023.
Given the vast amount of data the hacker claims to possess, further leaks may follow.
This series of leaks has led to numerous lawsuits against 23andMe, accusing the company of not informing or protecting its users adequately.

D-Link


What happened?
Taiwanese company D-Link, which makes networking equipment, confirmed a data breach. Information from this breach was later offered for sale on BreachForums.

What data was stolen?
The attacker claims to have the source code for D-Link’s D-View software and millions of records with personal details of customers, employees, and even the company’s CEO. The data supposedly includes names, emails, addresses, phone numbers, and sign-in details.
However, D-Link states that the compromised system only contained about 700 old records.

Who is behind it?
The identity of the attacker isn’t clear, but they claimed responsibility on BreachForums and demanded $500 for the data and the alleged source code.

How did it happen?
D-Link believes an employee was tricked by a phishing attack, allowing the attacker access to their network.
The accessed data was in a “test lab environment” on an old D-View 6 system that was supposed to be out of use since 2015.

Is there any controversy?
The data being sold has timestamps from 2012-2013, indicating it’s old. One person noted this on the BreachForums thread.
There’s confusion about why an old server was still online on D-Link’s network for potentially seven years.
The attacker claims to have millions of records, but D-Link says there are only around 700 outdated records.

What is D-Link’s response?
They immediately shut down servers that might be affected and limited user access for the investigation.
D-Link thinks the hacker changed login timestamps to make it seem like the data was more recent.
They emphasized that the data is old, of low sensitivity, and that most current customers are probably not affected.

Air Europa


What happened?
Spanish airline Air Europa, part of the SkyTeam alliance, experienced a data breach where attackers accessed customers’ credit card information.

What data was compromised?
Exposed credit card details include card numbers, expiration dates, and the 3-digit CVV codes.

What did Air Europa advise?
The airline asked affected customers to cancel the credit cards they had used on its website to prevent potential fraud.
They also cautioned against providing personal information to unknown callers or email senders and warned against opening suspicious links related to card alerts.

What has Air Europa done?
They secured their systems and informed the necessary authorities and entities, including the AEPD (the Spanish Data Protection Agency), INCIBE (the Spanish National Cybersecurity Institute), and banks.

What’s unknown?
The number of affected customers, when the breach occurred, and when it was detected have not been disclosed. An official comment from Air Europa is still pending.

Any past incidents?
In March 2021, Air Europa was fined €600,000 by the Spanish Data Protection Agency for GDPR violations and a late breach notification. That breach impacted around 489,000 people, and criminals fraudulently used about 4,000 of the compromised bank cards. Notably, Air Europa did not notify the affected individuals at that time.

Okta


What happened?
Okta, a leading identity tools provider, experienced a security breach that compromised its customer support unit. While Okta claims the breach affected only a “very small number” of customers, the hackers had access to Okta’s support platform for about two weeks.


Details of the Breach:
Attackers exploited a stolen credential to gain access to Okta’s support case management system, viewing files that customers had uploaded for recent support cases.
Okta often requests HTTP Archive (HAR) files from customers during troubleshooting, which contain sensitive data like cookies and session tokens. Attackers can use these to impersonate valid users.
Okta took protective measures, including revoking the session tokens embedded in the uploaded HAR files, and advised customers to sanitize HAR files before sharing them.
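The sanitization step Okta recommends is easy to get wrong by hand, since credentials sit in several places in a HAR (request and response headers, the cookies arrays, and response bodies). The following sanitizer is an added example, not Okta's or BeyondTrust's tooling; the HAR document it processes is constructed inline, and the hostname, header names beyond the standard ones, and token values are placeholders.

```python
import copy
import json

# Constructed sample HAR (not a real capture): one request carrying an
# Authorization header and a session cookie, plus a Set-Cookie in the response.
SAMPLE_HAR = {
    "log": {
        "version": "1.2",
        "entries": [
            {
                "request": {
                    "url": "https://example-tenant.invalid/api/v1/users/me",
                    "headers": [
                        {"name": "Authorization", "value": "Bearer PLACEHOLDER-TOKEN-00abc"},
                        {"name": "Cookie", "value": "sid=SESSIONVALUE; DT=devtoken"},
                    ],
                    "cookies": [{"name": "sid", "value": "SESSIONVALUE"}],
                },
                "response": {
                    "headers": [{"name": "Set-Cookie", "value": "sid=NEWSESSION; Secure"}],
                    "cookies": [{"name": "sid", "value": "NEWSESSION"}],
                    "content": {"mimeType": "application/json", "text": "{\"id\": \"placeholder\"}"},
                },
            }
        ],
    }
}

# Header names whose values are reusable credentials (matched case-insensitively).
SENSITIVE_HEADERS = {"authorization", "proxy-authorization", "cookie", "set-cookie"}
REDACTED = "[REDACTED]"


def sanitize_har(har):
    """Return a deep copy of the HAR with credential-bearing fields redacted.
    Header and cookie names and URLs are kept so the capture is still useful for
    troubleshooting; values that would let someone replay the session are blanked."""
    out = copy.deepcopy(har)
    for entry in out["log"]["entries"]:
        for side in ("request", "response"):
            section = entry.get(side, {})
            for header in section.get("headers", []):
                if header.get("name", "").lower() in SENSITIVE_HEADERS:
                    header["value"] = REDACTED
            for cookie in section.get("cookies", []):
                cookie["value"] = REDACTED
            # Response bodies may echo tokens; drop the body rather than guess at its shape.
            if side == "response" and "content" in section:
                section["content"].pop("text", None)
    return out


def contains_secret(har, secret):
    """Check whether a known secret still appears anywhere in the serialized HAR."""
    return secret in json.dumps(har)
```

Run `contains_secret` against the output with each token you know was in the capture before sending it anywhere; a check that fails for the original and passes for the sanitized copy is the expected result.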


BeyondTrust’s Involvement:
Security firm BeyondTrust alerted Okta about suspicious activities over two weeks before Okta acknowledged the breach.
BeyondTrust detected unauthorized activity using an Okta account belonging to one of its engineers. They traced the activity back to a HAR file the engineer had sent to Okta; the session token inside it was used by the attacker 30 minutes later.
BeyondTrust contacted Okta multiple times, asserting their suspicion of a breach at Okta.


Okta’s Response:
Initially, Okta didn’t think BeyondTrust’s alert indicated a system breach. By Oct. 17, however, Okta had identified and contained the incident, disabling the compromised account and invalidating associated Okta access tokens.
Okta’s Deputy Chief Information Security Officer, Charlotte Wylie, stated that the breach affected a “very, very small subset” of its 18,000+ customers.


Past Incidents:
Recently, Caesars Entertainment and MGM Resorts were hacked via social engineering attacks targeting Okta administrator accounts.
In March 2022, Okta disclosed another breach involving the hacking group LAPSUS$. This group socially engineered a support engineer from Sitel, which had access to Okta resources.


Who was behind this?
While specific details about the attacker were not revealed, Okta believes it was a known threat actor that has previously targeted them and their customers.