w43-2023-min

Here’s your weekly #databreach news roundup:

Redcliffe Labs, CCleaner, D.C. Board of Elections, 1Password and University of Michigan.

Redcliffe Labs

  • What happened?
    • Redcliffe Labs, a diagnostic services provider, experienced a data leak exposing over 12 million patient records.
  • How did it happen?
    • A cybersecurity expert found an unprotected database from Redcliffe Labs that was not secured with a password. This database held a vast amount of sensitive medical information.
  • What data was involved?
    • The leak included diagnostic scans, test results, and other medical records totaling 7 terabytes of data. It contained patient and doctor names, test locations, and more. Over 6 million PDFs labeled “test results” were in the database, with details like X-ray reports, blood test records, and employee reimbursement documents.
  • Potential risks:
    • There are concerns over medical identity theft, misuse of health information, and the possibility of ransomware attacks due to the breach.
  • Discrepancy in numbers:
    • Although Redcliffe Labs’ website claimed 2.5 million customers, the database held records that suggest a far larger number of individuals may be affected.
  • Other exposed data:
    • The database also contained source code and development documentation for Redcliffe Labs’ mobile app, which could be exploited by hackers.
  • Response and Security Measures:
    • Redcliffe Labs has denied any breach, highlighting their strong cybersecurity measures such as firewalls, private VPCs, and encryption.
  • Current status:
    • There’s no clear information on whether Redcliffe Labs has notified authorities or the individuals potentially affected by the data exposure.

CCleaner

  • What happened?
    • CCleaner, the well-known software tool for cleaning PCs, has confirmed a breach where attackers accessed customer data.
  • How was it first known?
    • Users of CCleaner and Windows forums began reporting emails from CCleaner about the breach.
  • What caused the breach?
    • The breach resulted from a vulnerability known as the MOVEit Transfer bug, which allowed data to be stolen.
  • Initial confusion:
    • There was some confusion when a forum admin on the CCleaner community forum labeled the breach notification emails as a scam, advising users to disregard them.
  • Company confirmation:
    • CCleaner acknowledged the breach after Cybernews reached out, confirming the emails were legitimate and that the breach affected low-risk employee data and some customer information.
  • Data exposed:
    • Personal information like names, email addresses, and phone numbers of some customers was leaked.
  • CCleaner’s response:
    • The company has offered complimentary dark web monitoring services to those affected.
  • Background on CCleaner:
    • Owned by Piriform Software, under the cybersecurity company Avast, CCleaner has a large user base with over 2.5 billion downloads.
    • This isn’t the first security incident for CCleaner. In 2017, it was compromised with a trojan that potentially allowed attackers to access millions of devices, aiming at tech companies as primary targets.

D.C. Board of Elections

  • What happened?
    • The District of Columbia Board of Elections (DCBOE) reported a breach that may have exposed the personal information of all registered voters in the District of Columbia.
  • What data was involved?
    • The potentially accessed voter roll includes personally identifiable information (PII) like driver’s license numbers, birth dates, partial Social Security numbers, and contact details such as phone numbers and email addresses.
  • How was it discovered?
    • DCBOE was alerted to the breach after a threat actor, RansomedVC, claimed to have stolen U.S. voter data, including that of D.C. voters, boasting over 600,000 lines of data.
  • How did the breach occur?
    • The attackers gained access through a server operated by DataNet Systems, the hosting provider for the DCBOE. The DCBOE’s own databases or servers were not directly affected.
  • Response to the breach:
    • Upon discovering the attack, DCBOE shut down its website and is now working with cybersecurity firm Mandiant, the FBI, and DHS to investigate and respond to the incident.
  • Current status of the data:
    • The stolen data is advertised for sale on RansomedVC’s dark web site. The price is not publicly known.
  • Earlier reports of the breach:
    • Before RansomedVC’s claims, an individual with the username “pwncoder” reportedly offered the DCBOE database for sale on hacking forums, though those posts have since been deleted.
  • Other related incidents:
    • RansomedVC’s recent claims of hacking Sony and stealing data have been contested by another threat actor, MajorNelson, who also released files allegedly from Sony.
  • Verification and ongoing investigation:
    • While the threat actors have made claims about the breaches and stolen data, BleepingComputer has not independently verified these claims. Investigations are ongoing to determine the full scope and impact of the DCBOE breach.

1Password

  • What happened?
    • 1Password, a widely used password management service, reported a security incident in which hackers accessed its Okta identity management tenant.
  • Initial Detection and Response:
    • Suspicious activity on 1Password’s Okta instance was detected on September 29, related to a broader incident affecting Okta’s support system.
    • 1Password took immediate action to terminate the activity and, after investigation, confirmed that no user data was compromised.
  • Okta’s Breach and Impact:
    • The incident at 1Password is connected to a breach at Okta, where threat actors used stolen credentials to access Okta’s support case management system. Okta customers, including 1Password, use Okta to manage employee-facing apps.
    • Okta’s breach was first identified by BeyondTrust; it took Okta over two weeks to confirm it.
  • Cloudflare’s Similar Experience:
    • Cloudflare also encountered malicious activity using a token stolen from Okta, which led to unauthorized administrative access.
  • Details of 1Password’s Incident:
    • Attackers breached 1Password’s Okta tenant using a stolen session cookie from an IT employee.
    • The attacker attempted to access the IT team member’s dashboard, update an Identity Provider tied to 1Password’s production environment, and request a report of administrative users.
    • 1Password became aware of the breach when an IT team member received an unexpected email suggesting they had initiated an administrative report.
  • 1Password’s Investigation:
    • Working with Okta, 1Password linked the breach to Okta’s compromised support system.
    • There is some discrepancy, as Okta’s logs suggest the IT employee’s HAR file, which contained the compromised session, was not accessed until after 1Password’s incident was already underway.
  • Measures Taken:
    • 1Password rotated the affected IT employee’s credentials and adjusted their Okta configuration to enhance security, including changes to login processes, administrative session lengths, multi-factor authentication (MFA) rules, and the number of super administrators.
  • Current Status:
    • 1Password is working with Okta to understand the breach vector fully. They have informed affected parties and taken steps to prevent such incidents in the future.
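The HAR-file detail above (a support upload that carried a live session cookie) is the part of the 1Password incident a defender can act on directly. The Python below is an added example, not code from 1Password or Okta: it strips session-bearing headers and cookie values from a HAR document before the file is shared with a vendor's support desk, and refuses to emit the file if any such value survives. The cookie name `sid`, the tenant URL and the token strings in the sample capture are constructed for this example.

```python
"""HAR sanitiser: redact session cookies and credential headers before a HAR
file leaves the organisation. Added example, not 1Password's or Okta's code."""
import copy
import json

# Header names (case-insensitive) that carry session or credential material.
SENSITIVE_HEADERS = {"cookie", "set-cookie", "authorization", "proxy-authorization"}
REDACTED = "[REDACTED]"

# Constructed sample HAR. The "sid" cookie name, the tenant URL and the token
# values are made up for this example and are not taken from any real capture.
SAMPLE_HAR = {
    "log": {
        "version": "1.2",
        "entries": [
            {
                "request": {
                    "method": "GET",
                    "url": "https://example-tenant.okta.example/api/v1/users/me",
                    "headers": [
                        {"name": "Cookie", "value": "sid=CONSTRUCTED_SESSION_TOKEN; JSESSIONID=abc"},
                        {"name": "Accept", "value": "application/json"},
                    ],
                    "cookies": [{"name": "sid", "value": "CONSTRUCTED_SESSION_TOKEN"}],
                },
                "response": {
                    "status": 200,
                    "headers": [
                        {"name": "Set-Cookie", "value": "sid=CONSTRUCTED_NEW_TOKEN; HttpOnly; Secure"},
                        {"name": "Content-Type", "value": "application/json"},
                    ],
                    "cookies": [{"name": "sid", "value": "CONSTRUCTED_NEW_TOKEN"}],
                },
            }
        ],
    }
}
SAMPLE_HAR_TEXT = json.dumps(SAMPLE_HAR)


def find_session_material(har):
    """Return (entry index, section, kind, name) for every unredacted header or
    cookie value that could be replayed as a session. Used both as a pre-upload
    check and as a post-sanitisation assertion."""
    findings = []
    for i, entry in enumerate(har["log"]["entries"]):
        for section in ("request", "response"):
            part = entry.get(section, {})
            for h in part.get("headers", []):
                if h.get("name", "").lower() in SENSITIVE_HEADERS and h.get("value") != REDACTED:
                    findings.append((i, section, "header", h["name"]))
            for c in part.get("cookies", []):
                if c.get("value") != REDACTED:
                    findings.append((i, section, "cookie", c.get("name", "")))
    return findings


def redact_har(har):
    """Return a deep copy of the HAR with all session-bearing header values and
    all cookie values replaced; the input document is left untouched."""
    clean = copy.deepcopy(har)
    for entry in clean["log"]["entries"]:
        for section in ("request", "response"):
            part = entry.get(section, {})
            for h in part.get("headers", []):
                if h.get("name", "").lower() in SENSITIVE_HEADERS:
                    h["value"] = REDACTED
            for c in part.get("cookies", []):
                c["value"] = REDACTED
    return clean


def sanitise_har_text(har_text):
    """Parse, redact and re-serialise a HAR document. Raises ValueError rather
    than emitting a file that still carries session material."""
    clean = redact_har(json.loads(har_text))
    leftovers = find_session_material(clean)
    if leftovers:
        raise ValueError(f"session material still present: {leftovers}")
    return json.dumps(clean, indent=2)


if __name__ == "__main__":
    print("before sanitising:", find_session_material(SAMPLE_HAR))
    print(sanitise_har_text(SAMPLE_HAR_TEXT))
```

Running the block prints the four findings in the constructed capture (the `Cookie` and `Set-Cookie` headers plus the two `sid` cookie entries) and then the redacted document. Redacting every cookie value rather than only known session names is deliberate: a support engineer rarely needs cookie contents to reproduce a problem, and an allow-list of cookie names is exactly the kind of thing that goes stale.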

University of Michigan

  • What happened?
    • The University of Michigan experienced a data breach when hackers infiltrated its network between August 23 and 27, exposing sensitive information belonging to a broad cross-section of the university community.
  • Who was affected?
    • The breach potentially impacted students, applicants, alumni, donors, employees, patients, and research study participants.
  • What data was exposed?
    • Personal details such as Social Security numbers, driver’s license numbers, financial account and payment card numbers, and health information were among the data compromised.
  • Immediate response:
    • Upon detecting the breach, the university cut off its campus network from the internet. A thorough investigation followed, confirming the exposure of both personal and sensitive data.
  • Notification to affected parties:
    • Individuals whose data was exposed were notified by letter; delivery may take up to five days.
  • Protective measures offered:
    • The University of Michigan is providing complimentary credit monitoring services to those whose sensitive information was involved in the incident.
  • Security actions taken:
    • After detecting the intrusion, the university disclosed it publicly, performed a password reset for all accounts on their systems, and took steps to secure the network.
  • Institution background:
    • The University of Michigan is one of the largest and oldest educational institutions in the U.S., with over 30,000 staff and around 51,000 students.