w47-2022

Here’s your weekly #databreach news roundup:

Twitter, WhatsApp, Sonder Holdings, The Smith Family, Gateway Rehabilitation Center, AAA Collections, and Kannur University.

Twitter

Over 5.4 million Twitter user records containing non-public information stolen using an API vulnerability fixed in January have been shared for free on a hacker forum.

Another massive, potentially more significant, data dump of millions of Twitter records has also been disclosed by a security researcher, demonstrating how widely abused this bug was by threat actors.

The data consists of scraped public information as well as private phone numbers and email addresses that are not meant to be public.

WhatsApp

In what could be one of the biggest data breaches, the phone numbers of nearly 500 million WhatsApp users have been put up for sale online. According to a report by Cybernews, an actor posted an ad on a hacking community forum, claiming to be selling a 2022 database of 487 million WhatsApp user mobile numbers. The database contains mobile numbers of WhatsApp users from 84 different countries, including the US, the UK, Egypt, Italy, Saudi Arabia and even India.

Update: WhatsApp has denied the breach. In a statement, a WhatsApp spokesperson said that the data breach report was “based on unsubstantiated screenshots,” and that the company had “no evidence of a ‘data leak’.”

Sonder Holdings

Short-term accommodation provider Sonder Holdings on Wednesday confirmed some of its systems, including “certain” guest records that may include driver’s licenses and passports, were exposed in a data breach. 

Data accessed during the breach included guest records created prior to Oct. 1, 2021, some of which involved Sonder account holders’ usernames, passwords, full names, phone numbers, home addresses, email addresses and dates of birth. Some data also may have included guest receipts with the last four digits of credit card numbers, transaction totals and booking dates at Sonder properties, according to the company. 

The Smith Family

Children’s charity The Smith Family has become the latest major Australian organisation to fall victim to a cyberattack, with hackers gaining access to its donors’ confidential information including credit card details.

The charity on Tuesday confirmed it detected a data breach in October, in which a hacker got into a staff member’s email, and stopped an attempt to steal the charity’s funds. But after digital investigators completed an investigation last week, they found that files with donor names, addresses and contact information were in the inbox along with the partial credit card data.

Gateway Rehabilitation Center

Pennsylvania-based Gateway Rehabilitation Center notified 130,000 individuals of a data breach that it discovered in June 2022. The nonprofit provides drug and alcohol rehabilitation services to individuals throughout greater Pittsburgh.

On June 13, Gateway Rehab discovered an “incident disrupting access to certain systems” and immediately took steps to secure its systems. Further investigation revealed that the names, birth dates, Social Security numbers, medical information, health insurance information, and financial account information of current and former patients were potentially compromised.

AAA Collections

AAA Collections, Inc. reported a data breach to the Montana Attorney General’s Office after the company learned that an unauthorized party was able to access sensitive consumer data contained on its computer system. As of today, AAA Collections has not published notice of the breach on its website or otherwise clarified what information was compromised. However, based on state data breach reporting requirements, it is likely that the incident involved consumers’ names and one or more of the following: Social Security numbers, financial account information, government identification numbers or protected health information. Recently, AAA Collections sent out data breach letters to all affected parties, informing them of the incident and what they can do to protect themselves from identity theft and other fraud.

Kannur University

In a major data leak, details of over 33,000 students of Kannur University were found on a dark web portal. Kochi-based private cyber security firm Technisanct, while scanning dark web activities, found that the data had been available since November 18.

A hacker going by the name ‘3Subs’ leaked five databases from 2018 to 2022 containing 33,040 records of Kannur University. The leaked data includes name, application number, email, password, Aadhaar number, phone number, admission details and pass year. There are 321 records from 2018, 7,060 from 2019, 9,127 from 2020, 8,648 from 2021 and 7,874 records from 2022 on the portal.