27 Dec
Here’s your weekly #databreach news roundup:
BetMGM, DraftKings, McGraw Hill, SevenRooms, Centers for Medicare & Medicaid Services, Shiseido, Social Blade, and Gemini.
BetMGM
Sports betting service BetMGM said on Wednesday that personal information of its customers was obtained in an unauthorized manner but did not specify the number of users affected. #databreach https://t.co/8lPNNJiMrR
— DevaOnBreaches (@DevaOnBreaches) December 23, 2022
Sports betting service BetMGM said on Wednesday personal information of its customers were obtained in an unauthorized manner, but did not specify the number of users affected.
The issue affected customer information such as name, contact information, date of birth, hashed Social Security number, account identifiers and information related to transactions with BetMGM, the company said.
BetMGM did not immediately respond when asked about the number of customers impacted by to the breach, which it believes occurred in May this year.
DraftKings
Sports betting company DraftKings revealed last week that more than 67,000 customers had their personal information exposed following a credential attack in November.https://t.co/MTBtCidNJE
— DevaOnBreaches (@DevaOnBreaches) December 21, 2022
Sports betting firm DraftKings says the personal data of 68,000 individuals has been compromised in a recent data breach.
The incident, initially disclosed in November, was the result of a credential stuffing attack and not a breach of DraftKings’ systems, the company says.
Credential stuffing involves the use of leaked credentials (usernames, email addresses, and passwords) obtained from a third-party source to access an account on a different service. Such attacks are successful only because some individuals use the same credentials for accounts on different services.
McGraw Hill
Student data of McGraw Hill, an education publishing company based in the USA, mistakenly exposed records of over 100,000s students online. This #databreach exposed students from several universities across the US and Canada. @deepanker70 https://t.co/F3KcIZD9Ih
— DevaOnBreaches (@DevaOnBreaches) December 20, 2022
Student data of McGraw Hill, an education publishing company based in the USA, mistakenly exposed records of over 100,000s students online. The data could be accessed by anyone with a web browser. This breach exposed students from several universities across the US and Canada.
A team of researchers at vpnMentor discover two misconfigured Amazon Web Services (AWS) S3 buckets that belonged to McGraw Hill. One was the production bucket with more than 47 million files and 12TB+ of data. The non-production bucket contained more than 69 million files and 10TB+ of data.
SevenRooms
Restaurant customer management platform SevenRooms has confirmed it suffered a #databreach after a threat actor began selling stolen data on a hacking forum. @billtoulas @BleepinComputer https://t.co/wNnFu6WrUg
— DevaOnBreaches (@DevaOnBreaches) December 19, 2022
SevenRooms, a “guest experience and retention platform” for food establishments and hospitality organisations, has confirmed it has fallen victim to a third party vendor data breach. Mostly known for its customer management platform, Seven Rooms’ breach came to light after stolen data was seen for sale on an underground forum.
Centers for Medicare & Medicaid Services (CMS)
The Centers for Medicare & Medicaid Services (CMS) is responding to a #databreach at Healthcare Management Solutions, LLC (HMS) – a subcontractor to CMS – that may have exposed personally identifiable information of up to 254,000 Medicare beneficiaries.https://t.co/0UsXsIP4yl
— DevaOnBreaches (@DevaOnBreaches) December 17, 2022
The Centers for Medicare & Medicaid Services (CMS) is responding to a data breach at Healthcare Management Solutions, LLC (HMS) – a subcontractor to CMS – that may have exposed personally identifiable information of up to 254,000 Medicare beneficiaries.
In a press release, CMS said the subcontractor was subject to a ransomware attack on its corporate network on Oct. 8, 2022. However, no CMS systems were breached and no Medicare claims data were involved.
Shiseido
Employees and former employees of cosmetics firm Shiseido whose data was stolen in a recent #databreach are planning group legal action after their information was used to establish fraudulent companies in their nameshttps://t.co/o52ArPfOlK
— DevaOnBreaches (@DevaOnBreaches) December 17, 2022
Employees and former employees of the UK business of Japanese cosmetics firm Shiseido who found their personal information had been exposed in a data breach are being asked to come forward to take part in a proposed group legal action against the company.
The breach took place in the spring of 2022 and was notified to the Information Commissioner’s Office (ICO) in mid-April. This was supposedly in line with reporting regulations, which require the ICO to be told of impactful breaches within 72 hours, but according to reports at the time, employees had alleged that Shiseido was aware of the incident a month earlier than that.
Social Blade
Social media analytics platform Social Blade has confirmed it suffered a #databreach after its database was breached and put up for sale on a hacking forum. @billtoulas @BleepinComputer https://t.co/XQdDOImDzr
— DevaOnBreaches (@DevaOnBreaches) December 16, 2022
Social media analytics platform Social Blade has confirmed being impacted by a data breach after a database claimed to have been stolen from the company was offered for sale on a hacker forum, reports SecurityWeek. Social Blade had its purportedly stolen database, which is claimed by the attacker to contain 5.6 million records, offered for sale on Dec. 12, with the posted sample of table names and content indicating the presence of user information in many of the compromised records. Only up to two people could purchase the database, which has already been verified to be authentic by a known hacker.
Gemini
A third-party vendor related to Gemini appeared to have suffered a #databreach on or before Dec. 13 and gained access to 5,701,649 lines of information pertaining to Gemini customers’ email addresses and partial phone numbers.https://t.co/mzgimH5kCS
— DevaOnBreaches (@DevaOnBreaches) December 15, 2022
A third-part vendor related to Gemini appeared to have suffered a data breach on or before Dec. 13. According to documents obtained by Cointelegraph, hackers gained access to 5,701,649 lines of information pertaining to Gemini customers’ email addresses and partial phone numbers. In the case of the latter, hackers apparently did not gain access to the full phone numbers, as certain numeric digits were obfuscated. After the news came to light, Gemini has since clarified in a blog post that the breach appeared to be “result of an incident at a third-party vendor” but also warned of ongoing “phishing campaigns” as a result of the data leak.
