Breaches


Where should you look if you have been breached or suspect you have? I recommend “Have I Been Pwned” by Troy Hunt, and there are other resources out there. Lots of people are doing great work in this field, to whom I give all credit. I also like to check DataBreaches.net.

2021

SITA announced a breach on 03/04/21. SITA is an airline IT service provider whose customers include Singapore Airlines, Cathay Pacific, Japan Airlines and other Star Alliance and Oneworld carriers. The incident affects passenger data stored on SITA’s US servers in what it called a “highly sophisticated cyberattack”. There has been a steady rise in supply chain attacks going into 2021, including those affecting the airline industry. Category: supply chain attack / third-party IT service provider. A software bill of materials, or SBOM, needs to be a thing. Per Threatpost.

Isn’t it ironic? Following the massive Equifax breach of 2017, and the fallout from the 2015 OPM breach, how is it that there are still monolithic breaches in 2018? Worse, many of these are in healthcare, which exposes some very sensitive information about some very vulnerable victims. How the #@*^&$ does this keep happening? I’m charting a breakdown by sector and severity here. I’ll also show disclosure dates, because the gap between the time a breach is discovered and the time it is revealed has a huge impact on those caught up in it: that is time the bad guys use to sell the data and commit fraud with it. Victims deserve to know as soon as possible so they can choose what action to take to protect themselves, rather than rely on someone else to do that – badly – for them. A year of credit monitoring just doesn’t cut it.

Here is the link to the Breach Report spreadsheet I am keeping. You are welcome to use what I share, with the reminder to always cite your sources 🙂

What disturbs me is the amount of healthcare data out there, and the number of breaches. I’m going to continue to dig into this and show what I find. A special shout out to folks who are working hard to secure healthcare: I am the Cavalry, @JoshCorman, @_j3lena_, @_odddie_, @beauwoods


Historical 2017

Verifone Breach (March 7, 2017): The credit and debit payment company Verifone is investigating reports of a breach of its internal computer networks. The payment processing giant is the largest maker of credit card terminals used in the USA. The incident has affected some of the companies who run its POS (point of sale) offerings. However, Verifone has stated that “the extent of the breach was limited to its corporate network and that its payment services network was not impacted.” An urgent email had been issued on January 23 to all company staff and contractors urging them to change their company passwords after an intrusion was detected in the corporate network. Forensic examination revealed the incident was limited to about two dozen gas stations, and to a very limited period of time. The attackers deployed Carbanak (also known as Anunak) to compromise the Oracle ticketing portal for MICROS POS, and from there siphoned credentials when customers logged into the support site. Source: https://krebsonsecurity.com/2017/03/payments-giant-verifone-investigating-breach/

Oct 8 What We Know About the Yahoo Breach
The details are starting to come out on the biggest breach in history, which is expected to double in reported size. A criminal outfit known as Group E appears to be responsible for the Yahoo breach. The outfit is based in Eastern Europe and sells to anyone, including nation states. A Russian crime group, Tessa88, works as their broker; the Yahoo data was sold through them and then on to a nation state actor group.
What is even more important is that this group is apparently behind the other major breaches announced this year, detailed below. Attack methods used include web application vulnerabilities and exploitation, network intrusion through malware infection, and direct access to databases and source code. A second group, ForHell, worked with them; they were part of the Ashley Madison and Adult Friend Finder hacks.
A cybercrime investigator says that much of what’s been reported about the Yahoo breach is inaccurate and that the account count should be around a billion. A former Yahoo insider who knew the security practices claims the backend systems would have exposed far more user account info; he thinks the actual number is between 1 and 3 billion, and that Yahoo isn’t revealing the accurate amount. There is one main user database for authentication and, as you would expect, it is massive: 2014 numbers showed roughly 700 million to a billion active users monthly, not counting inactive accounts.
Sites breached by the five-person Group E hacker outfit (statistics via Andrew Komarov):

Breached company        Number of records
Yahoo!                  500 million (up to 1 billion)
Myspace                 360 million
LinkedIn                167 million
Vk.com                  137 million
Qip.ru                  133 million
Badoo                   126 million
Dropbox                 103 million
Rambler.ru              101 million
Tumblr                  50 million
LastFM                  43 million
Fling.com               40 million
Mobango.com             6 million
Other combined dumps    600 million
http://www.businessinsider.com/yahoo-insider-hacking-2016-9
http://www.theregister.co.uk/2016/09/30/fiveperson_hacking_gang_claimed_behind_breaches_of_3bn_logins/

Oct 8 Amazon Online Issues Alert
Amazon issued warnings to as many as 80,000 users that their data had been leaked and that, as a precaution, their passwords had been reset. Amazon may have around 304 million active customer accounts. The leaked data includes email addresses and passwords, and may have come from sources other than a compromise of Amazon itself. In July, a hacker known as “0x2Taylor” claimed to have breached Amazon’s servers and leaked the login credentials of 80,000 users. At this time there is no confirmation of how many users are affected, nor of where the data came from.
http://www.express.co.uk/life-style/science-technology/717670/AMAZON-WARNING-as-retailer-sparks-security-fears-in-e-mail-alert

Oct 8 Database Containing 1.5 Million Users Found Leaking Data
Sensitive information including usernames, plaintext passwords, email addresses, genders, birthdates and more has been found accessible from the internet. The unsecured MongoDB instance (there have been a few of those in recent breaches) was traced back to a New Zealand company, C&Z Tech Ltd. When notified, the company claimed the data is mostly dummy data used to test migrations. The researchers who found the database aren’t convinced and are verifying the data; what they have checked so far is legitimate, and it includes users who thought they had cancelled their accounts, only to find the company had kept their data anyway and it was live. New Zealand is a country where breach reporting is not mandatory. Note that the potential 1.5 million users impacted come from many places other than NZ.
https://www.helpnetsecurity.com/2016/10/05/database-leak-online-daters/
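The unsecured MongoDB instance above is the pattern behind more than one leak on this page: the server listens on every interface and nobody turned authentication on. The following is an added example of mine, not code from C&Z Tech Ltd or from MongoDB. It audits a mongod configuration for exactly those two settings, with a weak and a corrected config embedded as constructed dicts in the shape PyYAML would produce from mongod.conf. The assumption that a server with no bindIp listens on all interfaces reflects MongoDB before 3.6 (the default changed to localhost in 3.6, after the 2016 leaks); pass default_bind_all=False for newer servers.

```python
"""Audit a mongod configuration for the two settings that turn a database
into a public data leak: listening on a non-loopback address, and running
with authorization disabled. Added example for this page; the configs below
are constructed, not the breached company's."""
from ipaddress import ip_address

# Two mongod.conf fragments, expressed as the dicts PyYAML would produce
# from the YAML file. Constructed for illustration.
WEAK_CONFIG = {
    "net": {"port": 27017, "bindIp": "0.0.0.0"},
    # no "security" section: authorization defaults to disabled
}
CORRECTED_CONFIG = {
    "net": {"port": 27017, "bindIp": "127.0.0.1"},
    "security": {"authorization": "enabled"},
}


def _is_loopback(addr: str) -> bool:
    """True for 127.0.0.0/8, ::1, 'localhost' and unix socket paths,
    all of which mongod accepts in bindIp."""
    addr = addr.strip()
    if addr.startswith("/"):          # unix domain socket path
        return True
    try:
        return ip_address(addr).is_loopback
    except ValueError:                # not an IP literal
        return addr == "localhost"


def audit_mongod_config(cfg: dict, default_bind_all: bool = True) -> list:
    """Return a list of finding strings; an empty list means no exposure.

    default_bind_all: assumption about what an absent bindIp means.
    Pre-3.6 mongod listened on all interfaces by default; 3.6+ on localhost.
    """
    findings = []
    net = cfg.get("net") or {}
    bind_ip = net.get("bindIp")
    if bind_ip is None:
        addrs = ["0.0.0.0"] if default_bind_all else ["127.0.0.1"]
    else:
        # bindIp is a comma-separated list in mongod.conf
        addrs = [a.strip() for a in str(bind_ip).split(",") if a.strip()]

    bind_all = bool(net.get("bindIpAll")) or any(a in ("0.0.0.0", "::") for a in addrs)
    exposed = [a for a in addrs if not _is_loopback(a)]

    if bind_all:
        findings.append("listens on every interface (bindIpAll / 0.0.0.0 / ::): "
                        "reachable from the internet if the host is")
    elif exposed:
        findings.append(f"listens on non-loopback address(es) {exposed}: "
                        "must be firewalled to trusted clients")

    auth = (cfg.get("security") or {}).get("authorization", "disabled")
    if (bind_all or exposed) and auth != "enabled":
        findings.append("security.authorization is not 'enabled': anyone who can "
                        "reach the port can read and dump every collection")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("corrected", CORRECTED_CONFIG)):
        print(name, audit_mongod_config(cfg) or ["no findings"])
```

The check is deliberately conservative: a private address with authorization enabled still gets a finding, because a database that is reachable from the whole internal network and protected by passwords alone is one credential away from the same outcome.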

Oct 8 BuzzFeed Breached – and Censored?
The hacking group OurMine breached the popular site BuzzFeed, defacing and deleting articles. OurMine has previously gone after the accounts of tech CEOs, venture capitalists and celebrities. The attack was apparently in retaliation for an investigation the site published on Tuesday. This smacks of the recent DDoS takedown of KrebsOnSecurity, carried out for the same reason, and may be the start of a disturbing trend.
https://www.wired.com/2016/10/hack-brief-hackers-breach-buzzfeed-retaliation-expose/
http://motherboard.vice.com/read/hackers-hit-buzzfeed-claims-to-have-database

Capgemini and Michael Page Recruitment Firm Breach: On Nov. 10 details were revealed of a massive data breach affecting UK-based recruitment firm Michael Page, which operates globally. Over 30 GB of data leaked the personal details of job seekers online; potentially 780,000 jobseeker records were in the dump, including phone numbers, locations, job type and more. The breach came down to a server-side exposure: .sql database dump files were sitting on a publicly facing website run by the firm’s IT provider, Capgemini.
http://www.arnnet.com.au/article/610027/capgemini-fingered-michael-page-data-breach/

Lightning Strikes Twice – Adult Friend Finder Hacked Again: More than 400 million accounts were exposed in the latest attack on the adult website, many with plaintext passwords. The compromise was via a local file inclusion (LFI) exploit: the site’s code allowed an attacker to read files on the server that were NOT supposed to be public. Interestingly, more than a million accounts had the password “123456”, while more than 100,000 had the password “password”.
http://boingboing.net/2016/11/13/plaintext-passwords-galore-in.html
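Local file inclusion is worth seeing in code, because the bug is one unchecked path parameter. The following is an added example of mine, not code from Adult Friend Finder: a file-serving routine in Python in its vulnerable form beside a hardened one, with a constructed web root containing a public page and a secret config file one directory above it. The directory layout, file names and contents are all invented for the demonstration.

```python
"""Local file inclusion: a vulnerable file-serving routine next to a hardened
one. Added example for this page, not code from the breached site. The web
root, file names and contents below are constructed."""
import os
import tempfile


def make_webroot() -> str:
    """Build a throwaway tree: a public page inside the web root and a
    secret file one level above it. Returns the web root path."""
    base = tempfile.mkdtemp()
    public = os.path.join(base, "public")
    os.makedirs(public)
    with open(os.path.join(public, "about.html"), "w") as f:
        f.write("<h1>About</h1>")
    with open(os.path.join(base, "db_config.ini"), "w") as f:
        f.write("password=hunter2")        # constructed secret
    return public


def include_vulnerable(webroot: str, page: str) -> str:
    """Vulnerable: the user-controlled 'page' value is joined straight onto
    the web root, so '../db_config.ini' (or an absolute path, which
    os.path.join happily accepts) walks out of it."""
    with open(os.path.join(webroot, page)) as f:
        return f.read()


def include_hardened(webroot: str, page: str) -> str:
    """Hardened: resolve the final path and refuse anything that does not
    stay under the web root. realpath collapses '..' and symlinks first, so
    the containment check is made on what the kernel would actually open."""
    root = os.path.realpath(webroot)
    target = os.path.realpath(os.path.join(root, page))
    if os.path.commonpath([root, target]) != root:
        raise PermissionError(f"path escapes web root: {page!r}")
    with open(target) as f:
        return f.read()


def demo():
    """Run the traversal input through both routines.
    Returns (what the vulnerable routine leaked, whether the hardened one refused)."""
    webroot = make_webroot()
    leaked = include_vulnerable(webroot, "../db_config.ini")
    try:
        include_hardened(webroot, "../db_config.ini")
        blocked = False
    except PermissionError:
        blocked = True
    return leaked, blocked


if __name__ == "__main__":
    print(demo())
```

Note that a denylist of "../" is not the fix: an absolute path, an encoded traversal sequence, or a symlink inside the web root all get past it, which is why the hardened version checks the resolved path rather than the string.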

8 Million GitHub Profiles Leaked: Security researcher Troy Hunt received a MongoDB backup file containing information on GitHub users and accounts, scraped by a site known as GeekedIn that matches developers with jobs. GitHub’s statement was that third parties often scrape public data for research and the like, and so long as it isn’t being sold or abused, that is okay. However, GeekedIn is actually selling this info, and a lot of people, including Troy Hunt, are included in the data for sale. He offers a link for people to check whether they are among those offered up, on his site https://haveibeenpwned.com/NotifyMe. https://www.troyhunt.com/8-million-github-profiles-were-leaked-from-geekedins-mongodb-heres-how-to-see-yours/

UK Carrier Three Mobile Hacked: Millions of customer records have been exposed through an attack on Three Mobile. Hackers accessed a database containing information on six million customers. No payment data was there, but names, addresses, phone numbers and birthdays were. The hackers were targeting users eligible for handset upgrades so they could order and intercept the new units for resale. Three Mobile reports an increase in phone thefts and upgrade scams.
http://www.theregister.co.uk/2016/11/18/three_mobile_two_hackers_one_big_data_breach/

Canadian Army Recruitment Website Hacked: On Thursday, the Canadian Armed Forces recruitment site was hacked to redirect would-be recruits to the Chinese government’s main page instead. Officials confirmed the hack was real and worked rapidly to take the page down. This is part of ongoing attacks by foreign hackers against government sites; China in particular was called out in 2014 by the Conservative government of the day.
http://www.reuters.com/article/us-canada-cyber-idUSKBN13C2SW