
Anonymous Hacking Group Targets Controversial Web Hoster Epik


US-based web host and domain registrar Epik has confirmed an “unauthorized intrusion” in its systems, a week after members of the hacktivist collective Anonymous claimed to have obtained and leaked gigabytes of data from the hosting company, including 15 million email addresses.

The firm initially denied reports of the breach, saying: “We are not aware of any breach. We take the security of our clients' data extremely seriously, and we are investigating the allegation.”

According to the data breach monitoring service Have I Been Pwned, the leaked data, about 180 GB in total, covers not just Epik's own customers but also millions of other people and organizations whose details Epik had scraped via WHOIS queries against other domain registrars.

The group claimed the attack was in retaliation for Epik’s habit of hosting questionable alt-right websites. “This dataset is all that’s needed to trace actual ownership and management of the fascist side of the internet. Time to find out who in your family secretly ran an Ivermectin horse porn fetish site, disinfo publishing outfit or yet another QAnon hellhole,” the group said. 

Anonymous did not say when the attack took place, but timestamps on the most recent files indicate that it likely occurred in late February.

Epik, founded in 2009 by current CEO Rob Monster, is known for serving a variety of far-right clients, including Parler, the Texas GOP, Gab, and 8chan, all of which are said to have been turned away by mainstream providers because of objectionable content.

Epik has started emailing affected customers about an “unauthorized intrusion,” according to screenshots shared by security researcher Adam Sculthorpe and data scientist Emily Gorcenski. “As we work to confirm all related details, we are taking an approach toward maximum caution and urging customers to remain alert for any unusual activity they may observe regarding their information used for our services,” reads Epik's notice.

Although the firm did not say in the message if customers' credit card details were exposed, it encouraged users to contact their credit card providers and “notify them of a potential data breach to discuss your options with them directly.”

Lubbock County Denies Data Leak, Says Data Temporarily Attainable Under New Software System


Earlier this month, personal court records of residents of Lubbock County, in the US state of Texas, were exposed when the county moved to a new software system. The exposed records included non-disclosure orders, criminal cases, and civil and family law records.

The county and the Lubbock County Defense Lawyers Association disagree about how to characterize the incident.

In a news release from the County, Judge Curtis Parrish said: “On Tuesday, September 14, 2021, Lubbock County Information and Technology Department became aware that certain court records that were previously unavailable for review by the public had become viewable under Lubbock County’s new software system. Some of these records include non-disclosure orders, criminal cases, civil and family law records. This access portal has now been blocked temporarily until we can identify which court records maybe [sic] accessed by the parties, attorneys, and the general public.

This was not a data breach [sic], or an issue where the computer system was compromised. Lubbock County will continue to review policies concerning all court records, in our effort to make these documents accessible to the attorneys and the public.” 

However, an earlier release by the Lubbock County Defense Lawyers Association characterized the incident as a data breach. The association said it became aware of the situation on September 10. 

“This data includes information on individuals who have had criminal cases expunged or non-disclosure orders signed in their criminal case. This breach affected cases at all levels and in all courts in Lubbock County. Some individuals’ data have been removed from the public access system, while other individuals’ data are still available,” said Lubbock County Defense Lawyers Association in their news release. 

Attacks on local governments are a growing concern for law enforcement agencies and government officials. Operating on shoestring budgets, local governments rarely have dedicated security staff, which leaves large gaps in their defenses. In March 2021, a report from consumer tech information site Comparitech put the cost of cyber-attacks on American government organizations at $18.88 billion.

Over the past three years, 246 ransomware attacks struck U.S. government organizations. These attacks potentially affected over 173 million people and cost nearly $52.88 billion. According to the report, most of these attacks aimed to halt processes, interrupt services and cause disruption rather than to steal data.

Republican Governors Association Targeted in Microsoft Exchange Server Attacks


The Republican Governors Association (RGA) was one of many U.S. organizations attacked in March when a nation-state group exploited vulnerabilities in Microsoft Exchange email servers, according to a breach notification letter filed with the Maine attorney general's office this week.

The personal information of nearly 500 people associated with the RGA may have been exposed in the attack. According to the organization's attorney, that information includes Social Security numbers.

The RGA learned of the breach on March 10, eight days after Microsoft disclosed the campaign. It remains unclear who carried out the intrusion and what happened to the compromised data.

Microsoft Exchange Server attack's fallout:

This incident is the latest fallout from the mass exploitation of Microsoft Exchange Server earlier this year. The campaign was attributed to hacking groups backed by the Chinese government. Once proof-of-concept exploit code for the vulnerabilities was made public, opportunistic attackers began exploiting them at scale.

According to the RGA, attackers gained access on February 28 to “a small portion of [its] email work environment.” The organization only discovered the intrusion on March 10, eight days after Microsoft's public announcement.

The RGA's spokesman declined to elaborate on specifics of the breach, such as who was behind it and what damage was done. The organization said it was “unable to determine what personal information, if any, was impacted as a result of the incident.”

The US blames China for the Microsoft Exchange hack

After the attack, the RGA said it updated its Microsoft software. In July, the US government formally blamed China for the Microsoft Exchange attack, and the United Kingdom and the European Union backed that condemnation.

The US Department of Justice also brought criminal charges against four Chinese nationals.

According to security experts, tens of thousands of US state and local organizations were running vulnerable software at the height of the Exchange Server attack. Many were able to protect themselves by applying Microsoft's security updates. Note that patching only closes the vulnerabilities; it does not remove web shells or other persistence that attackers planted before the update, so patched servers still need to be checked for signs of prior compromise.

The US National Security Council has convened several times since the incident, urging organizations to strengthen their cyber defenses. Organizations outside the United States were also hit, including in Europe, where the European Union's financial authority, the Norwegian parliament, and two German government bodies were attacked.

According to Australia's national cybersecurity agency, the attack also affected a considerable number of organizations there.

Precautionary Measures: 

The RGA says that since the attack was identified in March it has applied Microsoft's updates to the vulnerable versions of its on-premises Exchange server. According to the letter, law enforcement and other organizations have also been notified.

Credit monitoring is also being offered to the approximately 500 people affected by the attack.

"Out of an abundance of caution, RGA is also offering you two years of complimentary credit monitoring and identity restoration services with Experian." 

"RGA has also notified the Federal Bureau of Investigation, certain state regulators, and the consumer reporting agencies of this incident as required."

Massachusetts is Investigating the Massive T-Mobile Data Breach


On Tuesday, Massachusetts Attorney General Maura Healey announced that she will investigate the cyberattack on T-Mobile US Inc (TMUS.O), which compromised the personally identifiable information of over 53 million people.

The announcement follows the third-largest U.S. cellphone carrier's disclosure of the hack on Aug. 16.

The breach exposed names, dates of birth, Social Security numbers, driver's license information, PINs, and other personal information of an estimated 13.1 million current customers and 40 million former and prospective T-Mobile customers.

It was one of many cyberattacks in recent years that impacted banks, gas pipelines, and hospitals, among other businesses. 

Healey aims to examine whether the Bellevue, Washington-based corporation has sufficient measures in place to secure consumer information and mobile devices. Last month, the Federal Communications Commission in the United States launched an investigation into the matter. 

According to court records, consumers and other private plaintiffs have filed at least 23 lawsuits against T-Mobile as a result of the data leak. 

About the security breach

On August 16, T-Mobile US Inc (TMUS.O) confirmed that its systems had been accessed without authorization but said it had yet to determine whether any customer information had been compromised, a day after a post on an online forum claimed that the personal data of over 100 million of its users was for sale.

In a blog post, the carrier said it was confident that the entry point used to obtain the data had been closed. It did not disclose the number of accounts affected.

"We are conducting an extensive analysis alongside digital forensic experts to understand the validity of these claims, and we are coordinating with law enforcement," the company stated. 

According to a report in Vice's Motherboard, the forum post did not name T-Mobile, but the seller told Vice that they had obtained data on over 100 million people from T-Mobile servers.

Following the news, T-Mobile's stock dropped 2.8 percent in afternoon trading.

Schoolchildren's Personal Information on the Dark Web: Potential Identity Theft


NBC News, an American broadcaster, has published a report on the theft of data belonging to millions of schoolchildren and how such a theft can set a child up for a lifetime of potential identity theft. The data includes medical conditions, family financial status, Social Security numbers, and dates of birth.

According to the NBC report, after one school refused to pay a ransom, in line with FBI guidance, the attackers posted one of its Excel spreadsheets, titled “Basic student information,” on the dark web.

“It lists students by name and includes entries for their date of birth, race, Social Security number, and gender, as well as whether they’re an immigrant, homeless, marked as economically disadvantaged, and if they’ve been flagged as potentially dyslexic,” states the NBC report.

When NBC News contacted some of the affected schools about the leak, they were unaware of it. “I think it’s pretty clear right now they’re not paying enough attention to how to ensure that data is secure, and I think everyone is at wits’ end about what to do when it’s exposed. And I don’t think people have a good handle on how large that exposure is,” said Doug Levin, director of the K12 Security Information Exchange, a nonprofit devoted to helping schools protect against cyberthreats.

Worsening Situation 

The recent surge in ransomware attacks has aggravated the problem, because those gangs routinely publish victims' files on their leak sites when the ransom is not paid. While the average person may not know where to find such sites, other criminals can find them easily. In 2021 alone, hackers released data from more than 1,200 American K-12 schools, according to a tally provided to NBC News by Brett Callow, a ransomware analyst at the cybersecurity company Emsisoft.

The situation is complicated by the fact that many schools do not know what information is stored on their own computers, and therefore cannot judge the extent of what was stolen. When the Dallas-area Lancaster Independent School District was hit by a ransomware attack in June, it notified parents but told them the district's investigation “has not confirmed that there has been any impact to employee or student information,” Kimberly Simpson, the district's chief of communications, said in an email.

NBC News' investigation, however, found among the leaked files a 2018 audit listing more than 6,000 students, organized by grade and school, as qualifying for free or reduced-price meals. Simpson did not respond to a request for comment on the audit.

Another tactic attackers use is to target a third party that holds students' data. In May 2021, attackers published files stolen from the Apollo Career Center, a vocational school in northwestern Ohio that works with 11 regional high schools. The leaked data included hundreds of high schoolers' report cards from the last school year, all of which are still visible on the dark web.

“We are aware of the incident and are investigating it. We are in the process of providing notifications to the students and other individuals whose information was involved and will complete the notifications as soon as possible,” Allison Overholt, a spokesperson for Apollo, said in an email. 

Taking action

American parents are quickly realizing that addressing these problems may fall to them. Because schools often do not know what data sits on their systems, they may not even know whether they have been hacked or whether the attackers have released students' information on the dark web. Federal and state laws on student information often give no clear guidance on what to do when a school is hacked, Levin said.

Eva Velasquez, the president of the nonprofit Identity Theft Resource Center, which helps victims of data theft, is advising parents to freeze their children’s credit to keep them safe from identity theft. “We should for all intents and purposes believe that for the most part, all of our data’s been compromised. We’ve been dealing with data breaches since 2005, and they are absolutely ubiquitous, and just because you didn’t receive a notice doesn’t mean it didn’t happen,” Velasquez said.

Freezing a child's credit can be time-consuming, and doing it effectively requires completing the process with all three major credit bureaus: Experian, Equifax, and TransUnion. But it has become an essential step, Velasquez said.

“We encourage parents to freeze children's credit. From an identity theft perspective, that is one of the most robust, proactive steps that a consumer can take to minimize the risk. And it applies to kids, and it's free,” she concluded.

UN Computer Networks Breached by Hackers Earlier This Year


Hackers breached the United Nations' computer network and stole data, according to researchers at the cybersecurity firm Resecurity.

According to Bloomberg, the unidentified intruders appear to have gained access simply by using stolen login credentials belonging to a UN employee.

Logging into the employee's Umoja account provided the initial access. Umoja, which means “unity” in Kiswahili, is the enterprise resource planning system the United Nations deployed in 2015. The username and password used in the attack are believed to have been bought on the dark web.

Gene Yoo, chief executive officer at Resecurity, stated, “Organizations like the UN are a high-value target for cyber-espionage activity. The actor conducted the intrusion with the goal of compromising large numbers of users within the UN network for further long-term intelligence gathering.” 

The researchers found that the intruders first gained access to the UN's networks on April 5, 2021, and remained active until August 7. Based on the findings, the attackers did not damage or disrupt the UN's network; their motive appears to have been information gathering.

After reporting the intrusion to the UN, Resecurity said it worked with the UN's security team to assess its extent. The UN characterized the incident as reconnaissance in which the intruders only captured screenshots of vulnerable systems, while Resecurity's researchers maintain that data was stolen.

According to Yoo, the UN stopped communicating with Resecurity once the firm provided proof of data theft.

Hackers have previously attacked the United Nations and its agencies. In 2018, Dutch and British law enforcement prevented a Russian cyberattack on the Organisation for the Prohibition of Chemical Weapons (OPCW), which was investigating the deployment of a lethal nerve agent on British territory. 

According to a Forbes article, the UN's “core infrastructure” was compromised in August 2019 in an attack that exploited a known flaw in Microsoft's SharePoint platform. The breach was not made public until the news outlet The New Humanitarian reported it.

In the context of the latest breach, UN spokesman Farhan Haq told DailyMail.com, “This attack had been detected before we were notified by the company cited in the Bloomberg article, and corrective actions to mitigate the impact of the breach had already been planned and were being implemented.” 

“At that time, we thanked the company for sharing information related to the incident and confirmed the breach to them.” 

Haq added that the United Nations is often targeted by cyber-attacks, including sustained campaigns.

McDonald’s Password for the Monopoly VIP Database Leaked


The fast-food chain McDonald's mistakenly sent out emails containing login credentials for a database behind its Monopoly VIP game.

McDonald's UK had postponed the popular Monopoly VIP promotion for a year because of the COVID-19 pandemic and relaunched it this year on August 25.

McDonald's Monopoly is a well-known marketing promotion in which customers win prizes and cash by entering codes found on their purchases: every meal bought at a McDonald's restaurant gives the customer a chance to win.

Over the weekend, however, a bug caused the prize redemption emails sent to winners to include the usernames and passwords for the game's production and staging database servers.

Troy Hunt shared with BleepingComputer an unredacted screenshot of an exception error included in an email sent to prize winners; the error exposed sensitive configuration details for the web application.

The redacted version of the email shows the hostnames of Azure SQL databases together with their login names and passwords. The prize winner who shared the email with Troy Hunt said the production server was firewalled off but the staging server could be reached with the included credentials.

The person informed Troy Hunt in an email published with BleepingComputer, "I tried to connect to production to gauge the severity of the issue and whether or not getting in touch was an urgent matter but luckily for them they had a set of firewall rules setup. I did however gain access to staging, which I disconnected from immediately for obvious reasons." 

Since these databases may have contained winning prize codes, a malicious individual could have harvested unused game codes and used them to claim the rewards.

Luckily for McDonald's, the individual reported the problem responsibly. They did not receive a reply, but later found that the staging server's password had been changed.

This was not an isolated sighting: several other people claimed to have seen the credentials, and some even recorded their experience on TikTok.

McDonald's told BleepingComputer that only the staging server's credentials were exposed, although the error message clearly contained credentials for both a production and a staging server.

In a statement, McDonald's told BleepingComputer, "Due to an administrative error, a small number of customers received details for a staging website by email. No personal details were compromised or shared with other parties." 

"Those affected will be contacted to reassure them that this was a human error and that their information remains safe. We take data privacy very seriously and apologize for any undue concern this error has caused.”
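The root cause described above is a familiar one: an unhandled exception whose message carries a database connection string is copied verbatim into a customer-facing message. The following is an added example (not McDonald's code, and not taken from the BleepingComputer report) that contrasts the leaky pattern with a safe one. The connection string, hostnames, usernames and passwords in it are invented placeholders; the `connect()` function is a stand-in for a real driver that, like many ODBC/ADO.NET drivers, echoes the connection string in its error text.

```python
"""Keeping database exceptions out of customer-facing messages.

Added example, not code from McDonald's or from the original page.
All hostnames and credentials below are constructed placeholders.
"""
import logging
import re
import uuid

# Constructed sample connection string in Azure SQL / ADO.NET style.
SAMPLE_CONN_STR = (
    "Server=tcp:example-staging.database.windows.net,1433;"
    "Database=prizes;User ID=prizeadmin;Password=Hunter2!;Encrypt=True"
)

# Keys whose values must never reach a log line, let alone an email.
_SECRET_KV_RE = re.compile(r"(?i)\b(password|pwd|user id|uid)\s*=\s*[^;]*")


def redact_connection_string(text):
    """Mask credential-bearing key=value pairs, keeping the rest readable.

    Host and database names are left in place because operators need them
    in server-side logs; only the user id and password are masked.
    """
    return _SECRET_KV_RE.sub(lambda m: f"{m.group(1)}=***", text)


class DbError(Exception):
    """Stand-in for the driver's exception type (assumption)."""


def connect(conn_str):
    """Stand-in driver call: always fails and, like many real drivers,
    repeats the full connection string in its error message."""
    raise DbError(f"Login failed for connection string: {conn_str}")


def unsafe_prize_email(conn_str):
    """The bug: the raw exception text, credentials included, is pasted
    into the message the prize winner receives."""
    try:
        connect(conn_str)
        return "Your prize details are attached."
    except DbError as e:
        return f"We hit an error building your prize email: {e}"


def safe_prize_email(conn_str, log=logging.getLogger("prizes")):
    """The fix: log the redacted detail server-side under a correlation
    id, and give the user only that id so support can look it up."""
    try:
        connect(conn_str)
        return "Your prize details are attached."
    except DbError as e:
        ref = uuid.uuid4().hex[:8]
        log.error("prize email failed ref=%s: %s", ref,
                  redact_connection_string(str(e)))
        return f"We could not build your prize email. Reference: {ref}"


if __name__ == "__main__":
    print("UNSAFE:", unsafe_prize_email(SAMPLE_CONN_STR))
    print("SAFE:  ", safe_prize_email(SAMPLE_CONN_STR))
```

The unsafe variant returns a message that contains `User ID=prizeadmin;Password=Hunter2!`, which is exactly the failure mode in the Monopoly emails; the safe variant returns only a short reference id and logs a redacted copy of the error. In a real deployment the same redaction should be applied to exception handlers at the framework level (a global error page or middleware), not just in one mail-building function, since the leak here came from a generic exception report rather than from application code that intended to show the connection string.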

Millions of Indonesians' Personal Information Leaked in Data Breaches


Indonesia is investigating a suspected security flaw in its COVID-19 test-and-trace application that left the personal data and health status of 1.3 million people exposed.

On Friday, September 3, PeduliLindungi became the country's second COVID-19 tracking app, after eHAC, to be linked to a data leak within the space of a week. The source of the PeduliLindungi leak has not yet been identified, while the eHAC breach affected 1.3 million users.

The eHAC Data Breach 

According to a Health Ministry official, the government suspects a third-party partner as the likely source of the breach in the eHAC (electronic health alert card) app, which has been disabled since July 2.

eHAC, launched this year, is mandatory for travelers entering Indonesia. It stores users' health status, personal and contact information, COVID-19 test results, and other records.

Researchers at vpnMentor discovered the exposure during a web-mapping project that looks for unsecured data stores containing confidential material.

The researchers notified Indonesia's computer emergency response team on July 22 and later published their findings. On August 31, more than a month after the disclosure, the Ministry of Communications and Information Technology issued a statement saying the leak would be investigated under the country's Electronic Systems and Transactions regulations.

Anas Ma'ruf, a health ministry official, said: “The eHAC from the old version is different from the eHAC system that is a part of the new app. Right now, we're investigating this suspected breach.”

PeduliLindungi Leak

A data search function in the PeduliLindungi application lets anyone look up Indonesians' personal data and COVID-19 vaccination details, including the president's, according to a Twitter thread by Damar Juniarto, a privacy rights activist who is also vice president of regional government relations at the technology firm Gojek.

Zurich-based security analyst Marc Ruef shared a screenshot of the president's exposed COVID-19 vaccination certificate, which includes his national identity number (NIK). Ruef did not say whether the data came from PeduliLindungi. Taken together, the incidents show that personal identification data is scattered across many systems.

While the government has acknowledged the eHAC breach and presented a plan to analyze and fix the flaws, it denies that PeduliLindungi was the source of the other leak.

The Ministry of Communications and Information Technology, known as Kominfo, states that the president's NIK and vaccination records did not originate from the PeduliLindungi database.

Experts say these leaks highlight Indonesia's inadequate cybersecurity architecture. In May, officials also investigated an alleged leak of social security data from the country's state insurer.

Beaumont Health: The Latest Victim of Accellion Breach


Beaumont Health, headquartered in Michigan, is the latest victim of the Accellion data breach, which began in December 2020 and has so far affected around 100 organizations. Threat actors exploited zero-day vulnerabilities in Accellion's File Transfer Appliance (FTA), compromising the data of millions of patients.

Beaumont Health has notified approximately 1,500 patients that their personal information may have been compromised as a result of the December attack on Accellion's software. Beaumont had retained the law firm Goodwin Procter LLP, which used Accellion's FTA to transfer large files on behalf of its clients.

Goodwin notified the healthcare provider on February 5 that patient data had been breached. Following the announcement of the Accellion breach, Goodwin conducted a digital forensics investigation and discovered that an unknown person had exploited a vulnerability in the application to obtain specific documents. 

“The potentially impacted information included a listing of roughly 1500 patients who had one of two procedures performed at a Beaumont Hospital,” Beaumont Health said in a statement issued on August 27.

“The list included the patient name, procedure name, physician name, the internal medical record number and the date of service. This incident is limited to these patients and does not affect all patients of Beaumont.” 

The healthcare provider also stated that the breach had no financial implications and neither Beaumont nor Goodwin had discovered any indication of the exposed data being exploited. 

On behalf of Beaumont, Goodwin contacted impacted people via mail on August 27 at their last known address to inform them about the data breach. The letter advises patients on the actions they should take to protect themselves from identity theft. 

“The notice letter specifies steps impacted individuals may take to protect themselves against identity fraud, including enrolling in complimentary credit monitoring services (if eligible), placing a fraud alert/security freeze on their credit files, obtaining free credit reports, remaining vigilant in reviewing financial account statements and credit reports for fraudulent or irregular activity on a regular basis and taking steps to safeguard themselves against medical identity theft,” stated Beaumont. 

“At Beaumont, protecting the privacy of personal information is a top priority,” the statement concluded. 

Goodwin is examining its data security policies and protocols in the aftermath of the incident. 

Accellion is now facing lawsuits

As the number of victims grows, Accellion is facing more than a dozen lawsuits. In February, the Cybersecurity and Infrastructure Security Agency (CISA), together with its counterparts in the United Kingdom, New Zealand, Singapore, and Australia, issued a warning to organizations about the Accellion attacks.

The Clop ransomware gang claimed responsibility for the attacks, which exploited four previously unknown vulnerabilities in the FTA. Some of the gang's more recent victims include Kroger, Bombardier, Southern Illinois University School of Medicine, and Trillium Community Health Plan.

In April, Trinity Health, located in Michigan, alerted over 580,000 patients that their information had been compromised. Demographic data, names, medical record numbers, and medical tests were among the information stolen. 

Centene also alerted over 1.3 million patients of the Accellion data leak in April. Contact information, birthdates, insurance ID numbers, and treatment information were all acquired by the hackers. 

The Clop gang published stolen data on its leak site and emailed some of the affected organizations to step up the extortion pressure. Months after the initial attack, the number of victims continues to rise.

Autodesk Disclosed it was Targeted in SolarWinds Hack


Autodesk has disclosed that it was also targeted by the Russian state hackers behind the large-scale SolarWinds Orion supply-chain attack, nearly nine months after finding that one of its servers had been compromised with the Sunburst malware.

Autodesk is an American multinational software corporation that makes software products and services for the architecture, engineering, construction, manufacturing, media, education, and entertainment industries.

In a recent 10-Q SEC filing, Autodesk stated, "We identified a compromised SolarWinds server and promptly took steps to contain and remediate the incidents." 

"While we believe that no customer operations or Autodesk products were disrupted as a result of this attack, other, similar attacks could have a significant negative impact on our systems and operations." 

While the company said there was no further damage to its systems, the disclosure in its latest quarterly filing is a reminder of how widespread the SolarWinds supply-chain breach was.

An Autodesk spokesperson told BleepingComputer that the attackers did not deploy any other malware besides the Sunburst backdoor, likely because it was not selected for second stage exploitation or the threat actors didn't act quickly enough before they were detected. 

The spokesperson stated, "Autodesk identified a compromised SolarWinds server on December 13. Soon after, the server was isolated, logs were collected for forensic analysis, and the software patch was applied. Autodesk’s Security team has concluded their investigation and observed no malicious activity beyond the initial software installation." 

One of around 18,000 organizations that received the trojanized update

The supply-chain attack on SolarWinds has been attributed to the hacking arm of Russia's Foreign Intelligence Service (SVR), tracked as APT29, The Dukes, or Cozy Bear.

After gaining access to SolarWinds' internal systems, the attackers trojanized Orion Platform builds released between March and June 2020. These malicious builds delivered the Sunburst backdoor to around 18,000 customers, but the threat actors selected only a small number of them for second-stage exploitation.

Before the assault was revealed, SolarWinds stated to have 300,000 clients globally, including over 425 US Fortune 500 firms and all top 10 US telecom corporations. 

A long list of government agencies was also among the company's clients, including the US military, the Pentagon, the State Department, NASA, the NSA, the Postal Service, NOAA, the US Department of Justice, and the Office of the President of the United States.

The US Department of Justice was the latest US official agency to reveal that during last year's SolarWinds global hacking spree, 27 US Attorneys' offices were compromised. 

Autodesk is not the only large corporation affected by the SolarWinds breach: Cisco, VMware, Intel, and Nvidia disclosed similar issues in December.

T-Mobile CEO Apologizes for Hack of More Than 54 Million Users Data


Mike Sievert, CEO of T-Mobile, is under pressure after a major breach of the carrier's servers. In a statement issued last week, he apologized for the breach and stressed that no financial details were stolen, while confirming that millions of Social Security numbers were compromised.

The attack on the carrier's servers impacted more than 54 million current, former, and prospective customers. The leaked data included social security numbers, names, contact numbers, driver's license information, IMEI and IMSI numbers, and, for some customers, addresses, but no financial details. Device identifiers and PINs were also obtained for certain accounts.

“What we can share is that, in simplest terms, the bad actor leveraged their knowledge of technical systems, along with specialized tools and capabilities, to gain access to our testing environments and then used brute force attacks and other methods to make their way into other IT servers that included customer data. In short, this individual’s intent was to break in and steal data, and they succeeded,” Sievert stated.

Hacker John Binns, a US citizen living in Turkey, has taken credit for the attack, calling the carrier's security practices "awful." Binns had reportedly been scanning T-Mobile's systems for vulnerabilities since last summer and in July discovered a vulnerable internet-exposed router, which provided access to T-Mobile servers in a data center near East Wenatchee, Washington state. He claimed it took him roughly a week to breach the servers storing customer data.

The hacker said he targeted T-Mobile servers to grab the attention of the world. Last year, he filed a lawsuit against several US government agencies including the CIA and FBI, claiming that he had been blackmailed, surveilled, and tortured. 

T-Mobile became one of the country’s largest cellphone service carriers, along with AT&T and Verizon, after buying rival Sprint last year. It reported having a total of 102.1 million U.S. customers after the merger. 

T-Mobile has disclosed a number of data breaches over the past years and does not appear to have learned from those incidents, a point raised in the lawsuits filed against the carrier over the latest breach.

Sievert said the company has engaged the cybersecurity firms Mandiant and KPMG LLP to strengthen its security. He apologized to the affected users for the data breach, announced that the company will offer impacted individuals two years of free identity protection services, and promised to take steps to prevent these types of incidents in the future.

Russians increasingly complain about hacked accounts on the Public Services portal

DeviceLock, a Russian maker of data leak prevention systems, reported that the number of complaints about attempts to hack accounts on the Public Services portal (Gosuslugi) has increased.

"Also an increase in offers to sell accounts has been noted in darknet and on closed forums, with their cost dropping from $1.35 at the beginning of the year to $0.40 for new accounts and to $0.05 for used accounts," said Yuri Tomashko, CEO of DeviceLock DLP.

According to him, the stolen accounts can be used by fraudsters to apply for online loans and register with bookmakers.

"In addition, criminals can apply for tax deductions and subsidies on behalf of the account owner through a personal account on Gosuslugi, and almost always in such cases fake documents are provided," said Mr. Tomashko.

"Security should be provided by the administrators of the Gosuslugi website. There was already an attempt to hack, then the database of those who had already been vaccinated against the coronavirus was leaked. But if such a problem has started again now, then users can only contact the site administrators," said Alexander Vlasov, an expert in the field of information security.

Another expert, Alexander Baranov, believes that users of the Gosuslugi website are unable to influence the security of their accounts. In his opinion, the portal's security system has a drawback: single-factor authentication.

The expert suggests introducing two-factor authentication on the site to improve security. However, according to him, this is not easy to do: changing the system would require re-registering all users of the portal, and there are already about 60 million registered citizens of the Russian Federation.

Earlier, E Hacking News reported that experts warned about the risk of hacking and obtaining a loan on the Public Services Portal of the Russian Federation.

Chinese Android Game Developer Exposes Data of Over 1 Million Gamers


A Chinese developer of popular Android games exposed user information via an unprotected server. vpnMentor's cybersecurity team, headed by Noam Rotem and Ran Locar, identified EskyFun as the owner of a 134 GB server that was left exposed and publicly accessible online.

Rainbow Story: Fantasy MMORPG, Adventure Story, The Legend of the Three Kingdoms, and Metamorph M are among the Android games developed by EskyFun. 

According to the team's report on Thursday, users of the following games, which together have over 1.6 million downloads, were included in the data leak:
-Rainbow Story: Fantasy MMORPG
-Metamorph M
-Dynasty Heroes: Legends of Samkok

According to the researchers, the reported 365,630,387 records included data from June 2021 onwards, exposing user data gathered on a seven-day rolling basis.

According to the team, EskyFun's games impose aggressive and highly troubling monitoring, analytics, and permission settings once downloaded and installed, so the range of data collected was far broader than one would expect mobile games to need.

The records contained IP addresses and IMEI numbers, device information, phone numbers, the operating system in use, mobile device event logs, whether or not a smartphone was rooted, game purchase and transaction reports, email addresses, EskyFun account passwords, and support requests.

vpnMentor estimates that the information of one million users or more may have been compromised.

vpnMentor discovered the unprotected server on July 5 and contacted EskyFun two days later; after receiving no answer, it tried again on July 27.

Due to the continued inaction, the team was forced to contact Hong Kong CERT, and the server was secured on July 28.

The researchers commented, "Much of this data was incredibly sensitive, and there was no need for a video game company to be keeping such detailed files on its users. Furthermore, by not securing the data, EskyFun potentially exposed over one million people to fraud, hacking, and much worse."

Medical Data of 12,000 Patients Exposed Following Revere Health Phishing Attack


An employee of Revere Health, the largest healthcare firm in Utah, was targeted in a phishing email attack that exposed medical records of approximately 12,000 patients, including patients of a cardiology practice in St. George.

According to a breach notification sent out by Revere Health on Friday, the employee's mailbox was exposed for roughly 45 minutes on June 21 and leaked some private details about patients of the Heart of Dixie Cardiology Department in St. George. The phishing attack was rapidly identified by Revere Health's IT team, which immediately secured the mailbox to prevent further unauthorized access.

After a two-month investigation, Revere Health believes the attacker's aim was not to obtain patient data but to use the email account to launch more sophisticated phishing attacks on other Revere employees. The company found that the patients' data was not being shared online and deemed the breach a "low-level risk" to affected patients.

“From our detailed investigation of this incident, we believe that the intent of this attack was to harvest login credentials from individuals in our organization and not to gather patient information. Our security logs suggest that the attacker had three objectives: (1) to spread phishing emails, (2) to gather active usernames and passwords and (3) to attempt financial fraud against Revere Health," stated the healthcare company.

The exposed data included medical record numbers, dates of birth, provider names, procedures, and insurance provider names. According to Bob Freeze, the director of marketing and communications for Revere Health, no financial information such as credit card details was exposed by this data breach. The company has informed the impacted patients about the situation and advised them to remain vigilant.

According to the FBI's 2020 Internet Crime Report, phishing attacks claimed 241,342 victims and caused over $54 million in losses. Phishing attacks in 2020 were up 99.8% from 2019, when 114,702 attacks were reported; in 2018 there were only 26,379.

Freeze says Revere Health has further strengthened its security protocols and will now send test phishing emails to employees to prevent more attacks. Employees who click on the test emails will have to undergo awareness training from the group's IT department. The company also advised its employees to review all aspects of an email before engaging with it.

According to the Federal Trade Commission (FTC), the sender address of a phishing email often looks legitimate at first glance, but clicking on it reveals a different address. The FTC recommends several common measures to avoid falling for phishing attempts, including keeping software on devices up to date, installing security software, using multi-factor authentication so that more than a password is needed to log in, and backing up data regularly. Users are also advised not to open links from suspicious email addresses or phone numbers.

Hackers put passport scans of more than 1.3 million Russians up for sale

Hackers posted on the cybercriminal forum RaidForums an 809 GB archive containing more than 1.3 million passport scans of Russian citizens, stolen from the servers of the cosmetics company Oriflame.

The company's website reports that on July 31 and August 1 it was subjected to a series of cyberattacks that led to unauthorized access to its information systems. At the same time, Oriflame assured customers that bank account numbers, phone numbers, passwords, and commercial transactions were not affected by the attack.

The company admits that customers not only from Russia but also from other CIS countries and Asia were affected. Oriflame has strengthened its cybersecurity measures and is investigating the incident with the participation of law enforcement agencies.

"Probably, the company refused to buy the data from the attackers, so now they are being put into public access," adds Ashot Oganesyan, the founder of the DLBI data leak intelligence service.

The seller had earlier posted on the same forum scans of documents belonging to Oriflame clients in Georgia and Kazakhstan, and claimed to hold data on members of the company's network from 14 countries.

Experts speculate that the hackers obtained the data by exploiting vulnerabilities in a corporate website, and that the leak may have come from a backup copy of the file storage.

On the black market, a database of 1.3 million passport scans would be worth hundreds of thousands of dollars. Forged documents based on such scans can be used to take out microloans and to register .ru domains, SIM cards, or payment system wallets.

The Oriflame leak is not the first to hit a network marketing company. In 2020, the data of 19 million Avon customers and employees, including names, phone numbers, dates of birth, e-mail addresses, and postal addresses, became publicly available.

38 Million Records Exposed Due to Microsoft Misconfiguration


According to researchers, some 38 million records from over a thousand web apps built on Microsoft's Power Apps portals platform were left accessible online. The records are believed to have included data from COVID-19 contact tracing operations, vaccine registrations, and employee databases, including home addresses, phone numbers, social security numbers, and vaccination status.

Major corporations and organizations were impacted by the incident, including American Airlines, Ford, J.B. Hunt, the Maryland Department of Health, the New York City Municipal Transportation Authority, and New York City public schools. While the exposures have since been fixed, they demonstrate how a single incorrect configuration setting in a widely used platform can have far-reaching repercussions.

Customers can use Power Apps to easily create their own web and mobile apps, and the platform provides developers with application programming interfaces (APIs) for working with the data they collect. UpGuard discovered, however, that those APIs expose data collected through Power Apps portals publicly by default, so the configuration must be changed manually to keep the information private.

Researchers from the security firm UpGuard began investigating the problem in May. They discovered that data from several Power Apps portals that was intended to be private was accessible to anyone who knew where to look. According to UpGuard, on June 24 it submitted a vulnerability report to the Microsoft Security Response Center that included links to Power Apps portal accounts with sensitive data exposed and methods for discovering APIs that allowed anonymous data access.

“The number of accounts exposing sensitive information, however, indicates that the risk of this feature – the likelihood and impact of its misconfiguration – has not been adequately appreciated,” the researchers wrote in the report. “Multiple governmental bodies reported performing security reviews of their apps without identifying this issue, presumably because it has never been adequately publicized as a data security concern before.”

On Monday, a Microsoft representative defended the product's security, noting that the firm had worked directly with affected customers to ensure that their data remained private and that customers were notified if their data had been made publicly available. “Our products provide customers flexibility and privacy features to design scalable solutions that meet a wide variety of needs," a Microsoft spokesperson said in a statement.

Private Details of 70M AT&T Users Offered For Sale on Underground Hacking Forum


A notorious hacking group known as ShinyHunters is reportedly selling a database containing the private details of 70 million AT&T customers. AT&T, an American telecommunications provider, has however denied suffering a data breach.

Last week, ShinyHunters posted a listing for an “AT&T database + 70M (SSN/DOB)” on RaidForums, a popular dark web marketplace. The threat actors set a starting bid of $200,000 with increments of $30,000, and also offered a "flash sale" in which a buyer can purchase the entire database outright for $1 million.

"In the original post that we discovered on a hacker forum, the user posted a relatively small sample of the data. We examined the sample and it appears to be authentic based on available public records,” Sven Taylor of RestorePrivacy, who first reported the data breach, stated. 

ShinyHunters shared a sample of the stolen data comprising names, contact numbers, physical addresses, social security numbers (SSN), and dates of birth. An anonymous security expert told BleepingComputer that two of the four people in the sample were confirmed as customers in the AT&T database. The hackers are also reportedly working to decrypt data that they believe contains customer account PINs.

"Based on our investigation today, the information that appeared in an internet chat room does not appear to have come from our systems," AT&T responded to the claims of ShinyHunters.

In a follow-up email to BleepingComputer, the telecom provider hedged over whether the data could have been stolen from a third party: “Given this information did not come from us, we can’t speculate on where it came from or whether it is valid,” the firm stated. 

In the past, ShinyHunters has targeted the likes of Microsoft, Mashable, Tokopedia, BigBasket, Nitro PDF, Pixlr, TeeSpring, Promo.com, Mathway, and droves of other small-to-mid-sized platforms. Its modus operandi is to steal credentials or API keys, or to buy large troves of data, and then dump and sell them on underground platforms.

Earlier this month, fellow telecom provider T-Mobile suffered a data breach that exposed the private details of tens of millions of its customers. In response, T-Mobile promised affected users free identity protection services.

The average price of access to a hacked company on the darknet reached $5,400

Specialists at the Israeli company Kela analyzed more than 1,000 darknet advertisements, published between July 2020 and June 2021, offering initial access to the internal networks of compromised organizations. The average asking price per lot was about $5,400.

Kela noted that pricing depends on the revenue of the hacked company, the same figure that determines the nominal ransom that attackers can demand. Access to small firms therefore costs $100-200, while the most expensive lots cost thousands of times more.

The highest price tag the experts encountered was 12 bitcoins (about $540,000 at the exchange rate on August 18), which brokers asked for access to an unnamed Australian company with an annual revenue of $500 million. The second most expensive listing, at 5 bitcoins (about $225,000), was an account in the ConnectWise Control remote desktop access system on the network of an American IT company. The third lot in the top three, priced at $100,000, promised access to the network of a Mexican government agency.

Kela's specialists also ranked the countries whose companies' access is most often sold on the darknet. The United States leads by a large margin, with 27.9% of ads concerning American organizations. France is second at 6.1%, followed by the United Kingdom and Australia at 4% each. Canada rounds out the top five at 3.8%, followed by Italy (3.5%), Brazil (3.2%), Spain and Germany (2.3% each), and the United Arab Emirates (2%).

The researchers noted that Russia and the CIS countries did not make the top 10, since it is not customary on Russian-language hacker forums to trade in access to local companies.


Database of 70 Million AT&T Users Being Sold on a Hacker Forum


Just days after the T-Mobile data leak, the same threat actor is selling the records of 70 million AT&T customers. AT&T has refuted the claim, stating that the data did not come from any of its systems. ShinyHunters, the group that sold T-Mobile subscribers' data days earlier, is now offering 70 million records reportedly belonging to the other mobile service provider, including AT&T customers' full names, social security numbers, email addresses, and dates of birth.

ShinyHunters is a well-known group that has been linked to a number of high-profile data breaches. Mashable, 123RF, Minted, Couchsurfing, Animal Jam, and other companies have been targeted, according to HackRead.

The revelation was first reported by Restore Privacy. According to them, the hacker is seeking $1 million for the full database (direct sale) and has given them exclusive information for this report.

"In the original post that we discovered on a hacker forum, the user posted a small sample of the data. We examined the sample and it appears to be authentic based on available public records. Additionally, the user who posted it has a history of major data breaches and exploits," said Restore Privacy. "While we cannot yet confirm the data is from AT&T customers, everything we examined appears to be valid." 

AT&T denied that the data had been leaked, claiming that it was either forged or obtained through other sources. “Based on our investigation today, information that appeared in an internet chat room does not appear to have come from our systems,” MarketWatch quoted the cell phone carrier. 

AT&T has suffered a data breach before: in 2015, the company agreed to pay a $25 million fine over an insider breach. In May, a threat actor was reportedly looking to hire a T-Mobile and/or AT&T employee, presumably to assist in staging an insider attack on their employer.

T-Mobile was notified late last week of claims in an online forum that a threat actor had compromised its systems. The company announced that it had discovered and shut down the access point that might have been used to obtain unauthorised access to its servers.

Confidential Terrorist Watchlist With 1.9Mn Records Exposed Online


Cyber security researcher Bob Diachenko has unearthed an unsecured Elasticsearch server containing nearly two million terrorist watchlist records, including "no-fly" list indicators, which were left exposed for three weeks between July 19 and August 9.

Earlier this week, Diachenko posted a message saying, “On July 19, I discovered a terrorist watchlist containing 1.9 million records online without a password or any other authentication required to access it." The unprotected server had a Bahrain IP address, but it remains unclear whether it belonged to the US government or to another country.

Diachenko immediately reported his discovery to the US Department of Homeland Security, but the records were not taken down until August 9. The leaked records contained passport details, full names, dates of birth, citizenship, gender, TSC watchlist status, country of issuance, and no-fly indicators.

“The watchlist came from the Terrorist Screening Center, a multi-agency group administered by the FBI, which maintains the country's no-fly list, a subset of the larger watchlist. A typical record in the list contains full name, citizenship, gender, date of birth, passport number, no-fly indicator, and more,” he informed. 

No-fly list

The exposed data concerns people suspected of terrorism who have not necessarily been charged with any crime. "If it falls into the wrong hands, this list could be used to oppress, harass or persecute people mentioned on the list and their families. It could cause any number of personal and professional problems for innocent people whose names are included in the list," Diachenko said.

Prior to 2015, the terrorist watchlist was completely confidential. Then the US government modified its policy and began privately informing US citizens who were added to the list, but foreigners still often can't find out whether they're on the no-fly list until they try to board a plane. 

Several media reports suggest that US officials recruit informants in exchange for keeping their names off the no-fly list, so the identities of some past or present informants could have been exposed. The Terrorist Screening Center (TSC) was set up by the US Federal Bureau of Investigation (FBI) in 2003.

The discovery of the exposed records comes just a month after the DHS, the Department of Justice, and other federal agencies launched a new website aimed at combating the threat of ransomware.