Showing posts with label Data Leak.

Payment API Flaws Exposed Millions of Users’ Data

Researchers discovered API security flaws impacting several apps, potentially exposing the personal and financial information of millions of consumers. 

According to CloudSEK, around 250 of the 13,000 apps published to its BeVigil "security search engine" for mobile applications utilize the Razorpay API to conduct financial transactions. 

Unfortunately, about 5% of these were found to have disclosed their payment integration key ID and key secret. This is not an issue in Razorpay itself, which caters to over eight million businesses, but rather with how app developers are misusing its APIs.

Many of the applications exposing API keys have over a million downloads, including those in health and fitness, eCommerce, travel and hospitality, healthcare, and pharma. The applications are based in India, where CloudSEK is also situated. Here is a list of the applications that are affected:
  • One of India’s leading steel trading companies
  • Online grocery app 
  • Nepalekart (Instant Recharge to Nepal): Now remediated 
  • Top education app in south India 
  • Gold merchant 
  • Health app 
The company explained, “When it comes to payment gateways, an API key is a combination of a key_id and a key_secret that are required to make any API request to the payment service provider. And as part of the integration process, developers accidentally embed the API key in their source code. While developers might be aware of exposing API keys in their mobile apps, they might not be aware of the true impact this has on their entire business ecosystem.” 

“CloudSEK has observed that a wide range of companies — both large and small — that cater to millions of users have mobile apps with API keys that are hardcoded in the app packages. These keys could be easily discovered by malicious hackers or competitors who could use them to compromise user data and networks.” 

The compromised data might include user information such as phone numbers and email addresses, transaction IDs and amounts, and order and refund details. 

Furthermore, since similar apps are typically linked with other programmes and wallets, CloudSEK cautioned that much more could be at risk. 

According to the organization, malicious actors may utilise the leaked API information to execute mass purchases and subsequently start refunds, sell stolen information on the dark web, and/or conduct social engineering operations such as follow-up phishing campaigns. 

All ten of the compromised APIs have now been disabled. Nonetheless, CloudSEK encouraged developers to consider the possible effect of such vulnerabilities early in the development process.  

This is because invalidating a payment integration key would prevent the app from functioning, resulting in substantial user friction and financial loss. 

CloudSEK concluded, “Given the complexities of regenerating API keys, payment providers should design APIs such that, even if the key has not been invalidated, there are options to minimize the permissions and access controls of a given key.” 

“App developers should be given a mechanism to limit what can be done using a key at a granular level, like AWS does. AWS has put in place identity and access management (IAM) policies that can be used to configure the permissions of every operation on an S3 bucket. This practice should be more widely adopted to minimize what threat actors can do with exposed API keys.”
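The exposure CloudSEK describes, a key_id and key_secret embedded in an app package, is something a developer can catch before release by scanning the unpacked package. The scanner below is an added example, not CloudSEK's BeVigil tooling or Razorpay's key format: the field names follow the article, while the value shapes, the resource names and every sample line are constructed for this illustration.

```python
import math
import re
from collections import Counter
from typing import Dict, List, NamedTuple

# Two places a payment key surfaces in an unpacked app package: a plain assignment in
# decompiled source, a .properties or JSON file, or an Android <string> resource.
# The field names (key_id / key_secret) follow the article; the value shapes are an
# assumption made for this example, not a vendor's documented key format.
ASSIGN_RE = re.compile(
    r'(?i)["\']?(?P<name>[a-z0-9_.]*key_?(?:id|secret))["\']?\s*[=:]\s*'
    r'["\']?(?P<value>[A-Za-z0-9_\-]{8,})'
)
XML_RE = re.compile(
    r'(?i)<string\s+name="(?P<name>[a-z0-9_.]*key_?(?:id|secret))"\s*>'
    r'(?P<value>[^<]{8,})</string>'
)
# Template values that are not live credentials and should not be reported.
PLACEHOLDER_RE = re.compile(r'(?i)(your_|replace|xxxx|changeme|todo|placeholder|example)')


class Finding(NamedTuple):
    line_no: int
    kind: str      # "key_id" or "key_secret"
    name: str      # the identifier the value was assigned to
    value: str
    entropy: float


def shannon_entropy(s: str) -> float:
    """Bits per character; low values mean repeated characters, i.e. a dummy value."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_lines(lines: List[str], min_secret_entropy: float = 3.0) -> List[Finding]:
    """Return every line that assigns a key_id or key_secret a live-looking value."""
    findings: List[Finding] = []
    for line_no, line in enumerate(lines, start=1):
        for regex in (XML_RE, ASSIGN_RE):
            match = regex.search(line)
            if not match:
                continue
            name, value = match.group("name"), match.group("value").strip()
            kind = "key_secret" if "secret" in name.lower() else "key_id"
            if PLACEHOLDER_RE.search(value):
                break  # a template value, not a real credential
            entropy = shannon_entropy(value)
            if kind == "key_secret" and entropy < min_secret_entropy:
                break  # too repetitive to be a real secret (e.g. "aaaaaaaa")
            findings.append(Finding(line_no, kind, name, value, round(entropy, 2)))
            break
    return findings


def assess(findings: List[Finding]) -> Dict[str, object]:
    """A key_id alone identifies the merchant; id plus secret lets anyone call the API."""
    kinds = {f.kind for f in findings}
    if {"key_id", "key_secret"} <= kinds:
        severity = "critical"
    elif "key_secret" in kinds:
        severity = "high"
    elif "key_id" in kinds:
        severity = "low"
    else:
        severity = "none"
    return {"severity": severity, "count": len(findings)}


# Constructed sample of what an unpacked app might contain; every value is made up.
SAMPLE_LINES = [
    '<string name="app_name">ShopFast</string>',
    '<string name="razorpay_key_id">pg_test_K3mP9xQ2vL7nZa</string>',
    'public static final String KEY_SECRET = "YOUR_KEY_SECRET_HERE";',
    'key_secret = "tW8qLm3ZpV6xN1rHcY9bDk4J"',
    'monkey_identifier = "abcdefghijklmnop"',
]

if __name__ == "__main__":
    hits = scan_lines(SAMPLE_LINES)
    for hit in hits:
        print(f"line {hit.line_no}: {hit.kind} in {hit.name} (entropy {hit.entropy})")
    print(assess(hits))
```

Run against the constructed sample it reports the key_id on line 2 and the secret on line 4, skips the placeholder on line 3, and rates the package critical because both halves of the key are present.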

Lubbock County Denies Data Leak, Says Data Temporarily Attainable Under New Software System

Earlier this month, the personal court records for residents of Lubbock County, located in the US state of Texas, were exposed when the county transitioned to a new computer software system. The exposed data contained non-disclosure orders, criminal cases, and civil and family law records. 

According to the county’s official website, Lubbock County Defense Lawyers Association and county officials are not on the same page concerning how to define the incident.

In a news release from the County, Judge Curtis Parrish said: “On Tuesday, September 14, 2021, Lubbock County Information and Technology Department became aware that certain court records that were previously unavailable for review by the public had become viewable under Lubbock County’s new software system. Some of these records include non-disclosure orders, criminal cases, civil and family law records. This access portal has now been blocked temporarily until we can identify which court records maybe [sic] accessed by the parties, attorneys, and the general public.

This was not a data breach [sic], or an issue where the computer system was compromised. Lubbock County will continue to review policies concerning all court records, in our effort to make these documents accessible to the attorneys and the public.” 

However, an earlier release by the Lubbock County Defense Lawyers Association characterized the incident as a data breach. The association said it became aware of the situation on September 10. 

“This data includes information on individuals who have had criminal cases expunged or non-disclosure orders signed in their criminal case. This breach affected cases at all levels and in all courts in Lubbock County. Some individuals’ data have been removed from the public access system, while other individuals’ data are still available,” said Lubbock County Defense Lawyers Association in their news release. 

Attacks on local governments are a growing concern for law enforcement agencies and government officials. Because of their shoestring budgets, local governments rarely have dedicated security experts, which leaves a huge hole in their security. In March 2021, a report from consumer tech information site Comparitech revealed that American government organizations had lost $18.88 billion to cyber-attacks. 

Over the past three years, 246 ransomware attacks struck U.S. government organizations. These attacks potentially affected over 173 million people and nearly cost $52.88 billion. The motive of most of these attacks was to halt processes, interrupt services and cause disruption, not to steal data, according to the report.

Massachusetts is Investigating the Massive T-Mobile Data Breach

On Tuesday, Massachusetts Attorney General Maura Healey announced that she will look into the cyberattack on T-Mobile US Inc (TMUS.O), which compromised the personally identifiable information of over 53 million people.

After the third-largest U.S. cellphone carrier reported the hack on Aug. 16, Attorney General Maura Healey announced the investigation. 

The breach exposed names, birthdays, social security numbers, driver's licence information, PIN numbers, and other personal information of an estimated 13.1 million current and 40 million past and potential T-Mobile users.

It was one of many cyberattacks in recent years that impacted banks, gas pipelines, and hospitals, among other businesses. 

Healey aims to examine whether the Bellevue, Washington-based corporation has sufficient measures in place to secure consumer information and mobile devices. Last month, the Federal Communications Commission in the United States launched an investigation into the matter. 

According to court records, consumers and other private plaintiffs have filed at least 23 lawsuits against T-Mobile as a result of the data leak. 

About the security breach

On August 16, T-Mobile US Inc (TMUS.O) admitted a data breach but said it had yet to determine whether any customer information had been compromised, a day after an online forum post claimed that the personal data of over 100 million of its users had been stolen. 

In a blog post, the telecom provider stated that it was certain that the entry point used to obtain the data had been shut down. It did not disclose the number of accounts impacted. 

"We are conducting an extensive analysis alongside digital forensic experts to understand the validity of these claims, and we are coordinating with law enforcement," the company stated. 

According to a report in Vice's Motherboard, the forum post does not mention T-Mobile by name, but the attacker told Vice that they had acquired data on over 100 million individuals from T-Mobile servers. 

Following the news, T-Mobile's stock dropped 2.8 percent in afternoon trading.

TESLA FSD Beta Software Leaked Days Before the Release of Version 10

Tesla's Full Self-Driving (FSD) beta software has been leaked and is circulating within hacker communities. 

The latest upgrade of Tesla's Full Self-Driving (FSD) software enables its electric cars to operate almost autonomously on both highways and city streets. The most recent FSD version also allows for better navigation and quicker turns, roundabouts, and merges. The driver enters a destination in the navigation system, and the car attempts to drive there under the driver's supervision; the driver remains responsible and must be prepared to take control at all times.

CEO Elon Musk had promised US Tesla owners who bought the FSD package a wider release; after repeated postponements, it finally rolled out on the 12th of September with the Full Self-Driving Beta v10 software.

Musk termed this software upgrade "mind-blowing." Several Tesla customers in the early-access fleet have also stated that FSD 10 beta is substantially better than the outgoing version 9.2. 

Insiders aware of the situation told Electrek that Tesla FSD Beta firmware binaries were leaked within the Tesla hacker community. 

Root access generally means the ability to log in to the root account, or to execute commands as root, on a Linux-based system such as the operating system Tesla uses. Some hackers who own Teslas have root access, which they use to inspect Tesla software upgrades and to enable unannounced or dormant features. It has been acknowledged within this community that the FSD Beta firmware has been circulating for quite a while and that anyone with root access can run it in their vehicle. 

They kept quiet so as not to alert Tesla; however, a Ukrainian Tesla owner shared a video of FSD Beta 8.2 running in his vehicle in Kiev, where the Tesla software has still not been released. 

The software has thus been described, indirectly, as having slipped outside Tesla's internal testing program and early-access group. While that was an older version, Electrek was informed by insiders that the newer FSD Beta version 9 is also being passed around. 

Electrek was further briefed by an insider that Tesla was only recently made aware of the FSD leak, even though it has been going on for a while. The same insider claims that the root community tried to restrict distribution of the firmware, since its only purpose was to use it rather than anything malicious. There have also been attempts to buy the leak.

Ragnar Locker to Publish Victims Data if They Approach FBI

The ransomware gang Ragnar Locker has adopted a new tactic to force victims to pay the ransom: it threatens to expose their stolen data if they approach the FBI. Ragnar Locker has previously carried out notable ransomware attacks on various companies, extracting millions of dollars in ransom payments. 

Ragnar Locker operators are believed to deploy the ransomware payloads to victims' computers manually. They spend time identifying system resources, business backups, and other critical files before the data encryption phase. 

This week, in an announcement on its darknet leak portal, the gang threatened to release the complete data of victims who seek the aid of the police or investigating authorities during a ransomware attack. 

The threat applies equally to victims who approach file recovery experts to try to decrypt files and later negotiate on their behalf. In either case, the gang says it will publish the victim's entire data on its .onion site. 

The ransomware operators say that affected companies who hire "professional negotiators" only make the recovery process worse, because these negotiators typically collaborate with FBI-associated data recovery businesses and similar organizations. 

“In our practice we has facing with the professional negotiators much more often in last days,” the announcement said in broken English. “Unfortunately it’s not making the process easier or safer, on the contrary it’s actually makes all even worse.” 

“So from this moment we warn all our clients, if you will hire any recovery company for negotiations or if you will send requests to the Police/FBI/Investigators, we will consider this as a hostile intent and we will initiate the publication of whole compromised Data immediately. Don’t think please that any negotiators will be able to deceive us, we have enough experience and many ways to recognize such a lie. Dear clients if you want to resolve all issues smoothly, don’t ask the Police to do this for you. We will find out and punish with all our efforts,” further reads the announcement. 

Such negotiators are either connected to or interact personally with law enforcement officials, the gang claims. In any case, it says, they are in it for themselves and do not care about the financial well-being of their customers or the privacy of their data. 

Previous victims of Ragnar Locker include the Japanese game maker Capcom, computer memory manufacturer ADATA, and Dassault Falcon. In Capcom's case, 2,000 devices were reportedly encrypted and the attackers demanded $11,000,000 for a decryption key. 

Ragnar Locker's latest revelation induces further stress for victims, given that governments across the world have strongly advocated against paying ransoms in the present climate of escalating cyber threats. 

"Government has a strong position against paying ransoms to criminals, including when targeted by ransomware. Paying a ransom in response to ransomware does not guarantee a successful outcome," said the British Home Secretary, Priti Patel in May this year.

McDonald’s Password for the Monopoly VIP Database Leaked

The fast-food chain McDonald's mistakenly sent out emails with login credentials associated with a database for its Monopoly VIP game. 

McDonald's UK had to postpone the famous Monopoly VIP game for a year due to the COVID-19 pandemic. This year, on August 25th, McDonald's reintroduced the game. 

McDonald's Monopoly is a well-known marketing gimmick in which customers can win gifts and money by entering codes found on purchases. Basically, every time a person purchases a meal from a McDonald's restaurant, they have a chance to win a gift. 

Unfortunately, the game hit a roadblock over the weekend when a bug caused prize redemption emails sent to winners to include the user names and passwords for the production and staging database servers. 

Troy Hunt shared with BleepingComputer an unredacted screenshot of an exception error from an email sent to prize winners, which included sensitive configuration details for the web application. 

The redacted email sent to a Monopoly VIP winner contained hostnames for Azure SQL databases and the databases' login names and passwords. The prize winner who shared the email with Troy Hunt stated that the production server was firewalled off but that the staging server could be accessed using the attached credentials. 

The person informed Troy Hunt in an email published with BleepingComputer, "I tried to connect to production to gauge the severity of the issue and whether or not getting in touch was an urgent matter but luckily for them they had a set of firewall rules setup. I did however gain access to staging, which I disconnected from immediately for obvious reasons." 

Since these files may have contained winning prize codes, an unethical individual might have obtained unused game codes and exploited them to claim the rewards. 

Luckily for McDonald's, the individual appropriately reported the problem to them. They did not receive a reply, but later discovered that the staging server's password had been changed. 

This was not an isolated case, as several people claimed to have seen the credentials, and some even went so far as to record their experience on TikTok. 

McDonald's told BleepingComputer that only the staging server's credentials were compromised, although the error message clearly contained the credentials of both a production and a staging server.

In a statement, McDonald's told BleepingComputer, "Due to an administrative error, a small number of customers received details for a staging website by email. No personal details were compromised or shared with other parties." 

"Those affected will be contacted to reassure them that this was a human error and that their information remains safe. We take data privacy very seriously and apologize for any undue concern this error has caused.”
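The failure the article describes, an exception message carrying database hostnames, logins and passwords being rendered straight into a customer email, shown beside the safer pattern. This is an added example, not McDonald's code: the sample fault text and every hostname and credential in it are constructed.

```python
import logging
import re
import uuid
from typing import Dict

log = logging.getLogger("prize-mailer")

# Constructed stand-in for the kind of exception text described in the article: a database
# fault whose message embeds server hostnames, logins and passwords. All values are made up.
SAMPLE_FAULT = (
    "SqlException: Login failed for user. ConnectionString="
    "Server=tcp:prize-prod.example.invalid,1433;User ID=prize_admin;Password=Wq7!nT4pRx;"
    "Server=tcp:prize-staging.example.invalid,1433;User ID=stg_user;Password=Lm9#kV2sBz"
)

# Connection-string fields that must never reach a customer or an unrestricted log.
CRED_FIELD_RE = re.compile(r'(?i)\b(password|pwd|user id|uid|server|data source)\s*=\s*[^;"\s]+')


def redact(text: str) -> str:
    """Mask credential-bearing fields. Defense in depth for anything that is still logged."""
    return CRED_FIELD_RE.sub(lambda m: f"{m.group(1)}=[REDACTED]", text)


def render_email_unsafe(winner: str, err: Exception) -> str:
    """The failure mode: the raw exception text is interpolated into the customer's email."""
    return f"Hi {winner}, we hit a problem redeeming your prize: {err}"


def render_email_safe(winner: str, err: Exception) -> Dict[str, str]:
    """The fix: full detail stays server-side under a reference id; the customer sees only the id."""
    ref = uuid.uuid4().hex[:8]
    log.error("prize redemption failed ref=%s detail=%s", ref, redact(str(err)))
    body = f"Hi {winner}, we could not redeem your prize right now. Please quote reference {ref} to support."
    return {"ref": ref, "body": body}


def leaks_credentials(text: str) -> bool:
    """Outbound check: does a message still carry a password field or a database host?"""
    return bool(re.search(r'(?i)\b(password|pwd)\s*=|\bserver=tcp:', text))


if __name__ == "__main__":
    fault = RuntimeError(SAMPLE_FAULT)
    print("unsafe leaks:", leaks_credentials(render_email_unsafe("Sam", fault)))
    safe = render_email_safe("Sam", fault)
    print("safe leaks:", leaks_credentials(safe["body"]))
    print(safe["body"])
```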

Database of 70 Million AT&T Users Being Sold on a Hacker Forum

The same threat actor is selling 70 million AT&T customers' records just days after the T-Mobile data leak. The data leak claim was refuted by the mobile service provider, who stated that the data did not emanate from any of their systems. ShinyHunters, the same threat actors that just days ago sold T-Mobile subscribers' data, is now selling 70 million records reportedly belonging to another mobile service provider – AT&T. AT&T consumers' full names, social security numbers, email addresses, and dates of birth are among the data for sale. 

ShinyHunters is a well-known organisation that has been linked to a number of high-profile data breaches. Mashable, 123RF, Minted, Couchsurfing, Animal Jam, and other companies have been targeted, according to HackRead. 

The revelation was first reported by Restore Privacy. According to them, the hacker is seeking $1 million for the full database (direct sell) and has given them exclusive information for this report.

"In the original post that we discovered on a hacker forum, the user posted a small sample of the data. We examined the sample and it appears to be authentic based on available public records. Additionally, the user who posted it has a history of major data breaches and exploits," said Restore Privacy. "While we cannot yet confirm the data is from AT&T customers, everything we examined appears to be valid." 

AT&T denied that the data had been leaked, claiming that it was either forged or obtained through other sources. “Based on our investigation today, information that appeared in an internet chat room does not appear to have come from our systems,” MarketWatch quoted the cell phone carrier. 

AT&T has previously experienced a data breach. For an insider breach in 2015, the company agreed to pay a $25 million fine. In fact, a threat actor was looking to hire a T-Mobile and/or AT&T employee in May, presumably to assist them in staging an insider attack on their employer. 

T-Mobile was notified late last week about accusations in an online forum that a threat actor had compromised T-Mobile systems. The company announced that it had discovered and shut down the access point that might have been utilised to obtain unauthorised access to the company's servers.

Nearly 2 Million Records From Terrorist Watchlist Exposed Online

A terrorist watchlist comprising 1.9 million records remained open and unsecured on the internet for three weeks, between July 19th and August 9th. The Terrorist Screening Center (TSC), a multi-agency centre run by the Federal Bureau of Investigation, is believed to have compiled the watchlist. The list was left accessible to the public on an Elasticsearch cluster with no password. 

In July this year, Security Discovery researcher Bob Diachenko discovered various JSON documents in an unsecured Elasticsearch cluster, which grabbed his interest. 

The 1.9 million-strong record set includes sensitive information about people, such as their names, citizenship, gender, date of birth, passport data, and no-fly status. 

Search engines Censys and ZoomEye listed the exposed server, implying Diachenko was not the only one who came across the list. Given the nature of the open data (e.g. passport details and "no-fly indicator"), the researcher informed BleepingComputer that it seemed to be a no-fly or similar terrorist watchlist. 

“The exposed Elasticsearch cluster contained 1.9 million records. I do not know how much of the full TSC Watchlist it stored, but it seems plausible that the entire list was exposed,” he added.

In addition, the researcher observed cryptic fields such as "tag," "nomination kind," and "selectee indication" whose meaning was not obvious. Diachenko told BleepingComputer that, given the nature of the data and the presence of a field named "TSC ID," the only reasonable conclusion was that the record set originated from the Terrorist Screening Center (TSC). 

Multiple federal agencies use the FBI's TSC to manage and exchange integrated information for counterterrorism reasons. The Terrorist Screening Database, often known as the "no-fly list," is a secret watchlist managed by the agency. 

Such databases are regarded as extremely sensitive, given the critical role they play in national security and law enforcement activities. Known terrorists, or people reasonably suspected of representing a national security threat, are "nominated" for inclusion on the secret watchlist at the government's discretion. 

Airlines and multiple agencies, such as the Department of State, Department of Defense, Transportation Security Administration (TSA), and Customs and Border Protection (CBP), consult the list to determine whether a passenger is allowed to fly or is inadmissible to the United States, or to assess their risk for various activities. 

Diachenko discovered the unsecured database on July 19th on a server with a Bahrain IP address and reported the data leak to the US Department of Homeland Security (DHS) the same day. 

"I discovered the exposed data on the same day and reported it to the DHS. The exposed server was taken down about three weeks later, on August 9, 2021. It's not clear why it took so long, and I don't know for sure whether any unauthorized parties accessed it," writes Diachenko in his report. 

According to Diachenko, releasing such sensitive information might affect people whose data might be included on the list. 

“The terrorist watchlist is made up of people who are suspected of terrorism, but who have not necessarily been charged with any crime. In the wrong hands, this list could be used to oppress, harass, or persecute people on the list and their families. It could cause any number of personal and professional problems for innocent people whose names are included in the list,” he alerted.

St. Joseph’s/Candler (SJ/C) Suffered a Data Breach

A ransomware attack on one of the leading healthcare organizations in southeast Georgia compromised the protected health information (PHI) of staff and patients. According to its press release, on 17 June 2021 the Georgia healthcare system, which has 116 sites around the state, noticed suspicious activity on its network. 

St. Joseph's/Candler of Savannah in Georgia is a national magnet certified nursing excellence institution focusing on state-of-the-art technology and research. This non-profit health system comprises two of the oldest existing hospitals in the United States – St. Joseph's (1875) and Candler Hospitals (1804), serving 33 counties in southeast Georgia and the Low Country in South Carolina, and is also the region's leading and only religious healthcare organization. 

St. Joseph's/Candler (SJ/C) announced on 10 August that it had suffered a data security incident leading to unauthorized access to patient and employee information. 

SJ/C promptly took action to disconnect and protect its systems, informed federal law enforcement, and initiated a cyber-security investigation. Through the inquiry, SJ/C found that, between 18 December 2020 and 17 June 2021, an unauthorized party had access to its IT network. In a ransomware attack on SJ/C's IT network, this unauthorized party rendered files on SJ/C's IT systems inaccessible. 

According to the notice, the attackers may have accessed files containing information about both patients and staff, including protected health information, during the data breach. 

"SJ/C cannot rule out the possibility that, as a result of this incident, files containing patient and co-worker information may have been subject to unauthorized access,” it states. “This information may have included individuals' names in combination with their addresses, dates of birth, Social Security numbers, driver's license numbers, patient account numbers, billing account numbers, financial information, health insurance plan member ID numbers, medical record numbers, dates of service, provider names, and medical and clinical treatment information regarding care received from SJ/C.” 

The healthcare system has begun notifying the affected employees and patients. SJ/C is providing free credit monitoring and identity protection services to those affected by the breach. It has also set up a dedicated incident response line for anyone who needs more information about the breach. 

In its press statement, SJ/C advises patients whose information may have been involved in this incident to review the statements they receive from their healthcare providers, and to call the provider promptly if they see services they did not receive. 

SJ/C stated that it has implemented improved security in response to the ransomware attack and “will continue to adopt additional safeguards and technical security measures to further protect and monitor its systems.”

During a Pen-Test, the University of Kentucky Uncovered a Data Breach

Cyberspace is witnessing a rapid surge in cyberattacks, with hackers stealing millions of records at an alarming rate. Regular, thorough penetration testing is important to counter such attempts throughout the year. 

The University of Kentucky's annual cybersecurity assessment revealed a website flaw that could have allowed an unauthorized person to acquire a copy of its College of Education database. No financial, health, or social security data was in the database, which limited the potential for identity fraud.

According to the breach notification letter issued by the university, the stolen material mainly contained email addresses and passwords; no SSNs or financial details were included. 

Penetration tests are intended to evaluate security: the testers imitate real attack scenarios to detect and expose security holes that could result in stolen records, compromised credentials, loss of intellectual property, PII, cardholder data or protected health information, data held for ransom, or other harmful business outcomes. 

Although UK has enhanced its cybersecurity over the last five years, and the issue was spotted, the university will now implement extra security measures. The database, used for training and testing of K-12 schools in Kentucky and other states, is part of a free resource known as the Digital Driver's License.

The information in the breach included the names, e-mail addresses, and addresses of Kentucky teachers and students, and of more than 355,000 individuals across all 50 states and 22 other nations. UK has notified the relevant regulatory bodies and the affected school districts. The breach affected the university's Digital Driver’s License platform, an internet portal the university established in the early 2000s as part of its Open Source Tools for Instructional Support (OTIS) program. 

“The University of Kentucky has spent more than $13 million on cybersecurity in last five years alone,” said Brian Nichols, UK’s chief information officer. “We have increased cybersecurity investments and enhanced our mitigation efforts in recent years, which enabled us to discover this incident during our annual inspection process conducted by an outside entity. Although the potential for identity theft is limited, we take this incident seriously and it is unacceptable to us. As a result, we will be taking additional measures to provide even more protection going forward. UK's chief concern is end-user privacy and protection and we are making every effort to secure end-user data.”

Inadequate Payment Leads the Affiliate to Leak the Ransomware Gang's Technical Manual

A frustrated Conti affiliate has revealed the gang's training material for conducting attacks and released details about one of the ransomware's administrators. The leak contains the IP addresses of Cobalt Strike C2 servers and a 113 MB archive with a wide variety of training tools for ransomware attacks. 

The Conti operation runs as Ransomware-as-a-Service (RaaS), in which the core group maintains the malware and the Tor sites. It has been active as a ransomware program since 2020. 

Most Conti ransomware is deployed directly by a hacker who has gained access through an exposed RDP port, phishing emails to an employee's computer, malicious attachments or downloads, missing patches, or network access flaws. 

The documents were recently posted on the underground cybercrime forum XSS by an individual who was apparently unhappy with how little the Conti gang paid them for infiltrating corporate networks. The files, uploaded to this Russian-speaking cybercrime forum, contain many instruction manuals reportedly from Conti, a Russian-speaking hacking group that has attacked several healthcare organizations, including hospital chains in the U.S. and Ireland's national health service, the Health Service Executive. 

Under this model the core team takes 20-30 percent of the ransom payment, while the affiliates earn the rest. The affiliate said he shared the information because he had been paid only $1,500 for an operation while the rest of the gang makes millions, despite promises of enormous payouts once a victim pays the ransom. 

In one of the step-by-step tutorials, written in Russian, participants are told to locate and compromise victims using Cobalt Strike. The instructions state that the first step is to use Google to look up a target company's likely revenue. Affiliates are then directed to find staff accounts with administrative access and told how to use that access to deploy the ransomware, encrypt the network, and demand a ransom for decryption. 

"The leak also shows the maturity of their ransomware organization and how sophisticated, meticulous, and experienced they are while targeting corporations worldwide," says Advanced Intel's Vitali Kremez, who had already analyzed the archive. "It also provides a plethora of detection opportunities, including the group's focus on AnyDesk persistence and Atera security software agent persistence to survive detections."

Data of 100 Million JustDial Customers Left Unsecured for Over a Year

The Personally Identifiable Information (PII) of approximately 100 million users of local business listing site JustDial was at stake after an Application Programming Interface (API) was left exposed for over a year. 

JustDial is an Indian internet technology firm that offers local search for a variety of services in India via phone, Internet, and mobile apps. 

However, a fix appears to have protected the PII data, which includes users' names, gender, profile photos, email addresses, phone numbers, and birthdates. 

Rajshekhar Rajaharia, an independent internet security researcher who first tweeted about this on Tuesday, informed BusinessLine that after discovering the data breach, he contacted the organization, and it was patched and fixed promptly. 

“The company’s data was exposed since March 2020, though we can’t say yet if they have been leaked. We will only know once JustDial releases an audit report on it,” Rajaharia stated. 

Further, he added that JustDial needs an audit because the system may have other flaws. JustDial did not respond to an email requesting a statement. 

JustDial became a Mukesh Ambani group firm just ten days ago when Reliance Retail bought a 41% stake in it for $3,497 crore. Bill payments and recharge, groceries and food delivery, and reservations for restaurants, cabs, movie tickets, plane tickets, and events are among the services provided by the organization. 

This isn't the first time JustDial's information has been leaked. In April 2019, Rajaharia discovered that a similar API was leaking user information in real time whenever someone called or messaged JustDial via its app or website. The organization claimed to have solved the issue, but it appears to have reemerged a year later. 

Rajaharia stated that JustDial never reveals the total number of people who have signed up; it discloses the count of active users and merchants, but never the total, because every time someone calls the platform's "88888 88888" number, the caller's data is saved in JustDial's database immediately. This information is also at risk of being leaked, and it can be tracked in real time through the API in question. An attacker who gained access to it could quickly extract the data of every JustDial user and upload it to the dark web.

Many famous online firms and their customers have been the victims of data leaks and carelessness since the pandemic broke last year. MobiKwik, JusPay, Upstox, Bizongo, BigBasket, Dominos India, and even Air India are among them. 

As per BusinessLine, Kapil Gupta, co-founder of Volon Cyber Security, stated, “Customers need to be notified about any data leak happening in companies so that they can reset accounts and change passwords to protect their data. Though users can sue, raise a complaint, and even ask for damages, under the Right to Privacy or IT Acts, these policies are still open to interpretation. The articulation is not obvious.” 

“The proposed Data Protection Bill gives more clarity on accountability of the companies facing a data breach. They have to voluntarily disclose and pay a fine if a data breach happens or they will be punished under the law. But we are still waiting for the DPB,” he added.

1.2 Million Aussies Suffered when Uber was Breached in 2016

 

Uber infringed on the privacy of more than 1 million Australians in 2016, according to the Office of the Australian Information Commissioner (OAIC). The personal data of an estimated 1.2 million Australian customers and drivers was accessed in a breach in October and November 2016, and Australia's Information and Privacy Commissioner Angelene Falk said on Friday that US-based Uber Technologies Inc and Dutch-based Uber B.V. had failed to adequately protect it.

In late 2017, it was revealed that hackers had stolen data on 57 million Uber users worldwide, as well as data on over 600,000 Uber drivers. Uber hid the breach for over a year and paid the hacker to keep it hidden instead of notifying the individuals affected. OAIC said its investigation focused on whether Uber had preventative measures in place to secure Australians' data, even though Uber had required the attackers to destroy the data so that there was no evidence of further exploitation. 

The Uber company, according to Falk, violated the Privacy Act 1988 by failing to take reasonable precautions to protect Australians' personal information from unauthorized access and destroy or de-identify the data as required. She also claimed that the tech giant failed to take reasonable steps to implement practices, procedures, and systems to ensure compliance with the Australian Privacy Principles (APP). 

"Rather than disclosing the breach responsibly, Uber paid the attackers a reward through a bug bounty program for identifying a security vulnerability," the determination says. "Uber did not conduct a full assessment of the personal information that may have been accessed until almost a year after the data breach and did not publicly disclose the data breach until November 2017." 

Falk said the case presented complicated questions about how the Privacy Act applies to firms situated overseas that outsource the handling of Australians' personal information to other companies within their corporate group. "Australians need assurance that they are protected by the Privacy Act when they provide personal information to a company, even if it is transferred overseas within the corporate group," she added. 

Uber agreed to pay $148 million in a US settlement over the incident in September 2018 and was fined over £900,000 by the UK and Dutch regulators a few months later for the 2016 data breach. In October 2019, two men pled guilty to the hack, and US authorities accused Uber's former chief security officer in August 2020 of the cover-up. "We learn from our mistakes and reiterate our commitment to continue to earn the trust of users," an Uber spokesperson said.

Over 200,000 Students Data Leaked in Cyberattack

 

The personal information of approximately 280,000 students was leaked last week in a cyberattack that targeted the AcadeME company, which serves a variety of colleges and institutions across Israel. Hundreds of thousands of students use AcadeME to get jobs at thousands of companies. 

On June 20, a pro-Palestinian Malaysian hacker group known as "DragonForce" claimed that it hacked into AcadeME and stated in a Telegram message, "THE LARGEST AND MOST ADVANCED STUDENT AND GRADUATE RECRUITMENT NETWORK IN ISRAEL Hacked By DragonForce Malaysia." 

According to the group, the emails, passwords, first and last names, addresses, and even phone numbers of students enrolled on AcadeME were leaked. DragonForce also shared screenshots of code, server addresses, and a table of email addresses and names. 

According to May Brooks-Kempler of the Think Safe Cyber Facebook group, the hackers exposed the information of roughly 280,000 students who have utilized the site since 2014. 

As of Monday morning, the AcadeME site had been pulled offline and was labeled "unavailable." Visitors attempting to reach the site were shown a notice stating that it "should be back soon." 

The hackers wrote on Telegram, "This is an urgent call for all Hackers, Human Right Organizations and Activists all around the world to unite again and start a campaign against Israhell, share what is really going on there, expose their terrorist activity to the world. We will never remain silent against israhell war activity." 

The group claimed later that day that it had leaked a "massive" number of Israeli passports. On Friday, the same organization launched DDoS assaults against Bank of Israel, Bank Leumi, and Mizrahi Tefahot, among other Israeli banks. 

Israel's National Cyber Directorate's Warnings: 

Yigal Unna, the chief of Israel's National Cyber Directorate (INCD), cautioned earlier this year that if necessary precautions are not taken, cyberattacks might cripple Israeli academic institutions. 

The chief of the INCD warned that the wide connectivity between academic institutions and other bodies and organizations could constitute a threat to other bodies and result in liability. The message arrived 11 days after a cyberattack on the Ben-Gurion University of the Negev, which resulted in the compromise of several of the university's servers. 

After the breach was found, a joint team of researchers from the INCD and Ben-Gurion's Technologies, Innovation & Digital Division was formed to prevent data leaks and contain the situation. 

The perpetrator of the attack is still unknown. 

In 2020, the National Cyber Directorate received over 11,000 inquiries on its 119 hotline, a 30 percent increase over the previous year. About 5,000 requests were made to companies to handle vulnerabilities that exposed them to assaults, and about 1,400 entities were contacted about attempted or successful attacks.

Private Details Compromised After Cyber Attack on NSW Health

 

The New South Wales Ministry of Health (NSW Health) has confirmed that it was impacted by a cyberattack involving the Accellion file transfer system. The system was widely used to share and store files by organizations across the globe, including NSW Health. 

NSW Health has been working with NSW Police and Cyber Security NSW, and to date there is no evidence that any of the information has been misused. Strike Force Martine has been set up to determine the impact on the NSW government agencies caught up in the attack on Accellion.

It is estimated that some 100 organizations across the globe were affected by the Accellion hack, including global corporations, financial institutions, government departments, hospitals, and universities. Within this group, the company said that fewer than 25 appeared to have suffered significant data theft. 

"Following the NSW government's advice earlier this year around a worldwide cyber-attack that included NSW government agencies, NSW Health is notifying people whose data may have been accessed in the global Accellion cyber-attack. Different types of information, including identity information and in some cases, health-related personal information, were included in the attack," an NSW Health spokesperson stated.

The local authorities said medical records in public hospitals were not stolen and the software involved is no longer in use by NSW Health.

“A cyber incident help line has been set up to provide further information and support to those people NSW Health is contacting. If you are contacted by NSW Health, you will be given the cyber incident help line details; if you are not contacted by NSW Health, no action is required. The privacy of individuals is of the utmost importance to NSW Health, and we are making impacted people aware of the attack so that they can take appropriate precautions and access our support services,” the spokesperson added. 

In April 2020, the NSW government suffered a cyberattack that compromised the private records of 186,000 customers. After an investigation lasting four months, Service NSW said it had discovered that 738GB of data (over 3.8 million documents) had been stolen from 47 staff email accounts. 

The Australian Securities and Investments Commission (ASIC) confirmed in January that one of its servers was breached in relation to Accellion software used by the agency to transfer files and attachments.

Prometheus: Emerging Ransomware Group That Has Published Mexican Government Data For Sale

 

Emerging technology has changed the way wealth is made and hoarded: in the 21st century, information and data mean money, and the groups compromising the systems of large technology companies and of public and private organizations around the world have reached a new pinnacle of sophistication. 

The last few years have witnessed a rapid surge in cyberattacks around the world, and the frequency of these attacks has grown dramatically. 

Recently, a new ransomware gang identified as ‘Prometheus’ has been making headlines. The group has become a threat to the Mexican government after the threat actors published illegally obtained data on the dark web, where it was put up for sale the same day. 

With this incident, the group also became the first hacking group to attack a major Latin American state at this scale. 

Resecurity, a cybersecurity company based in Los Angeles, reported that the leaked data was obtained from multiple email accounts through account takeover and business email compromise (ATO/BEC) and by leveraging network resources belonging to several Mexican government bodies. The company added that, for now, it is not easy to determine the extent and final impact of the leaks. One thing is certain, however: this is an extortion game played by malicious actors. 

Mexico is a major trading partner of the United States, the second-largest economy in Latin America, and the 17th-largest exporter in the world. In the past few years the number of cybercrimes reported in the country has skyrocketed, and in 2020 Mexico became one of the countries with the most cybercrime in Latin America. 

The data leaked today on the Prometheus group's website belongs to 27 victims. They include Hotel Nyack (New York, USA), Ghana National Gas, enterprises in France, the Tulsa Cardiovascular Center of Excellence (Oklahoma, USA), and organizations in Switzerland, Norway, the Netherlands, the UAE, Brazil, and Malaysia. For the time being, the Ransomware Task Force coordinated by the Institute for Security and Technology is researching the issue. 

Domino’s Data Leak Exposed Data of 18 Crore Orders

 

The pizza chain Domino's has suffered another data leak this year, in which the details of 18 crore orders were made accessible on the dark web, according to security experts. 

A hacker claimed that earlier in April he had gained access to 13TB of Domino's data. The leak was said to include data on more than 18 crore (180 million) purchase orders, containing telephone numbers, email addresses, billing information, and users' credit card details. 

Domino's Pizza, Inc. is an American multinational pizza restaurant chain established in 1960. The F&B chain is particularly prominent in India, as seen in the smooth functioning of its operations despite the ongoing pandemic. 

Security researcher Rajshekhar Rajaharia announced on Twitter that Domino's had been breached again, showing that the data of 18 crore orders had been made available through a search engine the hackers built on the dark web; regular Domino's customers will most probably find their personal information there. The leaked information comprises users' names, email addresses, telephone numbers, and even their GPS locations. 

"Data of 18 crore orders of Domino's India have become public. Hacker created a search engine on Dark Web. If you have ever ordered @dominos_india online, your data might be leaked. Data include Name, Email, Mobile, GPS Location, etc," Rajaharia tweeted. 

The incident was brought to light before the beginning of April by Alon Gal, CTO of the cybersecurity company Hudson Rock, who said that the hackers were selling the users' data for about ten BTC and wanted to build a search engine so that the data could be queried. 

The compromised data reportedly includes 10 lakh credit card details and even the addresses of people who have purchased Domino's pizza. However, Domino's India denied that users' financial information had leaked in a statement given to Gadgets 360. 

When Jubilant Food Works, the master franchise holder for Domino's in India, Nepal, Sri Lanka, and Bangladesh, was approached, it was confirmed that the company recently had a security incident but no financial details were revealed. 

“Jubilant Food Works experienced an information security incident recently. No data about financial information of any person was accessed and the incident has not resulted in any operational or business impact.” 

"As a policy, we do not store financial details or credit card data of our customers, thus no such information has been compromised. Our team of experts is investigating the matter and we have taken necessary actions to contain the incident," the company spokesperson said.

Data Breach: Affects Student Health Insurance Carrier guard.me

After a vulnerability enabled a threat actor to access policyholders' personal details, student health insurance provider guard.me has taken its website offline. 

guard.me is among the world's largest insurance providers in international education, protecting thousands of individuals studying and working abroad. It was founded in 1998 and is incorporated in Canada as Travel Healthcare Insurance Solutions Inc. 

On May 12th, guard.me discovered suspicious activity on its website after a vulnerability had allowed a threat actor to access policyholders' personal details. Visitors to the website are now automatically redirected to a maintenance page informing them that the site is unavailable while the insurance provider enhances its security. 

"Recent suspicious activity was directed at the guard.me website and in an abundance of caution we immediately took down the site. Our IS and IT teams are reviewing measures to ensure the site has enhanced security in order to return the site to full service as quickly as possible," reads the notice on the guard.me website. 

Today, guard.me started sending out data breach notifications to students, according to BleepingComputer, stating that a website vulnerability enabled unauthorized people to access policyholders' personal details. 

"Our Information Systems team found suspicious activity on our website late on May 12, 2021, and as a precaution, they took down the website and took immediate measures to protect our systems. The security flaw has been fixed. Our investigators are working closely to discover more about the incident," guard.me states in the data breach notification. 

The threat actor was able to gain access to students' dates of birth, sex, and encrypted passwords thanks to this flaw. The email addresses, mailing addresses, and phone numbers of certain students were also made public. 

According to the international student health insurance company, the bug was patched and urgent steps were taken to protect its systems, which have since withstood further attempts by its cybersecurity team to circumvent the additional protections. The insurer also reports that it is implementing new security measures, such as database segmentation and two-factor authentication. 

guard.me is a Canadian corporation, so it is unclear whether it has informed the Privacy Commissioner of Canada about the breach, and it had not responded to BleepingComputer's requests for more details.

App Census Study Reveals that Android Devices Leak User Data Stored in Contact Tracing Applications

 

According to security experts, hundreds of third-party applications on Android devices have access to confidential information collected by contact-tracing apps built on the Google and Apple API. Earlier this year, the Department of Homeland Security provided about $200,000 to App Census, a U.S. start-up that specializes in the data protection practices of Android applications, to test and validate the reliability of contact-tracing apps. 

The company's researchers observed that Android phones record the core contact-tracing information in the device's system logs, which applications that use Google and Apple's Exposure Notifications System (ENS) can read, and which are usually collected to gather usage analytics and crash reports. 

Google and Apple jointly launched ENS last year to help health authorities around the globe develop contact-tracing apps that meet the data protection requirements of the Android and iOS ecosystems. The API built by Apple and Google allows governments to build decentralized, Bluetooth-based contact-tracing apps. 

Devices running such an app transmit confidential, regularly changing identifiers known as Rolling Proximity Identifiers (RPIs), which are broadcast over Bluetooth so that nearby phones also running the app can "hear" them. 

App Census's observations reveal that the two tech giants' privacy pledge has certain deficiencies. Both transmitted and heard RPIs can be found in the system logs of Android phones, and for heard RPIs the device even records the current Bluetooth MAC address of the device that sent them. App Census therefore found several ways of combining these datasets to carry out privacy attacks, since the RPIs and Bluetooth MAC addresses, although randomized, are unique.

"Of course, the information has to be logged somewhere to do the contact-tracing, but that should be internally in the ENS," Gaetan Leurent, a researcher at the French National Institute for Research in Digital Science and Technology (INRIA), stated. "It is unsettling that this information was stored in the system log. There is no good reason to put it there." 

Someone with access to the device logs of multiple users could combine the RPIs with other datasets to determine whether a user had tested positive for COVID-19, whether they had been in contact with an infected person, or whether two people had met. The contact-tracing process is meant to preserve privacy, and this is precisely the kind of inference it is supposed to prevent; the entire protection that should form the foundation of the protocol is therefore defeated. 

A Google spokesperson said: "We were notified of an issue where the Bluetooth identifiers were temporarily accessible to some pre-installed applications for debugging purposes. Immediately upon being made aware of this research, we began the necessary process to review the issue, consider mitigations and ultimately update the code." 

The spokesperson added that these Bluetooth identifiers neither disclose a user's location nor provide any other identifying details, and that Google is not aware of them having been used in any way. According to Google, the rollout of the fix to Android devices began several weeks ago and is due to be completed in the coming days. Previous publications by the researchers have shown that, irrespective of implementation, the use of digital technology for contact tracing necessarily presents a risk to privacy.
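To show why an RPI in a system log is sensitive, here is the RPI derivation and matching from the published Exposure Notification cryptography specification, written in Go as an added example (not App Census's, Google's or Apple's code): RPIK = HKDF(TEK, "EN-RPIK"), RPI = AES-128(RPIK, "EN-RPI" || zeros || interval number). The TEK and the "logged" RPIs are constructed; the point is that matching needs only the diagnosis key the server publishes plus the RPIs, so whoever holds a copy of the log can reach the same conclusion the app reaches on-device.

```go
package main

import (
	"crypto/aes"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"fmt"
)

// hkdfSHA256 derives outLen (<= 32) bytes from key with no salt (RFC 5869).
func hkdfSHA256(key, info []byte, outLen int) []byte {
	// Extract: an absent salt is HashLen zero bytes.
	ext := hmac.New(sha256.New, make([]byte, sha256.Size))
	ext.Write(key)
	prk := ext.Sum(nil)
	// Expand: T(1) = HMAC(PRK, info || 0x01); one block covers 16 bytes.
	exp := hmac.New(sha256.New, prk)
	exp.Write(info)
	exp.Write([]byte{0x01})
	return exp.Sum(nil)[:outLen]
}

// RollingProximityIDs derives the RPIs a device broadcasts starting at
// ENIntervalNumber startInterval (10-minute intervals) from its Temporary
// Exposure Key: RPIK = HKDF(TEK, "EN-RPIK"),
// RPI_j = AES-128(RPIK, "EN-RPI" || 0x00*6 || uint32_LE(startInterval+j)).
func RollingProximityIDs(tek []byte, startInterval uint32, count int) [][]byte {
	rpik := hkdfSHA256(tek, []byte("EN-RPIK"), 16)
	block, err := aes.NewCipher(rpik)
	if err != nil {
		panic(err) // only a wrong key length fails, and RPIK is always 16 bytes
	}
	ids := make([][]byte, 0, count)
	for j := 0; j < count; j++ {
		padded := make([]byte, 16)
		copy(padded, "EN-RPI")
		binary.LittleEndian.PutUint32(padded[12:], startInterval+uint32(j))
		rpi := make([]byte, 16)
		block.Encrypt(rpi, padded)
		ids = append(ids, rpi)
	}
	return ids
}

// MatchDiagnosisKey returns the interval numbers at which a hex-encoded RPI in
// seen was broadcast by the holder of tek (a published diagnosis key). This is
// the legitimate on-device matching step; it needs nothing secret, which is why
// RPIs copied into a readable system log let any other party run it too.
func MatchDiagnosisKey(tek []byte, startInterval uint32, seen []string) []uint32 {
	want := make(map[string]uint32)
	for j, rpi := range RollingProximityIDs(tek, startInterval, 144) {
		want[hex.EncodeToString(rpi)] = startInterval + uint32(j)
	}
	var hits []uint32
	for _, s := range seen {
		if iv, ok := want[s]; ok {
			hits = append(hits, iv)
		}
	}
	return hits
}

func main() {
	// Constructed sample: a 16-byte TEK (not a real key) and one day of RPIs.
	tek := []byte("constructed-tek!")
	start := uint32(1623110400 / 600)
	rpis := RollingProximityIDs(tek, start, 144)
	// Constructed "system log": two RPIs heard from that device plus one unrelated.
	logged := []string{hex.EncodeToString(rpis[3]), hex.EncodeToString(make([]byte, 16)), hex.EncodeToString(rpis[100])}
	fmt.Println("intervals in contact with the diagnosed device:", MatchDiagnosisKey(tek, start, logged))
}
```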

Credit Scores of Americans were Exposed Through Experian API

 

According to a researcher, almost every American's credit score was leaked due to an API platform used by the Experian credit bureau that was left accessible on a lender's website without even basic security safeguards. Experian, for its part, dismissed security experts' fears that the problem could be structural. 

The Experian Connect API is a platform that helps lenders to simplify FICO-score queries. According to a published article, Bill Demirkapi, a sophomore at Rochester Institute of Technology, was looking for student loans when he came across a lender who would verify his eligibility with only his name, address, and date of birth. Demirkapi was taken aback and wanted to look into the code, which revealed that the tool was driven by an Experian API, he said.

“No one should be able to perform an Experian credit check with only publicly available information,” Demirkapi told Krebs On Security, which was the first to break the story of the leak. “Experian should mandate non-public information for promotional inquiries, otherwise an attacker who found a single vulnerability in a vendor could easily abuse Experian’s system.” 

Demirkapi said he was able to create a command-line tool called "Bill's Cool Credit Score Lookup Utility" that allowed him to automate lookups even after entering all zeros in the date-of-birth field. Krebs said he was able to use the API link to obtain, in addition to raw credit scores, "risk factors" from Experian that explained possible weaknesses in a person's credit history. He ran a credit check on his friend "Bill," whose mid-700s credit score came with the note “Too many consumer-finance company accounts.”

Demirkapi refused to reveal to Experian the identity of the lender or the website where the API was exposed. He declined because he believes there are hundreds, if not thousands, of firms using the same API, and that all of those lenders are leaking Experian's customer data in the same way. “If we let them know about the specific endpoint, they can just ban/work with the loan vendor to block these requests on this one case, which doesn’t fix the systemic problem,” he explained. 

“We have been able to confirm a single instance of where this situation has occurred and have taken steps to alert our partner and resolve the matter,” Experian said in a written statement. “While the situation did not implicate or compromise any of Experian’s systems, we take this matter very seriously. Data security has always been, and always will be, our highest priority.”