Search This Blog

Showing posts with label Data Leak. Show all posts

Crypto at Risk After Facebook Leak: Here’s how Hackers Can Exploit Data

 

The tech giant Facebook has been hit with a new wave of data leaks, yet again but this time, the number of users whose records were exposed was not 50 million but a massive 500 million. 

According to a security analyst, sensitive personal information for over half a billion Facebook users was leaked on a well-trafficked hacking forum on April 3, posing a danger to millions of cryptocurrency traders who may now be susceptible to sim swapping and other identity-based attacks.

What should be done? 

In response to the question that how exactly does this most recent breach place at risk the crypto assets of individuals, Dave Jevans, CEO of blockchain security firm CipherTrace, told Cointelegraph that people who have had their phone numbers leaked need to be extra careful because a lot of fraud involving digital assets hinges on such details. 

He further added, “We’ve seen an increase in SIM swaps, phishing attacks, and other types of fraud involving cryptocurrencies that rely on acquiring the phone numbers of victims to execute. Leaked info about the identity of high-profile crypto users gave bad actors the ability to target them.” 

Ben Diggles, co-founder, and chief revenue officer at Constellation, told Cointelegraph that Facebook's latest security lapse is unsurprising, especially given that most Facebook users have a different approach, in which they prefer their world to be managed and structured for them. 

“Those that are crypto holders that were on the list have little to worry about unless they were storing descriptive details of their holdings and access on their Facebook account. However, these hackers have gotten really sophisticated, so I have no idea what tricks they may have [up] their sleeves with regards to scraping info specific to crypto wallets and exchanges.”, he added. 

However, he suggests that most users should update their passwords for all of their social media profiles, as well as all other sites that share their data with Facebook, as a precaution. 

Does decentralization matter? 

As more data leaks occur, a large majority of people around the world are understanding the value proposition that decentralized systems offer in terms of protection, particularly, since they do not feature a single point of failure. 

On the matter, Eli Arkush, a cloud solutions engineer at cybersecurity firm GlobalDots, suggests that having a platform's backend system distributed using blockchain technology could make it more difficult for hackers to obtain user information; however, once credentials fall into the wrong hands, password reuse may become a concern. 

However, Stephen Wilson, the CEO of Lockstep Group and a member of the Australian government's National Blockchain Roadmap Cybersecurity Working Group, believes that, contrary to popular belief, storing personal information on any blockchain ecosystem is never a good idea. He pointed out that the type of personal data breached by Facebook should never be stored in a blockchain, and even if it is, such data can never be completely protected by blockchain in the long run.

“Blockchain and DLTs usually only decentralize some aspects of data management. They don’t usually decentralize data storage in any relevant sense because they tend to duplicate ledger entries across multiple systems. The storage is distributed, but identical copies of information are available in multiple locations and can be vulnerable to attackers or thieves.”, he further added. 

Most hacking schemes in the past have primarily focused on stealing funds from cryptocurrency exchanges. For example, in 2014 and 2018, the total amount of money compromised as a result of exchanges being hacked was $483 million and $875 million, respectively. 

However, an increasing number of offenders are focusing their attention on stealing user data because it provides them with unique opportunities to obtain funds quickly. As a result, cryptocurrency owners must protect their assets.

Cyberextortion Threat Evolves as Clop Ransomware Attacked 6 U.S Universities Data Security

 


Malicious actors are now using novel ways to extract universities' data, and are threatening to share stolen data on dark websites unless universities pay them a lot of money. 
The current update reads that the Clop ransomware group claimed to have access to six top universities of the United States including institutions’ financial documents information and passport data belonging to their staff and students. According to the report, a group of hackers has first posted the stolen data online on March 29. 

The universities' that have been attacked, include — The University of Miami, the Yeshiva University, the University of Maryland, the Stanford University, the University of Colorado Boulder, And the University of California, Merced. 

However, there is no official confirmation regarding this cyber-attack from any of the aforementioned universities, it's unsure whether or not the cyberinfrastructure of these universities has been attacked or the hacker group asked for money in exchange for data. 

Additionally, a few days back, Michigan State University also confirmed a cyber attack by a group that was threatening to share it on the dark websites unless a bounty is paid. 

The data stolen by the Clop ransomware group include federal tax documents, passports, requests for tuition remission paperwork, tax summary documents, and applications for the Board of Nursing. 

This data breach affected several individuals and staff of the universities as the shared information also exposed sensitive credentials, such as names of individuals, date of birth, photos, home addresses, immigration status, passport numbers, and social security numbers. 

Not only this, but some news websites also confirmed that the leaked data included several more screenshots including retirement documentation, and 2019/2020 benefit adjustment requests, late enrollment benefit application forms for employees, and the UCPath Blue Shield health savings plan enrollment requests, amid much more. 

It should be noted that such attacks are not unusual for the Clop ransomware group as the group is known for its assault against various organizations. Furthermore, Michigan State University’s officials stated in the regard that, “Payment to these criminals only allows these crimes to be perpetuated and further target other victims. The decision not to pay was in accordance with law enforcement guidance and reached with support from the university’s Board of Trustees and president”.

Data Leak of 10cr Users: ‘The Largest KYC Data Leak in History’

 

According to cybersecurity researcher Rajshekahar Rajaharia, mobile payment app Mobikwik came under attack after the data of 10 crores of its users was posted for sale on a hacker website on the dark web. The alleged data breach was conducted by a group of hackers known as the ‘Ninja Storm,' who have also been selling the ‘leaked' details online since March 26. 

The data is being sold for 1.5 Bitcoins, which is nearly Rs 63 lakhs, as per a post by the hacker community. Ever since tens of thousands of people have taken to Twitter to share screenshots of their personal information being exposed. It is the ‘largest KYC data leak in history,' according to cybersecurity researcher Elliot Laderson. 

Personal information of merchants who obtained loans via Mobikwik is also said to be available for purchase in exchange for bitcoins. Over 4 crore Mobikwik customers' card details and hashes are reportedly included in the leak. 

The Gurugram-based fintech firm has maintained a denial of its involvement in the breach, accusing the researchers who made the infringement public of being "media-crazed" and offering "concocted files" as evidence. "We thoroughly investigated and did not find any security lapses. Our user and company data are completely safe and secure," said a spokesperson from Mobikwik. 

On January 20, a hacker named 'Jordan Daven' took over 8 terabytes (TB) of private user data from Mobikwik's main server and posted it on dark-web websites, according to Rajaharia. “Regular keys and passwords should have been changed and logs should have been monitored to prevent this kind of security compromise,” he said. 

Furthermore, in February, Rajaharia claimed that a hacker was selling Mobikwik user data, including PAN card numbers, Aadhar numbers, debit/credit card numbers, phone numbers, and other personally identifiable information that is typically exchanged mostly during Know Your Customer (KYC) process. 

To complicate things, Mobikwik claims that its technology has not been hacked. In a statement, it said, “Some media-crazed so-called security researchers have repeatedly attempted to present concocted files wasting precious time of our organization as well as members of the media.“ 

It isn't the first time Mobikwik has been the target of a cyber-attack. The business witnessed another information security incident in 2010. 

According to reports, the Reserve Bank of India is keeping an eye on such security breaches and has enacted many new regulations, along with the upcoming payment aggregator and payment gateway guidelines, that will limit customer data exposure to a few databases of approved gateways.

Russian Hacking Forum Maza Hijacked, Suffers Data Breach

Cybercriminal forum Maza was recently hit by a data breach that led to the leak of user information. Earlier this week, experts at Flashpoint found the breach suffered by Maza, (earlier called Mazafaka) that has been on the web since 2003. It is a reserved and strictly restricted platform for Russian hackers. The group is involved in carding, which involves the selling of stolen credit card/financial information on the web, besides this, the forum discusses spam, exploits, malware, phishing attacks, money laundering, and much more. The hackers posted a warning message "This forum has been hacked/Your data has been leaked," after the successful breach of the platform.  

The leaked information includes usernames, user IDs, email IDs, links to messenger app that include- MSN, messenger, and login credentials (obfuscated and hashed). ZDNet reports, "In January, Russian forum Verified was taken over without warning. The introduction of new domains, temporary open registration, and the silence of old moderators has raised suspicion among some users as to the intentions of the new owners." According to Flashpoint, around 2000 user accounts were breached. Users discussing the breach said that they'll now have to find another forum, whereas other users believe that the breach is partial or old. 

As of now, the experts are unaware of who hijacked the forum besides the fact that hackers might have used an online translator to post the warning. It implies that the hackers may not be Russian speaking unless they did it intentionally to misguide.  This is not the first time Maza was hacked, back in 2011 by a rival group named DirectConnection, around 2000 user accounts were leaked. Soon, DirectConnection was compromised as a retaliation.  

Aleksei Burkov, known as alias 'Kopa,' is said to be the admin for both the forums. He was sentenced to prison for 9 years by US authorities against the charge of running the Cardplanet carding forum. "Users may be justified in such concerns, especially considering law enforcement is now posting 'friendly' warnings on hacking forums to discourage illegal activities," says ZDNet.As of now, no latest developments have appeared. Stay updated to know more.

Data of 14 Million Amazon and eBay Accounts Leaked on Hacking Websites

 

An anonymous user offered 14 million data from Amazon and eBay accounts on a prominent hacking website for dissemination. The details seem to have been obtained from customers of Amazon or eBay having accounts from 18 countries between 2014-2021.

In Seattle, USA- focused on e-commerce, cloud computing, internet streaming, and artificial intelligence, Amazon.com Inc. is an international corporation based in Washington. Founded in 1994, the business was named "one of the most influential economic and cultural forces in the world" as well as the most valuable brand in the world. Whereas eBay Inc. is also a U.S. international e-commerce company headquartered in San Jose, California that allows transactions and sales to customers and companies through its website. eBay was founded in 1995 by Pierre Omidyar and became a remarkable success story for the dot-com bubble. 

The database acquired by the hacker was sold for 800 dollars where the accounts were divided through each country. The details leaked contain the entire customer name, mailing code, shipping address and store name, and a telephone number list of 1.6 million users. Although two copies had already been sold, the blog publisher has now closed the deal. 

The way the blog-publisher has acquired data is at present- unclear. Though the firm researching this incidence did not independently check or validate that Amazon or eBay data were certainly from the 2014-2021 period. A representative of Amazon said that the allegations had been reviewed with no evidence of any data violation. 

Also, it is more probable that Amazon or eBay have not experienced any infringements. Instead, a common form of password spraying was presumably used by the threat actor to get the passwords. Spraying passwords is an attack attempting to enter a wide number of accounts with a few popular passwords (usernames). Standard attacks by brute forces seek to enter a single account by guessing the password.

Fortunately, highly confidential material, including billing records, national ID numbers, or even e-mail addresses, does not exist on the server. However, the data being sold at this time is also potentially vulnerable and can be used for a range of reasons, such as doxing users by public dissemination of private data (e.g. sensitive things that nobody needs to hear about). The data may also be exploited by cybercriminals for purposes of creating a spam list or business intelligence.

Resident Evil Developer Capcom Became a Victim of Ransomware Attack

 

The year 2020 had been a year that witnessed a lot of data leaks and hacks of assorted kinds for apps and websites. This time it was the turn of an Osaka headquarters video game developer company, Capcom that became the victim of a data breach and ransomware attack in November 2020. Not only the company but its users have also been compromised because of this attack. As a result of the ransomware attack, Capcom had to shut down its assorted parts of the network including its email and file services. 

Initially, they never disclosed that if any customer's information was breached or any of its websites, servers, or games were compromised because of this attack. However, on 16th November 2020, the company published that almost 9 of its users had their personal information compromised and further added that 350,000 of its users were at risk of a data breach. 

In this attack, Capcom witnessed hundreds of thousands of pieces of personal data stolen from its servers, including the names and addresses of customers and former employees. The estimated number of victims of the aforementioned case is 16,415. 

Capcom later affirmed that they were suspicious that the company’s information, including "sales reports, financial information, game development documents, [and] other information related to business partners," was illicitly accessed during the attack. They stated that Documents matching that description have been circulating around certain corners of the Internet since November. 

Capcom further stated that "the company has also ascertained that the potential maximum number of customers, business partners, and other external parties, etc., whose personal information may have been compromised in the attack is approximately 390,000 people (an increase of approximately 40,000 people from the previous report)." 

Not only that Capcom's network was hit by a Ransomware attack but a note was also left on the server by the threat actors. The letter affirmed that Ranga Locker, the ransomware gang is behind this cyber-attack. The gang left some hyperlinks as proof of the attack by them. Those links led the company to a file that had personal information of the company and its users as well as employees, that was later published on the internet. 

Additionally, the company wrote, "Capcom would once again like to reiterate its deepest apologies for any complications or concerns caused by this incident.”

Freedom Finance's customer data got leaked after employee fell for phishing attack

Broker Freedom Finance admitted the fact of hacking its internal network and stealing data leaks about 16,000 clients of the company for 2018. The founder and CEO of the company Timur Turlov announced this on Instagram.

He called the incident "an extremely unpleasant and shameful incident in information security", which occurred on December 24, and admitted: "We screwed up."

According to him, one employee of the company received a phishing email, which he opened and ran on the local machine despite the security warning. "And then all the weak points of our security were revealed," said Turlov.

“Cyber ransomware attacked a segment of our internal network and stole some data from the local machines of a number of employees in Russia. These are machines belonging to the employees of a Russian broker that provides access to the Russian stock market and almost the entire data packet is dated 2018,” wrote Turlov on his Instagram.

Almost no customers who opened accounts in the United States were affected. The broker's international clients were not affected either.

He assured that hackers did not get access to CRM, back-office reports, trading platform data, and also did not get customer passwords.

Turlov promised that the company will contact affected customers as soon as possible, tell them what documents have been made publicly available, and advise on how to minimize risks.

"Of course, now we have completely cleaned out the network and all local machines, have already rebuilt it, and are convinced that data is no longer leaking," assured he.

Turlov believes that the system was hacked to blackmail the company with media publicity and extort money.

"The company has decided to admit its mistake and not cooperate with criminals," said Turlov.

On November 24, Ashot Hovhannisyan, the founder of the Data Leakage & Breach Intelligence (DLBI) service, announced the appearance of Freedom Finance's customer data.

Sensitive Data of 7 Million Indian Cardholders Circulating On Dark Web


There is a rapid increase in the number of data breaches last year, jumping by 17%, which has become an increasingly serious issue. Recently, sensitive data of 7 million debit and credit cardholders has been circulating on the dark web.

The 2GB database included names, contact numbers, email addresses, Permanent Account Number, income details, and employers' firm.

As per the screenshots of the leaked data, the details were found on a public Google Drive document discovered by Rajshekhar Rajaharia, an Internet cybersecurity researcher who informed Inc42, warning that as the private data pertains to the finances, it is highly valuable and can potentially be used by malicious actors to develop phishing attacks.

The database that also included the PAN numbers of around 5 lakh users, relates to the time period between 2010 and 2019 which could be of extreme significance to cybercriminals and scammers, per se. Although the card numbers were not available in the database, Rajaharia managed to verify the details for certain users including himself. He matched the LinkedIn profiles of the names mentioned in the list, and it proved to be accurate.

In a conversation with Suriya Prakash, Sr Security Researcher Cyber Security and Privacy Foundation Pte Ltd, Ehacking News attempted to understand the source of the breach: He said, "These usually don't originate at the bank level as they have secure environments. Regulators and banks often misunderstand this and spend crores securing infrastructure."

"The main source of data breaches are usually due to bank employees using their official emails to create accounts in third-party sites (social media etc). When these third parties get breached its causes issues for the bank. This can be simply avoided by putting in the SOP that employees should not use their official emails for other services, any usage should get written permission from the admin team. If this is strictly enforced majority of data breaches can be avoided."

"Also websites that collect payments like e-commerce sites should be brought user RBI regulations as they too might be causes of the breach," he concluded.

The scale of data leaks of patients with coronavirus in Russia has become known


More than a third of all cases of leaks of personal data of patients with coronavirus, as well as suspected cases, occurred in Russia.

According to InfoWatch, in just the first half of 2020, there were 72 cases of personal data leakage related to coronavirus infection, of which 25 were in the Russian Federation. Leaks in Russia were caused by employees of hospitals, airports, and other organizations with access to information resources. In general, for this reason, 75% of leaks occurred in the world, another 25% were due to hacker attacks.

The company clarified that in 64% of cases worldwide, personal data associated with coronavirus was compromised in the form of lists. Patient lists were photographed and distributed via messengers or social media groups. Some leaks were due to the accidental sending of data by managers to the wrong email addresses.

According to InfoWatch, 96% of cases on the territory of the Russian Federation are leaks of lists, and 4% are leaks of databases.  In all cases, data leaks occurred due to willful violations. InfoWatch stressed that the disclosure of such data often led to a negative attitude towards coronavirus patients from the society.

The Russian Federal Headquarters for coronavirus declined to comment.  Moreover, the press service of the Moscow Department of Information Technology reported that since the beginning of 2020, there have been no leaks of personal data from the information systems of the Moscow government.

In Russia, there are no adequate penalties for organizations in which personal data leaks occurred, said Igor Bederov, CEO of Internet search. In addition, there is still no understanding of the need to protect personal data in electronic systems. There are not enough qualified specialists in this industry. As a result, network cloud storage used by companies, including for processing personal data, is poorly protected.

Orange Confirms Ransomware Attack Compromising Data of 20 Enterprise Customers


Orange, the fourth-largest mobile operator in Europe has confirmed that it fell prey to a ransomware attack wherein hackers accessed the data of 20 enterprise customers. The attack targeted the 'Orange Business Services' division and was said to have taken place on the night of 4th July and was continued into the next day, ie., 5th July.

Orange is a France based multinational telecommunications corporation having 266 million customers worldwide and a total of 1,48,000 employees. It is a leading provider of global IT and telecommunications services to residential, professional, and large business clients. It includes fixed-line telephone, mobile communications, Internet and wireless applications, data transmission, broadcasting services, and leased line, etc.

The attack was brought to light by Nefilim Ransomware who announced on their data leak site that they acquired access to Orange's data through their business solutions division.

In a conversation with Bleeping Computer, the company said, "Orange teams were immediately mobilized to identify the origin of this attack and has put in place all necessary solutions required to ensure the security of our systems." Orange further told that the attack that occurred on the night of 4th July affected an internal IT platform known as, "Le Forfait Informatique", it was hosting data belonging to 20 SME customers that were breached by attackers, however, there were no traces of any other internal server being affected as a result of the attack. Giving insights, Tarik Saleh, a senior security engineer at DomainTools, said, "Orange certainly followed best practices by promptly disclosing the breach to its business customers, who will need to take all the possible precautions to make their data unusable in future attacks: changing the password of their accounts and looking out for potential phishing or spear-phishing emails."

While commenting on the security incident, Javvad Malik, Security Awareness Advocate at KnowBe4, said that in these times, it is essential, "that organizations put in place controls to prevent the attack from being successful, as even if they have backups from which they can restore, this won't bring back data that has been stolen."

"As part of this, organizations should implement a layered defensive strategy, in particular against credential stuffing, exploitation of unpatched systems, and phishing emails which are the main source of ransomware. This includes having technical controls, the right procedures, and ensuring staff has relevant and timely security awareness and training," he further added.

Welcome Chat App Harvesting User Data and Storing it in Unsecure Location


A messaging platform for Android, Welcome Chat spies upon its users and stores their data in an unsafe location that is accessible to the public. The authors of the app claim it to be available on the Google Play store, meanwhile, marketing it to be a secure platform for exchanging messages which however is not true by any means.

The website of the malicious 'Welcome Chat' app publicizes the platform as a secure communication Android solution, however, security researchers from ESET discovered the app being associated to a malicious operation having links to a Windows Trojan called 'BadPatch' which was employed by Gaza Hackers in a malicious campaign – a long-running cyber espionage campaign in the Middle-East. While the origins of the website advertising the app are unknown, the domain was registered by the developers in October 2019. Interestingly, the app doesn't only function as spyware but works perfectly as a chatting platform as well.

After downloading the app, users need to give permission for allowing installation from unknown sources as the app was not installed via the official app store. Once the Welcome Chat is activated, it asks permission to access the user's contacts, files, SMS, location details, and record audio. Although the list of permissions gets pretty exhaustive for a user to not doubt it, then again they are used to it, especially in case of a messaging platform.

As soon as the app receives all the permissions, it starts mining the victim's data which includes phone recordings, location details, SMS messages and sends it to the cybercriminals behind the malicious operation.

While giving insights about the app, Lukáš Štefanko, researcher at ESET, told, “In addition to Welcome Chat being an espionage tool, its operators left the data harvested from their victims freely available on the internet. And the app was never available on the official Android app store.”

“We did our best to discover a clean version of this app, to make its developer aware of the vulnerability. But our best guess is that no such app exists. Naturally, we made no effort to reach out to the malicious actors behind the espionage operation,” added Štefanko.

Devicelock: data from 115 thousand Russians was put up for sale on the Web


A database with the data of Russians stuck abroad because of the coronavirus and returning to their homeland was put up for sale, its authenticity has not been confirmed, said Ashot Hovhannisyan, Technical Director of DeviceLock.

According to him, the first announcement of the sale appeared in late April. The seller asked for 240 thousand dollars for the database and claimed that it contained 79.6 thousand lines.

The seller did not provide any evidence that this database exists and it is authentic, and a few days later removed the advertisement.

In June, a similar offer appeared from another seller, who claims that the database is relevant for the current month and it has about 115 thousand lines. The data was estimated at 66.6 bitcoins (about 627 thousand dollars).

"Based on the samples provided by the seller, we can say that the database contains 58 columns, including full name, date of birth, passport data, address, phone number, e-mail, date of entry and exit from Russia, date of application on the public services portal, as well as Bank card and account data, passport data and country of location," said Hovhannisyan.

He explained that, most likely, the database was copied when it was transferring from one Department to another via electronic communication channels.

Expert added that it is also likely that this is a fake, since the seller put an unusually high price and did not confirm the authenticity of the data, except for screenshots with 34 lines.

The expert warned that if the database exists, victims may receive phishing emails about allegedly accrued compensation and receive calls from fraudsters asking them to name the code from the Internet Bank.

According to Hovhannisyan, the seller writes that he uses the database for carding, purchasing App Store & iTunes Gift Card gift certificates with the existing card details, which he then sells.

Maze Ransomware Operators Leaked 2GB of Financial Data from Bank of Costa Rica (BCR)


Bank of Costa Rica (BCR) has been receiving threats from the threat actors behind Maze ransomware who have stolen credit card details from the bank, the ransomware gang started publishing the encrypted financial details this week.

The Banco de Costa Rica is one of the strongest state-owned commercial banks operated in Costa Rica, starting from humble origins of mainly being a private commercial bank, it expanded to become a currency issuer and one of the most renowned baking firms in Central America contributing largely in the financial development of the nation.

The hacker group behind the data leak have demanded a ransom from Banco de Costa Rica at various occasions, however, to their dismay they observed a lack of seriousness in the way the bank dealt with these previous leaks and it served as a primary reason that motivated the latest data leak, according to an interview with Maze ransomware operators.

As per the claims made by the attackers, Banco de Costa Rica's network remained insecure till February 2020; it was in August 2019 when they first compromised the bank's network and the second attempt was made in the month of February 2020 to see how the security has been improvised – if at all so.

The 2GB of data published by the Maze ransomware attackers on their leak site contains the details of at least 50 Mastercards and Visa credit cards or debit cards, a few being listed more than once.

As per the statements given by Brett Callow, a threat analyst with Emsisoft to ISMG, "Like other groups, Maze now weaponizes the data it steals,"

"The information is no longer simply published online; it's used to harm companies' reputations and attack their business partners and customers."

"The Maze group is a for-profit criminal enterprise who are out to make a buck," Callow says. "The credit card information has been posted for one of two reasons: Either to pressure BCR into paying and/or to demonstrate the consequences of non-compliance to their future victims," Callow further told.

'ShinyHunters', a Hacker Group Selling Databases of 10 Organization on the Dark Web for $18,000


A group of hackers has put the user databases of 10 companies for sale on the dark web, a part of the internet world that requires specialized software to be accessed, it isn't normally visible to search engines. 

The group that is selling more than 73.2 million user records goes by the name of 'Shinyhunters' and was reportedly behind the breach of Indonesia's biggest online store, Tokopedia. Notably, it's the success of Tokopedia's breach that has encouraged the hackers to steal and sell data from various organizations including Zoosk (online dating app, 30 million records), Minted (online marketplace, 5 million records), Chatbooks (Printing service, 15 million records), Mindful (Health magazine, 2 million records), Bhinneka (Indonesia online store, 1.2 million records), Home Chef (Food delivery service, 8 million records) and others. The samples of the aforementioned stolen records have been shared by the hackers; security experts have verified the same to confirm the authenticity of most of the databases that are being sold separately by the hackers for almost $18,000. However, the legitimacy of some of the enlisted user records is yet to be proved. Despite the ambiguity and confusion, ShinyHunters seems to be a well-founded threat actor as per community sources. 

In the last week's breach targeting Tokopedia, initially, hackers published 15 million user records for free, however, later on, the organization's full database containing around 91 million records was put on sale for $5,000. 

Allegedly the hacker group has also been involved in the data breach of a very popular Facebook-funded education initiative, Unacademy, the breach affected a total of 22 million user records. 

Reports indicate that the data posted by hackers contain authentic databases that could lead to serious concerns for all the affected organizations, although there are limited insights available about ShinyHunters, the modus-operandi of the hacker group resembles that of Gnosticplayers, a computing hacking group that made headlines for selling stolen data of the dark web with its latest victim being Zynga Inc, a mobile social game company.

Around 25,000 Email Addresses and Passwords Belonging to NIH, WHO, World Bank and Others Posted Online


The SITE Intelligence Group, a non-governmental US-based consultancy group that monitors online activities of international terrorist groups and tracks global extremism, recently discovered around 25,000 email addresses and passwords being posted online by unidentified activists. Reportedly, these credentials belong to the World Health Organisation, National Institutes of Health, the Gates Foundation, and various other organizations united in the global battle against COVID-19 – working to contain the spread of the Coronavirus.

The data of unidentified origins was exposed on Sunday and Monday and straight away used by cybercriminals to make attempts at hacking and take advantage of the posted information by causing incidents of harassment led by far-right extremists. The information made its first appearance on 4chan, an imageboard website where people anonymously post their opinions on subjects ranging from politics, anime, music, video games to sports and literature. It then subsequently appeared on Pastebin, Twitter, and Telegram groups belonging to far-right extremists.

However, the authenticity of the email addresses and passwords is still in question as the SITE said it was unable to verify the data. As per Robert Potter, an Australian cybersecurity expert, the 2,732 emails and passwords belonging to WHO were found to be authentic.

The biggest victim of the incident was NIH with a total of 9,938 emails and passwords being exposed, following NIH was the Centers for Disease Control and Prevention with the second largest number i.e., 6,857 and the World Bank with a total of 5,120, according to the report by SITE. All three organizations were quick to decline the requests of making any comment on the matter.

While providing insights, SITE's executive director, Rita Katz said, “Neo-Nazis and white supremacists capitalized on the lists and published them aggressively across their venues.”

“Using the data, far-right extremists were calling for a harassment campaign while sharing conspiracy theories about the coronavirus pandemic. The distribution of these alleged email credentials was just another part of a months-long initiative across the far right to weaponize the covid-19 pandemic.” She further added.

Meanwhile giving assurance, Twitter spokeswoman Katie Rosborough said, “We’re aware of this account activity and are taking widespread enforcement action under our rules, specifically our policy on private information. We’re also taking bulk removal action on the URL that links to the site in question.”

UK-Based Network Rail Confirms Online Exposure of Wi-Fi User Data


The travel details and email addresses of around 10,000 commuters who used free wi-fi provided at UK railway stations were exposed online, as per the confirmations given by UK-based Network Rail. The unfortunate event affected a number of railway stations including London Bridge, Norwich, Harlow Mill, Chelmsford, Colchester, Waltham Cross, and Burnham.

The incident came into light when a security researcher Jeremiah Fowler, from Security Discovery, discovered an unprotected database online consisting of 146 million records, it included personal information of travelers such as their contact details and DOBs. The confirmation on the incident followed after three days by the Network Rail and the service provider C3UK who took immediate measures to protect the leaked database, a backup copy containing around 10,000 email addresses of the commuters.

On 14 February, Fowler tried to contact C3UK and sent two emails over six days for which he did not receive any feedback. Reportedly, the data was not misused or stolen by any third party, therefore C3UK chose not to notify the data regulator, the Information Commissioner's Office (ICO).

Network Rail strongly recommended the service provider C3UK to report the vulnerability and informed media that they will have their data protection team reach out to ICO and explain its stance on the matter.

While providing assurance and explaining its position on the matter, C3UK said, "To the best of our knowledge, this database was only accessed by ourselves and the security firm and no information was made publicly available."

"Given the database did not contain any passwords or other critical data such as financial information, this was identified as a low-risk potential vulnerability," it added.

Meanwhile, the ICO also confirmed to BBC that it hadn't been notified, "When a data incident occurs, we would expect an organization to consider whether it is appropriate to contact the people affected and to consider whether there are steps that can be taken to protect them from any potential adverse effects," it said.

In the wake of the incident, Greater Anglia, a Great Britain based train operating company, which manages some of the affected railway stations told that it stopped employing C3UK to provide its station wi-fi. Meanwhile, the provider for London Bridge station assured the corresponding Network Rail that it was an issue of low-risk and that "the integrity of people's information remains fully secure."

Data leak- Thousands of US defense contractors' data leaked !


A digital consultancy firm accidentally leaked personal information of thousands of defense contractor employees of United States due to A misconfiguration in cloud infrastructure .

 IMGE, a Washington DC based firm unintentionally revealed personal data like names, phone numbers, home and email addresses of more than 6000 Boeing staff as reported by The Daily Post.

 The employees whose data was leaked included defence staff, government relations staff, senior executives and even those who worked on prototyping unit on highly sensitive technologies.

 “This information was exposed as a result of human error by the website’s vendor,” a Boeing spokesperson told the news site. “Boeing takes cybersecurity and privacy seriously and we require our vendors to protect the data entrusted to them. We are closely monitoring the situation to ensure that the error is resolved quickly.”

 The data was collected by IMGE from a website called Watch US Fly, with the idea - “advancing and protecting American aerospace and manufacturing.” The website asks its users for contact details for future campaigns. The Daily Post reports that, Chris DeRamus, CTO of DivvyCloud, explained that cloud misconfigurations like this are increasingly common as many users aren’t familiar with cloud security settings and best practices.

“It is especially concerning that the database contained information about 6,000 Boeing employees, many of whom are heavily involved with the US government and military, as the exposed data is more than enough information for cyber-criminals to launch highly targeted attacks against those impacted to gain more confidential government information,” he added.

 “Companies who manage large amounts of sensitive data, especially data related to government and military personnel, need to be proactive in ensuring their data is protected with proper security controls. Companies must adopt robust security strategies that are appropriate and effective in the cloud at the same time they adopt cloud services – not weeks, months, or years later.”

The data of Alfa-Bank's clients is sold on the black market


The data of Alfa-Bank credit card holders, as well as Alfa Insurance customers came up for sale in the Darknet. The bank confirmed the leak saying that it affects a few customers and does not pose a threat to the money in the accounts.

Seller who published the ad on a hacker forum said that he has up-to-date data on about 3,500 Alfa-Bank customers and about 3,000 Alfa Insurance customers. The ad was published on October 31, the seller registered there on the same day.

To verify the data, the seller suggested to look at 23 contracts. They contained the full name, mobile phone number, passport data, registration address, the amount of credit limit or issued insurance, the subject of insurance, as well as the date of conclusion of the contract. According to the seller, all contracts of Alfa-Bank are issued in October.

When the investigator tried to transfer money by phone number, in 11 of the 13 credit card contracts, the names and first letters of the surnames matched. Also he phoned up nine customers, most of them confirmed that they had recently issued a credit card at Alfa Bank. Fraudsters have already managed to make a call to one of the clients, after which he blocked the card.

Alfa-Bank confirmed the leak. "At the moment, it is reliably known about the illegal distribution of personal data of 15 clients. The occurrence of this situation is not the result of a violation of the protection of the corporate information system of the Bank, " - said the representative of the Bank.

According to him, the leak does not pose a threat to customer accounts, as it does not have data to access them.

Indeed, the contracts do not contain card numbers and CVV-codes, so fraudsters will not be able to get direct access to the money. However, they can use the information to call a customer under the guise of a Bank and find out the necessary information to steal money.
Alfa Insurance has introduced additional security measures and is investigating the publication of customer data.

Recall, in early October Sberbank confirmed of credit card accounts, which affects at least 200 customers of the Bank. It was announced that 60 million credit cards were in the public domain.

China supported website attacks Hong Kong activists : leaking their personal details online!


HK Leaks, a notorious website is targeting Hong Kong pro-democracy supporters, leaking their personal details online and there seems to be no way of catching the site and stopping it.

The website is using a Russian based server and is also supported by China's ruling Communist Party. From Journalists to lawmakers, around 200 individuals, those supporting the protests in Hong Kong have been "doxxed"- had their personal details broadcasted online by the site.

Since June anti-government protests have rocked Hong Kong against proposals to allow extradition to mainland China and clashes between the activists and police have become increasingly violent, with police firing live bullets and protesters attacking officers and throwing petrol bombs. With this new development, of doing activists; the situation shows no sign of dying down.

Privacy Commissioner Stephen Wong said he had ordered HK Leaks to take down all posts but the site remains online. On the home page of the website, a picture of black-clad protester is shown and a banner in Chinese saying, "We want to know who these people are and why they are messing up Hong Kong!". Phone numbers, addresses and personal details of hundreds of people are posted with their "misdeeds". And it is illegal in Hong Kong to disclose certain personal details, including phone numbers, without consent.

HK Leaks has a very sophisticated operation, designed to evade prosecution. It is registered anonymously on a Russian server, DDOS-Guard and has changed domain three times since August.

"The IP address that is shown for the website is not that of the website itself but of the DDOS-Guard company," cybersecurity expert Brian Honan said. The site has a bulletproof anonymous hosting, and whoever is running the website is very good at what they do. It ran as hkleaks.org in early August then migrating to hkleaks.ru, which discontinued in late October and since then three more similar domains have been used by the site.

"This site seems to be really well set up to reveal as little as possible and it doesn't use lots of external services, like buttons, statistics trackers, various scripts that would leak information," said Maarten Schenk, co-founder of the fact-check site Lead Stories.

To extract any details from the domain registrar, a court order would be necessary and the site is heavily supported by the big guns of China with heavy traffic, which is 175,000 unique page views. Chinese Communist Youth League, a group linked to China's Communist Party, has promoted the site's content on its official Weibo accounts. The state-run broadcaster, CCTV and Global Times newspaper, also posted similar messages on their social media accounts.

Some victims also accused the Chinese authorities of involvement behind the leaks, said that the fake address they gave the police during an interrogation showed up on the website HK Leaks.

The data of almost 9 million customers of Russian mobile operator Beeline was in the public domain


The database of 8.7 million former and current Beeline mobile customers was in the public domain. The test showed that the data is relevant. This database contains data of customers who connected Beeline home Internet. According to the press service of the mobile operator reported that the data leak was recorded in 2017, and the perpetrators were identified. Beeline assured that now most of the information is outdated data.

According to experts, the information in the database is enough for attacks using social engineering methods, and there are still no ways to deal with fraudsters of this kind.

According to the Beeline press service, the company immediately established an operational headquarters to investigate the situation.

"Part of the information in the distributed archive does contain the data of the subscriber base of customers, however, a significant part of the information is outdated and irrelevant," the company said.

They also noted that Beeline’s customer base at the end of the second quarter of 2019 was 2.5 million subscribers, and not eight million, as attackers say.

The company assured that they are making every effort to ensure that this does not happen again.

"We appealed to all file-sharing resources where information about customers was posted. Many of them immediately agreed to remove it," Beeline said.

It is noted that the criminals are trying to re-publish the data, which indicates their desire to discredit the company.

"Our security service is investigating this incident, we will be grateful for any information that will help this work, both from our customers and from colleagues in the market," the press service said.

It also reported that the company is working closely with the competent authorities and agencies to prevent the disclosure of personal data not only of its customers, but also customers of all Telecom operators.

The company assures that outsiders do not have the opportunity to carry out transactions with the accounts and tariffs of their customers.