Security Bug Detected in Google’s Android App

 

A vulnerability existed in Google's eponymous Android app, which has over five billion downloads to date, that might have enabled an attacker to stealthily steal personal information from a victim's device.

In a blog post, Sergey Toshin, the founder of Oversecured Mobile App Security Group, noted that the issue lies in the way the Google app relies on code that is not packaged with the app directly. Several Android apps, notably the Google application, decrease download size and storage space by depending on code libraries installed on Android smartphones.

However, the shortcoming in Google's code allowed a malicious application to inherit the permissions of the Google app, giving it almost complete access to a user's data.

The malicious application could also pull the code library from a malicious app on the very same device rather than its legitimate code library. This access extends to Google user accounts, search histories, e-mails, text messages, contacts, and call history, as well as microphone/camera triggering and user location.

Toshin added that the malicious application must be activated once for the attack to start, but the attack is then carried out without the knowledge or cooperation of the user. He added that removing the malicious program will not remove malicious components from the Google app.

A Google spokesman said that the company addressed the issue last month and that there was no proof that attackers had been using the flaw. Android's built-in malware scanner, Google Play Protect, will stop the installation of harmful apps. However, no safety feature is absolute, and malicious apps are already on the internet.

Toshin stated that the vulnerability in Google's app is similar to a bug identified in TikTok earlier this year that would allow an attacker to hijack a TikTok user's session tokens, which can be used to gain control of the account.

Oversecured identified several other identical vulnerabilities, including in the Google Play app for Android and in more recent pre-installed apps on Samsung phones.

Audi And Volkswagen's Data Breach Affected 3.3 Million Customers

 

Volkswagen announced that a massive data breach exposed the personal information of over 3.3 million customers after one of its vendors left a cache of customer data unencrypted on the internet. In a letter to customers, Volkswagen said that the vendor utilized by Volkswagen, its subsidiary Audi, and authorized dealers in the United States and Canada had left customer data from 2014 to 2019 unsecured for two years between August 2019 and May 2021. 

Personal information about clients and potential buyers was included in the data, which was collected for sales and marketing purposes. Volkswagen Group of America, Inc. (VWGoA) is the German Volkswagen Group's North American subsidiary, responsible for Volkswagen, Audi, Bentley, Bugatti, Lamborghini, and VW Credit, Inc. operations in the United States and Canada.

Between August 2019 and May 2021, a vendor left insecure data accessible on the Internet, according to data breach notices submitted with the California and Maine Attorney General's offices. This specific vendor informed the VWGoA in March that an unauthorized person had gained access to the data and may have accessed customer information for Audi, Volkswagen, and some authorized dealers. 

According to VWGoA authorities, the hack affected 3.3 million customers, with almost 97% of those affected being Audi customers or potential buyers. The data breach appears to have exposed information ranging from contact information to more sensitive data including social security numbers and loan numbers. 

"The data included some or all of the following contact information about you: first and last name, personal or business mailing address, email address, or phone number. In some instances, the data also included information about a vehicle purchased, leased, or inquired about, such as the Vehicle Identification Number (VIN), make, model, year, color, and trim packages," disclosed VWGoA in a data breach notification. 

"The data also included more sensitive information relating to eligibility for purchase, loan, or lease. More than 95% of the sensitive data included was driver’s license numbers. There were also a very small number of dates of birth, Social Security or social insurance numbers, account or loan numbers, and tax identification numbers." 

The hackers are demanding between $4,000 and $5,000 for all of the records, claiming that the database contains no social security numbers. The threat actors earlier stated that the database for a VPN service provider with various Android apps on the Google Play Store was on sale for $1,000. 

Volkswagen is offering free credit protection and monitoring services to the 90,000 customers whose personal information was exposed, as well as $1 million in identity theft insurance.

Carnival Cruise Line Unveiled a New Data Breach

 

Carnival Corporation, one of the biggest cruise ship operators in the world, is another major firm to reveal that it has been affected by a data breach.

Carnival Corp. encountered unauthorized access to its computer networks on 19 March. According to the company, authorities have been contacted and a cybersecurity company has been hired.

The investigation found that third parties, using a "limited number of e-mail accounts," could access personal information of clients, staff, and crew of its Carnival, Holland America, and Princess cruise lines.

The data obtained included names, addresses, telephone numbers, passport numbers, birth dates, health information, and in some cases additional information, such as national identity or Social Security numbers.

According to Carnival, the impacted information includes “data routinely collected during the guest experience and travel booking process or through the course of employment or providing services to the company, including COVID or another safety testing.” The Carnival letter stated that there was a "low likelihood" that the data was exploited.

It is worth noting that ever since 2019 Carnival has been attacked by numerous cyber threat actors, including last summer's ransomware attack. Just as cruise lines start booking trips following an extended COVID-19 halt, Carnival faces yet another question mark on cyber safety, said Erich Kron, the KnowBe4 security adviser. 

Kron said it is no surprise that the company has been attacked, given the type and volume of data it gathers, and that Carnival records some information that is highly valuable to attackers.

By their very nature, most large cruises visit ports abroad, so operators acquire sensitive data that is necessary for customs processing and other travel-related purposes. Such attacks are generally initiated by e-mail phishing, and firms seeking to avoid problems like Carnival's would be advised to invest in high-quality e-mail filters and an employee training program focused on recognizing e-mail phishing attacks and on proper password hygiene.

John Bambenek, Threat Intelligence Advisor at Netenrich, stressed that the organization needs to ask some important questions about what it is doing to secure sensitive information, since it has been hit three times in the past few months.

“At a certain point, they are advertising to the world that they are an easy target and can look forward to more frequent and serious attacks,” Bambenek added.

Carnival Cruise Line is a multinational cruise line with its headquarters in Doral, Florida. It is a division of Carnival Corporation & plc. The corporation operates several of the largest cruise lines, including the Princess Cruises and Carnival Cruise Line. 

Fraudsters are Mailing Modified Ledger Devices to Steal Cryptocurrency

 

Scammers are mailing fraudulent replacement devices, which are being used to steal cryptocurrency wallets, to Ledger customers who were recently exposed in a data breach.

With increased cryptocurrency values and the use of hardware wallets to secure crypto funds, Ledger has become a frequent target for scammers. After receiving what appeared to be a Ledger Nano X device in the mail, a Ledger user described a devious scam on Reddit. The gadget arrived in authentic-looking packaging with a sloppy letter claiming that it was sent to replace their existing device because their customer information had been leaked online on the RaidForums hacker community.

"For this reason for security purposes, we have sent you a new device you must switch to a new device to stay safe. There is a manual inside your new box you can read that to learn how to set up your new device," states the fake letter from Ledger.

"For this reason, we have changed our device structure. We now guarantee that this kinda breach will never happen again." 

Despite the fact that the letter contained numerous grammatical and spelling issues, the information for 272,853 persons who purchased a Ledger device was published on the RaidForums hacking site in December 2020. This provided a slightly convincing reason for the new device's arrival. 

A shrinkwrapped Ledger Nano X box was also included in the package, containing what appeared to be a genuine device. After becoming skeptical of the device, the recipient opened it and posted photos of the printed circuit board on Reddit, which clearly showed that the device had been modified.

Based on the photos, Mike Grover, a security researcher and offensive USB cable/implant expert, told BleepingComputer that the threat actors had added a flash drive and hooked it to the USB port.

Grover told BleepingComputer in a conversation about the photographs, "This appears to be a simple flash drive slapped on to the Ledger with the purpose of being for some form of malware delivery." 

"All of the components are on the other side, so I can't confirm if it is JUST a storage device, but.... judging by the very novice soldering work, it's probably just an off-the-shelf mini flash drive removed from its casing." 

Examining the image, Grover highlighted the flash drive implant connected to the wires, stating, "Those 4 wires piggyback the same connections for the USB port of the Ledger."

The enclosed instructions tell people to connect the Ledger to their computer, open the drive that appears, and execute the accompanying application. According to the guidelines, the person then enters their Ledger recovery phrase to import their wallet to the new device.

A recovery phrase is a human-readable seed that is used to produce a wallet's private key. Anyone with this recovery phrase can import a wallet and gain access to the cryptocurrency contained within it. After entering the recovery phrase, it is sent to the attackers, who use it to import the victim's wallet on their own devices to steal the contained cryptocurrency funds. 

Ledger has acknowledged this fraud and issued warnings about it in May on its dedicated phishing page.

Recovery phrases for Ledger devices should never be shared with anybody and should only be input directly on the Ledger device the user is trying to recover. If the device does not allow the phrase to be entered directly, the user should only use the Ledger Live application downloaded straight from Ledger.com.

Ledger customers flooded with scams: 

In June 2020, an unauthorized person gained access to Ledger's e-commerce and marketing databases, resulting in a data breach. 

This information was "used to send order confirmations and promotional mailings — largely email addresses, but with a subset that also included contact and order details including first and last name, postal address, email address, and phone number." 

Ledger owners began receiving phishing emails directing them to fraudulent Ledger apps that would fool them into entering their wallet's recovery phrases. After the contact information for 270K Ledger owners was disclosed on the RaidForums hacker community in December, these scams became more common.

The leak resulted in phishing operations posing as new Ledger data breach notifications, SMS phishing texts, and software upgrades on sites imitating Ledger.com.

Emails and Passwords of Government Officials Exposed due to Data Breaches

 

Hundreds of Union government officials' emails and passwords have been exposed to hackers as a result of recent data breaches of Air India, Domino's, and Big Basket, according to the government. The Hindu obtained a copy of an internal document that stated that compromised emails on government domains such as @nic.in and @gov.in are potential cyber threats because they are being exploited by "adversaries" to send malicious emails to all government users. 

A malicious web link provided on WhatsApp and SMS days after the alert was sent on June 10 targeted many government offices, including Defence Ministry officials, requesting them to update their vaccination status. The message directed officials to https://covid19india.in to generate a digital certificate of COVID-19 inoculation, forwarding them to a page called "@gov.in," which looks similar to the government website mygov.in, and asking for their official e-mail and password. 

According to cyber expert Rajshekhar Rajaharia, the website was hosted in Pakistan in June. “The page mentioned @nic.in email IDs to make the official believe it is a government page. The purpose seemed to be getting the e-mails and passwords of only government officials and get unauthorised access to government systems, the page does not accept any other domain such as gmail.com,” said Mr. Rajaharia. 

On May 15, Air India informed passengers that its passenger service system, which is provided by multi-national IT company SITA, was the target of a sophisticated cyber-attack in the last week of February that affected nearly 45 lakh “data subjects” worldwide who registered between August 26, 2011 and February 3, 2021. Officials from the government are frequent travellers on Air India. 

The alert sent to officials said, “It is intimated that recent data breaches of Air India and other companies like Domino’s, Big Basket etc. have resulted in exposure of e-mail ID and passwords of many users, which includes lots of government email IDs as well. All such compromised gov. domain emails are potential cyber threats as they are being used by the adversaries to send out malicious mails to all gov email users. It may please be noted that largely these are name based email IDs which are available with the malicious actors.” 

On March 1, the Union Power Ministry announced that multiple Indian power centres had been targeted by “state-sponsored” Chinese cyber gangs. Recorded Future, a cyber security and intelligence organization based in the United States, determined that Chinese state-sponsored actors may have infiltrated Indian power grids and seaports with malware.

RockYou2021: The Largest Data Leak with 8.4 Billion Passwords

 

According to Cybernews, what appears to be the world's largest password collection, called RockYou 2021, has been leaked on a famous hacker site. A forum user uploaded a 100GB TXT file containing 8.4 billion password entries. 

All of the passwords in the leak, according to the author, are 6-20 characters long, with non-ASCII characters and white spaces eliminated. According to the same individual, the collection has 82 billion passwords. However, Cybernews discovered that the actual figure was roughly ten times lower, at 8,459,060,239 entries, after conducting its own testing. 

The forum member has named the compilation ‘RockYou2021,' probably in allusion to the historic RockYou data breach that occurred in 2009 when threat actors hacked into the social app website's servers and obtained over 32 million user passwords stored in plain text. 

This leak is comparable to the Compilation of Many Breaches (COMB), the largest data breach compilation ever, and it exceeds its 12-year-old namesake by more than 262 times. The RockYou2021 compilation, which the individual behind it accumulated over several years, contains COMB's 3.2 billion hacked credentials, as well as credentials from numerous other hacked databases. Given that only roughly 4.7 billion people are online, the RockYou2021 compilation might theoretically contain the passwords of the entire global online population almost two times over.

“By combining 8.4 billion unique password variations with other breach compilations that include usernames and email addresses, threat actors can use the RockYou2021 collection to mount password dictionary and password spraying attacks against untold numbers of online accounts,” CyberNews notes.

“Since most people reuse their passwords across multiple apps and websites, the number of accounts affected by credential stuffing and password spraying attacks in the wake of this leak can potentially reach millions.”

If you feel one or more of your passwords may have been exposed as a result of the RockYou2021 incident, you should change your passwords for all of your online accounts right away. A password manager, according to Cybernews, can help you build strong, complex passwords that aren't easy to remember. You may also set up two-factor authentication (2FA) across all of your accounts. Finally, as always, carefully check all unsolicited spam emails, phone calls, and text messages for signs of phishing.

Hackers Target American Retail Businesses, FINRA Scolds Brokerage Firms

 

While American corporations face an overwhelming wave of cyberattacks, American retail businesses are also struggling against a rise in hackers breaking into their accounts and investments. FINRA (Financial Industry Regulatory Authority), the market's self-regulatory body, said in a recent notice that it had received several complaints related to customer accounts being hacked. The incidents involved attackers using stolen customer information, such as login credentials, to break into customers' online brokerage accounts.

According to MarketWatch, "Ari Jacoby, chief executive and co-founder of cybersecurity firm Deduce, backed up this statement with data showing that account-takeover fraud increased by roughly 250% from 2019 to 2020. He told Security.org that account-takeover prevention is a $15 billion market that is 'growing significantly year-over-year.'" FINRA finds two factors that might be responsible for the surge in account takeover incidents.

The first is an increase in the use of online services and brokerage apps, which allows hackers to break into user accounts using login IDs and passwords that they buy on the dark web. It becomes very easy for hackers to find customers' login credentials because many users use the same password combinations for multiple accounts. The second is the Covid-19 factor. "Customer account-takeovers have been a recurring issue, but reports to FINRA about such attacks have increased as more firms offer online accounts, and as more investors conduct transactions in these accounts. In part due to the proliferation of mobile devices and applications and the reduced accessibility of firm’s physical locations due to the COVID-19 pandemic," reports FINRA.

The Securities and Exchange Commission is also keeping an eye on these incidents and is pressing brokerage firms hard for not keeping a check on suspicious activities. MarketWatch says, "But most individual investors don’t have to wait for the SEC or FINRA to come to their rescue, because this sort of criminal activity is largely enabled by a lack of vigilance on the part of victims, including requesting that their broker send them suspicious login alerts and using two-factor authentication, according to Jacoby."

Cybercrime Forum Publishes Alleged Database, Source Code From Russian Firm That Helped Parler

 

A seller on a famous cybercrime website claims to be selling source code and a database that they claim belongs to DDoS-Guard, the Russia-based hosting firm that helped social media company Parler relaunch after Amazon Web Services banned it. 

DDoS-Guard also offers computing capacity and restricts the recognition of website owners of hundreds of shady resources involved in unlawful goods sales, gambling, and copyright infringements, according to Group-IB research on online piracy. 

On May 26, Group-IB, a global threat hunting and adversary-centric cyber intelligence firm specializing in investigating and combating high-tech cybercrime, uncovered a database supposedly connected to bulletproof hosting provider DDoS-Guard that was placed for sale on a cybercrime website.

Customers' names, IP addresses, and payment details are allegedly stored in the database. In addition to the database, the threat actor claims to possess the DDoS-Guard infrastructure's source code. The entire collection is currently up for auction, with a starting bid of $350,000. Since the threat actor did not offer a sample, it is impossible to verify the legitimacy of the allegedly stolen material. 

“Initially, the threat actor was auctioning off the lot with a starting price of $500,000. Shortly after the amount was reduced to $350,000,” stated Oleg Dyorov, Threat Intelligence analyst at Group-IB. “The threat actor didn’t provide a sample of the database, which makes it impossible to verify the authenticity of the reported stolen database and the source code. The seller registered this account on exploit in January 2021 and has been looking to buy access to different corporate networks ever since. It is only the second time that they are trying to sell data on the forum. Despite the regular activity, the threat actor has no reputation on the forum and has made no deposits yet.” 

According to the Group-IB Threat Intelligence & Attribution system, this user had an account on exploit[.]in before being barred by the forum administrators for refusing to use the escrow service. DDoS-Guard provides DDoS prevention, CDN, and hosting services, and its data is allegedly being traded on a hacker site. 

“As an international certified emergency response team, we get to interact with dozens of hosting providers around the world every day to ensure violations are removed promptly,” says Reza Rafati, a senior analyst at CERT-GIB in Amsterdam. 

“Whenever we establish a connection with this company, it immediately reflects a red flag. We’ve seen a number of rogue websites hosted by DDoS-Guard. They were almost impossible to take down. Their answer to our numerous complaints on them protecting illegal resources is that they are not the owners of these websites. Such a safe environment for illicit online activity doesn’t do any good for the global effort against cybercrime.”

New Zealand Reserve Bank: Taking Action to Respond to Data Breach Reports

 

Two independent investigations into an unauthorized data breach and the handling of sensitive information have been announced by the Reserve Bank of New Zealand. 

“The Bank accepts the findings and has implemented, and will continue to implement, the recommendations,” stated Reserve Bank Governor Adrian Orr. 

“As signalled in our Statements of Intent, we are well advanced on multiyear investment initiatives related to our digital systems and data management. We have prioritized these initiatives consistent with the recommendations outlined in the reports.”

On December 25, 2020, the Reserve Bank became the target of a cyber-attack on the third-party application it utilizes to exchange and store information. Following that, KPMG was appointed to conduct an independent investigation into the bank's rapid response to the security incident and identify areas where the bank's systems and processes may improve. 

He also stated that, despite being the victim of a massive illegal attack on the file-sharing system, the Reserve Bank accepts complete responsibility for the inadequacies identified in the KPMG report.

“We were over-reliant on Accellion – the supplier of the file transfer application (FTA) – to alert us to any vulnerabilities in their system. In this instance, their notifications to us did not leave their system and hence did not reach the Reserve Bank in advance of the breach. We received no advance warning.”

As per KPMG, the bank's controls and processes need to be enhanced, which is now being done. If these procedures had been in place at the time of the unlawful breach, the damage would have been lessened. 

Background 

In late 2020, the Bank recruited Deloitte to conduct an independent investigation to assist the Reserve Bank of New Zealand in better managing sensitive data. This was in response to two incidents in which sensitive information was improperly kept in a draft internal report and disclosed to a small group of financial services firms just before it was made public. 

Initiatives to put the report's recommendations into action are also underway. The Bank estimates that the total cost of the security breach response, including internal resources, will be around $3.5 million.

In January 2021, the Reserve Bank discovered a data breach through Accellion FTA, a third-party file-sharing application that was utilized to share and store information. As part of the inquiry into the event, the Bank recruited KPMG to conduct an independent assessment of its systems and processes.

Canada Post's Data Breach Affected 950K Customers

 

The state-owned postal service, Canada Post, has reported that a cyber-attack on a third-party provider resulted in a data breach affecting 950,000 parcel recipients. Canada Post Corporation, also known as Canada Post, is a Crown corporation that serves as the country's major postal operator.

Canada Post claimed in a press release on May 26 that it had notified 44 "major business customers" that they may have been compromised by "a malware assault" targeting Commport Communications, a supplier of electronic data interchange (EDI) services. 

On May 19, the supplier informed Canada Post that “manifest data housed in their systems, which was related with some Canada Post customers, had been compromised.” 

It stated that the data was compromised between July 2016 and March 2019, with 97% of it containing the names and addresses of receiving consumers. According to the firm, the remaining 3% contained email addresses and/or phone numbers. The Crown corporation has already "taken preventive measures and will continue to take all required efforts to mitigate the repercussions," according to the statement. 

“Canada Post will also incorporate any learnings into our efforts, including the involvement of suppliers, to enhance our cybersecurity approach which is becoming an increasingly sophisticated issue,” the statement further read.

According to Canada Post, a thorough forensic investigation was conducted, but “no evidence” of financial information being compromised was found. Despite the fact that the breach was caused by a supplier, Canada Post claimed in a statement on Wednesday that they “sincerely regret the difficulty this may cause our valued customers. Canada Post respects customer privacy and takes matters of cybersecurity very seriously.”

“We are now working closely with Commport Communications and have engaged external cybersecurity experts to fully investigate and take action,” the company said.
 
The postal service is currently "proactively alerting" impacted business clients, as well as providing the required support and information "to help them select their future steps." “The Office of the Privacy Commissioner has been notified,” Canada Post said.

In November 2020, Canada Post mentioned "a potential ransomware issue" reported by Commport Communications to its IT division, Innovapost. However, “Commport Communications advised there was no evidence to imply any customer data had been hacked at that time,” according to the report.

45 Lakh Customer Data Compromised as Air India Servers Get Hacked

 

A massive cyberattack was perpetrated against the domestic carrier Air India, which compromised passengers' data including passports, contacts, ticket information, and credit card information. 

Air India is India's flag carrier, based in New Delhi. It owns and runs the Airbus and Boeing aircraft fleet serving 102 national and international destinations and is operated by Air India Limited. 

The airline stated that the incident impacted about 4,500,000 data subjects worldwide. The company further added that the violation involved data from somewhere between August 2011 and February 2021. 

“The breach involved personal data registered between 26 August 2011 and 3 February 2021, with details that included name, date of birth, contact information, passport information, ticket information, Star Alliance and Air India frequent flyer data (but no passwords data were affected) as well as credit cards data,” a message from Air India reads. 

While the airline has admitted that credit card details were breached, it has made it clear that its data processors did not hold the CVV/CVC numbers, which are the key to carrying out transactions.

"Our data processor of the passenger service system (which is responsible for storing and processing of personal information of the passengers) had recently been subjected to a cybersecurity attack leading to personal data leak of certain passengers. This incident affected around 4,500,000 data subjects in the world," said the statement issued by Air India. 

The state-owned flight operator also mentioned that the first communication concerning the data violation had been obtained from its data processor on 25 February 2021. That being said, on March 25 and May 4, the identification of the data subjects concerned was given. 

"While we had received the first notification in this regard from our data processor on 25.02.2021, we would like to clarify that the identity of the affected data subjects was only provided to us by our data processor on 25.03.2021 and 5.04.2021," the statement said. 

Air India has also mentioned that it follows data protection policies and has started investigating the data protection incident. The airline is also securing vulnerable servers, engaging external computer protection experts, liaising with and notifying credit card issuers, and resetting Air India frequent flyer program passwords.

Data Breach: Affects Student Health Insurance Carrier guard.me

After a vulnerability enabled a threat attacker to access policyholders' personal details, student health insurance provider guard.me has taken their website offline. 

guard.me is among the world's largest insurance providers in international education, protecting thousands of individuals studying and working abroad. Founded in 1998 and incorporated in Canada as Travel Healthcare Insurance Solutions Inc. 

On May 12th, after a vulnerability permitted a threat actor to access policyholders' personal details, Guard.me discovered suspicious activity on their website. Visitors to the website are automatically redirected to a maintenance page informing them that the site is unavailable while the insurance provider enhances security. 

"Recent suspicious activity was directed at the guard.me website and in an abundance of caution we immediately took down the site. Our IS and IT teams are reviewing measures to ensure the site has enhanced security in order to return the site to full service as quickly as possible." displays on the guard.me website. 

Today, guard.me started sending out data breach notifications to students, according to BleepingComputer, stating that a website vulnerability enabled unauthorized people to access policyholders' personal details. 

"Our Information Systems team found suspicious activity on our website late on May 12, 2021, and as a precaution, they took down the website and took immediate measures to protect our systems. The security flaw has been fixed. Our investigators are working closely to discover more about the incident," guard.me states in the data breach notification.

The threat actor was able to gain access to students' dates of birth, sex, and encrypted passwords thanks to this flaw. The email addresses, mailing addresses, and phone numbers of certain students were also made public. 

According to the international student health insurance company, the bug was patched and urgent steps were taken to protect its systems, which have since withstood further attempts by its cybersecurity team to circumvent the additional protections. The insurance company also reports that it is implementing new security measures, such as database segmentation and two-factor authentication.

Guard.me is a Canadian corporation, so it's unclear whether it informed the Privacy Commissioner of Canada about the violation, and it hasn't responded to BleepingComputer's requests for more details.

Herff Jones Credit Card Breach: College Students Across the US Affected

 

Graduating students from many universities in the United States have reported fraudulent transactions after using payment cards at Herff Jones, a prominent cap and gown seller. Following the initial reports last Sunday, the company launched an investigation to assess the scope of the data breach. 

The complaints persisted this week, prompting others to review their credit card statements for fraudulent charges. Students at universities in Indiana (Purdue, IU), Boston, Maryland (Towson University), Houston (UH, UHD), Illinois, Delaware, Michigan, Wisconsin, Pennsylvania (Lehigh, Misericordia), New York (Cornell), Arizona (Wake Forest), Florida (State University), and California (Sonoma State) are affected by the issue. 

Herff Jones was entirely unaware of the data breach until students began to complain on social media about fraudulent charges to their payment cards. They all had one thing in common: they were graduating students who had purchased commencement gear at Herff Jones. Some of them had to withdraw their payment cards and file a dispute with the bank over the fraudulent charges.

Apart from delivery delays, the students said that they had been charged fraudulently for amounts ranging from tens of dollars to thousands of dollars. While the majority of reports indicate losses ranging from $80 to $1,200, one student said that a friend was charged $4,000. 

“Someone just bought a ps5 with my card info and I respect the hustle,” stated one student.  

A parent chimed in saying that their “daughter and about 30 other graduates that she knows of at her school (not Purdue) have had their debit cards compromised through HJ [Herff Jones].” 

According to one Cornell University senior, their credit card was stolen, and fraudsters attempted to charge $3,000 to "asics" and use it on adult content subscription service OnlyFans. Although the exact date of the Herff Jones violation is unknown, some of the earliest transactions date from the beginning of the month. Several students reported that they bought graduation products in April. 

Herff Jones released a statement on May 12th acknowledging the payment card data breach and apologizing for the incident.

Herff Jones said in a statement, “We sincerely apologize to those impacted by this incident. We are working diligently to identify and notify impacted customers.” The company is investigating the incident with the help of “a leading cybersecurity firm.”

Flipkart Users to Reset Passwords to Avoid Fraud: Cyber Expert

 

A data breach occurred recently at the e-commerce sites Flipkart and BigBasket. According to reports, BigBasket's latest data breach revealed the personal information of some Flipkart customers as well. Seven months after it was first discovered, the matter has resurfaced. 

According to an independent cybersecurity expert, an alleged leaked database may lead to unauthorized transactions from accounts of Flipkart customers who also used grocery platform BigBasket with the same user ID and passwords. 

In November, BigBasket was involved in a major data breach that exposed the personal information of over 2 crore users. Some users who shared the same credentials for Flipkart and BigBasket have complained that their accounts have been compromised as a result of the leak. As of now, this is just affecting Flipkart users. 

Cybercriminals are selling sets of email addresses and passwords of customers from allegedly leaked databases of BigBasket that match with accounts of e-commerce company Flipkart and Amazon, according to expert Rajashekhar Rajaharia. However, he said Amazon sends OTP for login when there is a change in the browser. 

'It seems, some people are selling Bigbasket Email: Password combinations as Flipkart data. People are using the same password for all websites. Almost all emails are matching with Bigbasket DB (database). Change your Flipkart Passwords asap,' Rajaharia tweeted. 

He also said that Flipkart accounts should be secured, and he posted about account details being sold on Telegram.

'Anyone with a combination of leaked email and password can easily log in from anywhere including VPN/TOR to Flipkart. Please mandatory 2FA (two-factor authentication) for all accounts,' Rajaharia said.

When contacted, a Flipkart spokesperson said that the company is absolutely dedicated to ensuring the safety and protection of customer data and that the company has "robust information security systems and controls in place." 

A Flipkart spokesperson told Inc42 in response to the data breach, “In addition, we run awareness campaigns through different media and social networks to raise awareness about fraudulent activities, educating consumers on best practices for a secure online experience and keeping their accounts safe from unscrupulous cyber elements.”

Apple Covered a Mass Hack on 128 Million iPhone Users in 2015

 

Apple and Epic are now embroiled in a legal dispute, and as a result, some shocking material has surfaced on the internet. Epic recently pointed to Apple's decision not to release the iMessage platform on Android as a demonstration of its desire to conquer the industry. Now, according to a recent email filed in court, Apple decided not to alert 128 million iPhone users of its first-ever mass hack. This was back in 2015, when the iPhone 6s series was first introduced.

The massive hack first came to light when researchers found 40 malicious App Store applications, a number that quickly grew to 4,000 as more researchers looked into it. The apps included malware that made iPhones and iPads part of a botnet that stole potentially sensitive user data.

According to an email filed in court last week in Epic Games' litigation against Apple, Apple managers discovered 2,500 malicious apps on September 21, 2015, that had been downloaded a total of 203 million times by 128 million users, 18 million of whom were in the United States. 

“Joz, Tom, and Christine—due to the large number of customers potentially affected, do we want to send an email to all of them?” App Store VP Matthew Fischer wrote, talking to Apple's Greg Joswiak, senior vice president of worldwide communications, and Tom Neumayr and Christine Monaghan, who work in public relations. 

The email continued: "If yes, Dale Bagwell from our Customer Experience team will be on point to manage this on our side. Note that this will pose some challenges in terms of language localizations of the email, since the downloads of these apps took place in a wide variety of App Store storefronts around the world (e.g. we wouldn’t want to send an English-language email to a customer who downloaded one or more of these apps from the Brazil App Store, where Brazilian Portuguese would be the more appropriate language)." 

About 10 hours later, Bagwell discusses the complexities of notifying all 128 million impacted customers, localizing updates to each user's language, and "accurately including the names of the applications for each client."

Unfortunately, it seems that Apple never carried out its plans. There was no indication that such an email was ever sent, according to an Apple spokesperson. Apple instead released only this now-deleted article, according to statements the representative submitted on background—meaning I'm not allowed to quote them.

Vulnerabilities Exposed Peloton User Data

 

Security research published this week states that unauthorized users might have been able to access confidential user information through recently patched vulnerabilities in Peloton's bike software. The same week, Peloton revealed that two of its treadmills were voluntarily recalled because of significant security concerns and vulnerability problems.

Pen Test Partners, a cybersecurity organization, said that earlier this year it found flaws that enabled unauthenticated users to use Peloton's API, the interface that handles communication between the bikes and Peloton's servers.

The bugs could let untrusted users access confidential information for all Peloton users, including live-class information, even when those users had selected personal mode settings for their account profiles, says Pen Test Partners.

Pen Test Partners informed Peloton and gave the company 90 days before publication to fix the vulnerabilities. However, Peloton "acknowledged the disclosure" but did not "fix the vulnerability," according to a blog post published by Pen Test Partners on Wednesday, 5th of May 2021.

TechCrunch first reported the bugs, which were publicly disclosed the same week. After the death of a child and accidents reported by hundreds of users, Peloton had to withdraw all its treadmills. These machines had the same insecure API.

A Peloton spokesman denied that confidential information might have been compromised, saying in an e-mail to The Hill, “the identification of vulnerabilities by itself does not constitute a breach.”

“No software is immune from bugs, and we aim to responsibly investigate reported vulnerabilities that we deem legitimate,” the spokesperson added. “Our security team is continuing their work to monitor attempts at unauthorized access by exploitation of these vulnerabilities.” 

Peloton also noted that when Pen Test Partners approached it, the company acted and addressed the vulnerabilities, but it was “slow to update the researcher about our remediation efforts.”

The company also praised Pen Test Partners founder Ken Munro for submitting the vulnerability reports and collaborating with it on them. Pen Test Partners later indicated that Peloton had resolved the vulnerabilities.

Amazon Fake Reviews Scam Exposed in Data Breach

The identities of over 200,000 people who appear to be participating in Amazon fraudulent product review schemes have been exposed by an open database. 

There is an ongoing struggle between the e-commerce giant and shady traders all over the world who want to hamstring rivals and gain an advantage by creating fake product feedback. The ways in which they function and remain under Amazon's radar differ, but an open ElasticSearch server has revealed some of their inner workings. 

Researchers from Safety Detectives reported on Thursday that the server, which was open to the public and accessible online, held 7GB of data and over 13 million documents that appeared to be connected to a widespread fake review scam. It is unknown who owns the server, but messages written in Chinese that were leaked during the incident indicate that the company might be based in China.

The database includes user names, email addresses, PayPal addresses, links to Amazon accounts, and both WhatsApp and Telegram numbers, as well as records of direct messages between consumers willing to provide false reviews and traders willing to pay them. The leak may implicate "more than 200,000 people in unethical activities," according to the team.

The database, as well as the messages it included, exposed the strategies used by suspicious sellers. One approach involves sending a customer a link to the goods or products for which the seller wants 5-star ratings, and the customer then makes a purchase. After a few days, the customer leaves a positive review and sends a message to the vendor, which results in payment via PayPal. The payment could be a 'refund,' while the item is kept for free. Fraudulent, paid reviews are more difficult to spot because the refund payments are made outside the Amazon website.

The open ElasticSearch server was discovered on March 1, but the owner could not be identified. On March 6, however, the leak was detected and the server was secured.

"The server could be owned by a third-party that reaches out to potential reviewers on behalf of the vendors [or] the server could also be owned by a large company with several subsidiaries, which would explain the presence of multiple vendors," the researchers speculated. "What's clear is that whoever owns the server could be subject to punishments from consumer protection laws, and whoever is paying for these fake reviews may face sanctions for breaking Amazon's terms of service." 

Vendors are not allowed to review their own goods or receive a "cash incentive, discount, free products, or other compensation" in exchange for positive reviews, according to Amazon's spokesperson and its review policy, which also covers third-party organizations. However, since Amazon is such a popular online marketplace, it's likely that some vendors will continue to try to take advantage of review systems in order to increase their profits.

"We want Amazon customers to shop with confidence, trusting that the reviews they read are genuine and appropriate," a spokesperson for the company said. "We have clear policies for both reviewers and selling partners that forbid the misuse of our community features, and we suspend, ban, and taint people who break them."

ShinyHunters is Leaking Data of all the Big Conglomerates

 

Following the hacking of masked credit and debit card data belonging to crores of Juspay customers, independent cybersecurity analyst Rajshekhar Rajaharia reported on January 6, 2021, that the same hacker, likely branded as 'ShinyHunters,' is now selling databases belonging to three more Indian companies on the Dark Web. 

ShinyHunters, the well-known hacker responsible for exposing the accounts of companies such as Animal Jam, Mashable, Upstox, and 123RF, among others, has returned with yet another high-profile data breach. 

The hacker has recently focused on leaking databases belonging to Indian institutions. While unconfirmed, it is thought that the hacker's extortion efforts failed and that, as a result, the hacker is leaking the stolen information.

This time, ShinyHunters has leaked a database belonging to WedMeGood, a prominent Indian wedding planning website that handles everything from location selection to photographer bookings and wedding outfit arrangements. WedMeGood has a website and an app that allows couples planning weddings to find nearby vendors and get ideas and inspiration for their big day. The business is headquartered in Gurgaon and was founded in 2014 by Mehak Sagar Shahani and Anand Shahani. 

According to Hackread.com's review, the database contains 41.5 GB of data, including the city, gender, full names, phone numbers, email addresses, password hashes, booking leads, last login date, account creation date, Facebook unique ID numbers, and holiday summary for Airbnb.

JusPay, a Bengaluru-based digital payments portal, previously stated that their Secure Data Store, which houses sensitive card numbers, had not been accessed or leaked. "Thus, all our customers were secure from any kind of risk. Our priority was to inform the merchants and as a measure of abundant precaution, they were issued fresh API keys though it was later verified that even the API keys in use were safe," the company said. 

The hacker, according to Rajaharia, is the same one who leaked BigBasket info, as confirmed by cybersecurity firm Cyble. BigBasket, one of India's most popular online grocery stores, discovered that its data of over 20 million users had been compromised and was for sale on the dark web for over $40,000 in November of last year. 

"Now, the same hacker group is asking about $10,000 in Bitcoin for the BigBasket database and is also selling the three companies' databases," Rajaharia said. "There is a strong connection between all these recent data leaks, including BigBasket," he added.

Raychat App Suffered a Data Breach of 150 Million Users

 

Around 7:20 a.m. on Monday, May 3, 2021, the database was first made public on a prominent Russian hacker website. It was unclear whether these records were stolen from the Raychat app's servers or whether they came from a recent data breach, which occurred on January 31st, 2021, as a consequence of a misconfigured database discovered by IT security researcher Bob Diachenko.

Diachenko posted a series of tweets about the Raychat application on Twitter. He said that a misconfigured server leaked the entire database of the Raychat app. According to the researcher, the database contained over 267 million accounts with information such as addresses, passwords, metadata, encrypted messages, and so on.

He also said that he had not received a response from the organization. An Iranian Twitter user did reply to Diachenko, sharing a screenshot of a tweet from the Raychat app confirming that no data had been compromised.
 
The data was allegedly leaked by a threat actor on a well-known hacker website, Raid Forum. The threat actor said that they had downloaded the data before the meow attack erased it. The data seems to be genuine, and millions of Iranians' personal information has been made public. The leaked data includes names, IP addresses, email addresses, Bcrypt passwords, Telegram messenger IDs, etc.

Although Iranian hackers have been blamed for increasingly advanced attacks against their adversaries, Iranian civilians have been among the most overlooked victims of data breaches in recent years. For example, a database allegedly belonging to the Snapp app (Iranian Uber) leaked "astonishingly sensitive details" of millions of users on an unsecured MongoDB server in April 2019.

52,000 Iranian ID cards with selfies were sold on the dark web in April 2020 and later leaked on the open web. The personal information and phone numbers of 42 million Iranians were sold on a hacker forum in March 2020. That database was first exposed through a misconfigured Elasticsearch server.

It's now up to the victims to be more cautious. They should be wary of email-based phishing attacks. Users should not click on links in texts or emails because they could be scams. By breaking into a user's phone, attackers could further intrude on their privacy.

City of Toronto Hit by a Potential Cyber Breach

 

A potential cyber breach involving a third-party data transfer software supplier was reported by the City of Toronto on 22nd January 2021. The City took measures to shut down the applications that day, while the City's Chief Information Security Officer promptly began an investigation to assess the types of data potentially breached.

The City has reported the breach to the Information and Privacy Commissioner of Ontario and has been in contact with everyone whose information might have been compromised. Other jurisdictions and organizations in Ontario and across the globe have also recently reported that this sort of cyber breach has affected them.

The City of Toronto says that in January there was a "potential cyber breach" of data on its Accellion FTA file transfer servers that could include personal health details.

Later, City staff confirmed to IT World Canada that Accellion was involved. The incident occurred on January 22nd. Asked why the event had taken until now to be made public, a city spokesperson said that the CISO's office had been investigating and released a report only on the 20th of April. “It takes time to reach any sort of conclusion given the legacy system that was breached, and the extent of investigation required,” the spokesperson said.

The representative added that the city is still investigating exactly how many people's details were exposed. In addition, the city has not reported a ransom demand, and it is not known whether one has been received as a consequence of this breach.

In its statement, the city said it “took immediate action and shut down access to the software that day, and the city’s chief information security officer immediately launched an investigation to determine the type of data that may have been compromised.” 

Whenever personal health data is affected, the city must notify the IPC. The IPC has been informed because personal health information was potentially accessible. As part of its efforts to safeguard the privacy and welfare of Toronto residents, the city has regularly and effectively stopped cyber threats.

In February, cybersecurity agencies in five countries issued a global warning to organizations that use Accellion FTA for file transfers, after several organizations admitted at the beginning of this year that they had been compromised through bugs in the program. Publicly known victims include the oil supplier Shell, the Canadian business jet maker Bombardier, and the pharmaceutical operation of a US retail chain.