Showing posts with label User Privacy.

What Do Cybercriminals Do with Your Personal Information? Here's How to Defend Yourself

 

We all know that a data breach can cause devastating damage to organizations and individuals, but have you ever wondered what happens to the data that is stolen in these incidents?

It depends on what was stolen, who stole it and why. When threat actors are motivated to embarrass a person or organization, expose perceived wrongdoing or make a point about security, they tend to release the relevant data into the public domain.

The 2014 attack on Sony Pictures Entertainment is the best-known example. Attackers backed by North Korea stole employee data such as Social Security numbers, financial records and salary information, as well as the emails of top executives. They then published the emails to embarrass the company, apparently in retaliation for its release of a comedy about a plot to assassinate North Korea's leader, Kim Jong Un.

According to Verizon's annual Data Breach Investigations Report, nearly 86% of data breaches are financially motivated, and 55% are committed by organized criminal groups. Stolen data often ends up for sale on the dark web. For example, in 2018 hackers offered for sale more than 200 million records containing the personal information of Chinese individuals, including data on 130 million customers of the hotel chain Huazhu Hotels Group.

Transactions are most commonly paid in cryptocurrency or via Western Union. Prices depend on the type of data and on supply and demand. For example, a glut of stolen personally identifiable information drove the price of one person's records from $4 in 2014 to $1 in 2015. Email dumps containing anywhere from a hundred thousand to a couple of million addresses go for about $10, and voter databases from various US states sell for around $100.

What Do Hackers Do with Your Personal Info?

The most obvious thing hackers do is steal your money—either directly by funneling it from a bank account or by creating new accounts under your name. They may use your credit card details to shop at Amazon or set up a Netflix account. They might also use your info to create a sham social media profile to fool your friends or have a fake driver’s license made.

While that’s scary, there are even more frightening things to worry about. In some cases, hackers may steal info like personnel files, bank records, and private photos for purposes of blackmail, extortion, or even espionage.

Lastly, some attackers target you or your organization directly. Stolen information, such as an online alias under which you post political commentary or an online dating profile, may be shared to prank or embarrass you. In more serious cases, doxing, the publication of details that tie your online identity to your real-world address and contacts, can put you in physical danger: strangers sending you hate mail, calling your cell phone or turning up at your house over something you posted online.

Three easy steps to protect your data

(1). First, find out whether your information is already circulating. Services such as haveibeenpwned and IntelligenceX let you check whether your email address appears in known breach dumps; if it does, assume the password you used on that site is known to attackers and change it everywhere you reused it.

(2). If your data has been exposed, inform the credit reporting agencies and the other organizations that hold data about you, such as your health care provider, insurance company, banks and credit card companies, so they can watch for fraudulent activity.

(3). Use a password manager to generate a unique, strong password for every account, so that one site's breach cannot be replayed against another. Then check whether your accounts offer multi-factor authentication (MFA) and turn it on wherever it is available.
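As an added illustration (not part of the original post), here is how the haveibeenpwned password check works without handing over your password: the Pwned Passwords API takes only the first five hex characters of the password's SHA-1 hash and returns every matching hash suffix, so the comparison happens on your machine (k-anonymity). The range response below is constructed for the example, apart from the genuine suffix of sha1("password"); `fetch_range` hits the real endpoint if you have network access.

```python
from __future__ import annotations

import hashlib
import urllib.request

# Constructed sample of a Pwned Passwords range response for the SHA-1 prefix
# "5BAA6", which is the prefix of sha1("password"). Real responses contain
# hundreds of "SUFFIX:COUNT" lines; the third suffix below is the genuine
# tail of sha1("password"), the remaining lines and all counts are made up.
SAMPLE_RANGE_5BAA6 = """\
003D68EB55068C33ACE09247EE4C639306B:2
012C192B2F16F82EA0EB9EF18D9D539B0DD:1
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
1E4C9B93F3F0682250B6CF8331B7EE68FD9:0
"""


def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Split the upper-case hex SHA-1 of the password into the 5-character
    prefix that is sent to the API and the 35-character suffix that stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body: str) -> dict[str, int]:
    """Parse "SUFFIX:COUNT" lines into a dict (padding entries have count 0)."""
    table: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        table[suffix.upper()] = int(count)
    return table


def fetch_range(prefix: str) -> str:
    """Live range query (needs network). The Add-Padding header asks the API
    to mix in dummy zero-count suffixes so the response size does not reveal
    how many real hashes share the prefix."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"Add-Padding": "true", "User-Agent": "hibp-range-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, range_fetcher=fetch_range) -> int:
    """Return how many times the password appears in the corpus (0 = not seen).
    Only the 5-character prefix ever reaches the fetcher; the full hash and
    the password itself never leave this process."""
    prefix, suffix = sha1_prefix_suffix(password)
    table = parse_range(range_fetcher(prefix))
    return table.get(suffix, 0)


if __name__ == "__main__":
    # Offline run against the constructed sample; pass fetch_range instead
    # of the lambda to query the live service.
    offline = lambda prefix: SAMPLE_RANGE_5BAA6
    print("password ->", pwned_count("password", offline))
    print("correct horse battery staple ->",
          pwned_count("correct horse battery staple", offline))
```

A non-zero count means the password is in a known dump and should be treated as burned, however strong it looks; the same prefix trick is what a password manager's "breach check" feature does behind the scenes.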

Flipkart Users to Reset Passwords to Avoid Fraud: Cyber Expert

 

Flipkart customers are being advised to reset their passwords after credentials exposed in the BigBasket data breach were found to work against Flipkart accounts. According to reports, the BigBasket leak revealed the personal information of some Flipkart customers as well. The matter has resurfaced seven months after it was first discovered.

According to an independent cybersecurity expert, an alleged leaked database may lead to unauthorized transactions from accounts of Flipkart customers who also used grocery platform BigBasket with the same user ID and passwords. 

In November, BigBasket suffered a major data breach that exposed the personal information of over 2 crore (20 million) users. Some users who reused the same credentials on Flipkart and BigBasket have complained that their Flipkart accounts were compromised as a result. So far, only Flipkart users appear to be affected.

Cybercriminals are selling sets of email addresses and passwords taken from the allegedly leaked BigBasket database that match accounts on the e-commerce sites Flipkart and Amazon, according to cybersecurity researcher Rajshekhar Rajaharia. He noted, however, that Amazon sends an OTP on login when the browser changes, which limits the usefulness of the stolen credentials there.

'It seems, some people are selling Bigbasket Email: Password combinations as Flipkart data. People are using the same password for all websites. Almost all emails are matching with Bigbasket DB (database). Change your Flipkart Passwords asap,' Rajaharia tweeted. 

He also mentioned that Flipkart's accounts should be secured and posted account details being sold on Telegram. 

'Anyone with a combination of leaked email and password can easily log in from anywhere including VPN/TOR to Flipkart. Please mandatory 2FA ( two-factor authentication) for all accounts,' Rajaharia said. 

When contacted, a Flipkart spokesperson said that the company is absolutely dedicated to ensuring the safety and protection of customer data and that the company has "robust information security systems and controls in place." 

A Flipkart spokesperson told Inc42 in response to the data breach, “In addition, we run awareness campaigns through different media and social networks to raise awareness about fraudulent activities, educating consumers on best practices for a secure online experience and keeping their accounts safe from unscrupulous cyber elements.”
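The Flipkart incident is a credential-stuffing case: attackers replay one site's leaked email:password pairs against another, and every account whose owner reused the password falls. The detection logic below is an added example written for this page, not Flipkart's or BigBasket's code. It runs over a constructed login log; the log format, the window size and the thresholds are assumptions.

```python
from __future__ import annotations

from collections import defaultdict
from datetime import datetime, timezone

# Constructed login records for the example (not Flipkart or BigBasket logs):
# "<ISO timestamp> <source IP> <account> <OK|FAIL>".
SAMPLE_LOGINS = """\
2021-05-20T12:00:01 203.0.113.7 user01@example.com FAIL
2021-05-20T12:00:03 203.0.113.7 user02@example.com OK
2021-05-20T12:00:04 203.0.113.7 user03@example.com FAIL
2021-05-20T12:00:06 203.0.113.7 user04@example.com FAIL
2021-05-20T12:00:07 203.0.113.7 user05@example.com OK
2021-05-20T12:00:09 203.0.113.7 user06@example.com FAIL
2021-05-20T12:00:10 203.0.113.7 user07@example.com FAIL
2021-05-20T12:01:12 198.51.100.20 user08@example.com FAIL
2021-05-20T12:01:30 198.51.100.20 user08@example.com OK
2021-05-20T12:02:00 192.0.2.44 user09@example.com OK
"""


def parse_logins(text: str) -> list[tuple[datetime, str, str, bool]]:
    """Parse the sample format into (timestamp, ip, account, success) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, account, result = line.split()
        stamp = datetime.fromisoformat(ts).replace(tzinfo=timezone.utc)
        events.append((stamp, ip, account, result == "OK"))
    return events


def find_credential_stuffing(events, window_seconds: int = 600,
                             min_accounts: int = 5,
                             min_failure_ratio: float = 0.5) -> dict[str, dict]:
    """Bucket attempts per source IP into fixed windows and flag any window in
    which one IP tried many distinct accounts and most attempts failed: the
    signature of a leaked email:password list being replayed. Successful
    logins inside a flagged window are reported as likely takeovers."""
    buckets: dict[tuple[str, int], list[tuple[str, bool]]] = defaultdict(list)
    for stamp, ip, account, ok in events:
        buckets[(ip, int(stamp.timestamp()) // window_seconds)].append((account, ok))

    flagged: dict[str, dict] = {}
    for (ip, _), rows in buckets.items():
        accounts = {a for a, _ in rows}
        failures = sum(1 for _, ok in rows if not ok)
        if len(accounts) < min_accounts or failures / len(rows) < min_failure_ratio:
            continue
        entry = flagged.setdefault(ip, {"attempts": 0, "failures": 0,
                                        "accounts": set(), "compromised": set()})
        entry["attempts"] += len(rows)
        entry["failures"] += failures
        entry["accounts"] |= accounts
        entry["compromised"] |= {a for a, ok in rows if ok}

    # Normalise the sets to sorted lists for stable output.
    for entry in flagged.values():
        entry["accounts"] = sorted(entry["accounts"])
        entry["compromised"] = sorted(entry["compromised"])
    return flagged


if __name__ == "__main__":
    for ip, info in find_credential_stuffing(parse_logins(SAMPLE_LOGINS)).items():
        print(ip, info)
```

Per-IP grouping is the simplest signal and the easiest to evade: as Rajaharia points out, the attacker can come through a VPN or Tor and rotate addresses, so production detection also groups by account, by device fingerprint and by the password-hash prefix being tried, and the real fix is the one he asks for, mandatory 2FA.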

Researchers Flag Serious Authentication Bypass Vulnerability After Pega Infinity Hotfix Released

 

After security researchers discovered a flaw in the Pega Infinity enterprise software platform, users are being advised to upgrade their installations. 

CVE-2021-27651 is a critical-risk vulnerability in Pega Infinity versions 8.2.1 through 8.5.2, according to the research team of Sam Curry, Justin Rhinehart, Brett Buerhaus and Maik Robert.

Their proof of concept shows how an attacker can circumvent Pega Infinity's password reset mechanism. Using the reset account, attackers could then reach administrator-only functionality that amounts to remote code execution and "fully compromise" the Pega instance, including modifying its pages and templates. The researchers worked with the developer, Pegasystems, to produce a hotfix. According to the vendor, customers running the software on-premises should check whether their version is affected and apply the relevant hotfix.

Pega Infinity is a widely used enterprise software suite with over 2,000 customers. It bundles customer service and sales automation, an AI-driven "customer decision hub", workforce intelligence and a "no-code" development platform. The vulnerability was found as a by-product of the researchers' work on Apple's bug bounty program.

“We’d been hacking on Apple's bug bounty program for about six months and had spent a lot of time on software produced by Apple themselves,” UK-based hacker Sam Curry told The Daily Swig. 

“After reading a blog post from two amazing researchers, we agreed to take a different approach and target vendors [supplying technology to Apple].”Curry has written about his experiences with Apple's bug bounty program in the past. 

The researchers found the password reset flaw using Burp Suite. According to Curry, it allows a complete compromise of any Pega instance with "no prerequisite information". Justin Rhinehart also wrote a Nuclei template that fingerprints whether a given host is running Pega Infinity, so that exposed instances can be located during a scan.

“Pega's customers are from every sector and at the time of reporting some of the customers included the FBI, US Air Force, Apple, American Express, and a few other huge names.” 

Curry states that Pega was able to collaborate with the researchers to patch the flaw, although they needed time for customers using Infinity on-premises to upgrade their installations. Curry mentioned that the procedure took more than three months.
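No details of the Pega reset bypass are published here, so the example below does not reproduce it. Instead it is an added, stand-alone sketch (not Pega's code) of the properties a password reset flow must have to resist that class of bug: tokens that are unguessable, stored only as a hash, bound to exactly one account, single-use and expiring, with the user binding enforced server-side rather than taken from the request. The 15-minute lifetime and the class and method names are assumptions of this example.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

TOKEN_TTL_SECONDS = 15 * 60  # assumption: 15-minute validity


@dataclass
class ResetRecord:
    user_id: str
    token_hash: bytes
    expires_at: float
    used: bool = False


class PasswordResetService:
    """Minimal reset-token flow. Tokens are unguessable (256 bits from the OS
    CSPRNG), stored only as a SHA-256 hash so a database leak does not yield
    usable tokens, bound to exactly one user, single-use and time-limited."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._records: dict[str, ResetRecord] = {}  # keyed by hex of token hash

    @staticmethod
    def _hash(token: str) -> bytes:
        return hashlib.sha256(token.encode("utf-8")).digest()

    def issue(self, user_id: str) -> str:
        """Create a token for user_id. The caller must deliver it only to the
        address already verified for that account, never to an address
        supplied in the reset request."""
        token = secrets.token_urlsafe(32)
        digest = self._hash(token)
        self._records[digest.hex()] = ResetRecord(
            user_id=user_id, token_hash=digest,
            expires_at=self._clock() + TOKEN_TTL_SECONDS)
        return token

    def redeem(self, user_id: str, token: str) -> bool:
        """Return True exactly once for a valid (user, token) pair. Every
        failure path returns the same False so the caller cannot tell
        'wrong user' from 'expired' from 'unknown token'."""
        digest = self._hash(token)
        record = self._records.get(digest.hex())
        if record is None:
            return False
        if not hmac.compare_digest(record.token_hash, digest):
            return False
        if record.used or self._clock() > record.expires_at:
            return False
        # The token may only reset the account it was issued for. A reset
        # flow that trusts a user identifier sent alongside the token lets an
        # attacker point someone else's token at an account of their choosing.
        if not hmac.compare_digest(record.user_id.encode(), user_id.encode()):
            return False
        record.used = True
        return True


if __name__ == "__main__":
    svc = PasswordResetService()
    tok = svc.issue("alice")
    print("bob redeems alice's token:", svc.redeem("bob", tok))
    print("alice redeems once:", svc.redeem("alice", tok))
    print("alice redeems again:", svc.redeem("alice", tok))
```

The injectable clock is what makes the expiry path testable; in a real deployment the records live in a database with the hash as the lookup key, and the password change itself should also invalidate every other outstanding token and session for that user.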

Apple Covered Up a Mass Hack of 128 Million iPhone Users in 2015

 

Apple and Epic are embroiled in a legal dispute, and some revealing material has surfaced as a result. Epic's filings have already shown Apple deciding not to release iMessage for Android in order to protect its platform. Now, according to an email filed in court, Apple decided not to alert the 128 million iPhone users affected by its first-ever mass hack. This was back in 2015, when the iPhone 6s series was introduced.

The campaign, later known as XcodeGhost, was first spotted when researchers found 40 malicious App Store applications; the count quickly grew to 4,000 as more researchers looked into it. The apps had been built with a trojanized copy of Apple's Xcode development tools, which injected code that turned iPhones and iPads into a botnet that stole potentially sensitive user data.

According to an email filed in court last week in Epic Games' litigation against Apple, Apple managers discovered 2,500 malicious apps on September 21, 2015, that had been downloaded a total of 203 million times by 128 million users, 18 million of whom were in the United States. 

“Joz, Tom, and Christine—due to the large number of customers potentially affected, do we want to send an email to all of them?” App Store VP Matthew Fischer wrote, talking to Apple's Greg Joswiak, senior vice president of worldwide communications, and Tom Neumayr and Christine Monaghan, who work in public relations. 

The email continued: "If yes, Dale Bagwell from our Customer Experience team will be on point to manage this on our side. Note that this will pose some challenges in terms of language localizations of the email, since the downloads of these apps took place in a wide variety of App Store storefronts around the world (e.g. we wouldn’t want to send an English-language email to a customer who downloaded one or more of these apps from the Brazil App Store, where Brazilian Portuguese would be the more appropriate language)." 

About 10 hours later, Bagwell wrote about the complexities of notifying all 128 million affected customers, localizing the message for each user's language and "accurately including the names of the applications for each client".

It seems Apple never carried out the plan. An Apple spokesperson said there is no indication such an email was ever sent. Instead, Apple published only this now-deleted article, according to statements the representative gave on background—meaning I'm not allowed to quote them.

Amazon Fake Reviews Scam Exposed in Data Breach

The identities of over 200,000 people who appear to be participating in Amazon fraudulent product review schemes have been exposed by an open database. 

There is an ongoing struggle between the e-commerce giant and shady traders around the world who want to hobble rivals and gain an edge by manufacturing fake product reviews. Their methods for staying under Amazon's radar vary, but an exposed Elasticsearch server has revealed some of their inner workings.

Researchers from Safety Detectives reported on Thursday that the server, which was open to the internet without authentication, held 7 GB of data and over 13 million documents that appeared to be connected to a widespread fake-review scheme. It is unknown who owns the server, but messages in the data are written in Chinese, suggesting the operator may be based in China.

The database includes the user names, email addresses, PayPal addresses, links to Amazon accounts, and both WhatsApp and Telegram numbers, which also included records of direct messages between consumers willing to provide false reviews and traders willing to pay them. The leak may implicate "more than 200,000 people in unethical activities," according to the team. 

The database, and the messages in it, exposed the tactics used by suspicious sellers. In one approach, the vendor sends a recruited reviewer a link to the product for which they want 5-star ratings, and the reviewer buys it. A few days later the reviewer posts a positive review and messages the vendor, who then pays via PayPal, typically framed as a "refund", while the reviewer keeps the item for free. Because the refund is settled outside Amazon, the purchase looks like an ordinary verified one, which makes the paid review hard to distinguish from a genuine one.

The open Elasticsearch server was discovered on March 1. Its owner could not be identified, but on March 6 the exposure was closed and the server secured.

"The server could be owned by a third-party that reaches out to potential reviewers on behalf of the vendors [or] the server could also be owned by a large company with several subsidiaries, which would explain the presence of multiple vendors," the researchers speculated. "What's clear is that whoever owns the server could be subject to punishments from consumer protection laws, and whoever is paying for these fake reviews may face sanctions for breaking Amazon's terms of service." 

Amazon's review policy, which also covers third-party organizations, forbids vendors from reviewing their own goods or offering a "cash incentive, discount, free products, or other compensation" in exchange for positive reviews, a spokesperson confirmed. Given how large the marketplace is, however, some vendors will keep trying to game the review system to boost their sales.

"We want Amazon customers to shop with confidence, trusting that the reviews they read are genuine and appropriate," a spokesperson for the company said. "We have clear policies for both reviewers and selling partners that forbid the misuse of our community features, and we suspend, ban, and taint people who break them," states the company.

ShinyHunters is Leaking Data of all the Big Conglomerates

 

Following the theft of masked credit and debit card data belonging to crores of Juspay customers, independent cybersecurity researcher Rajshekhar Rajaharia reported on January 6, 2021, that the same hacker, believed to be "ShinyHunters", was now selling databases belonging to three more Indian companies on the dark web.

ShinyHunters, the well-known hacker responsible for exposing the accounts of companies such as Animal Jam, Mashable, Upstox, and 123RF, among others, has returned with yet another high-profile data breach. 

The hacker has recently focused on leaking databases belonging to Indian companies. While unconfirmed, it is thought that the hacker's extortion attempts failed and that the stolen data was leaked as a result.

This time, ShinyHunters has leaked a database belonging to WedMeGood, a prominent Indian wedding planning website that handles everything from location selection to photographer bookings and wedding outfit arrangements. WedMeGood has a website and an app that allows couples planning weddings to find nearby vendors and get ideas and inspiration for their big day. The business is headquartered in Gurgaon and was founded in 2014 by Mehak Sagar Shahani and Anand Shahani. 

According to Hackread.com's review, the database contains 41.5 GB of data, including the city, gender, full names, phone numbers, email addresses, password hashes, booking leads, last login date, account formation date, Facebook unique ID numbers, and holiday summary for Airbnb.

JusPay, a Bengaluru-based digital payments portal, previously stated that their Secure Data Store, which houses sensitive card numbers, had not been accessed or leaked. "Thus, all our customers were secure from any kind of risk. Our priority was to inform the merchants and as a measure of abundant precaution, they were issued fresh API keys though it was later verified that even the API keys in use were safe," the company said. 

The hacker, according to Rajaharia, is the same one who leaked BigBasket info, as confirmed by cybersecurity firm Cyble. BigBasket, one of India's most popular online grocery stores, discovered that its data of over 20 million users had been compromised and was for sale on the dark web for over $40,000 in November of last year. 

"Now, the same hacker group is asking about $10,000 in Bitcoin for the BigBasket database and is also selling the three companies' databases," Rajaharia said. "There is a strong connection between all these recent data leaks, including BigBasket," he added.

Raychat App Suffered a Data Breach of 150 Million Users

 

Around 7:20 a.m. on Monday, May 3, 2021, the database was first posted on a prominent Russian-language hacker forum. It was unclear whether the records had been stolen from the Raychat app's servers directly or came from an earlier exposure, discovered on January 31, 2021 by security researcher Bob Diachenko, in which a misconfigured database was left open to the internet.

Diachenko posted a series of tweets about the Raychat application. He said a misconfigured server had exposed the app's entire database, which according to him held over 267 million records with information such as names, IP addresses, email addresses, passwords, metadata and encrypted messages.

He also said he had received no response from the company. An Iranian Twitter user, however, replied with a screenshot of a tweet from the Raychat account insisting that no data had been compromised.

The data was later posted by a threat actor on the well-known hacker forum RaidForums. The poster said they had downloaded the data before a "Meow" attack (an automated wiper that overwrote unsecured databases) erased it. The data appears to be genuine, and millions of Iranians' personal information has been made public. The leaked records include names, IP addresses, email addresses, bcrypt password hashes, Telegram messenger IDs and more.

Although Iranian state hackers have been blamed for increasingly advanced attacks against their adversaries, Iranian civilians have been among the most overlooked victims of data breaches in recent years. For example, a database allegedly belonging to the Snapp app (Iran's equivalent of Uber) leaked "astonishingly sensitive details" of millions of users from an unsecured MongoDB server in April 2019.

In April 2020, 52,000 Iranian ID cards with selfies were sold on the dark web and later leaked on the open web. In March 2020, the personal information and phone numbers of 42 million Iranians were sold on a hacker forum; that data had first been exposed through a misconfigured Elasticsearch server.

Affected users now need to be more cautious. Data of this kind is routinely reused for phishing by email, SMS and messaging apps, so they should not click links in unexpected texts or emails, and should expect attackers who already know their name, email address and Telegram ID to impersonate services they use. A link that installs malware on a phone would expose far more than the leaked records did.

Stop Tweeting, Says Click Studios: Phishers Use Breach Notification Information to Create New Lures

 

Click Studios, the Australian vendor of the Passwordstate enterprise password manager, says only a small percentage of its 29,000 customers were affected by a security breach in which a software update was tampered with to carry malicious code.

In a new advisory posted on its website, Click Studios gave an update on its investigation into the breach, which took place between 8:33 p.m. UTC on April 20 and 12:30 a.m. UTC on April 23. Any customer who performed an in-place upgrade of Passwordstate during that window may have been compromised. It is not clear from the advisory exactly how Click Studios defines "affected" customers.

According to CSIS Security Group researchers, the compromised update was most likely only the first stage of a multi-stage malware attack. At least one customer downloaded the update, but the attack was stopped before any second-stage malware could be deployed. 

“The number of affected customers is still very low. Only customers that performed In-Place Upgrades between the times stated above are believed to be affected,” the company stated. 

SC Media has contacted the company for more details. Click Studios has been notifying affected customers, but has also asked them to stop posting screenshots of the company's correspondence online, saying that the attacker is "actively scanning social media" for material to use in follow-up attacks. The company says an email it sent on Friday, April 23 confirming the breach and describing remediation steps has already been copied and sent to some customers as a phishing lure.

The phishing email asks customers to download an "update" that is actually a modified version of the malicious dynamic link library from the original attack, which fetched its payload from a content delivery network server outside Click Studios' control. That server has since been taken down, according to Click Studios, and a copy of the payload has been retrieved for analysis. Customers can spot a fake by looking for a sender domain that does not match that of legitimate Click Studios emails, for claims that an "urgent" update is required to fix a flaw in the previous patch, or for emails that direct the user to a subdomain to download the update.

In the aftermath of data breaches, companies are often criticized for a lack of accountability or for keeping their customers in the dark about the possible consequences. This incident highlights the other side of the coin: how bad actors can weaponize information or communications from an organization following a breach. The fact that these latest lures are built to look like legitimate notification emails shows a sophisticated social engineering tactic, basically exploiting PasswordState users' fears to learn more about the previous breach and infect them with the same assault. 

Inon Shkedy, a security researcher for Traceable stated, “What happened with the Click Studios disclosure seems like a new trend that companies should be aware of and shows us how phishing campaigns are becoming more and more sophisticated."

Chris Morales, chief information security officer at resolution intelligence company Netenrich, said that Click Studios was following normal post-breach notification procedures and that some of the blame falls on customers who posted their correspondence online without considering the consequences. “The issue here isn't with the notification system. The people who got the message are the ones who are publicizing it on social media, even though there is supposed to be a time window to fix any problems before making it public,” Morales explained. “Of course, it would just exacerbate the situation.”

Others argued that companies should not be shocked to see the letters they send users that end up on the internet and keep companies responsible for the effects of a breach, not their customers.

250 Million Americans Sensitive Data Leaked Online by Pompompurin

 

On April 22, 2021, a hacker using the handle Pompompurin posted a database of more than 250 million (250,806,711) records on American citizens and residents, containing personal and household information.

The database, published on a popular hacker forum, comprised 263 GB of CSV files, each holding 200,000 records. The data appears to have come from an exposed Apache Solr instance hosted on Amazon Web Services, but it is not clear who collected or managed it. Three separate IP addresses that had served the data were also published; the hacker pulled the data from them before the owner disabled or reassigned them.

The records are a treasure trove for cybercriminals and state-backed hackers alike. They include full names, telephone numbers, mailing and home addresses, dates of birth, marital status, the year the home was built, ZIP codes, gender, whether the home is rented, credit capacity, political participation, the number of cars owned, details of wages and taxes, the number of pets and the number of children in the household. The leak did not contain any passwords.

After the database had been online for a week, it was reposted on several Russian-speaking hacker forums and in Telegram groups.

The records are especially valuable to anyone targeting US citizens given the ongoing diplomatic standoff between Russia and the United States over the SolarWinds hack.

This is not the first time a large collection of confidential household data on US residents has been exposed. In June 2017 a marketing firm accidentally exposed data on 200 million Americans, and in December 2017 a California data analytics company exposed household data on 123 million Americans through a misconfigured AWS S3 bucket.

The leaked records are a threat to victims' privacy and physical safety. Some may use the data to locate people, while scammers can use it for convincing phishing emails and SMS, SIM-swapping attempts and other identity fraud. Recipients should treat any unsolicited email or text that urges them to click a link or log in as suspect, and should not follow links sent by SMS.

ClickStudios told Clients to Change Passwords After a Cyberattack

 

Following a cyberattack on its enterprise password manager Passwordstate, Australian software house Click Studios has advised customers to reset passwords across their organizations. According to an email sent to customers by Click Studios, attackers "compromised" the password manager's software upgrade function in order to harvest stored passwords.

The attack took place between April 20 and April 22. Details were published by CSIS Security Group, which analysed the malware, and Click Studios described the incident in an advisory.

The company said, “Initial analysis indicates that a bad actor using sophisticated techniques compromised the In-Place Upgrade functionality. The initial compromise was made to the upgrade director located on Click Studios website www.clickstudios.com.au. The upgrade director points the In-Place Upgrade to the appropriate version of software located on the Content Distribution Network. The compromise existed for approximately 28 hours before it was closed down. Only customers that performed In-Place Upgrades between the times stated above are believed to be affected. Manual Upgrades of Passwordstate are not compromised. Affected customers password records may have been harvested.” 

The supply-chain attack was delivered as a Passwordstate in-place upgrade. Once installed, the malicious update contacted the attackers' servers and downloaded malware designed to harvest the password manager's contents and send them back to the attackers. The attackers' servers were taken down on April 22, according to the company, but if they bring their infrastructure back up, Passwordstate installations that still carry the bad update could be at risk again.

Enterprise password managers let employees share credentials for corporate systems such as firewalls and VPNs, shared mailboxes, internal directories and social media accounts. According to Click Studios, Passwordstate is used by "more than 29,000 customers", including Fortune 500 companies, federal agencies, banks, military and aerospace companies, and businesses in most sectors.

For the remediation for Passwordstate customers, ClickStudios said, “Customers have been advised to check the file size of moserware.secretsplitter.dll located in their c:\inetpub\passwordstate\bin\ directory. If the file size is 65kb then they are likely to have been affected. They are requested to contact Click Studios with a directory listing of c:\inetpub\passwordstate\bin output to a file called PasswordstateBin.txt and send this to Click Studios Technical Support.”
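The DLL-size check above is the one concrete indicator in the advisory. The script below is an added example, not a Click Studios tool, that runs that check and writes the directory listing the vendor asks for. Reading "65kb" as 65 KiB with a 1 KiB tolerance is an assumption of this example, and `demo()` builds a throwaway directory with a dummy file rather than touching a real install.

```python
from __future__ import annotations

import tempfile
from datetime import datetime, timezone
from pathlib import Path

DLL_NAME = "moserware.secretsplitter.dll"
PRODUCTION_BIN_DIR = Path(r"c:\inetpub\passwordstate\bin")  # path from the advisory
LISTING_NAME = "PasswordstateBin.txt"                       # file name from the advisory

# The advisory says an affected file is "65kb". Assumption for this example:
# treat any size within 1 KiB of 65 KiB as matching that description.
SUSPECT_SIZE = 65 * 1024
SUSPECT_TOLERANCE = 1024


def check_bin_dir(bin_dir) -> tuple[int | None, bool, list[str]]:
    """Return (size of the DLL or None if absent, whether the size matches the
    advisory's indicator, a tab-separated listing of the directory)."""
    bin_dir = Path(bin_dir)
    listing = []
    for entry in sorted(bin_dir.iterdir()):
        st = entry.stat()
        mtime = datetime.fromtimestamp(st.st_mtime, tz=timezone.utc).isoformat()
        listing.append(f"{entry.name}\t{st.st_size}\t{mtime}")
    dll = bin_dir / DLL_NAME
    size = dll.stat().st_size if dll.is_file() else None
    suspect = size is not None and abs(size - SUSPECT_SIZE) <= SUSPECT_TOLERANCE
    return size, suspect, listing


def write_listing(bin_dir, out_file) -> tuple[int | None, bool]:
    """Run the check and write the directory listing the vendor asks for."""
    size, suspect, listing = check_bin_dir(bin_dir)
    Path(out_file).write_text("\n".join(listing) + "\n", encoding="utf-8")
    return size, suspect


def demo(dll_size: int) -> dict:
    """Build a throwaway directory containing a dummy DLL of dll_size bytes
    (constructed, not a real Passwordstate install) and run the check on it."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp_path = Path(tmp)
        (tmp_path / DLL_NAME).write_bytes(b"\0" * dll_size)
        (tmp_path / "dummy_other.dll").write_bytes(b"\0" * 4096)
        out = tmp_path / LISTING_NAME
        size, suspect = write_listing(tmp_path, out)
        return {"size": size, "suspect": suspect,
                "listing_lines": len(out.read_text(encoding="utf-8").splitlines())}


if __name__ == "__main__":
    # On a real server: write_listing(PRODUCTION_BIN_DIR, LISTING_NAME)
    print(demo(65 * 1024))
    print(demo(30 * 1024))
```

File size is a weak indicator on its own (a future legitimate build could land near it, and an attacker can pad), so treat a match as a trigger for the vendor's full process rather than a verdict; a hash of the DLL compared against the vendor's published release would be the stronger check if one were available.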

Logins for 1.3 million Windows Remote Desktop Servers Leaked by UAS

 

UAS, the largest marketplace for stolen RDP credentials, has leaked the usernames and passwords for 1.3 million currently and previously compromised Windows Remote Desktop servers. The leak gives researchers their first detailed look at a bustling cybercrime economy, and the evidence can be used to tie up loose ends from past attacks.

The Remote Desktop Protocol (RDP) is Microsoft's protocol for interactive remote sessions to Windows hosts and virtual machines. It is built into every Windows edition, which is why stolen RDP logins are the most sought-after listing among cybercriminals. A single valid credential gives an attacker an interactive foothold inside the network: because they authenticate as a legitimate user, the logon itself looks normal, and unless the server enforces multi-factor authentication or restricts where RDP can be reached from, the session carries the same access the real user has.

UAS, or ‘Ultimate Anonymity Services,' is a website that offers Windows Remote Desktop login credentials, leaked Social Security numbers, and SOCKS proxy server access. UAS stands out as a wide marketplace that also provides manual authentication of sold RDP account credentials, customer service, and advice about how to keep remote access to a compromised device. 

"The market functions partially like eBay - a number of Suppliers work with the market. They have a separate place to log in and upload the RDPs they hacked. The system will then verify them, collect information about each one (os, admin access? internet speed, CPU, memory etc etc), which is added to the listing. The supplier interface provides real time stats for the suppliers (what sold, what didn't, what was sold but a refund was asked for, etc). They also provide support if for some reason what you bought doesn't work. They do take customer support seriously," a security researcher who wishes to remain anonymous said.

Threat actors can scan for compromised computers in a specific country, state, area, zip code, ISP, or operating system while buying stolen RDP accounts, helping them to locate the specific server they need.
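Because a bought RDP credential produces a clean, successful logon, the signal is where the session comes from, not whether authentication failed. The triage below is an added example (not code from the UAS write-up) over constructed Windows Security 4624/4625 records; the trusted address ranges and the brute-force threshold are assumptions.

```python
from __future__ import annotations

import ipaddress
from collections import defaultdict

# Assumption: these are the organisation's own address ranges; everything
# else is treated as external.
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"),
                    ipaddress.ip_network("192.168.0.0/16")]

# Constructed records in the shape of Windows Security events 4624 (logon
# success) and 4625 (logon failure); LogonType 10 is RemoteInteractive, i.e.
# an RDP session. Not data from the UAS leak.
SAMPLE_EVENTS = [
    {"Time": "2021-04-30T02:10:11", "EventID": 4625, "LogonType": 10, "TargetUserName": "administrator", "IpAddress": "198.51.100.77"},
    {"Time": "2021-04-30T02:10:14", "EventID": 4625, "LogonType": 10, "TargetUserName": "administrator", "IpAddress": "198.51.100.77"},
    {"Time": "2021-04-30T02:10:17", "EventID": 4625, "LogonType": 10, "TargetUserName": "admin", "IpAddress": "198.51.100.77"},
    {"Time": "2021-04-30T02:10:40", "EventID": 4624, "LogonType": 10, "TargetUserName": "svc_backup", "IpAddress": "198.51.100.77"},
    {"Time": "2021-04-30T08:01:05", "EventID": 4624, "LogonType": 10, "TargetUserName": "jdoe", "IpAddress": "10.20.0.15"},
    {"Time": "2021-04-30T09:30:22", "EventID": 4624, "LogonType": 10, "TargetUserName": "mwilson", "IpAddress": "203.0.113.50"},
    {"Time": "2021-04-30T09:31:00", "EventID": 4624, "LogonType": 2, "TargetUserName": "mwilson", "IpAddress": "-"},
]


def is_trusted(ip: str) -> bool:
    """True for addresses inside the trusted ranges, loopback, or the "-"
    placeholder Windows writes for local (non-network) logons."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True
    if addr.is_loopback:
        return True
    return any(addr in net for net in TRUSTED_NETWORKS)


def triage_rdp_logons(events, brute_threshold: int = 3) -> list[dict]:
    """Walk events in time order and return findings for RDP logons that are
    either (a) successful from an address outside the trusted ranges, which is
    what a purchased valid credential looks like, or (b) successful after a
    run of failures from the same address (password guessing that worked)."""
    failures: dict[str, int] = defaultdict(int)
    findings = []
    for ev in sorted(events, key=lambda e: e["Time"]):
        if ev["LogonType"] != 10:
            continue
        ip = ev["IpAddress"]
        if ev["EventID"] == 4625:
            failures[ip] += 1
            continue
        if ev["EventID"] != 4624:
            continue
        reasons = []
        if not is_trusted(ip):
            reasons.append("rdp_success_from_untrusted_ip")
        if failures[ip] >= brute_threshold:
            reasons.append(f"success_after_{failures[ip]}_failures")
        if reasons:
            findings.append({"time": ev["Time"], "ip": ip,
                             "user": ev["TargetUserName"], "reasons": reasons})
        failures[ip] = 0  # a success ends the current guessing run
    return findings


if __name__ == "__main__":
    for finding in triage_rdp_logons(SAMPLE_EVENTS):
        print(finding)
```

The `mwilson` finding is the interesting one: no failures, a valid password, a session from an address the organisation does not own. That is exactly what a credential bought on UAS looks like in the logs, and it is invisible to failure-count alerting; the durable fix is to take RDP off the internet (VPN or gateway with MFA) so that an external source address cannot reach the logon at all.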

Threat Actors Target India's No. 2 Discount Broker 'Upstox'; Personal Data of 2.5 Mn Users Leaked

 

Retail broking firm Upstox suffered a massive data breach affecting the personal data of 2.5 Mn of its customers, according to several media reports on Sunday (April 11, 2021). Thereafter, the company admitted that earlier claims about the data breach were right and it has since strengthened its cybersecurity systems. 

According to cybersecurity researcher Rajshekhar Rajaharia, 2.5 Mn users were affected and 56 Mn KYC data files were leaked — including email, date of birth, passport, PAN, etc. — by hacker group ShinyHunters. 

The hacking group is rumored to have been behind multiple data breaches of Indian startups over the past one year such as Dunzo, BigBasket, JusPay, ChqBook, among others. 

“We have upgraded our security systems manifold recently, on the recommendations of a global cyber-security firm. We brought in the expertise of this globally renowned firm after we received emails claiming unauthorized access into our database. These claims suggested that some contact data and KYC details may have been compromised from third-party data-warehouse systems,” said the company on its blog. 

The Upstox data leak comes at a time when breaches seem to have picked up pace in the past few months: the leak of 100 Mn Mobikwik users' data, of 500 Mn+ Facebook users (6 Mn of them Indian accounts) and of over 500 Mn LinkedIn users.

In one of the biggest data breaches in India, Gurugram-based fintech company MobiKwik was rocked in March by allegations that data of over 100 Mn users had been leaked. The company repeatedly denied the allegation, which nonetheless prompted a warning from the RBI, which ordered an external auditor to conduct a forensic audit of the breach.

Last week, Microsoft-owned LinkedIn denied the breach, but Cyber News had reported that scraped data of over 500 Mn LinkedIn users was put for sale on a hacker forum. The data up for sale included account IDs, full names, email addresses, phone numbers, workplace information, and links to social media accounts among other details. 

In the case of Facebook, leaked data of 533 Mn users was posted for free on hacking forums and included the date of joining, place of work, names, gender, occupation, and relationship status of users. The breach affected 6 Mn Indian users and included details such as phone numbers, Facebook IDs, full names, locations, birthdates, bios, and in some cases email addresses. The social media giant told media agencies that the leak was related to a vulnerability that the company patched in 2019.

Eversource Energy Data Breach: Due to Unsecured Cloud Storage

 


Eversource Energy, New England's largest energy provider with 4.3 million electric and natural gas customers across Connecticut, Massachusetts and New Hampshire, suffered a data breach after sensitive customer details were exposed on an unsecured cloud storage server.

According to a data breach notice shared with BleepingComputer, Eversource Energy is warning customers that their name, address, phone number, social security number, service address, and account number were exposed due to an unsecured cloud storage server. Eversource is also providing a free one-year identity monitoring service via Cyberscout to those who have been affected by the data breach.

Eversource says there is no evidence that any of this information was obtained or misused by unauthorized individuals at this time. Since the folder was open to anyone, that cannot be ruled out, and BleepingComputer recommends that affected users enrol in Eversource's free identity theft monitoring, which will notify them if their social security number is used fraudulently.

When an Eversource customer called Cyberscout to learn more about the breach after receiving the notice, they were eventually sent the internal frequently asked questions (FAQ) guide that Cyberscout employees use to answer questions about it.

According to the FAQ shared with BleepingComputer, Eversource conducted a security review on March 16th and discovered an "internet data storage folder" that was misconfigured, allowing anyone to access its contents. They immediately protected the unsecured folder after discovering it and started investigating what data was stored on it. 

The unsecured folder contained unencrypted files, created in August 2019, holding the personal details of 11,000 Eversource customers in eastern Massachusetts. Affected users should also watch for phishing emails posing as Eversource or other companies that use the exposed data to harvest further details.
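The check a cloud team would run to catch a storage location that is readable by anyone before a customer does, as an added example that is not code from the article or from Eversource. The article does not say which cloud provider was involved; this assumes an S3-style bucket policy and ACL, and both sample policies and the ACL grant list are constructed here.

```python
import json

# Constructed sample bucket policy: grants anonymous read and list with no conditions.
OPEN_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::customer-exports", "arn:aws:s3:::customer-exports/*"],
    }],
})

# Constructed sample policy: the same actions, restricted to one role in one account.
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AccountRead",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/exporter"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::customer-exports/*",
    }],
})

# S3's predefined groups that mean "everyone on the internet" and "anyone with any AWS account".
PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def _is_anonymous(principal) -> bool:
    """True if the Principal element matches every caller, anonymous ones included."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        aws = [aws] if isinstance(aws, str) else aws
        return "*" in aws
    return False


def public_statements(policy_json: str) -> list:
    """Return the Allow statements that grant access to anyone.

    A statement carrying a Condition is reported with conditional=True rather than
    assumed safe, because conditions such as aws:SourceIp may or may not restrict it."""
    policy = json.loads(policy_json)
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or not _is_anonymous(stmt.get("Principal")):
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        findings.append({
            "sid": stmt.get("Sid", "<no sid>"),
            "actions": actions,
            "conditional": "Condition" in stmt,
        })
    return findings


def public_acl_grants(grants: list) -> list:
    """Return ACL grants (shaped like get_bucket_acl output) to the public groups."""
    return [g for g in grants if g.get("Grantee", {}).get("URI") in PUBLIC_GRANTEES]


def audit_bucket(name: str, policy_json: str, grants: list) -> dict:
    """Combine both checks into one verdict: a bucket is public if either path opens it."""
    findings = public_statements(policy_json)
    acl = public_acl_grants(grants)
    return {
        "bucket": name,
        "public": bool(findings) or bool(acl),
        "policy_findings": findings,
        "acl_findings": acl,
    }


if __name__ == "__main__":
    # Constructed ACL grant of the kind a misconfigured "internet data storage folder" carries.
    sample_grants = [{"Grantee": {"URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
                      "Permission": "READ"}]
    print(json.dumps(audit_bucket("customer-exports", OPEN_POLICY, sample_grants), indent=2))
    print(json.dumps(audit_bucket("customer-exports", SCOPED_POLICY, []), indent=2))
```

The two paths matter because a bucket can be locked down in its policy and still be opened by an object-level or bucket-level ACL, which is why the verdict checks both; in a real audit the policy and grants would come from the provider's API rather than the constructed samples above.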

Several utility firms, including EDP Renewables North America, Centrais Eletricas Brasileiras (Eletrobras), Companhia Paranaense de Energia (Copel) and the Enel Group, have suffered ransomware attacks and network breaches in the last two years. Attackers also recently breached a water treatment plant in Oldsmar, Florida, and attempted to raise the concentration of sodium hydroxide (lye) in the water to dangerous levels.

These incidents, along with Eversource's less destructive exposure, highlight the need for utilities to improve their security posture to avoid leaks and attacks.

Two Bugs in Outdated Software Patched, Says WhatsApp

 

WhatsApp on Monday said it had addressed two bugs that existed in outdated versions of its software and that it had no reason to believe that "these vulnerabilities were ever abused". The statement came in the wake of an advisory issued by CERT-In, which warned WhatsApp users about vulnerabilities in the app that could lead to a breach of sensitive information. CERT-In is the Indian government's agency for responding to cyberattacks.

According to the advisory, the vulnerability allows an attacker to run malicious code remotely and access personal data such as chats, images and videos. The advisory attributes it "to a cache configuration issue and missing bounds check within the audio decoding pipeline." A missing bounds check in a media decoder is the classic route to remote code execution through a crafted file: the decoder writes past the buffer it was given, and whoever controls the audio data controls what gets overwritten.

“We regularly work with security researchers to improve the numerous ways WhatsApp protects people’s messages. As is typical of software products, we have addressed two bugs that existed on outdated software, and we have no reason to believe that they were ever abused,” a WhatsApp spokesperson informed PTI in a press release. 

The spokesperson added that WhatsApp “remains safe and secure, and end-to-end encryption continues to work as intended to protect people’s messages”.

A "high" severity advisory issued on Saturday by CERT-In, the Indian Computer Emergency Response Team, said the vulnerability affects "WhatsApp and WhatsApp Business for Android prior to v2.21.4.18 and WhatsApp and WhatsApp Business for iOS prior to v2.21.32".

"Multiple vulnerabilities have been reported in WhatsApp applications which could allow a remote attacker to execute arbitrary code or access sensitive information on a targeted system," the advisory stated. It recommended that users update to the latest version of WhatsApp from the Google Play Store or the iOS App Store.

After facing intense scrutiny in India over its upcoming privacy update, consumer protection agencies in Brazil have now asked the government to act on the May 15 privacy update that will allow Facebook to aggregate users' data across all of its platforms.

Hackers Claim Access to 13TB of Domino's India Internal Data

 

Popular pizza chain Domino's India appears to have suffered a cyberattack. According to Alon Gal, co-founder of an Israeli cybercrime intelligence firm, the hackers have access to 13TB of Domino's India internal data, including details of more than 250 employees across IT, Legal, Finance, Marketing, Operations and other functions. The hackers claim to hold all customer details: 18 crore (180 million) order records including customers' names, phone numbers, email IDs, delivery addresses and payment details, among them more than 10 lakh (1 million) credit card details used for purchases on the Domino's India app.

The hackers intend to sell the whole data set to a single buyer and, according to Gal, are asking $550,000 (around Rs 4 crore) for the entire database. They also plan to build a search portal to allow querying the data. The sale is apparently taking place on the dark web, likely on a forum frequented by cybercriminals. Domino's India has so far neither confirmed nor denied that customer data has been stolen or leaked from its servers.

“Information includes 180,000,000 order details containing names, phone numbers, emails, addresses, payment details, and a whopping 1,000,000 credit cards,” Gal claimed in a tweet. “Plenty of large-scale Indian breaches lately, this is worrying,” he added. 

This is particularly worrying because India has suffered several large-scale breaches recently. According to Computer Emergency Response Team (CERT-In) data, cyberattacks on India nearly tripled during the Covid-19 pandemic, rising to 11,58,208 in 2020 from 3,94,499 in 2019.

Independent cybersecurity researcher Rajshekhar Rajaharia revealed to IANS that he had cautioned about this conceivable hack to the CERT-in on March 5. “I had alerted CERT-in about a possible Domino’s Pizza India hack where the threat actor got data access with details like 200 million orders and personal data of the users too. The hacker, however, did not provide any sample,” Rajaharia said. 

There has been a string of hacking incidents involving Indian firms in the recent past, including Bigbasket, BuyUcoin, JusPay and Upstox. Gal recently reported that the personal information of almost 533 million (53.3 crore) Facebook users, including 61 lakh Indians, had been leaked online after a hacker posted the details on a hacking forum.

ParkMobile Data Breach: 21 Million Users' Data Exposed

 

Due to a data breach, the account details of 21 million customers of ParkMobile, a prominent mobile parking app in North America, are now being sold online. The data includes customer email addresses, date of birth, phone numbers, license plate numbers, hashed passwords, and mailing addresses.

ParkMobile issued a statement about the incident in March, saying it was caused by a vulnerability in third-party software the company uses.

The sources state, “In response, we immediately launched an investigation with the assistance of a leading cybersecurity firm to address the incident. Out of an abundance of caution, we have also notified the appropriate law enforcement authorities. The investigation is ongoing, and we are limited in the details we can provide at this time. Our investigation indicates that no sensitive data or Payment Card Information, which we encrypt, was affected. Meanwhile, we have taken additional precautionary steps since learning of the incident, including eliminating the third-party vulnerability, maintaining our security, and continuing to monitor our systems.”  

When asked for clarification on what information the attackers gained access to, ParkMobile reported that it included basic account information such as license plate numbers, email addresses and/or phone numbers if given, and vehicle nickname. 

ParkMobile does not store user passwords themselves but the output of bcrypt, a one-way password hashing algorithm with a per-password salt and a configurable work factor, which makes each guess far more expensive than with fast hashes like MD5. The database stolen from ParkMobile and put up for sale includes each user's bcrypt hash.

According to the source, the company stated, “In keeping with our commitment to transparency, we want to share an update on the cybersecurity incident we announced last month. Our investigation concluded that encrypted passwords, but not the encryption keys needed to read them, were accessed.”

“While we protect user passwords by encrypting them with advanced hashing and salting technologies, as an added precaution, users may consider changing their passwords in the “Settings” section of the ParkMobile app or by clicking this link. Our investigation has confirmed that basic user information – license plate numbers and, if provided by the user, email addresses and/or phone numbers, and vehicle nicknames – was accessed.”

“In a small percentage of cases, mailing addresses were affected. No credit cards or parking transaction history was accessed, and we do not collect Social Security numbers, driver’s license numbers, or dates of birth. Please rest assured we take seriously our responsibility to safeguard the security of our users’ information and appreciate your continued trust,” the company further added. 

One caveat on the company's wording: bcrypt is a one-way hash, so there are no "encryption keys" that would let anyone read the passwords back. What an attacker holding the dump can do is guess candidate passwords offline against each salted hash, which bcrypt makes slow but not impossible for weak or reused passwords. Changing the ParkMobile password, and any other account that shares it, is therefore the sensible response.
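What "slow to crack" means in practice, as an added example that is not code from the article or from ParkMobile: the same password is cracked from a fast unsalted hash and from a salted slow hash, and the per-guess cost is compared. bcrypt itself is not in the Python standard library, so PBKDF2-HMAC-SHA256 with a high iteration count stands in for it here; the wordlist, the target password and the iteration count are assumptions for the example.

```python
import hashlib
import os
import time

# Constructed wordlist: what an attacker tries first against a leaked dump.
WORDLIST = ["123456", "password", "parking1", "Summer2021", "letmein", "carpark!"]

# Iteration count for the slow hash (an assumption; bcrypt's equivalent is its cost factor).
SLOW_ITERATIONS = 200_000


def fast_hash(password: str) -> str:
    """Unsalted MD5: what an attacker hopes to find in a dump."""
    return hashlib.md5(password.encode()).hexdigest()


def slow_hash(password: str, salt: bytes, iterations: int = SLOW_ITERATIONS) -> bytes:
    """Salted, iterated hash standing in for bcrypt. The salt is stored next to the
    hash, as bcrypt does, so it does not stop guessing; it only stops precomputation."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def crack(target, wordlist, hash_fn):
    """Try each candidate in order. Returns (password or None, guesses made, seconds per guess)."""
    start = time.perf_counter()
    guesses = 0
    found = None
    for candidate in wordlist:
        guesses += 1
        if hash_fn(candidate) == target:
            found = candidate
            break
    elapsed = time.perf_counter() - start
    return found, guesses, elapsed / guesses


def compare_cost(password: str, wordlist):
    """Crack the same password stored both ways and report how much slower the slow hash is."""
    salt = os.urandom(16)              # in a real dump this is read from the record
    fast_target = fast_hash(password)
    slow_target = slow_hash(password, salt)
    fast = crack(fast_target, wordlist, fast_hash)
    slow = crack(slow_target, wordlist, lambda p: slow_hash(p, salt))
    slowdown = slow[2] / max(fast[2], 1e-9)
    return {"fast": fast, "slow": slow, "slowdown": slowdown}


if __name__ == "__main__":
    result = compare_cost("Summer2021", WORDLIST)
    for kind in ("fast", "slow"):
        pw, n, per_guess = result[kind]
        print(f"{kind:4}: cracked={pw!r} after {n} guesses, {per_guess * 1000:.3f} ms per guess")
    print(f"slow hash costs {result['slowdown']:.0f}x more per guess")
```

Both hashes fall to the same six-word list in the same number of guesses; the slow hash only multiplies the cost of each guess by several orders of magnitude. That is why the practical defence after a dump is a password the attacker's wordlist does not contain, not the hash algorithm alone.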

Capcom Released the Final Update on Ransomware Attack

 

Capcom, known for multi-million-selling game franchises, announced in November 2020, that it had been hit by a ransomware attack: Hackers gained access to the company's servers, encrypted data on its devices, and claimed to have downloaded over 1TB of data. According to a malware researcher, the hackers also left behind a demand for $11 million in Bitcoin in exchange for the encryption key.
 
Its final report on the matter brings good news: no credit card information was compromised, and the attack did not affect any of Capcom's systems related to buying or playing games. "It remains safe for Capcom customers or others to connect to the internet to play or purchase the company's games online," Capcom stated.

Interestingly, it also clarified that it was never actually in contact with the attackers, and had not received the reported $11 million ransom demand. The report provides a timeline of events from the initial discovery of possible issues to the present, as well as a small decrease in the number of user accounts confirmed as compromised: 15,640, down from 16,415 in January. This figure includes current and former staff, as well as a few thousand "business partners," which Capcom explained do not include customers. 

The company mentioned that its global networks had been revamped before the attack, but an "older backup VPN" was still in use in North America to help it handle the increased load caused by the Covid-19 pandemic. "Some devices were compromised at both the Company's US and Japanese offices through the affected old VPN device at the Company's North American subsidiary, leading to the theft of information," Capcom explained. 

"While the Company had existing perimeter security measures in place and, as explained below, was in the processes of adopting defensive measures such as a SOC [Security Operation Center] service and EDR [Endpoint Detection and Response], the Company had been forced to prioritize infrastructure improvements necessitated by the spread of COVID-19. As a result, the use of these measures was still in the process of being verified (not yet implemented) at the time this matter took place." 

The old system is no longer in use, and Capcom has put in place several technological and organizational steps to reduce the chances of anything similar occurring again in the future. Capcom has introduced new internal divisions, including an Information Technology Security Oversight Committee and an Information Technology Surveillance Section, to stay on top of possible future threats. 

"While it is true that the threat actor behind this attack left a message file on the devices that were infected with ransomware containing instructions to contact the threat actor to negotiate, there was no mention of a ransom amount in this file," Capcom wrote.

Warning: Your WhatsApp May Be Hacked and There’s Nothing You Can Do

 

Things could get very unpleasant for WhatsApp users. A newly reported vulnerability could let a remote attacker deactivate WhatsApp on a victim's phone using nothing more than the victim's phone number.

Alarmingly, two-factor authentication does not prevent it. The victim does not have to make a mistake: the attack abuses WhatsApp's registration flow, and the two-step verification PIN, which should be the safeguard at that point, never comes into play.

According to Forbes, security researchers Luis Márquez Carpintero and Ernesto Canales Perea demonstrated the vulnerability and were able to disable WhatsApp on a user's phone.

According to the report, the vulnerability has two parts. The first is the way WhatsApp is installed on any device: when you install WhatsApp on your phone, you receive an SMS code to verify the SIM card and phone number. An attacker can start the same process on their own phone using the victim's number. The victim then begins receiving six-digit codes via SMS, a sign that someone has requested a registration code for their number. There is nothing the victim can do at this point, and WhatsApp keeps working normally.

Because the attacker keeps requesting codes, the SMS messages arrive repeatedly. After too many attempts, WhatsApp's verification process locks that number for 12 hours: no further codes can be submitted or generated. WhatsApp continues to function normally during the lock, but the victim must not deactivate WhatsApp on their phone and try to reinstall it at this time. The vulnerability is expected to affect both WhatsApp for Android and WhatsApp for iPhone.

In the second step, the attacker creates an email account and writes to support@whatsapp.com claiming that the phone on which WhatsApp is registered has been lost or stolen and asking for WhatsApp to be deactivated for that number, which is the victim's number. WhatsApp may send an email asking the sender to confirm the phone number, but it has no way of knowing whether the email comes from the attacker or the legitimate owner. After a while, WhatsApp is deactivated for the victim's number. When the victim opens the app, it shows "Your phone number is no longer registered with WhatsApp on this phone."

The natural next step is to reinstall WhatsApp. According to the report, no SMS code arrives, and the app tells the user to "Wait before requesting an SMS or a call.", because the victim's phone is now subject to the same 12-hour limit the attacker triggered.

If the attacker waits for the 12-hour block to expire and emails WhatsApp again, the victim is locked out once more and cannot set up WhatsApp on their phone even when the SMS codes do arrive.

The researchers say that after the third 12-hour cycle WhatsApp's verification breaks down and, instead of a countdown, simply says "try again after -1 seconds". The victim's phone and the attacker's phone are treated the same way, and this is where the damage becomes lasting: if the attacker emails WhatsApp again at this point to deactivate the number, the victim cannot re-register the app on their phone once they have been kicked out. The researchers told Forbes, "It's too late."
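The design flaw behind the procedure above, modelled as an added example that is not code from the article, the researchers or WhatsApp: a verification throttle keyed only by phone number is shared state that an attacker can fill on the victim's behalf, and a support desk that deregisters a number on an unverified claim turns that lock into a lasting lockout. The request limit, the lock duration, the recovery-email check and all names and numbers are assumptions for this example, not WhatsApp's real parameters; the "hardened" variant keys the throttle per requester and makes support verify the recovery email that two-step verification lets a user register.

```python
from collections import defaultdict

HOURS = 3600


class Registration:
    """Minimal model of a phone-number registration service with an SMS-code throttle
    and a support desk that can deregister a number. Limits are assumptions."""

    MAX_CODE_REQUESTS = 5            # code requests allowed before the key is locked
    LOCK_SECONDS = 12 * HOURS        # the 12-hour block described in the article

    def __init__(self, per_requester: bool, verify_recovery_email: bool):
        self.per_requester = per_requester              # key throttle by (number, device)?
        self.verify_recovery_email = verify_recovery_email  # support checks the registered email?
        self.count = defaultdict(int)
        self.locked_until = defaultdict(int)
        self.registered = {}                            # number -> (device, recovery_email)

    def _key(self, number: str, requester: str):
        return (number, requester) if self.per_requester else number

    def register(self, number: str, device: str, recovery_email: str = None) -> None:
        self.registered[number] = (device, recovery_email)

    def request_code(self, number: str, requester: str, now: int) -> str:
        """Return 'code_sent' or 'wait'. Too many requests lock the key for LOCK_SECONDS."""
        key = self._key(number, requester)
        if self.locked_until[key] > now:
            return "wait"
        self.count[key] += 1
        if self.count[key] > self.MAX_CODE_REQUESTS:
            self.locked_until[key] = now + self.LOCK_SECONDS
            self.count[key] = 0
            return "wait"
        return "code_sent"

    def support_deregister(self, number: str, claimant_email: str) -> bool:
        """Support desk action on a 'my phone was stolen' email. Returns True if it acted."""
        if number not in self.registered:
            return False
        _, recovery_email = self.registered[number]
        if self.verify_recovery_email and claimant_email != recovery_email:
            return False
        del self.registered[number]
        return True


def run_attack(service: Registration, victim="+15550100",
               victim_phone="victim-phone", attacker_phone="attacker-phone") -> dict:
    """Replay the three steps from the article against the given service model."""
    service.register(victim, victim_phone, recovery_email="owner@example.com")
    t = 0
    # Step 1: the attacker requests codes for the victim's number until the throttle locks.
    while service.request_code(victim, attacker_phone, t) == "code_sent":
        t += 60
    # Step 2: the attacker emails support from an unrelated address claiming the phone was lost.
    deregistered = service.support_deregister(victim, "attacker@example.net")
    # Step 3: the victim notices an hour later and tries to register again on their own phone.
    victim_result = service.request_code(victim, victim_phone, t + 1 * HOURS)
    return {"deregistered": deregistered, "victim_can_reregister": victim_result == "code_sent"}


if __name__ == "__main__":
    print("number-keyed throttle, trusting support:",
          run_attack(Registration(per_requester=False, verify_recovery_email=False)))
    print("per-requester throttle, verified support:",
          run_attack(Registration(per_requester=True, verify_recovery_email=True)))
```

Per-requester keying alone does not solve the SMS flooding, since an attacker with many devices can still drive up message volume, and verified support alone still leaves the victim locked out for the duration of the block; the lockout only stops being permanent when both the shared limit and the unverified deregistration are fixed.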

“There is no way of opting out of being discovered on WhatsApp. Anyone can type in a phone number to locate the associated account if it exists. Ideally, a move towards being more privacy-focused would help protect users from this, as well as forcing people to implement a two-step verification PIN,” ESET’s Jake Moore told Forbes. 

WhatsApp's response to Forbes' Zak Doffman, unfortunately, does not evoke much trust. All they state is, “providing an email address with your two-step verification helps our customer service team assist people should they ever encounter this unlikely problem. The circumstances identified by this researcher would violate our terms of service and we encourage anyone who needs help to email our support team so we can investigate.”

Hackers Expose Contact and KYC Details of Upstox Clients

 

Upstox, India's second-biggest broking firm by number of active customers, disclosed that its databases, including contact details and know-your-customer (KYC) details, may have been breached. The discount brokerage said it had recently upgraded the security of its servers manifold on the recommendations of a global cyber-security firm following the suspected breach.

The company has assured customers that their funds and securities are protected and remain safe. Sources suggest Upstox suffered a large data breach that exposed sensitive information such as Aadhaar numbers, PAN, bank account numbers, cancelled cheques, signatures and photographs, as well as other personally identifiable information such as passport details, mobile numbers and email addresses.

“On receipt of e-mails claiming unauthorized access into our database, we have appointed a leading international cyber-security firm to investigate possibilities of breach of some KYC data stored in third-party data warehouse systems. This morning, hackers put up a sample of our data on the dark web,” a company spokesperson said in an e-mailed statement. 

The spokesperson added that, as a proactive measure, the company had started numerous security upgrades, particularly at the third-party warehouses, along with continuous 24x7 monitoring and additional ring-fencing of its network.

“As a matter of abundant caution, we have also initiated a secure password reset via OTP for all Upstox users. Upstox takes customer security extremely seriously. Funds and securities of all Upstox customers are protected and remain safe. We have also duly reported this incident to the relevant authorities,” the spokesperson said. The spokesperson further said that at this point, “We don't know with certainty the number of customers whose data has been exposed.” 

Upstox, backed by investors including Tiger Global and Ratan Tata, has more than 3 million customers. In a note on the company website, Upstox co-founder and CEO Ravi Kumar said customers' funds and securities are protected and remain safe.

“Funds can only be moved to your linked bank accounts and your securities are held with the relevant depositories. As a matter of abundant caution, we have also initiated a secure password reset via OTP. Through this time, we have also strongly fortified our systems to the highest standards,” he said.

Google Tricked Millions of Chrome Users in the Name of 'Privacy'

 

Google revealed last month that it is rolling out Federated Learning of Cohorts (FLoC), a key part of its 'Privacy Sandbox' project for Chrome. The company advertises FLoC as a privacy-preserving alternative in Chrome to the third-party cookie.

But the real question is whether Google can truly preserve the privacy of its users, and the FLoC trial does not suggest so. Millions of Chrome users had no say in their enrolment in the trial, received no notice, and currently have no way to opt out of it. The only way to leave the trial is to block all third-party cookies in Chrome.

What is the FLoC program? 

FLoC is based on machine learning technology designed by Google and is meant to be an alternative to the kind of cookies that advertising technology firms use today to track you across the web. Instead of a personally-identifiable cookie, FLoC runs locally and examines your browsing pattern to group you into a cohort of like-minded people with similar interests (and doesn’t share your browsing history with Google). That cohort is particular enough to permit advertisers to do their thing and show you relevant ads, but without being so specific as to allow marketers to spot you personally. 

This "interest-based" approach, as Google calls it, lets you hide within a crowd of users with similar interests. All the browser exposes is a cohort ID; your browsing history and other data stay on the device. Google has also begun testing FLoC with some Chrome users in an origin trial, which lets websites try out the new system.

Last month, Google’s FLoC trial announcement, gave Chrome users no alternative to quitting before the trial started. Instead, Google quietly started to expand its FLoC technology to Chrome users in the US, Canada, Mexico, Australia, New Zealand, Brazil, India, Japan, Indonesia, and the Philippines.

"When other browsers started blocking third-party cookies by default, we were excited about the direction, but worried about the immediate impact. Excited because we need a more private web, and we know third-party cookies aren’t the long-term answer. Overall we felt that blocking third-party cookies outright without viable alternatives for the ecosystem was responsible and even harmful, to the open and free web we all enjoy,” Marshall Vale, Google’s product manager, stated.