Unprecedented Data Breach: Millions Impacted by Personal Information Theft via Website Error

Millions of people's personal details have been exposed through website errors, and tech users are being targeted by scammers who use scare tactics to get their attention.

Tech support scams have become increasingly popular over the past few years. Scammers use scare tactics to get you to pay for unnecessary technical support services to "fix" equipment or software that has nothing wrong with it.

In most cases, scammers try to trick you into paying them to fix a supposed problem with your devices or software. At worst, these criminals are after your financial or personal information. If they can get remote access to your computer to perform this "fix", they will often install malware, ransomware, or other unwanted programs, which may steal your information or damage your data or your device.

A recent report by cybersecurity experts warned that websites and web apps are increasingly leaking sensitive information belonging to millions of people every day. All three incidents in question share a common denominator: insecure direct object references (IDOR). This is a flaw in the site or app that lets a user request sensitive information from it without the site first checking that this user is allowed to access that information.

Taking note of this, the United States Computer Emergency Readiness Team (CERT) and the Australian Cyber Security Centre have jointly published a security bulletin warning about IDORs, prompted by the IDOR vulnerabilities discovered in the past.

Criminals cannot lay their hands on confidential information or compromise user privacy without first stealing digital data from the computers, servers, and electronic devices that store it. Data that can be stolen includes bank account numbers, online account passwords, passport numbers, license numbers, social security numbers, medical records, online store subscriptions, and so on.

When an unauthorized person gains access to financial or personal information, they can delete, alter, or block access to that information without the owner's consent.

Malicious actors steal data to sell it or to commit identity theft for profit. If data thieves gather enough data about an individual, they can use it to get into secured accounts, open credit cards in the victim's name, or otherwise exploit the victim's identity. While data theft was once mainly a problem for businesses and organizations, it has unfortunately become a growing problem for the general public as well.

There are many misconceptions surrounding the term 'data theft'. Although it describes a thief stealing data, the information is not taken away in the literal sense. Data theft refers to copying or duplicating information in order to profit from using it.

Flaws Commonly Encountered 


CISA analysts noted in their announcement that IDOR flaws are "frequently" exploited by hackers, since "they are exceptionally common, hard to detect outside the development process, and have the capability to be exploited at scale." 

"In general, these vulnerabilities exist because an object's identifier is exposed, passed externally, or can be easily guessed, allowing any user with access to the object to use or modify the object," according to CISA.

These attacks can have a painful impact on the victim, since they allow the perpetrator to steal sensitive information, including financial, health, and personal data.

Among the incidents were a series of security breaches at First American Financial in 2019 (800 million people's data was stolen), the IDOR flaw in Microsoft Teams discovered at the end of June 2023, and the IDOR bug discovered in Nexx smart home devices at the beginning of April 2023.

CISA says web developers should follow a secure-by-design approach at each step of the development process. To ensure that the code is robust and error-free, it recommends incorporating automated code analysis tools, which allow developers to identify flaws before the apps reach production.

Both groups say developers should ensure applications are set up with secure default access settings. In practice, that means verifying that each request to access or edit sensitive information is legitimate, every time such a request is made.
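An added example (not code from the advisory or from this post) of the per-request check described above, written as plain Python handlers: the vulnerable version trusts the client-supplied identifier, while the fixed version compares the object's owner with the authenticated session on every call. The document store, user ids and function names are constructed for illustration.

```python
"""Added example (not from the advisory or this post): the per-request
authorization check that closes an IDOR, shown as plain Python handlers.
The document store, user ids and helper names are all constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Document:
    doc_id: int
    owner_id: int
    body: str


# Constructed sample store: user 1 owns 101 and 103, user 2 owns 102.
DOCUMENTS = {
    101: Document(101, owner_id=1, body="alice tax return"),
    102: Document(102, owner_id=2, body="bob medical record"),
    103: Document(103, owner_id=1, body="alice passport scan"),
}


class Forbidden(Exception):
    """Raised when the caller may not reach the requested object."""


def get_document_vulnerable(session_user_id: int, doc_id: int) -> str:
    """IDOR: the handler trusts the identifier supplied by the client.
    session_user_id is never consulted, so any logged-in user who
    changes doc_id in the request receives someone else's document."""
    return DOCUMENTS[doc_id].body


def get_document_fixed(session_user_id: int, doc_id: int) -> str:
    """Fixed: ownership is read from the server-side record and compared
    with the authenticated session on every request. One error covers
    both 'no such id' and 'not yours', so guessed ids reveal nothing."""
    doc = DOCUMENTS.get(doc_id)
    if doc is None or doc.owner_id != session_user_id:
        raise Forbidden(f"user {session_user_id} may not access document {doc_id}")
    return doc.body


def can_read(session_user_id: int, doc_id: int) -> bool:
    """Convenience wrapper for callers that only need an allow/deny verdict."""
    try:
        get_document_fixed(session_user_id, doc_id)
    except Forbidden:
        return False
    return True
```

The same ownership check must guard edit and delete handlers too, since CISA's description covers modifying the object, not only reading it.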

What Factors Contribute to Data Theft? 


Data and digital information can be stolen in many ways. Common methods include:

Social engineering:

There are many ways in which social engineering can be done, but phishing is the most common. A phishing attack occurs when someone impersonates an official entity to trick the victim into opening an email, text message, or instant message that appears to come from a trusted source. Users falling victim to phishing attacks is among the most common causes of data theft.

Weak passwords:

Using a password that is easy to guess, or reusing the same password across multiple accounts, makes it easier for attackers to gain access to your sensitive data. Poor password habits, such as writing passwords down on paper or sharing them with others, can also lead to data theft.

System vulnerabilities:


Hackers can exploit vulnerabilities in software applications and network systems to steal data and identity information. Such vulnerabilities usually stem from poorly written or poorly designed applications or network systems. Outdated antivirus software can also leave you exposed, because its threat definitions are out of date.

Insider threats:

Information about customers can be accessed by the employees who keep the organization running. If an employee breaks the rules or a contractor is disgruntled, data can be copied, altered, or stolen. Insider threats are not limited to current employees.