Hot Topic Data Breach Exposes Private Data of 57 Million Users

 

Have I Been Pwned warns that an alleged data breach compromised the private data of 56,904,909 Hot Topic, Box Lunch, and Torrid users. Hot Topic is an American retail franchise that specialises in counterculture-themed clothes, accessories, and licensed music merchandise. 

The firm has approximately 640 stores in the United States and Canada, mostly in shopping malls, with a large customer base.

According to HIBP, the exposed information includes full names, email addresses, birth dates, phone numbers, physical addresses, transaction history, and partial credit card data for Hot Topic, Box Lunch, and Torrid users. 

On October 21, 2024, a threat actor known as "Satanic" claimed responsibility for the security incident on BreachForums. The threat actor claims to have siphoned 350 million user records from Hot Topic and its subsidiaries, Box Lunch and Torrid.

"Satanic" attempted to sell the database for $20,000 while also demanding a $100,000 ransom from Hot Topic to remove the ad from the forums. According to a HudsonRock report published on October 23, the intrusion could be the result of an information stealer malware infection that acquired credentials for Hot Topic's data unification service. 

While Hot Topic has stayed silent, and no notifications have been issued to potentially impacted users, data analytics firm Atlas Privacy revealed last week that the 730GB database impacts 54 million users. Atlas further highlighted that the collection contains 25 million credit card numbers encrypted with a weak cipher that current computers can easily break.

Although Atlas is not positive that the database belongs to Hot Topic, it did note that approximately half of all email addresses had not been seen in previous breaches, which lends credibility to the threat actor's claims. According to Atlas, the hack appears to have occurred on October 19, with data ranging from 2011 until that date.

The company has set up a website where Hot Topic consumers can see if their email address or phone number was compromised in the data breach. Meanwhile, the threat actor continues to offer the database, albeit at a lower price of $4,000. Potentially impacted Hot Topic consumers should be wary of phishing attacks, monitor their financial accounts for suspicious activity, and change their passwords on all platforms where they use the same credentials.

Social Blade Confirms Data Breach

The company Social Blade has disclosed a security breach after a group of threat actors offered to sell a database illegally obtained from the company’s systems. 

Social Blade is an American social media analytics website that monitors tens of millions of social media accounts. The website primarily tracks the YouTube platform but also provides analytical information regarding other social media platforms such as Twitch, Twitter, Facebook, Instagram, and TikTok. 

Social Blade works as a third-party API that helps its customers compile data from different social media platforms. It helps content creators boost their subscriber numbers and their channels' popularity.

According to reports, on Monday the threat actor offered the Social Blade database for sale on a hacker forum. It included email addresses, password hashes, client IDs, tokens for business API users, auth tokens for connected accounts, and various non-personal and internal user data.

The seller has also provided a sample of table names and content. Reportedly, the hacker obtained 5.6 million records. The sample that has been provided by the hacker shows that many of the records contain user credentials.  

"Even the smallest of flaws, if they go unnoticed, can compound into a huge problem for an organization. Without knowing the exact nature of the flaw we can assume it allowed full access to the Database as this is what the attacker had after running the breach. The overall response here was excellent including resetting passwords and flushing API keys as well as addressing the flaw," Jason Kent, CEO of Social Blade, said.

Following the incident, the company reported that the matter is under investigation after officials observed that a hacker had offered its users' data for sale on a criminal website. The company also reported that it has started contacting its customers regarding the incident.

"Had the accounts or API keys been compromised and left valid, the damage could have been much, much worse. Imagine having administrative access at the level of every one of their customers. They could sell social analytics to anyone for any purpose including reputational and/or brand damage. Moving on to the knock-on effect of this, now the people that possess the database know a good credential set to try on other platforms. Understand who the customers are for contextual phishing campaigns as well as other scams that can be run with such data. If you are/were a customer of Social Blade, be prepared for these kinds of attacks," he added.

Uber Claims No Private Details Accessed in Latest Network Breach

 

The hacker who claims to have hacked Uber might not have landed a stinging punch. The ridesharing firm has provided an update regarding the security breach by confirming there's "no evidence" to suggest that intruders accessed sensitive user data, such as trip histories. 

All services provided by the company, including Uber, Eats, Freight, and the Uber Driver app, are functioning correctly, and the company has also restored the internal software it took down upon discovering the network breach.

“We have no evidence that the incident involved access to sensitive user data (like trip history),” the company stated. “Internal software tools that we took down as a precaution yesterday are coming back online this morning.” 

Uber contacted law enforcement and started an internal investigation into the incident, a company spokesman confirmed. However, the company didn't say more about the reported perpetrator or the nature of the incident. Several security experts believe that it is downplaying the incident and has no clear idea of the depth of the breach.

Intrusion details 

The breach allegedly involved a lone hacker, who claimed to be an 18-year-old male and who used social engineering to trick an Uber employee into revealing login credentials by posing as a coworker.

Upon securing an initial foothold, the hacker discovered an internal network share containing PowerShell scripts with privileged admin credentials, allowing carte blanche access to other critical systems, including AWS, Google Cloud Platform, OneLogin, SentinelOne incident response portal, and Slack. 

Singapore-based Group-IB's follow-up investigation of the downloaded artifacts captured by the hacker reveals complete access to the cloud-based infrastructure Uber uses to hold private consumer and financial data. The hacker blamed Uber’s feeble security for his success in exploiting its databases. He also contacted the New York Times, claiming that he hacked Uber for fun and has its source code in his possession, which he might post online.

Firm’s history of downplaying data breaches

Network breaches have been an issue for Uber in the past. In 2018, it agreed to a $148 million settlement over a 2016 data breach the company failed to reveal. Hackers were able to siphon data on 57 million drivers and riders, including private details such as names, email addresses, and driver's license numbers.

The data breach incident remained buried for more than a year. However, in November 2017 multiple reports surfaced that Uber had suffered a massive security breach, had paid the hackers $100,000 to delete the information, and had them sign a nondisclosure agreement.