
Discord.io Acknowledges Data Breach: Hacker Exposes Information of 760K Users


The Discord.io custom invitation service has temporarily ceased its operations due to a data breach that has exposed the personal details of approximately 760,000 members.

Discord.io, while not an official Discord platform, functions as a third-party service that enables server owners to generate custom invitations for their channels. The community largely revolves around the service's Discord server, boasting a membership of over 14,000 users.

According to the threat actor, the database contains the information for 760,000 Discord.io users and includes the following types of information:

"userid","icon","icon_stored","userdiscrim","auth","auth_id","admin","moderator","email","name","username","password","tokens","tokens_free","faucet_timer","faucet_streak","address","date","api","favorites","ads","active","banned","public","domain","media","splash_opt","splash","auth_key","last_payment","expiration"

The breach has exposed sensitive information, including usernames, email addresses, a small number of billing addresses, salted and hashed passwords (in a limited number of cases), and Discord IDs. The disclosure of Discord IDs, while not deemed private, raises concerns about the potential linkage of Discord accounts to specific email addresses.

Following initial reporting by StackDiary, Discord.io has acknowledged the breach's legitimacy through notifications on its Discord server and website. Consequently, the service has taken the decision to temporarily suspend its operations.

A statement on the Discord server of the service conveys, "Discord.io has fallen victim to a data breach. We are halting all activities indefinitely." More information is available on their designated "#breach-notification" channel, and an identical message is slated for an upcoming update to the website.

Discord.io's website outlines a sequence of events that led to their discovery of the breach subsequent to a post on a hacking forum. The veracity of the leaked data was swiftly confirmed, prompting the temporary shutdown of services and the discontinuation of all paid memberships.

Discord.io maintains that it has not received any communication from the responsible party behind the breach, nor has it disclosed details regarding the method of infiltration.

In a conversation with the seller of the Discord.io database, identified as Akhirah, BleepingComputer verified that the Discord.io operators have not engaged in dialogue with them. Akhirah emphasized that their motivations extend beyond financial gain. 

They assert concerns about Discord.io's alleged associations with illicit and harmful content, emphasizing a desire for the removal of such content in lieu of selling or releasing the pilfered database.

The Discord.io platform functions as a directory facilitating searches for Discord servers aligned with specific interests, providing access via invitations that sometimes require the site's virtual currency, Discord.io Coins. The site's terms of use allocate responsibility for content to its members, although the operators retain the right to eliminate any content deemed illegal or violative of guidelines.

Archived versions of the site display a range of Discord servers catering to diverse interests, encompassing areas like anime, gaming, and adult content. Akhirah underscored concerns over the sale of the database, not solely for financial purposes, but due to the platform's purported links to objectionable and illegal materials.

The hacker also indicated that while significant interest surrounds the database, the majority emanates from individuals seeking to exploit it for purposes such as doxing adversaries. Akhirah expressed a preference for the Discord.io operators to address the alleged offensive material's removal from the site as a condition for not disseminating the stolen database.

Discord.io members are advised to exercise caution. Although the hacker affirms that the database has not been sold, members should remain vigilant against potential misuse of their data. The passwords compromised in the breach are hashed with bcrypt, which is computationally intensive and slows brute-force cracking considerably. Nevertheless, the leaked email addresses could be exploited for targeted phishing campaigns aimed at stealing further confidential information.

Therefore, individuals associated with Discord.io should remain alert to unsolicited emails containing links to websites soliciting passwords or additional personal details. For updates pertaining to the breach, the primary website should be monitored, as it is expected to provide guidance on potential password resets and communications from the service.

LastPass Releases New Security Incident Disclosure and Recommendations


LastPass was compromised twice last year by the same actor, once in late August 2022 and again on November 30, 2022. On Wednesday, the global password manager company released a report with new findings from its security incident investigation as well as recommended actions for affected users and businesses. As per LastPass, the hacker first gained access to a software engineer's corporate laptop in August. 

The first attack was critical because the information stolen during that initial incident is what enabled the second, coordinated attack. In the second attack, the threat actor exploited a vulnerability in a third-party media software package installed on the home computer of a DevOps engineer.

“The threat actor was able to capture the employee’s master password as it was entered after the employee authenticated with MFA and gained access to the DevOps engineer’s LastPass corporate vault,” detailed the company´s recent security incident report.

LastPass has validated that, during the second incident, the attacker gained access to the company's data vault and to cloud-based backup storage containing configuration data, API secrets, third-party integration secrets, customer metadata, and backups of all customer vault data. The corporate vault also held access to the shared cloud-storage environment that houses the encryption keys for the customer vault backups stored in Amazon S3 buckets, the object-storage service customers use to keep data in their Amazon Web Services cloud environment.

The second attack was laser-focused and carefully planned, as it targeted one of only four LastPass employees with access to the corporate vault. After decrypting the vault, the hacker exported the entries, including the decryption keys required to access the AWS S3 LastPass production backups, other cloud-based storage resources, and related data.

In two security bulletins, LastPass issued instructions to affected users and businesses; the key points from those bulletins follow. The first, Security Bulletin: Recommended Actions for LastPass Free, Premium, and Families, covers best practices for master passwords, guidance on creating strong passwords, and enabling extra layers of security such as multifactor authentication. Users were also urged to change their passwords.

LastPass master passwords should be between 16 and 20 characters long, include at least one upper-case letter, lower-case letter, number, symbol, and special character, and be unique, that is, not reused on any other site. Users can reset LastPass master passwords by following the official LastPass guide.

LastPass also asked users to check the security score of their current password strength in the Security Dashboard, to enable and test the dark web monitoring feature, and to enable default MFA. With monitoring enabled, users are notified when their email addresses appear on dark web forums and sites. For businesses that use LastPass, a second document, Security Bulletin: Recommended Actions for LastPass Business Administrators, was published after the incident. This more comprehensive guide contains ten points:
  • Master password length and complexity.
  • The iteration counts for master passwords.
  • Super admin best practices.
  • MFA shared secrets.
  • SIEM Splunk integration.
  • Exposure due to unencrypted data.
  • Deprecation of Password apps (Push Sites to Users).
  • Reset SCIM, Enterprise API, and SAML keys.
  • Federated customer considerations.
  • Additional considerations.
Super admin LastPass users have access to more features than the average administrator. Following the attacks, the company issued special recommendations for super admin users due to their extensive powers. The following are LastPass super admin recommendations.
LastPass has stated that it is confident that it has taken the necessary steps to limit and eliminate future access to the service; however, according to Wired, the most recent disclosure of LastPass was so concerning that security professionals "started calling for users to switch to other services." LastPass' main competitors are 1Password and Dashlane.

Experts have also questioned LastPass's transparency, pointing out that it fails to date security incident statements and has yet to clarify when the second attack occurred or how long the hacker was inside the system; the amount of time a hacker spends inside a system has a significant impact on the amount of data and systems that can be exploited. (I contacted LastPass for a response but did not receive one.)

The consequences of these recent security incidents are clear to LastPass users. While the company maintains that there is no evidence the compromised data is being sold or marketed on the dark web, business administrators are left to work through LastPass' extensive list of recommendations.
A password-free future

Unfortunately, password manager hacking is not a new phenomenon. Since 2016, LastPass has had security incidents every year, and other top password managers such as Norton LifeLock, Passwordstate, Dashlane, Keeper, 1Password, and RoboForm have been either targeted, breached, or proven to be vulnerable, according to Best Reviews.

Password manager companies are increasingly being targeted by cybercriminals because they store sensitive data that can be used to access millions of accounts, including cloud accounts where business-critical systems and digital assets are hosted. Cybersecurity practices, transparency, breaches, and data exfiltration can all have an impact on the future of these password manager companies in this highly competitive landscape.

Uber Investigates Potential Breach Of its Computer System


Uber announced on Thursday that it is responding to a cybersecurity incident involving a network breach and that it is in contact with law enforcement authorities. The incident was first reported by the New York Times. When reached for comment, the company referred to its tweeted statement.  

As per two employees who were not authorised to speak publicly, Uber employees were instructed not to use the company's internal messaging service, Slack, and discovered that other internal systems were inaccessible.

Uber employees received a message that read, "I announce I am a hacker and Uber has suffered a data breach" shortly before the Slack system was taken offline on Thursday afternoon. The message went on to list a number of internal databases that the hacker claimed were compromised.

"It appeared that the hacker was later able to gain access to other internal systems, posting an explicit photo on an internal information page for employees," the New York Times stated. 

Uber has not released any additional information about the incident, but it appears that the hacker, believed to be 18 years old, social-engineered an employee into handing over their password by impersonating a corporate IT employee, and then used that password to gain access to the internal network.

The attacker circumvented the account's two-factor authentication (2FA) protections by bombarding the employee with push notifications and then contacting the individual on WhatsApp, claiming to be from Uber's IT department, to persuade them to approve the authorization request. The technique is similar to the recently disclosed Cisco hack, in which cybercriminal actors used prompt bombing to obtain a 2FA push acceptance.
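The MFA push-bombing pattern described above leaves a recognisable trace in identity-provider logs: a burst of push prompts for one account, often with denials, ending in an approval. The following detection routine is an added example (not Uber's or Cisco's code); the log line format, user names and timestamps are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from the Uber incident); the line format is assumed:
# "<ISO timestamp> user=<name> event=mfa_push result=<sent|denied|approved>"
SAMPLE_LOG = """\
2022-09-15T14:01:02Z user=alice event=mfa_push result=sent
2022-09-15T14:01:20Z user=alice event=mfa_push result=denied
2022-09-15T14:01:45Z user=alice event=mfa_push result=sent
2022-09-15T14:02:03Z user=alice event=mfa_push result=denied
2022-09-15T14:02:30Z user=alice event=mfa_push result=sent
2022-09-15T14:03:10Z user=alice event=mfa_push result=sent
2022-09-15T14:05:15Z user=alice event=mfa_push result=approved
2022-09-15T15:30:00Z user=carol event=mfa_push result=sent
2022-09-15T15:30:40Z user=carol event=mfa_push result=denied
2022-09-15T17:00:00Z user=carol event=mfa_push result=sent
2022-09-15T17:00:20Z user=carol event=mfa_push result=approved
"""

LINE_RE = re.compile(r"^(\S+) user=(\S+) event=mfa_push result=(sent|denied|approved)$")

def parse_events(text):
    """Return (timestamp, user, result) tuples; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m.group(2), m.group(3)))
    return events

def find_push_bombing(events, window=timedelta(minutes=10), min_pushes=4):
    """Flag approvals preceded, within the window, by >= min_pushes pushes and a denial."""
    by_user = defaultdict(list)
    for ts, user, result in events:
        by_user[user].append((ts, result))
    alerts = []
    for user, evs in by_user.items():
        evs.sort()
        for i, (ts, result) in enumerate(evs):
            if result != "approved":
                continue
            # Only prompts inside the look-back window count; carol's earlier denial
            # is hours old, so her later single-push approval is not flagged.
            recent = [r for t, r in evs[:i] if ts - t <= window]
            pushes, denials = recent.count("sent"), recent.count("denied")
            if pushes >= min_pushes and denials >= 1:
                alerts.append({"user": user, "approved_at": ts.isoformat(),
                               "pushes": pushes, "denials": denials})
    return alerts
```

Run over the constructed log, only alice's approval (four pushes and two denials in the preceding ten minutes) is flagged; tuning `window` and `min_pushes` to a tenant's normal prompt rate keeps false positives down.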

"Once on the internal network, the attackers found high privileged credentials laying on a network file share and used them to access everything, including production systems, corp EDR console, [and] Uber slack management interface," Kevin Reed, a chief information security officer at Acronis, told The Hacker News.

It's not the first time

This is not Uber's first security breach. It came under fire for failing to adequately reveal a 2016 data breach that affected 57 million riders and drivers and then paying hackers $100,000 to obfuscate the breach. It was only in late 2017 that the public became aware of it.

Uber's top security executive at the time, Joe Sullivan, was fired for his role in the company's response to the hack. Mr. Sullivan was charged with obstructing justice for failing to notify regulators of the breach, and he is currently on trial. Mr. Sullivan's lawyers have argued that other employees were responsible for regulatory disclosures and that the company had made Mr. Sullivan a scapegoat. 

In December 2021, Sullivan was charged with three additional counts of wire fraud on top of the previously filed felony obstruction and misprision charges.

"Sullivan allegedly orchestrated the disbursement of a six-figure payment to two hackers in exchange for their silence about the hack," the superseding indictment said. It further said he "took deliberate steps to prevent persons whose PII was stolen from discovering that the hack had occurred and took steps to conceal, deflect, and mislead the U.S. Federal Trade Commission (FTC) about the data breach."

The latest breach comes as Sullivan's criminal case goes to trial in the United States District Court in San Francisco.

Reed concluded, "The compromise is certainly bigger compared to the breach in 2016. Whatever data Uber keeps, the hackers most probably already have access."