Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label User Data Leak. Show all posts

Ticketmaster Data Breach Affects Over 500 Million Customers


 


We are all music fans at heart, and recently the most eye-catching tour is the three-hour Taylor Swift concert. The platform that sells tickets for these in-demand tours, Ticketmaster, has taken a hit. In a substantial blow to one of the world’s largest ticketing services, Ticketmaster has reportedly suffered a massive data breach impacting over half a billion customers. According to Mashable, the hacker group known as ShinyHunters claims responsibility for stealing customer data from nearly 560 million users. Although Ticketmaster has yet to confirm the breach, ShinyHunters has a history of high-profile hacks and is now selling the stolen data on a popular hacking forum for $500,000.


Details of the Stolen Data

ShinyHunters alleges they have obtained a substantial 1.3 terabytes of data, including sensitive information such as full names, addresses, and phone numbers. Additionally, the breach encompasses detailed order histories, which reveal ticket purchase details and event information. Alarmingly, partial payment information, including names, the last four digits, and expiration dates of credit cards, is also among the compromised data.


While waiting for Ticketmaster's official response, it is crucial for affected customers to take proactive steps to protect themselves. The stolen data could be used for targeted phishing attacks, making it essential to remain vigilant when checking emails, messages, or mail. Cybercriminals may impersonate reputable companies to trick individuals into revealing passwords or financial information.


To mitigate risks, users should avoid clicking on links or downloading attachments from unknown senders and always verify the legitimacy of the sender’s email address. Implementing robust cybersecurity measures, such as using the best antivirus software for PCs, Macs, and Android devices, can provide additional protection against potential malware infections.


Steps to Take Following a Data Breach

In the wake of a data breach, companies typically offer guidance and access to identity theft protection services. However, Ticketmaster has not yet confirmed the breach or announced any support for affected customers. Until more information is available, individuals should monitor their accounts for suspicious activity and consider changing passwords for any online accounts associated with the compromised email addresses.


Given ShinyHunters' notorious track record, including the 2021 leak of 70 million AT&T subscribers’ information, the claims warrant serious attention.


This incident surfaces the importance of cybersecurity and the potential vulnerabilities even large companies face. As the situation develops, staying informed and cautious will be key for those potentially affected by this breach. We will continue to provide updates as more information becomes available from Ticketmaster and other reliable sources.



Is iPhone’s Journal App Sharing Your Personal Data Without Permission?

 

In the digital age, where convenience often comes at the cost of privacy, the Journal app stands as a prime example of the fine line between utility and intrusion. Marketed as a tool for reflection and journaling, its functionality may appeal to many, but for some, the constant stream of notifications and data access raises legitimate concerns. 

While the Journal app offers a seemingly innocuous service, allowing users to jot down thoughts and reflections, its behind-the-scenes operations paint a different picture. Upon installation, users unwittingly grant access to a wealth of personal data, including location, contacts, photos, and more. This data serves as fodder for the app's suggestions feature, which prompts users to reflect on their daily activities. For those who engage with the app regularly, these suggestions may prove helpful, fostering a habit of mindfulness and self-reflection. 

However, for others who have no interest in journaling or who simply prefer to keep their personal data private, the constant barrage of notifications can quickly become overwhelming. The issue extends beyond mere annoyance; it touches on fundamental questions of privacy and consent in the digital realm. Users may find themselves grappling with the realisation that their every move is being tracked and analyzed by an app they never intended to use beyond a cursory exploration. 

Moreover, the implications of this data collection extend beyond the confines of the Journal app itself. As Apple's Journaling Suggestions feature allows for data sharing between journaling apps, users may inadvertently find their personal information circulating within a broader ecosystem, with potential consequences for their privacy and security. 

Fortunately, there are steps that users can take to regain control over their digital lives and mitigate the impact of unwanted notifications from the Journal app. Disabling Journaling Suggestions and revoking the app's access to sensitive data are simple yet effective measures that can help restore a sense of privacy and autonomy. Additionally, users may wish to reconsider their relationship with technology more broadly, adopting a more discerning approach to app permissions and data sharing. 

By scrutinising the terms of service and privacy policies of the apps they use, individuals can make more informed decisions about which aspects of their digital lives they are comfortable surrendering to third-party developers. Ultimately, the Journal app serves as a poignant reminder of the complex interplay between convenience and privacy in the digital age. While its intentions may be benign, its implementation raises important questions about the boundaries of personal data and the need for greater transparency and control over how that data is used. 

As users continue to grapple with these issues, it is incumbent upon developers and policymakers alike to prioritize user privacy and empower individuals to make informed choices about their digital identities. Only through concerted effort and collaboration can we ensure that technology remains a force for good, rather than a source of concern, in our increasingly connected world.

Fake Android App Enables Hackers to Steal Signal and WhatsApp User Data

Cybercriminals have recently developed a highly sophisticated approach to breach the security of both WhatsApp and Signal users, which is concerning. By using a phony Android conversation app, cybercriminals have been able to obtain user information from gullible individuals. There are significant worries regarding the vulnerability of widely used messaging services in light of this new threat.

Cybersecurity experts have reported that hackers have been exploiting a spoof Android messaging software to obtain users' personal information without authorization, specifically from Signal and WhatsApp users. With its slick layout and promises of improved functionality, the malicious app lures users in, only to stealthily collect their personal information.

Using a traditional bait-and-switch technique, the phony software fools users into thinking they are utilizing a reliable chat service while secretly collecting their personal data. According to reports, the software misuses the required rights that users are requested to provide during installation, giving it access to media files, contacts, messages, and other app-related data.

Professionals in cybersecurity have remarked that this technique highlights the growing cunning of cybercriminals in taking advantage of consumers' trust and the weaknesses in mobile app ecosystems. It is emphasized that consumers should exercise caution even when they download programs from official app stores because harmful apps can occasionally evade detection due to evolving evasion strategies.

Researchers studying security issues advise consumers to protect their data right away by taking preventative measures. It is advised to carefully examine user reviews and ratings, confirm the app's permissions before installing, and exercise caution when dealing with unapproved sources. Moreover, setting two-factor authentication (2FA) on messaging apps can provide an additional degree of security against unwanted access.

Signal and WhatsApp have reaffirmed their commitment to user privacy and security in response to this new threat. Users are encouraged to report any suspicious behavior and to remain alert. The event serves as a reminder that users and platform providers alike share responsibility for cybersecurity.

Dr. Emily Carter, a cybersecurity specialist, has stressed that a proactive approach to digital security is crucial in light of the hackers' increasing strategies. Users must be aware of potential risks and exercise caution when interacting with third-party apps, particularly those that request an excessive amount of permissions."

The necessity for ongoing caution in the digital sphere is highlighted by the recent usage of a phony Android chat app to steal user data from Signal and WhatsApp. To avoid becoming a victim of these nefarious actions, consumers need to stay informed and take precautions as hackers continue to improve their techniques. People can contribute to the creation of a safer online environment by keeping up with the most recent cybersecurity trends and best practices.

Cyberattack Targets US Hospital in Texas

Just several weeks following one of the largest healthcare cyberattacks in the US, another hospital system was taken down by a ransomware attack. 

According to a report, OakBend discovered that cybercriminals had accessed its network and encrypted parts of its system on September 1, 2022. In reaction, OakBend started working on network restoration before getting in touch with a third-party data security organization to help with the business's investigation into the event.

The investigation revealed that OakBend Medical Center's computer system had been accessed without authorization and that the hackers had been able to delete some of the material that was accessible.

OakBend Medical Center started looking through the affected files after learning that private customer information had been made available to an unauthorized entity, in order to ascertain what information had been hacked and whose customers were impacted.

On October 28, the medical system notified the Department of Health and Human Services (HHS) of a data breach affecting approximately 500,000 people. The attack has been linked to the ransomware and data extortion gang Daixin Team.

The group, which was formed in June of this year, has financial motivations. Fitzgibbon Hospital in Missouri was its prior victim, and the gang claims to have stolen 40GB of confidential data, including personnel and patient records.

Additionally, CommonSpirit, which manages over 140 hospitals in the US, decided not to reveal the precise number of its locations that were experiencing delays. However, a number of hospitals have reported being impacted, including CHI Memorial Hospital in Tennessee, some St. Luke's hospitals in Texas, and Virginia Mason Franciscan Health in Seattle.

According to Brett Callow, a cybersecurity specialist at Emsisoft, ransomware has been used to breach 19 significant hospital chains in the United States this year.

OakBend stated: "Our analysis shows that only a small quantity of data was really transported outside of the OakBend computing environment, even though we are aware that the hackers had access to OakBend's servers to encrypt our data. However, it does seem that the cybercriminals were able to access or remove several employee data sets and some reports that contained the private and medical information pertaining to our present and past patients, employees, and connected individuals."

To all those whose information was affected as a result of the current data breach, OakBend Medical Center handed out data breach notifications on October 31, 2022.

Optus Data Breach: Australia’s Telco Giant Confirms Data of Millions of Users Compromised

 

Australia’s second largest Telecom Company, Optus has recently become a victim of a cyberattack that attack apparently led to the exposure of personal data of its current as well as former customers. According to Trevor Long, a Sydney-based tech analyst, the attack is the biggest breach of personal data from any Australian firm. 

The firm states that as soon as the attack was detected, it worked towards containing the attack, subsequently shutting it down before customers could suffer any harm. The company believes that one of the networks was still exposed to the test network with internet access. 

The data breach notification read, “Following a cyberattack, Optus is investigating the possible unauthorized access of current and former customer [..] Upon discovering this, Optus immediately shut down the attack.” 

In the wake of the attack, the firm confirmed that its customers' private data could be compromised since the attackers had an access to the customer identity database and opened it to other systems via Application Programming Interface (API). The firm further told that its network was accessed from an external source.  

The exposed data, as per the firm’s statement in a press release included customers’ names, dates of birth, contact numbers, email addresses, residential addresses, and identity documents numbers such as passport and driving licenses. The company’s services on the other hand, including mobile and home internet, have not been compromised and the attackers were void of access to messages and phone calls. 

Is Human Error Responsible For The Breach? 

At a media briefing, when asked about the possibility of a human error being responsible for the breach, Optus CEO Kelly Bayers Rosemarin stated that “I know people are hungry for details about the exact specificity of how this attack could occur, but it is the subject of criminal proceedings and so will not be divulging details about that.” 

The company has denied any claims of a human error that could execute this data breach. The CEO also apologized to the firm’s customers, stating it was challenging to offer immediate advice unless the case investigation was complete. 

The CEO also mentioned the strong cyber defense softwares invested in Telco pertaining to the attacks. She further said that this attack should be a wake-up call for all organizations in order to avoid becoming a victim of a data breach. 

California Gun Permit Website Exposes User Data

 

About the Data Leak

A state website in California disclosed private information of any user who registered for CCP (concealed Carry Weapons) permits during 2011-2021. The California Department of Justice says the incident happened last week, in the blunder, the US state's firearms dashboard portal was overwhelmed. 

Besides the portal breach, the data was also leaked on various other online dashboards like- Assault Weapon Registery, Dealer Record of Sale, Firearm Safety Certificate, Certified for Sale, Dealer Record of Sale, Gun Violence Restraining Order, and Firearm Safety Certificate dashboards. 

What are the experts saying?

"The California cyber-gaffe comes at a time when data privacy is at the forefront of the national debate, in large part because of the US Supreme Court's recent decision to overturn Roe vs. Wade, which has called into question what personal data is collected, retained — and potentially sold or shared," reports the Register. 

California Department of Justice says that data and dashboards were accessible to the public for 24 hours. The data leaked include Gender, Race, Date of Birth, driver's license info, criminal histories, and addresses. However, it didn't expose financial information and social security numbers. 

Info exposed in the Data Leak 

But still, some personal information may have been leaked on social media websites, says Fresno County Sheriff's Office, which found the data leak. The state DOJ will inform California users whose data was leaked and will give additional info and details about soon. It also includes credit monitoring services for impacted users. 

"I immediately launched an investigation into how this occurred at the California Department of Justice and will take strong corrective measures where necessary," said Rob Bonta, California Attorney General, in a statement. He also said that he was deeply sorry and unsettled by the incident. 

The office didn't address the issue immediately, denying to provide info about the number of users affected and a number of California residents that apply for concealed weapons permit every year but are denied. 

Tim Marley, VP for audit, risk, and compliance at Cerberus Sentinel said that "the failure to keep stakeholders' sensitive data confidential is coming with greater consequences for organizations in the United States."

NRA Reacts to Allegations of a Ransomware Campaign

 

Last year, the National Rifle Association — champion of gun-toting maniacs worldwide, admitted it was hacked by cybercriminals. The organization's political action committee (PAC) confirmed the attack in a filing to the Federal Election Commission on Friday. 

Last October, a ransomware group known as "Grief" boasted to the digital underworld about hacking into the gun lobby's networks and stealing critical internal papers. It released screenshots of documents it claimed to be stolen during the event. The NRA did not confirm or deny it had been hacked at the time. 

"The National Rifle Association does not talk about its physical or electronic security. The NRA, on the other hand, takes exceptional precautions to safeguard information about its members, funders, and operations, and is extremely cautious in doing so." Andrew Arulanandam, managing director of NRA Public Affairs. 

The NRA was added as a new victim on the ransomware gang's data site today, along with pictures of Excel spreadsheets revealing US tax information and transaction amounts. The threat actors also published a 2.7 MB archive called 'National Grants.zip,' which comprises bogus NRA grant applications. After Grief claimed it obtained 13 files supposedly from the NRA's databases, security researchers began posting about the breach on Wednesday. According to an analysis of the documents supplied, it included records from a recent NRA board meeting as well as grant documents. If the NRA did not pay an undisclosed ransom, it threatened to release more files. 

The Grief ransomware group is believed to be linked to Evil Corp, a Russian hacking group. Evil Corp has been active since 2009 and has been involved in a variety of destructive cyber activities, including the spread of the Dridex trojan, which was used to steal online banking credentials and money. 

In 2017, the hacking gang published BitPaymer, ransomware which was later renamed DoppelPaymer in 2019. The US Department of Justice charged members of the Evil Corp with stealing more than $100 million and adding the cyber group to the Office of Foreign Assets Control (OFAC) sanction list after years of attacking US interests. 

Soon after, the US Treasury cautioned ransomware negotiators may face civil penalties if anyone helped gangs on the blacklisted list get ransom payments. To avoid US sanctions, Evil Corp has been spreading new ransomware strains under different identities on a regular basis since then.WastedLocker, Hades, Phoenix CryptoLocker, PayLoadBin, and, quite recently, the Macaw Locker are among the ransomware families.

NRA members should take precautions to protect themselves from any penalties which may occur as a result of this breach, according to Paul Bischoff, a privacy advocate at Comparitech. With the Grief ransomware group emerging, security researchers believe it is another version of DoppelPaymer due to the code similarities. Because Grief is related to Evil Corp, ransomware negotiators are unlikely to allow ransom payments unless the victim first obtains OFAC certification.

Doxy.me is Resolving a Data Leak that Exposed Patient Information to Facebook and Google

 

Doxy.me, a telehealth platform, is correcting an issue that allowed three third-party firms to obtain the names of some patients' providers. After examining the platform, privacy researcher Zach Edwards discovered that the company, which self-reports as having 30% of the growing US telemedicine market and is currently used by over 1 million providers worldwide, appeared to be sharing IP addresses and unique device identification numbers with Google, Facebook, and the marketing software company HubSpot. 

When patients clicked on a link to the platform's "virtual waiting room" service, which connects patients with medical professionals, the sensitive user data became available. According to Edwards, Doxy.me appears to have attempted to remove the doctor name from URLs given to third parties, but the three companies used particular technical loopholes to obtain the complete URL, which included the doctor names. There was no breach of patient health information.

Working with third parties like Google and Facebook to maximize data analytics and marketing poses dangers that are distinct from encrypting patient sessions or requiring strong passwords for Doxy.me. Regulators and lawmakers have shown a desire to address the privacy concerns raised by telehealth apps. In September, the Federal Trade Commission issued guidelines that would punish health applications for failing to tell consumers about the sharing of personal information without their permission. 

“As soon as you start sharing data, networks, there are some things that are out of your control and much of the responsibility here is on the ad networks themselves,” said Rykov, of the Mozilla Foundation. “They operate like a black box, we don’t really know what their algorithm is doing and what they’re capable of.” 

The problem raises broader concerns about data security in the telehealth industry. Google and Facebook use metadata gathered from throughout the web to categorize people into "audiences." Companies employ metadata collected across websites to construct audience groups, sometimes known as "lookalike" or "similar" audiences, to assist advertising customers target audiences they are attempting to reach. A marketing customer can then utilize this technique to increase the size of its own audience list. 

Such data sharing puts users in danger of being inadvertently grouped with other patients by Google and Facebook's advertising platforms, potentially providing sensitive information about a patient's condition to the companies' algorithms. Advertisers could therefore target individuals with adverts that were personalised to their specific medical issues.

California Pizza Kitchen Spilled 100K+ Employee SSNs in Data Breach

 

California Pizza Kitchen (CPK) data breach exposed the names and Social Security numbers (SSNs) of over 100,000 current and past workers.

According to a Data Breach Notification released on the Maine Attorney General's website, the "external system breach" happened on Sept. 15 at the popular U.S. pizza chain, impacting 103,767 people. CPK was formed in 1985 in Beverly Hills, California, and now has over 250 locations across 32 states. As per the statement, CPK identified suspicious behaviour in its computing environment on or about Sept. 15 and responded swiftly to mitigate and investigate the incident with third-party IT professionals. 

The company stated in the notice CPK sent to affected residents of Maine, “CPK immediately secured the environment and … launched an investigation to determine the nature and scope of the incident.” 

Following the notice, by Oct. 4, investigators had determined that some files on CPK's computers "could have been accessed without authorization." According to the company, by the end of the initial investigation on Oct. 13, it was evident that the breach had provided attackers with the names of previous and present employees, as well as their Social Security numbers. 

On Monday, Nov. 15, CPK notified all persons affected by the incident. According to the firm, there is no evidence that the information acquired has been misused by cybercriminals at this time. There have been no details released concerning the sort of breach that happened or how the attackers gained access to the system. CPK did not respond to Threatpost's request for comment on the incident right away.  

The firm is presently assessing existing security standards and has adopted additional measures – such as safeguards and employee training – to assist avoid future instances. 
 
Employee training, as per one security expert, is a critical component of preventing breaches like these, which are all too often at firms that have sensitive information on their networks but generally employ personnel who have no specialized expertise in how security breaches occur. 

Al-Khalidi, co-founder and co-CEO of security firm Axiad, stated in an email to Threatpost, “Every business like California Pizza Kitchen possesses valuable PII data which makes them a prime target for attackers. To help protect against attacks, enterprises need to ensure their employees practice good cybersecurity hygiene.” 

He believes that ongoing training may help reinforce a company's overall security defense by preventing employees from falling prey to phishing or other socially engineered assaults that can bring a whole IT system down.

Over 2.6 Million Data of Instagram and TikTok Users Exposed by Data Scrapers

 

Security researchers detected over two million social network user accounts scraped from the internet after they were unintentionally posted online by an analytics firm. 

Anurag Sen's team at reviews site SafetyDetectives discovered the data on a misconfigured Elasticsearch server that had been left accessible with no password security or encryption in place. It instantly traced the 3.6GB trove of over 2.6 million TikTok and Instagram accounts to IGBlade, a company that delivers marketing information on social media users to its clients. 

The researchers wrote, “The scraped data of users on the server is the same data that features each user’s corresponding IGBlade.com page, and the database often provides links back to IGBlade,” this is how we know the database belongs to IGBlade.com.” 

Although data scraping is not unlawful, and all of the user information in the leaked database was publicly available, it violates TikTok and Instagram's terms of service. The breach might also benefit cyber criminals, who can use the enormous amount of user information collected in one place to facilitate mass social engineering and fraud schemes. 

As per the report, the compromised data was publicly available online for more than a month before the research team discovered it and contacted IGBlade. The Romanian company obtained it on the same day, July 5. 

The database contained complete names and usernames, profile images, "about" information, email addresses, phone numbers, and geographical data. Celebrities such as Alicia Keys, Ariana Grande, Kim Kardashian, Kylie Jenner, and Loren Gray have all been caught up in the privacy issue. 

According to SafetyDetectives, the disclosure might find IGBlade in hot water with the two social media behemoths. Furthermore, if thieves had access to the trove, they might utilise it in subsequent phishing attempts and bulk robocalling frauds.  They might even utilise the collected profile pictures to build new bogus profiles for disinformation and fraud operations. 

SafetyDetectives stated, “Data scraping can make information for thousands or millions of users instantly accessible, as it’s all stored in the same place. For example, navigating logs in a database is a far quicker solution than navigating between each user on a social media site.” 

“In this case, cyber-criminals can use data scraping as a cybercrime accelerant rather than an enabler. It can accelerate the speed and scope of hackers’ criminal activities.”

Thingiverse, 3D Printing Site Suffered Data Breach

 

The Thingiverse website has suffered a data breach which resulted in the email addresses of nearly 228,000 users surfacing on black-hat crime websites. 

Have I Been Pwned (HIBP), whose administrator Troy Hunt was informed off to the breach's dissemination on the forums, published the 228,000 hacked email addresses to the site, which led to the news coming to notice. 

The 36 GB data cache, which was first disclosed in October 2020, is reported to contain unique email addresses as well as other information that might be used to identify people. Whereas these details have been floating around the internet for over a year, data breach notification service provider 'Have I Been Pwned' has now discovered proof that they are "extensively circulating within the hacking community." 

On Twitter, Hunt said that the leak had exposed more than two million email addresses. He clarified that the bulk of the email addresses were webdev+$username@makerbot[.]com, which looked to be generated by Thingiverse itself based on their structure. 

Thingiverse that hosts free-to-use 3D printer designs is managed by Makerbot, a 3D printing company that was previously featured on these web pages in 2015 when it announced layoffs despite failing to fulfill "ambitious goals" 

Hunt stated on Twitter that Makerbot was unresponsive to his private overtures, prompting him to go public in the hopes of persuading someone that the source of the hack should be closed down. 

"We became aware of and have addressed an internal human error that led to the exposure of some non-sensitive user data for a handful of Thingiverse users. We have not identified any suspicious attempts to access Thingiverse accounts, and we encouraged the relevant Thingiverse members to update their passwords as a precautionary measure. We apologize for this incident and regret any inconvenience it has caused users. We are committed to protecting our valued stakeholders and assets, through transparency and rigorous security management," Thingiverse told The Register. 

Amazon's Twitch Blames Server Error for Massive Data Leak

 

Twitch disclosed a massive data breach on Wednesday, attributing it to an "error in a Twitch server configuration change" that exposed certain data to the internet. 

The purportedly stolen material includes the source code for Amazon's streaming platform, reports on creator payments, and information regarding an unannounced Steam competitor from Amazon Game Studios. Twitch acknowledged the incident in a tweet on Wednesday. The firm will provide further information in a blog post later, stating that it is still trying to determine the entire scope of the event. 

The company wrote, "We have learned that some data was exposed to the internet due to an error in a Twitch server configuration change that was subsequently accessed by a malicious third party." 

"Our teams are working with urgency to investigate the incident." 

Twitch said there's no indication that login credentials were exposed. The streaming platform also said, "full credit card numbers are not stored by Twitch, so full credit card numbers were not exposed." 

Twitch's brief statement demonstrates that the company is in full crisis mode. IT professionals and security specialists are still attempting to determine the severity of the data breach. The attack was caused by a "server configuration" issue, according to the explanation. In other words, someone misconfigured the computers that contain Twitch's sensitive data, allowing hackers to discover and download it. 

The organization has not yet stated when this error occurred. Some of the stolen data dates back three years, so the computers might have been a victim for a while - or the error could have just left the door open for a few days or weeks. Attackers are always searching and analyzing the internet for open databases, and someone may likely have informed hackers about the internal IT mistake. 

Making these types of blunders, however, is costly, especially when the target is as large as Twitch. Numerous streamers informed BBC News that the payment data was correct for their own earnings and this poses issues for the firm. Candid Wuest from cyber-security company Acronis stated, "A lot more damage is now in store for Twitch. The breach is already harming Twitch on all the fronts that count." 

The leaked data "could contain nearly the full digital footprint of Twitch, making it one of the most severe data breaches of late." "Releasing payout reports for streaming clients will not make the influencers happy either," Mr. Wuest added. 

The download released online is also labeled "part one," implying that there may be more data to be published on the internet.

Private Details of 63,126 Health Employees Compromised in Navistar Data Breach

 

After four months of detailed analysis, US truck manufacturer Navistar has confirmed a data breach on its systems that exposed the details of 63,126 healthcare employees. 

Navistar straight away implemented its cybersecurity response program after learning of a data breach on May 20. The manufacturer also collaborated with third-party cybersecurity specialists to discover the nature and extent of the security breach. 

Ten days later, the American manufacturer received information regarding the exfiltration of data from its systems. In the first week of June, the healthcare provider filed 8-K papers with the US Security and Exchange Commission, alerting investors regarding the data breach. The notification generated press coverage about the incident from Reuters and other media outlets, as investigators continued to examine the impact of the incident.

The investigation into the data theft confirmed on August 20, 2021, that the stolen files contained the protected health information of present and former members of Navistar Health Plan and the Navistar Retiree Health Benefit and Life Insurance Plan. 

According to a statement by Navistar, the exfiltrated data possibly contained names, addresses, birth dates, and data linked with participation on the medical and insurance policies, which might have contained certain health-related data like the names of healthcare providers and prescription medications. 

The stolen private details are commonly used and traded by attackers because it offers a means to run more convincing phishing scams and to apply for fraudulent lines of credit under false names, researchers explained.

Navistar claimed it has strengthened the security after the data breach, which includes using the latest technologies and performing additional training for the employees. Security controls will still be assessed and kept up to date as necessary to avoid further disruptions. 

Earlier in July, Navistar sent notification letters to the victims to advise them regarding the data breach. The company is also providing a 2-year free membership to credit monitoring and identity theft protection services to persons whose Social Security number was affected in the attack.

Additionally, the healthcare provider sent the breach report to the Maine Attorney General suggesting that 63,126 persons were affected. The breach report was also submitted to the Department of Health and Human Services’ Office for Civil Rights stating that 49,000 plan members’ PHI was exposed.

Payment API Flaws Exposed Millions of Users’ Data

 

Researchers discovered API security flaws impacting several apps, potentially exposing the personal and financial information of millions of consumers. 

According to CloudSEK, around 250 of the 13,000 apps published to its BeVigil "security search engine" for mobile applications utilize the Razorpay API to conduct financial transactions. 

Unfortunately, it was discovered that about 5% of these had disclosed their payment integration key ID and key secret. This is not an issue in Razorpay, which caters over eight million businesses, but rather with how app developers are misusing their APIs.

Many of the applications exposing API keys have over a million downloads, including those in health and fitness, eCommerce, travel and hospitality, healthcare, and pharma. The applications are based in India, where CloudSEK is also situated. Here is a list of the applications that are affected:
  • One of India’s leading steel trading companies
  • Online grocery app 
  • Nepalekart (Instant Recharge to Nepal): Now remediated 
  • Top education app in south India 
  • Gold merchant 
  • Health app 
The company explained, “When it comes to payment gateways, an API key is a combination of a key_id and a key_secret that are required to make any API request to the payment service provider. And as part of the integration process, developers accidentally embed the API key in their source code. While developers might be aware of exposing API keys in their mobile apps, they might not be aware of the true impact this has on their entire business ecosystem.” 

“CloudSEK has observed that a wide range of companies — both large and small — that cater to millions of users have mobile apps with API keys that are hardcoded in the app packages. These keys could be easily discovered by malicious hackers or competitors who could use them to compromise user data and networks.” 

The compromised data might include user information such as phone numbers and email addresses, transaction IDs and amounts, and order and refund details. 

Furthermore, since similar apps are typically linked with other programmes and wallets, CloudSEK cautioned that much more could be at risk. 

According to the organization, malicious actors may utilise the leaked API information to execute mass purchases and subsequently start refunds, sell stolen information on the dark web, and/or conduct social engineering operations such as follow-up phishing campaigns. 

All ten of the compromised APIs have now been disabled. Nonetheless, CloudSEK encouraged developers to consider the possible effect of such vulnerabilities early in the development process.  

This is due to the fact that invalidating a payment integration key would prevent an app from functioning, resulting in substantial user friction and financial loss. 

CloudSEK concluded, “Given the complexities of regenerating API keys, payment providers should design APIs such that, even if the key has not been invalidated, there are options to minimize the permissions and access controls of a given key.” 

“App developers should be given a mechanism to limit what can be done using a key at a granular level, like AWS does. AWS has put in place identity and access management (IAM) policies that can be used to configure the permissions of every operation on an S3 bucket. This practice should be more widely adopted to minimize what threat actors can do with exposed API keys.”

UN Computer Networks Breached by Hackers Earlier This Year

 

Hackers breached the United Nations' computer network and stole data, according to researchers at cybersecurity firm Resecurity, 

According to Bloomberg, the theft's unknown perpetrators appear to have acquired access by simply stealing login credentials from a UN employee. 

Logging into the employee's Umoja account provided access. The enterprise resource planning system Umoja, which means "unity" in Kiswahili, was deployed by the United Nations in 2015. The login and password used in the cyber-attack are believed to have been obtained from the dark web. 

Gene Yoo, chief executive officer at Resecurity, stated, “Organizations like the UN are a high-value target for cyber-espionage activity. The actor conducted the intrusion with the goal of compromising large numbers of users within the UN network for further long-term intelligence gathering.” 

Researchers discovered that hackers initially gained access to the UN's networks on April 5, 2021, and that network breaches lasted until August 7. Based on the findings, the attackers did not seem to have harmed or disrupted the UN's computer network. Instead, the hackers seem to have been motivated by a desire to gather information. 

After reporting the security issue to the UN, Resecurity stated it worked with the UN's security team to evaluate the extent of the intrusion. While the UN claims that the assault was a reconnaissance operation by hackers who just captured screenshots of the organization's vulnerable network. The breach resulted in the theft of data, as per the Resecurity experts. 

The UN discontinued interacting with Resecurity, according to Yoo, when proof of data theft was provided to the organization. 

Hackers have previously attacked the United Nations and its agencies. In 2018, Dutch and British law enforcement prevented a Russian cyberattack on the Organisation for the Prohibition of Chemical Weapons (OPCW), which was investigating the deployment of a lethal nerve agent on British territory. 

According to a Forbes article, the UN's "core infrastructure" was hacked in a cyberattack in August 2019 that targeted a known flaw in Microsoft's SharePoint platform. The breach was not made public until the New Humanitarian newsgroup published the news. 

In the context of the latest breach, UN spokesman Farhan Haq told DailyMail.com, “This attack had been detected before we were notified by the company cited in the Bloomberg article, and corrective actions to mitigate the impact of the breach had already been planned and were being implemented.” 

“At that time, we thanked the company for sharing information related to the incident and confirmed the breach to them.” 

Haq added that the United Nations is often targeted by cyber-attacks, including sustained campaigns.

Autodesk Disclosed it was Targeted in SolarWinds Hack

 

Autodesk has disclosed that it was also targeted by the Russian state hackers behind the large-scale SolarWinds Orion supply-chain assault, nearly nine months after finding that one of its servers had been compromised with Sunburst malware. 

It is an American multinational software corporation that makes software products and services for the architecture, engineering, construction, manufacturing, media, education, and entertainment industries. 

In a recent 10-Q SEC filing, Autodesk stated, "We identified a compromised SolarWinds server and promptly took steps to contain and remediate the incidents." 

"While we believe that no customer operations or Autodesk products were disrupted as a result of this attack, other, similar attacks could have a significant negative impact on our systems and operations." 

While the company went on to state that there was no additional damage to its systems, the company's announcement of the breach in its most recent quarterly results serves as a reminder to the world of how widespread the SolarWinds supply chain breach was. 

An Autodesk spokesperson told BleepingComputer that the attackers did not deploy any other malware besides the Sunburst backdoor, likely because it was not selected for second stage exploitation or the threat actors didn't act quickly enough before they were detected. 

The spokesperson stated, "Autodesk identified a compromised SolarWinds server on December 13. Soon after, the server was isolated, logs were collected for forensic analysis, and the software patch was applied. Autodesk’s Security team has concluded their investigation and observed no malicious activity beyond the initial software installation." 

One of 18000 tech firms targeted in a large-scale cyber attack

SolarWinds' infrastructure was hacked as a result of a supply-chain assault conducted by the Russian Foreign Intelligence Service's hacking division (aka APT29, The Dukes, or Cozy Bear). 

The attackers trojanized the Orion Software Platform source code and build issued between March 2020 and June 2020 after obtaining access to the company's internal systems. These malicious builds were then used to deploy the Sunburst backdoor to around 18,000 clients, but fortunately, the threat actors only chose a small number of people for second-stage exploitation. 

Before the assault was revealed, SolarWinds stated to have 300,000 clients globally, including over 425 US Fortune 500 firms and all top 10 US telecom corporations. 

A long list of government agencies was also among the company's clients (the US Military, the US Pentagon, the State Department, NASA, NSA, Postal Service, NOAA, the US Department of Justice, and the Office of the President of the United States). 

The US Department of Justice was the latest US official agency to reveal that during last year's SolarWinds global hacking spree, 27 US Attorneys' offices were compromised. 

Although Autodesk was not the only big corporation attacked in the SolarWinds breach, other companies such as Cisco, VMware, Intel, and Nvidia revealed similar issues in December.  

Chinese Android Game Developer Exposes Data of Over 1 Million Gamers

 

The Chinese developers of famous Android gaming applications exposed user information via an unprotected server. As per the report shared by vpnMentor's cybersecurity team, headed by Noam Rotem and Ran Locar, identified EskyFun as the owner of a 134GB server exposed and made public online.

Rainbow Story: Fantasy MMORPG, Adventure Story, The Legend of the Three Kingdoms, and Metamorph M are among the Android games developed by EskyFun. 

According to the team on Thursday, the users of the following games were included in the data leak and altogether they have over 1.6 million downloads combined: 
-Rainbow Story: Fantasy MMORPG
-Metamorph M
-Dynasty Heroes: Legends of Samkok u 

According to the researchers, the supposed 365,630,387 records included data from June 2021 onwards, exposing user data gathered on a seven-day rolling basis. 

As per the team, when their software is downloaded and installed, the developers impose aggressive and highly troubling monitoring, analytics, and permissions settings, and as a consequence, the variety of data gathered was considerably more than one would imagine mobile games to need. 

The records constituted IP and IMEI data, device information, phone numbers, the operating system in use, mobile device event logs, whether or not a smartphone was rooted; game purchase and transaction reports, email addresses, EskyFun account passwords, and support requests. 

vpnMentor estimates that up to or more than, one million users' information may have been compromised. 

On July 5, the unprotected server was detected, and EskyFun was approached two days later. However, after receiving no answer, vpnMentor tried again on July 27. 

Due to the continued inaction, the team was forced to contact Hong Kong CERT, and the server was safeguarded on July 28. 

The researchers commented, "Much of this data was incredibly sensitive, and there was no need for a video game company to be keeping such detailed files on its users. Furthermore, by not securing the data, EskyFun potentially exposed over one million people to fraud, hacking, and much worse."

Reindeer Leak Personal Data of 3,00,000 Users In A Breach

 

WizCase's cybersecurity group discovered a prominent breach impacting Reindeer, an American marketing company that previously worked with Tiffany & Co., Patròn Tequila, and other companies. Led by Ata Hakçil, the group revealed that the breach leaked customer names, DOB, email ids, phone numbers, address, etc. The cybersecurity experts found a misconfigured Amazing S3 bucket that belonged to Reindeer.

It contained around 50,000 files and a total of 32 GB of data. Reindeer is currently a defunct American advertising company. Being a defunct company, it owns the bucket, so researchers had to contact Amazon for information about the breach as it is the only source that could provide details about the attack. The team also informed US-Cert, in hopes that it would contact the previous company owner. The misconfigured S3 bucket contained data of around 3,00,000 customers of Reindeer clients. Patròn was the top client with the highest number of customer PII (Personal Identifiable Information) leaked, however, other Reindeer clients were also affected, such as Jack Wills, a UK clothing brand. It seems that it has become an easy task to misconfigure permission/access errors in cloud-based deployments. 

The companies that are set to work on cloud-based platforms should have a robust cybersecurity system that keeps an eye on such breaches and informs about any potential error in the cloud infrastructure. The leaked information contains details of around 3,60,009 customers and profit photos of 1400 users. PPI include customer names, address, DOB, e-mail ids, Facebook Ids, and hashed passwords. As per the experts, 35 countries' users were included in the breach, the top three being Canada, the US, and Britain, having around 2,80,000 affected users. 

"The leaked data dates from May 2007-February 2012. The public cloud brings a whole host of new issues to which organizations are still adapting. The case of the Reindeer breach raises serious questions about the shared responsibility model and certainly highlights the need for a layered defense. When it comes to PaaS services, like S3, organizations must implement network-based access controls and apply security policies to protect against sensitive data exfiltration,” said Valtix CEO Douglas Murray.

Personal Information of 2,000 FOID Cardholders Compromised in ISP Website Breach

 

The Illinois State Police are notifying Firearm Owners Identification cardholders regarding a possible data breach after attackers attempted to breach the agency's Police FOID card portal.

According to ISP officials, the personal information of about 2,000 FOID cardholders, or about .0008% of the total number of FOID cardholders in the state, may have been compromised in the attempted hack. Those people will be contacted, the agency said in a news release.

“The software vendor determined that using previously stolen personal data to access existing accounts, unauthorized users may or may not have accessed additional “auto-populated” personal identifiers unique to that account and card such as the last four of a social security number. 2,067 FOID card holders, less than .0008 % of total cardholders, were possibly impacted by these attempts. In accordance with state law and out of an abundance of caution, all affected persons were sent a notice and issued a new card at no cost, according to the news release.

The ISP has strengthened its online security requirements and is limiting the use and access of personal information that FOID card applicants submit in their online FOID account that could match Illinois resident personal identification information unlawfully obtained from any number of previous cyber breaches. The personal information did not come from their systems and servers, ISP officials said after an investigation. 

The FOID website software vendor, working with ISP, recently determined unauthorized persons were attempting to use this type of previously unlawfully obtained personal information to match with and access existing FOID online account information to add further detail to their existing stolen data, the release read. 

The site is back online and is accepting applications. The residents who want to buy and own firearms and ammunition possess a Firearm Owners Identification card issued by Illinois State Police. For more than 18 months, the state has been delayed in processing applications for the required ID, with many waiting months, the agency said. 

“I’d rather there not be a database somewhere of gun owners and their addresses. It doesn’t take that much imagination to figure out how that information can be used in ways that increase the risk to those persons,” Cybersecurity consultant John Bambenek said while raising questions regarding cybersecurity.

WhatsApp CEO: US Allies' National Security Officials Targeted with NSO Malware

 

According to WhatsApp CEO Will Cathcart, governments used NSO group malware to target high-ranking government officials all around the world. 

Cathcart addressed the spyware assaults discovered by the Project Pegasus inquiry with The Guardian, noting they are similar to a 2019 attack against 1,400 WhatsApp users. 

Cathcart added, “The reporting matches what we saw in the attack we defeated two years ago, it is very consistent with what we were loud about then. This should be a wake-up call for security on the internet … mobile phones are either safe for everyone or they are not safe for everyone.” 

NSO Group's military-grade spyware is suspected of being utilized against heads of state, cabinet members, activists, and journalists. Over 50,000 phone numbers have been leaked from the Pegasus project's central breach. The inclusion of a person's phone number on the list, however, does not always indicate that they were efficiently targeted, according to The Guardian. 

The leak is said to have included French President Emmanuel Macron, although NSO denies that none of its clients targeted Macron. The IT company also stated that the reported 50,000 figure was overstated. 

Cathcart, on the other hand, tried to refute this portrayal, stating that his firm had documented a two-week-long attack in 2019 that affected 1,400 customers. He added, “That tells us that over a longer period of time, over a multi-year period of time, the numbers of people being attacked are very high. That’s why we felt it was so important to raise the concern around this.” 

According to The Guardian, WhatsApp lodged a lawsuit against NSO in 2019, saying that the corporation had transmitted malware to its customers' phones. NSO, an Israeli firm, argued that the responsibility should be put on its customers who are the foreign government. 

“NSO Group claims that a large number of governments are buying their software, that means those governments, even if their use of it is more controlled, those governments are funding this," Cathcart stated. "Should they stop? Should there be a discussion about which governments were paying for this software?” 

The NSO spokesperson told The Guardian, "We are doing our best to help to create a safer world. Does Mr. Cathcart have other alternatives that enable law enforcement and intelligence agencies to legally detect and prevent malicious acts of pedophiles, terrorists, and criminals using end-to-end encryption platforms? If so, we would be happy to hear."