07 Jul Cybercrime Diary, Vol. 5, No. 2: Who’s Hacked? Latest Data Breaches And Cyberattacks
Hackers attack WhatsApp, Honda, Nintendo, while Google, Equifax settle for millions
Sausalito, Calif. – Jun. 30, 2020
COVID-19 stoked online criminal activity during the year’s second quarter. Meanwhile, unprotected online databases exposed the personal information of millions, and cyber thieves raked in big bucks by bilking Uncle Sam’s unemployment system and scamming Norway’s state-fund for helping out developing nations.
Jun. 30. Unity Point Health in Iowa agrees to $2.8 million settlement with 1.4 million patients and employees affected by two data breaches in 2017 and 2018. In addition to credit monitoring and identity theft protection services, affected parties can receive up to $6,000 for extraordinary expenses.
Jun. 28. vpnMentor reveals an improperly secured database belonging to OneClass, a tool that allows students to share class notes and study guides, has exposed the information of more than one million students. Information exposed includes full names and email addresses, phone numbers, and course enrollment details.
Jun. 28. Tusla, a child family agency in the United Kingdom, is fined 40,000 euros by the country’s Data Protection Commission for sending a letter detailing allegations of abuse to a third party who posted it to social media. The fine is the second issued since the European’s Union General Data Protection Regulation took effect in 2018. The commission’s first fine of 75,000 euros was also imposed on Tusla.
Jun. 26. vpnMentor, a cybersecurity research company, reveals inadequately secured Amazon Web Services data storage bucket has exposed to the public internet 4,000 voice recordings captured by the domestic violence and abuse prevention software Aspire News App. Information in the exposed recordings includes victims’ full names and home addresses, details of their emergencies or personal circumstances, and abusers’ names and personal details.
Jun. 25. Privacy commissioners of Canadian provinces of Ontario and British Columbia issue report finding LifeLabs, the country’s largest group of medical laboratories, failed to protect the personal health information of 15 million Canadians during a data breach last year. They say that the provider, by failing to provide reasonable data safeguards, violated Ontario’s and B.C.’s health privacy laws.
Jun. 25. Researchers at Risk Based Security reveal a data thief has compromised Preen.me and is threatening to release on the public internet personal information on more than 100,000 affiliated influencers. Information obtained by the bandit includes social media links, email addresses, names, phone numbers, and home addresses. Earlier in the month, the same threat actor released social media links and personal information of more than 250,000 users of the website’s ByteSizedBeauty app.
Jun. 25. In a letter to U.S. House Judiciary Committee Chairman Jerry Nadler, D-N.Y., the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency warns that police departments that use drones made by DJI, a company located in China, run the risk of having any data collected by the unmanned aircraft compromised. The agency says any data gathered by the drones should be considered at risk and be protected from inadvertent disclosure.
Jun. 23. Kod.ru, a Russian-language tech publication, reports that personal data of millions of users of the Telegram mobile messaging app is up for sale on the dark web. Telegram tells the publication the information posted to the internet is mostly outdated, with 84 percent of it collected before mid 2019. The maker of the app also explains that the data was collected by exploiting the app’s contacts import feature at registration.
Jun. 22. Krebs on Security reports “hundreds of thousands” of potentially sensitive files from police departments across the United States have been made available online at a public, searchable website. It says the collection, known as BlueLeaks, resulted from a data breach at a Texas web design and hosting company that maintains a number of state law enforcement data-sharing portals. It adds that the data dump is the latest release from Distributed Denial of Secrets, a WikiLeaks-like publisher of caches of secret data.
Jun. 21. Jakarta Post reports a data thief using the handle Database Shopping is offering on the data-exchange platform Raid Forums a government database of 230,000 people who have undergone COVID-19 testing. Data sets in the database include names, addresses, ages, and nationalities of the patients undergoing COVID-19 testing at several hospitals in Bali, as well as the kinds of tests taken by individuals.
Jun. 19. The Council of State, France’s highest administrative court, rejects appeal by Google of $56 million fine for not being sufficiently clear and transparent with Android users about their data protection options. The penalty was imposed on Google under the General Data Protection Regulation by France’s National Data Protection Commission.
Jun. 19. Security researcher Anurag Sen finds inadequately secured online database belonging to BlueKai, a web tracking company owned by Oracle, has exposed billions of records containing personal data to the public internet. According to TechCrunch, data leaking from database includes names, home addresses, email addresses and other identifiable data, as well as users’ web browsing activity, from purchases to newsletter unsubscribes.
Jun. 18. U.S. Justice Department announces arrest of Justin Sean Johnson, 29, who allegedly stole personal identifying information of 65,000 employees from the human resources databases belonging to the University of Pittsburgh Medical Center in 2014. It adds that Johnson allegedly sold the stolen data on the dark web, which resulted in $1.7 million in false tax refunds being issued by the IRS.
Jun. 15. Claire’s, a jewelry and accessories retailer, reveals an unknown number of its online customers have had their credit card information stolen in a Magecart attack. It says the attack affected only online business and not its retail stores.
Jun. 15. Foodora, which is owned by online food delivery service Delivery Hero, reveals data breach affecting customer data from 2016. It says data includes some 480,000 unique email addresses as well as certain customer details, including encrypted password hashes, name, first name, delivery address, and phone number.
Jun. 15. Postbank, a financial institution in South Africa, announces it is replacing 12 million bankcards after insiders stole the bank’s master key during a data center move. The employees used the key to steal some $3.35 million from beneficiaries who receive social grants every month. The institution estimates the cost of replacing the cards to be $58.7 million. It has not said if grant beneficiaries will be reimbursed for their losses.
Jun. 11. Northern District of California gives preliminary approval of $7.5 million settlement of class-action lawsuit against Google stemming from data leaks caused by software bugs in its now-defunct Google+ social network. Consumer plaintiffs allege two 2018 data leaks exposed personal data of up to 500,000 users to third-party developers.
Jun. 9. Fitness Depot, Canada’s largest fitness equipment retailer, reveals a security incident has exposed to cybercriminals personal information of an undisclosed number of customers. Data includes customers’ names, home addresses, email addresses, telephone numbers, and numbers of credit cards used in transactions. It says customer info was captured by the data thieves by redirecting customers to a bogus form posted to the company’s website.
Jun. 9. TechCrunch reports that WhatsApp, a popular messaging app, has fixed a problem that allowed the phone numbers of some users to appear in Google search results. It explains a feature called Click to Chat allows users to create a short URL that allows phone numbers to be shared without going through the process of adding a phone number to the program’s contact list. Those URLs were showing up in search results, exposing the phone numbers on the internet. WhatsApp has directed Google and other search engines not to index the URLs so they won’t appear in search results anymore.
Jun. 9. Japanese carmaker Honda confirms a cyberattack has disrupted its operations. It says it is having problems accessing servers, email, and other internal systems, and that production systems outside of Japan are also affected. It adds that it expects the event to have a minimal impact on its business.
Jun. 9. Game maker Nintendo revises number of people affected by data breach, saying an additional 140,000 Nintendo Network IDs were compromised. It also notifies affected users about the breach and resets their passwords. Initially, the company announced 160,000 accounts were breached.
Jun. 9. Federal Judge in Alabama allows Macy’s to settle class-action lawsuit over data breach in 2018 for $192,500. During the breach, a number of Macy’s accounts were compromised by a threat actor with valid credentials for the accounts. Macy’s contends the credentials were obtained from a source other than the retailer.
Jun. 6. Bleeping Computer reports a data thief calling themselves John Wick and Korean Hackers claim to have stolen data from ZEE5, an Indian streaming service with 150 million subscribers, and are threatening to sell the data on the dark web. In addition to the source code for ZEE5’s software, the threat actors say the customer data they have includes recent transactions, passwords, emails, mobile numbers, email addresses, and messages.
Jun. 6. Cybersecurity firm Cyfirma reports 1.5 terabytes of data was stolen from VT San Antonio Aerospace, a U.S. subsidiary of ST Engineering Aerospace, of Singapore. It says stolen data includes contract details with governments, including Peru and Argentina, government-related organizations, including NASA, and air carriers, including American Airlines. Although discovered in June, Cyfirma believes the breach could have started as early as March.
Jun. 5. Equifax agrees to pay $5.5 million to settle lawsuit brought by the Credit Union National Association and stemming from data breach in 2017 that exposed personal information of more than 145 million consumers and 209,000 credit card numbers. In addition to the $5.5 million, Equifax has agreed to spend $25 million to enhance its data security and comply with PCI security standards.
Jun. 4. Bleeping Computer reports Maze ransomware operators claim at their data leak website that they breached in May the computer network of Conduent, a $4.47 billion IT services company, and stole unencrypted files and encrypted devices on the network. It says Conduent confirmed it suffered a ransomware attack on May 29 that affected its services for about 10 hours.
Jun. 4. San Francisco Employees’ Retirement System announces data breach at a third-party provider could affect some 74,000 members. It says a test server at the provider, 10up, was accessed by an unauthorized party and while there is no evidence any data was removed, it can’t be confirmed if any data was viewed or copied. It adds data potentially compromised did not include Social Security or bank routing numbers.
Jun. 2. Citrix Systems, a multinational software company, agrees to pay nearly $2.3 million to settle lawsuit stemming from data breach that resulted in theft of information on 24,000 current and former employees. Final court approval of the settlement is pending.
Jun. 1. Researchers at vpnMentor discover improperly secured Amazon data storage bucket belonging to 8Belts, an e-learning platform, has exposed online private data of hundreds of thousands of its users. They say that after they alerted 8Belts of the problem, it was fixed.
Jun. 1. Researchers at vpnMentor discover improperly secured Amazon data storage bucket belonging to the Bharat Interface for Money app, a mobile payment app, exposed online more than seven million records dating back to February 2019. Data exposed includes all information needed to open an account with the app — scans of Ardaar cards (India’s national ID cards), Caste certificates, professional and educational certificates, photos used as proof of residence, Permanent Account Number cards associated with Indian income tax services, and screenshots captured within financial and banking apps used as proof of fund transfers. The researches say the problem was fixed after they contacted India’s CERT.
May 30. Amtrak reveals an unauthorized third party, using previously compromised account usernames and passwords, accessed an undisclosed number of user accounts and may have viewed some personal information stored for its Guest Rewards program. It says all passwords have been reset on the affected accounts.
May 26. Have I Been Pwned, a data breach indexing service, posts database containing email addresses, passwords, and usernames for 26.4 million accounts belonging to LiveJournal, an online blogging platform. Although the theft of the database has been rumored for years, HIBP’s action appears to confirm a data breach at the platform, which HIBP says happened in January 2017.
May 25. Virginia U.S. Magistrate Judge John Anderson rules Capital One must allow plaintiffs in a lawsuit stemming from a 2019 data breach to see forensic report prepared by Mandiant, a cybersecurity firm, about the incident. According to CyberScoop, the ruling is signficant because in future breach cases, it could give plaintiffs additional leverage to obtain higher payouts.
May 23. Cybersecurity consultant Rajshekhar Rajaharia claims personal data of some 3.5 million users of Zoomcar, a self-driving car rental company, is up for sale on the dark web. He says data includes names, email IDs, passwords, mobile numbers, and IP addresses. Zoomcar disputes the authenticity of the data, saying all data used by the service is strongly encrypted, making it impossible to access.
May 22. The New York Times reports a sophisticated international fraud ring is using detailed information about U.S. citizens that may have been obtained from past data breaches to siphon millions of dollars in payments intended for unemployed Americans. Citing a U.S. Secret Service memo, the Times says there is information suggesting the scam is originating from a well-organized fraud ring and could result in losses of hundreds of millions in dollars.
May 22. Researchers at Cyble report finding cache of data on the dark web exposing personal details of 29 million Indian job seekers. They say the data leak appears to be from a resume aggregator collecting data from known job portals.
May 22. ZDNet reports a cybercriminal group known as ShinyHunters is selling on the dark web more than 25 million emails and passwords stolen from Mathway, a popular application for solving math problems. It says the asking price for the data is the equivalent of $4,000 in digital money. In response to the data breach, Mathway is notifying all affected customers of the incident and resetting passwords for all accounts.
May 20. Home Chef, a meal kit and food delivery service based in the United States, confirms data breach in which eight million user records were stolen. The records have been spotted for sale on the dark web for $2,500 by a hacking group calling itself ShinyHunters.
May 19. Researchers at Safety Detectives discover personal information of nearly 192 million customers of Natura, one of Brazil’s largest cosmetic companies, was exposed online due to two improperly secured Amazon servers. After being alerted by the researchers, the company secured the servers and removed them from public view.
May 19. EasyJet, the UK’s largest airline, announces an online intruder has accessed the travel details of nine million of its customers. It adds another 2,200 customers had their credit card details accessed, and the matter has been reported to the UK’s Information Commissioner’s Office.
May 18. Bleeping Computer reports a database containing 129 million records of car owners in Moscow is being offered for sale on the dark web. It says non-exclusive access to the data is being sold for the digital money equivalent of $2,900 and exclusive rights for $14,500.
May 15. Stop & Shop, a regional supermarket chain, announces credit card shimmers were discovered at five of its stores, three in New Jersey and one each in Massachusetts and Connecticut. Shimmers are used by thieves to steal credit card information when cards are swiped through a terminal. The company says it has removed the devices from the stores and reviewed security camera footage to determine who installed the devices and how long they were active.
May 14. Bleeping Computer reports a data thief is selling on the dark web 29 databases containing some 550 million records. The databases range in age from 2012 to 2019 and include data from Evite, Tokopedia, and Dubsmash. BC notes that many of the databases include millions of cracked passwords, which make them easier to use in credential stuffing attacks.
May 13. Norfund, Norway’s state-owned investment fund for developing countries, announces online criminals managed to bilk the organization of $10 million through a business email compromise attack. It says the criminals were able to falsify and manipulate information between the fund and one of its borrowers so the money intended for the borrower was diverted to an account in Mexico controlled by the bandits.
May 11. Krebs on Security reports ransomware attack at Diebold Nixdorf, a major provider of ATMs and payment technology to banks and retailers, disrupted some of the company’s operations. The company says the attack affected only its corporate network and not its ATM or customer networks.
May 10. Police and council chiefs in the UK reveal details on 8.6 million car journeys were exposed online in an inadequately secured database. Records in the database included information on vehicle movements tracked through a network of number plate recognition cameras. Britain’s Information Commissioner is investigating the snafu.
May 9. Variety reports ransomware attack at the law firm of Grubman Shire Meiselas & Sacks has compromised 756 gigabytes of data on dozens of celebrities. Information includes contracts, nondisclosure agreements, phone numbers and email addresses, and personal correspondence. Celebrities potentially affected by the breach include Lady Gaga, Madonna, Nicki Minaj, Bruce Springsteen, Mary J. Blige, Ella Mai, Christina Aguilera, Mariah Carey, Cam Newton, Bette Midler, Jessica Simpson, Priyanka Chopra, Idina Menzel, HBO’s “Last Week Tonight With John Oliver,” and Run DMC.
May 8. ZDNet reports a database belonging to MobiFriends, a mobile dating app, containing personal details of 3.68 million users is being shared on numerous online forums, in some cases as a free download. It says the database includes email addresses, mobile numbers, dates of birth, gender information, usernames, and app/website activity. Also included in the data are passwords weakly hashed with MD5, which can be easily cracked.
May 8. Cognizant, an IT services provider, reveals ransomware attack in April will reduce revenues for its quarter ending in June by $50 million to $70 million. It adds that it expects the incident to incur additional and unforeseen legal, consulting, and other costs associated with the investigation, service restoration, and remediation of the attack.
May 8. TechCrunch reports data breach at a public-facing server operated by the Justice Department has exposed the personal information of 387,000 current and former prisoners of the U.S. Marshalls Service. Citing a letter from Justice to the Marshalls Service, TechCrunch notes compromised data may have included names, addresses, dates of birth, and Social Security numbers of the affected individuals.
May 7. The Checkers and Rally drive-in food chain settles lawsuit stemming from payment card security incident that affected 1.5 million transactions between September 2016 and April 2019. Under the proposed settlement, affected customers may receive a $20 voucher redeemable at any of the chain’s outlets and up to $5,000 in documented out-of-pocket expenses. Named plaintiffs in the case receive $2,500 each and attorneys’ fees were $575,000.
May 7. Hackread.com reports data breach at StorEny, an online store building and social marketplace, has exposed personal details of 1.5 million customers and merchants. It says the data is available as a free download at an online hacker forum.
May 3. Researcher GreenTheOnly reveals electric car maker Tesla doesn’t erase personal data from media control units and autopilot hardware it replaces. He says he found owners’ personal data on four units he purchased on eBay. Information discovered on the units included owner’s home and work location, all saved Wi-Fi passwords, calendar entries from the phone, call lists and address books from paired phones, and Netflix and other stored session cookies.
May 3. Researchers at Cyble discover database belonging to Unacademy, one of India’s largest online learning platforms, and containing information on nearly 22 million accounts being sold on the dark web for $2,000. Data includes usernames, SHA-256 hashed passwords, date joined, last login date, email addresses, first and last names, and whether the account is active, a staff member, or a superuser.
May 1. Researcher Anurag Sen discovers online database containing data from COVID-19 symptom checker app made by Jio, India’s largest cell phone network, exposed on the internet. Among the millions of logs and records in the database is self-test data by people using the app. Jio took the database offline immediately after learning of the problem.
Apr. 29. UK House of Lords suspends online broadcasting of its proceedings after discovering personal phone numbers were being aired online. During previous day’s sessions, member’s cell phone numbers were being read out online as they left the Microsoft Teams session linked to the proceedings.
Apr. 22. Researcher Anurag Sen finds inadequately secured database belonging to Paay, a card payment processor based in New York, exposes 2.5 million card transactions on the internet. Paay pulls database offline after it’s informed of the problem.
Apr. 21. Researchers at Cyble reports database containing 267 million Facebook profiles is being sold on the Dark Web for $623. It says the database contains user details that can be used for phishing or spamming.
Apr. 18. ZDNet reports 23 million username and password pairs belonging to users of Webkinz World, one of the most successful children’s games of the past decade, have been posted on an online hacker forum. It says the information, which includes passwords encrypted in the MD5-Crypt algorithm, was in a one-gigabyte file uploaded to the web. It adds that the threat actor gained access to the data through an SQL injection vulnerability in one of the site’s forms. Ganz, the Canadian toy company that manages the game, says it has fixed the problem and increased security at the site.
Apr. 15. FBI announces rise in cybercrimes reported to its Internet Crime Complaint Center since the beginning of the COVID-19 pandemic. It says IC3 is receiving from 3,000 to 4,000 complaints a day compared to 1,000 a day before the start of the pandemic.
Apr. 9. U.S. Securities and Exchange Commission settles case with David Kwon and Igor Sabodakha, two traders who allegedly profited from trading on nonpublic corporate earnings information hacked from the SEC’s EDGAR system. Under the settlement, the pair are enjoined from violating the antifraud provisions of the securities laws. In addition, Kwon agreed to pay $165,474 in disgorgement, representing the profits from his illegal trades, and $16,254 in prejudgment interest. The settlement reserves the issue of a civil penalty for Kwon for further determination by the court upon a motion of the SEC. Sabodakha agreed to disgorge $148,804 in profits from his illegal trades, including trades he conducted in the account of his wife, Victoria Vorochek, with prejudgment interest of $20,945. Sabodakha also agreed to pay a civil penalty of $148,804. The SEC will move to dismiss the charges it had filed against Vorochek. The settlement agreements are subject to court approval.
Apr. 9. South Korea’s Seoul Metropolitan Police Agency announces arrest of two people suspected in hacking the phones of celebrities, including international star Joo Jin-mo. It says eight celebrities were targeted by the hackers, who blackmailed them for money. It adds five of the celebrities paid the cybercriminals some $505,176.
Apr. 2. Researchers at vpnMentor find unprotected Amazon storage bucket belonging to Key Ring, a popular smartphone app, exposes 44 million records on the Internet. Data found by the researchers in the records included driver licenses, government IDs, medical insurance cards, medical marijuana ID cards, credit cards, and even NRA club membership cards. Researchers add that in addition to the unprotected bucket, they found four other open Key Ring databases exposing different sets of data.
John P. Mello, Jr. is a freelance writer specializing in business and technology subjects, including consumer electronics, business computing and cyber security.