Another week, another few million items of personal information exposed. It’s not getting better yet, cybercriminals are hard at work attacking company systems and companies still appear to be making errors that expose the data of their customers.
There is light at the end of the cybersecurity tunnel
Cybersecurity experts are working just as hard to improve defences and protect systems. There is a growing appreciation for the need for every individual and employee to have security awareness in order to join the fight against cybercrime and data breaches. A culture of cybersecurity is a recognised strategy, combined with technology and stringent processes, to identify, deflect, and deal with cyber threats and protect data.
Let’s look at this past week’s data breaches and what we can learn from them.
MIXCLOUD, UK, 20 MILLION RECORDS AFFECTED
UK-based audio streaming service Mixcloud has seen the data from 20 million, and potentially up to 22 million, user accounts put up for sale on the dark web, as per reports by TechCrunch.
On November 30, Mixcloud published a statement and “security notice,” saying:
“We received credible reports this evening that hackers sought and gained unauthorized access to some of our systems.”
The streaming company adds that “the incident” involves email addresses, IP addresses, and “securely encrypted passwords.” And, that “the majority of Mixcloud users signed up via Facebook authentication, in which cases we do not store passwords.” The company also declares that it does not store full credit card numbers or mailing addresses. Mixcloud adds:
“The passwords that Mixcloud does store are encrypted with salted cryptographic hashes to ensure that they are extremely difficult to unscramble. This means that they are unlikely to be decrypted by hackers.”
TechCrunch, reported the breach on November 29, saying it was alerted by a dark web data seller and writing that:
“The data breach happened earlier in November, according to a dark web seller who supplied a portion of the data to TechCrunch, allowing us to examine and verify the authenticity of the data.”
TechCrunch says the breached data from Mixcloud was available on the dark web for around $4,000, or 0.5 Bitcoin. The publication checked the data for authenticity and adds:
“The data contained usernames, email addresses, and passwords that appear to be scrambled with the SHA-2 algorithm, making the passwords near impossible to unscramble. The data also contained account sign-up dates and the last-login date. It also included the country from which the user signed up, their internet (IP) address, and links to profile photos.”
Mixcloud, in its statement, says users may want to change their passwords, especially if they use the same one across different services but adds, “we have no reason to believe that any passwords have been compromised.” The company signs off the statement with the first names of the co-founders, “Nico, Mat, Nikhil,” saying:
“We are actively investigating the incident. We apologize to those affected and are sorry that this has happened. We understand this is frustrating and upsetting to hear, and we take the trust you put in us very seriously.”
– Watch our free taster sketch “Phishing Emails in Real life” from our hilarious Sketches security awareness training series
CHURCH’S CHICKEN RESTAURANTS, US
As per Techgenix, fast-food chain Church’s Chicken has notified its customers of a data breach in October localized to customers of restaurants in 11 US states. In a statement Church’s says:
“Our company immediately retained a leading cybersecurity forensics firm, to help us contain and remediate the activity, and launch an investigation to determine the extent to which information in Church’s systems may have been impacted. In addition, we are continuing to cooperate with federal law enforcement and have notified payment card networks and credit monitoring agencies.”
The breach appears to have occurred via “payment processing systems,” and the company has not confirmed exactly how many restaurants have been affected. It has said that customer are safe to use credit cards as steps have been taken to remediate the incident and “any previous unauthorized third-party access is not ongoing.” Church’s believes that customer data has not been accessed but warns customers that bank statements should be monitored.
Another US food chain, On the Border, has also notified customers of a data breach in a payment processing system in restaurants in 28 US states and says that some customer credit card information may have been compromised between April and August 2019.
ADOBE MAGENTO MARKETPLACE
Customers of the Magento e-commerce Content Management System, who number around 250,000, use the Magento Marketplace for software add-ons.
Reports last week indicate that the security team discovered a vulnerability on November 21 that allowed an “unauthorised third party,” to access account information.
The breached data includes names, email addresses, billing and shipping addresses, and phone numbers, as well as some information on developer use.
Adobe has said it “immediately launched an investigation, shut down the service and addressed the issue.”
Records of 7.5 million Adobe Creative Cloud customers were discovered online in an exposed database just weeks ago.
TRUEDIALOG, MILLIONS OF TEXT MESSAGES EXPOSED
News is also just breaking that a database containing “tens of millions” of SMS text messages ran by business SMS service TrueDialog has been found exposed online. The messages, reports TechCrunch, are mostly those sent by businesses to potential customers and date back years.
The database appears to have been stored on the internet without password protection or encryption and was discovered by security researchers Noam Rotem and Ran Locar.
The data contained information about university finance applications, job alerts, and marketing messages, but also some sensitive text messages containing two-factor security authorisation codes. This latter data may allow those with access to the information to gain access to online accounts and includes codes to access online medical services, Facebook and Google accounts, to obtain password reset and login codes.
TrueDialog has removed the database from the internet, as per reports, but does not appear to have commented or made a statement yet on the matter.
Interested in learning more about how security awareness training can help your organisation? Sign up for a free demo of the world’s most interactive security awareness training.
Subscribe to the Proofpoint Blog