The battle against the breaches continues, this week Google might aid the fight, adding a new feature to browser Chrome’s latest iteration Chrome 79.
Google’s password checking service
Google’s “Password Checkup” began as an extension for desktop versions of Chrome. It audits passwords when they are entered, comparing them against a 4 billion record public list of compromised usernames and passwords. The list has been compiled from all the breaches that have occurred in recent years. The new feature has already been integrated into Google accounts as an on-demand task that can be performed on all saved passwords. Now Password Checkup has been integrated into the standard desktop versions of Chrome 79.
Let’s look at some of the many more breached records that might be added to that already 4 billion strong record of exposed data…
– Watch our free taster sketch “Phishing Emails in Real life” from our hilarious Sketches security awareness training series
Conor, South Africa, 1 million web browsing records
Breaking this week, a major South African IT company, Conor is reportedly behind a breach that’s led to the exposure of “highly sensitive and private information and activity, including porn browsing history,” as per ZDNet.
A database containing “detailed, daily logs” of user behaviour by customers of ISPs which use web filtering software created by Conor was discovered by vpnMentor’s research team. It contains all the internet browsing activity of the users as well as personally identifying information.
The research team discovered the unsecured, unencrypted database on November 12. It’s 890GB in size and contains over a million records. They were able to view activity of ISP users on porn websites, and as usernames were also exposed, then identify these individuals on social media platforms. VpnMentor says:
“We viewed constantly updating user activity logs for the last two months from customers of numerous ISPs based in African and South American countries.”
LightInTheBox, China, 1.3TB of data
Noam Rotem and Ran Locar, of vpnMentor, also discovered a breach in late November. This time an unsecured and unencrypted database that could be accessed from a normal browser and belonging to Chinese e-commerce website LightInTheBox.com. The database was 1.3 terabytes in size and contained around 1.5 billion entries. As per The Register:
“The database [we found] was a web server log – a history of page requests and user activity on the site dating from 9th of August 2019 to 11th of October.”
The server logs included user email addresses, IP addresses, countries of residences, and pages viewed on the website. The breaches database also contained information from subsidiary sites including MiniInTheBox.com. LightInTheBox reportedly has 12 million monthly visitors.
Cheshire West and Chester Council Website
The names of 50 foster carers, amounts paid for accommodation, mileage, and other expenses, were inadvertently published online by Cheshire West and Chester Council Website.
A member of the public contacted website CheshireLive and a data analyst after spotting the breach. The data analyst informed the council who removed the sensitive information.
The information was contained in the “Open Data” section of the site which allows the public to check local government spending records but where personal information should be redacted. The council’s director of governance, Vanessa Whiting has responded:
“We take our responsibility for personal information very seriously. It appears that, due to a processing error, surnames and initials of some individuals have been included in data published on our website. This has now been removed. Our data protection officer is investigating this incident and the council has reported it to the Information Commissioner.”
It is, as per CheshireLive, not the first breach for the Open Data section of the council’s website.
750,000 applications for US birth certificate copies exposed online
As per TechCrunch, an online company that allows individuals to obtain copy birth and death certificates from US state governments has exposed the application forms of 752,000 site users.
The applications were discovered online in an Amazon Web Services (AWS) storage bucket that wasn’t protected by a password and could be accessed via an “easy-to-guess” web address.
The data checked by TechCrunch reportedly revealed names, dates of birth, addresses, email addresses, phone numbers, previous addresses, the names of family members, and the reason for the application. The records date back to late in 2017.
Fidus Information, a UK penetration testing company found the exposed data.
As we missed last weeks data breach roundup, let’s also take some statistics from one by Dark Reading published on December 10. It says 2.7 billion email addresses and 1 billion email account passwords have also been breached via unsecured “cloud buckets.” Dark Reading says:
“An epidemic in the past year or so of organizations inadvertently leaving their Amazon Web Services S3 and ElasticSearch cloud-based storage buckets exposed and without proper security has added a new dimension to data breaches.”
It adds that organisations aren’t securing their cloud servers properly.
Researcher Bob Diachenko discovered the ElasticSearch breached data base of 2.7 billion email address included 1 billion plain text passwords. The email domains were from mainly internet providers in China and were discovered at a US based colocation service. The database had reportedly been open and searchable with no password protection for a week. It may have contained records previously exposed in 2017 and Diachenko says users probably are not aware of the breach. The database may have been uploaded by either cybercriminals, or even security researchers.
Our last data breach round-up was December 3, and detailed breaches affecting millions of users of Mixcloud, Adobe Magento Marketplace, and TrueDialog.
Want to help secure your organisation? Sign up for a free demo and find out how we’re already helping organisations just like yours.
Subscribe to the Proofpoint Blog