Data Leak Archives – Gridinsoft Blog
Welcome to the Gridinsoft Blog, where we share posts about security solutions to keep you, your family and business safe.

Temu Allegedly Hacked, Data Put on Sale On The Darknet
https://gridinsoft.com/blogs/temu-hacked-data-sold-on-darknet/
Wed, 18 Sep 2024 22:47:31 +0000

Chinese retailer Temu allegedly suffered a huge data breach. Hackers have put a leaked database for sale on the Darknet, which contains 87 million records with customer information. The company, however, completely denies being hacked or experiencing a data leak. This suggests the possibility that the data was just scraped from other sources.

Temu Hacked, Hackers Sell Leaked Data

On Monday, September 16, a hacker with the nickname smokinthashit published a post on the hacker forum BreachForums that contains Temu’s user database. The attacker claims that the database contains 87 million records. The database reportedly contains usernames, identifiers, IP addresses, full names, birth dates, phone numbers, shipping addresses, and hashed passwords. As proof, the attacker published samples of the stolen data.

Threat actor’s post on BreachForums (Source: BleepingComputer)

Temu is a Chinese shopping platform that operates pretty much around the world. It offers a variety of goods at relatively low prices. Despite numerous jokes about the quality of goods from Temu, the price-quality ratio allows the service to enjoy great popularity among buyers. It is not surprising that such a statement by cybercriminals caused such a fuss among users of the service.

Temu’s response

Security researchers contacted Temu representatives and asked them to comment on the situation. However, the company categorically denied any data leak. Temu said they examined the samples published by the attackers and found no matches with their databases. The platform representatives also clarified that they take user data privacy seriously and have the app’s MASA certification. They also have independent security validations, a HackerOne bug bounty program, and comply with the PCI DSS payment security standard.

Temu’s security team has conducted a comprehensive investigation into the alleged data breach and can confirm that the claims are categorically false; the data being circulated is not from our systems. Not a single line of data matches our transaction records. We take any attempt to tarnish our reputation or harm our users extremely seriously and reserve the right to pursue legal action against those responsible for spreading false information and attempting to profit from such malicious activities. At Temu, the security and privacy of our users are paramount. We follow industry-leading practices for data protection and cybersecurity, ensuring that consumers can shop with peace of mind on our platform.
Temu representative

For their part, the attackers went on to claim that they had indeed hacked Temu. They also claimed they still had access to the company’s internal dashboards and knew of vulnerabilities in its code, but provided no evidence to support this. In any case, as a precaution, users of the service are advised to enable two-factor authentication and change their passwords. In addition, an increase in phishing attempts related to Temu and online shopping is to be expected in the wake of the incident.

May Users be in Danger?

Although such statements from hackers are not usually made without any proof, there is no reason to believe them at this point. Judging by the responses from Temu’s representatives and the attackers, this appears to be a database compiled through web scraping from various sources rather than a fresh breach. If the breach were confirmed, however, it would mean that sensitive information such as actual shipping addresses, bank card details, and purchase history has been leaked online. Either way, taking preventive measures like changing your password and enabling 2FA is always a good idea.

BangBros Leak Exposes 12 Million User Records
https://gridinsoft.com/blogs/bangbros-leak-12-million-users/
Thu, 01 Aug 2024 10:47:49 +0000

BangBros, a studio and platform specializing in adult content, leaked information about the users registered on their website. The database was discovered by researchers, and according to their report, it contains 12 million records of sensitive information. Further checks show that there is barely a possibility of this DB not belonging to the company.

BangBros Drops 12 Million Records About Users

Cybersecurity researchers have reported a major unintended data breach affecting BangBros. The studio and platform, known for adult content, exposed over 12 million confidential user records, including IP addresses, usernames, geolocation data, and other sensitive information. The main problem is that all of it was available as is, without any authentication or other protection.

Leaked data (Source: cybernews.com)

The database was first discovered on June 6, 2024, when initial research found an 8 GB Elasticsearch database. Elasticsearch is a toolkit for working with large amounts of data, exactly what you would expect behind such a dataset, and it eventually turned out to be the culprit: due to a configuration error, BangBros most likely left the confidential information unprotected. The researchers who discovered the exposure contacted the studio, and the information has since been secured.
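The exposure described above is the classic pattern of an Elasticsearch node bound to a public interface with authentication switched off. The following audit script is an added example, not Gridinsoft’s or Elastic’s code: it parses the flat `key: value` lines of an `elasticsearch.yml` and flags the settings combination that makes every index readable from the network without credentials. The setting names (`xpack.security.enabled`, `network.host`, `xpack.security.http.ssl.enabled`) are real Elasticsearch keys; both sample configuration files are constructed for the example, and the exact version defaults are treated as unknown.

```python
"""Audit an elasticsearch.yml for the settings combination that exposes an index without
authentication. Added example; not Gridinsoft's or Elastic's code."""
from __future__ import annotations

# Constructed sample configuration that reproduces the exposure pattern.
WEAK_CONFIG = """\
cluster.name: media-stats
network.host: 0.0.0.0          # listen on every interface
http.port: 9200
xpack.security.enabled: false  # no authentication on the REST API
"""

# Constructed sample configuration with the same cluster hardened.
HARDENED_CONFIG = """\
cluster.name: media-stats
network.host: 127.0.0.1
http.port: 9200
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
"""

# Values of network.host that bind the HTTP listener to non-loopback interfaces.
PUBLIC_BIND_VALUES = {"0.0.0.0", "::", "_site_", "_global_", "_non_loopback_"}


def parse_flat_yaml(text: str) -> dict[str, str]:
    """Parse the flat 'key: value' lines elasticsearch.yml normally consists of.
    Comments and blank lines are skipped; nested YAML mappings are out of scope here."""
    settings: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        settings[key.strip()] = value.strip().strip("\"'")
    return settings


def is_true(value: str | None) -> bool:
    return (value or "").lower() in {"true", "yes", "on"}


def audit_es_config(text: str) -> list[str]:
    """Return a list of findings; an empty list means no exposure pattern was found."""
    s = parse_flat_yaml(text)
    findings: list[str] = []
    security_on = is_true(s.get("xpack.security.enabled"))
    # When network.host is absent, Elasticsearch binds to loopback only.
    host = s.get("network.host", "localhost")

    if "xpack.security.enabled" not in s:
        findings.append("xpack.security.enabled not set: whether authentication is on "
                        "depends on the version default; set it explicitly")
    elif not security_on:
        findings.append("xpack.security.enabled is false: anyone who can reach the port "
                        "can read every index")
    if host in PUBLIC_BIND_VALUES:
        findings.append(f"network.host={host}: HTTP listener bound to non-loopback interfaces")
        if not security_on:
            findings.append("exposed listener combined with disabled security: data readable "
                            "from the network without credentials")
    if security_on and not is_true(s.get("xpack.security.http.ssl.enabled")):
        findings.append("TLS disabled on the HTTP layer: credentials and data travel in cleartext")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"[{name}]")
        for finding in audit_es_config(cfg) or ["no findings"]:
            print("  -", finding)
```

Run against a node’s own configuration file before it goes live; the combination of a non-loopback `network.host` and security disabled is the one that produces an 8 GB database readable by anyone who finds port 9200.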

Potential Risks

The majority of the leaked information was stored in a file named “bangbros_straight”, containing nearly 12 million records of statistics from various media or content management systems. In addition, a user registration log file held 496,542 records, and 37,974 feedback messages were linked to IP addresses, usernames, and dates. The types of data exposed in the leak include:

  • Usernames
  • IP addresses
  • Country
  • Geolocation based on the IP
  • Device type
  • Reviews
  • Model statistics (upvotes, downvotes, views)
  • Model names, genders, descriptions

This means that potential attackers could use this data to track and associate content viewing habits with specific individuals. The Darknet is notorious for being filled with personal data from other breaches. By combining different data obtained from various sources using OSINT (Open Source Intelligence), attackers can reconstruct a highly detailed digital profile of a user.

Consequences for Users

What does this mean for users? First, spear phishing attacks could become more precise thanks to this data. Second, attempts to blackmail victims for watching compromised videos would no longer be just empty threats. Third, publishing such delicate information, particularly about a user’s preferences, could lead to personal embarrassment and public condemnation, especially among colleagues, relatives, or friends.

Such recklessness is not typical for big companies and, as you can see, gets fixed pretty quickly upon detection. That still does not mean you are free to trust your data to each and every website. Do your research, scan the site with URL checkers, and share only the necessary information; this way, you mitigate your risks in case of such a leak.

AT&T Hacked in April, All Wireless Customers Affected
https://gridinsoft.com/blogs/att-hacked-wireless-customers-affected/
Sat, 13 Jul 2024 13:53:57 +0000

AT&T, one of the biggest US network operators, confirms a massive data breach that happened in April. The hack resulted in a massive leak of user data: hackers allegedly got their hands on information about interactions via calls and messages. It affects not just AT&T’s own customers but also users of mobile virtual network operators that run on AT&T’s network.

AT&T Data Breach Affects All Customers of Wireless Communications

On July 13, 2024, AT&T published an SEC filing regarding its several-month investigation of the malicious activity. As it turned out, the hackers managed to gain access to the company’s databases and retain it for several weeks. From April 14 to April 25, 2024, threat actors extracted a substantial amount of information about customers of the company and of related organizations (MVNOs).

List of mobile virtual network operators affected by the breach

  • Good2Go
  • Unreal Mobile
  • Wing
  • TracFone Wireless
  • FreedomPop
  • Cricket Wireless
  • Boost Infinite
  • H2O Wireless
  • Consumer Cellular
  • PureTalk
  • Straight Talk Wireless
  • Black Wireless

In particular, AT&T discloses the leakage of files that contain data about calls and SMS exchanged between numbers (dates, call durations, phone numbers, etc.). How current the leaked data is, however, is in question: adversaries allegedly got their hands only on older databases, specifically one that kept records from May to October 2022. It is not clear from the company’s filing whether hackers had access to more files but exfiltrated only this part, or whether this was the only data they managed to reach.

AT&T’s filing to the SEC regarding the “cybersecurity incident”

Even at this lesser scale, the consequences of the breach are not ones to ignore. The data from this breach contains so-called cell site identification numbers, special codes that identify the cell tower(s) each call participant was connected to. With that information, plus data from several other AT&T leaks, especially ones that coincide in dates with what was leaked here, hackers can get detailed information on who was talking to whom, from where, and for how long.

How Did the AT&T Hack Happen?

Following the disclosure, an AT&T spokesperson said that the hack took place in Snowflake’s cloud databases. As it turned out earlier, the cloud tech company ignored important account protection measures, which led to a massive number of companies being hacked in turn, and AT&T appears to be yet another victim. Hackers appear to have accessed databases that the telecom company kept in Snowflake cloud storage.

The ongoing investigation has already established that Snowflake’s flaws are being exploited by one specific group of cybercriminals. In particular, Mandiant names several citizens of North American countries and Turkey as responsible for all these attacks. Still, despite the power of US law enforcement, these actors have not been detained yet.

Should I be concerned?

Although the potential of the breach is rather high, the leaked data is useful almost exclusively in targeted attacks. AT&T specifically pointed out that hackers did not leak any sensitive information, such as SSNs or other personal data.

The data does not contain the content of calls or texts, personal information such as Social Security numbers, dates of birth, or other personally identifiable information. Current analysis indicates that the data includes, for these periods of time, records of calls and texts of nearly all of AT&T’s wireless customers and customers of mobile virtual network operators…
AT&T in the SEC filing

Nonetheless, the company likely has something it does not want to disclose, as it promises to “notify the customers about their data exposed in the breach”. Sure enough, this may concern just the phone calls and SMS I’ve mentioned above. But it is a bad idea to underestimate what hackers could have leaked; historically, that has never gone well.

Dell Hacked, 49 Million Users Exposed
https://gridinsoft.com/blogs/dell-hacked-49-million-users-exposed/
Sat, 11 May 2024 07:55:49 +0000

On Friday, May 10, Dell Technologies released a statement regarding a massive data leak from its internal network. The breach allegedly affects up to 49 million users and contains only a few pieces of personally identifiable information. It looks like the hack was claimed back in late April by a threat actor on a Darknet forum.

Dell Hacked, Leaking User Data

On May 10, Dell released an official statement regarding the data breach and started sending emails to the customers exposed in the leak. More specifically, a server that holds sales-related information was hit, so it is particularly easy to estimate the possible types of exposed information. Dell does not keep this secret anyway, and openly details in the emails what exactly was leaked.

Example of the email Dell sends to notify users whose data was exposed in the breach

What is disturbing is that the security breach was in fact claimed back on April 28. A user of the Breached forum, Menelik, put the database up for sale, accepting messages from anyone “to discuss use cases and opportunities”. Later, they updated the post to include a screenshot of the official Dell email notification as proof that the leak is genuine.

Breached forum post

Aside from confirming the breach, the hacker provides some more details about what was leaked. According to the forum post, the leak consists mostly of data on large clients, such as enterprises, educational institutions and so on; consumers and consumer-oriented retailers account for only 18 million records. The majority of clients in the leak are from the US, Canada, India and China.

How Dangerous Is the Dell Data Leak?

Despite the scale of this data breach, the types of exposed data are not really threatening. Passwords and payment information were left untouched, which should be the biggest relief for anyone who receives the notification from Dell.

Still, shipping addresses and full names fall under the definition of personally identifiable information. These two alone will not cause much trouble, but add another two fields, and two more from a different company’s leak, and the hacker has a full pack of data about the person. Be careful with the websites and companies you share your personal information with: as you can see, even big corporations are not invulnerable.

One thing that bothers me here is whether the hack concerns only the server that kept the sales data. It is rather common for hackers to sell, or share for free, the less valuable data on the Darknet once their persistence has been cut off. The more valuable pieces, like login credentials or any keys usable for further attacks, hackers keep to themselves, most likely to use in another attack. And it won’t be an easy task to guess which system will be its target.

Data Breach & Data Leaks
https://gridinsoft.com/blogs/data-breach-vs-data-leak/
Thu, 25 Apr 2024 13:27:33 +0000

Data leaks and data breaches are very similar phenomena with a slight difference in how they occur: human error in one case, a cyber attack in the other. But in both cases, it means that someone got unauthorized access to data that should have been better protected.

What is a Data Breach?

A data breach is when confidential data becomes available to an intruder, usually staff data, client data, company data, financial data, etc. The primary goal of such an attack is typically to sell the confidential data on the darknet. Data breaches are achieved by several methods, such as social engineering, hacking, or malware injection. In some cases, data breaches can go undetected for a long time. One notable example was the Marriott International hack in 2014: the hackers not only infiltrated the system but stayed there until 2018, which led to a data breach affecting up to 500 million guests. This could have been detected earlier if the company had taken security more seriously and applied at least standard security procedures.

Causes of Data Breaches

If a data breach occurs in a company, it can cause severe and irreparable consequences, so it is important to know why it can happen. Given that most breaches are related to the human factor in one way or another, with proper awareness they can be avoided. The main causes of data breaches:

  • Human error – accidentally sending an email to the wrong person, losing important documents, drives, or devices, or accidentally disclosing confidential information is why most of these breaches happen.
  • Physical theft or loss – accidentally forgetting a device in a cafe, negligent acts of employees such as sharing passwords, or documents simply lost in public transit.
  • Phishing – many people know that opening suspicious emails that contain a link or file, let alone following that link or downloading the file, is dangerous. Nevertheless, quite a few people still fall for this kind of deception.
  • Insufficiently secured data – weak security, such as a simple, predictable password, hands attackers an easy win over your data protection.
  • Vulnerabilities and security holes – any application that hasn’t been updated for a long time can be an open door for cybercriminals.
  • Cyberattacks – malware, ransomware, and other malicious software are constantly improving and evolving, posing an ongoing data breach threat.
  • Social engineering – this method, like phishing, targets gullible people who may give the fraudster unauthorized access to confidential information.

How to Prevent Data Breaches

The following tips help minimize the chances of your organization being affected by a data breach:

  1. Comply with GDPR. Develop a clear, GDPR-compliant company policy to keep your sensitive data secure.
  2. Work on a security policy for data and equipment usage. A detailed description of data processing methods and processes, and secure BYOD practices, will help reduce the likelihood of a successful hack.
  3. Automate processes to minimize the number of human errors, which are the leading cause of data breaches.
  4. Provide cybersecurity training to employees, thus reducing employee negligence and raising awareness of how to detect suspicious online activity.
  5. Encrypt your data. Even if a fraudster gets their hands on it, encryption will prevent them from taking advantage of it.
  6. Restrict access to confidential information. Only employees who need it for their jobs should have access to it.
  7. Monitor access to and use of data. Keep track of data that has been sent outside your network and who sent it.
  8. Keep your system up to date. Updates include patches, improvements and fixes for the vulnerabilities that cybercriminals like to exploit.
  9. Regularly analyze your system for vulnerabilities. This way, you can identify potential threats before they can do any harm.
  10. Back up your data regularly, so that in case of damage you have a chance to recover it quickly, and the recovery process takes far fewer resources.

What is a Data Leak?

A data leak is also an exposure of confidential information, but one caused not by a cyber attack but by an unintentional disclosure or a system vulnerability. Also, unlike with a data breach, with a data leak you cannot say for sure whether the information has ended up in the public domain or not. The leading causes of data leakage are flaws in security policy, improper user access to the site, or improperly designed applications. The main distinguishing feature of a data leak is that it happens due to an error in processing or comes from an internal source.

As an example, take the Facebook – Cambridge Analytica case, in which a whistle-blower exposed the unethical practices of Cambridge Analytica. This incident can be classified as a data leak because an excessive amount of user data was collected, but no information was exposed to the public.

Causes of Data Leaks

Data leakage occurs because proper security measures are not followed during data handling. Here are three main reasons why data leaks happen:

  • Data in transit – transmitting data over the Internet without proper API protection, port protection, or a secure protocol increases the risk of data leakage. The same applies to email transmission, web browsing, and other forms of online communication.
  • Data at rest – if data is stored on insecure devices, for example, files with confidential information kept on a drive without a password, this can also lead to data leakage.
  • Data on removable media – data leaks can occur if the data is on removable media that gets lost or forgotten.

How to Prevent Data Leaks

The key method to prevent data leaks is a proactive approach to cybersecurity. The approach to security must be layered to reduce the consequences of an intrusion. Here are some tips to help prevent data leaks:

  1. Use endpoint protection. Data leaks are often caused by improper configuration or insecure storage of sensitive information on endpoint devices.
  2. Network monitoring. Monitoring data sent and received between your organization and others will detect unusual behavior or suspicious traffic, thus significantly reducing the chances of data leakage.
  3. Use secure storage. Storing sensitive data in clear, unprotected form would make it easy for a potential attacker to take advantage of it. Encrypting data and regulating access to it through automation will increase security.
  4. Develop a policy for device usage. To prevent data leaks, it is important to develop and implement a policy for proper device usage among employees.
  5. Third-party (vendor) risk management. Applying appropriate third-party risk management will allow you to analyze the data and determine how much of it is shared with the respective vendors.
  6. Comply with GDPR guidelines for data storage and management. This will minimize the risks of data breaches.
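
Two of the tips above (“monitor access to and use of data: keep track of data that has been sent outside your network and who sent it” in the breach list, and “network monitoring” in the leak list) come down to one detection: establishing what a user normally sends out and flagging the day that deviates. The script below is an added example, not Gridinsoft’s code, and the flow-log format (date, user, destination host, bytes sent out of the network) is an assumption; the records themselves are constructed so that one user’s last day is a 40x jump to a host never seen before.

```python
"""Per-user outbound-volume baseline check over constructed flow records.
Added example for the data-monitoring and network-monitoring tips; not Gridinsoft's code.
The flow-log format is an assumption."""
from __future__ import annotations

from collections import defaultdict
from statistics import median

# Constructed sample records: date, user, destination host, bytes sent out of the network.
FLOW_LOG = """\
2024-04-08 alice fileshare.example.net 48000000
2024-04-09 alice fileshare.example.net 52000000
2024-04-10 alice fileshare.example.net 47000000
2024-04-11 alice fileshare.example.net 51000000
2024-04-12 alice fileshare.example.net 50000000
2024-04-12 alice cloud-drop.example.org 2100000000
2024-04-08 bob crm.example.net 12000000
2024-04-09 bob crm.example.net 13000000
2024-04-10 bob crm.example.net 11000000
2024-04-11 bob crm.example.net 12000000
2024-04-12 bob crm.example.net 12500000
"""


def parse_flow_log(text: str) -> list[tuple[str, str, str, int]]:
    """Turn whitespace-separated lines into (date, user, destination, bytes) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, user, dst, nbytes = line.split()
        records.append((date, user, dst, int(nbytes)))
    return records


def daily_outbound(records):
    """Aggregate bytes per user per day, and remember which hosts received them."""
    volume = defaultdict(lambda: defaultdict(int))
    hosts = defaultdict(lambda: defaultdict(set))
    for date, user, dst, nbytes in records:
        volume[user][date] += nbytes
        hosts[user][date].add(dst)
    return volume, hosts


def find_exfil_candidates(records, ratio: float = 5.0, floor: int = 100_000_000) -> list[dict]:
    """Flag users whose most recent day of outbound traffic exceeds both an absolute floor
    (to ignore tiny accounts where any change is a large ratio) and `ratio` times the median
    of their earlier days. Users with fewer than three prior days have no usable baseline
    and are skipped rather than guessed at."""
    volume, hosts = daily_outbound(records)
    findings = []
    for user, per_day in volume.items():
        days = sorted(per_day)
        if len(days) < 4:
            continue
        last = days[-1]
        baseline = median(per_day[d] for d in days[:-1])
        observed = per_day[last]
        if observed > floor and observed > ratio * baseline:
            findings.append({
                "user": user,
                "date": last,
                "bytes": observed,
                "baseline": baseline,
                "destinations": sorted(hosts[user][last]),
            })
    return findings


if __name__ == "__main__":
    for f in find_exfil_candidates(parse_flow_log(FLOW_LOG)):
        print(f"{f['user']} on {f['date']}: {f['bytes']:,} bytes "
              f"(baseline {f['baseline']:,.0f}) to {', '.join(f['destinations'])}")
```

The median rather than the mean is used for the baseline so that one earlier spike does not mask a later one, and the destination list is kept in the finding because the analyst’s first question is where the data went.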

What is Worse?

Which is worse, a data leak or a data breach? On one side are improper security practices and accidental or intentional exposure; on the other, crooks who broke into your system and stole your data. In the first situation, all your resentment is directed at the intruder who infiltrated your system and at the lack of effective security measures in it. In the second case, you can only blame yourself for leaving your system unprotected without paying due attention to its security.

Data Breach & Data Leaks

The situation will be unfortunate, and the headlines will be loud, in both cases. Regardless of size or industry, many organizations occasionally encounter problems securing the confidentiality or integrity of the data they collect. To avoid misleading people and to handle complex situations properly, it is important to know and understand the difference between data breaches and data leaks. Even though both are very damaging to your organization’s reputation, the second scenario is more devastating.

Hewlett Packard Enterprise Hacked, Darknet Forum Sales Data
https://gridinsoft.com/blogs/hewlett-packard-enterprise-hacked/
Tue, 06 Feb 2024 12:29:31 +0000

On February 1, 2024, a post selling Hewlett Packard Enterprise data appeared on a Darknet hacker forum. The threat actor known as IntelBroker claims to have hacked into the company’s network and grabbed a whole lot of data, including access tokens and passwords. The company itself acknowledges the breach, but cannot confirm any recent cybersecurity incident.

Hewlett Packard Enterprise Hacked

A post published on the infamous BreachForums on February 1 offers for sale an extensive database leaked from the Hewlett Packard Enterprise (HPE) internal network. The seller, known under the name IntelBroker, claims to have hacked into the network and obtained the said data. That means either the company has suffered a new security breach, or the hacker was present in the network for quite some time.

Forum post that offers Hewlett Packard data for sale

As usually happens with Darknet forum posts offering leaked information for sale, several screenshots are attached as evidence. Among the leaked data types, the hacker claims CI/CD access, system logs, config files, access tokens, HPE StoreOnce files and access passwords. While the screenshots are consistent with the types of data claimed in the leak, they do not include anything that allows identifying the time frame, i.e. there is no way to tell how old this breach is.

As I’ve mentioned in the introduction, HPE knows about the data posted on the forum and is investigating the case. At the same time, representatives of the company do not have any evidence of a recent cyberattack or security breach.

At this time we have not found evidence of an intrusion, nor any impact to HPE products or services. There has not been an extortion attempt.
Adam R. Bauer, HPE’s Senior Director for Global Communication

Data Leak, But No Ransomware

An attack that leaks extensive amounts of data without ransomware may sound absurd, considering that a ransomware deployment typically finalizes such an attack. However, such an approach is not new: adversaries may practice leak-only attacks to speed up the overall process or to avoid detection. In some cases, this is a way to get at least something out of the attack when security solutions manage to block the malware.

Still, there is a positive side to this story: no customer data appears to be involved. Both what is claimed and what appears on the screenshots is purely internal data. And this is good not only for HPE customers, as the company itself has much less of a headache notifying those whose data has been leaked.

Any Relation to HPE Corporate Email Accounts Breach?

Despite the company’s representative saying that no cyberattacks were detected, there apparently was one that could be the source. Back in mid-January 2024, HPE reported that its corporate email accounts had been hacked by APT29, a threat actor linked to Russia’s SVR. The breach itself took place in May 2023, and the fact that the adversary had access to the environment was acknowledged on December 12, 2023.

Details regarding the previous HPE hack shared in the official SEC filing

Why could this data come from that old breach? The official company note regarding the case mentions a selection of data categories that matches what we see in the BreachForums post. More specifically, the company talked about hackers accessing several mailboxes of employees in its cybersecurity, go-to-market, business segment and several other teams. Logs, configs and access tokens are a normal occurrence in such emails, though there could also have been access to customer data. Nonetheless, it won’t be much of a surprise if the ongoing investigation leads back to the past APT29 hack.

23andMe Data Leak Exposes Nearly 7 Million Users’ Sensitive Data
https://gridinsoft.com/blogs/23andme-data-leak/
Wed, 06 Dec 2023 13:05:40 +0000

The post 23andMe Data Leak Exposes Nearly 7 Million Users’ Sensitive Data appeared first on Gridinsoft Blog.

]]>
Nearly 7 million customers of the genetic testing and biotechnology company 23andMe fell victim to a data leak in October. Attackers gained unauthorized access and extracted profile data, affecting a significant portion of the company’s user base.

Hackers Gain Access to Sensitive Data in 23andMe Database

In a startling revelation, genetic testing and biotechnology company 23andMe confirmed on Monday that nearly 7 million customers fell victim to a data leak in October. The expansive cybersecurity incident involved the unauthorized access and extraction of user profile data, affecting a significant portion of the company’s total customer base.

In brief, the attackers targeted a feature called DNA Relatives, scraping display names, ancestry reports and health-related data. The health data is the most sensitive part, since it allows very broad analysis: the reports can disclose a user’s carrier or risk status for conditions such as cystic fibrosis, Tay-Sachs disease, type 2 diabetes and Parkinson’s disease.

23andMe Hacked in October

The breach began in early October, when the attackers gained direct access to about 14,000 23andMe customer accounts. They did not exploit a flaw in the platform: they used username and password pairs stolen in unrelated third-party breaches, betting on users who reuse the same password across services (credential stuffing). 23andMe did not say which breaches the credentials came from, but stressed that there was no indication its own systems had been compromised.

The post of 23andMe data on the BreachForums site

Next, the attackers turned to the DNA Relatives feature, scraping display names, ancestry reports and health-related data. Because each compromised account can see the profiles of hundreds or thousands of genetic relatives who opted in to the feature, the 14,000 hijacked accounts were enough to reach a total of 6.9 million exposed users.
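The two phases described above, a credential-stuffing wave followed by scraping through the relatives feature, leave distinct traces in logs. The following is an added example (not 23andMe’s code, and not from the original post) of how a defender would spot both: the log format, field names, thresholds and all events are constructed assumptions for this illustration.

```python
"""Added example: detect credential stuffing and relatives-list scraping in
constructed auth/feature logs. Field names, thresholds and events are assumed."""
from collections import defaultdict
from datetime import datetime, timedelta


def _ts(minute):
    # Helper for the constructed sample: ISO timestamps on 2023-10-01 starting 02:00.
    return (datetime(2023, 10, 1, 2, 0) + timedelta(minutes=minute)).strftime("%Y-%m-%dT%H:%M:%SZ")


def build_sample_events():
    """Constructed sample, not real 23andMe logs."""
    events = []
    # Phase 1: one source tries 30 different accounts with leaked passwords; 2 of them match.
    for i in range(30):
        events.append({"ts": _ts(i), "ip": "203.0.113.7", "account": f"user{i:03d}",
                       "action": "login", "result": "success" if i in (4, 17) else "fail",
                       "target": None})
    # Phase 2: one hijacked account walks its DNA Relatives list, 120 profiles in half an hour.
    for j in range(120):
        events.append({"ts": _ts(30 + j // 4), "ip": "203.0.113.7", "account": "user004",
                       "action": "relative_view", "result": "success", "target": f"rel{j:05d}"})
    # A legitimate user: one login from home and a handful of relatives viewed.
    events.append({"ts": _ts(5), "ip": "198.51.100.20", "account": "alice",
                   "action": "login", "result": "success", "target": None})
    for j in range(5):
        events.append({"ts": _ts(6 + j), "ip": "198.51.100.20", "account": "alice",
                       "action": "relative_view", "result": "success", "target": f"rel9{j}"})
    return events


def credential_stuffing_sources(events, min_accounts=10, min_fail_ratio=0.5):
    """Return {ip: (distinct_accounts, failures, attempts)} for sources that look like
    credential stuffing: many distinct accounts, mostly failing, from one address."""
    per_ip = defaultdict(lambda: {"accounts": set(), "fail": 0, "total": 0})
    for e in events:
        if e["action"] != "login":
            continue
        rec = per_ip[e["ip"]]
        rec["accounts"].add(e["account"])
        rec["total"] += 1
        rec["fail"] += 1 if e["result"] == "fail" else 0
    return {ip: (len(r["accounts"]), r["fail"], r["total"])
            for ip, r in per_ip.items()
            if len(r["accounts"]) >= min_accounts and r["fail"] / r["total"] >= min_fail_ratio}


def hijacked_accounts(events, stuffing_ips):
    """Accounts that authenticated successfully from a flagged stuffing source."""
    return {e["account"] for e in events
            if e["action"] == "login" and e["result"] == "success" and e["ip"] in stuffing_ips}


def scraping_accounts(events, max_profiles_per_hour=50):
    """Return {account: peak distinct relative profiles fetched in one hour} for accounts
    above the threshold; a person browses a few relatives, a scraper enumerates them."""
    per_account_hour = defaultdict(set)
    for e in events:
        if e["action"] == "relative_view":
            per_account_hour[(e["account"], e["ts"][:13])].add(e["target"])
    peak = defaultdict(int)
    for (account, _hour), targets in per_account_hour.items():
        peak[account] = max(peak[account], len(targets))
    return {a: n for a, n in peak.items() if n > max_profiles_per_hour}


def triage(events):
    """Tie the two phases together: scrapers that were hijacked by stuffing."""
    sources = credential_stuffing_sources(events)
    hijacked = hijacked_accounts(events, sources)
    scrapers = scraping_accounts(events)
    return {"stuffing_sources": sources, "hijacked": hijacked, "scrapers": scrapers,
            "scrapers_from_stuffing": hijacked & set(scrapers)}


if __name__ == "__main__":
    print(triage(build_sample_events()))
```

The per-source failure ratio catches the password-spraying phase even when individual accounts see only one attempt each, and the per-account, per-hour count of distinct relative profiles catches the scraping phase regardless of how the account was taken over; rate limiting that endpoint is the corresponding preventive control.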

Who is under attack?

According to the company, an average 23andMe account had access to information on about 1,500 DNA relatives. Using the hijacked accounts as a vantage point, the attackers scraped the profile data of 5.5 million DNA Relatives participants, and a further 1.4 million users had their Family Tree profile information exposed.

Of the nearly 7 million users affected, about 1 million were of Ashkenazi Jewish descent and 300,000 were of Chinese heritage, which suggests those communities were deliberately targeted for their ancestry data. A further 4.1 million leaked profiles reportedly belonged to British and German 23andMe customers. The exposed fields include display names, ancestry reports and sensitive health information.

Official reaction

Upon discovering the suspicious activity, 23andMe reset all user passwords on October 9. The company is notifying affected customers in line with its legal obligations and has temporarily disabled certain features within the DNA Relatives tool.

As for genuinely effective measures, multi-factor (two-step) authentication has since been made mandatory for all accounts; data this sensitive arguably should have required it from the start. The underlying problem was that users put little effort into protecting their accounts and reused passwords. As a result, 14,000 guessed logins turned into a jackpot of 6.9 million exposed profiles.

Okta Hack Exposes Data of All Support Customers
https://gridinsoft.com/blogs/okta-hack-all-customers-exposed/
Thu, 30 Nov 2023 10:47:15 +0000
Back in mid-October 2023, Okta, one of the world’s largest identity providers, suffered a data breach: weaknesses in its support system let attackers access one of its support accounts. At first the company said only a small number of customers were affected. More than a month later, it disclosed that the attackers had actually obtained information on all Okta Help Center customers.

Okta Hack Results Into a Massive Data Breach

The Okta Help Center breach was originally thought to touch only a handful of customers. Abusing a session token, the attackers logged in under the guise of a legitimate customer and performed actions under that identity. They also ran a report function that lists all Help Center accounts, a request that was at first believed to have failed. As of October 20, Okta said only 134 customers had data exposed in the incident.

As it turned out, this number was badly underestimated. Further investigation showed that the attackers had successfully dumped information on every account in the system. The company shared some specifics on the types of data exposed:

The majority of the fields in the report [created by hackers to dump the user data] are blank and the report does not include user credentials or sensitive personal data. For 99.6% of users in the report, the only contact information recorded is full name and email address.
Types of data stored within user support profiles

So it is possible that some users (0.4%, or roughly 72 people) had more than a name and email address exposed. Not a lot, but it already contrasts sharply with the company’s original claims and, more importantly, raises questions about the security architecture inside the company.

More Details of Okta Hack Appeared

Aside from the disclosure about the exposed data, the company shared new details about how the breach happened. The attackers got hold of a service account, an account intended for automated processes running on a machine rather than for a person, typically used for scheduled jobs such as backup creation. The credentials for this account had been saved in an employee’s Google account, which the attackers had compromised earlier.

That explains both the absence of MFA on the compromised account (MFA is not an option for an unattended machine account) and its broad privileges. Before this detail emerged, the story sounded ironic: the largest identity provider not using identity protection in its own network. Now it makes sense, but it raises new questions about how such accounts should be secured, and it still does not excuse the fact that compromising a single employee’s account effectively compromised the entire service.
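Because a machine account cannot carry MFA, the compensating controls are a tight behavioural baseline, alerting on any departure from it, and trimming its grants to the one job it does. The following added example (not Okta’s code, and not from the original post) shows both checks over constructed audit events; the baseline, the field names, the granted permission set and every event are assumptions for this illustration.

```python
"""Added example: flag a service account behaving like a human, and list the
privileges it holds beyond its job. Baseline, fields and events are assumed."""

# Assumed baseline per service account: where it runs from, what client it uses,
# and the only actions it legitimately performs.
SERVICE_ACCOUNT_BASELINE = {
    "svc-backup": {
        "allowed_ips": {"10.20.0.15"},
        "allowed_ua_prefix": "backup-agent/",
        "allowed_actions": {"export.backup"},
    },
}

# Assumed grants for the constructed account: far wider than its single job.
GRANTED = {
    "svc-backup": {"export.backup", "report.customers.list_all", "user.create", "user.session.start"},
}

BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/118.0"

# Constructed audit events: two normal backup runs, then the same account used from an
# unknown address with a browser to pull a full customer listing, and an ordinary
# human login that this check deliberately ignores.
SAMPLE_EVENTS = [
    {"actor": "svc-backup", "ip": "10.20.0.15", "ua": "backup-agent/2.1", "action": "export.backup"},
    {"actor": "svc-backup", "ip": "10.20.0.15", "ua": "backup-agent/2.1", "action": "export.backup"},
    {"actor": "svc-backup", "ip": "203.0.113.50", "ua": BROWSER_UA, "action": "user.session.start"},
    {"actor": "svc-backup", "ip": "203.0.113.50", "ua": BROWSER_UA, "action": "report.customers.list_all"},
    {"actor": "jdoe", "ip": "198.51.100.9", "ua": BROWSER_UA, "action": "user.session.start"},
]


def anomalies_for_service_accounts(events, baseline):
    """Return [(actor, action, [reasons])] for every service-account event that departs
    from its baseline; accounts without a baseline entry are humans and are skipped."""
    findings = []
    for e in events:
        profile = baseline.get(e["actor"])
        if profile is None:
            continue
        reasons = []
        if e["ip"] not in profile["allowed_ips"]:
            reasons.append(f"source {e['ip']} not in allowlist")
        if not e["ua"].startswith(profile["allowed_ua_prefix"]):
            reasons.append("interactive (browser) client on a machine account")
        if e["action"] not in profile["allowed_actions"]:
            reasons.append(f"action {e['action']} outside the account's job")
        if reasons:
            findings.append((e["actor"], e["action"], reasons))
    return findings


def excess_privileges(baseline, granted):
    """Grants that exceed the baseline's allowed actions: the privilege an attacker
    inherits for free the moment the stored credential is stolen."""
    return {actor: sorted(set(perms) - baseline[actor]["allowed_actions"])
            for actor, perms in granted.items() if actor in baseline}


if __name__ == "__main__":
    for actor, action, reasons in anomalies_for_service_accounts(SAMPLE_EVENTS, SERVICE_ACCOUNT_BASELINE):
        print(actor, action, "; ".join(reasons))
    print(excess_privileges(SERVICE_ACCOUNT_BASELINE, GRANTED))
```

The first two events pass silently; the third and fourth trip all three rules at once, which is the signal worth paging on. The privilege diff is the preventive half: an account scoped to `export.backup` alone could not have produced a full customer listing even with its credential in the attacker’s hands.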

LockBit Ransomware Exposes Boeing’s 50GB of Data Leaked
https://gridinsoft.com/blogs/lockbit-boeing-hack-data-leak/
Tue, 14 Nov 2023 08:54:55 +0000
In a cybersecurity nightmare, Boeing, a global aerospace and defense titan, has fallen victim to the notorious LockBit ransomware group, with roughly 50 gigabytes of sensitive data exposed as a result. The leak became public on November 10, 2023, when LockBit made good on its threat and published Boeing’s confidential information after the aerospace giant refused to meet its ransom demands.

Who is the LockBit Ransomware Gang?

LockBit, which operates as a ransomware-as-a-service (RaaS) outfit, has been a persistent threat for over four years. Its victims span many sectors, including Continental, the UK Royal Mail and the Italian Internal Revenue Service; Boeing first appeared on its leak site on October 27. According to US authorities, LockBit has extorted approximately $91 million since 2020 in nearly 1,700 attacks against US organizations.

LockBit Leaks Boeing Data on the Darknet

Before the data leak unfolded, LockBit hackers issued stern warnings, accusing Boeing of neglect and threatening to expose a sample of 4GB of the most recent files. Boeing, a cornerstone in aviation and defense, stood steadfast against the ransom demands.

Boeing page on LockBit data leak site

On November 10, LockBit carried out its threat, publishing over 43 GB of files from Boeing on the Darknet. The leaked data includes backups of various systems; the most recent are timestamped October 22. Notably, the files include configuration backups for IT management software, logs from monitoring and auditing tools, and backups from Citrix appliances, which raises concerns that initial access came through the Citrix Bleed vulnerability (CVE-2023-4966).
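Citrix Bleed is a memory over-read on the NetScaler `/oauth/idp/.well-known/openid-configuration` endpoint triggered by an oversized Host header, and what the over-read leaks is session material that the attacker then replays from their own address. The following added example (not Boeing’s, Citrix’s or the page’s code) shows the two checks a responder would run over request logs: probes of that endpoint with an abnormal Host header, and session identifiers used from an address other than the one that logged in. It assumes a reverse proxy or WAF in front of the appliance that records the request path, the Host header length and a session identifier (the appliance itself does not log these by default); the JSON-lines format and every record below are constructed.

```python
"""Added example: hunt for Citrix Bleed (CVE-2023-4966) probing and the session
replay that follows it, over constructed proxy/WAF logs. Format is assumed."""
import json
from collections import defaultdict

CITRIX_BLEED_PATH = "/oauth/idp/.well-known/openid-configuration"
LOGIN_PATH = "/cgi/login"  # assumed login endpoint as seen by the proxy

# Constructed log: a normal discovery request, two oversized-Host probes from one
# address, a real user logging in and getting session S1, then S1 replayed from the
# probing address that never logged in.
SAMPLE_LOG = """\
{"ts":"2023-10-20T10:00:01Z","src":"198.51.100.4","method":"GET","path":"/oauth/idp/.well-known/openid-configuration","host_len":21,"status":200,"sid":null}
{"ts":"2023-10-20T10:00:02Z","src":"203.0.113.9","method":"GET","path":"/oauth/idp/.well-known/openid-configuration","host_len":24812,"status":200,"sid":null}
{"ts":"2023-10-20T10:00:03Z","src":"192.0.2.77","method":"POST","path":"/cgi/login","host_len":21,"status":302,"sid":"S1"}
{"ts":"2023-10-20T10:00:04Z","src":"192.0.2.77","method":"GET","path":"/logon/LogonPoint/index.html","host_len":21,"status":200,"sid":"S1"}
{"ts":"2023-10-20T10:00:05Z","src":"203.0.113.9","method":"GET","path":"/oauth/idp/.well-known/openid-configuration","host_len":24812,"status":200,"sid":null}
{"ts":"2023-10-20T10:00:06Z","src":"203.0.113.9","method":"GET","path":"/logon/LogonPoint/index.html","host_len":21,"status":200,"sid":"S1"}
"""


def parse_log(text):
    """One JSON object per line; blank lines ignored."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def citrix_bleed_candidates(records, host_len_threshold=1024):
    """Count successful requests per source to the vulnerable endpoint with a Host
    header far longer than any hostname. The public exploit used about 24 KB; a
    threshold of 1 KB is already well beyond anything legitimate."""
    hits = defaultdict(int)
    for r in records:
        if (r["path"] == CITRIX_BLEED_PATH
                and r["host_len"] >= host_len_threshold
                and r["status"] == 200):
            hits[r["src"]] += 1
    return dict(hits)


def session_reuse(records):
    """Map each session id to the address that created it at login, and collect any
    other addresses that later presented the same id (the replay of a leaked session)."""
    origin = {}
    for r in records:
        if r["path"] == LOGIN_PATH and r["method"] == "POST" and r["sid"]:
            origin.setdefault(r["sid"], r["src"])
    reused = defaultdict(set)
    for r in records:
        sid = r["sid"]
        if sid and sid in origin and r["src"] != origin[sid]:
            reused[sid].add(r["src"])
    return {sid: {"login_ip": origin[sid], "other_ips": ips} for sid, ips in reused.items()}


def triage(text):
    """Probe sources, replayed sessions, and the intersection that confirms the chain."""
    records = parse_log(text)
    probes = citrix_bleed_candidates(records)
    reuse = session_reuse(records)
    confirmed = {sid: v for sid, v in reuse.items() if v["other_ips"] & set(probes)}
    return {"probe_sources": probes, "hijacked_sessions": reuse, "confirmed": confirmed}


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_LOG), default=sorted, indent=2))
```

The session-replay check matters more than the probe count: the probes may predate log retention, but a session id that first appears in a login from one address and is then presented from another is direct evidence of hijack, and it is the reason the fix for this bug is to patch and then terminate every existing session rather than patch alone.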

Supposedly leaked Boeing data

While Boeing confirmed the cyberattack, it has not divulged specifics of the breach. According to Boeing’s statements, the leaked data does not compromise flight safety. The decision not to pay the ransom also suggests that the stolen data may not be critical to Boeing’s information security or to its clients.

The exposed data allegedly includes names, locations and contact details of Boeing suppliers and distributors across Europe and North America, as well as details about the supported functions within Boeing’s structure, including airframe manufacturing, structural mechanics, and computers and electronics.

Navigating the Aftermath

Boeing’s breach serves as a stark reminder for organizations to reassess their cybersecurity posture continually. The imperative to implement proactive measures, including employee cybersecurity training, network fortification, and timely security patches, is underscored by the evolving tactics of ransomware groups like LockBit.

As Boeing deals with the fallout of this attack, the incident is a call for heightened vigilance across industries. The exposed weaknesses highlight the need for organizations to invest in robust cybersecurity frameworks to mitigate the growing threat landscape, and LockBit’s move against Boeing makes the case for international collaboration against cyber threats more evident than ever.

US Military Emails Leaked Massively Due to the Typo
https://gridinsoft.com/blogs/us-military-emails-leak-typo/
Tue, 18 Jul 2023 20:56:04 +0000
Emails meant for US military addresses have been ending up in similarly named Mali mailboxes because of a one-letter typo in the domain name. It started as an accident, but it could turn into a typosquatting channel for government-grade spying.

Typos In Email Addresses Cause US Military Info Leak

Well, the fact is here: the US military has a large data leak caused by mis-addressed email. How could that happen in a system like that? The US adopted the .MIL domain at the dawn of the Internet era (the Internet itself grew out of a military project). As the Internet expanded, the country of Mali received the top-level domain .ML, just one letter off the military one. You might think such a mistake is too hard to make, but the statistics say otherwise: potentially millions of messages have arrived at the wrong address, and confidential or even classified material may be among them.

The situation began long ago, but was never discussed publicly. Back in 2013, Dutch entrepreneur Johannes Zuurbier noticed the flow of messages going to the non-existent navy.ml and army.ml domains. Even then, before electronic paperwork became ubiquitous, he counted over 115,000 messages in about six months. Most were ordinary spam, though some contained sensitive information. By now the count of such messages is over 10 million.

But how can a Dutchman see the emails coming to another country’s TLD? Mr. Zuurbier is managing director of Mali Dili B.V., which holds a contract with the Malian government to operate the country’s .ml domain zone. He cannot read anyone’s mailbox, but messages sent into the zone that fail to reach an actual recipient remain visible to the zone’s operator.

What kind of data is exposed?

As noted, these messages vary in content. Some are plain spam, some contain nothing interesting, at least without the context of the thread. A few, however, were genuinely compromising. Fortunately, no classified information was found among them.

One example is a soldier’s X-ray tomography results and medical records. Other messages contained lists of staff residing on bases along with their photos, inspection reports, investigations of internal accidents and more. Some disclosed the dates and lodging of senior officers visiting other countries.

Why is the US military information leak so dangerous?

Since this information concerns the US Army, the consequences of it falling into unauthorized hands could be severe, whether or not the recipient intended to get it. Mr. Zuurbier approached US officials several times to get them to react, without effect. The problem is that his contract ends this year, after which control of the domain zone passes to the Malian government. The latter is known for its close cooperation with Russia, whose relations with the US are, to say the least, not at their best.

Moreover, is it ever acceptable to have internal correspondence leak to a third party? It is critical even for corporations and simply unbearable for an organisation like the army. Today these leaks take the form of honest mistakes and do not reach any likely adversary. Once the Mali Dili contract ends, that could change: typosquatting is easy to set up and exploit, especially when a government is interested in gathering information this way.
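The practical control on the sending side is to hold outgoing mail whose recipient domain is one keystroke away from the organisation’s own domains, so a typo is caught before the message leaves. The following added example (not from the page, the DoD or any vendor) implements that check with an edit-distance comparison against a protected domain list; the protected domains, the sample recipients and the decision to hold rather than block are assumptions for this illustration.

```python
"""Added example: hold outbound mail addressed to near-miss domains (army.ml for
army.mil, any .ml for .mil). Protected domains and recipients are constructed."""

# Assumed: the organisation's own mail domains (the .mil side of the story above).
PROTECTED_DOMAINS = {"army.mil", "navy.mil", "af.mil", "mail.mil"}

# Constructed recipients: two fine, one full-domain typo, one near-miss TLD only.
SAMPLE_RECIPIENTS = ["jane@army.mil", "vendor@example.com", "jane.doe@army.ml", "ops@mali.ml"]


def edit_distance(a, b):
    """Levenshtein distance: minimum single-character inserts, deletes and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_recipient(address, protected=PROTECTED_DOMAINS):
    """Return None for an acceptable recipient, otherwise the reasons to hold the message."""
    if address.count("@") != 1:
        return ["malformed address"]
    domain = address.rsplit("@", 1)[1].lower()
    # Our own domains and their subdomains are always fine.
    if domain in protected or domain.endswith(tuple("." + d for d in protected)):
        return None
    reasons = []
    # Rule 1: the whole domain is one edit away from one of ours (army.ml vs army.mil).
    for p in sorted(protected):
        if edit_distance(domain, p) <= 1:
            reasons.append(f"one edit away from protected domain {p}")
    # Rule 2: the top-level domain alone is a near miss (.ml vs .mil), whatever the label.
    tld = domain.rsplit(".", 1)[-1]
    for t in sorted({p.rsplit(".", 1)[-1] for p in protected}):
        if tld != t and edit_distance(tld, t) <= 1:
            reasons.append(f"top-level domain .{tld} is one edit away from .{t}")
    return reasons or None


def screen_outbound(recipients):
    """Map every recipient that should be held for sender confirmation to its reasons."""
    flagged = {}
    for addr in recipients:
        reasons = classify_recipient(addr)
        if reasons:
            flagged[addr] = reasons
    return flagged


if __name__ == "__main__":
    for addr, reasons in screen_outbound(SAMPLE_RECIPIENTS).items():
        print(addr, "->", "; ".join(reasons))
```

The second rule is deliberately broad: it holds every .ml recipient, including legitimate Malian ones, which is why the outcome is a confirmation prompt for the sender rather than a silent drop. Holding is cheap; the alternative, shown by this story, is ten years of mail quietly landing in someone else’s zone.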
