Tag

data breach

Browsing

At first glance, August has been a quiet month for data breaches, with a total of 114,686,290 breached records. That’s about 10 percent of the monthly average coming into the month.

But that figure comes from 95 incidents in total, which is the highest number of breaches we’ve had all year.

Let’s take a look at those breaches in full in our slightly tweaked monthly list. After a reader suggestion last month, we’re also listing the UK-specific incidents in bold. Let us know if you like that change or if you have any other suggestions for future months.

Cyber attacks

 

Ransomware

Data breaches

 

Financial information

Malicious insiders and miscellaneous incidents

In other news…

Source: IT Governance

Remember after last month’s relatively serene cyber security scene we said this wasn’t the beginning of the GDPRevolution?

July was bound to be a bounce-back month, but we couldn’t have expected the frighteningly high total of 2,359,114,047 breached records.

Granted, a big chunk of those come from a single incident – a mammoth breach involving a Chinese smart tech supplier – but as unimaginative football commentators say, ‘they all count’.

Let’s take a look at the full list:

Cyber attacks


Ransomware


Data breaches

Financial information

Malicious insiders and miscellaneous incidents

Source: IT Governance

Capital One Financial Corp. announced late Monday that more than 100 million people had their personal information hacked.

The hacker got information including credit scores and balances, plus the Social Security numbers of about 140,000 customers and 80,000 bank-account numbers from credit-card customers, the bank said. It will offer free credit-monitoring services to those affected. The hack affected about 100 million people in the U.S. and 6 million in Canada.

Capital One couldn’t say for sure whether the leaked data was used for fraud. It first heard about the hack on July 19, but waited until July 29 to inform customers. Over that time, it sought help from law enforcement.

The hacker also stole the names, addresses, phone numbers, dates of birth, credit scores and other financial data, Capital One COF, -1.18%   said. The company couldn’t say for sure whether the leaked data was used for fraud. It first heard about the hack on July 19, but waited until July 29 to inform customers; it sought help from law enforcement to catch the alleged perpetrator.

Two years after Equifax EFX, +0.27%  revealed that hackers accessed the personal information of up to 147 million people, the credit bureau recently announced a settlement for up to $700 million, including $425 million in relief for those who have been affected, although there are some key requirementspeople should be aware of before they file a claim.

Last year, Facebook FB, -1.91%  announced that U.K.-based Cambridge Analytica improperly accessed 87 million Facebook users’ data. Facebook Chief Executive Mark Zuckerberg testified before Congress and vowed to do more to fix the problem, and help make sure that nothing like that happens again. Cambridge Analytica closed down in the wake of the scandal. Earlier this month, the Federal Trade Commission fined Facebook $5 billion.

Don’t miss: A worrying theory after Equifax and Facebook settlements — aggregated data is NOT enough to protect your privacy

WhatsApp, the messaging and audio app owned by Facebook, announced last May that hackers were able to install spyware on Android smartphones and AppleAAPL, +0.93%  iPhones. “The attack has all the hallmarks of a private company reportedly that works with governments to deliver spyware that takes over the functions of mobile phone operating systems,” it said at the time.

More than 57 million customers of Uber UBER, -1.44%  had their data exposed by a massive hack in October 2016. Uber fired its chief security officer, Joe Sullivan, and one of his deputies for concealing the hack, which included the email addresses of 50 million Uber riders around the world. The revelation was made a year after the attack. It also affected 7 million drivers.

Be on your toes after a major hack or data breach. Consumers should never give out personal details over the telephone, even if the caller seems to represent Capital One or the email appears to be from a Capital One email address.

Be on your toes after a major hack or data breach. Consumers should never give out personal details over the telephone, even if the caller seems to represent Capital One or the email appears to be from a Capital One address. Consumers need to be careful whenever they are contacted by an unsolicited caller. Hang up and call the number on your card. “Phishing” scams — calls, emails or text messages that appear to offer protection — are actually trying to get more data from customers.

Security experts generally recommend never re-using security passwords and say people should use two-factor authentication on their phones, which requires a user to put a code sent to a phone or email into an app or website in order to log in from a new device or to change a password. They also say those affected by such hacks should freeze their credit report.

Don’t be pawned off by an offer of credit monitoring. Credit monitoring only looks for changes on a credit report, indicating that someone is using your personal information to open new accounts in your name. Here’s the bad news: Such security precautions would not help people protect against a data breach like the one Capital One announced Monday evening. Exposure of data that can’t be changed, such as Social Security numbers, are the hallmarks of particularly severe data breaches.

Here’s what else you should do now:

1. Check if your accounts have been affected

There still aren’t many formal ways to check if your data has been compromised in a breach. Often, the company will alert affected customers, but they aren’t required to. Some states, like California, have laws requiring companies to disclose data breaches that affect a certain number of customers, and the Federal Trade Commission has discussed proposing similar regulations. Consumers can also monitor their credit report to shut down fraudulent activity as quickly as possible.

2. Know the difference between a credit freeze and a lock

A freeze means that a consumer cannot take out a new loan or credit card without “unfreezing” the report first, but also prevents a hacker from taking out a loan in your name. Credit agencies also offer a service called credit “locking,” which offers the same protections as a freeze, but typically cost a monthly fee. Contact Equifax, Experian EXPN, +1.53%  and TransUnion TRU, -1.34%  to request a freeze.

3. Sign up for additional fraud protection

Those affected should sign up for services that go beyond typical credit freezing and alert services, such as LifelockEZ Shield and Identity Guard. The most basic version of Lifelock costs $9.99 per month and provides benefits including address change verification, help canceling or replacing lost credit cards, driver’s licenses, Social Security cards and insurance cards, plus a “restoration team” that helps correct any identity-theft issues and black-market website surveillance.

4. Know the difference between a hack and a breach

A breach is when data is unintentionally left unsecured and vulnerable to hacking, as a result of malicious activity or from negligence. A hack specifically refers to the activities of cyber attackers who purposely compromise IT infrastructure to steal information or to hold systems ransom; that’s what happened with Capital One. If your data was part of a breach, it’s possible it was just left exposed online and was not stolen.

Source: Market Watch

After a rampant start to the year for data breaches and cyber attacks, it’s about time we went one month without at least one massive security incident.

June 2019’s total of 39,713,046 breached records is the lowest since May last year – the month that the GDPR (General Data Protection Regulation) came into effect.

Is this the start of the long-awaited ‘GDPR bounce’? We doubt it, but it’s certainly a step in the right direction.

Here’s a full list of every incident in the month of June:

Cyber attacks

Ransomware

Data breaches

Financial information

Malicious insiders and miscellaneous incidents

In other news…

Source: IT Governance

 

How Equifax neglected cybersecurity and suffered  a devastating data breach

Credits:  Connor Lechleitner

The cyber security story for May 2019 is much the same as it was last month, with one mammoth breach raising the monthly total.

The offender this time is the First American Financial Corp., which breached sixteen years’ worth of insurance data. That incident accounted for more than 60% of all of May’s breached records.

In total, at least 1,389,463,242 records were compromised. That brings the annual running total to 7.28 billion and reduces the monthly average to 1.44 billion.

Cyber attacks

Ransomware

Data breaches

Financial information

Malicious insiders and miscellaneous incidents

In other news…

Source: IT Governance

New York (CNN Business)Binance, a major cryptocurrency exchange, says hackers stole more than $40 million worth of bitcoin from its customers.

The Taiwan-based company, one of the world’s largest crypto exchanges, announced that it discovered a “large scale security breach” Tuesday. It said hackers stole 7,000 bitcoins in one transaction. One bitcoin trades at nearly $6,000.
“The hackers used a variety of techniques, including phishing, viruses and other attacks,” CEO Changpeng Zhao wrote in the statement. He said the company continues to investigate the breach.
Zhao explained that the hackers waited for the best time to conduct their operation, but he didn’t clarify specifically how the hack went undetected.
“The transaction is structured in a way that passed our existing security checks,” he said. “Once executed, the withdrawal triggered various alarms in our system. We stopped all withdrawals immediately after that.”
The stolen bitcoin (XBT) will be reimbursed through Binance’s secure asset fund, emergency insurance available in case of a breach. Binance warned that other accounts could be affected.
Binance also temporarily suspended deposits and withdrawals, but it said bitcoin trading can continue. A security review of the incident will take at least a week.
“We beg for your understanding in this difficult situation,” Zhao wrote.
The hack is coming during a time when bitcoin is hot once again. Bitcoin prices have surged nearly 60% this year after plunging almost 75% in 2018
Source: CNN

We would’ve been talking about an extraordinarily low number of breached records this month if it hadn’t been for a string of incidents in India, another Facebook gaffe and a massive blunder in China, in which a series of companies exposed almost 600 million citizens’ CVs.

Still, April 2019 saw a not completely disastrous 1,334,488,724 breached records. That’s better than last month, bringing the annual total to 5.64 billion and reducing the monthly average to 1.46 billion.

Here’s the list in full:

Cyber attacks

Ransomware

Data breaches

Financial information

Malicious insiders and miscellaneous incidents

In other news…

Source: IT Governanace

There’s a new compiler at the helm of our monthly list of data breaches, following the departure of IT Governance stalwart Lewis Morgan, who leaves me with some mighty big shoes to fill.

Fortunately – or, rather, unfortunately ­– the new regime has a familiar ring to it, with another mammoth list of data breaches. By our count, there were at least 2,100,480,045 records compromised in March.

That brings the 2019 running total to 4.53 billion, and raises the monthly average to 1.52 billion.

Here’s the list in full:

Cyber attacks

Ransomware

*Not included in the total number of records, as they are part of the 1.2 million records affected in the already-reported Wolverine Solutions incident.

Data breaches

Financial information

Malicious insiders and miscellaneous incidents

In other news…

Source: IT Governance

You may have noticed this happening more and more lately: Online accounts get taken over in droves, but the companies insist that their systems haven’t been compromised. It’s maddening, but in many cases, technically they’re right. The real culprit is a hacker technique known as “credential stuffing.”

The strategy is pretty straightforward. Attackers take a massive trove of usernames and passwords (often from a corporate megabreach) and try to “stuff” those credentials into the login page of other digital services. Because people often reuse the same username and password across multiple sites, attackers can often use one piece of credential info to unlock multiple accounts. In the last few weeks alone, Nest, Dunkin’ Donuts, OkCupid, and the video platform DailyMotion have all seen their users fall victim to credential stuffing.

“With all of the massive credential dumps that have happened over the past few years, credential stuffing has become a serious threat to online services,” says Crane Hassold, a threat intelligence manager at the digital fraud defense firm Agari. “Most people don’t change their passwords regularly, so even older credential dumps can be used with relative success. And since password reuse is rampant, cybercriminals will generally test a set of credentials against numerous different websites.”

Credential Craze

Credential stuffing has been a problem for years now, as troves of credentials from seminal breaches like LinkedIn and Dropbox in 2012 and Myspace in 2013 have been used—to great effect!—in countless credential stuffing campaigns. But one trend in particular has fueled a recent rise in successful campaigns.

Recently hackers have posted more gigantic, aggregated credential collections that comprise multiple data breaches. One of the most wild recent examples is known as Collection #1-5, a “breach of breaches” that totaled 2.2 billion unique username and password combinations, all available to download in plaintext—for free.

THE WIRED GUIDE TO DATA BREACHES

“With Collections 1 through 5 we have actually seen spikes in credential stuffing recently, immediately after that news came out,” says Shuman Ghosemajumder, chief technical officer at the corporate digital fraud defense firm Shape Security. “In fact, we saw some of the largest credential stuffing attacks across several customers in just that week. And that makes sense because you’ve got all these plaintext usernames and passwords available through a torrent. It democratizes credential stuffing.”

The Collection credentials are mostly a few years old, meaning many were already in broad circulation and not worth much. But over the last week, another outlandish trove has provided exactly the type of fresh, high-quality credentials hackers cherish. Posted on the Dream Market dark web marketplace, the collection includes a total of roughly 841 million records, released in three batches, from 32 web services, including MyFitnessPal, MyHeritage, Whitepages, and the file-sharing platform Ge.tt. The first part of the dump costs about $20,000 in bitcoin, the second about $14,500, and the third roughly $9,350. A few of the breaches don’t include passwords, and some that do are protected by cryptographic scrambling that buyers will need to decode, but overall these are top-shelf troves ripe for use in credential stuffing.

Hot Stuff

As you’ve probably guessed, credential stuffing relies on automation; hackers aren’t literally typing in hundreds of millions of credential pairs across hundreds of sites by hand. Credential stuffing attacks also can’t try massive numbers of logins on a site with all the tries coming from the same IP address, because web services have basic rate-limiting protections in place to block floods of activity that could be destabilizing.

So hackers use credential stuffing tools, available on malicious platforms, to incorporate “proxy lists” to bounce the requests around the web and make them look like they’re coming from all different IP addresses. They can also manipulate properties of the login requests to make it look like they come from a diverse array of browsers, because most websites will flag large amounts of traffic all coming from the same type of browser as suspicious. Credential stuffing tools will even offer integrations with platforms built to defeat Captchas.

Credential stuffing campaigns ultimately try to get the malicious requests to blend into the noise of all the legitimate logins happening on a service at any given time, or “simulate the activity of a large population of humans,” as Shape Security’s Ghosemajumder puts it.

It also requires patience; Shape estimates that typically attackers find matches between their test credentials and an account on the platform they are attacking 0.1 to 2 percent of the time. This is why attackers need hundreds of thousands or millions of credential pairs to make credential stuffing attacks worth it. And once they’ve gotten into some accounts, attackers still need a way to monetize what they find there—either by stealing more personal data, money, gift card balances, credit card numbers, and so on—to make the whole thing worthwhile.

Stuff It

Th best way to protect against credential stuffing attacks is to use unique passwords for each of your digital accounts—ideally by using a password manager—and turn on two-factor authentication when it’s available. But it’s not entirely on you. Companies, too, are increasingly attempting to detect and block credential stuffing attempts. And some like Google (which also owns Nest) have started initiatives to proactively check whether users’ account credentials have been compromised in breaches and trigger password resets if they discover a match. But the trick is to do all of this without blocking or hindering legitimate activity.

One strategy companies can deploy is to track logins that ultimately result in fraud, then blacklist the associated IP address. Over time, this can erode the effectiveness of the proxy lists attackers rely on to mask their mass login attempts. This doesn’t completely stop credential stuffing, but does make it more difficult and potentially costly for hackers to carry out the attacks. Services whose users are mainly in specific geographic regions can also establish geofences, blocking proxy traffic that comes in from elsewhere in the world. Once again, though, attackers can ultimately adapt to this restriction as well by switching to using proxy IPs within those areas.

A recent credential stuffing attack against the productivity and project management service Basecamp helps illustrate the problem. The company reported recently that it had faced 30,000 malicious login attempts from a diverse set of IP addresses in a single hour. The company began blocking the IPs as quickly as possible, but needed to implement a Captcha to ultimately end the attack. When the barrage died down, Basecamp found that the attackers had only succeeded in penetrating 124 accounts; the company quickly reset those account passwords to revoke the attackers’ access.

Many companies aren’t as prepared to handle the scale of the credential stuffing threat. Shape Security’s Ghosemajumder says that it’s pretty typical at this point for corporate clients to see 90 percent of their logins come from malicious attacks. He has even worked with customers who deal with credential stuffing in 99.9 percent of login attempts to their service. And while credential dumps from leaks and breaches are the primary fuel for these attacks, criminals can also diversify their approach by using credential pairs gathered from phishing attacks.

“Most credential stuffing uses information obtained from the major data breaches,” Agari’s Hassold says. “But over the past few years there has been a shift in the credential phishing landscape to target generic account credentials that are then ‘stuffed’ into a number of different websites.”

Though it is frustrating when companies insist that they haven’t been breached and deny responsibility for protecting their users from credential stuffing attacks, the truth is that service providers don’t have a foolproof way of defending against this threat. As Basecamp’s CTO and co-founder David Heinemeier Hansson put it after the service’s recent incident, “Our ops team will continue to monitor and fight any future attacks. … But if someone has your username and password, and you don’t have 2FA protection, there are limits to how effective this protection can be.”

For such a simple technique, credential stuffing is frustratingly difficult to quash. So keep your passwords as diverse as possible and use two-factor whenever you can. And complain loudly on social media about any web service that isn’t offering it.

Source:  Wired