data breach


The cyber security story for May 2019 is much the same as it was last month, with one mammoth breach raising the monthly total.

The offender this time is the First American Financial Corp., which breached sixteen years’ worth of insurance data. That incident accounted for more than 60% of all of May’s breached records.

In total, at least 1,389,463,242 records were compromised. That brings the annual running total to 7.28 billion and reduces the monthly average to 1.44 billion.

Cyber attacks


Data breaches

Financial information

Malicious insiders and miscellaneous incidents

In other news…

Source: IT Governance

New York (CNN Business)Binance, a major cryptocurrency exchange, says hackers stole more than $40 million worth of bitcoin from its customers.

The Taiwan-based company, one of the world’s largest crypto exchanges, announced that it discovered a “large scale security breach” Tuesday. It said hackers stole 7,000 bitcoins in one transaction. One bitcoin trades at nearly $6,000.
“The hackers used a variety of techniques, including phishing, viruses and other attacks,” CEO Changpeng Zhao wrote in the statement. He said the company continues to investigate the breach.
Zhao explained that the hackers waited for the best time to conduct their operation, but he didn’t clarify specifically how the hack went undetected.
“The transaction is structured in a way that passed our existing security checks,” he said. “Once executed, the withdrawal triggered various alarms in our system. We stopped all withdrawals immediately after that.”
The stolen bitcoin (XBT) will be reimbursed through Binance’s secure asset fund, emergency insurance available in case of a breach. Binance warned that other accounts could be affected.
Binance also temporarily suspended deposits and withdrawals, but it said bitcoin trading can continue. A security review of the incident will take at least a week.
“We beg for your understanding in this difficult situation,” Zhao wrote.
The hack is coming during a time when bitcoin is hot once again. Bitcoin prices have surged nearly 60% this year after plunging almost 75% in 2018
Source: CNN

We would’ve been talking about an extraordinarily low number of breached records this month if it hadn’t been for a string of incidents in India, another Facebook gaffe and a massive blunder in China, in which a series of companies exposed almost 600 million citizens’ CVs.

Still, April 2019 saw a not completely disastrous 1,334,488,724 breached records. That’s better than last month, bringing the annual total to 5.64 billion and reducing the monthly average to 1.46 billion.

Here’s the list in full:

Cyber attacks


Data breaches

Financial information

Malicious insiders and miscellaneous incidents

In other news…

Source: IT Governanace

There’s a new compiler at the helm of our monthly list of data breaches, following the departure of IT Governance stalwart Lewis Morgan, who leaves me with some mighty big shoes to fill.

Fortunately – or, rather, unfortunately ­– the new regime has a familiar ring to it, with another mammoth list of data breaches. By our count, there were at least 2,100,480,045 records compromised in March.

That brings the 2019 running total to 4.53 billion, and raises the monthly average to 1.52 billion.

Here’s the list in full:

Cyber attacks


*Not included in the total number of records, as they are part of the 1.2 million records affected in the already-reported Wolverine Solutions incident.

Data breaches

Financial information

Malicious insiders and miscellaneous incidents

In other news…

Source: IT Governance

You may have noticed this happening more and more lately: Online accounts get taken over in droves, but the companies insist that their systems haven’t been compromised. It’s maddening, but in many cases, technically they’re right. The real culprit is a hacker technique known as “credential stuffing.”

The strategy is pretty straightforward. Attackers take a massive trove of usernames and passwords (often from a corporate megabreach) and try to “stuff” those credentials into the login page of other digital services. Because people often reuse the same username and password across multiple sites, attackers can often use one piece of credential info to unlock multiple accounts. In the last few weeks alone, Nest, Dunkin’ Donuts, OkCupid, and the video platform DailyMotion have all seen their users fall victim to credential stuffing.

“With all of the massive credential dumps that have happened over the past few years, credential stuffing has become a serious threat to online services,” says Crane Hassold, a threat intelligence manager at the digital fraud defense firm Agari. “Most people don’t change their passwords regularly, so even older credential dumps can be used with relative success. And since password reuse is rampant, cybercriminals will generally test a set of credentials against numerous different websites.”

Credential Craze

Credential stuffing has been a problem for years now, as troves of credentials from seminal breaches like LinkedIn and Dropbox in 2012 and Myspace in 2013 have been used—to great effect!—in countless credential stuffing campaigns. But one trend in particular has fueled a recent rise in successful campaigns.

Recently hackers have posted more gigantic, aggregated credential collections that comprise multiple data breaches. One of the most wild recent examples is known as Collection #1-5, a “breach of breaches” that totaled 2.2 billion unique username and password combinations, all available to download in plaintext—for free.


“With Collections 1 through 5 we have actually seen spikes in credential stuffing recently, immediately after that news came out,” says Shuman Ghosemajumder, chief technical officer at the corporate digital fraud defense firm Shape Security. “In fact, we saw some of the largest credential stuffing attacks across several customers in just that week. And that makes sense because you’ve got all these plaintext usernames and passwords available through a torrent. It democratizes credential stuffing.”

The Collection credentials are mostly a few years old, meaning many were already in broad circulation and not worth much. But over the last week, another outlandish trove has provided exactly the type of fresh, high-quality credentials hackers cherish. Posted on the Dream Market dark web marketplace, the collection includes a total of roughly 841 million records, released in three batches, from 32 web services, including MyFitnessPal, MyHeritage, Whitepages, and the file-sharing platform Ge.tt. The first part of the dump costs about $20,000 in bitcoin, the second about $14,500, and the third roughly $9,350. A few of the breaches don’t include passwords, and some that do are protected by cryptographic scrambling that buyers will need to decode, but overall these are top-shelf troves ripe for use in credential stuffing.

Hot Stuff

As you’ve probably guessed, credential stuffing relies on automation; hackers aren’t literally typing in hundreds of millions of credential pairs across hundreds of sites by hand. Credential stuffing attacks also can’t try massive numbers of logins on a site with all the tries coming from the same IP address, because web services have basic rate-limiting protections in place to block floods of activity that could be destabilizing.

So hackers use credential stuffing tools, available on malicious platforms, to incorporate “proxy lists” to bounce the requests around the web and make them look like they’re coming from all different IP addresses. They can also manipulate properties of the login requests to make it look like they come from a diverse array of browsers, because most websites will flag large amounts of traffic all coming from the same type of browser as suspicious. Credential stuffing tools will even offer integrations with platforms built to defeat Captchas.

Credential stuffing campaigns ultimately try to get the malicious requests to blend into the noise of all the legitimate logins happening on a service at any given time, or “simulate the activity of a large population of humans,” as Shape Security’s Ghosemajumder puts it.

It also requires patience; Shape estimates that typically attackers find matches between their test credentials and an account on the platform they are attacking 0.1 to 2 percent of the time. This is why attackers need hundreds of thousands or millions of credential pairs to make credential stuffing attacks worth it. And once they’ve gotten into some accounts, attackers still need a way to monetize what they find there—either by stealing more personal data, money, gift card balances, credit card numbers, and so on—to make the whole thing worthwhile.

Stuff It

Th best way to protect against credential stuffing attacks is to use unique passwords for each of your digital accounts—ideally by using a password manager—and turn on two-factor authentication when it’s available. But it’s not entirely on you. Companies, too, are increasingly attempting to detect and block credential stuffing attempts. And some like Google (which also owns Nest) have started initiatives to proactively check whether users’ account credentials have been compromised in breaches and trigger password resets if they discover a match. But the trick is to do all of this without blocking or hindering legitimate activity.

One strategy companies can deploy is to track logins that ultimately result in fraud, then blacklist the associated IP address. Over time, this can erode the effectiveness of the proxy lists attackers rely on to mask their mass login attempts. This doesn’t completely stop credential stuffing, but does make it more difficult and potentially costly for hackers to carry out the attacks. Services whose users are mainly in specific geographic regions can also establish geofences, blocking proxy traffic that comes in from elsewhere in the world. Once again, though, attackers can ultimately adapt to this restriction as well by switching to using proxy IPs within those areas.

A recent credential stuffing attack against the productivity and project management service Basecamp helps illustrate the problem. The company reported recently that it had faced 30,000 malicious login attempts from a diverse set of IP addresses in a single hour. The company began blocking the IPs as quickly as possible, but needed to implement a Captcha to ultimately end the attack. When the barrage died down, Basecamp found that the attackers had only succeeded in penetrating 124 accounts; the company quickly reset those account passwords to revoke the attackers’ access.

Many companies aren’t as prepared to handle the scale of the credential stuffing threat. Shape Security’s Ghosemajumder says that it’s pretty typical at this point for corporate clients to see 90 percent of their logins come from malicious attacks. He has even worked with customers who deal with credential stuffing in 99.9 percent of login attempts to their service. And while credential dumps from leaks and breaches are the primary fuel for these attacks, criminals can also diversify their approach by using credential pairs gathered from phishing attacks.

“Most credential stuffing uses information obtained from the major data breaches,” Agari’s Hassold says. “But over the past few years there has been a shift in the credential phishing landscape to target generic account credentials that are then ‘stuffed’ into a number of different websites.”

Though it is frustrating when companies insist that they haven’t been breached and deny responsibility for protecting their users from credential stuffing attacks, the truth is that service providers don’t have a foolproof way of defending against this threat. As Basecamp’s CTO and co-founder David Heinemeier Hansson put it after the service’s recent incident, “Our ops team will continue to monitor and fight any future attacks. … But if someone has your username and password, and you don’t have 2FA protection, there are limits to how effective this protection can be.”

For such a simple technique, credential stuffing is frustratingly difficult to quash. So keep your passwords as diverse as possible and use two-factor whenever you can. And complain loudly on social media about any web service that isn’t offering it.

Source:  Wired

A possible compromise of servers where NASA stored data on current and former employees may have given hackers access to social security numbers (SSN) and personally identifiable information (PII).

The incident occurred on or before October 23, when NASA cybersecurity team started to look into a possible server breach. Immediate action secured the machines and the data they stored.


Last Friday, Marriott sent out millions of emails warning of a massive data breach — some 500 million guest reservations
had been stolen from its Starwood database.

One problem: the email sender’s domain didn’t look like it came from Marriott at all.

Marriott sent its notification email from “email-marriott.com,” which is registered to a third party firm, CSC, on behalf of the hotel chain giant. But there was little else to suggest the email was at all legitimate — the domain doesn’t load or have an identifying HTTPS certificate. In fact, there’s no easy way to check that the domain is real, except a buried note on Marriott’s data breach notification site that confirms the domain as legitimate.

But what makes matters worse is that the email is easily spoofable.

Often what happens after a data breach, scammers will capitalize on the news cycle by tricking users into turning over their private information with their own stream of fake messages and websites. It’s more common than you think. People who think they’re at risk after a breach are more susceptible to being duped.

Companies should host any information on their own websites and verified social media pages to stop bad actors from hijacking victims for their own gain. But once you start setting up your own dedicated, off-site page with its unique domain, you have to consider the cybersquatters — those who register similar-looking domains that look almost the same.

Take “email-marriot.com.” To the untrained eye, it looks like the legitimate domain — but many wouldn’t notice the misspelling. Actually, it belongs to Jake Williams, founder of Rendition Infosec, to warn users not to trust the domain.

“I registered the domains to make sure that scammers didn’t register the domains themselves,” Williams told TechCrunch. “After the Equifax  breach, it was obvious this would be an issue, so registering the domains was just a responsible move to keep them out of the hands of criminals.”

Equifax, the biggest breach of last year, made headlines not only for its eye-watering hack, but its shockingly bad response. It, too, set up a dedicated site for victims — “equifaxsecurity2017.com” — but even the company’s own Twitter staff were confused, and inadvertently sent concerned victims to “securityequifax2017.com” — a fake site set up by developer Nick Sweeting to expose the company’s vulnerable incident response.

With the Equifax breach not even a distant memory, Marriott has clearly learned nothing from the response.

Many others have sounded the alarm on Marriott’s lackluster data breach response. Security expert Troy Hunt,  who founded data breach notification site Have I Been Pwned, posted a long tweet thread on the hotel chain giant’s use of the problematic domain. As it happens, the domain dates back at least to the start of this year when Marriott used the domain to ask its users to update their passwords.

Williams isn’t the only one who’s resorted to defending Marriott customers from cybercriminals. Nick Carr, who works at security giant FireEye, registered the similarly named “email-mariott.com” on the day of the Marriott breach.

“Please watch where you click,” he wrote on the site. “Hopefully this is one less site used to confuse victims.” Had Marriott just sent the email from its own domain, it wouldn’t be an issue.

A spokesperson for Marriott did not respond to a request for comment.

Source: Tech Crunch