We would’ve been talking about an extraordinarily low number of breached records this month if it hadn’t been for a string of incidents in India, another Facebook gaffe and a massive blunder in China, in which a series of companies exposed almost 600 million citizens’ CVs.
Still, April 2019 saw a not completely disastrous 1,334,488,724 breached records. That’s better than last month, bringing the annual total to 5.64 billion and reducing the monthly average to 1.46 billion.
Here’s the list in full:
- Criminal accesses personal data of faculty staff and students at Georgia Tech(1.3 million)
- Bangladesh Oil, Gas and Mineral Corporation’s website hacked hours after recovering from previous attack (unknown)
- Australian Signals Directorate confirms data was stolen in parliament IT breach(unknown)
- Massachusetts hospital caught in phishing scam (12,000)
- Hacker breached Minnesota state agency email (11,000)
- South Carolina’s Palmetto Health discloses phishing attack dating back to 2018(23,811)
- Phishing scam exposes personal data at Florida’s Clearway Pain Solutions Institute (35,000)
- Customer data stolen as website of Japanese luxury railway hit by cyber attack(8,000)
- Dakota County, MN, discloses breach after an employee’s email is hacked(1,000)
- Blue Cross of Idaho notifies members of privacy breach after thwarting financial fraud (5,600)
- Texas’s Questcare Medical Services investigating business email compromise attack (unknown)
- Ontario’s Stratford City Hall recovers from cyber attack (unknown)
- IT outsourcing and consulting giant Wipro hacked (unknown)
- Texas-based Metrocare Services discloses second breach in five months (5,290)
- California-based Centrelake Medical Group notifies patients of security incident(unknown)
- North Carolina’s Klaussner Furniture Industries notifies employees of security incident (9,352)
- Customers at US fast food retailer Chipotle say their accounts have been hacked (unknown)
- Minnesota’s Riverplace Counseling Center notifies patients after malware infection (11,639)
- Hacktivists attack UK police sites to protest arrest of Julian Assange (unknown)
- Texas-based EmCare says patient and employee data has been hacked (60,000)
- Idaho-based bodybuilding.com discloses employee-related data breach(unknown)
- Illinois dental insurer notifies members after phishing attack (unknown)
- Attackers breached Docker Hub, grabbed keys and tokens (190,000)
- Atlanta’s Woodruff Arts Center shuts down network amid security breach(unknown)
- University of Alaska discloses data breach that occurred more than a year ago(unknown)
- Magecart hackers steal data from Atlanta Hawks’ online shop (unknown)
- Genesee County, MI, government suffers ‘aggressive’ ransomware attack(unknown)
- Ransomware attack affects Women’s Health Care Group of PA (300,000)
- Greenville, NC, government’s systems knocked out by ransomware (unknown)
- Ransomware attack hits Garfield County, UT (unknown)
- Augusta, ME, hit by ransomware, forcing City Center to close (unknown)
- New Jersey-based paediatric orthopaedic surgeon hit by ransomware (unknown)
- Ransomware at Florida’s Stuart City Hall “more than likely” caused by phishing(unknown)
- Massachusetts-based medical billing services notifies patients of ransomware attack (unknown)
- Idaho’s Sugar-Salem School District 322 hit by ransomware during ISAT testing(unknown)
- Ransomware disables Cleveland airport’s email systems, information screens(unknown)
- Indian government leaves healthcare database exposed on web (12.5 million)
- West Yorkshire council data leak leaves couple who adopted abused children living in fear (2)
- History repeats itself as Facebook third-party apps expose users’ personal data(540 million)
- Canadian pension firm loses microfiche containing personal data (unknown)
- Crook swipes Winnipeg Regional Health Authority employee’s bag; patients’ records taken (75)
- VoterVoice exposes database containing ‘treasure trove’ of personal data(300,000)
- Ohio government accidentally leaks information of those seeking job, family services and health aid (993)
- Chinese companies responsible for massive data breach of CVs (590 million)
- Texas’s Weslaco Regional Rehabilitation Hospital discloses data breach(unknown)
- Russian hospital dumps medical waste, sensitive data in landfill site (unknown)
- UK’s Home Office sorry for EU citizen data breach (240)
- Pennsylvania’s Community College of Allegheny County discloses data breach(unknown)
- Patients at Toledo, OH, rehab hospital subject to data breach (unknown)
- Washington state-based RS Medical discloses incident that may have compromised patient information (unknown)
- Athens, OH, rehabilitation centre notifies patients after unauthorised access to network (20,485)
- Sensitive data found on hard disks may be India’s largest ever data breach (78 million)
- California-based LD Evans says it has only just learned about 2018’s Citrix vulnerability (631)
- India’s JustDial service is breaching users’ personal data in real time (100 million)
- Drug addicts’ personal data found in rehab centres’ unexposed databases (4.91 million)
- Researcher uncovers exposed personal data from Iranian ride-hailing app(6,772,269)
- Pennsylvania-based Partners for Quality discloses data breach (3,673)
- US health provider Inmediata discovers patients’ information was exposed on the web (unknown)
- ‘Horrendous’ privacy breach at Australia’s Centrelink sees clients’ names published on Facebook (unknown)
- Personal data of employees at Lauderdale County, MS, emailed to colleagues(100)
- US consumer commission warns of data breach affecting safety information(unknown)
- Almost $500,000 swiped in Tallahassee, FL, payroll hack (unknown)
- AeroGrow says hackers stole months of credit card data (unknown)
- Florida-based United Way of the Big Bend says tax payers’ info was stolen (64)
- KPMG faces fine of up to $1.6 million after leaking payroll data (41)
Malicious insiders and miscellaneous incidents
- Former IT aide to New Hampshire senator caught keylogging (unknown)
- Employee at Cleveland’s University Hospital accidentally shared patients’ health info (840)
- University of Toledo counsellor fired after allegedly disclosing a student’s PTSD(1)
- Maine’s Acadia Hospital mistakenly release confidential information of Suboxone patients (300)
- Employee at California’s St. Boniface Hospital “inappropriately” viewed patient records (38)
In other news…
- USB stick containing sensitive data (and the movie Gone Girl) discovered during manslaughter trial (6,385)
- Barking resident jailed for blackmailing porn watchers (unknown)
- Source code of Iranian cyber-espionage tools leaked on Telegram (unknown)
- Supply chain hackers snuck malware into video games (unknown)
Source: IT Governanace
Cybersecurity issues are becoming a day-to-day struggle for businesses. Trends show a huge increase in hacked and breached data from sources that are increasingly common in the workplace, like mobile and IoT devices.
Additionally, recent research suggests that most companies have unprotected data and poor cybersecurity practices in place, making them vulnerable to data loss.
We’ve compiled 60 cybersecurity statistics to give you a better idea of the current state of overall security, and paint a picture of how potentially dire leaving your company unsecure can be.
Data Breaches by the Numbers
The increasing amount of large-scale, well-publicized breaches suggests that not only are the number of security breaches going up — they’re increasing in severity, as well.
- In 2016, 3 billion Yahoo accounts were hacked in one of the biggest breaches of all time. (Oath.com)
- In 2016, Uber reported that hackers stole the information of over 57 million riders and drivers. (Uber)
- In 2017, 412 million user accounts were stolen from Friendfinder’s sites. (LeakedSource)
- In 2017, 147.9 million consumers were affected by the Equifax Breach. (Equifax)
- According to 2017 statistics, there are over 130 large-scale, targeted breaches in the U.S. per year, and that number is growing by 27 percent per year. (Accenture)
- Thirty-one percent of organizations have experienced cyber attacks on operational technology infrastructure. (Cisco)
- 100,000 groups in at least 150 countries and more than 400,000 machines were infected by the Wannacry virus in 2017, at a total cost of around $4 billion. (Malware Tech Blog)
- Attacks involving cryptojacking increased by 8,500 percent in 2017. (Symantec)
- In 2017, 5.4 billion attacks by the WannaCry virus were blocked. (Symantec)
- There are around 24,000 malicious mobile apps blocked every day. (Symantec)
- In 2017, the average number of breached records by country was 24,089. The nation with the most breaches annually was India with over 33k files; the US had 28.5k. (Ponemon Institute’s 2017 Cost of Data Breach Study)
- In 2018, Under Armor reported that its “My Fitness Pal” was hacked, affecting 150 million users. (Under Armor)
- Between January 1, 2005 and April 18, 2018 there have been 8,854 recorded breaches. (ID Theft Resource Center)
Average expenditures on cybercrime are increasing dramatically, and costs associated with these crimes can be crippling to companies who have not made cybersecurity part of their regular budget.
- In 2017, cyber crime costs accelerated with organizations spending nearly 23 percent more than 2016 — on average about $11.7 million. (Accenture)
- The average cost of a malware attack on a company is $2.4 million. (Accenture)
- The average cost in time of a malware attack is 50 days. (Accenture)
- From 2016 to 2017 there was an 22.7 percentage increase in cybersecurity costs. (Accenture)
- The average global cost of cyber crime increased by over 27 percent in 2017. (Accenture)
- The most expensive component of a cyber attack is information loss, which represents 43 percent of costs. (Accenture)
- Ransomware damage costs exceed $5 billion in 2017, 15 times the cost in 2015. (CSO Online)
- The Equifax breach cost the company over $4 billion in total. (Time Magazine)
- The average cost per lost or stolen records per individual is $141 — but that cost varies per country. Breaches are most expensive in the United States ($225) and Canada ($190). (Ponemon Institute’s 2017 Cost of Data Breach Study)
- In companies with over 50k compromised records, the average cost of a data breach is $6.3 million. (Ponemon Institute’s 2017 Cost of Data Breach Study)
- Including turnover of customers, increased customer acquisition activities, reputation losses and diminished goodwill the cost of lost business globally was highest for U.S. companies at $4.13 million per company. (Ponemon Institute’s 2017 Cost of Data Breach Study)
- Damage related to cybercrime is projected to hit $6 trillion annually by 2021. (Cybersecurity Ventures)
Cybersecurity Facts and Figures
It’s crucial to have a grasp on the general landscape of metrics surrounding cybersecurity issues, including what the most common types of attacks are and where they come from.
- Ransomware detections have been more dominant in countries with higher numbers of internet-connected populations. The United States ranks highest with 18.2 percent of all ransomware attacks. (Symantec)
- Trojan horse virus Ramnit largely affected the financial sector in 2017, accounting for 53 percent of attacks. (Cisco)
- Most malicious domains, about 60 percent, are associated with spam campaigns. (Cisco)
- Seventy-four percent of companies have over 1,000 stale sensitive files. (Varonis)
- Malware and web-based attacks are the two most costly attack types — companies spent an average of US $2.4 million in defense. (Accenture)
- The financial services industry takes in the highest cost from cyber crime at an average of $18.3m per company surveyed. (Accenture)
- Microsoft Office formats such as Word, PowerPoint and Excel make up the most prevalent group of malicious file extensions at 38 percent of the total. (Cisco)
- About 20 percent of malicious domains are very new and used around 1 week after they are registered. (Cisco)
- Over 20 percent of cyber attacks in 2017 came from China, 11 percent from the US and 6 percent from the Russian Federation. (Symantec)
- The app categories with most cybersecurity issues are lifestyle apps, which account for 27 percent of malicious apps. Music and audio apps account for 20 percent. (Symantec)
- The information that apps most often leak are phone numbers (63 percent) and device location (37 percent). (Symantec)
- In 2017, spear-phishing emails were the most widely used infection vector, employed by 71 percent of those groups that staged cyber attacks. (Symantec)
- Between 2015 and 2017, the U.S. was the country most affected by targeted cyber attacks with 303 known large-scale attacks. (Symantec)
- In 2017, overall malware variants were up by 88 percent. (Symantec)
- Among the top 10 malware detections were Heur.AdvML.C 23,335,068 27.5 2 Heur.AdvML.B 10,408,782 12.3 3 and JS.Downloader 2,645,965 3.1 (Symantec)
- By 2020, the estimated number of passwords used by humans and machines worldwide will grow to 300 billion. (Cybersecurity Media)
With new threats emerging every day, the risks of not securing files is more dangerous than ever, especially for companies.
- 21 percent of all files are not protected in any way. (Varonis)
- 41 percent of companies have over 1,000 sensitive files including credit card numbers and health records left unprotected. (Varonis)
- 70 percent of organizations say that they believe their security risk increased significantly in 2017. (Ponemon Institute’s 2017 Cost of Data Breach Study)
- 69 percent of organizations don’t believe the threats they’re seeing can be blocked by their anti-virus software. (Ponemon Institute’s 2017 Cost of Data Breach Study)
- Nearly half of the security risk that organizations face stems from having multiple security vendors and products. (Cisco)
- 7 out of 10 organizations say their security risk increased significantly in 2017. (Ponemon Institute’s 2017 Cost of Data Breach Study)
- 65 percent of companies have over 500 users who never are never prompted to change their passwords. (Varonis)
- Ransomware attacks are growing more than 350 percent annually. (Cisco)
- IoT attacks were up 600 percent in 2017. (Symantec)
- The industry with the highest number of attacks by ransomware is the healthcare industry. Attacks will quadruple by 2020. (CSO Online)
- 61 percent of breach victims in 2017 were businesses with under 1,000 employees. (Verizon)
- Ransomware damage costs will rise to $11.5 billion in 2019 and a business will fall victim to a ransomware attack every 14 seconds at that time. (Cybersecurity Ventures)
- Variants of mobile malware increased by 54 percent in 2017. (Symantec)
- Today, 1 in 13 web requests lead to malware (Up 3 percent from 2016). (Symantec)
- 2017 represented an 80 percent increase in new malware on Mac computers. (Symantec)
- In 2017 there was a 13 percent overall increase in reported system vulnerabilities. (Symantec)
- 2017 brought a 29 percent Increase in industrial control system–related vulnerabilities. (Symantec)
- By 2020, we expect IT analysts covering cybersecurity will be predicting five-year spending forecasts (to 2025) at well over $1 trillion. (Cybersecurity Ventures)
- The United States and the Middle East spend the most on post-data breach response. Costs in the U.S. were $1.56 million and $1.43 million in the Middle East. (Ponemon Institute’s 2017 Cost of Data Breach Study)
There’s no question that the situation with cybercrime is dire. Luckily, by assessing your business’s cybersecurity risk, making with company-wide changes and improving overall security behavior, it’s possible to protect your business from most data breaches.
Make sure you’ve done everything you can do to avoid your company becoming a victim to an attack. The time to change the culture toward improved cybersecurity is now.
What just happened?
Yesterday, it emerged that more than a billion unique email address and password combinations had been posted to a hacking forum for anyone to see in a mega-breach dubbed Collection #1.
The breach was revealed by security researcher Troy Hunt, who runs the service allowing users to see if they’ve been hacked called Have I been Pwned. He has now loaded the unique email addresses totalling 772,904,991 onto the site.
The data includes more than a billion unique email and password combinations – which hackers can use over a range of sites to compromise your services. They will do so by utilizing so-called credential stuffing attacks, seeing bots automatically testing millions of email and password combinations on a whole range of website login pages.
The data originally appeared briefly on cloud service MEGA and was later posted to a popular hacking forum. The Collection #1 folder is comprised of more than 12,000 files weighing in at 87 gigabytes.
Most concerningly, the protective hashing of the stolen passwords had been cracked. This means they are easy to use because they are available in plain text rather than being cryptographically hashed as they often are when sites are breached.
Should I be worried?
In a word: Yes. It’s a massive concern, not least because scale of this breach is huge: Yahoo’s breaches saw 1 billion and 3 billion users affected but the stolen data hasn’t actually resurfaced yet.
And unlike other huge hacks such as Yahoo and Equifax, this breach cannot be tied down to one site. Instead it appears to comprise multiple breaches across a number of services including 2,000 databases.
Hunt says there are many legitimate breaches in the directory listing, but he cannot yet verify this further. “This number makes it the single largest breach ever to be loaded into HIBP,” he adds in a blog.
What’s more, his own personal data is in there “and it’s accurate”, he says. “Right email address and a password I used many years ago. Like many of you reading this, I’ve been in multiple data breaches before which have resulted in my email addresses and yes, my passwords, circulating in public.”
Finding out if you’re affected
If you are one of the 2.2 million people that already use the Have I Been Pwned site, you should have received a notification: Nearly half of the site’s users – or 768,000 – are caught up in this breach.
If you aren’t already a member, you need to visit Have I Been Pwned now. Once on the site, you simply need to type in your email address and search, then scroll down to the bottom of the page. The site will let you know if your email address is affected by this breach – and while you are there, you can see if your details were stolen in any others too.
To find out if your password has been compromised, you separately need to check Pwned Passwords– a feature built into the site recently. This feature also helps you to use strong passwords: if yours is on there, it’s safe to assume others are using it and your accounts could be easily breached.
What if my details are there?
Hunt says in his blog: “Whilst I can’t tell you precisely what password was against your own record in the breach, I can tell you if any password you’re interested in has appeared in previous breaches Pwned Passwords has indexed. If one of yours shows up there, you really want to stop using it on any service you care about.”
If you have a bunch of passwords, checking all of them could be time-consuming. In this case, Hunt suggests 1Password’s Watchtower feature which can take all your stored passwords and check them against Pwned Passwords in one go.
Most importantly, if your password is on the list, do not ignore it as it can be used in credential stuffing attacks mentioned earlier. Hunt says: “People take lists like these that contain our email addresses and passwords then they attempt to see where else they work. The success of this approach is predicated on the fact that people reuse the same credentials on multiple services.”
More generally, as the number of breaches and their sheer scale increases, it’s time to clean up your password practices. In addition to using two-factor authentication, passwords should be complex – such as a phrase from a favourite book or a line from a song. At the same time, security experts don’t rule out analogue books containing your password – as long as these are not stored on your device or with it.
If you take these measures into account you should be able to avoid using the same password across multiple sites. Ideally, start using a password manager to ensure you can remember these.
Let me guess. From a young age, you were attracted to spy movies. You are someone who wasn’t necessarily interested in school subjects, but probably did okay regardless. You learn concepts easily and quickly compared to others. You had a natural affinity for computers at a young age. Something about you is excited by the subversive blackhat hacking community, but actually, you’re a good person who doesn’t like the idea of ruining people’s lives or spending your life doing chin-ups with your morally questionable mate “Steve” in a high security prison.
So what’s the solution? Become an ethical hacker, so that you can do these illegal things without risk of jailtime, and get paid for it!
I should start with a disclaimer — I’m not an expert. I’ve only ever landed one hacking job, which is my current one — and I haven’t even been here long! But I did spend a lot of time in other sectors of IT wishing I was in security. As a result, I’ve read a lot of stuff and spoken to a lot of people. Basically, it all boils down to this:
There is no one-size-fits-all approach to getting your first infosec role. There was a recent Twitter hashtag that did the rounds, #MyWeirdPathToInfosec, where a whole bunch of infosec professionals revealed the paths they took to an eventual infosec role. They varied widely, some spent time in federal prison (not recommended), some were musicians, some scored an infosec role straight out of college, some were offered jobs after illegally hacking a company and then telling the company how they did it (also not recommended). This technique may have worked for some people in the 90s, now it will probably land you in jail.
The point is, don’t have tunnel-vision. Career opportunities often arise where you least expect.
A Little About My Path to Infosec
I remember my first experience with “hacking.” I was about 10 years old, and I discovered the ability to save webpages locally. I headed straight to Google, downloaded the home page, and edited my local copy in notepad.exe to contain the words “Luke was ‘ere!”. When I opened up the edited page, my stomach dropped. I thought I had defaced Google. How long until the FBI kick in my door? Should I tell my parents before they find out?
Back in myyy daaaay, there were no hacking challenge sites. In fact, there was barely any information out there, at least that I could find. My first resource was a website by Carolyn Meinel, titled “The Guides to (mostly) Harmless Hacking.” The guides were written in Comic Sans, the token font of that bad design genre that can only be found in the 90s and early 00s. These guides included such classics as “Telnet: the Number One Hacking Tool” and “How to Hack with Windows XP part I: The Magic of DOS.” They can still be found here.
Upon finishing school I scored my first job in IT and started a computer science degree, almost finished, dropped out, got made redundant, moved out of home, acquired Bachelor of Music, became a full-time musician, spent a couple of years performing on cruise ships, met my wife, lived in the UK, got married, moved back to Australia, and started working as a full-time web developer.
Throughout all this, my passion for hacking never really subsided, and development was never something I loved. I had a wonderful job with great people, but the actual tasks of my job weren’t sparking me. As it turns out, I was on a project which involved e-commerce and sensitive data, so my boss offered for me to take a security related course. I emailed the CEO of a local penetration testing firm and asked what the best security course was, and he recommended OSCP. So I did it!
Completing my OSCP was a turning point for me. I spent every spare moment of those 60 days learning as much as possible about the art of hacking. Even when I was exhausted, I had trouble sleeping because my brain wouldn’t stop thinking about the challenge boxes in the labs. That’s how I knew it should probably be my job, instead of development, which I had grown tired of. (I wrote a three-part blog series about the OSCP too, if you’re into that.)
Only a month or two after completing OSCP, I landed my first penetration testing job through a great infosec recruiter after solving a hacking challenge they posted online. You can read more about that story here.
Enough about me! Finally, we are at the bit you all came here to read. Some actionable tips on how to get your first job as a hacker:
Get Active in the White Hat Community
Contribute to open source tools, write your own, blog, start a podcast, go to hacker cons, connect with people on Twitter. You will learn a lot and it will introduce you to a whole network of lovely people who can help you. The infosec community on the whole are a friendly, tight-knit pack of smart, passionate people. If you’re reading this, there’s a good chance you will feel at home.
Email People You Respect
Are there people out there in your dream role? Email them and ask about your career path. The worst that will happen is that they don’t reply, the best that can happen is that you gain a mentor and some life-changing advice.
You can have every hacking certification under the sun, but if you walk into the interview gloating about some illegal stunt you pulled, nobody will risk hiring you. The white hat community often deal with highly sensitive data — your employer and your clients need to be able to trust you.
On that note, when you’re in an interview and you don’t know the answer to a technical question, it’s better to say “sorry, I don’t know, but I will be sure to research that later!” than to try to bluff your way through an answer. The person interviewing you will be able to tell, and they are probably more interested in you being honest and genuine than correct. At this point in time, experienced security professionals are rare, so many companies are hiring less experienced staff with the right mindset and attitude, then putting them through training to learn the technical skills.
Frankly, many certifications in this field aren’t a good indicator of someone’s technical ability. Having said that — you’re more likely to get a job if you have them. It shows that you’re invested in the craft, you have spent time/money skilling up, and you are interested. There are a few great certifications out there, and some that aren’t so good. If you’re not sure which ones are good, ask someone who knows!
Bug Bounties, CTFs and Challenge Sites
Have you been in a HackerOne/BugCrowd hall of fame? Found a RCE in a bug bounty? Did you do well in a CTF at a hacking conference? Are you highly ranked on hackthebox.eu? Put it on your CV! These things might seem like games, but they’re also proof that you’re passionate about the craft, and have some skills.
Don’t Be Afraid of Recruiters
Recruiters get a bad name for relentlessly calling you and using dodgy tactics to get the right contacts, but they’re not all like that. Finding a quality recruiter with good connections can make all the difference. When you are looking for a recruiter for a hacking gig, find one that specialises in infosec. A standard IT recruiter probably won’t know the right people.
Make Your Current Role a Security Role
Are you a developer? Find a bug in the application you develop, show it to your boss, ask permission to conduct more in depth security testing. Are you a sysadmin? Find a security hole in your network (you probably already know where to look), communicate the risk to your boss and ask for permission to conduct further testing. Whatever role you’re in — there’s a good chance you can make a name for yourself as the in-house security expert.
Now in your infosec interview/CV, you can say you were the in-house security expert, even though your official title was just “developer.” You can also fill out the “responsibilities” section of your role with some security related tasks.
Last Friday, Marriott sent out millions of emails warning of a massive data breach — some 500 million guest reservations
had been stolen from its Starwood database.
One problem: the email sender’s domain didn’t look like it came from Marriott at all.
Marriott sent its notification email from “email-marriott.com,” which is registered to a third party firm, CSC, on behalf of the hotel chain giant. But there was little else to suggest the email was at all legitimate — the domain doesn’t load or have an identifying HTTPS certificate. In fact, there’s no easy way to check that the domain is real, except a buried note on Marriott’s data breach notification site that confirms the domain as legitimate.
But what makes matters worse is that the email is easily spoofable.
Often what happens after a data breach, scammers will capitalize on the news cycle by tricking users into turning over their private information with their own stream of fake messages and websites. It’s more common than you think. People who think they’re at risk after a breach are more susceptible to being duped.
Companies should host any information on their own websites and verified social media pages to stop bad actors from hijacking victims for their own gain. But once you start setting up your own dedicated, off-site page with its unique domain, you have to consider the cybersquatters — those who register similar-looking domains that look almost the same.
Take “email-marriot.com.” To the untrained eye, it looks like the legitimate domain — but many wouldn’t notice the misspelling. Actually, it belongs to Jake Williams, founder of Rendition Infosec, to warn users not to trust the domain.
“I registered the domains to make sure that scammers didn’t register the domains themselves,” Williams told TechCrunch. “After the Equifax breach, it was obvious this would be an issue, so registering the domains was just a responsible move to keep them out of the hands of criminals.”
Equifax, the biggest breach of last year, made headlines not only for its eye-watering hack, but its shockingly bad response. It, too, set up a dedicated site for victims — “equifaxsecurity2017.com” — but even the company’s own Twitter staff were confused, and inadvertently sent concerned victims to “securityequifax2017.com” — a fake site set up by developer Nick Sweeting to expose the company’s vulnerable incident response.
With the Equifax breach not even a distant memory, Marriott has clearly learned nothing from the response.
Many others have sounded the alarm on Marriott’s lackluster data breach response. Security expert Troy Hunt, who founded data breach notification site Have I Been Pwned, posted a long tweet thread on the hotel chain giant’s use of the problematic domain. As it happens, the domain dates back at least to the start of this year when Marriott used the domain to ask its users to update their passwords.
Williams isn’t the only one who’s resorted to defending Marriott customers from cybercriminals. Nick Carr, who works at security giant FireEye, registered the similarly named “email-mariott.com” on the day of the Marriott breach.
“Please watch where you click,” he wrote on the site. “Hopefully this is one less site used to confuse victims.” Had Marriott just sent the email from its own domain, it wouldn’t be an issue.
A spokesperson for Marriott did not respond to a request for comment.
Source: Tech Crunch
Question-and-answer website Quora has been hacked, with the names and email addresses of 100 million users compromised. The breach also included encrypted passwords, and questions people had asked.
In a statement, Quora said the situation had been “contained”.
Last week, hotel chain Marriott admitted that personal information on up to 500 million guests had been stolen.
Quora released a security update in a question-and-answer format.
“We recently became aware that some user data was compromised due to unauthorized access to our systems by a malicious third party,” it began.
“We have engaged leading digital forensic and security experts and launched an investigation, which is ongoing. We have notified law enforcement officials.”
It said it was also in the process of notifying all affected customers and reassured them that it was “highly unlikely” that the incident would lead to identity theft “as we do not collect sensitive information like credit card or social security numbers”.
Security expert Troy Hunt was one of those affected. He tweeted: “Short of not using online services at all, there’s simply nothing you can do to ‘not’ be in a breach, there’s only things you can do to minimize the impact when it inevitably happens.
Users were asked to reset their password and will be prompted to do so when they next try to log in. Those wishing to delete their account can do so in the settings section and the deactivation will happen immediately.
Some users commented on Twitter that they had forgotten they used the service.
One tweeted: “Nothing like a data breach to remind me that I have a Quora account.”