June 28, 2022

TheCyberThrone

Thinking Security ! Always

Most Headlined Data Breaches in 2021

The Identity Theft Research Center reports that, by the end of the third quarter of 2021, the number of data breaches this year had already surpassed the total number in 2020 by 17%, and this could be a record-breaking year for data compromises. There has also been an increase in a lack of transparency in breach notices at both the organization and government level. If the trend were to continue, the ITRC says, it could lead to a significant impact on individuals.

Here is the list of data breaches that made the most headlines, in alphabetical order:

Android Users Data Leak 

Date: May 2021

Impact: 100+ million

In May, security researchers discovered the personal data of more than 100 million Android users exposed due to several misconfigurations of cloud services. The data was left unprotected in real-time databases used by 23 apps, whose downloads ranged from 10,000 to 10 million, and the exposure included internal developer resources.

Check Point researchers discovered anyone could access sensitive and personal information, including names, email addresses, dates of birth, chat messages, location, gender, passwords, photos, payment information, phone numbers and push notifications.

In addition, of the 23 apps that Check Point researchers analysed, a dozen had more than 10 million installations on Google Play. Most of them had the real-time database unprotected, exposing sensitive user information. While the misconfigured databases are not a surprise, the findings show the lack of basic security practices in many applications. The misconfigurations also put users’ personal data at risk.


Brazilian Database 

Date: January 2021

Impact:  223 million

In January, the largest personal data breach in Brazilian history was discovered. The data sets were discovered by PSafe and then reported by Tecnoblog. The databases included names, unique tax identifiers, facial images, addresses, phone numbers, email addresses, credit scores, salaries and more. The data also contains the personal data of several million deceased individuals. In addition, 104 million vehicle records were available.

The information, Open Democracy says, is typically used by credit scoring bureaus, which led researchers to suspect the leak may have originated from Serasa Experian, the leading Brazilian credit-scoring bureau. The data was offered for free on a Darknet forum.

Bonobos

Date: January 2021

Impact: 12.3 million records

Men’s clothing store Bonobos suffered a data breach in 2021 after a cybercriminal compromised its backup server containing customer data.

The following categories of data were accessed, amounting to the 12.3 million total:

  • 7 million shipping address records
  • 1.8 million account information records
  • 3.5 million partial credit card records.

This database was not connected to Bonobos’ private data, which was siloed for protection. But threat actors could still exploit the stolen information. After the stolen data was dumped on a hacker forum, a threat actor claimed to have uncovered 158,000 passwords hashed with SHA-256. But the remaining passwords, hashed with SHA-512, could not be cracked.

Bykea

Date: January 2021

Impact: 400 million

Led by researcher Sen, the Safety Detectives team discovered an Elastic server vulnerability during routine IP-address checks on specific ports. The exposed server contained API logs for Bykea, a transportation, logistics and cash-on-delivery payments company with headquarters in Karachi, Pakistan.

Researchers discovered Bykea publicly exposed all its production server information without password protection or encryption and allowed access to more than 200GB of data containing more than 400 million records. The data contained people’s full names, locations, and other personal information that hackers could potentially harness to cause financial and reputational damage.

Bykea’s CEO, Muneeb Maayr, described the cyberattack as “nothing out of the ordinary given that Bykea is a mobility-based tech firm,” Safety Detectives reports. It remains unclear whether this latest breach is related to a hack the company suffered earlier, during which attackers reportedly deleted the company’s entire customer database.

Cognyte 

Date: October 2021

Impact: 5 billion

Diachenko discovered a massive database of more than 5 billion records, collected from previous data incidents, exposed on the web without a password or any other authentication required to access it, according to Comparitech.

The database was stored by Cognyte, a cybersecurity analytics firm that stored the data as part of its cyber intelligence service, which is used to alert customers to third-party data exposures. Diachenko alerted Cognyte, who secured the database three days later.

“Thanks to the information provided by the security researcher, Volodymyr “Bob” Diachenko, Cognyte was able to rapidly respond to and block a potential exposure. We appreciate such a responsible and constructive approach, which helps raising awareness and induces companies and organizations to implement security safeguards and better protect their data,” Cognyte said in a statement to Comparitech.

Stored on an Elasticsearch cluster, the database was exposed for four days and contained 5,085,132,102 records. “Not all the data breaches from which the data was sourced included passwords; however, we could not determine an exact percentage of records that contained a password,” Comparitech says.

 All or some contained the following information:

  • Name
  • Email address
  • Password
  • Data source

 


Facebook 

Date: April & September 2021

Impact: 553 million

Security researcher Alon Gal discovered a leaked database belonging to Facebook, containing 533 million accounts.

The data includes the personal information of Facebook users from 106 countries, including more than 32 million records on users in the U.S., 11 million on users in the U.K. and 6 million on users in India. Insider reviewed a sample of the leaked data and verified several records by matching known Facebook users’ phone numbers with the IDs listed in the data set. Insider also confirmed records by testing email addresses from the data set in Facebook’s password-reset feature, which can be used to partially reveal a user’s phone number.

According to Gal, “A database of that size containing the private information such as phone numbers of a lot of Facebook’s users would certainly lead to bad actors taking advantage of the data to perform social-engineering attacks [or] hacking attempts.”

Graff

Date: November 2021

Impact: 1.1 million records

Exclusive UK jeweller Graff suffered a data breach that compromised many of its famous clients. The Russian cybercriminal group Conti was responsible for the attack, which involved the deployment of ransomware.

After stealing Graff’s sensitive data and encrypting its internal systems, Conti started publishing some of the stolen records on the dark web, promising to stop only if its ransom of up to ten million pounds is paid. To prove they weren’t bluffing, Conti published 11,000 records on the dark web, which, according to the Russian cybercriminals, represents just 1% of the total records that were stolen. The stolen records include client names, addresses, invoices, receipts, and credit notes.

Some of the high-profile customers reportedly impacted by this breach include:

  • Donald Trump
  • David Beckham
  • Oprah Winfrey
  • Alec Baldwin
  • Sir Philip Green
  • Ghislaine Maxwell
  • Saudi Crown Prince Mohammed bin Salman
  • Sheikh Mohammed bin Rashid Al Maktoum

LinkedIn

Date: June 2021

Impact: 700 million users

Data associated with 700 million LinkedIn users was posted for sale on a Dark Web forum in June 2021. This exposure impacted 92% of the total LinkedIn user base of 756 million users.

The data was dumped in two waves, initially exposing 500 million users, followed by a second dump in which the hacker “God User” boasted that they were selling a database of 700 million LinkedIn users.

The hackers published a sample containing 1 million records to confirm the legitimacy of the breach. The data included the following:

  • Email addresses
  • Full names
  • Phone numbers
  • Geolocation records
  • LinkedIn username and profile URLs
  • Personal and professional experience
  • Genders
  • Other social media accounts and details

The hacker scraped the data by exploiting LinkedIn’s API. LinkedIn claims that, because personal information was not compromised, this event was not a ‘data breach’ but, rather, just a violation of their terms of service through prohibited data scraping.

MeetMindful

Date: January 2021

Impact: 2.28 million users.

MeetMindful, a dating app focusing on the mindful community, was breached by a well-known hacker by the name of ShinyHunters.

ShinyHunters posted the exfiltrated data for free on a hacker forum on the dark web.

Personal messages between users were not compromised, but the following private information was exposed:

  • IP addresses
  • Real names
  • Email addresses
  • City, state, and ZIP details
  • Facebook user IDs
  • Facebook authentication tokens
  • Dating preferences
  • Marital status
  • Birth dates
  • Bcrypt-hashed account passwords

Neiman Marcus

Date: September 2021

Impact: 4.8 million customers

US-based retailer Neiman Marcus has confirmed in a statement that an “unauthorized party” gained access to sensitive customer information, including:

  • Usernames
  • Passwords
  • Security questions
  • Financial information

The breach impacted almost 3.1 million payment and virtual gift cards, of which more than 85% were either expired or no longer valid. After learning of the incident, Neiman Marcus Group contacted impacted customers that had not changed their password since May 2020, urging them to immediately do so. The incident highlights the danger of using the same password across different registrations. If this cybersecurity best practice isn’t followed, a single compromise could result in a victim suffering multiple breaches.

Pixlr

Date: January 2021

Impact: 1.9 million users

A database of 1.9 million user records belonging to online photo-editor Pixlr was dumped on a dark web hacker forum by notorious cybercriminal ShinyHunters.

Exposed data included:

  • Usernames
  • Email addresses
  • Country
  • Hashed passwords

The data was stolen when the 123RF data breach occurred.

Raychat 

Date: January 2021

Impact: 150 million

Iranian business and social messaging application Raychat suffered a large data breach. Millions of its user records were exposed to the internet and then destroyed by a cyberattack involving a bot.

According to a Gizmodo report, the company stored its user data on a misconfigured MongoDB database, a NoSQL database used by companies who handle large volumes of user data. When misconfigured, the database can leave millions of documents vulnerable. Diachenko, who discovered the breach, said he found the vulnerability using publicly accessible open-source search tools. In a Twitter DM to Gizmodo, Diachenko said that several NoSQL databases like Mongo are targets “for bot attacks operated by malicious actors who scan the internet for open and unprotected dbs [databases] and wipe their contents, with only a ransom note left.” Diachenko says a README ransom note demanded 0.019 in bitcoin (or $700).

Stripchat

Date: November 2021

Impact: 200 million

Diachenko discovered an Elasticsearch database containing 200 million records belonging to Stripchat, an adult cam site. The database included 65 million user records that contained email addresses, IP addresses, the number of tips they gave to models, a timestamp of when the account was created and the last payment activity.

Diachenko also found another database containing about 421,000 records for the platform’s models, including usernames, gender, studio IDs, tip menus and prices, live status, and the model’s “strip score.” Stripchat’s Max Bennet told Threatpost by email, “Information on 134 million transactions occurring were exposed; however, no information was leaked regarding the payment details. Finally, information on at least 719,000 chat messages (was exposed). No content of the private messages was revealed, though.” Diachenko said the exposure could pose risks for both Stripchat viewers and models.

Sociallarks

Date: January 2021

Impact: 200 million records

Sociallarks, a rapidly growing Chinese social media agency, suffered a monumental data leak in 2021 through its unsecured ElasticSearch database.

Sociallarks’ server wasn’t password-protected, wasn’t encrypted, and it was a publicly exposed asset. This lethal combination meant that anybody with knowledge of the server IP address could access the leaked sensitive data, and that’s exactly what happened. The breached database stored the scraped data of over 200 million Facebook, Instagram, and LinkedIn users.

Exposed data included:

  • Names
  • Phone numbers
  • Email addresses
  • Profile descriptions
  • Follower and engagement data
  • Locations
  • LinkedIn profile links
  • Connected social media account login names

Tackle Warehouse LLC, Running Warehouse LLC, Tennis Warehouse LLC, and Skate Warehouse LLC Data Breaches

Date: October 2021 (disclosed December 2021)

Impact: 1.8 million people

Four online sports stores fell victim to a cyberattack resulting in the theft of highly sensitive customer information, including credit card data. The data breach was disclosed in December 2021 by a law firm representing each sports store. The data breach was discovered by the impacted websites on October 15.

The following websites were impacted:

  • Tackle Warehouse LLC (tacklewarehouse.com)
  • Running Warehouse LLC (runningwarehouse.com)
  • Tennis Warehouse LLC (tennis-warehouse.com)
  • Skate Warehouse LLC (skatewarehouse.com)

The specific security vulnerabilities and attack methods that facilitated the breach have not been disclosed, but it’s speculated that access was achieved via a database breach.

The following data was compromised in the cyberattack:

  • Customer names
  • Credit card numbers (with CVV)
  • Debit card numbers (with CVV)
  • Website account passwords

It’s unknown whether the compromised credit card numbers were complete or hashed. Even if hashed, they could still be recovered with sophisticated brute-force methods. Whoever is at fault for this breach will likely suffer tough financial regulatory consequences for their security negligence.

Twitch

Date: October 2021

Impact: 7 million users

Twitch, an Amazon-owned company, suffered a breach of almost its entire code base. The exact impact of the incident hasn’t been confirmed, but given its depth of compromise, it has the potential of impacting all of Twitch’s users. 125GB of sensitive data was posted via a torrent link on the anonymous forum 4chan.

The sensitive data leaks include:

  • The entirety of Twitch’s source code.
  • Three years of payout reports for creators (including high-profile creators).
  • All of Twitch’s properties (including IGDB and CurseForge).
  • Code related to proprietary SDKs and internal AWS services used by Twitch.
  • The identity of an unreleased Steam competitor from Amazon Game Studios – “Vapor”
  • Twitch’s internal ‘red teaming tools’, used by internal security teams for cyberattack training exercises.

Though Twitch admitted in its statement that a subset of creator payout data was also accessed, the company assures that credit card numbers and bank information were not compromised. The security vulnerability that made the breach possible was a server configuration change permitting unauthorized access by third parties. This has now been remediated.

Most cybercriminals post stolen data for sale after a breach, but the unidentified cybercriminal – who was likely using a proxy server – was not interested in monetary gain. Instead, their objective was to cause mass disruption to punish Twitch for fostering a toxic community of users.

Thailand Visitors 

Date: August 2021

Impact: 106+ million

In August, Comparitech cybersecurity researcher Bob Diachenko stumbled across his own data online after discovering an unsecured database, which contained the personal information of millions of Thailand visitors.

The unprotected Elasticsearch database dated back ten years and contained the personal information of more than 106 million international travellers, including:

  • Date of arrival
  • Full name
  • Sex
  • Passport number
  • Residency status
  • Visa type
  • Arrival card number

Volkswagen Group of America

Date: June 2021

Impact: 3.3 Million

A third party obtained information received from or about United States and Canadian customers and interested buyers through a vendor used by Audi, Volkswagen and some dealers, Volkswagen disclosed in June. The exposed information was gathered for sales and marketing purposes between 2014 and 2019 and was left unsecured by the vendor between August 2019 and May 2021, Volkswagen said.

Roughly 90,000 Audi customers or prospective buyers had their driver’s license numbers exposed, while a smaller number had additional sensitive information exposed such as date of birth, Social Security or social insurance numbers, account or loan numbers, and tax identification numbers. All these people will receive credit monitoring services, $1 million of insurance, and assistance in the event of identity theft.

For the remaining 97 percent of impacted individuals, the exposed information consists solely of contact and vehicle data. This could include the Audi customer or prospect’s: first and last name; home or business address; email address; phone number; Vehicle Identification Number (VIN); make; model; year; color; and trim packages, according to Volkswagen.
