Monthly Breach Report: May 2020 Edition

Until a few months ago, work life for many people involved commuting to work and meeting colleagues and clients in person. With the COVID-19 outbreak, homes have become temporary offices, and digital transformation has become foundational for many businesses that need to support the remote working model. Because the transition to remote working happened so quickly, it has already taken a toll on the security landscape of businesses. It also raises an important question: what should businesses be doing to discover and protect their sensitive data from breaches as remote working becomes the new normal?

The onus continues to be on organizations to ensure proper handling of sensitive data across system-diverse ecosystems (on-prem, cloud, applications). As data has emerged as the key to winning the war against COVID-19, organizations must continue to comply with data privacy regulations and ensure the implementation of data privacy measures.

Below are some of the data breaches from April. They give a view into the companies and industries most heavily impacted, as well as the things to keep in mind when implementing a proper privacy management strategy.

Nintendo

Apr 30, 2020: Over 160,000 Nintendo users were hit by a data breach when hackers compromised payment information tied to Nintendo accounts. The Japanese video game company said cybercriminals intruded and compromised payment services, such as credit cards and PayPal accounts, linked to Nintendo accounts via the Nintendo Network ID (NNID), which players use to access online content on the Wii U and 3DS. While both the Wii U and 3DS are now-discontinued consoles, Nintendo retained support for the NNID system to enable older players to log into newer consoles.

The breach drew wide attention when Nintendo users complained that their accounts were being misused to purchase V-Bucks (Fortnite currency), Nintendo games, etc. The gaming company has said that this security breach resulted in account takeovers and financial losses for many users.

Meanwhile, Nintendo has notified the affected users about the incident and discontinued NNID support. Since the incident, Nintendo users can only access their Nintendo accounts using their email address.
Source: CSHub

Zoom

Apr 13, 2020: Over 500,000 Zoom users were in for a rude shock when reports surfaced last month that user account details were available for purchase on the dark web and hacker forums for less than a penny each.

Cybercriminals used a credential stuffing attack to gather user credentials for the California-based video conferencing platform. The intruders used previously hacked Zoom account logins from earlier data breaches.

Third-party cyber risk intelligence platform Cyble discovered the leak on April 1 when it noticed Zoom accounts available for free on hacker forums. The user account details were available on text-sharing sites, offering lists of email and password combinations. Cyble bought 530,000 Zoom credentials, each containing the user’s email address, password, personal meeting URL, and HostKey, for less than a penny each.

Soon after becoming aware of the breach, Zoom issued a statement, “It is common for web services that serve consumers to be targeted by this type of activity, which typically involves bad actors testing large numbers of already compromised credentials from other platforms to see if users have reused them elsewhere. This kind of attack generally does not affect our large enterprise customers that use their own single sign-on systems. We have already hired multiple intelligence firms to find these password dumps and the tools used to create them, as well as a firm that has shut down thousands of websites attempting to trick users into downloading malware or giving up their credentials.”
Source: BleepingComputer
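
As an added example (not part of the original report and not Zoom's or Cyble's tooling), the Python code below shows how a defender could spot the pattern Zoom's statement describes in authentication logs: one source testing many distinct accounts in a short window, with mostly failed logins. The log format, thresholds and function names are assumptions, and the sample log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log: "<timestamp> <source IP> <account> <OK|FAIL>"
SAMPLE_LOG = """\
2020-04-01T10:00:01 203.0.113.7 user1@example.com FAIL
2020-04-01T10:00:02 203.0.113.7 user2@example.com FAIL
2020-04-01T10:00:03 203.0.113.7 user3@example.com FAIL
2020-04-01T10:00:03 198.51.100.20 carol@example.com FAIL
2020-04-01T10:00:04 203.0.113.7 user4@example.com OK
2020-04-01T10:00:05 203.0.113.7 user5@example.com FAIL
2020-04-01T10:00:06 203.0.113.7 user6@example.com FAIL
2020-04-01T10:00:20 198.51.100.20 carol@example.com FAIL
2020-04-01T10:00:41 198.51.100.20 carol@example.com OK
2020-04-01T10:05:00 192.0.2.15 dave@example.com OK
"""

def parse_line(line):
    ts, ip, account, result = line.split()
    return datetime.fromisoformat(ts), ip, account, result == "OK"

def find_stuffing_sources(log_text, window=timedelta(minutes=5),
                          min_accounts=5, max_success_ratio=0.25):
    """Flag source IPs that try many distinct accounts in a short window with
    mostly failures; report the accounts they logged in to successfully."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, ip, account, ok = parse_line(line)
            by_ip[ip].append((ts, account, ok))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            span = events[start:end + 1]
            accounts = {a for _, a, _ in span}
            hits = sorted({a for _, a, ok in span if ok})
            ratio = sum(ok for _, _, ok in span) / len(span)
            if len(accounts) >= min_accounts and ratio <= max_success_ratio:
                best = flagged.get(ip, {"distinct_accounts": 0})
                if len(accounts) > best["distinct_accounts"]:
                    flagged[ip] = {"distinct_accounts": len(accounts), "hits": hits}
    return flagged

if __name__ == "__main__":
    for ip, info in find_stuffing_sources(SAMPLE_LOG).items():
        print(ip, info)
```

The accounts listed under "hits" are the ones whose reused password worked from a flagged source, which makes them the first candidates for a forced password reset. A user who mistypes a password a few times (the carol@example.com lines) is not flagged, because only one account is involved.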

WHO, CDC, Gates Foundation

Apr 23, 2020: In a notorious hacking incident, the National Institutes of Health (NIH), the World Health Organization (WHO), the Gates Foundation, and a few other agencies working to combat the COVID-19 pandemic became the target of cybercriminals. The SITE Intelligence Group, which monitors online extremism and terrorist groups, stated that a data breach leaked the information of nearly 25,000 employees at these high-profile health organizations.

According to The Washington Post, SITE shared a report including a list of the number and source of the email/password combinations affected by the breach. The report found that the National Institutes of Health was the most impacted, with approximately 9,938 email and password combinations leaked. The Centers for Disease Control and Prevention was a close second with 6,857 user credentials affected, followed by 5,120 credentials from the World Bank, 2,732 email and password combinations from WHO, and 269 from the Gates Foundation.

Rita Katz, SITE’s Executive Director, said, “Neo-Nazis and white supremacists capitalized on the lists and published them aggressively across their venues. Using the data, far-right extremists were calling for a harassment campaign while sharing conspiracy theories about the coronavirus pandemic. The distribution of these alleged email credentials was just another part of a months-long initiative across the far right to weaponize the COVID-19 pandemic.”

The platforms used to share the leaked data include the Neo-Nazi channel “Terrorwave Refined,” a recruiting and support channel for Azov Battalion, The Base, and Nordic Resistance Movement.
Source: CNET

Kinomap

Apr 22, 2020: A massive data breach hit the French fitness company Kinomap when it accidentally exposed 42 million records. The leaked data was open and viewable for a month. The misconfigured database included 40GB of records from the UK, Europe and the US, affecting the entire user base. The exposed users’ PII comprised full names, usernames for Kinomap accounts, email addresses, home country, gender, timestamps for exercises, as well as the date they joined Kinomap.

On March 16, the vpnMentor team discovered the leak. While awaiting a response from Kinomap after informing them about the security incident, vpnMentor contacted the Commission Nationale de l’Informatique et des Libertés (CNIL), France’s independent data privacy regulatory body. vpnMentor also confirmed that Kinomap didn’t lock the affected data repository until April 12.

Founded in France in 2002, Kinomap develops immersive workout videos for individuals exercising on cycling and rowing machines and treadmills. It also creates personal coaching and trainer videos.

A statement issued by vpnMentor said, “By not having more robust data security in place, Kinomap made its users vulnerable to a wide range of frauds. With millions of people across the globe now under quarantine at home due to the Coronavirus pandemic, the impact of a leak like this grows exponentially. A data leak of this nature could seriously endanger the health and finances of the company.”
Source: ITPRO

Webkinz World

Apr 18, 2020: An anonymous hacker leaked and dumped the usernames and passwords of nearly 23 million Webkinz World players on the Dark Web. Webkinz World is an online children’s game managed by Canadian toy company Ganz.

ZDNet received a copy of the exposed file after the hacker posted a part of the game’s database on a hacking forum. The compromised 1 GB file uploaded online included 22,982,319 pairs of usernames and passwords.

The hacker gained access to the registered users’ database using an SQL injection vulnerability on the Webkinz website.

A statement posted on Ganz’s website read, “For security purposes, during the archiving process, we remove all information associated to the account other than the User Name and Password. Please note that if an account remains inactive for a period of 7 years, Ganz will then delete that account.”
Source: ZDNet

PAAY LLC

Apr 22, 2020: A massive data breach hit mobile payments solutions provider PAAY LLC in April, exposing online a database containing 2.5 million credit card records. The New York-based card payments processor said that it verifies payments on behalf of selling merchants to avoid fake transactions.

Security researcher Anurag Sen, who uncovered the breach, reported that the leaked database included credit card numbers, expiration dates and amounts transacted dating back to September of last year from several merchants, but did not include cardholder names or card verification values.

PAAY Co-founder Yitz Mendlowitz said, “On April 3, we spun up a new instance on a service we are currently in the process of deprecating. An error was made that left that database exposed without a password.” He further added that PAAY LLC has collaborated with a forensic auditor to identify the impact of this data breach.
Source: TechCrunch

Email.it

Apr 7, 2020: Email.it, the Italian email service provider, admitted last month that it suffered a data breach dating from January 2018 involving the personal data of 600,000 customers, which is now available for sale on the Dark Web.

The hacker group named NN Hacking Group claimed responsibility for the breach on Twitter and said in a post on its website, “We breached Email.it Datacenter more than 2 years ago and we plant ourselves like an APT. We took any possible sensitive data from their server and after we chose to give them a chance to patch their holes asking for a little bounty. They refused to talk with us and continued to trick their users/customers. They didn’t contact their users/customers after breaches!”

The stolen dump comprises 44 databases including usernames, plain text passwords, security questions, email messages and related attachments for all 600K email accounts, along with SMS and fax messages sent and received by the users. It also contains data of users who signed up for free Email.it accounts.

Meanwhile, Email.it notified the Italian Postal Police (CNAIPIC) about the breach.
Source: ZDNet

Aptoide Android App

Apr 21, 2020: Aptoide, a Portugal-based third-party app store for Android applications, fell prey to a data breach that leaked the personal data of 20 million users on a hacking forum.

The leaked database included sensitive data from users who registered or used the Aptoide app store app from July 21, 2016, to January 28, 2018, and included such information as user names, email, date of birth, sign-up date, IP address, and device details.

Meanwhile, Aptoide said in a blog post that it was working with data center partners to understand the scope of the breach. It also clarified that 97% of its users are not affected by the breach as they never signed up.
Source: ZDNet

RigUp

Apr 9, 2020: Austin-based labor and marketplace provider RigUp Inc. was targeted by cybercriminals last month, impacting 70,000 private files belonging to its US energy sector clients. Found by the vpnMentor research team, the breached database included more than 76,000 confidential files, amounting to over 100GB of data, from July 2018 to March 2020.

vpnMentor said that the leaked database was an Amazon Web Services (AWS) S3 bucket, labelled “ru”. Also, many of the files stored within this live database included RigUp’s name, which helped the vpnMentor team to confirm the exposed database’s owner.

The affected database appeared to be a ‘file dump’ used by RigUp to save different types of files, belonging to the Human Resources department, customers, contractors, etc.
Source: Security Magazine

Monte dei Paschi di Siena

Apr 12, 2020: A cyberattack rocked the Italian state-owned bank Monte dei Paschi di Siena (MPS) when hackers infiltrated some of its employee mailboxes.

On March 30, the banking institution notified its customers about the security lapse, stating that messages containing voice mail attachments were sent using the hacked employee accounts.

Monte dei Paschi di Siena has yet to clarify if any company or customer data has been affected as a result of this attack.
Source: Reuters