CSA Editor’s Comment: We would like to share this blog post contribution from Taylor Armerding, Software Security Expert at Synopsys Software Integrity Group, which we think will really interest our readers. In this post, Taylor shares six of the biggest data breaches that has happened in 2019 (so far), which has affected hundreds of millions of people and up to 2 billion records globally. The troubling reality is that most these breaches and others that have occurred throughout the year could have been prevented with basic security hygiene.
The full blog post follows:
“Another day, another data breach” is, unfortunately, not just a cliché. It is a reality. But all data breaches are not equal. While they are all bad, some are much worse than others.
And 2019 has had its share of “much worse” data breaches. So, while we’re not trying to spoil “the most wonderful time of the year,” it is clear we need reminders that we have a long way to go to make the online world a safe place.
Yes, it is criminal hackers, scammers, and fraudsters who are directly to blame for data breaches. But the troubling reality is that most data breaches from 2019, including all those summarised below, could have been prevented with basic security hygiene. It’s a bit like a car getting stolen or vandalised. Those who committed the crime are directly responsible, but if the owner left the doors unlocked and windows open in a sketchy neighbourhood, it’s appropriate to ask, “What were you thinking?”
Here are a half dozen of the worst data breaches in 2019 (so far) in terms of the number of people affected.
Verifications.io, an email validation service, apparently left a massive database of records in the open, according to Security Discovery researcher Bob Diachenko. He reported in a March 7 blog post that on Feb. 25 he had found the trove in a “non-password protected” 150 GB MongoDB database containing more than 808 million records. When he tracked it back to Verifications.io and reported it to the company, the site was taken offline.
Diachenko also connected with Troy Hunt, the ethical hacker who runs the Have I Been Pwned website. After analysing the database, they determined that while the compromised information didn’t include credit card details or passwords, it did include names, physical addresses, phone numbers, email addresses, dates of birth, genders, employers, geographic locations, IP addresses, and job titles.
A day later, however, UK-based DynaRisk told SC Media that the data breach was nearly three times larger, at more than 2 billion records. DynaRisk also reported that the data breach included more information: credit scores, interest rates, personal mortgage amounts, and emails linked to social media profiles on Facebook, Instagram, and LinkedIn.
2. First American Financial
First American Financial Corp., a Fortune 500 financial services company, exposed about 885 million records of mortgage transactions dating back to 2003. The vulnerability was first reported by security blogger Brian Krebs in May, who wrote that he had been tipped off by a real estate developer.
Krebs confirmed what the tipster had told him: Anyone who had ever been emailed a link to a document by the company could access the records, simply by changing a single digit in the document link.
The digitised records included bank account numbers and statements, mortgage and tax records, Social Security numbers, wire transaction receipts, and driver’s license images.
First American shut down the compromised website after Krebs notified the firm.
In a response to Krebs, First American called the vulnerability a “design defect.” Krebs wrote that he had no evidence that the data had been mass harvested. However, he said, it “would be a virtual gold mine for phishers and scammers involved in so-called Business Email Compromise (BEC) scams, which often impersonate real estate agents, closing agencies, title and escrow firms in a bid to trick property owners into wiring funds to fraudsters.”
3. “Collection #1”
This massive and unique collection, presented by Troy Hunt on his Have I Been Pwned website, was sitting in a cloud storage service called MEGA.
Hunt, a Microsoft Regional Director, wrote about it on his blog after “multiple people reached out” and directed him to MEGA. Hunt said by the time of his writing, the data had been removed from MEGA.
He said the collection included more than 12,000 separate files and more than 87 GB of data.
“One of my contacts pointed me to a popular hacking forum where the data was being socialised,” where the root folder identified it as “Collection #1.”
He said he hadn’t verified the origin of all the data breaches listed. But, he said, “my own personal data is in there and it’s accurate; right email address and a password I used many years ago.”
Hackers are most likely using the data for credential stuffing, a brute force attack cited by Synopsys CSO Deirdre Hanford in a recent interview at the end of National Cybersecurity Awareness Month.
It was Jan. 10, 2019, when security firm Upguard Cyber Risk first notified the Mexico-based digital media company Cultura Colectiva that it had discovered more than 540 million Facebook user IDs, account names, likes, and comments exposed on a publicly accessible server.
Upguard sent another notification on Jan. 14. It got no response.
The company then notified Amazon Web Services on Jan. 28, since the data was stored on an Amazon S3 cloud storage bucket. Amazon replied Feb. 1 that it had notified Cultura Colectiva.
But it wasn’t until April 3, after Bloomberg contacted Facebook for comment, that the bucket was finally secured.
In an Oct. 30 post, Upguard said while the social media giant has tried to limit third-party access, “the data genie cannot be put back in the bottle. Data about Facebook users has been spread far beyond the bounds of what Facebook can control today.”
“Combine that … with storage technologies that are often misconfigured for public access, and the result is a long tail of data about Facebook users that continues to leak.”
The company added in the same post, updated 11 months after they first notified Cultura of the compromised data, that “to this day there has been no response.”
According to Check Point Research, hackers were able to gain access to user accounts through “multiple vulnerabilities in (owner) Epic Games’ online platform.” The vulnerability allowed a cross-site scripting (XSS) attack if a user clicked on a link sent by the hacker.
Check Point reported that the vulnerability could allow hackers to “take over the account of any game player, view their personal account information, purchase V-bucks, Fortnite’s virtual in-game currency, and eavesdrop on and record players’ in-game chatter and background home conversations.”
Check Point reported it to Epic Games, which patched the vulnerability.
6. Elasticsearch cloud storage
An online casino group turned out to be a bad bet (sorry, couldn’t resist) for users when the records of their activities and personal information were stored on an Elasticsearch server that hadn’t been secured with a password.
ZDNet reported that security researcher Justin Paine found that the database contained players’ names, email addresses, home addresses, phone numbers, bets, wins, deposits, and withdrawals. There were also some credit card details, but they were partially redacted and therefore unusable to hackers.
Despite only one server being unsecured, it handled “a huge swath of information that was aggregated from multiple web domains, most likely from some sort of affiliate scheme, or a larger company operating multiple betting portals,” ZDNet reported.
Elasticsearch, described as a “portable, high-grade search engine that companies install to improve their web apps’ data indexing and search capabilities,” is meant to be kept on internal networks, not exposed online.
The company told InfoSecurity that the data breach was “not related to defects or vulnerabilities in Elastic-developed software.” Instead, it occurred because “individuals or organisations have actively configured their installations to allow unauthorised and authenticated users to access their data over the internet.”
Which may have happened because those organisations failed to realise that they had to pay for Elastic’s security features.
“The free version of the software only includes the security options as a trial. You have to pay for the premium product to turn the security features on,” InfoSecurity noted.