At a glance.
- Data breach at beverage supplier Drizly.
- ShinyHunters dump for free.
- OKCupid fixes vulnerability.
- Avon secures exposed server.
- Promo.com data breach affects 22 million records.
Drizly bared.
TechCrunch reports that the online, alcohol-beverage delivery startup Drizly has warned its customers of a data breach. Up to two-and-a-half million customer accounts may have been affected, although accounts differ as to exactly what data were compromised. Drizly says no credit card information was lost, for example, but the criminals now hawking the stolen data in a dark web souk say that it did. There's been no publicly shared word about how the attackers compromised Drizly.
Saryu Nayyar, Gurucul CEO, thinks the most striking thing about the breach is the attackers' reported dwell time and the gap between detection and disclosure of the incident. The data's availability was announced on the dark web in mid-February, but Drizly only identified the information loss on July 13th, notifying its customers yesterday. “That is a 2-week delay between identifying the breach and informing affected customers," she said. "More importantly, indications are that the threat actor had access to Drizly's systems for roughly 6 months, at least, before they were identified."
ShinyHunters dump for free.
In the grip of either public-spirited altruism or a mean desire to lowball the criminal competition (or some mix of both), the ShinyHunters have flooded the underground market with 386 million user records from eighteen companies, all dumped with no charge. Someone purporting to speak for the ShinyHunters told BleepingComputer that "I just thought: 'I've made enough money now' so I leaked for everyone's benefit. Obviously, some people are a little upset because they paid resellers a few days ago, but I don't care," We assume their secret is volume.
OKCupid patches vulnerability.
Online dating service OKCupid fixed a cross-site-scripting vulnerability in its service that could have exposed members' profiles to unauthorized parties, and that might have permitted attackers to send messages from user accounts. The initial compromise would have been accomplished by phishing. Threatpost reports that Check Point discovered the issue and notified OKCupid, which addressed the problem within forty-eight hours. The problems affected both the dating service's website and its Android app. The data at risk included "user’s full profile details, private messages, sexual orientation, personal addresses and all submitted answers to OKCupid’s profiling questions."
Avon secures misconfigured server after data exposure.
Cosmetics company Avon has secured a server that exposed unprotected data to the Internet, the Safety Detectives report. The security firm found and notified Avon of a data exposure that included both personal information (full names, phone numbers, dates of birth, email addresses, physical addresses, geolocation, last payment amounts, what appear to be names of company employees, and administrator user emails) and technical information (more than 40,000 security tokens, OAuth tokens, internal logs, account settings, and technical server information.
James McQuiggan, Security Awareness Advocate at KnowBe4, commented:
"Unfortunately, this type of discovery could have already been discovered by a black hat hacker and possibly collected all of the information for their misdeeds. The Personal Identifiable Information (PII) that was collected will create well-crafted spear phishing emails to target the victims for additional credential-stealing or ransomware attacks. The opportunity to collect the technical logs could pose a severe threat, as the information can provide additional insight to target the organization's infrastructure.
"Organizations want to verify that all developmental, testing, and production servers are configured with limited access controls and avoid providing access openly, especially when connected to the internet."
22 million Promo.com users exposed in data breach.
Promo.com, a producer of marketing videos, disclosed this week that it had been breached, and 22 million of its users' records exposed in a hacker forum. The disclosure suggests that the breach derived from a vulnerability on a third-party server. "On July 21, 2020, our team became aware that a data security vulnerability on a 3rd party service had caused a breach affecting certain non-finance related Slidely and Promo user data," Promo said in its incident FAQ, adding, "We immediately stopped all suspicious activity and launched an internal investigation to further learn about what happened."
BleepingComputer says that the data were posted for free, offered without charge. The data posted included email addresses, names, genders, geographic location, and 2.6 million hashed passwords. 1.4 million of the passwords were advertised as having been cracked, which of course opens them up for immediate use.
We received several comments on the breach. Felix Rosbach, product manager at data security specialist comforte AG, recommends that organizations consider ways of rendering it more difficult for attackers to take advantage of data stolen in breaches. "Personal identifiable information and especially decrypted passwords are always valuable," he wrote. "Too many users use the same credentials for multiple accounts. Therefore it is no surprise that bad actors frequently target companies that process this critical data. While there is no sure-fire way to prevent attackers from getting access, there are solutions that protect the valuable information itself. Being able to not only protect passwords but also related personal data reduces the risk of account takeover attacks drastically. Companies should look to deploy data security tactics such as stateless tokenization to protect the privacy of their customers."
Paul Bischoff, privacy advocate with Comparitech, wondered what a third-party was doing with passwords, if third-party breach it was, which seems a good question. “Promo blamed a third-party vendor for exposing the passwords, but why is Promo sharing its users' passwords with third parties in the first place?" he asked. "Furthermore, Promo must have been using an outdated hash algorithm to encrypt passwords if hackers were able to crack them. To add insult to injury, the data was posted on a forum before Promo even knew about the breach and was able to alert customers. That's three strikes against Promo. Promo users should change their passwords on any accounts that use the same password as their Promo account. Otherwise, those passwords will be used in credential stuffing attacks to break into other accounts with the same password.”
And Chris Hauk, consumer privacy champion at Pixel Privacy, wearily suggests that this is another opportunity for credential-stuffing, and that the affected users should take steps to protect themselves: "I feel like a recording, but since passwords were included as part of the data breach, promo.com users need to take immediate action, changing all of their social network passwords. Users also need to double-check their password usage on other websites and online services, ensuring they are not using the same passwords on those accounts.”