At a glance.
- Animal Jam breached.
- Facebook's "Vanish Mode."
- "Human error" cited in Public Health Wales breach.
Animal Jam breached.
It’s all fun and games until player data is stolen. Children’s gaming platform Animal Jam was the victim of a data breach that compromised 46 million player accounts, Bleeping Computer reports. This sounds huge, but it’s actually only a fraction of the popular game’s more than 130 million registered players, as a new account is created every 1.4 seconds. The breach was discovered by Animal Jam’s creator WildWorks after a cybercriminal, crediting infamous hacker ShinyHunters, released the data for free on underground forum raidforums.com. As the game is designed for kids ages seven to eleven, most of the data belongs to the adults who create the accounts for their children. As WildWorks detailed in an alert on their website, the stolen data included usernames (which are not players’ legal names), hashed passwords, and billing addresses. WildWorks is being very transparent about the incident and is drafting a report for the Federal Bureau of Investigation’s Cyber Task Force.
We heard from two industry sources on the Animal Jam breach. Saryu Nayyar, CEO of Gurucul, wrote to express approval of how WildWorks handled the incident. “The data breach at Animal Jam is concerning mostly because many of the accounts belong to children. Fortunately, there does not appear to be any financial information exposure and little of the released data appears to be directly useful. However, the attackers could use the exposed email addresses to launch social engineering against the young users,” she said, and then added, “WildWorks has set a fine example by responding quickly and transparently. Parents should monitor their kids’ email for related attacks, and take the opportunity to teach them about managing their passwords and how to identify malicious emails.”
“ShinyHunters did it again, fresh off of their leak of a massive Mashable database,” said Point3 Security’s VP of strategy, Chloé Messdaghi. “It’s important for all to understand that it’s never appropriate to target kids’ data, and the services that make this available need to be stopped. A lot of companies use communications apps such as Slack without 2FA, which seems to be the case with Animal Jam.” She thinks complacency over multi-factor authentication could have contributed to the breach. “Instead,” she said, “companies assume they’re not targets, or mistakenly believe that using a password that’s too short is sufficient. This just underscores that any shared service (GitHub, Citrix, whatever) needs to be protected with multi-factor authentication apps or preferably a token, and just how important password managers are. All employees should have password managers and be required to use multifactor authentication. The reality is these people have lots and lots of stolen data, and it’s highly categorized and organized for cross-referencing, making targeted attacks easier than ever before.” Why would criminals be interested in a children’s game? Identity theft. And the victims might be unaware of their loss for years. “The end result might be that some kids go for a social security number at age 4, 10 or even later, or go for their first school loans when applying for college, only to learn they’ve maxed out their credit.”
Vanish Mode is Facebook’s latest trick.
Facebook has released its long-awaited Vanish Mode setting for its products Instagram and Messenger, reports TechCrunch. Messaging competitor Snapchat is known for the fact that all user messages are deleted as soon as they’ve been viewed. Now Instagram and Messenger users can replicate this disappearing act by activating Vanish Mode. Though this auto-delete feature does improve security, in a sense, by shortening the shelf-life of a user’s data, the new setting isn’t actually any more secure than Messenger’s already end-to-end encrypted Secret Conversations mode. Facebook’s motivation is not so much security as it is marketability, as the goal is to attract Snapchat's user base.
Public Health Wales exposes COVID-19 test data.
Public Health Wales, an agency of the National Health Service of Wales, released a statement confirming they suffered a breach that released the private data of 18,000 Welsh residents who had tested positive for COVID-19. The breach was the result of an accidental disclosure: due to human error, a database containing personally identifiable information was uploaded to a public server. The upload occurred on August 30 and the data was public for only twenty hours before the error was discovered and it was taken down, but in that time records show the database was viewed more than fifty times. Tracey Cooper, Chief Executive of Public Health Wales, stated that an investigation carried out by the Head of Information Governance and the Information Sharing and Governance Manager at the NHS Wales Informatics Service indicated that “the pressures of work” might have been partially at fault for the incident, as employees are overwhelmed with data due to the pandemic. In response, Public Health Wales has created an Incident Management Team to improve data handling procedures, and all future uploads will be handled by senior staff.
Saryu Nayyar, CEO of Gurucul, expanded on the role fatigue, stress, and operator mistakes can play in data exposure. “Human error is, unfortunately, a common root cause for data exposure, as it was here in the Public Health Wales case," she said. "However, it also appears there were issues with policies and procedures that made the human error possible. Information Security is not a set it and forget it process. Organizations need to continually review and revise their tools and procedures to keep them effective. Process needs to be in place to minimize the risk of human error, and tools like behavioral analytics need to be deployed to recognize and mitigate risk before it leads to exposures like this one.”
Chloé Messdaghi, VP of Strategy at Point3 Security, notes that the Public Health Wales disclosure was light on specifics. "More than 18,000 who tested positive for COVID-19 have their data exposed," she said, "but this notice doesn’t inform about what personal data has been leaked and is now out there – leaving those impacted and their families hanging. They did apologize but we can only hope they’ve been more forthcoming with the victims than with the public."
She also points out that “human error” is a large explanatory category. “Also not shared is how this occurred. They said it’s the result of human error but that’s a pretty vast array of possibilities. Was it because someone didn’t know what they’re doing? Is the current staffing stretched too thin, or hobbled by WFH constraints and processes? Was there a leak related to an entry afforded by an unsecured home network? Is employee burnout a factor? Did someone receive incorrect instructions? Was a server left unprotected? Was there a third party involved in the leak?” An after-action review might yield useful lessons from the incident.