Twitter investigates apparent data breach. LockBit holds Canadian town's data hostage. Indian grocery’s customer delivery data exposed. Third-party breach affects Smithsonian data.

Summary

By the CyberWire staff

At a glance.

Twitter investigates apparent data breach.
LockBit holds Canadian town's data hostage.
Indian grocery’s customer delivery data exposed.
Third-party breach affects Smithsonian data.

The “devil” may be in the Twitter details.

A hacker who goes by the handle “devil” has posted data he claims is connected to 5.4 million Twitter user accounts, the Record by Recorded Future reports. He’s offering the data for sale on hacking site BreachForums for a cool $30,000, and according to devil, the stolen data include emails and phone numbers of “celebrities, companies, randoms, OGs, etc.” Researchers say the data are linked to a vulnerability discovered on Twitter’s platform last January that would allow a hacker to search for a twitter account by its phone number or email even if the user has the necessary privacy settings turned on. “Zhirinovskiy,” the researcher who detected the bug, explains, “The bug exists due to the process of authorization used in the Android Client of Twitter, specifically in the process of checking the duplication of a Twitter account.” (“Zhirinovsky” is also a nom-de-hack, probably an homage to the since-deceased, fanatically nationalist Russian politician Vladimir Volfovich Zhirinovsky.)

9to5Mac adds that even suspended accounts are accessible. Twitter was informed of the issue upon detection and shortly thereafter stated it had been resolved, but apparently not before devil or an associate was able to extract the data that are now being offered for sale. A Twitter spokesperson stated, “We’re grateful to the security community who engages in our bug bounty program to help us identify potential vulnerabilities such as this. We are reviewing the latest data to verify the authenticity of the claims and ensure the security of the accounts in question.”

Aaron Sandeen, CEO and co-founder, Cyber Security Works, notes that even the big operations can be afflicted by vulnerabilities.

“This latest Twitter incident is unfortunate, but it’s nothing new to those of us who work in vulnerability management. What makes this breach stand out is that it was one of the most prominent tech companies, but vulnerabilities don’t discriminate and are consistently leaving millions of people at risk. This situation highlights the delayed reactions organizations have when it comes to reporting or remediating vulnerabilities in the products they create or depend on to operate.

"It is crucial that organizations and enterprises are aware of the vulnerabilities that threat groups and attackers exploit, and curate a plan to patch them. Knowing how vulnerable you are to cyberattacks and evaluating your security posture through constant vulnerability management and proactive penetration testing is crucial to building more robust protection as new hacking groups emerge."

LockBit holds data of Canadian town hostage.

Officials in the town of St. Marys, located in Ontario, Canada, first became aware that an attacker had locked and encrypted its internal server last Wednesday. On Friday, ransomware gang Lockbit boasted on its dark web portal that it had stolen 67 gigabytes of data from St. Marys, including confidential info and financial documents, and Global News reports that a St. Marys spokesperson has confirmed the incident was the work of the infamous hacker group. According to a timer on the Lockbit site, the town has until July 30 to meet the threat actors’ ransom demands, or else they’ll publish the sensitive data. It’s unclear how much money LockBit is asking for, but so far St. Marys has not given in. Mayor Al Strathdee explained, “We’re going to act on our legal advice. As well, we’re engaged with the [Ontario Provincial Police] and we’re waiting to take their advice and we will follow legal advice on all steps.”

Indian grocery’s customer delivery data exposed.

Indian supermarket chain Spinneys has disclosed that a security incident last week resulted in the exposure of customer data stored for its online delivery service. According to an email notification sent to customers, the compromised data include “the name, email address, mobile number, delivery address and previous online delivery details [products, delivery time and order value] of customers who used our online shopping channels.” The National adds that no banking details were exposed, as fortunately that information is not stored on the store’s servers. An investigation is ongoing and more details will be released to customers as they emerge.

Smithsonian data exposed in third-party data breach.

The Smithsonian’s National Zoo & Conservation Biology Institute released a statement on Friday confirming that institute data were exposed in a cybersecurity incident impacting digital marketing firm WordFly, which the institute uses for sending community email notifications. WorldFly suffered a ransomware attack earlier this month that shutdown its website and other services. A few days after the incident, WordFly confirmed that Smithsonian data had been exported as part of the attack, though WordFly says the attackers have deleted the information. “We will continue to monitor this situation and receive updates from WordFly and the forensic experts assisting them with this incident,” the Smithsonian’s statement adds.

Selected Reading

Twitter data breach exposes contact details for 5.4M accounts; on sale for $30k (9to5Mac) A Twitter data breach has allowed an attacker to get access to the contact details of 5.4M accounts. Twitter has confirmed the security vulnerability which allowed the data to be extracted. The data – which ties Twitter handles to phone numbers and email addresses – has been offered for sale on a hacking forum, for […]

Twitter investigating authenticity of 5.4 million accounts for sale on hacking forum (The Record by Recorded Future) Twitter said it is investigating the authenticity of a batch of information connected to 5.4 million accounts that is being sold on Breach Forums.

Magecart Hacks Food Ordering Systems to Steal Payment Data from Over 300 Restaurants (The Hacker News) Magecart hackers took over three restaurant ordering platforms, MenuDrive, Harbortouch, and InTouchPOS, and stole more than 50,000 payment card record

Cyber attack on subsidiary: Entega customer data published en masse on the dark web | tellerreport.com (Teller Report) Numerous customer data of the Hessian energy supplier Entega have now been published on the dark web after a hacker attack in June. These are mainly names, addresses and consumption data, but in some cases also bank details.

Spinneys suspects some customer data was compromised in last week’s cyber attack (The National) Data stored for online delivery details may have been exposed, but no personal banking information was leaked, retailer says

Smithsonian Statement: WordFly Data Security Incident (Smithsonian's National Zoo) We want to let you know about an incident that occurred at a company that we use to send email communications to our community about our programs and events. The company, WordFly, was the victim of a ransomware attack.

Online insurer Policybazaar says customer data was exposed by ‘unauthorized access’ (TechCrunch) Indian online insurer Policybazaar said on Sunday that it was subject to an unspecified security incident but found that “no significant” customer data was exposed — or in other words, some was. Policybazaar, which sells a range of insurance coverage, said in a stock exchange filing tha…

St. Marys, Ont. grapples with cyberattack as ransomware group threatens to publish stolen data (980 CFPL) St. Marys spokesperson Brett O'Reilly confirmed to Global News that a cyberattack was the result of the notorious ransomware group LockBit, which has been active since late 2019.

UK cybersecurity chiefs back plan to scan phones for child abuse images (the Guardian) Heads of GCHQ and NCSC say client-side scanning could protect children and privacy at the same time

FCC chair tries to find out how carriers use phone geolocation data (Ars Technica) Inquiry launched as Congress debates bill that could gut FCC's privacy authority.

T-Mobile reaches $350M settlement in 2021 cyberattack and data breach impacting 76M people (GeekWire) T-Mobile agreed Friday to pay $350 million to settle class-action lawsuits brought over an August 2021 cyberattack in which a hacker infiltrated its computer systems to steal sensitive data relating… Read More

DOJ’s Civil Cyber-Fraud Initiative Secures More Than $9 Million in Two False Claims Act Settlements for Alleged Cybersecurity Violations (Privacy Law Blog) Last fall, the United States Department of Justice (“DOJ”) launched its Civil Cyber-Fraud Initiative (“CCFI”) as part of its effort to “combat new and

After Huge Illuminate Data Breach, Ed Tech’s ‘Student Privacy Pledge’ Under Fire (The 74) A few months after education leaders at America’s largest school district announced that a technology vendor had exposed sensitive student information in a massive data breach, the company at fault — Illuminate Education — was recognized with the software industry’s equivalent of the Oscars. Since that disclosure in New York City schools, the scope of the […]

Uber Enters Non-Prosecution Pact With DOJ Over Data Breach (Bloomberg Law) Uber Technologies entered a non-prosecution agreement to resolve a criminal probe into the cover-up of a data breach in 2016, the DOJ said.

T-Mobile to Pay $350 Million for Fund in 2021 Customer Data Leak (Wall Street Journal) The wireless carrier said the settlement, which could win approval as soon as December, includes no admission of responsibility for the theft.