At a glance.
- Signal informs customers of third-party data breach.
- North Carolina healthcare system says Meta Pixel exposed patient data.
- Shanghai COVID-19 app allegedly hacked.
Signal informs customers of third-party data breach.
The data of users of Signal’s encrypted instant messaging service were potentially exposed in a recent phishing attack targeting Twilio, the communications company that provides Signal with phone number verification services. Signal has confirmed that a small percentage of its customer base, approximately 1,900 users, were impacted in the breach and that the attacker could have used the compromised data to re-register their numbers to other devices. The affected individuals are being notified directly via SMS. Signal explains that an attacker gained access to Twilio’s customer support console via a phishing attack, revealing the SMS verification code some customers used to register with Signal. It’s this code that could be used to re-register their numbers. As a precaution, Signal is unregistering the impacted users on all devices and they are being directed to re-register on their preferred device.
Erich Kron, security awareness advocate at KnowBe4, sees the significance of the Twilio incident in the erosion of trust it entailed, as opposed to the sensitivity of the data leaked.
“While not a lot of sensitive information was leaked, with applications such as Signal which are privacy focused, the erosion of trust can be a significant issue itself. Just the knowledge that a phone number is registered with Signal can be used by potential attackers to craft very specific phishing text messages that could lead to further compromise. This is also a lesson in the impact that trusted vendors, in this case Twilio, can have on your own organization.
“Phishing remains a potent weapon for cybercriminals, so organizations should ensure employees are trained in spotting and reporting any phishing attempts by bad actors. Organizations would be wise to ensure that partner organizations are also taking the threat of social engineering seriously and are addressing it in their own security as well.”
North Carolina healthcare system says Meta Pixel exposed patient data.
The Winston-Salem Journal reports that Novant Health, a healthcare provider with fifteen hospitals in the US state of North Carolina, has disclosed that patients’ protected health information may have been improperly shared as part of a marketing campaign that began in May 2020. Novant explains that the breach involved the use of a Facebook-related tracking pixel, which was “configured incorrectly and may have allowed certain private information to be transmitted to (Facebook parent company) Meta from the Novant Health website and MyChart portal.” Though the number of impacted individuals has not been confirmed, Novant sent out 1.3 million notification letters, and the compromised data include patient contact information, appointment details, and physician info. The breach did not impact patient Social Security numbers or financial information unless the patient entered that data into a free text box, and the notification letter will specify if that is the case. According to a report from investigative media outlet the Markup in June, Novant is just one of thirty-three US healthcare systems in which patient data were found to be made available to Facebook through the Meta Pixel tracking tool.
Shanghai COVID-19 app allegedly hacked.
A hacker who goes by the handle “XJP” has claimed to have acquired the personal data of 48.5 million users of Shanghai’s COVID-19 health code mobile app and is offering it up for sale on hacker marketplace Breach Forums for $4,000 (lowered from an original ask of $4,850). A sample provided by XJP includes the phone numbers, names, Chinese identification numbers, and health code status of nearly fifty individuals, and Reuters says it has verified the data of eleven of the victims. In his post offering the database for sale, XJP stated, “This DB (database) contains everyone who lives in or visited Shanghai since Suishenma's adoption,” Suishenma being the name of the mandatory health code system Shanghai established in 2020 to combat the spread of COVID-19. Users access Suishenma via the Alipay app, owned by fintech giant Alibaba. It’s worth noting that this is Shanghai’s second recent alleged data breach; in June a hacker attempted to sell a database (also hosted on Alibaba’s cloud platform) containing the info on a staggering one billion Chinese residents he claimed to have stolen from the Shanghai National Police.