At a glance.
- Private dating app data found on open web.
- Texas city launches investigation into ex-employee email data breach.
- Data breach at Estée Lauder.
Dating app left personal details exposed in an unsecured AWS S3 bucket.
Bad news for the lonely-hearted. An unprotected Amazon Web Services S3 storage bucket belonging to the online dating platform 419 Dating - Chat & Flirt exposed 260,000 dating app account records and 340 gigabytes of pictures and messaging logs. Jeremiah Fowler, independent researcher and co-founder of Security Discovery, found that the database included names, email addresses, and geolocation data for users largely located in the US and Canada, as well as pictures and chat messages shared privately between daters. Over 260,000 user account email addresses tied to Gmail, Yahoo Mail, and iCloud Mail accounts were found in just one of the six hundred compressed server logs exposed. Fowler told SC Media that he found the data, which was accessible from the public internet, last April and immediately informed the app’s Hong Kong-based developer, Siling App.
The database was secured within weeks, but it’s unclear just how long it had been exposed. Fowler says the data, if accessed by a third party, could easily have been cross-referenced to reveal the users’ true identities. “The volumes of adult content exposed raise serious risks,” Fowler added. “In the wrong hands this data could open a user to extortion attacks, social engineering scams and harmful privacy violations.” Not long after Fowler’s discovery, the 419 Dating app was removed from the Google Play marketplace and Apple’s App Store, but the Android version is still available in third-party Android app marketplaces. It’s worth noting that development files for dating sites called Meet You - Local Dating App and Speed Dating App For American were also exposed, but no personal user data from these apps was compromised. "These other apps claim to be separate companies, but it is possible they use the same source code and functionality to clone their product under different brand / app names to distance themselves from 419 dating," Fowler explained.
Dan Elead, VP of Data at Laminar, wrote that while users should of course look for love cautiously, the companies that run dating services need to up their game on data protection. “In this incident, cybersecurity experts are warning consumers to be careful when choosing which dating apps to use. However, I would encourage the organizations behind these apps to consider how they are safeguarding their data — both known and shadow data. Dating apps contain tons of sensitive information including personally identifiable information (PII) about the user, their sensitive chat history, medical statuses, how they identify, all of which most users do not want exposed," Elead said. "One in five publicly facing cloud storage buckets contain sensitive data. Legacy security infrastructure is no longer sufficient to defend customer, employee, and partner data against adversaries. These exposures are often blamed on ‘misconfiguration’ but often it is more about misplaced data that should have never been in an open bucket in the first place." He sees a place for automation in solving the problem. "The problem is that most IT and security teams lack the visibility into where sensitive data resides. This unknown or ‘shadow’ data is growing and is a top concern for 93% of data security and governance professionals. Fortunately, with automated monitoring and control of valuable data, enterprises will have the clarity they need to keep up with today’s fast-paced, cloud environment and avoid similar exposures.”
Aviral Verma, threat intelligence analyst with Securin, sees misconfigured cloud storage as a more general problem, with implications that extend far beyond dating apps. “An improperly configured AWS S3 bucket is an unfortunate reason for a data leak, as many companies have been documented to have suffered similar exposures for exactly this reason. A routine check of all publicly accessible endpoints, cloud assets, and a proper risk assessment could have prevented the exposure of hundreds of gigabytes of intimate user information; however, limited IT resources could lead to these gaps in security, and leave these exposures unchecked. Most of the misconfiguration issues that arise from Simple Storage Service (S3) buckets arise from access permissions. Either they are made publicly available or users with access are given more permissions than necessary, as was the case with Sega Europe when it experienced a similar incident. With technology becoming such an inseparable part of everyone’s daily lives, there is a direct link between cybersecurity and protecting an individual’s privacy. Companies have the responsibility to protect their users along with their data.”
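Both failure modes Verma describes (a bucket opened to everyone, and a named principal granted more than its job needs) are visible in the bucket policy JSON, and the "routine check" he recommends can be scripted. What follows is an added example, not from the article and not code from Laminar, Securin or any company named above: a small Python audit that classifies the Allow statements of a bucket policy and checks the Block Public Access flags, run against constructed sample policies. The bucket name, account ID and ARNs are hypothetical. It implements a simplified form of the test AWS applies when it labels a bucket "Public" (an Allow to Principal `*` with no Condition); it does not look at bucket ACLs, so treat it as a first pass, not a substitute for the console's own assessment.

```python
"""Audit S3 bucket policies for anonymous read access and over-broad grants.

Added example with constructed sample policies; no AWS call is made.
"""
import json

# Actions that let an anonymous caller read objects or list keys.
READ_ACTIONS = {"s3:getobject", "s3:listbucket", "s3:*", "*"}
# Wildcards that grant more than any single job needs.
BROAD_ACTIONS = {"s3:*", "*"}


def _as_list(value):
    """IAM JSON allows a single string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_anyone(principal) -> bool:
    """True for Principal "*" or {"AWS": "*"}, the forms AWS treats as anonymous."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def audit_policy(policy: dict) -> dict:
    """Classify each Allow statement, keyed by Sid (or statement[i] if no Sid).

    public      - anonymous principal, read-capable action, no Condition
    conditional - anonymous principal but a Condition is present; review by hand,
                  since conditions such as aws:Referer do not really restrict access
    broad       - any principal granted s3:* or *, i.e. beyond least privilege
    """
    out = {"public": [], "conditional": [], "broad": []}
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        label = stmt.get("Sid") or f"statement[{i}]"
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if actions & BROAD_ACTIONS:
            out["broad"].append(label)
        if _principal_is_anyone(stmt.get("Principal")) and actions & READ_ACTIONS:
            out["conditional" if stmt.get("Condition") else "public"].append(label)
    return out


def public_access_block_ok(config: dict) -> bool:
    """True only when all four Block Public Access flags are on.

    `config` has the shape of PublicAccessBlockConfiguration as returned by
    get-public-access-block (constructed samples below, no AWS call).
    """
    keys = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")
    return all(config.get(k) is True for k in keys)


# Constructed sample: the weak policy. Anyone on the internet can list and read.
PUBLIC_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "AllowEveryoneRead",
    "Effect": "Allow",
    "Principal": "*",
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::example-dating-uploads", "arn:aws:s3:::example-dating-uploads/*"]
  }]
}""")

# Constructed sample: the corrected policy. Only the app's IAM role (hypothetical ARN)
# may read objects, and it cannot list the bucket.
SCOPED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "AppRoleReadObjects",
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::123456789012:role/example-app"},
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-dating-uploads/*"
  }]
}""")

# Constructed sample: a named principal, but granted every S3 action (over-permissioned).
OVERBROAD_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "DevEverything",
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::123456789012:user/example-dev"},
    "Action": "s3:*",
    "Resource": "arn:aws:s3:::example-dating-uploads/*"
  }]
}""")

# Constructed Block Public Access configurations.
PAB_DISABLED = {"BlockPublicAcls": False, "IgnorePublicAcls": False,
                "BlockPublicPolicy": False, "RestrictPublicBuckets": False}
PAB_ENABLED = {k: True for k in PAB_DISABLED}

if __name__ == "__main__":
    for name, pol in [("public", PUBLIC_POLICY), ("scoped", SCOPED_POLICY), ("overbroad", OVERBROAD_POLICY)]:
        print(name, audit_policy(pol))
    print("block public access enforced:", public_access_block_ok(PAB_ENABLED))
```

In practice the inputs come from `aws s3api get-bucket-policy` and `aws s3api get-public-access-block` for every bucket in every account; an empty `public` list is only meaningful when `public_access_block_ok` is also true, because a later policy edit can reopen a bucket that Block Public Access would otherwise have refused.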
Texas city launches investigation into ex-employee email data breach.
Odessa City Council (that’s Odessa, Texas, not Odessa, Ukraine) has disclosed it suffered a data breach and is currently conducting an investigation. It was discovered that an email account belonging to former city attorney Natasha Brooks, who was terminated from her position last December, had been accessed numerous times after her firing. Odessa Mayor Javier Joven says the intruder accessed a wide variety of the city’s document databases and downloaded approximately 200 documents. Immediately after Brooks was fired, former assistant city manager Cindy Muncy and former IT director Mike Parrish were instructed to deactivate Brooks’ email account, but apparently this never happened. The offboarding lesson is an old one: an instruction to disable an account is not a control until someone verifies the account is actually disabled. Joven added that the email account of another former official was also accessed but did not reveal this official’s identity. Joven has authorized the Odessa Police Department to conduct a criminal investigation into the records breach, assisted by the Texas Attorney General’s Office. The Texan notes that Brooks recently filed a complaint with the Equal Employment Opportunity Commission claiming her termination was racially motivated, and she has threatened to take legal action against the city.
Data breach at Estée Lauder.
The Estée Lauder Companies Inc. disclosed an incident in which unauthorized parties gained access to some company systems. The cosmetics giant believes the intruders were able to make off with some data, but the company continues to investigate to identify the extent of the compromise. Law enforcement authorities have been notified. It appears to have been a ransomware attack. The Record reports that both Cl0p and BlackCat have claimed responsibility. BlackCat acknowledged Cl0p's claims, but says that, whatever Cl0p may have done, BlackCat acted independently.
Darren Williams, CEO and Founder at BlackFog, commented on the unusual circumstance of two gangs making competing claims of having hit the victim. "What is interesting about the attack on Estée Lauder is that two ransomware groups have come forward to claim it. Both BlackCat and Clop have come forward and listed the cosmetics giant as a victim, with BlackCat calling out the fact that they hadn’t bothered to encrypt the data, thus leaving the systems accessible to the company. This further reinforces the fact that cybercriminals have truly moved on from encryption and are only interested in exfiltration and extortion. Data is the ultimate prize, and with 66,000 employees and millions of customers, there is little doubt that the criminal gangs will profit from this attack. With almost 90% of attacks exfiltrating data, organizations need to adopt anti data exfiltration technology to secure their environments and protect the data that has been entrusted to them."
Erich Kron, security awareness advocate at KnowBe4, runs through the various consequences and costs a ransomware attack can impose on an organization. “In these days, when timing is critical for the production of items, cyberattacks can cause far more issues than many organizations are prepared for. Ransomware can seriously impact production, and data theft can lead to very significant regulatory fines, especially for multinational or global organizations. Protecting against attacks like this can be challenging and requires the use of technical security controls, as well as having employees who are educated and trained to spot and report the most common way that breaches like this start, and that is simple phishing emails.”
(Added, 6:15 PM ET, July 19th, 2023. Stephan Chenette, Co-Founder and CTO at AttackIQ, wrote to offer some perspective on BlackCat specifically. "The BlackCat (a.k.a. ALPHV) ransomware group was formerly known as the DarkSide/BlackMatter gang, the group responsible for the Colonial Pipeline attack. It emerged as ransomware-as-a-service (RaaS) as early as mid-November 2021, providing would-be attackers with a highly configurable multi-platform ransomware strain written in Rust," Chenette said. "Ransomware attacks are an ever-looming threat. As reported in the 2023 Verizon DBIR, ransomware is present in more than 62% of all incidents committed by organized threat groups and 59% of all incidents with a financial motivation. The attack on Estee Lauder is another reminder that ransomware attacks are not slowing. To prevent similar attacks in the future, organizations must gain knowledge of the common tactics, techniques, and procedures used by common threat actors, which will help them build more resilient security detection, prevention, and response programs mapped precisely to those known behaviors. Organizations should also use automated solutions that safely validate their defensive controls against ransomware campaigns and their techniques to better prepare for the next threat.")
(Added, 7:45 PM ET, July 20th, 2023. Lior Yaari, CEO and co-founder of Grip Security, thinks the disclosures so far leave a number of questions unanswered. “This disclosure by Estee Lauder raises a lot of questions about how severe the breach was and what sensitive or confidential data is at risk," Yaari wrote. "If the ransomware gangs do have sensitive data, the company should contact the parties at risk so they can take measures to protect themselves. The amount of data that appears to be held for ransom is significant, so there are likely to be impacts to Estee Lauder’s employees, customers, or partners.”)