The Data Breach Thread


Moderators: Bakhtosh, EvilHomer3k

Kraken
Posts: 43771
Joined: Tue Oct 12, 2004 11:59 pm
Location: The Hub of the Universe

Re: The Data Breach Thread

Post by Kraken »

I use (free) Credit Karma for monitoring so I went for the cash, and claimed an hour for the time I spent freezing and unfreezing my reports at all three agencies. As I understand it, once the initial pool of money is depleted, Equifax has to come up with a supplemental appropriation. The story I read said it might take up to 4.5 years to get our money, and even then it probably won't be the full $125...but it will be more than the pittance in the initial payout.
Isgrimnur
Posts: 82252
Joined: Sun Oct 15, 2006 12:29 am
Location: Chookity pok

Re: The Data Breach Thread

Post by Isgrimnur »

Zynga
A hacker is reportedly claiming responsibility for a September data breach of popular mobile game Words with Friends that may have resulted in the theft of information from more than 200 million players' accounts, including names, email addresses, login IDs and more.

A hacker that goes by the name Gnosticplayers said they stole data from over 218 million Words with Friends player accounts, according to a report from Hacker News on Sunday. The hacker accessed a database that included data from Android and iOS players who installed the game before Sept. 2, according to the report.
It's almost as if people are the problem.
Rumpy
Posts: 12683
Joined: Sun Mar 27, 2005 6:52 pm
Location: Sudbury, Ontario, Canada

Re: The Data Breach Thread

Post by Rumpy »

Ouch, what a pain Zynga is. Yeah, I have a Words with Friends account, linked through Facebook no less. I've been playing WWF on my tablet. Following the breach, I've decided that I wanted to delete my data and my account. Should be relatively simple, right? Somewhere along the way, they introduced a Zynga ID and PIN system for such circumstances. The problem is, this feature is ONLY available in the newer Words with Friends 2. They actively tell people to download WWF2 to get to those features. Here's where the fun stuff starts. My tablet isn't supported by the newer version of the game, so I have to email them directly with a request. *sigh* In other words, my data is stuck in limbo unless I have the newer version of the app, which doesn't seem right at all as I doubt I'm the only one in a similar situation. Good thing I'm not in the EU! :lol:
PC:
Ryzen 5 3600
32GB RAM
2x1TB NVMe Drives
GTX 1660 Ti
Isgrimnur
Posts: 82252
Joined: Sun Oct 15, 2006 12:29 am
Location: Chookity pok

Re: The Data Breach Thread

Post by Isgrimnur »

Won't someone think of the children?!?
FBI Director Christopher Wray said Friday that Facebook’s proposed move to encrypt its popular messaging program would turn the platform into a “dream come true for predators and child pornographers.”
It's almost as if people are the problem.
Pyperkub
Posts: 23650
Joined: Mon Dec 13, 2004 5:07 pm
Location: NC- that's Northern California

Re: The Data Breach Thread

Post by Pyperkub »

How in the hell is Equifax still in business?
In addition to having admin and the user and the password, they stored unencrypted information on a public-facing server...

..."And, when Equifax did encrypt data, it left the keys to unlocking the encryption on the same public-facing servers, making it easy to remove the encryption from the data."
Black Lives definitely Matter Lorini!

Also: There are three ways to not tell the truth: lies, damned lies, and statistics.
coopasonic
Posts: 20982
Joined: Fri Mar 04, 2005 11:43 pm
Location: Dallas-ish

Re: The Data Breach Thread

Post by coopasonic »

Hey, not everyone can be good at the cyber!
-Coop
Black Lives Matter
Isgrimnur
Posts: 82252
Joined: Sun Oct 15, 2006 12:29 am
Location: Chookity pok

Re: The Data Breach Thread

Post by Isgrimnur »

ars technica
As many as 2,000 users of NordVPN, the virtual private network service that recently disclosed a server hack that leaked crypto keys, have fallen victim to credential-stuffing attacks that allow unauthorized access to their accounts.
...
Without exception, all of the plain-text passwords are weak. In some cases, they’re the string of characters to the left of the @ sign in the email address. In other cases, they’re words found in most dictionaries. Others appear to be surnames, sometimes with two or three numbers tacked onto the end. These common traits mean that the most likely way these passwords became public is through credential stuffing. That’s the term for attacks that take credentials divulged in one leak to break into other accounts that use the same username and password. Attackers typically use automated scripts to carry out these attacks.
...
It’s important for readers to know these lists don’t signal a breach on any NordVPN servers. The lists also don’t indicate that the breach disclosed 11 days ago was worse than the company said it was. Rather, these lists are the result of mistakes both on the part of users and NordVPN. For users, the error is choosing easy-to-guess passwords and using them on multiple sites. Security practitioners almost universally recommend people choose a long, random password that is unique for every account.

I’d argue that NordVPN shares the bulk of responsibility for the high incidence of compromised accounts on its site. Many services such as Google and Facebook proactively sift through credential lists available on both public sites and the Dark Web. When the sites find credentials that match those of their users, the sites notify the users and require a password reset. The sites increasingly are not allowing users to choose weak passwords in the first place or credentials that have been exposed in online dumps in the past.
Fidelity actually required a password update from me that they stated was due to a find in the credential list.
It's almost as if people are the problem.
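As an added illustration, not part of the thread or of the ars technica article quoted above, here is Python that does the two things the article says a service should do: refuse the weak password shapes it lists (the part of the email left of the @, dictionary words, a surname with two or three digits tacked on, anything already in a dump), and proactively sift a leaked credential list against the service's own salted password hashes so only the users whose leaked password actually matches get forced through a reset. The dictionary, surname list, dump entries and user table are all constructed for the example, and the PBKDF2 round count is kept low so it runs quickly.

```python
import hashlib
import hmac
import os
import re

# Constructed sample lists (not from the article). A real deployment would
# load a full dictionary and a breached-password feed instead of these.
DICTIONARY_WORDS = {"password", "sunshine", "dragon", "welcome", "letmein"}
COMMON_SURNAMES = {"smith", "jones", "garcia", "miller"}
EXPOSED_PASSWORDS = {"qwerty123", "iloveyou", "summer2019"}

# Keep only SHA-1 digests of the exposed passwords so the policy check never
# holds the cleartext dump; a candidate is hashed and looked up.
EXPOSED_HASHES = {hashlib.sha1(p.encode()).hexdigest() for p in EXPOSED_PASSWORDS}

MIN_LENGTH = 12
PBKDF2_ROUNDS = 10_000  # deliberately low for the example; production uses far more


def password_problems(email: str, password: str) -> list:
    """Return the reasons a password would be refused at signup or reset.

    An empty list means it passes. The checks mirror the weak patterns the
    article describes: the email local part, dictionary words, surnames with
    a short digit suffix, and anything already seen in a credential dump.
    """
    problems = []
    lowered = password.lower()
    local_part = email.split("@", 1)[0].lower()

    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if lowered == local_part or (len(local_part) >= 4 and local_part in lowered):
        problems.append("derived from the email address")
    if re.sub(r"\d+$", "", lowered) in DICTIONARY_WORDS:
        problems.append("dictionary word")
    m = re.fullmatch(r"([a-z]+)(\d{2,3})?", lowered)
    if m and m.group(1) in COMMON_SURNAMES:
        problems.append("surname with a short digit suffix")
    if hashlib.sha1(password.encode()).hexdigest() in EXPOSED_HASHES:
        problems.append("appears in a known credential dump")
    return problems


def make_record(password: str, salt: bytes = None) -> tuple:
    """Store a password as (salt, PBKDF2-HMAC-SHA256 hash), never as cleartext."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def accounts_needing_reset(users: dict, dump: list) -> list:
    """Sift a leaked (email, cleartext) list against our own salted hashes.

    Only accounts whose leaked password matches what they use here are
    returned; those are the ones to notify and force through a reset.
    """
    hits = set()
    for email, leaked_pw in dump:
        rec = users.get(email.lower())
        if rec is None:
            continue
        salt, stored = rec
        candidate = hashlib.pbkdf2_hmac("sha256", leaked_pw.encode(), salt, PBKDF2_ROUNDS)
        if hmac.compare_digest(candidate, stored):
            hits.add(email.lower())
    return sorted(hits)


# Constructed user table and constructed "dump" for the demonstration.
SAMPLE_USERS = {
    "alice@example.com": make_record("alice"),
    "bob@example.com": make_record("correct horse battery staple"),
    "carol@example.com": make_record("Miller42"),
}
SAMPLE_DUMP = [
    ("alice@example.com", "alice"),       # same password reused elsewhere
    ("bob@example.com", "hunter2"),       # leaked, but not bob's password here
    ("dave@example.com", "summer2019"),   # not one of our users at all
]

if __name__ == "__main__":
    for email, pw in [("alice@example.com", "alice"),
                      ("bob@example.com", "correct horse battery staple")]:
        print(email, password_problems(email, pw) or "OK")
    print("force reset:", accounts_needing_reset(SAMPLE_USERS, SAMPLE_DUMP))
```

The sift deliberately works from the leaked cleartext toward the stored hash, never the other way round: the service needs no cleartext of its own, and a leaked password for an email that is not a user, or that does not match the stored hash, produces nothing to act on.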
Isgrimnur
Posts: 82252
Joined: Sun Oct 15, 2006 12:29 am
Location: Chookity pok

Re: The Data Breach Thread

Post by Isgrimnur »

Krebs
As if the scourge of ransomware wasn’t bad enough already: Several prominent purveyors of ransomware have signaled they plan to start publishing data stolen from victims who refuse to pay up. To make matters worse, one ransomware gang has now created a public Web site identifying recent victim companies that have chosen to rebuild their operations instead of quietly acquiescing to their tormentors.
...
This is especially ghastly news for companies that may already face steep fines and other penalties for failing to report breaches and safeguard their customers’ data. For example, healthcare providers are required to report ransomware incidents to the U.S. Department of Health and Human Services, which often documents breaches involving lost or stolen healthcare data on its own site.

While these victims may be able to avoid reporting ransomware incidents if they can show forensic evidence demonstrating that patient data was never taken or accessed, sites like the one that Maze Ransomware has now erected could soon dramatically complicate these incidents.
It's almost as if people are the problem.
Rumpy
Posts: 12683
Joined: Sun Mar 27, 2005 6:52 pm
Location: Sudbury, Ontario, Canada

Re: The Data Breach Thread

Post by Rumpy »

This just happened in Canada with LifeLabs, a company providing general diagnostics and laboratory testing. They were hit with ransomware, and to prevent a leak of that data from being published, they paid off the ransom.

https://www.sudbury.com/local-news/life ... ck-1971429
PC:
Ryzen 5 3600
32GB RAM
2x1TB NVMe Drives
GTX 1660 Ti
Isgrimnur
Posts: 82252
Joined: Sun Oct 15, 2006 12:29 am
Location: Chookity pok

Re: The Data Breach Thread

Post by Isgrimnur »

The Hill
Apple and Google have reportedly both removed the messaging app ToTok from their online stores after The New York Times reported that it is a spy tool used by the United Arab Emirates (UAE) government.

Google removed the app from its store on Thursday and Apple removed it Friday, according to the Times. An Apple spokesman told the newspaper that the company was still researching the app.

People who have already downloaded ToTok can reportedly still use it until they decide to remove it.
...
The Times reported Sunday the UAE government uses the app in an attempt to track users' conversations, movement, relationships, appointments and images.
It's almost as if people are the problem.
Isgrimnur
Posts: 82252
Joined: Sun Oct 15, 2006 12:29 am
Location: Chookity pok

Re: The Data Breach Thread

Post by Isgrimnur »

WBOC
The Wawa convenience store chain is facing a wave of lawsuits over a data breach that affected its 850 locations along the East Coast.

Wawa Inc. discovered malware on its payment processing servers this month before stopping the breach Dec. 12, the company has said. Officials with the company, based in Wawa, Pennsylvania, believe the malware had been collecting card numbers, customer names and other data since as early as March.

The Philadelphia Inquirer reported Friday that at least six lawsuits seeking class-action status have been filed in federal court in Philadelphia.
...
The breach affected all stores, which stretch along the East Coast from Pennsylvania to Florida. In-store payments and payments at fuel dispensers were affected, but cash machines were not.

Wawa has said it will offer free credit card monitoring and identity theft prevention services to anyone whose information might have been collected.

Police are investigating, and the company has also hired a forensics firm to conduct an internal investigation.
It's almost as if people are the problem.
Pyperkub
Posts: 23650
Joined: Mon Dec 13, 2004 5:07 pm
Location: NC- that's Northern California

Re: The Data Breach Thread

Post by Pyperkub »

Uh, Defense Information Systems Agency...
The Defense Information Systems Agency, which calls itself a combat support agency of the Department of Defense on its web site, employs 8,000 military and civilian employees.

The letter says that between May and July 2019, personal data may have been compromised “in a data breach on a system hosted by,” the agency.
Black Lives definitely Matter Lorini!

Also: There are three ways to not tell the truth: lies, damned lies, and statistics.
RMC
Posts: 6744
Joined: Wed Oct 13, 2004 1:49 pm
Location: Elyria, Ohio

Re: The Data Breach Thread

Post by RMC »

Pyperkub wrote: Thu Feb 20, 2020 6:07 pm Uh, Defense Information Systems Agency...
The Defense Information Systems Agency, which calls itself a combat support agency of the Department of Defense on its web site, employs 8,000 military and civilian employees.

The letter says that between May and July 2019, personal data may have been compromised “in a data breach on a system hosted by,” the agency.
They lost my data back in the day as well. Wonder whose payroll they lost this time...
Difficulties mastered are opportunities won. - Winston Churchill
Sheesh, this is one small box. Thankfully, everything's packed in nicely this time. Not too tight nor too loose (someone's sig in 3, 2, ...). - Hepcat
Anonymous Bosch
Posts: 10514
Joined: Thu Oct 14, 2004 6:09 pm
Location: Northern California [originally from the UK]

Re: The Data Breach Thread

Post by Anonymous Bosch »

Unsurprisingly, China's aiming to thieve their way towards a COVID-19 treatment or vaccine to mask their humiliation over what Xi spread...

People’s Republic of China (PRC) Targeting of COVID-19 Research Organizations
FBI & CISA wrote:The Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA) are issuing this announcement to raise awareness of the threat to COVID-19-related research. The FBI is investigating the targeting and compromise of U.S. organizations conducting COVID-19-related research by PRC affiliated cyber actors and non-traditional collectors. These actors have been observed attempting to identify and illicitly obtain valuable intellectual property (IP) and public health data related to vaccines, treatments, and testing from networks and personnel affiliated with COVID-19-related research. The potential theft of this information jeopardizes the delivery of secure, effective, and efficient treatment options.

The FBI and CISA urge all organizations conducting research in these areas to maintain dedicated cybersecurity and insider threat practices to prevent surreptitious review or theft of COVID-19-related material. FBI is responsible for protecting the U.S. against foreign intelligence, espionage, and cyber operations, among other responsibilities. CISA is responsible for protecting the Nation’s critical infrastructure from physical and cyber threats. CISA is providing services and information to support the cybersecurity of federal and state/local/tribal/territorial entities, and private sector entities that play a critical role in COVID-19 research and response.

RECOMMENDATIONS
• Assume that press attention affiliating your organization with COVID-19 related research will lead to increased interest and cyber activity.
• Patch all systems for critical vulnerabilities, prioritizing timely patching for known vulnerabilities of internet-connected servers and software processing internet data.
• Actively scan web applications for unauthorized access, modification, or anomalous activities.
• Improve credential requirements and require multi-factor authentication.
• Identify and suspend access of users exhibiting unusual activity.

VICTIM REPORTING AND ADDITIONAL INFORMATION
The FBI encourages victims to report information concerning suspicious or criminal activity to their local field office (www.fbi.gov/contact-us/field). For additional assistance and best practices, such as cyber hygiene vulnerability scanning, please visit https://www.cisa.gov/coronavirus.
"There is only one basic human right, the right to do as you damn well please. And with it comes the only basic human duty, the duty to take the consequences." — P. J. O'Rourke
Max Peck
Posts: 13739
Joined: Fri Aug 05, 2005 8:09 pm
Location: Down the Rabbit-Hole

Re: The Data Breach Thread

Post by Max Peck »

I doubt that this is a uniquely Chinese activity. I expect that every country with an espionage capability is trying their best to see what every country with a vaccine research capability is cooking up.
"What? What? What?" -- The 14th Doctor

It's not enough to be a good player... you also have to play well. -- Siegbert Tarrasch
Unagi
Posts: 26472
Joined: Wed Sep 20, 2006 5:14 pm
Location: Chicago

Re: The Data Breach Thread

Post by Unagi »

Also a sad illumination to the fact that the world can’t work together to solve a common problem of this magnitude

I imagine if aliens invaded, we would all be busy undermining each other’s efforts to ‘save the world’ , because there is no way we are letting those commies save ‘Mercia !
stessier
Posts: 29838
Joined: Tue Dec 21, 2004 12:30 pm
Location: SC

Re: The Data Breach Thread

Post by stessier »

Unagi wrote: Sun May 17, 2020 9:24 am Also a sad illumination to the fact that the world can’t work together to solve a common problem of this magnitude
Yeah - I was thinking rather than guarding the secrets, they should be opening the servers and making sure everyone knows what is being tried. My bad.
I require a reminder as to why raining arcane destruction is not an appropriate response to all of life's indignities. - Vaarsuvius
Global Steam Wishmaslist Tracking
Running____2014: 1300.55 miles____2015: 2036.13 miles____2016: 1012.75 miles____2017: 1105.82 miles____2018: 1318.91 miles__2019: 2000.00 miles
Anonymous Bosch
Posts: 10514
Joined: Thu Oct 14, 2004 6:09 pm
Location: Northern California [originally from the UK]

Re: The Data Breach Thread

Post by Anonymous Bosch »

stessier wrote: Sun May 17, 2020 11:11 am
Unagi wrote: Sun May 17, 2020 9:24 am Also a sad illumination to the fact that the world can’t work together to solve a common problem of this magnitude
Yeah - I was thinking rather than guarding the secrets, they should be opening the servers and making sure everyone knows what is being tried. My bad.
Good luck convincing the Maoist totalitarian state that deliberately and brutally suppressed and destroyed vital evidence of the coronavirus outbreak and refused to provide live samples to international scientists working on a vaccine:

Coronavirus NSW: Dossier lays out case against China bat virus program
DailyTelegraph.com.au wrote:China deliberately suppressed or destroyed evidence of the coronavirus outbreak in an “assault on international transparency’’ that cost tens of thousands of lives, according to a dossier prepared by concerned Western governments on the COVID-19 contagion.

The 15-page research document, obtained by The Saturday Telegraph, lays the foundation for the case of negligence being mounted against China.

It states that to the “endangerment of other countries” the Chinese government covered-up news of the virus by silencing or “disappearing” doctors who spoke out, destroying evidence of it in laboratories and refusing to provide live samples to international scientists who were working on a vaccine.
"There is only one basic human right, the right to do as you damn well please. And with it comes the only basic human duty, the duty to take the consequences." — P. J. O'Rourke
malchior
Posts: 24795
Joined: Wed Oct 13, 2004 12:58 pm

Re: The Data Breach Thread

Post by malchior »

Max Peck wrote: Sun May 17, 2020 9:16 am I doubt that this is a uniquely Chinese activity. I expect that every country with an espionage capability is trying their best to see what every country with a vaccine research capability is cooking up.
Definitely. It's national security for every major power now. That anyone thinks we don't have people 'thieving' too would be pretty naive.
Isgrimnur
Posts: 82252
Joined: Sun Oct 15, 2006 12:29 am
Location: Chookity pok

Re: The Data Breach Thread

Post by Isgrimnur »

It's almost as if people are the problem.
Kraken
Posts: 43771
Joined: Tue Oct 12, 2004 11:59 pm
Location: The Hub of the Universe

Re: The Data Breach Thread

Post by Kraken »

Isgrimnur wrote: Sun Oct 04, 2020 12:00 am PKD Foundation
MHS alert! I knew it wasn't going to be about Phillip K Dick.
Pyperkub
Posts: 23650
Joined: Mon Dec 13, 2004 5:07 pm
Location: NC- that's Northern California

Re: The Data Breach Thread

Post by Pyperkub »

Barnes & Noble:
The effects of the collapse were first felt on Sunday, with owners of B&N's Nook tablets discovering they were unable to download their purchased e-books to their gadgets nor buy new ones. That is to say, if they had bought an e-book and hadn't downloaded it to their device before B&N's cloud imploded, they would be unable to open and read the digital tome. The bookseller's Android and Windows 10 apps were similarly affected.

It soon became clear the problem was quite serious when some cash registers in Barnes and Noble’s physical stores also briefly stopped working...

...B&N has yet to confirm any details of the ongoing network collapse – which has spanned at least three days now – though it is whispered that malware may have taken hold of the bookseller's machines and spread to stores and the Nook cloud. The company told The Register it has “a network issue and are in the process of restoring our server backups,” which sounds like a ransomware attack.
Black Lives definitely Matter Lorini!

Also: There are three ways to not tell the truth: lies, damned lies, and statistics.
Smoove_B
Posts: 54667
Joined: Wed Oct 13, 2004 12:58 am
Location: Kaer Morhen

Re: The Data Breach Thread

Post by Smoove_B »

Proctortrack:
The online proctoring service ProctorTrack has disabled access to their service after its parent company was hacked.

With many schools and colleges performing remote learning, including tests, online proctoring services are increasingly being used to prevent students from cheating.

...

Starting yesterday, students began receiving emails sent by the hacker from the Verificient Support account. This email contained racial slurs, and falsely stated that the company and ProctorTrack were ceasing operations.

To add further damage, the hackers trolled Verificient by defacing the company's website to display the video for Rick Astley's "Never Gonna Give You Up."

...

In addition to this week's hack, the source code for various Verificient apps was leaked last week on Twitter and Telegram.

The source code was leaked by Tillie Kottman, who also leaked the source code for dozens of companies in July and Intel source code in August.
Maybe next year, maybe no go
Jaymann
Posts: 19458
Joined: Mon Oct 25, 2004 7:13 pm
Location: California

Re: The Data Breach Thread

Post by Jaymann »

WTF? Barnes & Noble? Sounds like a death knell.
Jaymann
]==(:::::::::::::>
Black Lives Matter
MHS
Posts: 9808
Joined: Tue Oct 12, 2004 10:21 pm
Location: Longmont CO

Re: The Data Breach Thread

Post by MHS »

Kraken wrote: Sun Oct 04, 2020 12:46 am
Isgrimnur wrote: Sun Oct 04, 2020 12:00 am PKD Foundation
MHS alert! I knew it wasn't going to be about Phillip K Dick.
I just saw this! They definitely have a lot of my information. :( :(
Black Lives Matter. No human is illegal. Women's rights are human rights. Love is love. Science is real. Kindness is everything.
Anonymous Bosch
Posts: 10514
Joined: Thu Oct 14, 2004 6:09 pm
Location: Northern California [originally from the UK]

Re: The Data Breach Thread

Post by Anonymous Bosch »

MHS wrote: Thu Nov 05, 2020 5:33 pm
Kraken wrote: Sun Oct 04, 2020 12:46 am
Isgrimnur wrote: Sun Oct 04, 2020 12:00 am PKD Foundation
MHS alert! I knew it wasn't going to be about Phillip K Dick.
I just saw this! They definitely have a lot of my information. :( :(
If you have not already done so, be sure to freeze your credit files at the major bureaus along with Innovis and the National Consumer Telecommunications and Utilities Exchange (NCTUE). Doing so is completely free, and the aforementioned link provides the relevant details for each of 'em.
"There is only one basic human right, the right to do as you damn well please. And with it comes the only basic human duty, the duty to take the consequences." — P. J. O'Rourke
MHS
Posts: 9808
Joined: Tue Oct 12, 2004 10:21 pm
Location: Longmont CO

Re: The Data Breach Thread

Post by MHS »

Anonymous Bosch wrote: Thu Nov 05, 2020 5:57 pm
MHS wrote: Thu Nov 05, 2020 5:33 pm
Kraken wrote: Sun Oct 04, 2020 12:46 am
Isgrimnur wrote: Sun Oct 04, 2020 12:00 am PKD Foundation
MHS alert! I knew it wasn't going to be about Phillip K Dick.
I just saw this! They definitely have a lot of my information. :( :(
If you have not already done so, be sure to freeze your credit files at the major bureaus along with Innovis and the National Consumer Telecommunications and Utilities Exchange (NCTUE). Doing so is completely free, and the aforementioned link provides the relevant details for each of 'em.
Thanks. :)
Black Lives Matter. No human is illegal. Women's rights are human rights. Love is love. Science is real. Kindness is everything.
LordMortis
Posts: 70196
Joined: Tue Oct 12, 2004 11:26 pm

Re: The Data Breach Thread

Post by LordMortis »

CNBC is reporting on FireEye and the Treasury department attacks along side Google experiencing outages without comment this morning.
RMC
Posts: 6744
Joined: Wed Oct 13, 2004 1:49 pm
Location: Elyria, Ohio

Re: The Data Breach Thread

Post by RMC »

LordMortis wrote: Mon Dec 14, 2020 8:44 am CNBC is reporting on FireEye and the Treasury department attacks along side Google experiencing outages without comment this morning.
Yeah, lots of kids getting home schooling using google docs are having a nice little "snow day" today.
Difficulties mastered are opportunities won. - Winston Churchill
Sheesh, this is one small box. Thankfully, everything's packed in nicely this time. Not too tight nor too loose (someone's sig in 3, 2, ...). - Hepcat
Paingod
Posts: 13135
Joined: Wed Aug 25, 2010 8:58 am

Re: The Data Breach Thread

Post by Paingod »

We're on DAY 11 of our outage with Netgain. All of our patient data is tied up on their cloud servers and they're not releasing any of it.

They were hit with Russian ransomware that permeated their Domain Controllers and they had to saturation bomb their environment to get rid of it - rebuilding everything. I'm guessing it even ruined their backups. They flipped the switch on the business and went dark on December 3rd when they realized what was happening. It may have protected client data - all the thousands of servers they're hosting - but no one is being allowed to access their data in any fashion. They claim to be working with both law enforcement and disaster recovery specialists to get us back online. They've said four times now that they were bringing things back up, and four times it's been delayed. There's a chance that client data was destroyed, but they're keeping quiet about what is or isn't salvageable. As far as we know, our data is safe and simply dormant. It could be that our virtual server was encrypted and everything was lost. We have no idea. The folks I report to are chewing on their desks in anger and anxiety. I'm just glad it's not my fault.

11 Days. Nothing is out for 11 days on the internet, ever. This kind of event shapes policies and what's considered "best practice" for years to come.

I also expect Netgain will be out of business within 6 months and another big company will gobble up their infrastructure to recycle it.
Black Lives Matter

2021-01-20: The first good night's sleep I had in 4 years.
RMC
Posts: 6744
Joined: Wed Oct 13, 2004 1:49 pm
Location: Elyria, Ohio

Re: The Data Breach Thread

Post by RMC »

RMC wrote: Mon Dec 14, 2020 8:49 am
LordMortis wrote: Mon Dec 14, 2020 8:44 am CNBC is reporting on FireEye and the Treasury department attacks along side Google experiencing outages without comment this morning.
Yeah, lots of kids getting home schooling using google docs are having a nice little "snow day" today.
And found out FireEye was hit from Solarwinds? Solarwinds is a patching and server monitoring software. Apparently Solarwinds allowed the bad guys in, and then they were able to push their own "patches" out to servers.

We have Solarwinds, but have not been breached, but the government is supposed to shut down all solarwinds servers ASAP. Wow...
Difficulties mastered are opportunities won. - Winston Churchill
Sheesh, this is one small box. Thankfully, everything's packed in nicely this time. Not too tight nor too loose (someone's sig in 3, 2, ...). - Hepcat
malchior
Posts: 24795
Joined: Wed Oct 13, 2004 12:58 pm

Re: The Data Breach Thread

Post by malchior »

RMC wrote: Mon Dec 14, 2020 10:04 am
RMC wrote: Mon Dec 14, 2020 8:49 am
LordMortis wrote: Mon Dec 14, 2020 8:44 am CNBC is reporting on FireEye and the Treasury department attacks along side Google experiencing outages without comment this morning.
Yeah, lots of kids getting home schooling using google docs are having a nice little "snow day" today.
And found out FireEye was hit from Solarwinds? Solarwinds is a patching and server monitoring software. Apparently Solarwinds allowed the bad guys in, and then they were able to push their own "patches" out to servers.
It looks like what we call a supply chain hack. This isn't a new technique but this probably had the biggest consequences in recent memory. What happened from publicly released information is this is believed to be the work of APT29 aka Cozy Bear aka other names (different threat intel providers have different labels for these groups). In essence, it means the Russian military. They breached SolarWinds and set up shop. They then allegedly injected backdoors into the Solarwinds Orion code base. This is a very sophisticated and time consuming operation. They likely were in SolarWinds for awhile to be able to pull this off.

We have Solarwinds, but have not been breached, but the government is supposed to shut down all solarwinds servers ASAP. Wow...
Hopefully this is true. It likely comes to which product you have, what version, and when it was last updated. This might be one of those rare times where bad security hygiene actually pays off. :doh:

Context for others:
Orion is SolarWinds' enterprise network monitoring product. If you are familiar with WhatsUpGold...it is that product's big brother. It can monitor up/down on servers/network ports etc. through ping, SNMP, and other protocols. Many, many corporations use it to monitor their networks which is why everyone is having a bit of a meltdown over the weekend over this.

What does this mean? On the surface, there are a couple of things you can surmise. SolarWinds themselves weren't doing enough to protect their network, were blind to a long-term intrusion, and had lax protection for their premier network monitoring product. That code was inserted and made it through to the customer patch pipeline is not great. It isn't clear yet if this was pushed out to multiple customers or what version was affected.

I've seen a little threat intel coming through on suspected code versions but that is why they are just telling everyone to just shut them down at the moment while the investigation continues. The bad thing is that shutting it down leaves you blind to other attacks because now you aren't monitoring your network. Is it better to shut it down? Isolate it? Cut it off from the Internet? All questions people are wrestling with at this time.
malchior
Posts: 24795
Joined: Wed Oct 13, 2004 12:58 pm

Re: The Data Breach Thread

Post by malchior »

I was at an industry networking event tonight (via Zoom naturally) and one of the participants called out that Solarwinds had fired his company during a security assessment because they pointed out the supply chain attack risk. I put it out there as a really? moment because usually people don't talk about their clients this openly but also not right after they are in the headlines. Very unusual but interesting information if this turns into lawsuits.
FishPants
Server WhOOre
Posts: 4661
Joined: Fri Oct 15, 2004 1:38 pm
Location: Canada

Re: The Data Breach Thread

Post by FishPants »

This is a very very difficult week in cyber security; more or less a seismic event that will definitely change the course in what we do in a LOT of ways.

That being said - take it from this guy, don't just look at your version of Solarwinds and say you aren't affected. Go read those indicators of compromise and check for those DLL files, and absolutely check your DNS logs and web logs for connections to that CNC infrastructure. The virus lies dormant for up to 2 weeks (dormancy period is randomized based on system variables, naming etc all put through an algorithm) and generates a request to a random subdomain of the CNC infrastructure. Once it communicates, your shit is popped. <-- technical term.
No.
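An added example, not part of FishPants' or malchior's posts, of the DNS-log check FishPants describes: walk the query log, flag any lookup that equals or sits under a watchlisted C2 parent domain, and score the leftmost label's Shannon entropy, because a randomised subdomain reads as a high-entropy label while a normal hostname does not. Everything here is constructed: the log format is a simplified query-log line rather than any particular resolver's format, the watchlist entry is a placeholder rather than a real indicator (those come from the published IOC list), and the 3.0-bit threshold is a rough heuristic. Since the post says the dormancy can run up to two weeks, the lines you feed it should cover the whole retention window, not just today's log.

```python
import math
import re
from collections import Counter

# Placeholder C2 parent domain. Real indicators come from the vendor's
# published IOC list; nothing here is an actual indicator.
C2_WATCHLIST = {"c2-placeholder.example"}

# Constructed, simplified query-log line:
#   "<iso-timestamp> client <ip>#<port> query: <name> IN <type>"
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) client (?P<client>[\d.]+)#\d+ query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)

# Constructed sample log: two benign lookups, one randomised-label lookup
# under the watchlisted domain, and one bare lookup of the parent itself.
SAMPLE_LOG = """\
2020-12-14T09:12:01Z client 10.0.5.17#51234 query: www.example.com IN A
2020-12-14T09:12:07Z client 10.0.5.17#51240 query: k7mq3xz9p2w4.api.c2-placeholder.example IN A
2020-12-14T09:13:22Z client 10.0.9.3#40001 query: mail.example.com IN MX
2020-12-14T09:14:45Z client 10.0.5.22#53321 query: c2-placeholder.example IN A
"""


def shannon_entropy(text: str) -> float:
    """Bits per character; random-looking labels score higher than word-like ones."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def watchlisted_parent(qname: str, watchlist) -> str:
    """Return the watchlist entry that qname equals or sits under, else None."""
    for domain in watchlist:
        if qname == domain or qname.endswith("." + domain):
            return domain
    return None


def hunt_dns_log(lines, watchlist=C2_WATCHLIST, entropy_threshold=3.0) -> list:
    """Return (client, qname, reason) for every query touching a watchlisted domain."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        qname = m["qname"].rstrip(".").lower()
        parent = watchlisted_parent(qname, watchlist)
        if parent is None:
            continue
        # Leftmost label of whatever sits under the watchlisted parent; the
        # randomised subdomain the post describes shows up as high entropy.
        prefix = qname[: -len(parent) - 1] if qname != parent else ""
        leftmost = prefix.split(".")[0] if prefix else ""
        ent = shannon_entropy(leftmost)
        reason = "query under watchlisted domain"
        if ent >= entropy_threshold:
            reason += f", high-entropy label ({ent:.2f} bits)"
        hits.append((m["client"], qname, reason))
    return hits


def hosts_to_isolate(hits) -> list:
    """Distinct source IPs from the hits: the hosts to pull off the network and image."""
    return sorted({client for client, _, _ in hits})


if __name__ == "__main__":
    found = hunt_dns_log(SAMPLE_LOG.splitlines())
    for client, qname, reason in found:
        print(f"{client:<12} {qname:<45} {reason}")
    print("isolate:", hosts_to_isolate(found))
```

A hit on the bare parent domain is still a hit: the entropy score only ranks how much the label looks like the randomised pattern, it never downgrades a match on the watchlist itself.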
Freyland
Posts: 3050
Joined: Sat Jan 01, 2005 11:03 pm

Re: The Data Breach Thread

Post by Freyland »

Do we lay-people use Solar Winds?
Sims 3 and signature unclear.
RMC
Posts: 6744
Joined: Wed Oct 13, 2004 1:49 pm
Location: Elyria, Ohio

Re: The Data Breach Thread

Post by RMC »

Freyland wrote: Fri Dec 18, 2020 4:30 pm Do we lay-people use Solar Winds?
No, it's a server monitoring tool.
Difficulties mastered are opportunities won. - Winston Churchill
Sheesh, this is one small box. Thankfully, everything's packed in nicely this time. Not too tight nor too loose (someone's sig in 3, 2, ...). - Hepcat
Freyland
Posts: 3050
Joined: Sat Jan 01, 2005 11:03 pm

Re: The Data Breach Thread

Post by Freyland »

RMC wrote: Fri Dec 18, 2020 7:52 pm
Freyland wrote: Fri Dec 18, 2020 4:30 pm Do we lay-people use Solar Winds?
No, it's a server monitoring tool.
Ty!
Sims 3 and signature unclear.
Pyperkub
Posts: 23650
Joined: Mon Dec 13, 2004 5:07 pm
Location: NC- that's Northern California

Re: The Data Breach Thread

Post by Pyperkub »

Brazil. The whole damn country, and then an additional ~15%.
Personal information of more than 243 million Brazilians was exposed for more than six months thanks to weakly encoded credentials stored in the source code of the Brazilian Ministry of Health’s website....

...The data leak exposed people’s full names, addresses, phone numbers, and full medical records of Brazilians that signed up for the government’s public-funded healthcare system.

Approximately 32 million medical records belonged to deceased Brazilians, given that the country’s population was 211 million in 2019.
Black Lives definitely Matter Lorini!

Also: There are three ways to not tell the truth: lies, damned lies, and statistics.
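An added example, not part of Pyperkub's post or of the article it quotes, of the class of mistake described above: credentials that are merely base64-encoded (reversible by anyone who reads the page source) and then committed into a website's code. The scanner below is the kind of pre-commit check that catches this. It decodes every long base64-looking token in a source file and reports those that decode to `user:password` or to text containing a password-like keyword (`senha` is included because the site in question is Portuguese-language), and it also reports plain hard-coded secret assignments. The sample source is constructed for the example and is not the ministry's code; the findings redact the secret itself.

```python
import base64
import re
import string

# Constructed sample source file, not the real site's code. It mixes one
# base64-wrapped credential, one hard-coded secret and one harmless base64
# string so the scanner's filtering is visible.
SAMPLE_SOURCE = """\
// constructed sample, not a real site
const API_BASE = "https://api.internal.example/v1";
const AUTH_HEADER = "Basic " + "c3lzdXNlcjpQYXNzd29yZDEyMzQ=";
const dbPassword = "hunter2hunter2";
const cacheKey = "dXNlcl9zZXNzaW9uX2NhY2hl";
"""

# Long runs of base64 alphabet characters, optionally padded.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
# identifier containing a secret-like keyword, assigned a quoted literal
SECRET_ASSIGN = re.compile(
    r"""(?i)(?P<name>\w*(?:password|passwd|pwd|secret|senha|token)\w*)\s*[:=]\s*["'](?P<value>[^"']{4,})["']"""
)
USER_COLON_PASS = re.compile(r"^[\w.\-@]{2,64}:\S{4,}$")
KEYWORDS = ("password", "passwd", "senha", "secret", "token")


def decode_printable_base64(token: str):
    """Decode a base64 token; return the text only if it is printable, else None."""
    padded = token + "=" * (-len(token) % 4)
    try:
        raw = base64.b64decode(padded, validate=True)
        text = raw.decode("utf-8")
    except (ValueError, UnicodeDecodeError):   # binascii.Error is a ValueError
        return None
    if not text or not all(ch in string.printable for ch in text):
        return None
    return text


def scan_source(source: str) -> list:
    """Return (line_no, kind, detail) findings; the secret value is never echoed."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), 1):
        m = SECRET_ASSIGN.search(line)
        if m:
            findings.append((line_no, "hard-coded secret assignment", m["name"]))
        for token in B64_TOKEN.findall(line):
            text = decode_printable_base64(token)
            if text is None:
                continue
            if USER_COLON_PASS.match(text):
                user = text.split(":", 1)[0]
                findings.append((line_no, "base64-wrapped user:password", user + ":<redacted>"))
            elif any(k in text.lower() for k in KEYWORDS):
                findings.append((line_no, "base64-wrapped secret-like text", "<redacted>"))
    return findings


if __name__ == "__main__":
    for line_no, kind, detail in scan_source(SAMPLE_SOURCE):
        print(f"line {line_no}: {kind} ({detail})")
```

The harmless `cacheKey` string decodes cleanly but is neither a `user:password` pair nor keyword-bearing, so it is not reported; that filtering is what keeps a scanner like this usable on a real code base. The fix for a real finding is to move the value out of the source entirely (environment, secret store) and rotate it, since encoding it differently would change nothing.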
Max Peck
Posts: 13739
Joined: Fri Aug 05, 2005 8:09 pm
Location: Down the Rabbit-Hole

Re: The Data Breach Thread

Post by Max Peck »

Cyberpunk 2077 makers CD Projekt hit by ransomware hack

The maker of popular video game Cyberpunk 2077 has been hacked in a ransomware attack.

CD Projekt Red said hackers had accessed its internal network, digitally scrambled some of its data servers and tried to blackmail it.

The perpetrators claim to have stolen source code for several of the firm's games which they said they would leak unless a payment was made.

But the Polish games company said it would not negotiate.

In a statement on Twitter, CD Projekt Red posted a copy of the ransom note which said the hackers had copied code from Cyberpunk 2077, Gwent, and Witcher 3, including an unreleased version of the latter.
"What? What? What?" -- The 14th Doctor

It's not enough to be a good player... you also have to play well. -- Siegbert Tarrasch
Rumpy
Posts: 12683
Joined: Sun Mar 27, 2005 6:52 pm
Location: Sudbury, Ontario, Canada

Re: The Data Breach Thread

Post by Rumpy »

Well, they're going to be disappointed in Cyberpunk 2077 ;) Unless they think they can improve on it??
PC:
Ryzen 5 3600
32GB RAM
2x1TB NVMe Drives
GTX 1660 Ti