Monthly Breach Report: May 2021 Edition
Breaches in 2021 continue to become more sophisticated and even more bizarre. The amounts of reported stolen personal data have been extraordinary. On those counts, April 2021 held up the trend.
Facebook Proves Itself Tone Deaf, Again
Sensitive, personal information of over a half-billion Facebook users has been publicly posted online. The data belonging to users from 106 countries includes personal facts such as full names, phone numbers, relationship status and partner names, birth dates, bios, locations, Facebook IDs, and email addresses.
The entire set of leaked data published online was discovered and reported by a cybercrime intelligence firm, Hudson Rock. “A database of that size containing the private information such as phone numbers of a lot of Facebook’s users would certainly lead to bad actors taking advantage of the data to perform social engineering attacks [or] hacking attempts,” noted a spokesperson. Impersonating users in transactions and tricking victims into handing over credentials in phony offers to help solve a contrived issue are ways cybercriminals use these personal data elements.
While the public posting of the personal data occurred in April 2021, the actual leak reportedly occurred in 2019. At that time, Facebook did not reach out to those users, simply offered a reference page for anyone interested in modifying privacy settings.
The only options available to concerned users are third-party security sites that will discover when and where their leaked data has been found. As to the dataset itself, Facebook noted it is striving to have it taken down and “will continue to aggressively go after malicious actors who misuse our tools wherever possible.”
Days after the Facebook trove was discovered in April, an aggregation of LinkedIn scraped data was discovered up for sale on a hacker forum. Over 780,000 associated email addresses are revealed, belonging to more than a half billion people. Leaked data included full names, genders, email addresses, phone numbers, work histories and titles, workplaces information, and other work-related information, all potentially resulting in privacy impacts.
The personal information itself has been put up for sale by auction. As the story unfolded, additional collections were put up for sale by other criminals, claiming they too had the original 500 million users’ information plus the same types of personal information of an additional 327 million LinkedIn profiles.
LinkedIn, owned by Microsoft (which has been experiencing its own cybersecurity vulnerabilities this year), indicates the data was not from a breach. Attackers use the exact same APIs that web and mobile applications use to extract the data. Then, they engage automation to amass the datasets at scale and aggregate it to become valuable for other criminal uses like brute forcing, phishing, social engineering, credential stuffing, and spamming. The aggregated information also makes quasi-intelligent, accurate guessing of passwords more likely.
Had the personal data that LinkedIn held been identified at the outset, classified, and immediately and persistently been protected, no matter what the APIs held, the extracted data would have been meaningless to criminals and of no value in attempting to sell. Protecting personal data is always in the company’s best reputation and revenue interest and deepens the company’s customers’ trust and ongoing use.
Washington, D.C. Police Department May Need More Overhaul
At least 26 government entities and additional police departments across the US have been identified as under cyberattack in 2021 already. During April, the Washington, D.C. Police Department is reported to have been breached, with personal information stolen and held by cybercriminals.
A Russian-speaking criminal organization claims to have pulled down over 250 gigabytes of sensitive and personal data from the police servers. The group, Babuk, has already briefly released some sensitive data as proof, including reports of the Chief of Police, lists of the department’s arrests, and even identifying information of persons of interest. Typically, if Babuk’s demands are not answered, data is leaked. This would put police and the public in serious danger.
The FBI has been brought in to assist in the investigation. The Biden administration assigned an acting deputy attorney general to lead a ransomware taskforce of the FBI and Justice Department prosecutors of criminal and national security division teams to identify the security weaknesses, block further damage, and stem the leaks.
The Biden administration is also issuing an executive order to shore up US cyberdefenses against both domestic and foreign adversaries.
Clubhouse, a newer invitation-only social company that emerged in 2019, acts somewhat like a conference center offering various rooms for people to talk about just about anything and invite guests to listen in with them. It’s audio-only and forbids users from recording. It’s being used well in playful pursuits and intellectual conversations, though also misused to spread misinformation about important current topics, sparking controversy and protests. Clubhouse has an uncanny amount of venture buzz and investment. It attracts attention. Some of that attention would seem undesirable, yet Clubhouse remains characteristically relaxed about it.
Much like the giants Facebook and LinkedIn, Clubhouse users’ personal information was scraped in April—likely via their API—and put in a SQL database containing 1.3 million user records. The database has been leaked for free in a popular hacker forum. The company claims Cluhouse itself did not experience a leak and that anybody can go collect and download public profiles’ information on any scale.
There’s also a privacy issue being reported about the social media platform itself. It seems to have no security tools in place to make it hard to scrape the data. Further, the company itself does record conversations in rooms, which they say is purely for investigation purposes, then deletes the recordings if there is no incident. However, those audio files are not encrypted end-to-end. That is just one of several areas Clubhouse doesn’t meet EU regulations; others include the storage and use of data.
The personal information scraped in the April 2021 incident includes names, user IDs, photos, usernames, Twitter and Instagram handles, and the chain of user file invitations to the app or rooms. Plenty of the information can be used to derive insights into people’s lives beyond the immediate data itself. The carefree company attitude and the lack of measures to protect users privacy may be seen as somewhat reckless.
Dark Web Vaccine Marketplace Hacked and Refunded Fake Orders in Bitcoin
In a very twisted pandemic-times series of events, and as April Fool’s Day rolled in, a dark web marketplace advertising and selling COVID-19 vaccines and documentation—including fake vaccination certificates or fake COVID-19 test results—was taken down by a hacker. The report notes that dark web advertising for vaccines increased over 300 percent in 2021. The target buyer market include employees, and those wanting to travel, cross borders, and attend events. “The vaccines advertised include Oxford-AstraZeneca (at $500), Johnson & Johnson ($600), the Russian Sputnik vaccine ($600) and the Chinese SINOPHARM vaccine,” according to the reported research.
The hacker created fake orders, then immediately cancelled them using the seller account, which in turn generated refunds to the hacker, which the hacker withdrew instantly. The hacker’s take was in Bitcoin and is valued at over $752,000.
Make sure your private data isn’t next month’s big headline. Find out how PK Protect can safeguard your business’ data and its reputation. Get a free demo now.