In a week full of cyber-incidents and marked by the Valentine’s Day holiday, data breach news was surging. Equifax may have been hacked by spies, two huge credential spills on the Dark Web did their part to endanger people online and several companies admitted to data exposures, data breaches and web vulnerabilities that threatened privacy. Plus, a facial-recognition company in China is collecting all kinds of information on random citizens, one researcher says.
Check out our overview of the week’s data-exposure highlights (or low-lights, depending on your perspective), below.
It’s been 17 months since the infamous 2017 Equifax data breach was revealed to have compromised the data of about 147.9 million people (i.e., almost every adult in the U.S., with more than 45 percent of the population directly affected by the incident). But an investigative report from CNBC found that, curiously, the data hasn’t yet turned up on the Dark Web. According to the outlet’s threat-hunter sources, it’s increasingly looking like it was a spy job, carried out by a nation-state, not criminals bent on ID theft or financial gain.
Unlike Equifax, the stolen records from the March 2018 MyFitnessPal breach, which affected 150 million users of that app, have finally made an appearance on the criminal underground, as part of a much larger credential spill that we’ll discuss in a moment. Victims’ user names, email addresses and hashed passwords are caught up in the incident – but until now, the data was nowhere to be found.
The MyFitnessPal data makes up one part of the 617 million records stolen from 16 hacked websites that are now for sale on the Dark Web. Information from Dubsmash, Armor Games, Whitepages, ShareThis and more are collectively going for less than $20,000 in Bitcoin on the Dream Market underground forum. The data, uncovered by the Register, consists of account names, email addresses and hashed passwords; and in some cases, location and other personal details, and social media authentication tokens. No credit-card info though.
Popular dating app Coffee Meets Bagel this week sent its users an email notifying them that their data may have been “acquired by an unauthorized party.” The dating site said users’ names and email addresses that were added to the system prior to May 2018 may be impacted. Users received notice of the breach (ironically) on Feb. 14, in an email which was shared with Threatpost. It turns out the information is part of the aforementioned massive 6.2 million-record database dump.
Just in time for Valentine’s Day, when cybercriminals turn their sights to romance-seekers leading up to the holiday, a critical flaw in the OkCupid app was found that could allow a bad actor to steal credentials, launch man-in-the-middle attacks or completely compromise the victim’s application, exposing sensitive data. Unfortunately, the newly disclosed vulnerability is incredibly easy to exploit, researchers said. And earlier in the week, the dating app suffered a separate account-takeover incident likely involving credential-stuffing, where users were locked out of accounts; the site denied a data breach.
File under here we go again: Just days after the 6.2 million records showed up on Dream Market, the same cybercriminals (going by the handle “gnosticplayers”) released a fresh batch of 127 million records stolen from eight companies. According to reports, the data carried an asking price of $14,500 in Bitcoin. In addition to names, emails and hashed passwords, this cache also includes cracked passwords and passport numbers. Among the impacted companies are the popular online home goods store Houzz, travel site ixigo and gaming destination StrongHoldKingdoms.
The photo-sharing site 500px allows photographers to display and sell their work online; but it said this week that a hack of its servers last summer allowed criminals to abscond with user data from 14.8 million accounts. Names, usernames, email addresses, hashed passwords, birthdays, geographic location and gender were all caught up in the heist. 500px discovered the issue Feb. 8, shortly before the data turned up on the Dark Web as part of – you guessed it, the 6.2 million-record data dump.
SenseNets, a Chinese company that boasts of its technology’s ability to track people across cities and pick specific faces out of crowds, inadvertently exposed more than 2.5 million facial recognition records to anyone with an internet connection this week. Victor Gevers, a Dutch security researcher with the GDI Foundation, said he found an open, unprotected database containing people’s ID card numbers, their addresses, birthdays and locations where the facial recognition spotted them – information that can be used for physical as well as cyber-attacks. Also, 6.8 million people passed through the system this week, he said, so potentially there are other open databases impacting even more people.