Breach Trends And Insights – April 2021


Data breaches are on the rise, according to the Verizon Business 2021 Data Breach Investigations Report.

The report analyzed 29,207 incidents, of which 5,258 were confirmed breaches, a third more breaches than were analyzed last year.

The attack techniques cover a mix of exploiting misconfigurations, mistakes caused by oversight, and some novel zero-day attacks.

In this report, we discuss some of the important cyberattacks that took place during the last month.

Analyzing these attacks yields the following key insights:

  1. Unpatched vulnerabilities remain the key reason for breaches. Failing to identify assets across a large attack surface is a key reason that exposed, vulnerable assets get missed.
  2. Publicly available data that might seem innocuous can be used to mount an attack.
  3. Scraping of public data is becoming a major ingredient of phishing attacks.
  4. Multi-stage attacks built with the help of publicly available data are on the rise.
  5. Third-party data breaches are on the rise. Having no connection between third-party systems and enterprise systems is no guarantee of safety, because the stolen data itself is turned into an attack vector.
  6. Leaked data, although it may yield false positives, must be carefully validated, since it has been used in attacks.
  7. FireCompass, using its EASM and CART technologies, has discovered and indexed 6.7 billion leaked credentials, a number of which have been successfully used to breach systems. Through continuous monitoring of attack surfaces, FireCompass is also regularly finding a steady rise in assets openly accessible from the internet, a significant number of them unpatched. FireCompass's proactive, continuous monitoring alerted customers in time to put countermeasures in place.

The following is a summary of the significant breaches in the month of April 2021.

Facebook Data Breach Exposed 533 Million Users’ Phone Numbers And Other Personal Information

The mobile phone numbers and other personal information of approximately 533 million Facebook users worldwide have been leaked on a popular hacker forum for free.

The stolen data first surfaced on a hacking community in June 2020, when a member began selling the Facebook data to other members. What made this leak stand out was that it contained both member information that can be scraped from public profiles and the private mobile numbers associated with the accounts.

“This is old data that was previously reported on in 2019. We found and fixed this issue in August 2019,” a Facebook spokesperson told BleepingComputer. While the data may be from 2019, phone numbers and email addresses commonly remain the same for many years, which keeps the data valuable to threat actors.

Impact: The sold data covered 533,313,128 Facebook users, with information such as a member’s mobile number, Facebook ID, name, gender, location, relationship status, occupation, date of birth, and email address.

Cause: Threat actors exploited an unpatched vulnerability in Facebook’s “Add Friend” feature that allowed them to gain access to members’ phone numbers.

Source: Bleeping Computer

Data From 500 Million LinkedIn Users Has Been Scraped And Put Online

Data from over 500 million LinkedIn users is being sold online to hackers, marking the second major cybersecurity incident revealed in the past week, following news of a similar occurrence involving Facebook.

CyberNews analysts discovered the scraped data set on an online hacker forum and were able to verify that the data was associated with LinkedIn user accounts. It is unclear, however, how old the data is and how the bad actors obtained it.

Although the scraped LinkedIn data set does not include sensitive information such as credit card numbers or Social Security numbers, it does include data that could help bad actors carry out other sophisticated attacks. For instance, attackers could use email addresses and phone numbers to conduct more convincing phishing attacks, sending people bogus emails that look real but contain links to malicious websites.

Impact: The LinkedIn data includes user IDs, full names, email addresses, phone numbers, professional titles, and other work-related data.

Cause: A scraped data set associated with LinkedIn user accounts was found being sold on a hacker forum.

Source: Fortune.com

Geico Admits Fraudsters Stole Customers’ Driver’s License Numbers For Months

Fraudsters stole customers’ driver’s license numbers by obtaining unauthorized access to them through the online sales system on Geico’s website.

Some Geico customers were notified in April that their personal information, specifically their driver’s license number, had been compromised in a data breach caused by a security bug on the insurer’s website, TechCrunch’s Zack Whittaker first reported.

Geico directly notified some customers on April 9 that “fraudsters used information about you – which they acquired elsewhere – to obtain unauthorized access to your driver’s license number through the online sales system on [Geico’s] website”. Geico said it has since secured its website from the vulnerability.

The insurer warned that fraudsters would likely use the license numbers to fraudulently apply for unemployment benefits, which often require a state ID. A Geico spokesperson did not immediately respond to a request for comment on the number of customers affected and whether the data had been tied to confirmed cases of unemployment fraud. In the notice sent to affected customers, Geico urged vigilance and offered a one-year subscription to IdentityForce, an “identity-theft protection service.” Geico said in the notice that it did not know for certain whether the customer’s driver’s license number had been fraudulently used, but that it was a possibility.

Impact: Customer driver’s license numbers were accessed between January 21 and March 1.

Cause: Unauthorized access to driver’s license numbers through the online sales system on the website.

Source: TechCrunch

Patient Data From Multiple Providers Leaked In Third-Party GitHub Incident

Patient data from multiple providers appears to have been captured and subsequently leaked on the GitHub Arctic Code Vault data repository by the third-party vendor MedData.

The majority of the data appeared to be claims data, or Electronic Data Interchange (EDI) data, from multiple providers, which pointed to the data stemming from a third party. The data belonged to a healthcare business associate, MedData. MedData was notified of the incident in early December, but Ursem and Dissent did not receive a response until several weeks and multiple failed attempts later. The vendor was then provided links to the repositories leaking the PHI.

The databases were taken down on December 17. MedData recently released a notice that detailed the massive patient data breach, which involved information provided to the vendor for processing services.

The notice confirms that MedData was contacted by Ursem and Dissent in early December to notify the vendor that patient data tied to its clients had been uploaded to a public website. An internal investigation was launched to validate the claims. Officials discovered that, during their employment, an employee had saved files to personal folders created on the GitHub repository between December 2018 and September 2019.

Impact: The impacted data included patient names combined with one or more data elements, such as subscriber ID, Social Security numbers, diagnoses, conditions, claims data, dates of services, medical procedure codes, insurance policy numbers, provider names, contact details, and dates of birth.

Cause: An employee of the third-party vendor MedData uploaded troves of patient data from multiple providers to the public data repository GitHub Arctic Code Vault.

Source: HealthITSecurity

Phone House Spain Hit By Major Ransomware Attack

Phone House, a chain of mobile phone stores in Spain, has suffered a ransomware attack that resulted in the theft of data on 3 million clients in Spain, highly sensitive information that attackers could use in the future for social engineering.

According to El Confidencial, the Spanish division of Phone House suffered a cyberattack this weekend in which cybercriminals took millions of records belonging not only to customers but also to employees in Spanish territory. Those responsible for the cyberattack appear to be the Babuk group, and according to what El Confidencial has learned, the attackers hold a large amount of data on the Spanish company, its employees, and its customers.

The cybercriminals claim to have 10 databases containing the private information of more than 3 million customers and employees of the Spanish division of Phone House. They threaten that, if the company does not pay, all of this information will be published on a public blog and on dark web forums, and on top of that the data will be sent to competitors.

The data seems real, since the attacking group has circulated several images that appear to prove that they really hold this data on more than 3 million Spanish clients. Moreover, El Confidencial has contacted two people who appear in these databases, and both confirmed that they have been Phone House customers.

Impact: Data on more than 3 million customers and employees of the company was stolen. The data includes the clients’ full name, date of birth, ID, bank account, mobile phone, email, home address, and employer.

Cause: Ransomware attack

Source: El Confidencial

REvil Gang Tries To Extort Apple, Threatens To Sell Stolen Blueprints

The REvil ransomware gang asked Apple to “buy back” stolen product blueprints to avoid having them leaked on REvil’s leak site before the Apple Spring Loaded event.

REvil tried to extort Apple only after Quanta Computer, a leading notebook manufacturer and one of Apple’s business partners, refused to communicate with the ransomware gang or pay the ransom demanded after the gang allegedly stole “a lot of confidential data” from Quanta’s network.

Quanta is a Taiwan-based original design manufacturer (ODM) that makes the Apple Watch, Apple MacBook Air, and Apple MacBook Pro. Quanta has a long list of high-profile customers, including Apple, Dell, Hewlett-Packard, Alienware, Lenovo, Cisco, and Microsoft.

According to the Tor payment page shared with BleepingComputer, Quanta has to pay $50 million by April 27th, or $100 million after the countdown ends.

Impact: A large amount of confidential data was stolen from Quanta’s network, including large quantities of confidential drawings and gigabytes of personal data involving several major brands.

Cause: Ransomware attack

Source: Bleeping Computer

Clubhouse Data Leak: 1.3 Million Scraped User Records Leaked Online For Free

Clubhouse has issued a statement about the incident on social media, saying it has not experienced a breach of its systems. The company said that the data is already publicly available and can be accessed by “anyone” via its API.

According to CyberNews senior information security researcher Mantas Sasnauskas, the posting of scraped Clubhouse user data reveals a potential privacy issue within the social media platform itself: “The way the Clubhouse app is built lets anyone with a token, or via an API, to query the entire body of public Clubhouse user profile information, and it seems that token does not expire.”

Impact: The leaked database contains a variety of user-related information from Clubhouse profiles, including user ID, name, photo URL, username, Twitter handle, Instagram handle, etc. The data from the leaked files can be used by threat actors against Clubhouse users to carry out targeted phishing or other types of social engineering attacks.

Cause: A SQL database containing 1.3 million scraped Clubhouse user records was leaked.

Source: Cyber News

BigBasket Data Allegedly Leaked On Dark Web

BigBasket confirmed a data breach in November last year that is said to be associated with the latest leak. A BigBasket database of over 20 million customers has allegedly been leaked on the dark web, months after the online grocery delivery platform confirmed the breach. The data allegedly includes the physical addresses and dates of birth of BigBasket users. Although the database, which is available for free on the dark web, includes user passwords in an encrypted form, another hacker has claimed to have decrypted some of the leaked passwords.

The alleged BigBasket database was put on the dark web by a hacker group infamously known as ShinyHunters. It includes details such as email addresses, names, dates of birth, and phone numbers.

Impact: A database of 20 million customers, including the email addresses, phone numbers, and hashed passwords of the affected customers.

Source: NDTV