The popular ticket distribution service Ticketfly was taken offline last week after a hacker defaced its homepage and stole customers’ personal data. The hacker threatened to release the data online if a 1 Bitcoin ransom was not received. Ticketfly did not pay the ransom and the hacker subsequently posted online the details of more than 26 million users, including email addresses with corresponding home and mailing addresses and phone numbers, according to researcher Troy Hunt. The company confirmed it is working with third-party forensic and cybersecurity experts. The NJCCIC recommends all users of Ticketfly review the BleepingComputer article and visit Ticketfly’s update page for more information. Additionally, users are advised to change their passwords for Ticketfly accounts and any other account using the same password as soon as possible.
Security researcher Oliver Hough discovered that a popular fitness app company, PumpUp, left a backend server exposed to the internet without a password, allowing unauthorized access to over six million users’ private and sensitive data. The exposed server, hosted on Amazon’s cloud, contained users’ email addresses, personal information entered into the app, full-resolution profile photos, IP addresses, session tokens, and, in some cases, unencrypted credit card data including card numbers, expiration dates, and card verification values. The NJCCIC recommends PumpUp app users review the ZDNet report and change their passwords for all accounts associated with the app immediately. Additionally, we recommend administrators of Amazon cloud services review our previous NJCCIC Cyber Alert on the risks associated with misconfigured databases, audit their security settings, and implement the mitigation strategies provided as soon as possible.
On September 1, 2017, law enforcement officials notified Coca-Cola that a former employee of the company was found to be in possession of an external hard drive containing personal information of approximately 8,000 Coca-Cola employees. Coca-Cola is in the process of notifying those impacted by the incident and will offer one year of free identity monitoring services to affected employees. The NJCCIC recommends Coca-Cola employees monitor their financial accounts for suspicious activity and report any unauthorized charges immediately. We also recommend impacted individuals take advantage of the free monitoring services offered.
A UK-based security researcher found two servers used by the popular mobile app “TeenSafe” unsecured and publicly accessible without a password. The app, used by parents to monitor their children’s phone activity, stored thousands of accounts on the Amazon cloud servers that contained parents’ email addresses, the child’s Apple ID email address, the child’s device name, the device’s unique identifier, and the plaintext passwords for the child’s Apple ID. The company was notified by the researcher, and both servers were taken offline. TeenSafe is in the process of alerting customers who may have been impacted by the breach. The NJCCIC recommends parents who use TeenSafe review the ZDNet report. Additionally, users should change their passwords for all accounts associated with the app.
On May 12, Brinker International announced that some Chili’s restaurants were impacted by a data breach incident that occurred between March and April 2018. Payment details, including card numbers and cardholder names, were compromised at undisclosed Chili’s locations as a result of malware installed on their payment systems. Brinker International will provide credit monitoring and fraud resolution services to affected customers. There are 24 Chili’s locations in New Jersey. The NJCCIC recommends patrons of Chili’s restaurants during the impacted timeframe review the Brinker International News Release, monitor their financial accounts for unauthorized activity, and immediately report any fraudulent charges to their financial institutions. Members are encouraged to place fraud alerts on their credit file with the three national credit reporting agencies.
Drupe, an Android application designed to enable communication via phone calls, text messages, and integrations with social media chat applications such as Skype and WhatsApp, left some of its users’ pictures and audio messages publicly accessible via unsecured Amazon Web Services (AWS) S3 buckets. According to a post published by the Drupe Team on May 7, the flaw only affected those who used the Drupe Walkie Talkie feature to send messages or the Drupe special messaging infrastructure to send images. These features are reportedly utilized by approximately three percent of Drupe users. The NJCCIC recommends administrators of AWS S3 buckets and other cloud databases review our previous NJCCIC Cyber Alert on the risks associated with misconfigured S3 buckets, audit their security settings, and implement the mitigation strategies provided as soon as possible.
LocalBlox, a company that collects data from public web profiles, left details of over 48 million users publicly accessible via an unsecured Amazon Web Services (AWS) S3 bucket. On February 28, an UpGuard researcher discovered the S3 bucket containing a 1.2 TB file of what appeared to be a backup of the LocalBlox database; UpGuard notified LocalBlox, which secured the server that same day. The file contained publicly accessible data collected from Facebook, LinkedIn, Twitter, and Zillow, and included names, physical addresses, dates of birth, LinkedIn job history, Twitter handles, and some IP and email addresses. While the information contained in the S3 bucket is public information, the incident highlights the continued risk associated with misconfigured and unsecured AWS S3 buckets. The NJCCIC recommends administrators of AWS S3 buckets and other cloud databases review our previous NJCCIC Cyber Alert on the risks associated with misconfigured S3 buckets, audit their security settings, and implement the mitigation strategies provided as soon as possible.
On Monday, April 16, a user of the online freelance marketplace TaskRabbit reported via her Twitter account that she had identified a phishing attack targeting TaskRabbit users along with a website that appeared to reveal TaskRabbit’s private GitHub account, daily transaction volumes, and key employee information. After disclosing these findings to the company, the TaskRabbit service was taken offline while an investigation into the incident took place. On April 17, TaskRabbit posted an account security update on its website to update its users on the status of the investigation. The NJCCIC recommends all TaskRabbit account holders who use the same login credentials for other online accounts proactively change those credentials and enable two-factor authentication (2FA) on any account that offers it to prevent additional account compromise.
Best Buy announced that a small number of customers who made online purchases between September 27 and October 12, 2017 may have had their payment information exposed. According to Best Buy’s statement, the data breach resulted from a cyber intrusion of [24]7.ai, a third-party vendor used to provide chat services for Best Buy’s customers via telephone or computer. Best Buy will offer free credit monitoring services to impacted customers who are interested and will notify affected individuals directly. The NJCCIC recommends all Best Buy customers monitor their financial accounts for suspicious activity and report any unauthorized charges immediately. We also recommend impacted customers take advantage of the free credit monitoring services offered.
Under Armour announced that, in February 2018, an unauthorized party obtained access to data associated with MyFitnessPal user accounts. Information exposed in the breach includes usernames, email addresses, and hashed passwords. The NJCCIC recommends that MyFitnessPal users immediately change the passwords to their accounts and be on alert for phishing campaigns associated with, and resulting from, this breach.
Saks Fifth Avenue and Lord & Taylor department stores released a statement regarding a data breach that resulted in the theft of customer payment card data. According to Gemini Advisory, a cybersecurity firm that specializes in tracking stolen financial data, the compromise likely occurred beginning May 2017 and the majority of stolen payment card information was obtained from the companies’ New York and New Jersey locations. Saks Fifth Avenue and Lord & Taylor will offer impacted customers free credit and web monitoring services, as well as free identity protection services. The NJCCIC recommends affected customers take advantage of the free credit and web monitoring services, as well as the identity protection services offered, monitor their financial accounts for suspicious activity, and notify their card issuers immediately if they notice unauthorized charges made to their accounts.
On April 2, security researcher Brian Krebs reported that, for at least eight months, Panerabread[.]com had been leaking millions of customer records that included names, email addresses, home addresses, dates of birth, customer loyalty card numbers, and the last four digits of their payment card numbers. In August 2017, another security researcher, Dylan Houlihan, had reportedly notified the company about the data exposure but the company did not address the issue until April 2, 2018. Cybersecurity firm Hold Security suggests that the number of exposed records likely exceeds 37 million and that the data leak may also impact Panera’s commercial division. The NJCCIC recommends all Panera Bread customers monitor their financial accounts and loyalty accounts for suspicious activity and report any unauthorized charges immediately. Additionally, we recommend Panera Bread customers be on alert for phishing campaigns associated with, and resulting from, this data leak.
CareFirst BlueCross BlueShield reported that, on March 12, 2018, an employee within the company responded to a phishing email and, as a result, may have exposed the personal information of 6,800 of the insurer’s members. The employee’s account was used to send spam emails to recipients who are not associated with CareFirst. The unauthorized access to the employee’s email account could have exposed CareFirst member names, identification numbers, and dates of birth. Eight members’ Social Security numbers may have also been exposed. CareFirst is offering two years of free credit monitoring and identity theft protection services to affected members. The NJCCIC recommends affected members take advantage of the free credit monitoring and identity theft protection services offered.
A legacy travel booking platform owned by Orbitz, the popular travel booking site, was accessed by an unauthorized party between October 2017 and December 2017. Data accessed from the company’s legacy systems includes customer information for purchases made between January 2016 and December 2017, including names, dates of birth, postal and email addresses, gender, and payment card information. Orbitz revealed that approximately 880,000 payment cards were exposed in the hack, but there is currently no direct evidence that customers’ personal information was downloaded from the platform. Orbitz is in the process of notifying impacted customers and partners and is offering one year of complimentary credit monitoring and identity theft protection. The current orbitz[.]com site was unaffected by the breach. The NJCCIC recommends customers who made purchases through Orbitz during the impacted timeframe monitor payment card statements for unauthorized charges, consider placing a freeze on their credit, and immediately notify their banks if fraudulent activity is observed. Additionally, we recommend impacted customers take advantage of the free credit monitoring and identity theft protection services offered.
Security firm Kromtech revealed that Walmart partner MBM Company Inc., which operates Limogés Jewelry, left the personal information of 1.3 million customers exposed via an unsecured Amazon S3 bucket. The open S3 bucket, named “walmartsql,” contained customers’ names, addresses, ZIP codes, phone numbers, email addresses, IP addresses, plaintext passwords, encrypted credit card numbers, and payment details for purchases made between 2000 and early 2018. The database was left publicly available from January 13, 2018 until it was recently secured by Walmart. This latest incident follows many recent breaches resulting from unsecured or misconfigured S3 buckets. The NJCCIC strongly encourages MBM Company Inc. customers to immediately change their account passwords, enable two-factor authentication, and monitor their bank and credit card accounts for fraudulent activity. Additionally, we recommend administrators of Amazon S3 storage buckets review our previous NJCCIC Cyber Alert on the risks associated with misconfigured S3 buckets, audit their security settings, and implement the mitigation strategies provided as soon as possible.
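The Drupe, LocalBlox and MBM incidents above all trace back to the same misconfiguration, and the recommendation in each case is to audit S3 bucket settings. The following is an added example of such an audit, not code from NJCCIC or AWS: it flags bucket ACL grants to the AllUsers/AuthenticatedUsers groups and any Public Access Block setting that is not enforced. The evaluation functions are pure Python and are exercised on constructed sample responses; `audit_account()` assumes boto3 is installed and AWS credentials are configured.

```python
from typing import Dict, List

# Group URIs AWS uses for anonymous and any-authenticated-AWS-user access.
PUBLIC_GRANTEES = {"http://acs.amazonaws.com/groups/global/AllUsers",
                   "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}
PAB_SETTINGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")

def acl_findings(acl: Dict) -> List[str]:
    """One finding per ACL grant to a public group (get_bucket_acl response shape)."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEES:
            findings.append(f"ACL grants {grant['Permission']} to {grantee['URI'].rsplit('/', 1)[-1]}")
    return findings

def pab_findings(pab: Dict) -> List[str]:
    """One finding per Public Access Block setting that is missing or False."""
    cfg = pab.get("PublicAccessBlockConfiguration", {})
    return [f"PublicAccessBlock.{k} is not enabled" for k in PAB_SETTINGS if not cfg.get(k)]

def audit_bucket(name: str, acl: Dict, pab: Dict) -> Dict:
    """Combine both checks; an empty findings list means no public exposure was found."""
    return {"bucket": name, "findings": acl_findings(acl) + pab_findings(pab)}

def audit_account() -> List[Dict]:
    """Live audit of every bucket in the account (requires boto3 and AWS credentials)."""
    import boto3
    from botocore.exceptions import ClientError
    s3, exposed = boto3.client("s3"), []
    for bucket in s3.list_buckets()["Buckets"]:
        name = bucket["Name"]
        try:
            pab = s3.get_public_access_block(Bucket=name)
        except ClientError as err:  # no block configured at all means nothing is blocked
            if err.response["Error"]["Code"] != "NoSuchPublicAccessBlockConfiguration":
                raise
            pab = {}
        result = audit_bucket(name, s3.get_bucket_acl(Bucket=name), pab)
        if result["findings"]:
            exposed.append(result)
    return exposed

# Constructed sample responses in boto3's shape (not real buckets or real AWS data).
SAMPLE_ACL_PUBLIC = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "OWNER-ID-PLACEHOLDER"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
]}
SAMPLE_PAB_PARTIAL = {"PublicAccessBlockConfiguration": {
    "BlockPublicAcls": True, "IgnorePublicAcls": False, "BlockPublicPolicy": True, "RestrictPublicBuckets": True}}
```

Bucket policies are a third exposure path that this check does not cover; `get_bucket_policy_status` reports whether a policy makes the bucket public.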
RMH Franchise Holdings announced that diners who visited one of their 167 Applebee’s restaurants between November 23, 2017 and January 2, 2018 may have had their payment card information compromised via point-of-sale malware. RMH Franchise Holdings discovered the incident on February 13, 2018 and took steps to investigate and remediate the infection. The breach does not impact payments made online or those made using tabletop self-pay devices. The NJCCIC recommends those who have dined at one of the impacted locations monitor payment card statements for unauthorized charges, consider placing a freeze on their credit, and immediately notify banks if fraudulent activity is observed on their accounts.
Security researcher Troy Hunt recently discovered a collection of nearly 3,000 possible data breaches accompanied by data from previously confirmed breaches on a hacking forum located on the clear web. He states that almost all of the obtained files contain email addresses – 80,115,532 in total – and plaintext passwords. Hunt is still analyzing the data and has yet to determine where the possible breaches occurred, as there does not appear to be a direct correlation between the accounts and the associated source file at this time. Hunt owns and operates the website HaveIBeenPwned.com, where users can check whether their email addresses have been included in any previous data breaches. The NJCCIC recommends all users assume that their email addresses and passwords have been, or will be, involved in a data breach, and enable multi-factor authentication (MFA) on every account that offers it to protect themselves against credential compromise. For accounts that do not offer MFA, we recommend creating lengthy, complex passwords and monitoring those accounts regularly for unauthorized activity. We strongly advise against password reuse.
Lgtm security researchers discovered a critical vulnerability (CVE-2017-8046) affecting various projects in Pivotal Spring, a framework used to build web applications. If exploited, this vulnerability could allow a remote threat actor to execute arbitrary code on any system running an application built using Spring Data REST. Researchers liken this vulnerability to CVE-2017-5638 that affected Apache Struts and led to the Equifax data breach. This vulnerability impacts Spring Data REST components, versions prior to 2.5.12, 2.6.7, and 3.0RC3, as well as Spring Boot versions prior to 2.0.0M4, and Spring Data versions prior to Kay-RC3. The NJCCIC recommends all developers using affected Spring products and components review the lgtm blog and update to the latest versions as soon as possible.
Equifax announced that an additional 2.4 million Americans were impacted by the data breach first disclosed in September 2017. The data stolen includes names and partial driver’s license numbers. Equifax will notify impacted customers and provide the same credit monitoring and identity theft protection services. The NJCCIC recommends those impacted by the Equifax breach take advantage of the credit and identity theft services offered and strongly consider placing a security freeze on their credit files in order to mitigate the risk of identity theft and financial fraud.
NIS America notified customers via email and social media that the store.nisamerica[.]com and snkonlinestore[.]com sites were breached, compromising personal data for new accounts. The data breach occurred between January 23, 2018 and February 26, 2018 and allowed unauthorized access to customer payment and address information corresponding to new credit card orders placed between those dates. The store pages have been taken offline by NIS America to prevent further unauthorized access. The NJCCIC recommends patrons who made purchases during the affected time frame closely monitor their financial accounts and immediately report any unauthorized activity to their financial institutions.