Keytronic confirms that personal information was compromised after a ransomware group leaked allegedly stolen data.

The post Keytronic Says Personal Information Stolen in Ransomware Attack appeared first on SecurityWeek.

US insurance company Globe Life is investigating a data breach involving unauthorized access to consumer and policyholder information. 

The post Insurance Company Globe Life Investigating Data Breach appeared first on SecurityWeek.

The LA County’s Department of Public Health says the personal information of 200,000 was compromised in a data breach.

The post 200,000 Impacted by Data Breach at Los Angeles County Public Health Agency appeared first on SecurityWeek.

On Wednesday June 12, 2024, a well-known dark web data broker and cybercriminal acting under the name “Sp1d3r” offered a significant amount of data allegedly stolen from Truist Bank for sale.

Truist is a US bank holding company and operates 2,781 branches in 15 states and Washington DC. By assets, it is in the top 10 of US banks. In 2020, Truist provided financial services to about 12 million consumer households.

The online handle of the seller immediately raised the suspicion that this was yet another Snowflake related data breach.

The post also mentions Suntrust bank because Truist Bank arose after SunTrust Banks and BB&T (Branch Banking and Trust Company) merged in December 2019.

For the price of $1,000,000, other cybercriminals can allegedly get their hands on:

• Employee Records: 65,000 records containing detailed personal and professional information.
• Bank Transactions: Data including customer names, account numbers, and balances.
• IVR Source Code: Source code for the bank’s Interactive Voice Response (IVR) funds transfer system.

IVR is a technology that allows telephone users to interact with a computer-operated telephone system through the use of voice and Dual-tone multi-frequency signaling (DTMF aka Touch-Tone) tones input with a keypad. Access to the source code may enable criminals to find security vulnerabilities they can abuse.

Given the source and the location where the data were offered, we decided at the time to keep an eye on things but not actively report on it. But now a spokesperson for Truist Bank told BleepingComputer:

“In October 2023, we experienced a cybersecurity incident that was quickly contained.”

Further, the spokesperson stated that after an investigation, the bank notified a small number of clients and denied any connection with Snowflake.

“That incident is not linked to Snowflake. To be clear, we have found no evidence of a Snowflake incident at our company.”

But the bank disclosed that based on new information that came up during the investigation, it has started another round of informing affected customers.

Protecting yourself after a data breach

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

• Check the vendor’s advice. Every breach is different, so check with the vendor to find out what’s happened and follow any specific advice they offer.
• Change your password. You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
• Enable two-factor authentication (2FA). If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
• Watch out for fake vendors. The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify the identity of anyone who contacts you using a different communication channel.
• Take your time. Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
• Consider not storing your card details. It’s definitely more convenient to get sites to remember your card details for you, but we highly recommend not storing that information on websites.
• Set up identity monitoring. Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after.

Check your exposure

While matters are still unclear how much information was involved, it’s likely you’ve had other personal information exposed online in previous data breaches. You can check what personal information of yours has been exposed with our Digital Footprint portal. Just enter your email address (it’s best to submit the one you most frequently use) to our free Digital Footprint scan and we’ll give you a report.

---

We don’t just report on threats – we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

The Chinese University of Hong Kong (CUHK) has been confronted by a massive data breach that has compromised personal information of precisely 20,870 students, staff and past graduates. The CUHK data breach was initially identified on June 3, 2024, prompting swift action by the institution. An investigation is currently underway to trace the culprits and to take corrective measures.

Understanding the CUHK Data Breach

The CUHK is one of the premier institutes in China which was established in 1963 and is the first research university in Hong Kong. The cyberattack on CUHK reportedly took place on June 1 at its School of Continuing and Professional Studies (CUSCS). In a statement put out by the school on June 13, CUSCS said that it had undertaken an investigation into the breach on June 3. An information technology security consultant was appointed by the college to assess the breach. The investigation revealed that the school’s “Moodle learning management system” was hacked. Moodle is an open-source learning management system designed. It allows educators, administrators and learners to create personalized learning environments for online projects in schools, colleges and workplaces. Moodle can be used to create custom websites with online courses and allows for community-sourced plugins. [caption id="attachment_77266" align="alignnone" width="1196"] Source: CUSCS Website[/caption] According to the CUSCS, the leaked data included the names, email addresses, and student numbers of 20,870 Moodle accounts of tutors, students, graduates, and visitors. This personal data was reportedly stolen after a server at one of the institution’s schools was hacked. Despite the university management stating that the sensitive data was not leaked on any public platforms, the breached information was found to be readily available on the dark web domain BreachForums. A Threat Actor (TA), who goes by the alias “Valerie”, put up a post on dark web stating that the hacker was willing to sell the data. The TA noted that, “75 per cent of the stolen data was sold to a private party, which financed the breach.  The rest of the data was not shared. So upon multiple offers, we decided to make a public sell.” To claim that the data was credible, the TA provided samples, which included the username, first name, last name, institution, department, mobile number and city of the victims of the data breach.

Investigation Status of CUHK Data Breach

The CUSCS stated that as soon as its investigation revealed a massive data breach, it had deactivated the relevant account and reset the password. It added that, apart from the relevant server, the online learning platform has been moved, and security measures have been strengthened to block any account after three unsuccessful login attempts. “CUHK has also been notified of the incident. The college has also established a crisis management team composed of the dean, deputy dean, information technology services director, administrative director and communications and public relations director to assess the risks,” CUSCS said. The college also had filed a complaint over the data breach to the local police. The university, too, has notified the city’s privacy watchdog-Office of the Privacy Commissioner for Personal Data (PCPD), in accordance with established procedures. The PCPD acknowledged receipt of the complaint on June 13.

CUHK Data Breach: Institutions in Hong Kong Under Scanner

In what is becoming a trend, CUHK has become the third educational institute in Hong Kong this year to fall victim to cyberattacks. In May, the Hong Kong Institute of Contemporary Culture, Lee Shau Kee School of Creativity, fell victim to a ransomware attack where the data of over 600 people was leaked. Similarly, in April, a private medical facility, Union Hospital, suffered a ransomware attack affecting its servers, which allegedly resulted in operational paralysis. The Hong Kong College of Technology too suffered a ransomware attack in February, which led to the data of around 8,100 students being breached.

Ascension says patient information was stolen in an early-May ransomware attack that involved an employee downloading malware.

The post Ascension Says Personal, Health Information Stolen in Ransomware Attack appeared first on SecurityWeek.

The U.S. food chain giant Panera Bread has begun notifying its employees of a significant data breach that occurred as a result of a ransomware attack in March 2024. The company, along with its franchises, operates 2,160 cafes under the names Panera Bread or Saint Louis Bread Co, spread across 48 states in the U.S. and Ontario, Canada. The Panera Bread data breach was disclosed in notification letters filed with the Office of California's Attorney General, where Panera detailed its response to what it termed a "security incident." Upon detecting the Panera Bread data breach, the company acted swiftly to contain it, enlisting external cybersecurity experts to investigate and inform law enforcement of the situation. The files involved were reviewed, and on May 16, 2024, we determined that a file contained your name and Social Security number. Other information you provided in connection with your employment could have been in the files involved. As of the date of mailing of this letter, there is no indication that the information accessed has been made publicly available," reads Panera's official notification.

Panera Bread Data Breach: Impact on Employees and Operations

The ransomware attack has had substantial repercussions on Panera's operations and its employees. Many of Panera's virtual machine systems were reportedly encrypted during the attack, leading to a significant outage that crippled internal IT systems, phones, point of sale systems, the company’s website, and mobile apps. During this outage, employees were unable to access their shift details and had to contact their managers to obtain work schedules. The stores faced further disruption as they could only process cash transactions, with electronic payment systems down. Additionally, the rewards program system was inoperable, preventing members from redeeming their points. The most concerning aspect of the breach for employees is the compromise of sensitive personal information. Panera has confirmed that files containing employee names and Social Security numbers were accessed. There is also the potential that other employment-related information was compromised. However, the company has assured employees that, as of the notification date, there is no evidence that the accessed information has been publicly disseminated. To mitigate the potential impact on affected individuals, Panera is offering a one-year membership to CyEx's Identity Defense Total, which includes credit monitoring, identity detection, and identity theft resolution services. This proactive measure aims to help employees safeguard their identities and respond swiftly to any signs of fraudulent activity.

The Bigger Picture: Unanswered Questions

Despite the detailed notifications to employees, Panera has yet to publicly disclose the total number of individuals impacted by the breach. The identity of the threat actors behind the ransomware attack also remains unknown. No ransomware group has claimed responsibility, which raises speculation that the attackers might be awaiting a ransom payment or have already received it. Moreover, Panera has not responded to requests for comment from The Cyber Express regarding the outage and the ransomware attack. This lack of communication leaves several critical questions unanswered, particularly about the measures being taken to prevent future incidents and the ongoing efforts to recover from the current breach.

Implications for Panera Bread Data Breach

The implications of this ransomware attack extend beyond the immediate disruption and data breach. Panera Bread's reputation is at stake, as customers and employees alike may question the company's ability to protect sensitive information. The operational disruptions also highlight vulnerabilities in the company’s IT infrastructure that need to be addressed to prevent similar incidents in the future. In response to the data breach, Panera has committed to enhancing its existing security measures. The company is likely to conduct a thorough review of its cybersecurity policies and practices to identify and address any gaps. Additionally, ongoing communication with employees and stakeholders will be crucial in rebuilding trust and ensuring that all affected parties are adequately supported. As the investigation continues, further details may emerge about the nature of the breach and the steps Panera is taking to strengthen its defenses.

Dordt University, a distinguished private Christian liberal arts college renowned for its reformed Christian perspective on education, has encountered a cybersecurity incident carried out by the BianLian ransomware group. The Dordt University data breach has listed a substantial amount of sensitive information online, leaving both the institution and its stakeholders in a state of vulnerability. The ramifications of this Dordt University data leak are profound, with a staggering revenue of $36.2 million and a data cache of approximately 3 terabytes compromised. Among the trove of exposed data are intricate financial records, personnel files, vital databases, internal and external email correspondences, incident logs, as well as comprehensive student profiles encompassing both local and international enrollees. 

Unverified Claims of Dordt University Data Breach

[caption id="attachment_77186" align="alignnone" width="1240"] Source: Dark Web[/caption] According to the threat actors, even minors' data has reportedly fallen prey to this Dordt University breach, alongside personally identifiable information (PII) and protected health records (PHI). Despite the gravity of the situation, official responses from Dordt University have yet to materialize, leaving the authenticity of the claims surrounding the Dordt University data leak in a precarious limbo.  Notably, the BianLian ransomware group seems to have targeted the database infrastructure rather than executing a frontal assault on the university's website, suggesting a meticulously orchestrated campaign targeting the institution's digital backbone.

The Rise of BianLian Ransomware Group

The BianLian ransomware group has carried out similar cyberattacks in the past and this Dordt University data leak has prompted a collaborative effort from cybersecurity agencies, including the Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and Australian Cyber Security Centre (ACSC), to disseminate crucial intelligence on the modus operandi of the BianLian ransomware and data extortion group. Originating in June 2022, BianLian has brazenly targeted critical infrastructure sectors in both the United States and Australia, leveraging tactics such as exploiting valid Remote Desktop Protocol (RDP) credentials and employing open-source tools for reconnaissance and credential harvesting. The evolution of BianLian's extortion tactics, transitioning from double-extortion encryption schemes to data exfiltration-based coercion since January 2023, highlights the escalating sophistication of cyber threats faced by modern organizations. In response, FBI, CISA, and ACSC have issued a joint cybersecurity advisory, urging critical infrastructure entities and small- to medium-sized organizations to fortify their defenses against ransomware groups by implementing robust mitigation strategies outlined in the advisory. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Life360 says hackers attempted to extort it after stealing personal information from a Tile customer support platform.

The post Life360 Says Personal Information Stolen From Tile Customer Support Platform appeared first on SecurityWeek.

A significant data breach has exposed the private information of more than 1,200 Baw Baw Shire residents who contacted customer service after-hours over a nearly two-year period, the Baw Baw Shire council revealed. The breach occurred at OracleCMS, a third-party call center contracted by the council to field inquiries outside normal business hours. It reportedly does not impact the council's own systems and databases.

Over 1,200 Baw Baw Shire Residents Affected

The exposed information includes customer contact details and call notes—dates from June 2014 to January 2016 when customers rang the council hotline during evenings, weekends and holidays. Calls made during the specified period had been automatically forwarded to OracleCMS call agents. It remains unclear precisely how the contractor failed to protect confidential constituent information or when the company first discovered the breach. Upon learning of the breach earlier this month, Baw Baw officials urgently contacted every affected resident—over 1,250 in total—through SMS messages and personal calls to vulnerable groups like the elderly. While the breach did not infiltrate Baw Baw's systems directly with the council's own systems, it represents a alarming security gap by a third-party vendor given access to constituents' sensitive information.

OracleCMS Provider Implicated in Other Breaches

Authorities are currently investigating the incident, which may have also impacted other clients of the Australia-based company. OracleCMS provides outsourced contact center services for an array of local governments and organizations. OracleCMS had previously been implicated in a long list of data breaches affecting several different cities in Australia. According to some official press release statements, OracleCMS appeared to initially downplay the incident. An earlier release from Merri-bek City Council stated:

OracleCMS informed Council in April that there had been a cyber security incident where identifiable information of customers had been compromised. Until last week we were informed that Council’s customer data was not involved. Council has now been informed that the OracleCMS data breach does include records of calls handled by OracleCMS on Council’s behalf. We take the privacy of our customers very seriously and we are taking urgent action to address this issue.

The OracleCMS data breach also affected some businesses such as several entities belonging to Nissan in the Australia and New Zealand region, such as Nissan Financial Services Australia Pty Ltd, Nissan Motor Co. Pty Ltd, Nissan Financial Services, New Zealand Pty Ltd and Nissan New Zealand Ltd.

OracleCMS subsequently suffered a data breach, which it was alerted to on 15 April 2024. This separate incident resulted in certain data which was held by OracleCMS, including the summary information Nissan provided to OracleCMS, being compromised and published on the dark web.

As cyberattacks surge, some have questioned whether outsourcing critical customer service channels renders individuals and businesses more vulnerable to data theft. The incident serves as reminder for governments and organizations to lock down vulnerabilities present in third-party vendors or tools while conducting regular security audits. Residents with concerns regarding the breach may contact Baw Baw Shire Council’s customer service line at +61 3 5624 2411. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

It’s no secret that hospitals and other health care organizations are among the top targets for cybercriminals. The ransomware attacks this year on UnitedHealth Group’s Change Healthcare subsidiary, nonprofit organization Ascension, and most recently the National Health Service in England illustrate not only the damage to these organizations’ infrastructure and the personal health data that’s..

The post Connecticut Has Highest Rate of Health Care Data Breaches: Study appeared first on Security Boulevard.

A threat actor on a dark web forum has listed data from Truist Bank for sale following a cyberattack on the banking institution. Meanwhile, Kulicke and Soffa Industries, Inc. (K&S) is also dealing with a data breach. Reports indicate that Truist Bank client data, including sensitive information such as employee details and bank transactions, has been put up for sale on the dark web. The alleged Truist Bank data leak is attributed to a threat actor known as Sp1d3r. The data, reportedly obtained via the Snowflake breach, raises questions about the security measures in place at Truist Bank.

Truist Bank Data Breach Allegedly Goes on Sale on Dark Web

According to the threat actor’s post, the Truist Bank data breach is now selling for $1 million. The compromised data includes details of 65,000 employees, bank transactions containing names, account numbers, balances, and the source code for IVR funds transfers. [caption id="attachment_77051" align="alignnone" width="595"] Source: Dark Web[/caption] The post by the threat actor provides specific information about the data for sale and contact details for purchase. Additionally, the post includes various usernames, threads, reputation points, and contact information such as XMPP handles and email addresses associated with the threat actor. Meanwhile, Kulicke and Soffa Industries, a renowned semiconductor and electronics manufacturing company, disclosed a breach compromising millions of files. Initially detected on May 12, 2024, the breach exposed critical data, including source codes, engineering information, and personally identifiable information.

Two Cybersecurity Incidents at Once

In response to the Kulicke and Soffa data breach, K&S swiftly initiated containment measures in collaboration with cybersecurity experts and law enforcement agencies. The company's cybersecurity team worked diligently to isolate affected servers and prevent further intrusion. Despite the breach, K&S remains committed to safeguarding its systems and data integrity. In a filing with the U.S. Securities and Exchange Commission (SEC), K&S detailed its efforts to mitigate the impact of the breach. The company assured stakeholders that, as of the filing date, the incident had not materially disrupted its operations. However, investigations are ongoing to ascertain the full extent of the breach and increase the cybersecurity measures in place. The Truist Bank data breach and the Kulicke and Soffa cyber incident highlight the persistent threat of cyberattacks faced by organizations worldwide. While both entities are actively addressing the breaches, the incidents highlight a broader case of cybersecurity measures and their impact in safeguarding sensitive information and maintaining trust in the digital age. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Life360 Inc., the parent company of Tile, has recently disclosed that it was the victim of a criminal extortion attempt involving stolen customer data. The incident, the Life360 data breach, which was communicated by CEO Chris Hulls, highlights the growing threat of cyberattacks targeting companies that handle large amounts of user information. Chris Hulls, CEO of Life360 Inc., provided details about the extortion attempt in an official release: "Similar to many other companies, Life360 recently became the victim of a criminal extortion attempt. We received emails from an unknown actor claiming to possess Tile customer information." Upon receiving these emails, Life360 swiftly initiated an investigation. The company detected unauthorized access to a Tile customer support platform, though notably, the breach did not affect the Tile service platform itself. The compromised data includes customer names, addresses, email addresses, phone numbers, and Tile device identification numbers. Crucially, it does not include sensitive information such as credit card numbers, passwords, log-in credentials, location data, or government-issued identification numbers, as these were not stored on the affected support platform. "We believe this incident was limited to the specific Tile customer support data described above and is not more widespread," Hulls assured. We take this event and the security of customer information seriously. We have taken and will continue to take steps designed to further protect our systems from bad actors, and we have reported this event and the extortion attempt to law enforcement. We remain committed to keeping families safe online and in the real world."

About Tile and Life360

Tile, much like Apple's AirTag, produces small Bluetooth-enabled devices that help users locate and track items such as keys, wallets, and bags. These devices work in conjunction with a mobile app, allowing users to find lost items using sound alerts or by viewing the last known location of the Tile tracker on a map. Tile is a subsidiary of Life360, the leading connection and safety app used by one in nine U.S. families. With over 66 million members, Life360 offers driving, location, and digital safety features that keep loved ones connected. The app's extensive user base makes the implications of any data breach potentially far-reaching.

Implications of the Life360 Data Breach

While the Life360 data breach did not include highly sensitive data, the exposure of personal information such as names, addresses, and phone numbers can still have significant implications. Such data can be used for targeted phishing attacks, identity theft, and other malicious activities. The breach highlights the importance of cybersecurity measures, particularly for companies managing large databases of personal information. Life360's swift response to the incident and its cooperation with law enforcement demonstrates the company's commitment to transparency and user security.

Moving Forward

In response to the breach, Life360 has reiterated its commitment to enhancing its security infrastructure and safeguarding user information. The company is taking proactive steps to prevent future cybersecurity incidents, including strengthening its cybersecurity protocols and continuing to monitor its systems for potential vulnerabilities. "We remain committed to keeping families safe online and in the real world," Hulls emphasized. The company’s prompt action and transparent communication are crucial in maintaining user trust and addressing concerns related to the breach.

A resident of Moreton Bay, Australia was shocked to discover that the private information of several resident ratepayers in the region, including their friends and neighbors, had been accidentally published on the Moreton Bay council's official website. The leaked information included names, residential addresses, email addresses, and phone numbers, as well as resident complaints to the council and details about council investigations.

Data Breach Discovered By Local Resident

City of Moreton Bay resident Piper Lalonde, who works as a data analyst, had discovered the breach along with her husband. They were shocked to learn that their personal information was freely available on the council's customer request online portal. The couple had discovered that the information included their phone numbers,  complaints, and requests that they had made for new bins, along with the GPS coordinates of where the requests had been filed. A further investigation into the breach had revealed that the personal information of some of their friends and neighbors who were fellow ratepayers were also available in the records after they conducted a search. Piper reported this information to the council, with the website being taken down the next day. However, she was still unsatisfied with the lack of notification about the incident to impacted residents. Piper stated, "I would expect they'd have to send out some formal communication letting people know their information was publicly accessible, but there was no indication they were going to do that." She expressed concern about the possibility of people stumbling upon complaints made about them by other residents. She added, "If this gets in the wrong hands — it just takes one person to see a complaint about them, and who knows what they'll do."

City of Moreton Bay Responses to Data Breach

After Piper's report, the website was said to be taken down. The site appears to be functional as of now, with some functions still limited. The website includes an official notice in response to the incident. [caption id="attachment_76878" align="alignnone" width="2204"] Source: moretonbay.qld.gov.au[/caption]

We are experiencing system difficulties with our customer request portal. Our third-party provider is investigating a possible information breach. The cause is yet to be determined but there is no indication this is a cyber attack. We will never contact you via unsolicited calls to request sensitive information. No action is required from you at this stage. We will continue to keep you informed.

The notice appears to indicate that the breach stemmed from a third-party provider. The Cyber Express team has reached out to the Moreton Bay Council's Privacy Officer for further information on the breach, however no response has been received as of publication time. The potential scale of the data breach, as well as its impact on residents, is currently unknown. It is also unclear on how many individuals may have accessed the available data before the website had been temporarily taken down and subsequently limited. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

The United Kingdom and Canada privacy watchdogs announced a joint investigation this week to determine the security lapses in the genetic testing company 23andMe’s October data breach, which leaked ancestry data of 6.9 million individuals worldwide. The UK Information Commissioner John Edwards and Privacy Commissioner of Canada Philippe Dufresne will lead the investigation, pooling the resources and expertise of their respective offices.

Focus of 23andMe Data Breach Investigation

The joint investigation will examine three key aspects:

• Scope of Information Exposed: The breadth of data affected by the breach and the potential harm to individuals arising from it.
• Security Measures: Evaluate whether 23andMe had adequate safeguards to protect the sensitive information under its control.
• Breach Notification: Review whether the company provided timely and adequate notification to the regulators and affected individuals, as mandated by Canadian (PIPEDA) and UK (GDPR) data protection laws.

Edwards said the investigation was needed to garner the trust of people in organizations that handle sensitive personal data. He stated:

“People need to trust that any organization handling their most sensitive personal information has the appropriate security and safeguards in place. This data breach had an international impact, and we look forward to collaborating with our Canadian counterparts to ensure the personal information of people in the UK is protected.”

Dufresne on the other hand stated the risks associated with genetic information in the wrong hands. He said:

“In the wrong hands, an individual’s genetic information could be misused for surveillance or discrimination. Ensuring that personal information is adequately protected against attacks by malicious actors is an important focus for privacy authorities in Canada and around the world.”

The data protection and privacy laws in the UK and Canada allow such joint investigations on matters that impact both jurisdictions. Each regulator will assess compliance with the relevant laws they oversee. Neither of the privacy commissioner offices however provided further details on how they would charge or penalize 23andMe, if found in violation of GDPR or PIPEDA. “No further comment will be made while the investigation is ongoing,” the UK ICO said. 23andMe acknowledges the joint investigation announced by the Privacy Commissioner of Canada and the UK Information Commissioner today.

“We intend to cooperate with these regulators’ reasonable requests relating to the credential stuffing attack discovered in October 2023,” a 23andMe spokesperson told The Cyber Express.

Genetic Testing Company 23andMe Data Breach Timeline

23andMe first disclosed details of the October data breach in an 8-K filing with the U.S. Securities and Exchange Commission. The genetic testing company said attackers scraped profiles of 23andMe users who opted in to using the company’s DNA Relatives feature. This profiling feature connects users with genetic distant relatives - or other 23andMe users who share their bits of DNA. The attackers used credential stuffing attacks that affected 0.1% of user accounts, the company told SEC. Using these accounts as a launchpad, hackers were able to access “a significant number of files containing profile information about other users' ancestry.” Threat actors claimed on underground forums that they were able to siphon “20 million pieces of code” from 23andMe. The claimed data set included information DNA ancestry backgrounds belonging to more than 1.3 million Ashkenazi Jewish and Chinese users. By the end of October, another threat actor claimed compromise of 4 million genetic profiles, which the company also investigated. The genetic testing company 23andMe said it notified the affected 6.9 million users - 5.5 million DNA Relatives profiles and 1.4 million Family Tree profile – in December. The company told federal regulators that the data breach incident was set to incur between $1 million and $2 million in one-time expenses. The company faces at least 30 class action lawsuits in U.S.state and federal jurisdictions as well as in Canada. 23andMe blamed the customers’ poor security hygiene for the breach and has since made two-step verification a prerequisite for account logon. It also mandated customers to reset their passwords. *Update 1 (June 12 – 12:00 AM EST): Added response from the 23andMe spokesperson.

Pure Storage, a provider of cloud storage systems and services, has confirmed and addressed a security incident involving unauthorized access to one of its Snowflake data analytics workspaces. This workspace contained telemetry information used by Pure Storage to provide proactive customer support services. The Pure Storage data breach involved a third party temporarily gaining access to the workspace, which housed data such as company names, LDAP usernames, email addresses, and the Purity software release version number. Importantly, no sensitive information like credentials for array access or any other data stored on customer systems was compromised. "Such information is never and can never be communicated outside of the array itself, and is not part of any telemetry information. Telemetry information cannot be used to gain unauthorized access to customer systems," stated Pure Storage in an official statement.

Pure Storage Data Breach: Investigation Ongoing

Upon knowing about the cybersecurity incident, Pure Storage took immediate action to block any further unauthorized access to the workspace. The company emphasized that no unusual activity has been detected on other elements of its infrastructure. “We see no evidence of unusual activity on other elements of the Pure infrastructure. Pure is monitoring our customers’ systems and has not found any unusual activity. We are currently in contact with customers who similarly have not detected unusual activity targeting their Pure systems,” reads the official statement. Preliminary findings from a cybersecurity firm engaged by Pure Storage support the company's conclusions about the nature of the exposed information. Pure Storage simplifies data storage with a cloud experience that empowers organizations to maximize their data while reducing the complexity and cost of managing the infrastructure behind it. Thousands of customers, including high-profile companies like Meta, Ford, JP Morgan, NASA, NTT, AutoNation, Equinix, and Comcast, use Pure Storage's data storage platform.

Context of Recent Snowflake Cybersecurity Incidents

Before the Pure Storage data breach, Advance Auto Parts, Inc., a significant provider of automobile aftermarket components, allegedly suffered a massive data breach. A threat actor known as “Sp1d3r” claimed responsibility, alleging the theft of three terabytes of data from the company’s Snowflake cloud storage, which is reportedly being sold for $1.5 million. Live Nation, the parent company of Ticketmaster, also confirmed "unauthorized activity" on its database hosted by Snowflake, a Boston-based cloud storage and analytics company. In a joint advisory with Mandiant and CrowdStrike, Snowflake revealed that attackers used stolen customer credentials to target accounts lacking multi-factor authentication protection. Mandiant linked these attacks to a financially motivated threat actor tracked as UNC5537 since May 2024. This malicious actor gains access to Snowflake customer accounts using credentials stolen in historical infostealer malware infections dating back to 2020. These cyberattacks have targeted hundreds of organizations worldwide, extorting victims for financial gain. So far, the cybersecurity firm has identified hundreds of customer Snowflake credentials exposed in Vidar, RisePro, Redline, Racoon Stealer, Lumm, and Metastealer malware attacks. Snowflake and Mandiant have notified around 165 organizations potentially exposed to these ongoing cyberattacks.

In the first part of our series, we disclosed how an exclusive report by The Cyber Express played a pivotal role in the arrest of the hacker responsible for the Hawk Eye app data breach in India. In this second article, we highlight the methods employed by the police to track down the hacker, explore his motives, and discuss the future direction of the investigation.

Hawk Eye App Data Breach: Who is the hacker?

The breach of the Hawk Eye App, a crime reporting forum for citizens in the Indian state of Telangana, was unearthed after a threat actor, who goes by the name “Adm1nFr1end”, offered the personal data of over 200,000 citizens for sale on the BreachForums online hacker site. The hacker shared sample data containing names, email addresses, phone numbers, physical addresses, and location coordinates. Soon after The Cyber Express reported the incident on May 31, the Telangana Police registered a suo moto case just days later on June 4. In its First Information Report (FIR), a written document prepared by the police in India to detail a cognizable offense, the cops in Telangana acknowledged The Cyber Express report and confirmed that the app had been breached.  Meanwhile, the hacker “Adm1nFr1end” continued his spree of cyberattacks and on June 5, breached another app of the Telangana Police called TSCOP which had data of police officers, criminals and gun license holders. The police quickly got into the act and a team of investigators from the Telangana Cyber Security Bureau (TG-CSB) tracked down the accused hacker in Greater Noida, a prominent suburb close to the nation’s capital, New Delhi.  The accused was identified as Jatin Kumar, a 20-year-old undergraduate student pursuing BCA (Bachelor of Computer Applications). 

Hacker Planned Cyberattacks on More Indian Cities

An investigating officer from the Telangana Police, who did not wish to be named, told The Cyber Express that, “Accused Jatin had initiated comprehensive monitoring and vulnerability assessment & penetration testing (VAPT) not only from the Telangana Police but also gained access to police data in the external and internal storage networks and mobile apps in Delhi, Mumbai and other metro cities. He planned to carry out cyberattacks on those cities as well.  “As far as Telangana police data is concerned, prima facie, it looks like the accused gained access to certain data on Hawk Eye app due to weak or compromised password. Despite his best efforts to mask his identity, we tracked him down,” the police source stated.  Without revealing much, the source in the Telangana Police said that the TG-CSB traced him by “running a parallel operation using advanced software and social engineering techniques.”  The police added that Jatin used a fake identity and conducted transactions in cryptocurrency using multiple addresses.  Investigation revealed that the accused had reportedly been into hacking since 2019 and had saved the breached data in his system. Jatin had a history of alleged cybercrimes and was previously arrested in 2023 in New Delhi for leaking data on Aadhar (a biometric identity card for Indian citizens) and sensitive data related to other agencies. However, a chargesheet has yet to be filed against him.  Hawk Eye App Data Breach: A Larger Network of Hackers? Despite the arrest of Jatin, the police are now investigating the possible involvement of a larger network of hackers.  “Jatin had posted the breached data on BreachForums and was selling it for $150 USD. He then asked interested buyers to contact him through Telegram IDs ‘Adm1nfr1end’ and ‘Adm1nfr1ends’ to purchase the data for HawkEye and TSCOP apps. But we are not sure if he is the only culprit. We are now probing if the app data was sold and if so, are tracking down the purchasers through data from crypto wallets,” the police official told The Cyber Express.  The Telangana Police are still currently in New Delhi and are completing the paperwork to bring the accused on a transit remand to Hyderabad (the capital of Telangana) for custody and further investigation.

In a massive breakthrough, an exclusive news report published by The Cyber Express has led to the arrest of a hacker who threatened to sell sensitive data of 200,000 citizens in Telangana State in India. The Hawk Eye App Data Breach was reported by The Cyber Express on May 31, 2024, which stated how a hacker claimed to reveal personal information of users of Hawk Eye, a popular citizen-friendly app of the Telangana State police. [caption id="attachment_73712" align="alignnone" width="720"] Source: Hawk Eye App on Android[/caption] The Telangana Police further acknowledged that the news report on The Cyber Express gave them crucial leads that led to the arrest of the hacker. In the First Information Report (FIR), a written document prepared by the police in India to detail a cognizable offence, the Telangana Police revealed that it was based exclusively on this report by The Cyber Express, that they were also able to verify the data breach on the Hawk Eye app.

Background of Hawk Eye App Data Breach

The Hawk Eye App was launched by the Telangana Police in December 2014 for both Android and iPhone users as part of its initiative to become a citizen-friendly and responsive police force. Denizens were encouraged to use the app to report on a wide range of activities, including traffic violations, passing on information about criminals, violations by police, and crime against women, and also to pass on suggestions to the lawmen for improved policing and to credit the good work done by them. A key feature of the app is the SOS button for accessing help in case of emergencies. On May 29, 2024, a threat actor, who goes by the name “Adm1nFr1end”, revealed that he had breached the Hawk Eye app. He shared that the stolen database had sensitive data of over 200,000 citizens, including their Personally Identifiable Information (PII), names, email addresses, phone numbers, physical addresses, IMEI numbers, and location coordinates. The threat actor had posted samples of the data breach on hacking website BreachForums and was selling this compromised data for USD $150. [caption id="attachment_73714" align="alignnone" width="1123"] Source: X[/caption]

Arrest of Hawk Eye App Data Breach Hacker

In the aftermath of the news report published on this website, the Telangana Police registered a suo moto case on June 4. “We have registered a case and are investigating the hacking allegations and suspected data breach,” said Telangana Cyber Security Bureau (TGCSB) Director Shikha Goel. On June 9, the Telangana Police reported that its Cyber Security Bureau has apprehended a hacker involved in the Hawk Eye app data breach. “Acting swiftly, the TGCSB investigators travelled to Delhi, where they identified and arrested the hacker, who had claimed to have posted the compromised data on a public platform for a price,” the police said in a statement. Sharing details of the arrest, Director General of Police of Telangana Police, Ravi Gupta, who is the top cop of the state, said that the police had used advanced tools to successfully unveil the hacker's identity. He, however, refrained from elaborating on the techniques used to arrest the hacker to ensure secrecy. “The hacker had posted details of the breach on databreachforum.st, offering the compromised data for sale at $150 USD. He provided the Telegram IDs “Adm1nfr1end” and “Adm1nfr1ends” for interested buyers to contact him regarding the Hawk Eye data,” Ravi said. The alleged hacker was identified as Jatin Kumar, a 20-year-old student and a resident of Greater Noida, a prominent suburb in Delhi's National Capital Region. The police also shared that he was arrested earlier in a case for cybersecurity fraud. (This is Part 1 of the article. Click here to learn more about the hacker, why he was selling the data and how the police tracked him down)

Data breaches affecting customers of the cloud storage provider Snowflake have hit about 165 organizations so far, according to a Google Mandiant report published today. While initial claims linked the Snowflake breach to the cloud provider’s own environment, Mandiant said its investigation backs up Snowflake’s assertion that the breaches came from compromised customer credentials, many of which did not have multi-factor authentication enabled. Some of the high-profile organizations hit in the attack have included Ticketmaster, Advance Auto Parts, Santander, and more.

Snowflake Breach Discovered in April

Mandiant is attributing the breach to UNC5537, “a financially motivated threat actor suspected to have stolen a significant volume of records from Snowflake customer environments. UNC5537 is systematically compromising Snowflake customer instances using stolen customer credentials, advertising victim data for sale on cybercrime forums, and attempting to extort many of the victims.” The threat group is based in North America, with an additional member in Turkey, Mandiant said. “Mandiant's investigation has not found any evidence to suggest that unauthorized access to Snowflake customer accounts stemmed from a breach of Snowflake's enterprise environment,” Mandiant researchers wrote. “Instead, every incident Mandiant responded to associated with this campaign was traced back to compromised customer credentials.” Mandiant first saw evidence of the Snowflake data breach campaign in April, when the company “received threat intelligence on database records that were subsequently determined to have originated from a victim’s Snowflake instance.” In the subsequent investigation, Mandiant found that the organization’s Snowflake instance had been compromised by a threat actor using credentials previously stolen with infostealer malware. “The threat actor used these stolen credentials to access the customer’s Snowflake instance and ultimately exfiltrate valuable data,” Mandiant said. At the time of the compromise, the account did not have multi-factor authentication (MFA) enabled.

Hackers Used Credentials from Infostealer Campaigns

Mandiant said its investigations so far into hacked Snowflake customers found that UNC5537 was able to obtain access via stolen customer credentials that were “primarily obtained from multiple infostealer malware campaigns that infected non-Snowflake owned systems.” Some of those infostealer infections date back as far as 2020, using infostealer malware variants such as VIDAR, RISEPRO, REDLINE, RACOON STEALER, LUMMA and METASTEALER. Initial access to Snowflake customer instances often occurred via the native web-based UI (SnowFlake UI AKA SnowSight) or command-line interface (CLI) tool (SnowSQL) running on Windows Server 2022. Mandiant identified additional access leveraging an attacker-named utility, “rapeflake,” which Mandiant is tracking as FROSTBITE. [caption id="attachment_76343" align="alignnone" width="750"] Snowflake breach attack path (source: Mandiant)[/caption] In addition to a lack of MFA, Mandiant said some affected accounts had not updated credentials since they had been stolen, even after significant time had elapsed. The affected Snowflake instances also did not use network allow lists to only allow access from trusted locations. A list of suspect IP addresses can be found on VirusTotal, and Snowflake has also published detailed security information, including indicators of compromise (IoCs).

A dark web actor named "komarod” is claiming credit for a June 8 Shadow PC data breach, allegedly stealing data from the UK-based cloud service provider. The Shadow PC cybersecurity incident has raised concerns about the security of Shadow's systems and the safety of user data. The leaked database shared on an English-language cybercrime forum called Leakbase contains a staggering 545,014 records. These records encompass a range of data fields such as ID, email, first name, last name, user creation date, and billing address, all encapsulated in a JSON format.

Understanding the Shadow PC Data Breach Claims

[caption id="attachment_76271" align="alignnone" width="988"] Source: Dark Web[/caption] Shadow.tech, a cloud computing service developed by the French company Blade, has been at the forefront of innovative cloud technology, offering users the capability to run video games and other Windows software applications remotely on Windows 10 servers. This service, acquired by OVHcloud founder Octave Klaba in 2021, has garnered significant attention in the IT & ITES industry. The impact of the Shadow PC data breach extends to both Shadow.tech and its parent company, Blade. With the leak affecting users primarily in the United Kingdom and across Europe, concerns about the safety of personally identifiable information (PII) have heightened. While the cyberattack has yet to be officially confirmed by Shadow.tech or Blade, the threat actor's post on the cybercrime forum indicates a breach in the system's security defenses. The lack of an official statement or response from the organization has left the claims regarding the Shadow data breach unverified.

Previous Shadow.tech Cybersecurity Incidents

Interestingly, despite the Shadow PC data leak, the website remains operational, showing no immediate signs of a cyberattack. This suggests that the hacker group may have targeted the backend of the website, focusing on data extraction rather than launching a front-end assault such as a DDoS attack or website defacement. However, this is not the first time Shadow.tech has faced cybersecurity challenges. In a previous incident in 2023, the company experienced a similar breach where customer data was compromised due to a social engineering attack against one of its employees. Over half a million customers were potentially impacted by the breach, raising concerns about the security measures in place at Shadow. CEO Eric Sele, while acknowledging that breach, refrained from disclosing the exact number of individuals affected. Despite claims from the threat actor regarding the sale of stolen data on a cybercrime forum, the company remained tight-lipped about the specifics of the breach and its implications for customers. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

VIT Bhopal University, a leading academic institution in India, has allegedly been hit by a significant data breach, raising concerns among 8,000+ students and faculty alike. The alleged VIT Bhopal Data Breach was first reported on June 10, 2024, on the notorious data hacking website BreachForums.The Threat Actor (TA) has claimed to have leaked valuable data, raising concerns about the security of sensitive student and faculty information.

VIT Bhopal Data Breach Decoded

VIT Bhopal was established in 2017 and is a deemed university located on the outskirts of Bhopal, the capital city of the state of Madhya Pradesh. The institution is authorized by the University Grants Commission (UGC), which is a statutory organization of the Government of India for the maintenance of standards of teaching, examination, and research in university education. VIT Bhopal ranks among the top universities in India. As per the National Institutional Ranking Framework (NIRF) Ranking, it stands in 65th position amongst all the universities in India. It offers specialized programs across various disciplines, including engineering, technology, management, and architecture. Streams like mechanical engineering, computer science and engineering, artificial intelligence and robotics are particularly popular among students pursuing higher education here. [caption id="attachment_76218" align="alignnone" width="792"] Source: FalconFeedsio on X[/caption] According to a post on BreachForums, the threat actor has shared screenshots of the hack and claims to possess the following information:. ID: Unique Identification number assigned to each student and faculty member of the university Username: Login credentials of all the stakeholders used to access university portals, maintain and share records, post newsletters, and research materials confined to the institution. Full name: First and last name of the students and faculty of VIT Bhopal. Email: This contains email addresses of stakeholders, which is the official mode of communication for announcements, course materials and student-faculty interactions. Password: If this data is compromised, it poses significant risk as it could grant unauthorized access to personal accounts and university resources. User Activation Key: This could be a unique code required for initial account activation or password resets.

VIT Bhopal Data Breach Leaves Students Anxious

The news of the alleged data breach has understandably caused anxiety among the current batch of students. They are worried over the threat of stolen passwords, emails, and information, including research material, being used for malicious purposes. The students are worried of being vulnerable to targeted phishing attacks, where hackers use stolen email addresses to send data that appears to be from legitimate sources, such as the university administration. These emails might trick students into revealing their personal data or clicking on malicious links that could infect their devices with malware. The university has yet to react to the alleged data breach. There is no clarity yet on the extent of the breach, the extent of the information compromised, or the steps taken by the university to address the situation. The article will be updated once there is any public information shared by the university. While the university investigates the situation, students and staff can take a few healthy steps to protect themselves. This includes being wary of phishing attempts by hackers, monitoring suspicious links, and keeping an eye out for any unusual activity on their accounts, such as unauthorized login attempts or changes to their profile information. They can also enhance their security measures by enabling Two-Factor Authentication (2FA) and change their passwords regularly. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

The New York Times has issued a statement after someone leaked source code allegedly belonging to the news giant. 

The post New York Times Responds to Source Code Leak appeared first on SecurityWeek.

Absolute Telecom Pte Ltd, a prominent telecommunications company based in Singapore, has fallen victim to an alleged cyberattack.  The Absolute Telecom data breach, allegedly on May 15, 2024, has been attributed to a hacker known as "GHOSTR," who claims to have infiltrated and compromised the company's server networks.  This Absolute Telecom data leak has resulted in the exposure of sensitive data totaling over 34GB, including internal information such as login credentials, passwords, and subscriber details.

Decoding the Absolute Telecom Data Breach Claims

[caption id="attachment_76122" align="alignnone" width="1280"] Source: Dark Web[/caption] The compromised data in this Absolute Telecom data breach encompasses a range of crucial information, including corporate records, accounting data, sales statistics, customer particulars, full credit card details, and call records. GHOSTR, in a post on a hacker forum, boasted about the successful breach and the acquisition of the extensive database belonging to Absolute Telecom Pte Ltd. Attempts to reach out to Absolute Telecom for clarification on the extent and impact of the breach have been impeded by the unavailability of their website, which is currently offline and unresponsive. This outage has hindered communication with the organization, leaving many questions unanswered regarding the security implications and measures being taken to address the breach. After the alleged cyberattack on Absolute Telecom's website, users attempting to access the site may encounter a 'took too long to respond' error message. This service disruption indicates the impact of the breach on the company's digital infrastructure, highlighting the severity of the situation and the challenges faced in restoring normalcy to their online operations.

Who is the GHOSTR Hacker Group?

GhostR, a financially driven threat actor, gained notoriety for pilfering a confidential database of 5.3 million records from World-Check. They also leaked approximately 186GB of data from a stock trading platform. GhostR's activities on Breachforums include exposing extensive data breaches affecting Thai users, and revealing personal information like full names, phone numbers, email addresses, and ID card numbers. As of now, there are no associated families linked with this actor. The cyberattack on Absolute Telecom underscores the persistent threat posed by malicious actors seeking to exploit vulnerabilities in digital infrastructure. As organizations continue to rely heavily on technology to conduct their operations, safeguarding against cyber threats remains paramount to protect sensitive data and maintain the trust of customers and stakeholders alike. This is an ongoing story and The Cyber Express will be closely monitoring the situation. We'll update this post once we have more information on the alleged Absolute Telecom data breach or any official confirmation from the organization. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Auction house Christie's says the data breach caused by the recent ransomware attack impacts the information of 45,000 individuals.

The post Christie’s Says Ransomware Attack Impacts 45,000 People appeared first on SecurityWeek.

Hackers claim to have hit BlackBerry Cylance and The New York Times in separate, unrelated incidents, but only the New York Times hack may be significant, as BlackBerry officials say that data purporting to be from their company appears to be several years old and out of date. Data from both incidents have been put up for sale on the dark web. The New York Times confirmed that its code base was hacked on GitHub, while Blackberry may have been the victim of an old third-party data breach dating from before its acquisition of Cylance.

Cylance Breach Claims Disputed By BlackBerry

Claims of the Cylance breach were posted on BreachForums by a poster who goes by Sp1d3r and discussed on X and Reddit, among other places. The poster claims to have data from Cylance customers, partners and employees, and 34 million customer and employee emails. The seller is asking $750,000 and claims to have:

• Customer and prospect email and personally identifiable information
• Products used by organizations
• Sales prospects list with activity status
• Cylance partners list
• Cylance users list

The seller posted a list of the data sets in their possession, which looks like it could be from a CRM database: In a statement to The Cyber Express, BlackBerry Cylance said its investigation is ongoing, but “BlackBerry Cylance systems and products remain secure and are being closely monitored by our security operations team as part of our ongoing commitment to the security of our customers’ data. Based on our investigation to date, we do not believe that BlackBerry data and systems related to our customers, products, and operations have been compromised.” The company’s initial reviews of the data in question suggest that “no current Cylance customers are impacted, and no sensitive information is involved. The data in question was accessed from a third-party platform unrelated to BlackBerry and appears to be from 2015-2018, predating BlackBerry’s acquisition of the Cylance product portfolio.” “We continue to monitor this situation closely and will take all necessary precautions to maintain the integrity of our products and systems and the trust of our customers.”

New York Times Source Code Hacked on GitHub

News of the New York Times data breach was initially reported by vx-underground, which said someone on 4chan had leaked 270GB of source code belong to the newspaper. The poster claimed the Times has more than 5,000 source code repositories, and less than 30 are encrypted. The data included 3.6 million files in all. While the hacked data appears to include IT documentation and source code, the organization reported that its corporate systems and operations are unaffected.

In episode 333 of the Shared Security Podcast, Tom and Scott discuss a recent massive data breach at Ticketmaster involving the data of 560 million customers, the blame game between Ticketmaster and third-party provider Snowflake, and the implications for both companies. Additionally, they discuss Live Nation’s ongoing monopoly investigation. In the ‘Aware Much’ segment, the […]

The post Ticketmaster Data Breach and Rising Work from Home Scams appeared first on Shared Security Podcast.

The post Ticketmaster Data Breach and Rising Work from Home Scams appeared first on Security Boulevard.

💾

A major French telecommunications company, Corse GSM, has allegedly been hit by a massive data breach. It could have a potential impact on millions of its customers. The Corse GSM data breach claims was made by a threat actor, using the alias "ssh_xyz," on popular data hack site BreachForums. In the post, the threat actor claimed to have stolen a massive amount of data containing information on 200,000 users of the telecom company. The hacker claimed that the data was exfiltrated between May 3 and May 25, 2024. To support these claims, the TA included a sample of the data in JSON format, a common method for storing and transmitting data between servers and web applications.

Exploring the Corse GSM Data Breach

The threat actor provided a detailed sample dataset that provided a look into the kind of information that may have been compromised in the breach. The leaked data consists of: User Identification: This covers fields like ID and possibly other unique markers used by Corse GSM for tracking purposes. Personal Details: The breach reportedly involves customer information such as name, last name and phone number. Contact Info: It is said that hackers have also accessed customer email addresses. This raises concerns about targeted phishing attempts. Subscription Information: This may encompass subscription plans, internet packages, and other services subscribed to by customers of Corse GSM. Financial Information: The TA had shared details about the presence of fields like BIC (Business Identifier Code), IBAN (International Bank Account Number), and KYC (Know Your Customer) data. If the above information is true, then it could possibly leverage the risk of financial fraud or identity theft. Blacklist Status: If this data field is included in the leak, it might expose details of a customer who could be blacklisted by Corse GSM for reasons like missed payments or service violations.

Corse GSM Hacker Claims Possession of Financial Details of Customers

If the sample above seems like a precarious scenario for the privacy of customers, the hacker further alleged that the entire leaked database contains a much broader range of information, including: National Identity Card (CNI) Details: CNI or France’s National Identity Card details allegedly leaked by the threat actor could put citizens at huge security risk. The CNI contains fingerprint details, which is a major security breach if the corresponding data is compromised. SEPA Information: Single Euro Payments Area or SEPA data could include bank account details critical for financial transactions. The threat actor is seeking substantial sums for the database on the dark web, suggesting that the hacker believes the information holds significant value for malicious actors.

Corse GSM Yet to React to Data Breach Claims

Corse GSM has not reacted or issued any official statement regarding the alleged data breach. This article will be updated once the company responds to the allegations and takes action to prevent crucial data from being misused. Meanwhile, customers can take preventive steps like changing passwords and login credentials of accounts linked to Corse GSM. They should also be wary and not fall victim to phishing attempts. Fraudsters could use the leaked email addresses to send fraudulent links. They should also monitor their bank accounts linked to the subscription of Corse GSM mobile plans. They should also relay information of any suspicious activity to law enforcement authorities. The potential data breach at Corse GSM highlights the ever-present threat of cyberattacks and the importance of robust data security practices. Telecommunications companies handle a vast amount of sensitive customer information, making them prime targets for hackers. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

A threat actor has come forward, asserting responsibility for a significant breach in the security infrastructure of HopSkipDrive, a well-known rideshare service connecting families with reliable drivers. This HopSkipDrive data breach, allegedly occurring in June 2023, has led to the unauthorized access of sensitive data belonging to the company's drivers. According to the claims made by the hackers, HopSkipDrive's network and cloud infrastructure fell victim to this breach, resulting in the exposure of detailed personal information stored within its database. This compromised data reportedly includes a trove of 60,000 folders, each containing comprehensive details about individual users, ranging from driving licenses and insurance documents to vehicle inspection records and more.

Decoding the HopSkipDrive Data Breach Claims

The threat actor has purportedly made public a staggering 500GB of sensitive information, encompassing various personal identifiers such as first and last names, email addresses, Social Security Numbers (SSNs), home addresses, zip codes, and even countries of residence.  Additionally, the leaked data from this data leak HopSkipDriveallegedly includes source code snippets, including private admin panel information, alongside driving licenses, insurance particulars, vehicle inspection records, selfie photographs, and even criminal records. In a dark web post, the threat actor claimed responsibility, stating, "We disclose all HopSkipDrive data publicly. Indeed, in June 2023, we compromised the company's network and cloud infrastructure of HopSkipDrive." The HopSkipDrive data leak post further details the nature of the compromised data, providing evidence of the breach's magnitude and the extent of information exposed.

HopSkipDrive Data Leak Investigation

Efforts to verify these claims have been met with silence from HopSkipDrive, as the organization has yet to issue an official statement or response regarding the alleged data breach. Despite this lack of confirmation, the severity of the situation cannot be overstated, with the potential implications for affected drivers and their privacy remaining a cause for concern. Interestingly, despite the reported breach, the HopSkipDrive website appears to be operational, showing no immediate signs of an attack. This suggests that the threat actor may have gained access to the data without launching a visible front-end assault, such as a Distributed Denial of Service (DDoS) attack or website defacement. As the investigation into the HopSkipDrive data breach continues, the priority lies in addressing the security vulnerabilities that allowed such unauthorized access to occur. Additionally, affected individuals must remain vigilant and take necessary precautions to safeguard their personal information against potential misuse or exploitation in the aftermath of this breach. This is an ongoing story and The Cyber Express will be closely monitoring the situation. We’ll update this post once we have more information on the alleged HopSkipDrive data leak or any official confirmation from the organization. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Guardian Analytics Inc. and Webster Bank N.A. have agreed to pay over $1.4 million to resolve claims stemming from a data breach in 2022. The Guardian Analytics and Webster Bank data breach compromised the personal information of approximately 192,000 individuals, leading to allegations of inadequate protection of sensitive customer data. The settlement, which received final approval in federal court, addresses grievances brought forward in a consolidated class action lawsuit. Plaintiffs contended that both Guardian Analytics, a provider of data analytics services to financial institutions, and Webster Bank, failed to implement sufficient measures to safeguard sensitive customer information, including names, Social Security numbers, and financial account details.

Going Back to Guardian Analytics and Webster Bank Data Breach

During the Guardian Analytics data breach, unauthorized individuals gained access to Guardian's network systems between November 27, 2022, and January 26, 2023, obtaining the personally identifiable information (PII) of plaintiffs and class members. This data breach left affected individuals vulnerable to identity theft and other forms of fraud. The plaintiffs alleged that the defendants, Guardian Analytics and Webster Bank, breached their duty to implement and maintain adequate security measures, thereby allowing the breach to occur. As a result, plaintiffs and class members suffered various damages, including a significant risk of identity theft, loss of confidentiality of their PII, and financial losses due to inadequate data security measures.

The $1.4 Million Data Breach Lawsuit

The Guardian Analytics and Webster Bank data breach settlement agreement includes provisions to reimburse affected individuals for monetary losses, covering up to $5,000 for direct financial losses and up to $250 for ordinary losses. Additionally, the agreement compensates for four hours of lost time incurred by plaintiffs dealing with the aftermath of the breach. Individual plaintiffs, including Mark S. Holden, Richard Andisio, Edward Marshall, Ann Marie Marshall, Arthur Christiani, Johnielle Dwyer, Pawel Krzykowski, and Mariola Krzynowek, represented the class action lawsuit. Each plaintiff cited damages suffered as a result of the breach, ranging from financial losses to significant time spent rectifying the situation and monitoring accounts for fraudulent activity. The settlement serves as a reminder of the importance of robust data security measures in an era where cyber threats are increasingly prevalent. Both Guardian Analytics and Webster Bank have emphasized their commitment to enhancing security protocols to prevent similar incidents in the future. The legal proceedings shed light on the grave consequences of data breaches, including prolonged periods of identity theft resolution and financial instability for affected individuals. As technology continues to evolve, businesses must prioritize cybersecurity to protect customer data and maintain trust in an increasingly digital world.

Frontier Communications is notifying over 750,000 individuals that their personal information was stolen in a recent data breach.

The post 750k Impacted by Frontier Communications Data Breach appeared first on SecurityWeek.

A massive data breach has allegedly been reported in the Indian state of Tamil Nadu, where apparently data of over 600,000 migrant employees has been leaked on dark web. A thread actor, who identified himself as Pills, claimed to have allegedly leaked the data. In a post on June 4, 2024, on the popular hacking site BreachForums, the threat actor claimed to be selling the complete database of migrant workers in Tamil Nadu.

Why Migrant Workers Flock to Tamil Nadu for Employment?

Tamil Nadu is one of the most industrialized states in India and is the country’s major hub for automobile manufacturing, textiles, agritech, and electronics parts and equipment. Owing to huge demand for workers in these sectors, which offer better salaries and continuous employment, laborers from other states tend to migrate to Tamil Nadu. Though the exact number of migrant workers currently working in the State is unknown, the number of workers registered on the Labor Department’s portal as of March 2023 is 600,000.

Portal to Track Migrant Workers in Tamil Nadu Allegedly Hacked

To keep track of the influx of migrant workers into the state and to ensure that they are provided with proper facilities, the Tamil Nadu Government launched a portal, http://labour.tn.gov.in/ism, in June 2023. Local entrepreneurs who employed these workers in shops, commercial establishments, hotels, restaurants, agriculture, schools, colleges, local bodies, and motor establishments were asked to create a login ID, submit details like a registration certificate, license number issued by the Labor Department, and fill in details about the migrant workers, such as their name, mobile number, date of birth, bank account details, address, and educational qualifications. [caption id="attachment_75460" align="alignnone" width="1920"] Source: Tamil Nadu Labor Department Website[/caption] Additionally, migrant workers in the construction sector were asked to furnish their employment certificate, age proof (to ensure no minors below the age of 18 were employed),  bank passbook, and documents for legal heir or nominee as a legal heir were to be submitted so that the kin of workers would be eligible for a claim of INR (Indian Rupees) 500,000 in case of death to the worker. Additionally, the workers were eligible for insurance coverage of up to INR 200,000.

Decoding Tamil Nadu Migrant Workers Data Breach

Thread Actor Pills on BreachForums has allegedly carried out a data breach on the above portal, which, at the time of writing this article, continues to remain inactive. According to the information posted by the threat actor, Pills is selling the full database of laborers, that includes a list of registered users and applications. The price quoted by the TA for selling the database is, however, not clear. A closer inspection on the sample data shared by the threat actor revealed that there are 2,356,430 rows of applications, 101,446 rows of contractors and 66,917 rows of registered users. The Tamil Nadu government officials are yet to react to this alleged data breach. The article would be updated based on further input. This is not the first time that a key website of the Tamil Nadu Government has been breached. In May 2024, miscreants hacked the Facial Recognition Software (FRS) portal of Tamil Nadu police.  The portal contained more than 60 lakh records of individuals, including pictures, names, FIR numbers, and details of police officers. It was being used by more than 46,000 people in the department across the state to identify and track suspects, missing people, and others through facial recognition. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Advance Auto Parts, Inc., a significant provider of automobile aftermarket components, has allegedly suffered a massive data breach. A threat actor going by the handle "Sp1d3r" claimed Advance Auto Parts data breach. The threat actor further claims to have stolen three terabytes of data from the company's Snowflake cloud storage. The stolen information is allegedly being sold for US$1.5 million. According to the threat actor, Sp1d3r, post the stolen data includes:

• 380 million customer profiles, containing names, emails, mobile numbers, phone numbers, addresses, and more.
• 44 million Loyalty/Gas card numbers, along with customer details.
• Information on 358,000 employees, though the company currently employs around 68,000 people. This discrepancy suggests the data might include records of former employees.
• Auto parts and part numbers.
• 140 million customer orders.
• Sales history
• Employment candidate information, including Social Security numbers, driver's license numbers, and demographic details.
• Transaction tender details.
• Over 200 tables of various data.

The threat actor has specified that a middleman is required to facilitate the sale of the stolen data, and no dealings will be conducted via Telegram. Furthermore, what’s worth noting is that in its post, the threat actor claimed to sell the stolen information of 358,000 employees, despite the fact that the organization now employs approximately 68,000 people. The disparity could be due to old data from former employees and associates. [caption id="attachment_75319" align="aligncenter" width="815"] Source: X[/caption] [caption id="attachment_75320" align="aligncenter" width="346"] Source: X[/caption] To find answers to these doubts and verify the threat actor's claims, The Cyber Express Team reached out to the officials to verify the breach, however, as of writing this news report no response has been received. Therefore, the confirmation or denial of these claims has yet to be verified. Advance Auto Parts operates 4,777 stores and 320 Worldpac branches primarily within the United States, with additional locations in Canada, Puerto Rico, and the U.S. Virgin Islands. The company also serves 1,152 independently owned Carquest branded stores across these locations, as well as in Mexico and various Caribbean islands.

Advance Auto Parts Data Breach: Linked to Snowflake Cyberattacks

The Advance Auto Parts data breach is part of a recent series of attacks targeting customers of Snowflake, a cloud storage company. These attacks have been ongoing since at least mid-April 2024. Snowflake acknowledged the issue in a statement, informing a limited number of customers who they believe may have been impacted by the attacks. However, Snowflake did not provide specific details about the nature of the cyberattacks or confirm if data had been stolen from customer accounts. This incident follows another significant breach involving Live Nation, the parent company of Ticketmaster. Hackers claimed to have stolen personal details of 560 million customers, and the stolen data was hosted on Snowflake's cloud storage. Live Nation disclosed this breach in a filing to the U.S. Securities and Exchange Commission (SEC), revealing that a criminal actor had offered the company's user data for sale on the dark web. In response to the breach, Snowflake and third-party cybersecurity experts, CrowdStrike and Mandiant, issued a joint statement regarding their ongoing investigation into the targeted threat campaign against some Snowflake customer accounts. They are working diligently to understand the extent of the breach and mitigate its impact. Screenshots shared by the threat actor indicate that the leaked data contains numerous references to 'SNOWFLAKE,' supporting the claim that it was stolen during the recent Snowflake data theft attacks. The full extent of the data breach and its implications for Advance Auto Parts and other companies using Snowflake remains to be seen. With Snowflake's large client base and the significant volume of data they manage, the repercussions could be widespread. Only time will tell how many more companies will disclose their data breaches linked to the recent Snowflake attacks. In the meantime, affected customers and employees are advised to monitor their personal information closely and take necessary precautions to protect their data. Companies utilizing Snowflake's services should stay vigilant and follow cybersecurity best practices to safeguard their data against potential threats. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

A hack on Malaysia's Railway Assets Corporation (RAC) has been reported by a dark web actor. The key entity under Malaysia's Ministry of Transport was the target of the RAC data hack. The threat actor "billy100" carried out this breach and posted its allegations on the BreachForums platform.  The RAC data breach, which was made public on a dark web forum, refers to personnel records that have been allegedly leaked and connected to the Railway Assets Corporation (RAC). There are 481 lines of documents in the compromised database, according to billy100. As evidence, the threat actor provided samples from the CSV files "users_id" and "detail," which included hashed passwords, email addresses, and usernames.

RAC Data Breach Allegedly Exposes Sensitive Information

[caption id="attachment_75309" align="alignnone" width="1445"] Source: Dark Web[/caption] Established under the Railways Act of 1991, the Railway Assets Corporation (RAC) is a federal statutory entity tasked with supporting Malaysia's railway infrastructure. Since its founding in 1992, RAC has played a significant role in bringing the nation's railway industry up to par with other leading nations. Since the corporation is in charge of managing and growing railway assets, it is very important. Sensitive employee data is purportedly hidden in the RAC data breach exposed database. Information about several aspects of personnel records is one of the disclosed details. The two main files that make up the stolen data are users_id.csv, which contains vital user information like IDs, names, emails, passwords, and more, and detail.csv, which offers additional in-depth employee information such as personal identifiers, department information, salary, and dates of birth.

Investigation and Cyberattacks on the Railway Sector

Inquiries on the RAC data loss and potential ransomware gang involvement have been made to the organization by The Cyber Express. However, as of the time of this writing, no formal response or statement had been made, so the allegations regarding the RAC data leak remain unsubstantiated.  Railroads, being essential infrastructure in the digital age, are increasingly vulnerable to cyber threats that endanger both their daily operations and public safety. Attacks on international railway networks in recent times have brought attention to the need for stronger cybersecurity protections. Vulnerabilities brought on by outdated systems, unsecured networking, and IoT devices raise the risks.  Rail operators need to prioritize asset visibility, implement strong authentication, encrypt communication networks, and keep a stockpile of up-to-date patches and upgrades to strengthen security. Ensuring that staff members receive comprehensive cybersecurity training is also essential. If transportation is to continue being reliable and secure in the future, cybersecurity must be fully integrated into railway operations. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

A cybercriminal using the handle Sp1d3r is offering to sell 3 TB of data taken from Advance Auto Parts, Inc. Advance Auto Parts is a US automotive aftermarket parts provider that serves both professional installers and do it yourself customers.

Allegedly the customer data includes:

• Names
• Email addresses
• Phone numbers
• Physical address
• Orders
• Loyalty and gas card numbers
• Sales history

The data set allegedly also includes information about 358,000 employees and candidates—which is a lot more than are currently employed by Advance Auto Parts (69,000 in 2023).

The cybercriminal is asking $1.5 Million for the data set.

Advance Auto Parts has not disclosed any information about a possible data breach and has not responded to inquiries. But BleepingComputer confirms that a large number of the Advance Auto Parts sample customer records are legitimate.

Interestingly enough, the seller claims in their post that the data comes from Snowflake, a cloud company used by thousands of companies to manage their data. On May 31st, Snowflake said it had recently observed and was investigating an increase in cyber threat activity targeting some of its customers’ accounts. It didn’t mention which customers.

At the time, everybody focused on Live Nation / Ticketmaster, another client of Snowflake which said it had detected unauthorized activity within a “third-party cloud database environment” containing company data.

The problem allegedly lies in the fact that Snowflake lets each customer manage the security of their environments, and does not enforce multi-factor authentication (MFA).

Online media outlet TechCrunch says it has:

“Seen hundreds of alleged Snowflake customer credentials that are available online for cybercriminals to use as part of hacking campaigns, suggesting that the risk of Snowflake customer account compromises may be far wider than first known.”

TechCrunch also says it found more than 500 credentials containing employee usernames and passwords, along with the web addresses of the login pages for Snowflake environments, belonging to Santander, Ticketmaster, at least two pharmaceutical giants, a food delivery service, a public-run freshwater supplier, and others.

Meanwhile, Snowflake has urged its customers to immediately switch on MFA for their accounts.

Protecting yourself after a data breach

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

• Check the vendor’s advice. Every breach is different, so check with the vendor to find out what’s happened, and follow any specific advice they offer.
• Change your password. You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
• Enable two-factor authentication (2FA). If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
• Watch out for fake vendors. The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify the identity of anyone who contacts you using a different communication channel.
• Take your time. Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
• Consider not storing your card details. It’s definitely more convenient to get sites to remember your card details for you, but we highly recommend not storing that information on websites.
• Set up identity monitoring. Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after.

Check your exposure

While the Advance Auto Parts data has yet to be confirmed, it’s likely you’ve had other personal information exposed online in previous data breaches. You can check what personal information of yours has been exposed with our Digital Footprint portal. Just enter your email address (it’s best to submit the one you most frequently use) to our free Digital Footprint scan and we’ll give you a report.

---

We don’t just report on threats – we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

Less than a week after The Cyber Express exposed the data breach of a crime reporting app in India’s Telangana State, a hacker has now claimed to have engineered yet another cyberattack on Telangana Police's data. The Thread Actor (TA) has claimed to have carried out the TSCOP App Cyberattack, which is the Telangana Police’s internal crime detection app across all its wings. The massive data breach claims to expose the personal details of police officers, criminals, and gun license holders in Telangana.

Understanding the TSCOP App Cyberattack

TSCOP app was launched on January 1, 2018, to ensure better collaboration and operational efficiency of the police at all levels across the state of Telangana. The app received a boost when it was equipped with the Facial Recognition System (FRS) whereby the police could identify criminals in a few seconds by comparing a suspect's face with lakhs of digital photographs of people, including previous offenders, wanted and those missing stored in the central database. The App was also adjudged the ‘Best IT Project’ in India, for empowering police with information technology. [caption id="attachment_74941" align="alignnone" width="1200"] Source: Telangana Police Website[/caption] The TSCOP App Cyberattack was masterminded by a threat actor who goes by the name “Adm1nFr1end.” The same thread actor was responsible for Telangana Police’s Hawk Eye app data breach last week. The claims of cyberattack on the TSCOP app emerged on June 5, 2024, when the TA posted the alleged leaked data on BreachForums site. According to the TA, the leaked data includes the names, phone numbers and email addresses of police personnel from the Anti-Corruption Bureau, the Anti-Narcotics Bureau, Intelligence, Greyhounds (counter-insurgency wing against terrorists), Home Guards, and a host of other wings of the Telangana Police.

TSCOP App Cyberattack Samples

To substantiate the claims of cyberattack, the thread actor shared a few samples which revealed the phone number, name and designation of police officers. In a few cases, the district and zone of the concerned police officer were also leaked, along with the cop’s IMEI mobile number. But what could be major concern to the police is the leak of data related to criminals who were recently booked. The TA shared samples of offenders who were recently booked, which revealed the operations carried out by the concerned police station, the names, ages, mobile numbers, and addresses of the accused, the date on which they were booked, and in a few cases, the crime for which they were booked. The hacker also shared another sample, which could be of critical concern owing to breach of privacy of citizens. This data breach revealed the names, addresses, voter ids, date of birth and license number of citizens who had applied for a gun license and the reason for holding a weapon.

Experts Site Weak System Behind TSCOP App Cyberattack

When the Telangana Police’s website was hacked last week, cybersecurity experts had warned the cops of multiple attacks in the future. India’s popular data security researcher Srinivas Kodali said, “It is easy to hack into their system as they used basic authentication and encoding.” He condemned the state police for not hiring proper developers and putting the privacy of several thousand users at risk. [caption id="attachment_74951" align="alignnone" width="687"] Source: X[/caption] The Cyber Express has reached out to the Telangana Police, seeking their response on the cyberattack. We will update this story as we get more information. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

A threat actor known as Sanggiero has claimed responsibility for a data breach affecting the UK-based e-commerce platform PandaBuy. The threat actor, who operates on BreachForums, posted an advertisement offering more than 17 million user records for sale. The announcement of PandaBuy data breach comes after Sanggiero partially shared PandaBuy's data on March 31, 2024. PandaBuy, a Chinese online marketplace known for selling counterfeit products, has over one million downloads on Google Play Store and 2.95k reviews. According to the TA's post on the breach fourm, the compromised data includes first name, last name, user ID, email address, order data, order ID, login IP address, country, name of the employee, and hashed password. To prove the authenticity of the breach, Sanggiero shared a screenshot of the compromised JSON file and the total number of records. The hacker claims the data was obtained by exploiting critical vulnerabilities in PandaBuy’s platform and plans to publicly disclose these weaknesses on their blog soon. I would also explain on my blog all the vulnerabilities which have not yet been fixed by PandaBuy," the hacker stated.

PandaBuy Data Breach: Threat Actor Set a Price Tag

Sanggiero is offering the complete database for a price of $40,000. The hacker's post read, “We sell the whole database of PandaBuy. Indeed, you will have seen a few months ago we partially disclosed PandaBuy data. Now we sell all of the data that include 17 millions of lines on users for a price of $40,000.” In addition to the ransom, Sanggiero warned of disclosing the names of PandaBuy employees along with their passwords, which are encoded in base-64. The post also left an open invitation for PandaBuy to resume negotiations to prevent further disclosures. “The names of the employees will also be disclosed with their passwords (encoded in base-64). If PandaBuy wants to resume negotiations, they are welcome. No more time to waste.”

PandaBuy Legal Troubles

This data breach adds to the growing list of troubles for PandaBuy. In April 2024, Chinese authorities targeted the platform for supplying counterfeit goods. Police raided its warehouses, which held millions of packages destined for overseas buyers. The crackdown involved more than 200 public security branch officers, 50 private sector investigators, and local police. The raids led to the detention of over 30 people and the seizure of millions of parcels, including hundreds of thousands of fake branded sports shoes. Prior to this, PandaBuy faced legal action from 16 brands over copyright infringement. The Hangzhou office and several warehouses of PandaBuy were raided, resulting in significant legal and reputational challenges for the company. The investigation, first publicized by World Trademark Review, was carried out in cooperation with the City of London police and several intellectual property protection firms, including Corsearch, Rouse, and Rouse’s China-based strategic partner Lusheng Law Firm.

What This Means for PandaBuy Users

For PandaBuy users, this alleged data breach is a serious concern. The compromised data includes sensitive personal information that could be used for identity theft, phishing attacks, and other malicious activities. Users are advised to:

• Change their PandaBuy passwords immediately.
• Monitor their email accounts for suspicious activity.
• Be wary of phishing emails or messages that may try to exploit the stolen data.

Additionally, PandaBuy users should consider using two-factor authentication (2FA) for their accounts to add an extra layer of security.

Looking Ahead

For PandaBuy, the road to recovery will be challenging. The company not only needs to address the security flaws that led to the alleged PandaBuy data breach but also rebuild trust with its users and partners. The ongoing legal battles over counterfeit goods add another layer of complexity to their situation. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

The BianLian ransomware gang has leaked data allegedly stolen from Australian mining company Northern Minerals.

The post Ransomware Gang Leaks Data From Australian Mining Company appeared first on SecurityWeek.

The US debt collection agency Financial Business and Consumer Solutions (FBCS) has filed a data breach notification, listing the the total number of people affected as 3,226,631.

FBCS is a nationally licensed, third-party collection agency that collects commercial and consumer debts, with most of its activity involving the recovery of consumer debts on behalf of creditors. According to the official statement provided by FBCS, the exposed data includes:

• Full names
• Social security numbers
• Birth dates
• Account information
• Drivers license or other state ID numbers

In some cases, it also includes medical claims information, provider information, and clinical information (including diagnosis/conditions, medications, and other treatment information), and/or health insurance information.

FBCS has sent data breach notifications to those affected, detailing what data was compromised and offering 12 months of free credit monitoring.

Protecting yourself after a data breach

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

• Check the vendor’s advice. Every breach is different, so check with the vendor to find out what’s happened, and follow any specific advice they offer.
• Change your password. You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
• Enable two-factor authentication (2FA). If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
• Watch out for fake vendors. The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify the identity of anyone who contacts you using a different communication channel.
• Take your time. Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
• Consider not storing your card details. It’s definitely more convenient to get sites to remember your card details for you, but we highly recommend not storing that information on websites.
• Set up identity monitoring. Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after.

Scan for your exposed personal data

You can check what personal information of yours has been exposed online with our Digital Footprint portal. Just enter your email address (it’s best to submit the one you most frequently use) to our free Digital Footprint scan and we’ll give you a report.

---

We don’t just report on threats – we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

The RansomHub ransomware group claims to have stolen the information of over 2 million Frontier Communications customers.

The post Ransomware Group Claims Cyberattack on Frontier Communications appeared first on SecurityWeek.

Singapore and Jakarta-based news website Tech in Asia has reportedly suffered a massive data breach. The alleged ‘Tech in Asia Data Breach’ seems to have affected a massive userbase of 230,000 users. The leaked data allegedly contains sensitive user information, which has raised concerns about potential identity theft and targeted attacks.

Understanding the Tech in Asia Data Breach: What Data Was Leaked?

Tech in Asia is headquartered in Singapore and the news website covers topics on startups and innovation in Asia. It was founded in August 2010. Threat Actor (TA) Sanggiero has claimed responsibility for the Tech in Asia Data Breach. The TA has allegedly published the leaked data on a popular hacking forum Breach Forums. The leaked data allegedly contains a significant amount of information pertaining to 230,000 users. Sanggiero also claimed that the sensitive information was breached in June 2024. According to the TA, the following data has been exposed. User ID: Each of 230,000 users has unique ids assigned within the Tech in Asia platform. Tech in Asia ID: The ID is potentially an internal identity which is specifically associated with the news platform Email Address: This is the crucial sensitive information that the users have submitted to the organization which the website uses to communicate apart from verifying their credentials. User Roles: The information that could be exposed includes the permission or access level granted to a user within the platform. Examples includes subscriber, writer or editor. Full Name: This includes sensitive information like both the first and last name details of the user. Display Name: This is the name chosen by the user to be displayed publicly on the Tech in Asia website which may or may not be the actual name. Registration Date: This is the date on which the user created his or her account on the news platform. Avatar URL: The avatar is nothing but the web address of the user's profile picture on Tech in Asia. Author URL: It could potentially be a link to the user’s home page or portfolio on which he or she publishes articles on within the Tech in Asia platform.

Exploiting Vulnerabilities: How Did Tech in Asia Data Breach Occur?

Threat Actor Sanggiero has claimed that he hacked the website and gained access to this large database by exploiting the vulnerabilities within the Tech in Asia's API (Application Programming Interface). API is a software intermediary that allows the TA to run two software applications to communicate with each other. Vulnerabilities within the Tech in Asia’s API could have allowed the hacker to gain unauthorized access to the data of 200,000 + users. The TA infact identified other bugs that allowed him to gain access to the website’s internal services.

What Should Affected Users Do?

These types of data breaches have become common across the globe. While it is currently unclear as to how the TA intends to use the stolen data, users in Tech in Asia must take the following precautionary steps: Change password: Users must immediately change their password on Tech in Asia platform apart from any other accounts that use the same login credentials. Beware of phishing attempts: Now that the hacker revealed that the email ids have been leaked, the users must be wary of targeted phishing attacks. They should not click any emails which requests them to share personal information or that share suspicious links. Monitor accounts: The users must also stay alert for unusual activity on their accounts in the news website or any accounts linked with the leaked email addresses. Tech in Asia Response Awaited At the time of publishing this article, Tech in Asia has yet to release an official statement regarding the data breach. However, it is expected that they will soon address the data breach and outline steps to users to safeguard their data and also on the efforts taken to prevent future data breaches. The article will be updated as more the organization updates its response. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

A recent series of cyberattacks observed on the British Columbia government networks from state hackers may have compromised the personal information of its employees, authorities said. Shannon Salter, head of the B.C. Public Service, on Monday, provided an update on a recent cyber investigation. She disclosed that hackers, who attacked government networks in April "may have" accessed 22 email inboxes of provincial employees. Among these, a few inboxes contained sensitive personal information on 19 individuals, primarily consisting of employee personnel files. Salter confirmed that individuals potentially impacted by the breach have been notified. As a precaution, they will be offered credit monitoring and identity protection services. Despite the potential access, there has been no identified misuse of the information or evidence indicating that specific files were accessed by the threat actor. The investigation so far has not found hackers accessing any sensitive information collected by the government in the delivery of public services. Additionally, officials clarified that the cyberattack was not a ransomware attack and appears to have been carried out by a state or state-sponsored actor. Public Safety Minister Mike Farnworth reiterated Salter's comments and told reporters in a press briefing:

"At this time, we have no indication that the general public's information was accessed."

British Columbia Cyberattacks Timeline

A database linked to an Indian architecture and interior designing firm, Archi Hives, was compromised in a cyberattack. The Archi Hives data breach was attributed to a threat actor known as SirDump. He shared the information regarding a data breach at Archi Hives on June 2, 2024, on the nuovo BreachForums platform, where the threat actor disclosed sensitive details. The stolen information, which was in the form of a zipped file with two CSV files, revealed a wealth of personal and organizational information. Social media handles, billing, and shipping information, and nicknames were all included in the first CSV file.  The second file presents a worrisome image of the scope of the Archi Hives database leak by containing more information such as user logins, passwords, and activation keys. Archi Hives is a well-known architecture and interior design firm founded in the early 1990s and is run by individuals with experience in both fields. 

Archi Hives Data Breach Claimed on Dark Web

The incident had a ripple effect not only on the company but also on the construction sector in India and the larger Asia & Pacific (APAC) region, with the leak's epicenter being its website, archihives.co.in. [caption id="attachment_74580" align="alignnone" width="1262"] Source: Dark Web[/caption] To find out more about the Archi Hives data breach allegations, The Cyber Express contacted the company. However, no official comment or remark has been received regarding this Archi Hives database leak. This leaves the claims for this cyberattack stand unconfirmed right now.

Cyberattacks on Interior Designing Firms

Cyberattacks are a harsh reality for interior design companies, increasing the possibility of data breaches and monetary losses. Studies show that it typically takes 73 days to contain an attack, which can seriously impair operations and cause 60% of small enterprises to fail in less than six months. Each breached record can cost £15,300 to rectify, denting profits, reported Wealth & Finance International. Strong IT rules, frequent data backups, and personnel training are all components of defense. Creating comprehensive incident response protocols and working with 24/7 cybersecurity monitoring services are crucial. Given the constantly changing nature of cyber threats, interior design firms must give top priority to implementing comprehensive cybersecurity measures to safeguard their operations in an increasingly hostile digital environment. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Dkhoon Emirates, a well-known fragrance brand recognized for previous partnerships with Mariaceleste Lombardo and Dominique Moellhausen, has fallen victim to a significant data breach. A cybercriminal has openly taken credit for the attack and is allegedly selling the compromised databases on the dark web. The Dkhoon Emirates data breach potentially exposes personal information from approximately 1,187,492 customer records. The threat actor, Ddarknotevil, also denoted that these documents are said to contain sensitive information such as complete identities, phone numbers, email addresses, and physical addresses. The asking price for this data is set to $4,800 for a one time deal with transactions limited to XMR and BTC.

Dkhoon Emirates Data Breach Claims Surfaces on Dark Web

[caption id="attachment_74222" align="alignnone" width="873"] Source: Dark Web[/caption] If there are no buyers for the information, the cybercriminal responsible for the possible Dkhoon Emirates data breach has made claims, threatening to make the data public. Although the authenticity of these accusations is still unknown, Dkhoon Emirates users need to be on the lookout for any potential phishing attacks. The Cyber Express has reached out to Dkhoon Emirates for clarification and further information regarding the alleged breach. But as of this writing, no formal answer or comment has been received. As a result, the assertions regarding the Dkhoon Emirates data leak are now unsubstantiated.  Interestingly, Dkhoon Emirates is relatively new to the market and has a collection of 22 perfumes in its fragrance base. The threat actor has not disclosed how they obtained the information or whether they plan to negotiate a ransom deal. Rather, the databases are being sold directly on a well-known dark web forum. 

Cyberattack on Fashion and Lifestyle Brands

The Dkhoon Emirates cyberattack joins a trend of targeting fashion and lifestyle brands. One of the most well-known examples of this threat is the hack that happened barely a year ago against Estée Lauder Companies (ELC). Estée Lauder had to take down sections of their network to prevent further data theft, while Dkhoon Emirates is allegedly coping with an issue involving a persistent threat actor.  Notably, the threat actor linked to the Dkhoon Emirates data leak has a history of involvement in prior cyberattacks. The same threat actor claimed responsibility for a breach that in March 2024 affected 3,800 users of cloud solutions provider Okta. On closer inspection, however, contradictions in the claims were found, refuting the allegation that the breach was merely a renaming of previously stolen content. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Sp1d3r, a dark web actor, allegedly stole 2 TB of compressed data from QuoteWizard, a US-based insurance business. According to the threat actor’s post, over 190 million people's sensitive personal data was compromised in this alleged QuoteWizard data breach, which was made public on the dark web forum nuovo BreachForums. The threat actor also claim that the cyberattack on QuoteWizard produced stolen data that included a variety of documents including personally identifiable information (PII), including complete names, partially completed credit card numbers, driving records, and other background information. Furthermore, it was reported that the stolen dataset included more than 3 billion tracking pixel data entries, including addresses, ages, mobile information, and accident at-fault details. Sp1d3r provided a few sample entries from the database and suggested a high asking price of USD 2 million for prospective customers in order to support the assertions.

The Overview of QuoteWizard Data Breach Claims

[caption id="attachment_74008" align="alignnone" width="1332"] Source: Dark Web[/caption] The firm has not disclosed any notice regarding the authenticity of the QuoteWizard data breach, despite the claims of intrusion and the data being auctioned for USD 2 million. However, the dire implications of this breach extend not only to QuoteWizard but also to the broader insurance industry, especially the parent company LendingTree, LLC. Moreover, the threat doesn’t stop here nor does the list of long claims. As Sp1d3r suggests the data stolen from QuoteWizard also includes information from other insurance carriers as well. A huge amount of private information in the wrong hands presents an immediate threat to people's security and privacy.

QuoteWizard Faces Connectivity Issues

In an attempt to find out more about this QuoteWizard data breach, The Cyber Express tried to make contact with the company. However, QuoteWizard's website displays a "403 Forbidden" error notice, suggesting that the company is experiencing difficulties connecting to the internet. This error typically indicates that the server is preventing access to particular resources or portions of the website because it has detected threats or unauthorized activity on the website. This is an ongoing story and The Cyber Express will be closely monitoring the situation. We’ll update this post once we have more information on the alleged  Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Live Nation, the parent company of Ticketmaster, has confirmed "unauthorized activity" on its database after hackers claimed to have stolen the personal details of 560 million customers. The revelation of the Ticketmaster data breach came through a filing to the U.S. Securities and Exchange Commission (SEC), where Live Nation disclosed that a criminal actor had offered what was purported to be company user data for sale on the dark web. In a filing to the US SEC, Live Nation said that on 27 May "a criminal threat actor offered what it alleged to be Company user data for sale via the dark web", and that it was investigating.

Company Mitigating Ticketmaster Data Breach

The company further informed in the filing that they are working to mitigate risk to their users and the Company, and have notified and are cooperating with law enforcement. "As appropriate, we are also notifying regulatory authorities and users with respect to unauthorized access to personal information," reads the filling. The Ticketmaster data breach was initially identified on May 20, 2024. This is when Live Nation detected unauthorized activity within a third-party cloud database environment primarily housing data from its subsidiary, Ticketmaster L.L.C. On knowing this, Live Nation immediately launched an investigation with forensic investigators to determine the extent and nature of the data breach. According to the filing, the company is working diligently to mitigate risks to both its users and its overall operations. The company said in the filing that as of the date of this filing, the incident has not had, and we do not believe it is reasonably likely to have, a material impact on our overall business operations or on our financial condition or results of operations. “We continue to evaluate the risks and our remediation efforts are ongoing,” said the Officials of Live Nations in the filling.

Snowflake Coming Into Picture

What is more interesting is that a spokesperson for Ticketmaster told TechCrunch that its stolen database was hosted on a Boston-based cloud storage and analytics company, Snowflake. The Cyber Express earlier reported that a threat actor had allegedly taken responsibility for data breaches of Ticketmaster and Santander Bank, claiming they stole data after hacking an employee account at Snowflake. However, at that time, Snowflake shot down these data breach claims, attributing the breaches to poor credential hygiene in customer accounts instead. But now in light of the data breach, Snowflake and third-party cybersecurity experts, CrowdStrike and Mandiant, provided a joint statement related to their ongoing investigation involving a targeted threat campaign against some Snowflake customer accounts. Snowflake said in a post that it had informed a “limited number of customers who we believe may have been impacted” by attacks “targeting some of our customers’ accounts.” However, Snowflake did not describe the nature of the cyberattacks, or if data had been stolen from customer accounts. “We believe this is the result of ongoing industry-wide, identity-based attacks with the intent to obtain customer data. Research indicates that these types of attacks are performed with our customers’ user credentials that were exposed through unrelated cyber threat activity. To date, we do not believe this activity is caused by any vulnerability, misconfiguration, or malicious activity within the Snowflake product,” reads the Snowflakes bog.

Some of the Key Findings of Snowflake’s Investigation

• No evidence suggests that the activity was caused by a vulnerability, misconfiguration, or breach of Snowflake’s platform.
• There is no evidence pointing to compromised credentials of current or former Snowflake personnel.
• The campaign appears to be targeted at users with single-factor authentication.
• Threat actors have leveraged credentials obtained through infostealing malware.
• A threat actor accessed demo accounts of a former Snowflake employee, which did not contain sensitive data and were not connected to Snowflake’s production or corporate systems. The accounts were not protected by Multi-Factor Authentication (MFA).

Along with the findings, they have also suggested some of the steps that affected organization need to take:

Recommendations for Enhanced Security

1. Enforce Multi-Factor Authentication (MFA) on all accounts.
2. Set up Network Policy Rules to allow access only to authorized users or from trusted locations (e.g., VPN, Cloud workload NAT).
3. Reset and rotate Snowflake credentials for impacted organizations.

Live Nation’s infrastructure, including that of Ticketmaster, is primarily hosted on Amazon Web Services (AWS). Although AWS had not commented on the breach, a customer case study mentioning their involvement was recently removed from Amazon’s website. Before this, Australian authorities, the Department of Home Affairs announced that it is investigating a cyber incident impacting Ticketmaster customers, “working with Ticketmaster to understand the incident,” said a spokesperson from the department

Ticketmaster and other organizations have been affected by a data breach at cloud AI data platform Snowflake.

The post Snowflake Data Breach Impacts Ticketmaster, Other Organizations appeared first on SecurityWeek.

Dark web actor 888 on BreachForums has alleged a Heineken data breach. The cyber intrusion, according to the threat actor’s post, surfaced on the dark web forum on Monday and alleged leaked databases containing information about “8,174 employees from several countries”. The Cyber Express has analyzed parts of the sample data provided by the threat actor and found that it contains sensitive information about the company’s employees, including ID numbers, emails, and roles of employees within the organization. This dataset is highly sensitive as threat actors could use this data for various malpractices including phishing, blackmailing, and impersonating employees and managers. 

Decoding the Heineken Data Breach Claims 

The threat actor, identified as 888 has claimed similar breaches in the past and for this cyber intrusion, the hackers have listed the names of several employees, along with their email addresses and their work profiles.  The employee names and related email addresses, together with their responsibilities at Heineken, were identified as "sample" in the shared data.  [caption id="attachment_74095" align="alignnone" width="1740"] Source: Dark Web[/caption] The Cyber Express has contacted Heineken to find out additional information regarding the veracity of the data breach. However, at the time of writing this, no official statement or response has been received, thus the allegations regarding the Heineken data leak remain unsubstantiated.  Heineken's website seems to be operating regularly in spite of the purported Heineken data leak. This suggests that the attack may have been directed at particular datasets or databases rather than the company's websites. This observation points to a more focused strategy on the part of the threat actor, who may be trying to obtain confidential employee data without wreaking havoc on the system by deploying techniques like DDoS attacks or website vandalism.

Previous Cybersecurity Incident

Heineken has faced cybersecurity issues before, prior to this event. Over 1.5 million people were impacted by a significant Dutch data breach that the organization was involved in in March 2023. This specific Heineken data leak, which involves the software provider for a market research agency, compromised information from multiple sources, including respondents to surveys for Heineken-sponsored events. Personal information such as gender, age, education, province, and email addresses were among the data leaked in the previous incident. Heineken, along with other affected entities, promptly notified individuals impacted by the breach and reported the incident to the relevant authorities, including the Dutch Data Protection Authority. As for the current claims by TA 888, this is an ongoing story and The Cyber Express will be closely monitoring the situation. We’ll update this post once we have more information on the alleged breach by 888 or any official confirmation regarding the authenticity or the denial of the intrusion. Media Disclaimer: The information presented on this website is sourced from various internal and external research. While we strive for accuracy, the information is provided for reference purposes only and is not independently verified..

The University of Hyderabad (UoH), a prominent academic institution in India, finds itself entangled in a cybersecurity challenge as a recent data breach seems to have affected the top management and students of the institution. Speaking to The Cyber Express, senior faculty members and top management expressed surprise over the University of Hyderabad data breach, which has left students worried over the repercussions. The university is situated in Telangana, a state in southern India and had recently achieved a prestigious ranking of being among the top 12 per cent of universities worldwide for international students.

Decoding University of Hyderabad Data Breach

The UoH data breach was first reported in the last week of May 2024. A Threat Actor (TA), who used the alias "nik20", shared a post on the data breach site BreachForums. The TA claimed to possess a database stolen from the university, allegedly in SQL format, a common database language used by many websites and applications.

What Was Leaked?

• User ID: A unique identifier assigned to each user within the UoH system.
• User Login: The username or credential used by users to access UoH online services.
• Hashed User Password: Passwords are typically stored in a hashed format, a one-way encryption process that makes it difficult, but not impossible, for attackers to decipher the original password.
• User Nickname: An optional field that users may choose to display instead of their full name.
• User Email Address: The primary email address associated with the user's account in the university. This is a critical piece of information often used for communication and account verification purposes.
• User URL: Potentially a link to a user's profile page or other online presence associated with the UoH account.
• User Registration Date: The date the user created their account within the UoH system.
• User Activation Key: A unique code used to verify a user's email address during the account registration process.
• User Status: An indicator of the user's account status, such as active, inactive, or suspended.
• Display Name: The name a user chooses to be displayed within the UoH system which may differ from their actual name.
• Access to spam and deleted messages’ folders of the users.

The TA shared that few of the users whose accounts were reportedly compromised included the UoH’s Admin, Public Relations Officer (PRO), UoH Herald-newsletter of the university and Vasuki Belavadi- a former dean and professor at the Department of Communications. The post by the TA also suggested that the database was originally dumped on BreachForums in March 2023. There is a possibility that “nik20” obtained the data from a previous breach that wasn't widely publicized or that the information is outdated.

University of Hyderabad Database Leak: University Puzzled but Promises Action

When The Cyber Express spoke to stakeholders at the university regarding the data breach, they initially expressed shock but later accepted the possibility of a breach owing to their previous experiences. A student named Balakrishna, who is currently pursuing PhD at the university, was apprehensive and shared that he was concerned over his research papers being compromised due to the data breach. However, Sanjay Kumar Sharma, Director, Computer Network Facility, UoH, who is responsible for all technology related undertakings at the institute, was confident that the breach was not alarming as sensitive data was not compromised. “Previously there was a similar hack in the School of Life Sciences. So there is a possibility of this data being breached too. However, I can assure you that the data that could be breached is not that sensitive since it could only contain research material from students, which is publicly available anyway,” he said. “We will be constantly checking what is happening. There have been many data breach attempts previously, and our security is such that the attempt was rendered disabled in the initial stages itself. I agree there could be deficiencies and we will keep improving. We will cross-check this data breach and alert all our users. We will not take it casually,” Sanjay added.

User Vigilance Can Help Avoid Cyber Incidents

While the University of Hyderabad investigates the situation, users outside can take cue from this breach and take a few healthy steps to protect themselves. This includes being wary of phishing attempts by hackers, monitoring suspicious links and keeping an eye out for any unusual activity on their accounts, such as unauthorized login attempts or changes to their profile information. They can also enhance their security measures by enabling Two-Factor Authentication (2FA) and change their passwords regularly.

Live Nation Entertainment has confirmed what everyone has been speculating on for the last week: Ticketmaster has suffered a data breach.

In a filing with the SEC, Live Nation said on May 20th it identified “unauthorized activity within a third-party cloud database environment containing Company data (primarily from its Ticketmaster L.L.C. subsidiary)” and launched an investigation.

The third party it refers to is likely Snowflake, a cloud company used by thousands of companies to store, manage, and analyze large volumes of data. Yesterday, May 31st, Snowflake said it had “recently observed and are investigating an increase in cyber threat activity” targeting some of its customers’ accounts. It didn’t mention which customers.

In the SEC filing, Live Nation also said:

On May 27, 2024, a criminal threat actor offered what it alleged to be Company user data for sale via the dark web. We are working to mitigate risk to our users and the Company, and have notified and are cooperating with law enforcement. As appropriate, we are also notifying regulatory authorities and users with respect to unauthorized access to personal information.

The user data likely refers to the sales ad for 560 million customers’ data that was posted online earlier this week by a group calling themselves ShinyHunters. The data was advertised for $500,000 and says it includes customer names, addresses, emails, credit card details, order information, and more.

Bleeping Computer says it spoke to ShinyHunters who said they already had interested buyers, and believed one of the buyers that approached them was Ticketmaster itself.

Ticketmaster says it has begun notifying its users of the breach. We are likely to hear more in the coming days, and will update you as we do.

For now, Ticketmaster users should keep an eye on their credit and bank accounts for an unauthorized transactions and follow our general data breach tips below.

Protecting yourself after a data breach

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

• Check the vendor’s advice. Every breach is different, so check with the vendor to find out what’s happened, and follow any specific advice they offer.
• Change your password. You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
• Enable two-factor authentication (2FA). If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
• Watch out for fake vendors. The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify the identity of anyone who contacts you using a different communication channel.
• Take your time. Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
• Consider not storing your card details. It’s definitely more convenient to get sites to remember your card details for you, but we highly recommend not storing that information on websites.
• Set up identity monitoring. Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after.

Scan for your exposed personal data

While the Ticketmaster data is yet to be published in full, it’s likely you’ve had other personal information exposed online in previous data breaches. You can check what personal information of yours has been exposed with our Digital Footprint portal. Just enter your email address (it’s best to submit the one you most frequently use) to our free Digital Footprint scan and we’ll give you a report.