92 Million User Passwords Compromised From DNA Testing Site MyHeritage

  • MyHeritage, a genealogy and DNA testing site, disclosed that a security researcher found a file on the Internet containing email addresses and hashed passwords of at least 92 million users. It is really a head-scratcher to think that someone can just find a file with so much sensitive information sitting out there on the Internet.
  • MyHeritage stated that the researcher notified them on June 04, 2018, but the breach itself occurred on October 26, 2017. That time difference suggests that MyHeritage had no clue that the file was compromised, and it took an overt action for them to learn of the matter. This is an example of why many security experts are recommending the use of threat hunting as a valuable element of a strong cyber security program.
  • Although MyHeritage has not disclosed the specific form of password obfuscation, information on company blogs indicates that the company uses a hashing algorithm with a "salt" added. Put simply, hashing takes a plaintext password and runs it through a mathematical algorithm to make it "scrambled." There are some security problems with basic hashing, so "salting" adds an additional layer of "scrambling" to make the password even more difficult to crack.
  • MyHeritage originally encouraged users to change their passwords, but later decided to force all users to change their passwords. That is a wise move. All companies that have passwords compromised should immediately and automatically force all users to change passwords. Better yet, start forcing users to use two-factor authentication.
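To make the hashing and salting point concrete, here is an added example (not from the article or from MyHeritage, whose actual scheme is undisclosed). It uses constructed sample accounts to show why unsalted hashes can be cracked with one precomputed table, and how a per-user salt plus a slow key-derivation function (PBKDF2-HMAC-SHA256 here, chosen for this illustration) changes that.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample accounts; two users happen to share a password.
USERS = {"alice@example.com": "Summer2017!", "bob@example.com": "Summer2017!"}


def unsalted_sha256(password: str) -> str:
    """Plain hash: identical passwords always give identical digests."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def precomputed_lookup(leaked_digest: str, wordlist) -> Optional[str]:
    """With no salt, a digest->password table is built once and reused
    against every leaked record, so shared passwords fall together."""
    table = {unsalted_sha256(w): w for w in wordlist}
    return table.get(leaked_digest)


def make_record(password: str, salt: Optional[bytes] = None, iterations: int = 200_000) -> dict:
    """Store a random 16-byte salt with a PBKDF2-HMAC-SHA256 derived key.
    The salt makes each user's hash unique; the iteration count makes
    each guess expensive, so a single precomputed table no longer works."""
    salt = salt if salt is not None else os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt.hex(), "hash": key.hex(), "iterations": iterations}


def verify(password: str, record: dict) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    key = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(record["salt"]), record["iterations"]
    )
    return hmac.compare_digest(key.hex(), record["hash"])


def salted_records_differ(users: dict) -> bool:
    """True when two users with the same password get different stored hashes."""
    records = {u: make_record(p) for u, p in users.items()}
    hashes = [r["hash"] for r in records.values()]
    return len(set(hashes)) == len(hashes)
```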

Financial and Health Data Exposed Through Fitness App PumpUp

  • Fitness app PumpUp left data on a cloud-based server unsecured. This has been a common theme over the past year or more. Companies fail to understand that security in the cloud is their responsibility, not the cloud provider's.
  • The exposed data includes credit card numbers, private messages, and health data. The app also allows users to post photos to a PumpUp social network so that other users can encourage their progress. Wow, that is a very serious collection of sensitive data. Credit card numbers, well, okay, yawn, but the other data is really personal and sensitive.
  • The data was not password protected. So would that be "no-factor" authentication? That is extremely negligent.
  • PumpUp said that other than the researcher who uncovered the flaw, they are unaware of anyone else who has accessed the information. "Unaware" being the operative word here.

Bank details, TFNs, personal details of job applicants potentially compromised in major PageUp data breach

  • The personal details of thousands of Australians may have been compromised through the HR company PageUp. According to reports, PageUp contacted the Australian Cyber Security Centre for reporting and assistance. The ACSC stated that "malicious code was executed inside the system," without elaborating. My guess is SQL injection.
  • PageUp has around 2 million users in 190 countries, and its clients include many prominent Australian companies and organizations, among them Australia Post and the Reserve Bank of Australia. Compromised information may include bank account details, Tax File Numbers, driver's licence numbers, and more.
  • PageUp is cooperating with the Australian Cyber Security Centre and equivalent UK authorities. Many companies that use PageUp as part of their hiring process have stopped using PageUp.
  • This appears to be the first major breach since the Australian government introduced new data breach reporting rules in February. It could also end up being one of the largest data compromises in Australian history.

Hacker Stole 26 Million Email and Home Addresses of Ticketfly Users

  • Last week, a hacker took control of the ticket-distribution website Ticketfly, defaced its homepage, and stole customers' personal data. The hacker also posted some of the stolen information online and threatened to post more, but has yet to follow through on that threat. So far the compromised information appears to include passwords, home addresses, and phone numbers.
  • Motherboard shared some of the compromised data now made publicly available with Troy Hunt, founder of the Have I Been Pwned website, a site dedicated to informing users of data breaches. There is no good way to learn that your organization has been compromised, but finding your client data posted on sites such as Mr. Hunt's adds an additional layer of misery.
  • The attacker told Motherboard that he/she/they contacted Ticketfly and demanded a ransom of one Bitcoin to help them fix the flaw. So the attacker wanted the equivalent of about US$7,600 in exchange for helping Ticketfly fix the problem. As far as I know Ticketfly did not have a bug bounty program in place (retail sites rarely do), so this is extortion, pure and simple.
  • Ticketfly issued a statement that said, in part, “Last week we learned that Ticketfly.com was the target of a cyber incident. In consultation with leading third-party forensic and cybersecurity experts, we confirmed that some customer information has been compromised as part of the incident, including names, addresses, emails, and phone numbers of Ticketfly fans. We understand the importance our customers place on the privacy and security of their data and we deeply regret any unauthorized access to it. This is an ongoing investigation and we will continue to provide updates as appropriate.” Very, very typical corporate public statement language. In the aftermath, Ticketfly was offline for at least five days.