Search This Blog

Showing posts with label Customer Data. Show all posts

Information of European Hotel Chain’s Customers Discovered in Unprotected Server

A researcher has recently found an unprotected server storing the personal data of several Falkensteiner hotel chain clients in Europe. 

Falkensteiner, the Austria-based hotel chain has hotels that are spread across Central and Eastern Europe, including Austria, Italy, Croatia, Slovakia, Serbia, and the Czech Republic. 

The compromised data of Falkensteiner was apparently discovered by researcher Anurag Sen, from the cloud security company CloudDefense.AI. Sen most recently found a US government computer that was leaking private emails from the US military. 

In an analysis conducted by Sen, it was found that the exposed customer data was linked to Gustaffo, a firm providing IT solutions for the hospitality sector. 

The researcher claims that he alerted Falkensteiner and Gustaffo, but neither one of them responded. Sen informed the company, but shortly thereafter he found that the server was protected. 

According to Sen, before it was taken offline, the compromised Elasticsearch server hosted more than 11 GB of data. In the exposed database, he discovered more than 102,000 records with full names, contact information (phone and email), and booking information. 

The researcher has shown his discontent with how the impacted companies have addressed the issue. “They haven’t responded to his emails and haven’t notified customers about the data breach,” he says. 

Gustaffo, however, claims that after learning about the leak from another researcher, they actually secured the server. The Austria-based company, which does have a responsible disclosure procedure, informed that its analysis revealed the problem was contained to a single system and that only about 13,000 individuals' personal information was compromised. 

Gustaffo representatives further explain that many of the records are probably duplicates, taking into account that the company does not store data of more than 13,000 customers. 

The company adds that it has taken every necessary measure and performed security updates to its system and is in contact with the government authorities to help handle the situation. 

Moreover, while no initial statement was provided by Falkensteiner, the company has recently addressed the issue and said, “we have been informed about a possible weakness in the database access systems at one of our subcontractors. FMTG takes the security of our customer’s data very seriously. Therefore, we are looking closely into this issue and cooperating with the subcontractor to improve their IT systems. We also informed the relevant data protection authority.”  

 Digital Resignation is Initial Stage of Safeguarding Privacy Online


Several internet businesses gather and use our personal information in exchange for access to their digital goods and services. With the use of that data, they can forecast and affect our behavior in the future. Recommendation algorithms, targeted marketing, and individualized experiences are examples of this type of surveillance capitalism.

Many customers are unhappy with these methods, especially after knowing how their data is obtained, despite tech companies' claims that these personalized experiences and advantages improve the user's experience.

Digital resignation refers to the circumstance in which users of digital services continue to do so while being aware that the businesses providing those services are violating their privacy by conducting extensive monitoring, manipulating them, or otherwise negatively affecting their well-being.

The Cambridge Analytica scandal and Edward Snowden's disclosures about widespread government spying shed light on data-collecting techniques, but they also leave individuals feeling helpless and accustomed to the idea that their data will be taken and exploited without their express agreement. Digital resignation is what we call this.

Acknowledging and improving these tactics is the responsibility of both policymakers and businesses. Dealing with data gathering and use alone will not result in corporate accountability for privacy issues.

Our daily lives are completely surrounded by technology. But it's impossible to obtain informed consent when the average person lacks the motivation or expertise necessary to understand confusing terms and conditions rules.

However, the European Union passed regulations that acknowledge these destructive market dynamics and have begun to hold platforms and internet giants accountable. 

With the passage of Law 25, Québec has updated its privacy rules. The purpose of the law is to give people more protection and control over their personal information. It grants individuals the right to seek the transfer of their personal data to another system, its correction or deletion (the right to be forgotten), as well as the right to notice before an automated decision is made.

Additionally, it mandates that businesses designate a privacy officer and committee and carry out privacy impact analyses for any project involving personal data. Also, it is necessary to gain explicit agreement and to communicate terms and rules clearly and transparently. 

Major Experian Security Vulnerability Exploited, Attackers Access Customer Credit Reports


As per experts, the website of consumer credit reporting giant Experian comprised a major privacy vulnerability that allowed hackers to obtain customer credit reports with just a little identity data and a small change to the address displayed in the URL bar. 

Jenya Kushnir, a cybersecurity researcher, discovered the vulnerability on Telegram after monitoring hackers selling stolen reports and collaborated with KrebsOnSecurity to investigate it further. The concept was straightforward: if you had the victim's name, address, birthday, and Social Security number (all of which could be obtained from a previous incident), you could go to one of the websites offering free credit reports and submit the information to request one.

The website would then redirect you to the Experian website, where you would be asked to provide more personally identifiable information, such as questions about previous addresses of living and such.
And this is where the flaw can be exploited. 

There is no need to answer any of those questions; simply change the address displayed in the URL bar from "/acr/oow/" to "/acr/report," and you will be presented with the report. While testing the concept, Krebs discovered that changing the address first redirects to "/acr/OcwError," but changing it again worked: "Experian's website then displayed my entire credit file," according to the report.

The good news (if it can be called that) is that Experian's reports are riddled with errors. In the case of Krebs, it contained a number of phone numbers, only one of which was previously owned by the author.

Experian has remained silent on the matter, but the issue appears to have been resolved in the meantime. It's unknownfor how long the flaw was active on the site or how many fraudulent reports were generated during that time.

FCC Wants Telecom Companies to Notify Data Breaches More Quickly


The Federal Communications Commission of the United States intends to improve federal law enforcement and modernise breach notification needs for telecommunications firms so that customers are notified of security breaches as soon as possible.

The FCC's proposals (first made public in January 2022) call for getting rid of the current requirement that telecoms wait seven days before notifying customers of a data breach. 

Additionally, the Commission wants telecommunications providers to notify the FBI, Secret Service, and FCC of any significant breaches. 

According to FCC Chairwoman Jessica Rosenworcel, "We propose to eliminate the antiquated seven business day mandatory waiting period before notifying customers, require the reporting of accidental but harmful data breaches, and ensure that the agency is informed of major data breaches.

In a separate press release, the FCC stated that it was considering "clarifying its rules to require consumer notification by carriers of inadvertent breaches and to require notification of all reportable breaches to the FCC, FBI, and U.S. Secret Service." 

In 2007, the Commission passed the first regulation mandating that telecoms and interconnected VoIP service providers notify federal law enforcement agencies and their clients of data breaches. 

The severity of recent telecom hacks demonstrates the need for an update to the FCC's data breach rules to bring them into compliance with federal and state data breach laws governing other industries. For instance, Comcast Xfinity customers reported in December that their accounts had been compromised as a result of widespread attacks that avoided two-factor authentication.

Verizon informed its prepaid customers in October that their accounts had been compromised and that SIM swapping attacks had used the exposed credit card information.

According to reports, T-Mobile has also experienced at least seven breaches since 2018. The most recent one was made public after Lapsus$ hackers broke into the business' internal systems and stole confidential T-Mobile source code.

Finally, in order to end an FCC investigation into three separate data breaches that affected hundreds of thousands of customers, AT&T paid $25 million in April 2016.

"The law requires carriers to protect sensitive consumer information but, given the increase in frequency, sophistication, and scale of data leaks, we must update our rules to protect consumers and strengthen reporting requirements," Rosenworcel stated. "To better protect consumers, boost security, and lessen the impact of future breaches, this new proceeding will take a much-needed, fresh look at our data breach reporting rules."

Hackers Had Internal Access for 4 Days

Password management solution LastPass has confirmed that the company was hacked and the hackers had access to its development system for four days. The company stated in a blog post that nearly two weeks back, it detected some “unusual activity” in portions of its “LastPass development environment”, and immediately carried out an investigation for the same. 

As per the company’s reports, the hackers likely gained access to some of its source code through “a single compromised developer account”. The hackers were able to compromise a company developer’s endpoint to gain access to the Development environment, impersonating the developer after he “authenticated using multi-factor authentication,” which allowed them to get hold of some of the source code and “some proprietary LastPass technical information”. However, the company claims that no user data was compromised during the action.  

The company states that all of its “products and services are operating normally.” The Investigation for the hack is still ongoing and the company states that it has “implemented additional enhanced security measures.” 

LastPass CEO Karim Toubba stated that “There is no evidence of any threat actor activity beyond the established timeline [...] there is no evidence that this incident involved any access to customer data or encrypted password vaults”. 

The company restated that despite the unauthorized access, the hacker did not succeed in getting hold of any sensitive user data owing to system design and zero trust access (ZTA) is put in place to avert such incidents in the future. 

ZTA includes complete segregation of the Development and Production environment and the company’s own inability to access any of its customer’s password vaults without the master password set by the customers. “Without the master password, it is not possible for anyone other than the owner of a vault data,” the CEO stated. 

Lastly, LastPass also mentioned that it has restored to the services of a leading cybersecurity firm to enhance its source code safety practices and will ensure its system’s security, deploying additional endpoint security guardrails in both Development and Production environments to better detect and prevent any attack aiming at its systems.

Russian Hackers Employ Malicious Traffic Direction Systems to Spread Malware

Researchers have discovered possible linkages among a subscription-based crimeware-as-a-service (Caas) solution as well as a cracked copy of Cobalt Strike according to what they presume is being offered as a tool for customers to stage post-exploitation operations. 

Prometheus is an open-source activity monitoring and warning system for cloud applications that are based on metrics. Nearly 800 cloud-native companies, namely Uber, Slack, Robinhood, as well as others, employ it. 

Prometheus offers convenient observation of a system's state along with hardware and software metrics like memory use, network utilization, and software-specific defined metrics by scraping real-time information from numerous endpoints (ex. number of failed login attempts to a web application).

Prometheus has an understood policy of omitting built-in support for security features like authentication and encryption because the numeric metrics it collects are not deemed sensitive data. This allows the company to focus on creating monitoring-related services. It's being advertised on Russian underground forums as a traffic direction system (TDS) which allows bulk phishing redirection to rogue landing pages, designed to deliver malware payloads on targeted computers for $250 per month. 

"A system of a malicious technology, malicious email circulation, illicit folders across authorized platforms, traffic diversion, and the capacity to deliver infected files are the significant elements of Prometheus," the BlackBerry Research and Intelligence Team stated in a report. 

The redirection comes from one of two places: malicious advertisements on normal websites, or websites that have been tampered with to install harmful code. The attack network begins with a spam email that contains an HTML file or a Google Docs page; when opened, it redirects the victim to a compromised website that hosts a PHP backdoor fingerprint smudges the machine to determine whether to serve the victim with malware or redirect the user to another page that may contain a phishing scam.

While TDS's aren't a novel concept, the level of sophistication, support, and cheap financial cost lend validity to the hypothesis that this is a trend that will likely emerge in the threat environment in the near future, the researchers wrote.

In addition to enabling these techniques, it is strongly advised for anyone with a Prometheus implementation to query the previously listed endpoints to see if sensitive data was exposed before the identification and TLS functionalities in Prometheus were implemented. Service was Seized Because it was Used by Criminals to Spread Ransomware


Following a coordinated worldwide police investigation, a VPN service used by criminals to spread ransomware, malware, and facilitate other forms of cybercrime has been knocked offline. The 15 servers used by the service have been seized or disrupted as part of a combined operation by Europol, Germany's Hanover Police Department, the FBI, the UK's National Crime Agency (NCA), and others. 

According to Europol, was founded in 2008 and provides services based on OpenVPN technology and 2048-bit encryption to give online anonymity for as little as $60 per year. The service also offered a double VPN, with servers located in a variety of countries. "This made a popular choice for cybercriminals, who could use its services to carry on committing their crimes without fear of detection by authorities," the agency said. 

According to Europol, several investigations have revealed criminals using the service to enable illegal operations such as virus dissemination. Other incidents demonstrated the service's usage in the setup of infrastructure and communications for ransomware operations, as well as the actual deployment of malware. Cybercriminals also utilized the site to spread malware while evading authorities — but now that the servers have been seized, law enforcement is reviewing customer data in an attempt to identify cybercriminals and victims of cyberattacks.

The domain presently shows a warning telling visitors that the domain has been seized by legal enforcement. According to the statement, authorities obtained consumer data held on confiscated servers, and an inquiry has been initiated. Europol has not revealed which types of malware and ransomware were distributed using the VPN provider. As a consequence of the investigation, more than 100 organizations have been identified as being vulnerable to cyberattacks, and law enforcement is collaborating with them to mitigate any possible compromise. 

"The actions carried out under this investigation make clear that criminals are running out of ways to hide their tracks online," said Edvardas Šileris, head of Europol's European Cybercrime Centre (EC3). "Each investigation we undertake informs the next, and the information gained on potential victims means we may have pre-empted several serious cyberattacks and data breaches," he added. 

On January 17, 2022, authorities from Germany, the Netherlands, Canada, the Czech Republic, France, Hungary, Latvia, Ukraine, the United States, and the United Kingdom joined forces to disrupt VPNLab, with assistance from Europol.

FinTech Company Struck by Log4j Says "No" to Paying the Ransom


ONUS, one of the largest Vietnamese crypto trading platforms, was recently hit by a cyberattack. Hackers aimed for the company's payment system, which was running a vulnerable version of Log4j. 

Following the cyberattack, extortion began, with hackers apparently blackmailing the company into paying a $5 million ransom, or user data would be made public. According to BleepingComputer, the corporation refused to pay, and as a result, information of about nearly 2 million ONUS users showed up for sale on forums. 

Around December 9, a Proof of Concept (POC) exploit for the well-known and presently making headlines Log4j vulnerability, CVE-2021-44228, appeared on Github. Threat actors have spotted a chance to substantially exploit it since then. ONUS's Cyclos server, which used a vulnerable version of Log4Shell, was one of their targets. 

Between December 11 and December 13, the hackers were able to successfully exploit it. They also installed backdoors to increase the access's power. On December 13, a Cyclos alert apparently informed ONUS that its systems needed to be fixed; nevertheless, even if the Cyclos instance was patched, it appeared to be a late response. Threat actors had plenty of time to steal important data. According to BleepingComputer, the databases held nearly 2 million customer records, including E-KYC (Know Your Customer) information, hashed passwords, and personal information. It's worth noting that the Log4Shell flaw was discovered on a sandbox server used "for programming purposes only." 

However, hackers were able to get access to other storage sites, such as Amazon S3 buckets, where production data was stored, due to a system misconfiguration. The threat actors reportedly demanded a $5 million ransom from ONUS, which the business refused and instead decided to inform customers about the cyberattack through a closed Facebook group. 

Chien Tran, the CEO from ONUS declared that “As a company that puts safety first, we are committed to providing our customers with transparency and integrity in business operations. (…) That is why, after careful consideration, the right thing we need to do now is to inform the entire ONUS community about this incident.” 

According to an ONUS announcement on the subject, hackers were able to obtain the following consumer data from the fintech firm: 
• Name, phone number, and email address; 
• Address; 
• KYC data (procedures used by Fintech enterprises to get identification documents and customers’ proofs along with “video selfie” for an automated check); 
• Encrypted history; 
• Transaction history; 
• Other encrypted data. 

The Misconfiguration in the Amazon S3 Buckets 

Besides Log4j, which facilitated an entry for the threat actors, there was another issue too with ONUS’ Amazon S3 buckets linked to improper access control. CyStack started an investigation on the incident and published their report with details about the cyberattack and the backdoor the hackers managed to plant on the impacted system.

“During monitoring, CyStack – ONUS’s security partner, detected and reported a cyberattack on ONUS system to us. The hacker took advantage of a vulnerability in a set of libraries on the ONUS system to get into the sandbox server (for programming purposes only). However, due to a configuration problem, this server contains information that gave bad guys access to our data storage system (Amazon S3) and stole some essential data.” 

“Also on these servers, ONUS had a script to periodically back up the database to S3 which contained the database hostname and username/password as well as backup SQL files. As a consequence, the attackers could access the ONUS database to get user information. (…) To facilitate access, the attackers downloaded and ran a backdoor on the server. This backdoor was named kworker for the purpose of disguising as the Linux operating system’s kworker service. (…) The kworker backdoor obtained was written in Golang 1.17.2 and built for Linux x64. It was used as a tunnel connecting the C&C server and the compromised server via SSH protocol (a wise way to avoid detection!).” 

According to BleepingComputer, because the organisation declined to pay the requisite ransom to hackers, customer data was for sale on a data breach marketplace by December 25. Hackers claim to have 395 copies of the ONUS database tables, which contain personal information and hashed passwords. 

CyStack advised ONUS to fix Log4j, deactivate any exposed AWS credentials, and properly configure AWS access rights, as well as the recommendation that public access to crucial S3 buckets be blocked. Users should upgrade to the current Log4j version 2.17.1 as soon as possible. ONUS also stated that none of its assets was harmed and that the company's team has been working with security specialists to identify and address flaws. 

The company's asset management and storage system, ONUS Custody, was also improved. In the case of a property loss, the firm must ensure that the ONUS Protection Fund would take care of the problem.

McMenamins Struck by Ransomware Attack, Employee Data at Risk


McMenamins, a Portland hotel and brewpub chain, was struck by a ransomware attack on Wednesday that may have stolen employees' personal information, but no customer payment information seems to have been compromised. 

The ransomware attack was discovered and stopped on December 12, according to McMenamins. The company stated it alerted the FBI and contacted a cybersecurity firm to figure out where the attack came from and how extensive it was. 

Employee data such as names, residences, dates of birth, Social Security numbers, direct deposit bank account information, and benefits records may have been acquired, according to the firm in a news release, but "it is not currently known whether that is the case." 

"To provide employees with peace of mind, McMenamins will be offering employees identity and credit protection services, as well as a dedicated helpline through Experian," the company stated. "A payment processing service manages the collection of such information. Further, this information is not stored on company computer systems impacted by the attack."  

Many operational systems have been taken offline, including credit card scanners, necessitating temporary alterations in payment procedures at some McMenamins sites. There is "no indication" that consumer payment data has been hacked, according to the firm. 

The co-owner, Brian McMenamin stated, “What makes this breach especially disheartening is that it further adds to the strain and hardship our employees have been through in the past two years.” 

“We ask that our customers give our employees extra grace as we make temporary adjustments in the way we process transactions and reservations, given the impacts to our systems by this breach.” 

The company stated that it is unclear when the problem would be rectified and systems restored. There are a few things firms can do to assist mitigate these attacks, according to Kerry Tomlinson, a cyber news reporter with Ampere News. 

"As a business, you need to have backups," Tomlinson said. "If ransomware hits and they're demanding ransom for you to get your files back, you can say thanks a lot but I already have backups." 

"It will happen more and more and it's only going to get bigger. If you're not paying attention now, you need to pay attention." 

Employees should be especially cautious to help prevent cyber assaults, according to Tomlinson, by avoiding questionable emails, setting unique passwords for each website visited, and adding a multi-factor authentication process to offer an extra layer of security. It is worth noting that despite the breach, all McMenamins locations are open.

Panasonic Suffers Data Breach After Network Hack


Panasonic, a Japanese multinational giant, revealed a security breach this month after unidentified threat actors got access to computers on its network. 

The company stated in a press release issued Friday, "Panasonic Corporation has confirmed that its network was illegally accessed by a third party on November 11, 2021. As the result of an internal investigation, it was determined that some data on a file server had been accessed during the intrusion." 

Panasonic has reported the issue to the appropriate authorities and has taken steps to restrict external servers from accessing its network. The Japanese electronics behemoth has also recruited a third party to examine the attack, which Panasonic described as a "leak" in a press release, and determine whether any of the data acquired during the hack included customer personal information. 

"In addition to conducting its own investigation, Panasonic is currently working with a specialist third-party organization to investigate the leak and determine if the breach involved customers' personal information and/or sensitive information related to social infrastructure," the company added. 

When approached by BleepingComputer, a Panasonic official was not immediately available for comment. 

"Panasonic would like to express its sincerest apologies for any concern or inconvenience resulting from this incident", said the organization. 

In June, Panasonic servers were reportedly hacked

While the press statement does not include many specifics about the attack timeframe, Japanese media sites such as Mainichi and NHK stated that the attackers gained access to Panasonic's systems between June and November, as originally reported by The Record. 

Furthermore, they acquired access to critical customer and customer and employee data until Panasonic discovered the illicit activity on November 11. The attack on Panasonic's server is the latest in a lengthy line of instances affecting Japanese corporations in recent years. 

Security incidents and, in some circumstances, data breaches have also been reported by Kawasaki, NEC, Mitsubishi Electric, and defence contractors Kobe Steel and Pasco.

Amazon's Twitch Blames Server Error for Massive Data Leak


Twitch disclosed a massive data breach on Wednesday, attributing it to an "error in a Twitch server configuration change" that exposed certain data to the internet. 

The purportedly stolen material includes the source code for Amazon's streaming platform, reports on creator payments, and information regarding an unannounced Steam competitor from Amazon Game Studios. Twitch acknowledged the incident in a tweet on Wednesday. The firm will provide further information in a blog post later, stating that it is still trying to determine the entire scope of the event. 

The company wrote, "We have learned that some data was exposed to the internet due to an error in a Twitch server configuration change that was subsequently accessed by a malicious third party." 

"Our teams are working with urgency to investigate the incident." 

Twitch said there's no indication that login credentials were exposed. The streaming platform also said, "full credit card numbers are not stored by Twitch, so full credit card numbers were not exposed." 

Twitch's brief statement demonstrates that the company is in full crisis mode. IT professionals and security specialists are still attempting to determine the severity of the data breach. The attack was caused by a "server configuration" issue, according to the explanation. In other words, someone misconfigured the computers that contain Twitch's sensitive data, allowing hackers to discover and download it. 

The organization has not yet stated when this error occurred. Some of the stolen data dates back three years, so the computers might have been a victim for a while - or the error could have just left the door open for a few days or weeks. Attackers are always searching and analyzing the internet for open databases, and someone may likely have informed hackers about the internal IT mistake. 

Making these types of blunders, however, is costly, especially when the target is as large as Twitch. Numerous streamers informed BBC News that the payment data was correct for their own earnings and this poses issues for the firm. Candid Wuest from cyber-security company Acronis stated, "A lot more damage is now in store for Twitch. The breach is already harming Twitch on all the fronts that count." 

The leaked data "could contain nearly the full digital footprint of Twitch, making it one of the most severe data breaches of late." "Releasing payout reports for streaming clients will not make the influencers happy either," Mr. Wuest added. 

The download released online is also labeled "part one," implying that there may be more data to be published on the internet.

Elastic Stack API Security Vulnerability Exposes Customer and System Data


The mis-implementation of Elastic Stack, a collection of open-source products that employ APIs for crucial data aggregation, search, and analytics capabilities, has resulted in severe vulnerabilities, according to a new analysis. Researchers from Salt Security uncovered flaws that allowed them to not only conduct attacks in which any user could extract critical customer and system data, but also to create a denial of service condition in which the system would become inaccessible. 

“Our latest API security research underscores how prevalent and potentially dangerous API vulnerabilities are. Elastic Stack is widely used and secure, but Salt Labs observed the same architectural design mistakes in almost every environment that uses it,” said Roey Eliyahu, co-founder and CEO, Salt Security. “The Elastic Stack API vulnerability can lead to the exposure of sensitive data that can be used to perpetuate serious fraud and abuse, creating substantial business risk.” 

The vulnerability was originally detected while safeguarding one of their customers, a huge online business-to-consumer platform that provides API-based mobile applications and software as a service to millions of consumers around the world, according to the researchers. 

 Officials at Salt Security were eager to point out that this isn't a flaw in Elastic Stack itself, but rather a problem with how it's being deployed. According to Salt Security's technical evangelist Michael Isbitski, the vulnerability isn't due to a fault in Elastic's software, but rather to "a common risky implementation set up by users." 

"The lack of awareness around potential misconfigurations, mis-implementations, and cluster exposures is largely a community issue that can be solved only through research and education," Isbitski said. API threats have increased 348% in the last six months, according to the Salt Security State of API Security Report, Q3 2021. The development of business-critical APIs, combined with the advent of exploitable vulnerabilities, reveals the substantial security flaws that occur from the integration of third-party apps and services.

The impact of the Elastic Stack design implementation flaws rises considerably when an attacker chains together multiple attacks, according to Salt Labs researchers. Attackers can use the lack of authorization between front-end and back-end services to establish a working user account with basic permission levels, then make educated assumptions about the schema of back-end data stores and inquire for data they aren't authorized to access. 

Salt Labs was able to gain access to a large amount of sensitive data, including account numbers and transaction confirmation numbers, as part of its research. Some of the sensitive information was also private and subject to GDPR regulations. Attackers could use this information to access other API-based features, such as the ability to book new services or cancel existing ones.

Thailand's Data on 106 Million Visitors has been Breached


After uncovering an unsecured database collecting the personal information of millions of tourists to Thailand, a British cybersecurity researcher unexpectedly stumbled upon his own personal data online. An unencrypted Elasticsearch server was discovered by Bob Diachenko, a cybersecurity researcher and security leader at Camparitech, exposing the personal data of approximately 106 million international passengers to Thailand. The data was accessible online in an unsecured database, allowing anyone to access it. 

Threat actors are constantly on the lookout for unprotected servers. There is no proof of how long the database was exposed before Diachenko's disclosure in this case. A honeypot, on the other hand, was set up to monitor hacker intrusions.

 “Notably, the IP address of the database is still public, but the database itself has been replaced with a honeypot. Anyone who attempts access at that address now receives the message: This is honeypot, all access were logged,” Diachenko added. 

A honeypot is a security tool that detects or prevents unauthorized network and information system breaches. The organization set up a honeypot to see how quickly hackers would attack an Elasticsearch server using a dummy database and fake data. From May 11 until May 22, 2020, Comparitech left the data exposed. It discovered 175 attacks in just eight hours after the service went live, with a total of 22 attacks in a single day. 

After he reported the problem to Thai authorities, the database was safeguarded. According to Diachenko, every visitor who visited Thailand in the last ten years may have had their personal information exposed as a result of the event. Over 200GB of user data was stored in the database. Date of arrival in Thailand, full name, sex, passport number, residency status, visa type, and Thai arrival card number were among the data disclosed. 

“Any foreigner who traveled to Thailand in the last decade or so probably has a record in the database. There are many people who would prefer their travel history and residency status not be publicized, so for them there are obvious privacy issues. None of the information exposed poses a direct financial threat to the majority of data subjects,” Diachenko stated. 

“No financial or contact information was included. Although passport numbers are unique to individuals, they are assigned sequentially and are not particularly sensitive,” Diachenko added.

McDonald’s Password for the Monopoly VIP Database Leaked


The fast-food chain McDonald's mistakenly sent out emails with login credentials associated with a database for its Monopoly VIP game. 

McDonald's UK had to postpone the famous Monopoly VIP game for a year due to the COVID -19 pandemic. This year, on August 25th, McDonald's reintroduced the game. 

McDonald's Monopoly is a well-known marketing gimmick in which customers can win gifts and money by entering codes found on purchases. Basically, every time a person purchases a meal from a McDonald's restaurant, they have a chance to win a gift. 

Unfortunately, the game encountered a roadblock over the weekend when a bug resulted in prize redemption emails sent to prize winners, including the user names and passwords for the production and staging database servers. 

Troy Hunt released an unredacted screenshot of an exception fault in an email issued to prize winners with BleepingComputer, which includes critical information for the online application. 

The redacted email sent to a Monopoly VIP winner contained hostnames for Azure SQL databases and the databases' login names and passwords. The prize winner who shared the email with Troy Hunt stated that the production server was firewalled off but that the staging server could be accessed using the attached credentials. 

The person informed Troy Hunt in an email published with BleepingComputer, "I tried to connect to production to gauge the severity of the issue and whether or not getting in touch was an urgent matter but luckily for them they had a set of firewall rules setup. I did however gain access to staging, which I disconnected from immediately for obvious reasons." 

Since these files may have contained winning prize codes, an unethical individual might have obtained unused game codes and exploited them to claim the rewards. 

Luckily for McDonald's, the individual appropriately reported the problem to them. While they did not receive a reply but later discovered that the staging server's password had been changed. 

Though this was not a unique incident, as several people claimed to have seen the credentials and even went so far as to record their experience on TikTok. 

McDonald's notified BleepingComputer that just the staging server's credentials were compromised, while the error clearly stated that the credentials of both a production and staging server were leaked.

In a statement, McDonald's told BleepingComputer, "Due to an administrative error, a small number of customers received details for a staging website by email. No personal details were compromised or shared with other parties." 

"Those affected will be contacted to reassure them that this was a human error and that their information remains safe. We take data privacy very seriously and apologize for any undue concern this error has caused.”

Hackers Target American Retail Businesses, FINRA Scolds Brokerage Firms


Besides the American corporations facing threats from overwhelming cyberattacks, American retail businesses are also struggling to fight against the rise of hackers hacking into their accounts and investments. FINRA (Financial Industry Regulatory Authority), the market's self-regulatory body, in a recent notice said that it received several complaints related to customer accounts being hacked. The incident involved attackers using stolen customer information like login credentials to hack into online customers' brokerage accounts. 

According to Market Watch "Ari Jacoby, chief executive and co-founder of cybersecurity firm Deduce, backed up this statement with data showing that account-takeover fraud increased by roughly 250% from 2019 to 2020. He told that account-takeover prevention is a $15 billion market that is “growing significantly year-over-year.“ FINRA finds two factors that might be responsible for the surge in account takeover incidents. 

First is an increase in the use of online services and brokerage apps, that allows hackers to break into user accounts using login I'd and passwords that they buy from Darkweb. It becomes very easy for hackers to find the login credentials of the customers as many users use the same password combinations for multiple accounts. The second aspect is the Covid-19 factor. "Customer account-takeovers have been a recurring issue, but reports to FINRA about such attacks have increased as more firms offer online accounts, and as more investors conduct transactions in these accounts. In part due to the proliferation of mobile devices and applications and the reduced accessibility of firm’s physical locations due to the COVID-19 pandemic," reports FINRA. 

The Security and Exchange Commission is also keeping an eye on this incident and is pressing hard on brokerage firms for not keeping a check on suspicious activities. Market Watch says "But most individual investors don’t have to wait for the SEC or FINRA to come to their rescue, because this sort of criminal activity is largely enabled by a lack of vigilance on the part of victims, including requesting that their broker send them suspicious login alerts and using two-factor authentication, according to Jacoby."

Furniture Village Hit by a Week-Long Cyber Attack


Customers have been left 'with nothing to sit on' and unable to pay while waiting for sofas, beds, and tables as a result of a week-long cyber-attack on Furniture Village. The Slough-based store revealed yesterday that it had been the 'subject of a cybersecurity attack,' but that 'to the best of its knowledge,' no customer data had been disclosed. 

Internal systems are momentarily down, according to the company's website, although orders are still being taken online and in stores. The problem was discovered six days ago, on May 29, when Furniture Village said that its systems were experiencing technical difficulties and that its phone lines had been disconnected. 

Customers have been complaining on social media for over a week about not being able to get refunds or contact customer service, as well as delays or cancellations in delivery. The company confessed in a tweet that deliveries are taking longer than normal since its 'warehouses are currently operating manually.' 

In a statement released yesterday, Furniture Village said: "Frustratingly, our company was recently the target of a cybersecurity attack, however, by immediately implementing security protocols, including shutting down the affected systems, we were able to restrict the scope of the attack. Thankfully, to the best of our knowledge, no personal data has been lost or compromised." 

"We're working around the clock to restore all system-related functions of the business as soon as it’s safe to do so. The business remains healthy, and our teams are focused on supporting our customers, resorting to manual processes where necessary," the company added. 

The precise nature of the attack is unknown at this time, however, some industry experts suspect the retailer was the victim of a ransomware campaign. No formal confirmation has been given as to whether or not law enforcement agencies have been alerted. 

The National Crime Agency of the United Kingdom released its 2021 National Strategic Assessment last week, claiming that criminals are using technological advancements to fuel "serious and organised crime." Ransomware assaults have "grown in frequency and impact," according to the report.

"It is estimated 50 percent of all ransomware attacks included a threat to publish stolen data and over the last year there were £3bn of estimated fraud losses for UK individuals and businesses, but an accurate figure is constrained by significant under-reporting," it said.

Researchers Flag Serious Authentication Bypass Vulnerability After Pega Infinity Hotfix Released


After security researchers discovered a flaw in the Pega Infinity enterprise software platform, users are being advised to upgrade their installations. 

CVE-2021-27651 is a critical-risk vulnerability in Pega's Infinity program versions 8.2.1 to 8.5.2, according to the research team of Sam Curry, Justin Rhinehart, Brett Buerhaus, and Maik Robert. 

The proof-of-concept shows how an intruder can circumvent Pega Infinity's password reset system. Via administrator-only remote code execution, assailants could then use the reset account to “fully compromise” the Pega case. It includes modifying complex pages or templating. The researchers collaborated with the developer Pegasystems, to construct a hot patch. According to the vendor, customers running the program on-premises should check if their version is affected and apply the relevant hot patch. 

With over 2,000 users, Pega Infinity is a common enterprise software suite. Customer service and sales automation, an AI-driven ‘customer decision hub,' workforce intelligence, and a ‘no-code' development platform are all included in the kit. The Pega Infinity vulnerability was discovered as a result of the security researchers' involvement in Apple's bug bounty program. 

“We’d been hacking on Apple's bug bounty program for about six months and had spent a lot of time on software produced by Apple themselves,” UK-based hacker Sam Curry told The Daily Swig. 

“After reading a blog post from two amazing researchers, we agreed to take a different approach and target vendors [supplying technology to Apple].”Curry has written about his experiences with Apple's bug bounty program in the past. 

Burp Suite was used by the researchers to find the password reset flaw in Pega Infinity. According to Curry, this allows for a complete compromise of any Pega instance with "no prerequisite information." Justin Rhinehart also developed a Nuclei template for determining whether or not the software is running Pega Infinity. 

“Pega's customers are from every sector and at the time of reporting some of the customers included the FBI, US Air Force, Apple, American Express, and a few other huge names.” 

Curry states that Pega was able to collaborate with the researchers to patch the flaw, although they needed time for customers using Infinity on-premises to upgrade their installations. Curry mentioned that the procedure took more than three months.

Amazon Fake Reviews Scam Exposed in Data Breach

The identities of over 200,000 people who appear to be participating in Amazon fraudulent product review schemes have been exposed by an open database. 

There is an ongoing struggle between the e-commerce giant and shady traders all over the world who want to hamstring rivals and gain an advantage by creating fake product feedback. The ways in which they function and remain under Amazon's radar differ, but an open ElasticSearch server has revealed some of their inner workings. 

Researchers from Safety Detectives reported on Thursday that the server, which was open to the public and accessible online, held 7GB of data and over 13 million documents appeared to be connected to a widespread fake review scam. It is unknown who owns the server, but due to messages written in Chinese that were leaked during the incident, there are indications that the company might be based in China. 

The database includes the user names, email addresses, PayPal addresses, links to Amazon accounts, and both WhatsApp and Telegram numbers, which also included records of direct messages between consumers willing to provide false reviews and traders willing to pay them. The leak may implicate "more than 200,000 people in unethical activities," according to the team. 

The database, as well as the messages it included, exposed the strategies used by suspicious sellers. One approach involves sending a customer a connection to the goods or products for which they want 5-star ratings, and the customer then makes a purchase. After a few days, the customer leaves a positive review and sends a message to the vendor, which will result in payment via PayPal — which could be a 'refund,' while the item is kept for free. It's more difficult to spot fraudulent, paid reviews because refund payments are held off the Amazon website. 

On March 1, an open ElasticSearch server was discovered, but the owner could not be identified. On March 6, however, the leak was detected and the server was secured. 

"The server could be owned by a third-party that reaches out to potential reviewers on behalf of the vendors [or] the server could also be owned by a large company with several subsidiaries, which would explain the presence of multiple vendors," the researchers speculated. "What's clear is that whoever owns the server could be subject to punishments from consumer protection laws, and whoever is paying for these fake reviews may face sanctions for breaking Amazon's terms of service." 

Vendors are not allowed to review their own goods or receive a "cash incentive, discount, free products, or other compensation" in exchange for positive reviews, according to Amazon's spokesperson and review policy which includes third-party organizations. However, since Amazon is such a popular online marketplace, it's likely that some vendors will continue to try to take advantage of review systems in order to increase their profits. 

"We want Amazon customers to shop with confidence, trusting that the reviews they read are genuine and appropriate," a spokesperson for the company said. "We have clear policies for both reviewers and selling partners that forbid the misuse of our community features, and we suspend, ban, and taint people who break them," states the company.

Hackers Target Rogers With a New SMS Phishing Campaign


Rogers Communications Inc. is advising Canadians to be wary of SMS phishing scams that promise to refund consumers for a system outage that occurred earlier last week. Users were unable to use cellular voice and data networks after the network experienced a nationwide blackout a week ago. Threat actors are also sending fraudulent text messages to recipients, instructing them to click on a link to receive a rebate. 

An SMS circulated on social media falsely reports that “R0GERS WIRELESS INC.” (spelled with a zero instead of an O) is providing a $50 credit to anyone who clicks on a link provided.

Rogers Communications Inc. is a communications and publishing corporation based in Canada. With substantial additional telecommunications and mass media infrastructure, it mainly functions in the areas of cellular broadcasting, cable television, telephony, and Internet connectivity. Rogers' offices are located in Toronto and Ontario. While the business dates back to 1925, when Edward S. Rogers Sr. formed Rogers Vacuum Tube Company to market battery less radios, the current venture dates back to 1960, when Ted Rogers and a partner purchased the CHFI-FM radio station, and then became part-owners of a consortium that created the CFTO television station.

Rogers replied that it never sends credit alerts via text message and advises anyone who receives one to ignore the embedded link. Furthermore, the credit amount will vary based on the cellular plan and will not include a registration link, according to the company. 

According to Ericsson, the 16-hour wireless system blackout on April 19th was triggered by a software update that caused devices to be disconnected from the network. A message from Rogers CTO Jorge Fernandes to customers the next day said, "We have addressed the software issue and our engineering and technical teams will continue to work around the clock with the Ericsson team to restore full services for our customers." 

The links in these texts all point to websites that are hosted on an IP address rather than a domain name. It's unclear what information was phished because the pages have all been taken offline, but it's definitely Rogers customers' personal and account information. 

Rogers is aware of the scam and has advised users to "forward the content of the SMS to 7726 (SPAM), to register it for investigation/blocking from the network," according to a tweet from the company.

Hotbit Shut Down all Services After a Cyberattack


After an alleged cyberattack on Thursday, cryptocurrency trading site Hotbit has shut down all of its services. A note on the platform's website reads, “Hotbit just suffered a serious cyber-attack starting around 08:00 PM UTC, April 29, 2021, which led to the paralysation of a number of some basic services.”   

While the hackers were unable to obtain access to Hotbit's wallets, they were able to penetrate the platform's user database. Customers should ignore all contact from people pretending to be members of the exchange, according to the Hotbit team. Hotbit has reported that pending trading orders are cancelled to avoid damages when all regular activities are suspended during the ongoing maintenance. During the upkeep, the exchange also agreed to cover all damages incurred by exchange-traded funds listed on its website.

Before restoring servers and facilities, the exchange is looking for any evidence of computer tampering that may have contaminated any of the frequently backed up data. Due to the time required to review backup data before beginning the system restoration process, customers were advised that the investigation and recovery process could take anything from 7 to 14 days. 

The attackers have obtained access to plain text customer information (phone number, email address, and asset data) contained in Hotbit's servers, according to the company. Despite the fact that customers' passwords and 2FA keys were secured, the exchange advised consumers to update their passwords on all other web sites where they used the same credentials. 

Alex Zhou, Hotbit's chief security officer, told users on the exchange's Telegram group that customer funds were unaffected by the attack, saying: “The attacker tried to break into the wallet server to steal funds but the action was identified and blocked successfully by Hotbit risk control system. All users’ funds are safe. At the same time, Hotbit is in the process of transferring all funds in hot wallet to cold wallet, the details of the whole integration could be seen on the chain,” he said. 

Multiple token outflows from one of Hotbit's established wallets to another address that currently holds around $14 million in many altcoins, according to data from Ethereum transaction tracking platform Etherscan.

According to comments on social media and in the platform's Telegram forum, the length of time provided for the maintenance is causing considerable unrest among Hotbit users.