Search This Blog

Showing posts with label E-commerce Firm. Show all posts

Shopify Risking Customers Data by Employing Weak Password Policy

 

Specops Software, a password manager, and authentication solutions vendor published a new report this week disclosing that e-commerce giant, Shopify with more than 3.9 million live websites globally, employs weak password policies on the user-facing section of its website. 

To create a Shopify account, users only need to create a password that is at least five characters in length and that does not begin or end with a space. 

Threat analysts at Specops examined a list of a billion breached passwords and unearthed that nearly every (99.7%) of those passwords comply with Shopify's requirements. However, this does not mean that Shopify customers' passwords have been breached, in fact, it only highlights the threats linked with using weak passwords. 

Shopify headquartered in Ottawa, Ontario was founded in 2006 by Tobias Lütke, Daniel Wenand, and Scott Lake following the trio's failure to find a suitable off-the-shelf e-commerce platform for a planned snowboarding store, Snowdevil. 

Risk of using weak passwords 

According to security analysts at Specops, password attacks work because the majority of businesses require users to set short-length passwords. For example, starting with a common word, followed by a number and/or special character. The length of the password is also very defensive. 

Earlier this year, Hive Systems, a cybersecurity firm, analyzed the amount of time required to brute force crack passwords of multiple lengths and with different levels of complexity. The security analysts discovered that a five-character password can be easily breached, irrespective of complexity. Given the ease with which hackers can crack shorter passwords, organizations ideally require complex passwords that are at least 12 characters in length. 

Enterprises risking users’ data safety 

According to the survey conducted by identity management vendor Hitachi ID, nearly 46% of enterprises store corporate passwords in office documents like spreadsheets making them vulnerable to a significant cyber threat. Hitachi ID surveyed 100 executives across EMEA and North America to recognize better how secure their password management is. 

It suggests that businesses aren’t practicing what they preach because almost all (94%) participants asserted they need password monitoring training, with 63% claiming they do so more than once a year.

Enhancing IT security 

This, of course, raises the question of what businesses require to strengthen their overall password security. Perhaps the most critical recommendation would be to set a password requirement that is longer and more complex than what is currently used. Businesses can employ Windows operating systems containing account policy settings to control password length and complexity requirements.

Additionally, organizations can use Specops Password Policy to restrict users from designing passwords vulnerable to dictionary assaults by blocking commonly employed passwords. This might include using consecutive repeating characters (such as 99999) or replacing letters impersonating symbols (such as $ instead of s).

 New Mexico Jail went on Lockdown due to Cyberattack

 

The Metropolitan Detention Center (MDC) in Bernalillo County, New Mexico, went on lockdown five days after the new year. In the wake of a ransomware attack, an Albuquerque jail lost access to its video feeds and its automatic door mechanisms were rendered ineffective. As a result, inmates have been confined to their cells as technicians work to restore service. The jail's internet connection has been knocked out by a ransomware attack, putting most of their data systems, security cameras, and automatic doors inoperable. While MDC personnel worked to get everything back up and running, inmates were confined to their cells. 
 
"Most county buildings are closed to the public," officials said shortly after the incident in a statement. "However, given the circumstances, county personnel are working remotely and will assist the public as much as possible. County system vendors are notified, and are working to resolve the problem and restore system functionality." 

The Metropolitan Detention Center in the state lost access to some of its most important security technologies, such as camera feeds and automated jail doors. For obvious reasons, the county was compelled to lock down the whole jail, confining all of the inmates to the cells for the time being. 

Ransomware is becoming one of the most serious dangers to both commercial companies and government institutions around the world. As more official and commercial businesses are conducted online, ransomware attacks, in which a hacker steals data from the victim or takes control of a computer system until a ransom is paid, are becoming more widespread. 

A township spokeswoman, Tia Bland, said workers had some luck getting MDC cameras to work over the weekend. Officials at the facility expressed optimism that additional progress would be made on Monday. Beginning Monday at 8 a.m., public access to the county headquarters at Alvarado Square will be restricted. Following this, companies and organizations are under a lot of pressure to pay up not only to get the company's data unlocked but also to avoid enraged clientele and authorities who issue severe warnings about giving money to criminals.

Brazilian E-commerce Giant Hariexpress Leaks 1.75 billion Records

 

Cybersecurity researchers at SafetyDetectives uncovered that Brazilian marketplace integrator platform Hariexpress exposed nearly 1.8 billion records-worth of the private customer and seller data, after misconfiguring an Elasticsearch server. 

Earlier this year in June, SafetyDetectives researchers unearthed exposed data and were able to trace the leak back to Hariexpress. Hariexpress is a firm that allows vendors to manage and automate their activity across several marketplaces such as Facebook, Amazon, Magazine Luiza, and Mercado Livre.

According to researchers, the company’s Elasticsearch server was left unencrypted with no password protection in place. It contained 610GB of data, including users’ full names, home, and delivery addresses, contact numbers, and billing details including billing addresses. Also leaked were vendors’ full names, CPF numbers, billing details, contact numbers, email and business/home addresses, and CNPJ numbers (National Register of Brazilian business).

However, SafetyDetectives could not estimate the total number of victims due to the size of the trove and the potential for fake email addresses.

“A data breach of this magnitude could easily affect hundreds of thousands, if not millions of Brazilian Hariexpress users and e-commerce shoppers. Hariexpress’ leaked server’s content could also affect its own business,” SafetyDetectives stated. 

Additionally, it is not possible to know if another party has accessed the data, according to researchers. Experts have warned that datasets containing information that directly identifies customers in the marketplace integrated by the firm could be used in phishing and social engineering attacks. The report also includes the purchase of intimate products, so the exposed data includes residence and company addresses, blackmail, and other types of crimes such as robbery are possible. 

“We cannot know whether unethical hackers have discovered Hariexpress’ unsecured Elasticsearch server. Users, couriers, consumers, and Hariexpress itself should understand the risks they could face from this data breach,” researchers added. 

According to security experts, victims can cover up their damage because Brazil’s data protection law, the Lei Geral de Proteção de Dados (LGPD), apparently provide regulators the power to fine companies a maximum of 2% of the previous year’s revenue for violating the law, up to 50 million Brazilian reals ($10m). Due to the scale of the problem, Safety Detectives also recommends ecommerce users double their awareness of phishing attempts and particularly social engineering frauds.