Cyber security stories that will scare you into action
(Last updated on July 29, 2019)
We live in a scary world of cybercrime. In celebration of Cyber Security Awareness Month and Halloween (of course), we are sharing tales of security gone wrong. If you think American Horror Story is scary, try reading these!
The breach that affected nearly half the US
The Equifax breach in 2017 affected 147.9 million consumers, compromising personal information such as Social Security numbers, dispute documents, and credit card numbers. The breach was the result of negligence: Equifax had failed to patch a publicly known vulnerability for which a fix had been available for two months. Shortly after the breach went public, an independent IT security firm uncovered another problem, this time affecting operations in Argentina. An online employee tool used in the country could be accessed using “admin” as both the username and the password, granting access to customer data including national identity numbers.
A masterclass in how NOT to handle a security breach
A vulnerability in Panera Bread’s online ordering portal leaked customer records, by some estimates as many as 37 million, including names, usernames, email addresses and phone numbers. Security researcher Dylan Houlihan had reported the vulnerability to Panera Bread eight months before it became public. Panera Bread’s inaction led Houlihan to involve Brian Krebs, a cybercrime investigative reporter, who broke the news in a post on his site. Panera Bread responded by taking the site down for about an hour, claimed to have fixed the issue, and said that it affected only about 10,000 customers. However, Krebs found that the issue was not fully addressed: the same vulnerability existed in the company’s catering application. This one brings the Equifax story full circle, as Mike Gustavison, the Director of Information Security to whom Houlihan reported the issue, had worked at Equifax from 2009 to 2013.
Fitness apps came under fire for leaks
Hackers breached Under Armour’s MyFitnessPal app in late February, compromising the usernames, email addresses, and passwords of roughly 150 million users. The passwords were hashed, but Under Armour admitted that not all of them had been hashed with bcrypt, a slow, salted function designed for password storage; the rest were protected with SHA-1, a fast general-purpose hash that is far cheaper for an attacker to brute-force. This was not the only fitness app to disclose a breach this year. News broke a few months later that PumpUp, a fitness app, had left a backend server hosted on Amazon’s cloud exposed without a password, revealing health data and private messages of six million users. In some cases, even unencrypted credit card data, including card numbers, expiry dates and card verification values, was exposed.
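To see why the bcrypt versus SHA-1 distinction matters to anyone holding a leaked password database, here is an added example (written for this article, not code from Under Armour or MyFitnessPal). It simulates the attacker's side: a small constructed user table and wordlist, a weak store that keeps one unsalted SHA-1 per password, and a strong store with a random per-user salt and a deliberately slow key derivation. bcrypt is not in Python's standard library, so PBKDF2-HMAC-SHA256 from `hashlib` stands in for it; the property the article relies on, a salted and intentionally expensive hash, is the same. The user names, passwords and wordlist are made up for the demonstration.

```python
# Added example: cost of cracking unsalted SHA-1 vs a salted, slow password hash.
# PBKDF2-HMAC-SHA256 is used here as a stand-in for bcrypt (not in the stdlib);
# all users, passwords and wordlist entries are constructed sample data.
import hashlib
import hmac
import os

# Constructed sample data: three users, two of whom chose a password that
# appears in the attacker's (tiny) wordlist.
USERS = {
    "alice": "Summer2018!",
    "bob": "qwerty123",
    "carol": "correct horse battery staple",
}
WORDLIST = ["123456", "password", "qwerty123", "Summer2018!", "letmein"]

PBKDF2_ROUNDS = 100_000  # plays the same role as bcrypt's cost factor


def sha1_store(password):
    """Weak scheme: a single unsalted SHA-1 per password. Identical passwords
    produce identical hashes, and one precomputed table fits every user."""
    return hashlib.sha1(password.encode()).hexdigest()


def slow_store(password, salt=None):
    """Strong scheme: random 16-byte salt plus a slow KDF (bcrypt stand-in).
    Returns (salt, digest) so the salt is stored next to the hash."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def slow_verify(password, salt, digest):
    """Constant-time comparison of a candidate against a stored (salt, digest)."""
    _, candidate = slow_store(password, salt)
    return hmac.compare_digest(candidate, digest)


def crack_sha1(stored, wordlist):
    """Dictionary attack on unsalted SHA-1: hash each word ONCE, then look up
    every user's hash in the table. Returns (cracked users, hash computations);
    work is proportional to len(wordlist), regardless of how many users leaked."""
    table = {sha1_store(word): word for word in wordlist}
    cracked = {user: table[h] for user, h in stored.items() if h in table}
    return cracked, len(wordlist)


def crack_slow(stored, wordlist):
    """Same attack against salted, slow hashes: the per-user salt makes the
    shared table useless, so every (user, word) pair costs a full KDF run.
    Returns (cracked users, KDF computations)."""
    cracked, kdf_calls = {}, 0
    for user, (salt, digest) in stored.items():
        for word in wordlist:
            kdf_calls += 1
            if slow_verify(word, salt, digest):
                cracked[user] = word
                break
    return cracked, kdf_calls


def compare_schemes(users=USERS, wordlist=WORDLIST):
    """Build both stores from the sample users, attack each, and summarise."""
    weak = {user: sha1_store(pw) for user, pw in users.items()}
    strong = {user: slow_store(pw) for user, pw in users.items()}
    weak_cracked, sha1_calls = crack_sha1(weak, wordlist)
    strong_cracked, kdf_calls = crack_slow(strong, wordlist)
    return {
        "sha1_cracked": weak_cracked,
        "sha1_hash_calls": sha1_calls,       # 5: one per wordlist entry
        "slow_cracked": strong_cracked,      # same users fall, but ...
        "slow_kdf_calls": kdf_calls,         # 12: one slow run per (user, word) tried
        "rounds_per_kdf_call": PBKDF2_ROUNDS,
    }


if __name__ == "__main__":
    for key, value in compare_schemes().items():
        print(f"{key}: {value}")
```

The two attacks recover the same weak passwords, which is the point: a slow, salted hash does not rescue users who picked “qwerty123”. What it changes is the bill. Against unsalted SHA-1 the attacker hashes the wordlist once and checks all 150 million users against that table; against the salted store every user costs a separate pass over the wordlist, and each guess costs 100,000 iterations instead of one. Multiply that difference across a real wordlist and a real user table and it is the gap between cracking most of the database in hours and cracking only the worst passwords.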
The hack that exposed the weakness of SMS-based 2FA
In August this year, Reddit announced a breach that affected users who received its email digests between June 3 and June 17. The breach also affected historical user data: a 2007 database backup covering every user who created an account between 2005 and May 2007. The attacker gained access to backend systems by intercepting the SMS text messages that employees used for two-factor authentication. Usernames, email addresses and salted, hashed passwords were exposed. While Reddit did not disclose the exact number of accounts at risk, given that it is the third-most visited website in the United States, we can only imagine how severe the impact was. The lesson is not that 2FA is useless but that SMS is a weak second factor: a code sent over the phone network can be intercepted or redirected, which is why Reddit encouraged everyone to move to token-based 2FA instead.
Social media breaches that resulted in a breach of trust
2018 has been a rocky year for Facebook and Google+. Just as Facebook was scrambling to rebuild trust following the Cambridge Analytica scandal, its reputation took another blow. In September, Facebook announced that attackers had exploited a flaw to steal access tokens and take over the accounts of 50 million users, including Mark Zuckerberg’s. A month after the breach, we still don’t know who carried out the attack or what happened to the information they obtained.
Another social networking site had it worse: Google+ was hit so hard by its latest breach that it is shutting down for consumers. Google announced that the private profile data of up to 500,000 users may have been exposed to hundreds of external developers through a bug in one of its APIs. The information exposed in the Google+ incident includes full names, email addresses, birth dates, gender, profile photos, places lived, occupation, and relationship status. The bug was discovered and patched in March, but Google chose not to disclose it at the time. While Google is legally in the clear, since the incident did not meet any reporting thresholds, the decision raised eyebrows in the cyber security community.
Is your environment an unsecured haunted house?
If you do not want to become part of a security horror story, it is time to take action. A penetration test can identify vulnerabilities in your environment such as weak password policies, service and application flaws, misconfigurations, and risky user behaviours.