Woolworths discloses data breach of MyDeal online marketplace

Australian retail giant Woolworths disclosed a data breach that impacted 2.2 million MyDeal customers. In September 2022, Woolworths purchased 80% of MyDeal.

According to the company, a threat actor leveraged a user’s compromised credentials to access the MyDeal customer relationship management (CRM) system.

This gave the attacker access to MyDeal customer data, including name, email address, phone number, delivery address and, in some cases, date of birth. Woolworths said 1.2 million of the impacted customers only had their email address compromised. Payment, driver's license, and passport details were not accessed, because MyDeal does not store this information. In addition, no customer account passwords were accessed.

Woolworths itself was not impacted by the security breach.

Read more about it here.

Toyota discloses data leak of 300,000 customers’ personal information

Japanese giant Toyota Motor Corporation disclosed in a statement that nearly 300,000 customers may have had their personal data leaked after a third party mistakenly uploaded part of the T-Connect source code to a GitHub account in December 2017 while the repository was set to public. The source code contained the access key to a data server that stored customer email addresses and management numbers. This made it possible for an unauthorized third party to access the details of 296,019 customers between December 2017 and September 15, 2022, when access to the GitHub repository was restricted.

T-Connect is an app developed by the company that allows car owners to control the vehicle's infotainment system and monitor access to the vehicle.

The silver lining to the data leak is that customer names, phone numbers, credit cards, etc., were not exposed. With no additional personal information about the user, threat actors cannot tailor their social engineering efforts while carrying out phishing attacks, making them a bit less severe.

Read more about it here.

Telstra Telecom has been breached

Telstra Telecom, Australia's largest telecommunication company, reported on October 4, 2022, that it was the victim of a data breach through a third party. This occurred nearly two weeks after its main rival, Optus, reported a data breach of its own. In total, the first names, last names and email addresses of 30,000 Telstra employees and former employees have been leaked on a hacking forum.

"There has been no breach of Telstra's systems. And no customer account data was involved," Narelle Devine, the company's Chief Information Security Officer for the Asia Pacific region, said in a statement.

Read more about it here.

American Airlines has been breached by a phishing attack

American Airlines has recently suffered a data breach. Threat actors compromised a limited number of employee Microsoft 365 email accounts, and as a result gained access to sensitive customer and employee personal information. The information included names, email addresses, passport numbers, date of birth, driver’s license numbers, mailing addresses, phone numbers, and certain medical information.

The company filed a data breach notification letter with Montana's State Attorney General's Office on September 16, 2022, disclosing that the breach was discovered in July, approximately two months earlier. The notification reads: "In July 2022 we discovered that an unauthorized actor compromised the email accounts of a limited number of American Airlines team members. Upon discovery of the incident, we secured the applicable email accounts and engaged a third party cybersecurity forensic firm to conduct a forensic investigation to determine the nature and the scope of the incident. Our investigation determined that certain personal information was in the email accounts. We conducted a full eDiscovery exercise and determined some of your personal information may have been contained in the accessed email accounts. We have no evidence to suggest that your personal information was misused."

The company did not disclose how many customers were impacted by the data breach.

American Airlines employs about 123,000 employees, and makes about 6,800 daily flights to 350 destinations in over 50 countries. It is the world’s largest airline when measured by fleet size, scheduled passengers carried, and revenue per passenger mile.

Read more about it here.

InterContinental Hotels Group has been breached

InterContinental Hotels Group PLC (IHG) disclosed on September 9, 2022 that it had been breached: parts of its technology systems had been subject to unauthorized activity. The attack significantly disrupted IHG's booking channels and other applications, which suggests that the company may have been hit by a ransomware attack. The attack also impacted third-party sites, such as Expedia and Booking.com.

IHG operates 17 brands, including Regent, InterContinental, Crowne Plaza and Holiday Inn.

Read more about it here.

TikTok denies data breach following leak of user data and source code

The hacking group AgainstTheWest recently published a post on the Breach Forums message board, claiming to have hacked TikTok and stolen source code and user data. The group published screenshots of the allegedly stolen data and claims to have had access to an Alibaba cloud instance containing data for both TikTok and WeChat users. The group claims to hold 2.05 billion records in a massive 790GB database containing user data, platform statistics, software code, cookies, auth tokens, server info, and more.

TikTok has told Bleeping Computer that the claims of the company being hacked are false: “This is an incorrect claim — our security team investigated this statement and determined that the code in question is completely unrelated to TikTok’s backend source code, which has never been merged with WeChat data.” TikTok further said: “We have confirmed that the data samples in question are all publicly accessible and are not due to any compromise of TikTok systems, networks, or databases. We do not believe users need to take any proactive actions, and we remain committed to the safety and security of our global community.”

Popular data breach hunter Bob Diachenko and his team analyzed the publicly exposed data and confirmed its authenticity, and noted that the data’s source was Hangzhou Julun Network Technology Co., Ltd and not TikTok.

Troy Hunt, a regional director at Microsoft and the creator of the Have I Been Pwned tool, called the hackers’ data “inconclusive,” but added that “it could be non-production or test data” that likely wasn’t taken through a data breach.

Read more about it here.

Google blocked the largest HTTPS DDoS attack ever

Google announced it has fended off the largest ever HTTPS-based Distributed Denial of Service (DDoS) attack, which peaked at 46 million requests per second. According to Google, the DDoS attack was quickly detected and stopped at the edge of Google’s network, and the customer that was attacked was not impacted.

On June 1, 2022, starting 9:45 AM PDT, a Google Cloud Armor customer was targeted with a series of HTTPS DDoS attacks which peaked at 46 million requests per second. To give a sense of the scale of the attack, that is like receiving all the daily requests to Wikipedia (one of the top 10 trafficked websites in the world) in just 10 seconds.

Cloud Armor Adaptive Protection was able to detect and analyze the traffic early in the attack lifecycle. Cloud Armor alerted the customer with a recommended protective rule, which was then deployed before the attack ramped up to its full magnitude. Cloud Armor blocked the attack, ensuring the customer's service stayed online and continued serving its end users.

“There were 5,256 source IPs from 132 countries contributing to the attack. Approximately 22% (1,169) of the source IPs corresponded to Tor exit nodes.”

The attack lasted 69 minutes, ending at 10:54 AM PDT.

Read more about it here.

Attackers abuse open redirects in Snapchat and Amex web sites in phishing attacks

Attackers abused open redirects on the websites of Snapchat and American Express in a series of phishing attacks to steal Microsoft 365, FedEx and DocuSign credentials.

An open redirect occurs when a website accepts a URL as input and sends the visitor on to it without validating that input, allowing attackers to redirect victims to malicious sites. Victims trust the link because the first domain name in the manipulated link is a trusted domain, such as American Express or Snapchat. An example of such a URL is https://safe.com/redirect?url=https://malicious.com.

"The trusted domain (e.g., American Express, Snapchat) acts as a temporary landing page before the surfer is redirected to a malicious site," says a post published in August 2022 by INKY.

During a two-and-a-half-month period, INKY engineers detected the snapchat[.]com open redirect vulnerability in 6,812 phishing emails originating from various hijacked accounts.

Open Bug Bounty reported the Snapchat vulnerability to the company on Aug. 4, 2021. However, it remains unpatched.

American Express quickly fixed the issue in late July 2022.

When examining links, surfers should keep an eye out for URLs that include, for example, “url=”, “redirect=”, “external-link”, or “proxy”. These strings might indicate that a trusted domain could redirect to another site.

Website owners should allow redirects only back to their own website.
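As an added example (not code from the original post or from INKY), the following implements the server-side check the preceding sentences describe, plus a triage helper that flags links whose redirect-style parameter points off-site; safe.com and malicious.com are the text's own placeholder names, and the parameter list is the one given above.

```python
from typing import Optional
from urllib.parse import parse_qs, urlsplit

SITE_HOST = "safe.com"  # the redirecting site from the text's example (constructed)
# Parameter names the text above lists as signs that a link may redirect elsewhere.
REDIRECT_PARAMS = {"url", "redirect", "external-link", "proxy"}


def safe_redirect_target(target: str, site_host: str = SITE_HOST) -> str:
    """Return `target` if it stays on site_host, otherwise the site root "/".

    Only two shapes are accepted: a path beginning with a single "/", or an
    https URL whose hostname is exactly site_host.
    """
    fallback = "/"
    if not isinstance(target, str) or not target.strip():
        return fallback
    target = target.strip()
    # Browsers treat "\" like "/", so "/\evil.com" becomes "//evil.com";
    # control characters can likewise smuggle a scheme past naive checks.
    if "\\" in target or any(ord(ch) < 0x20 for ch in target):
        return fallback
    parts = urlsplit(target)
    if parts.scheme or parts.netloc:
        # Absolute or protocol-relative ("//host") URL: compare the parsed
        # hostname, which ignores userinfo tricks such as safe.com@evil.com
        # and rejects look-alikes such as safe.com.evil.com.
        if parts.scheme != "https" or (parts.hostname or "") != site_host:
            return fallback
    elif not target.startswith("/"):
        return fallback  # a bare "evil.com" is rejected as well; keep it strict
    return target


def external_redirect_hint(link: str) -> Optional[str]:
    """For a link such as the one in the text, report the external host that a
    redirect-style parameter points to, or None when it stays on the link's
    own host. Useful when triaging URLs from reported phishing mail."""
    parts = urlsplit(link)
    own_host = parts.hostname or ""
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        if name.lower() not in REDIRECT_PARAMS:
            continue
        for value in values:
            inner_host = urlsplit(value).hostname or ""
            if inner_host and inner_host != own_host:
                return inner_host
    return None
```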

Read more about it here.

US FCC warns of the rise of robotext scams

The US Federal Communications Commission (FCC) warned Americans of the rising threat of robotext (smishing) attacks.

“Substantial increases in consumer complaints to the FCC, reports by non-government robocall and robotext blocking services, and anecdotal and news reporting make it clear that text messages are increasingly being used by scammers to target American consumers”, reads the alert.

Scam text message senders want you to engage with them. Like robocallers, a robotexter may use fear and anxiety to get you to interact. Texts may include false-but-believable claims about unpaid bills, package delivery snafus, bank account problems, or law enforcement actions against you.

Some scammers may be after your money, but others may simply be trying to collect personal information or confirm that a number is active for use in future scams. Do not respond or click on any links in the message.

Some independent reports estimate billions of robotexts each month.

What you should do to protect yourself:

  • Do not respond to suspicious texts, even if the message requests that you “text STOP” to end messages.
  • Do not click on any links.
  • Do not provide any information via text or website.
  • File a complaint.
  • Forward unwanted texts to SPAM (7726).
  • Delete all suspicious texts.
  • Update your smart device OS and security apps.
  • Consider installing anti-malware software.
  • Review companies’ policies regarding opting out of text alerts and selling/sharing your information.
  • Review text blocking tools in your mobile phone settings, available third-party apps, and your mobile phone carrier’s offerings.

Read more about it here.

5.4 million Twitter accounts available for sale online

Social media site Twitter has suffered a data breach of over 5.4 million accounts, whose data is now for sale on a hacking forum. The hacker, who goes by the alias 'devil', claimed in a post on Breach Forums that the stolen dataset includes email addresses and phone numbers from "Celebrities, to Companies, randoms, OGs, etc." 'OGs' refers to desirable Twitter handles, either short ones or ones that are a desirable word.

On January 1, 2022, a report was made on HackerOne of a vulnerability that allowed an attacker to acquire the phone number and the email address associated with Twitter accounts, even if the user had hidden these fields in their privacy settings.

"The vulnerability allows any party without any authentication to obtain a Twitter ID (which is almost equal to getting the username of an account) of any user by submitting a phone number/email even though the user has prohibited this action in the privacy settings. The bug exists due to the process of authorization used in the Android Client of Twitter, specifically in the process of checking the duplication of a Twitter account," reads the description in the report submitted by zhirinovskiy.

"This is a serious threat, as people can not only find users who have restricted the ability to be found by email/phone number, but any attacker with a basic knowledge of scripting/coding can enumerate a big chunk of the Twitter user base unavailable to enumeration prior (create a database with phone/email to username connections). Such bases can be sold to malicious parties for advertising purposes, or for the purposes of targeting celebrities in different malicious activities."

Five days after the report was posted, Twitter acknowledged it to be a "valid security issue". After further investigating the issue, Twitter fixed the vulnerability and awarded zhirinovskiy a $5,040 bounty.

A threat actor is now selling the data acquired through this vulnerability for at least $30,000. It is being offered on Breach Forums, the same forum on which 23 terabytes of data leaked from 1 billion Chinese citizens was posted.

Read more about it here.