Cyber Victor – a leading blog on cyber security

US telecommunications giant T-Mobile disclosed on its web site that it recently suffered a data breach on its e-mail vendor.

“Our Cybersecurity team recently identified and shut down a malicious attack against our email vendor that led to unauthorized access to certain T-Mobile employee email accounts, some of which contained account information for T-Mobile customers and employees.” reads the data breach notification.

According to T-Mobile, the information access may have included customer names, addresses, phone numbers, account numbers, rate plans and features, as well as billing information. The company stressed that customers’ financial information (such as credit card information) and Social Security numbers were not breached.

T-Mobile didn’t disclosed how many users were impacted by the data breach.

T-Mobile disclosed a similar security breach in November 2019, that according to the company impacted a small number of customers of its prepaid service.

Read more about it here.

A recent ZDnet exclusive revealed that personal information of 10.6 million guests who stayed at MGM Resorts hotels was stolen by hackers last summer and posted on a hacking forum last week.

The 10,683,188 records included full names, home addresses, phone numbers, emails, and dates of birth. The list of customers whose data were stolen includes tech CEOs and celebrities, such as Twitter CEO Jack Dorsey and pop star Justin Bieber.

In a statement made by MGM: “We are confident that no financial, payment card or password data was involved in this matter.” None of the guests stayed at the hotel past 2017.

In November 2018, the Marriott hotel chain announced that data of 500 million hotel guests was hacked in 2014.
The Marriott incident is the biggest data breach for the hospitality industry.

Read more about it here.

The FBI’s Internal Crime Complaint Center (IC3) has released its FBI 2019 Internet Crime Report. The report highlights Cybercrime trends in 2019.

“IC3 received 467,361 complaints in 2019 – an average of nearly 1,300 every day – and recorded more than $3.5 billion in losses to individual and business victims. The most frequently reported complaints were phishing and similar ploys, non-payment/non-delivery scams, and extortion.”

“While email is still a common entry point, frauds are also beginning on text messages—a crime called smishing—or even fake websites—a tactic called pharming.”

“You may get a text message that appears to be your bank asking you to verify information on your account.”

Business email compromise (BEC), or email account compromise, recorded 23,775 complaints in 2019, causing $1.7 billion in losses – about half of the total losses.

Read more about it here.

The city of Racine, Wisconsin, joined the long list of US municipalities that were hit with ransomware attack. On January 31, 2020, the city’s computer systems were infected by ransomware.

As of this writing, the city’s website, email and online payment collection systems are still offline. Residents who needed services were asked to come to City Hall.

Racine Mayor Cory Mason said that the city hasn’t received a specific ransom demand, and even if they did, they wouldn’t pay it.

Racine has a cyber-insurance policy, which should cover most of the expenses incurred restoring computer services.

Read more about it here.

Popular researcher Bob Diachenko found an unprotected database containing over 250 million customer support records, including some personally identifiable information. The unprotected database contained support requests submitted to Microsoft from 2005 to December 2019.

A post published by Microsoft on January 22, 2020 says: “Today, we concluded an investigation into a misconfiguration of an internal customer support database used for Microsoft support case analytics. While the investigation found no malicious use, and although most customers did not have personally identifiable information exposed, we want to be transparent about this incident with all customers and reassure them that we are taking it very seriously and holding ourselves accountable.”

Diachenko confirmed the presence of many records containing the following attributes:

• Customer email addresses
• IP addresses
• Locations
• Descriptions of CSS (Customer Service and Support) claims and cases
• Microsoft support agent emails
• Case numbers, resolutions, and remarks
• Internal notes marked as “confidential”

Most, but not all, personally identifiable information was redacted from the records.
Here is the timeline of the data breach:

• December 28, 2019: The databases were indexed by search engine BinaryEdge
• December 29, 2019: Diachenko discovered the databases and immediately notified Microsoft.
• December 30-31, 2019: Microsoft secured the servers and data. Diachenko and Microsoft continued the investigation and remediation process.
• January 21, 2020: Microsoft disclosed additional details about the exposure as a result of the investigation.

Read more about it here.

Mariah Carey’s Twitter account was hacked on New Year’s Eve. The attackers posted a series of offensive, racist and lewd tweets, including a personal insult against rapper Eminem.

The tweets began around 3 pm PST and continued throughout the day. It is not clear how the account was hacked. Access was regained later that evening. At 9:51 PM on December 31, 2019, the vocalist tweeted: “I take a freaking nap and this happens?”

Read more about it here.

The Wawa convenience store chain, with 850 stores along the US east coast, has been breached. Wawa disclosed that on December 10, 2019, a malicious code was found on its Point of Sale systems. Officials with the company, based in Wawa, Pennsylvania, believe the malware had been collecting card numbers, cardholder names and other data since as early as March 4, 2019. The malware was removed on December 12.

According to the Philadelphia Inquirer, at least six lawsuits seeking class-action status have been filed in federal court in Philadelphia. “The data breach was the inevitable result of Wawa’s inadequate data security measures and cavalier approach to data security”, said one suit.

Read more about it here.

Independent researchers, who requested to stay anonymous, compiled and shared with security firm NordPass a list of the 200 most popular passwords that were leaked in data breaches just in 2019. The database contains 500 millions leaked passwords.

“The most popular passwords contain all the obvious and easy to guess number combinations (12345, 111111, 123321), popular female names (Nicole, Jessica, Hannah), and just strings of letters forming a horizontal or vertical line on a QWERTY keyboard (asdfghjkl, qazwsx, 1qaz2wsx, etc.). Surprisingly, the most obvious one — “password” — remains very popular: 830,846 people still use it.”

Below are the recommendations provided by the experts:
1.Go over all the accounts you have and delete the ones you no longer use.
2.Update all your passwords and use unique, complex passwords to protect your accounts. Use a password generator.
3.Use 2 Factor Authentication if you can.
4.Set up a password manager.
5.Be vigilant for suspicious activities. If you notice something unusual, change your password immediately.

Read more about it here.

On Dec. 13, 2019, Facebook informed its employees that hard drives containing information about 29,000 of its workers’ payroll were stolen from a car.

The hard drives were unencrypted, and contained information on US employees of Facebook that worked in 2018, exposing their bank account numbers, employee names, the last four digits of their Social Security Numbers, their salaries, bonuses and equity details.

The theft took place on November 17, 2019, and Facebook discovered it on November 20.

The hard drives were left in the car by a member of Facebook’s payroll department. They were not supposed to leave the office.

Read more about it here.

British music streaming service Mixcloud disclosed that hackers gained access in early November 2019 to some of their systems. The hacker was able to access users data, including usernames, email addresses, SHA-2 hashed passwords, account sign-up dates, country from which the user signed up, last login date, IP addresses, and links to profile photos. The actual passwords were stolen, and the SHA-2 encrypted passwords are considered nearly impossible to unscramble.

Although Mixcloud hasn’t revealed the true scale of the attack, the alleged hacker told various news sources that the trove contained details of at least 20 million customers, and offered it for sale on the dark web for 0.5 Bitcoin (about $4,000).

Read more about it here.