InForce Cyber

Threat Report April 2021

The month of April was the month of the Data Leak attacks. Here are some topics to support this statement:

DigitalOcean admits data breach exposed customers’ billing details

DigitalOcean, the popular cloud-hosting provider, has told some of its customers that their billing details were exposed due to what it described as a “flaw.” In an email sent out to affected users, DigitalOcean explained that an unauthorised party had managed to exploit the flaw to gain access to billing information between April 9 and April 22, 2021      

British Prime Minister’s Cell Phone Number Exposed

A personal cell phone number belonging to the UK’s prime minister, Boris Johnson, has reportedly been publicly accessible online for fifteen years. Johnson’s number was listed on a think tank press release published on the internet back in 2006 when he was the Member of Parliament for the riverside town of Henley in Buckinghamshire. The security breach was first reported by the website Popbitch in a piece headlined ‘Hoping not to butt-dial Boris’. “It’s not as though the Prime Minister’s personal phone number could just be floating out there on the internet, is it?“ quipped the site. 

Credit Scores of Americans were Exposed Through Experian API

According to a researcher, almost every American’s credit score was leaked due to an API platform used by the Experian credit bureau that was left accessible on a lender’s website without even basic security safeguards. Experian, for its part, dismissed security experts’ fears that the problem could be structural.

‘Paleohacks’ Has Exposed the PII of 70,000 of Its Customers

The paleo diet online resource ‘Paleohacks’ has failed to secure its Amazon AWS S3 bucket properly, leaving the sensitive details of over 70,000 of its customers exposed online. The data ranges between 2015 and 2020, so it could be a backup – while the scope is global, as the platform has visitors from around the world.

Facebook will not notify more than 530m users exposed in 2019 breach

Facebook has not notified the more-than 530m users whose details were exposed on a hacker forum in 2019 and has no plans to do so, according to company representatives. Business Insider reported last week that phone numbers and other details from Facebook user profiles were available in a public database. The social media company acknowledged in a blogpost on Tuesday that “malicious actors” had obtained the data prior to September 2019 by “scraping” profiles using a vulnerability in the platform’s tool for syncing contacts. Facebook has said it plugged the hole after identifying the problem at the time. 

ParkMobile Breach Leaves 21M User Data Exposed

The account information of 21 million customers of ParkMobile, a very popular mobile parking app from North America, is now being sold online due to a data breach. The information includes customer email addresses, dates of birth, phone numbers, license plate numbers, hashed passwords, and mailing addresses.

 643GB of Customer Information Exposed in a Data Breach Suffered by Bizongo

The issue of data fraud has been on a rapid rise, as of late, and evidently so as data breaches are a matter of serious concern for data applications in all aspects of life. In recent days, few Indian start-ups have suffered several data violations. In the light of that, an alarming data violation within the packaging acquisition company Bizongo, a digital platform located in Mumbai, India, was discovered by the Website Planet Security Team. As just at end of December 2020, the team disclosed an incorrect bucket belonging to Bizongo that leaves highly confidential data potentially exposed to hackers and other unauthentic sources. Due to the complexity of the breach, more than a thousand organizations and hundreds of thousands of people could be affected. 

 ‘HelloMobile’ App Exposed User Data to Anyone Who Entered Their Number

The official ‘HelloMobile’ app named ‘My Mobile Account’ has been exposing since at least December 2020 various sensitive subscriber information to anyone who has their phone number and nothing else. Users have noticed this and repeatedly reported it to the company, but no action to fix the obvious lack of security was made. The only thing that someone would have to do to access a ‘HelloMobile’ subscriber information was to install the app on a device and enter the target’s number.

Data Breaches
Eventus Media International (Germany)
Zerforschung researchers discovered personal data of individuals tested at the company’s COVID-19 centres in Hamburg, Berlin, Leipzig and Schwerte. Leaked data included names, addresses, dates of birth, telephone numbers, email addresses, and test results.
The American Society for Clinical Pathology
The ASCP revealed that attackers targeted its e-commerce site. The attackers had access to the site on or between March 30th, 2020 and November 6th, 2020. The attackers may have had access to payment card information such as names, credit, or debit card numbers, CVV numbers, and more.
Clubhouse (US) 
An unidentified actor leaked 1.3 million scraped user records belonging to the communications platform Clubhouse on the dark web. The leaked SQL database contains names, Twitter and Instagram handles, URL to user photos, and more. The company stated that the leaked data is publicly available via the platform’s API.
Tata Communications (India)
An unidentified actor claims to have obtained a 50GB database belonging to the tech giant, containing customer login credentials and phone numbers, backups of employee emails, and more. OpIndia was informed that the data was obtained by compromising the subdomains of Route Mobile, the company’s server manager. Both companies deny having been hacked.