Data Breaches - W/E - 071318
About 340 Million Records Leaked Thanks to Data Broker Exactis (07/06/2018)
Wired has reported that security researcher Vinny Troia found an exposed database containing about 340 million individual records. The haul, which belonged to data broker Exactis, was found on a publicly available server and contained data on American adults as well as businesses. Payment information doesn't appear to be exposed, but the records contain highly personal data including phone numbers, email addresses, and the number, age, and gender of the person's children. Troia said, "It seems like this is a database with pretty much every US citizen in it... I don't know where the data is coming from, but it's one of the most comprehensive collections I've ever seen."
Adidas Discloses Its US Shopping Site Has Been Breached (07/10/2018)
Adidas customers using the sportswear company's US Web site may have had their data compromised. The Wall Street Journal reported this incident on June 28, two days after the German company said that it first learned of the breach. It is not clear how many individuals were affected or what the timeframe is for this breach, but Adidas said that a "few million" customers using the US shopping site may be affected.
Data Breach at Macy's Went Undetected for Nearly Two Months (07/10/2018)
In a letter mailed to customers, retailer Macy's has warned that a data breach occurred between April 26 and June 12, the Detroit Free Press has reported. During this period, a third party used valid usernames and passwords to access customer accounts. The third party obtained the information from a source that was not Macy's. The suspicious activity was first discovered on June 11. It is not known how many customers have been affected.
DOJ Says It Erred in Connecting ID Fraud Case to 2015 Data Breach (07/10/2018)
The Justice Department (DOJ), which previously said that data a Maryland woman obtained from the 2015 Office of Personnel Management (OPM) breach was used to steal identities, has backtracked on that June 18 statement. In a letter to Senator Mark R. Warner, Assistant Attorney General Stephen E. Boyd wrote that an investigation "has not determined how their identity information used in this case was obtained and whether it can, in fact, be sourced directly to the data OPM breach. Because the victims in this case had other things in common in terms of employment and location, it is possible that their data came from another source." The June 18 press release claimed that Karvia Cross had pled guilty in a scheme related to using stolen personal data that had resulted from the OPM breach.
Ticketmaster Data Breach Reaches Other Companies Thanks to Magecart Attacks (07/11/2018)
A data breach that hit Ticketmaster was revealed on June 27 and blamed on a third-party supplier named Inbenta. Ticketmaster has claimed that less than 5% of its global customer base had been affected. However, researchers at RiskIQ have stated that this breach was part of a larger scheme that involved digital credit card skimming and hit over 800 ecommerce sites worldwide. Magecart is the cybercriminal gang behind this scheme, which uses scripts injected into Web sites to steal data entered into online payment forms on ecommerce sites. Hackers placed one of these digital skimmers on Ticketmaster Web sites through the compromise of Inbenta.
Timehop Reports Data Breach Affecting 21 Million Users (07/10/2018)
Timehop experienced a network intrusion that led to a breach of some data, according to a statement issued by the company. The incident was detected on July 4 when a cyber attack took place, but in its preliminary investigation, Timehop said that an unauthorized third party used an administrator's credentials to log into the company's cloud computing provider on December 19, 2017. This unauthorized user created a new administrative user account and conducted reconnaissance activities on four separate occasions. Twenty-one million Timehop users have had their personal data compromised as a result.