(Un)safe digest: default passwords, personal data and salaries for phishers

We continue to collect “classic” and non-trivial information security incidents reported by foreign and Russian media in January. Today’s issue is star-studded: the UN, Russian Railways, Nissan and Vodafone.

Abroad

Factory-default checkpoint

What happened: Internal development materials of Japanese automakers Nissan and Infiniti ended up in the public domain. The dump included the source code of Nissan’s mobile applications, market research tools, customer acquisition and retention systems, and critical components of diagnostic systems. The confidential information was actively circulated through hacker forums and Telegram channels.

Who is guilty: The attackers’ entry point was an exposed Git server on which the sysadmins had not bothered to change the factory login and password: admin / admin. The automaker has confirmed the leak and is investigating the incident. The full consequences of the employees’ sloppiness have yet to be established.

Leak on repeat

What happened: Data from over 11 million Instagram accounts, 66 million LinkedIn profiles and 81 million Facebook accounts leaked onto the Internet. The compromised data, including users’ phone numbers and email addresses, totalled 408 GB.

Who is guilty: The leak was caused by the Chinese company Socialarks, which specializes in managing content for social networks. Its specialists left an Elasticsearch server unprotected: it had neither encryption nor even a password.

This isn’t the first time Socialarks has been caught out this way. Last summer, in the same manner, the Chinese company exposed the data of 150 million users of the same social networks.
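The Socialarks case is the textbook “open Elasticsearch” failure: the HTTP API bound to a public interface with security switched off, so anyone who can reach port 9200 can read and dump every index. The configuration below is an added illustration, not Socialarks’ actual config or anything from the original post; it shows a weak elasticsearch.yml next to a hardened one, using the standard X-Pack settings of Elasticsearch 7.x. The cluster name and certificate paths are placeholders.

```yaml
# --- Weak configuration (constructed illustration of the setup described above) ---
# Security disabled and the node bound to every interface: the REST API on 9200
# answers any unauthenticated request, and the traffic is plain HTTP.
cluster.name: example-cluster        # placeholder
network.host: 0.0.0.0
http.port: 9200
xpack.security.enabled: false
---
# --- Hardened configuration ---
# Authentication is required for every request, and both the REST API and
# inter-node transport are wrapped in TLS. Certificate paths are placeholders
# relative to the Elasticsearch config directory.
cluster.name: example-cluster        # placeholder
network.host: 0.0.0.0                # still reachable, but only with credentials over TLS
http.port: 9200
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: certs/elastic-certificates.p12   # placeholder
xpack.security.transport.ssl.truststore.path: certs/elastic-certificates.p12 # placeholder
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: certs/http.p12                         # placeholder
```

Enabling `xpack.security.enabled` alone is not enough: the built-in users have no usable passwords until they are set (in 7.x with `bin/elasticsearch-setup-passwords interactive`), and a node still reachable from the Internet should additionally sit behind a firewall or reverse proxy that limits who can reach 9200 at all. A quick self-check is an unauthenticated `curl` to the node from outside the network: if it returns the cluster banner or index listing instead of a 401, the server is in the same state as the one in this story.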

Energy surcharge

What happened: British electricity supplier People’s Energy admitted that it had exposed the details of all its current customers and many of those who had previously dealt with the company. A “third party” obtained customers’ names, addresses, phone numbers, dates of birth, email addresses and People’s Energy account numbers, as well as tariff information and the identification numbers of their gas and electricity meters. In a small number of cases (0.1%), customers’ financial data were also compromised. The company sent these victims detailed instructions on how to avert possible harmful consequences.

Who is guilty: According to People’s Energy, the incident was caused by “an unfortunate coincidence.” An external firm specializing in cybersecurity and data loss protection was hired to investigate the details. For the near future the company recommended that its customers not follow links in suspicious emails (including ones purporting to come from People’s Energy itself) and not respond to messages and calls from unknown numbers. Nevertheless, users are assured that there is no need to block their accounts, since the passwords for personal accounts have not been compromised.

International “abandonment”

What happened: Data on UN environmental protection projects and information on 100 thousand employees of the organization were discovered in the public domain.

Who is guilty: UN officials left a number of abandoned subdomains unattended, including on ilo.org, where user credentials were stored unprotected. With these credentials it was possible to log into a database holding information about 102 thousand UN employees, the projects they took part in, the dates and purposes of their business trips, grants, etc. Fortunately, the first to reach the data were not criminals but pentesters from Sakura Samurai, as part of a vulnerability check initiated by the UN itself.

Italian Job

What happened: Hackers stole the data of 2.5 million subscribers of Italian mobile operator Ho Mobile, owned by Vodafone. The leak was discovered before New Year, when the database was put up for auction on the darknet.

Who is guilty: The cause of the leak is described as a cyberattack, but details are not disclosed; the case is being investigated by law enforcement. The operator has apologized to the victims and offered everyone a free SIM card reissue. Admittedly, this is unlikely to solve subscribers’ problems, because in addition to phone numbers the hackers obtained their personal data: full names, dates of birth and nationality, home addresses and social insurance numbers.

Million dollar newbie

What happened: The US Department of Justice fined ticket service Ticketmaster $10 million for industrial espionage. The company had repeatedly tried to obtain data from competitor CrowdSurge, and succeeded several times.

Who is guilty: Behind it all was a former CrowdSurge employee who had recently joined Ticketmaster. The manager arrived at his new job with a “dowry”: CrowdSurge trade secrets and passwords to his ex-employer’s databases. And this despite the NDA and non-compete agreement signed before his departure.

The price of love

What happened: A Briton lost access to a wallet holding 7,500 bitcoins, which he had received in 2009. In January 2021 they were worth $258 million.

Who is guilty: According to one version, matters of the heart. In 2013 the man met a girl who was wildly annoyed by the noise of a running crypto farm and demanded that he stop mining. The offended boyfriend, in a fit of emotion, threw the equipment into a landfill, and with it went the hard drive holding the key to the crypto wallet. Another version is more prosaic: he may have accidentally thrown the disk out while cleaning the office.

The story got a second wind this year when the Briton applied to the city authorities for help. To find the disk with the cryptocurrency he offered to dig through the dump, and in return he is ready to give the city 25% of the value of the lost bitcoins (more than $70 million at the current exchange rate).

In Russia

Wages

What happened: Hackers stole 10.5 million rubles from a construction company in Yalutorovsk. The money was transferred to mule cards under the guise of salary payments and cashed out through ATMs.

Who is guilty: On the eve of the incident, the construction firm’s chief accountant opened an email with a malicious attachment. The attackers gained remote access to her computer and carried out the transfers.

A month later the police found one of the criminals. Although he returned the stolen money (and even with interest: a total of 11 million 980 thousand rubles), he faces up to 10 years under Art. 159 of the Criminal Code of the Russian Federation, for fraud in the field of computer information committed by a group of persons by prior conspiracy and on an especially large scale.

Sesame, close

What happened: A Habr user hacked into the internal network of Russian Railways and told the company about it. He then helped to fix the vulnerabilities.

Who is guilty: It was possible to get into the internal network through an unpatched router. As a result, researcher @LMonoceros gained access to more than 20,000 cameras at train stations and company offices, as well as IP phones, servers and network devices. He found that many of them still had factory passwords and that there were practically no protection tools on the network.

After the hack was published, Russian Railways specialists contacted the author and used his advice to close the security holes. The company’s press service, however, publicly opposed “unauthorized access to information systems and the publication of data related to information security in open sources.” Russian Railways also stressed that the vulnerability did not lead to a leak of passenger data and did not pose a threat to traffic safety.
