Breaches: What you should know about them

163.5 million people have been affected by data breaches so far in 2020. Statistics show a 72% increase in accounts compromised due to data breaches. 

1 in 4 people is likely to be a victim of data breaches. Have you ever been exposed? Find out now with Bitdefender’s Digital Identity Protection.

Top 5 major breaches of 2020:

Nintendo Data Breach– Nintendo admitted 300,000 accounts had been compromised. Hackers used the stolen accounts to purchase valuable digital items. 

Easy Jet – The low-cost airline based in the UK reported that cybercriminals stole 9 million data records and information on 2,200 credit cards from their customers.

The Marriot hotel chain suffered a cyberattack that impacted data of more than 5.2 million hotel guests who used the loyalty application of their company. 

Zoom –  More than 500,000 stolen Zoom passwords available for sale in dark web crime markets shook the users of the application. 

Spotify reset the passwords of up to 350,000 accounts that were breached in a credential-stuffing attack.

It’s easier to prevent a data breach than to recover from one. Protect your digital identity before it’s too late! With Bitdefender’s Digital Identity Protection.

Data breach – you’ve heard the name, but what does it mean?

Data breaches happen when companies and other organizations are hacked. If you are a customer of that organization, your details from the database fall into the hands of cybercriminals. 
 
How can a data breach affect you? 

In a data breach, someone gains access to your personal information. Names, emails, bank details and Social Security numbers – all your personal information – can be exposed to and exploited by criminals. 
 
How does it happen? 

When hackers get the email/ username and password for one of your accounts, they have an open door to your digital identity. They use these credentials to break into your other accounts and gather as much personal information about you as they can. This strategy works because most people reuse their passwords. 
 
What do cybercriminals do with your information?

If they get into an account that contains your credit card details, they can use them to buy things with your money, pay for services or apply for loans in your name. Or sell it on underground markets so others can commit fraud. 

They can also start impersonating you by creating new accounts on social media or taking over your existing ones. 

Considering the extent of damage that identity theft can do to your life, the best option is to prevent becoming a victim. Find out how our Digital Identity Protection solution can help you.

With Digital Identity Protection, you can: 

  • Monitor your digital footprint starting with an email address and phone number
  • Find your private information online, in legal and illegal collections of data.
  • Check if your personal information was exposed on the Dark Web.
  • Benefit from ongoing breach monitoring for five email addresses
  • Get instant alerts to new breaches and privacy threats.
  • Detect your Social Media impersonators

Give it a try to stay on top of breaches. Get Digital Identity Protection now

Phishing Campaign Uses New York Department of Labor Logo and Pandemic Aid Info to Steal Private Information

Security researchers have identified a new phishing campaign using a message purportedly from the New York Department of Labor to trick people into giving the attackers personal data.

Threat actors often target personal user data in phishing campaigns because they can easily help in fraud and identify theft. Such credentials are highly sought on the black market, which is why many phishing emails aim in this direction.

In this situation, the attackers take a subject of great interest in the United States, such as the currently discussed pandemic aid, and try to convince people to offer their details in a spoofed website.

“The attacker impersonates the New York Department of Labor by disguising their identity with the display name ‘noreply@labor.ny.gov’ and displaying the New York State logo at the top of the email,” says Abnormal Security.

“However, a closer look reveals the true sender to be ‘naij30@naija9icevibes.com’, a Panamanian-registered domain with no association to the New York state government. The attacker claims that the government will administer a $600 relief fund to citizens who fill out the indicated form.”

If successful, the attacker gets the user’s name, address, date of birth, social security number and driver’s license.

The email also adds a sense of urgency to the claim and the use of official logos and seemingly official email address helps to make this an efficient way to steal private information.

As usual, the best protection against this kind of attack is to always keep in mind that such private data should never be shared online and that authorities will never ask for it in such a manner. The same goes for financial information. If you believe you’ve fallen for such an email, keep an eye on your financial situation and report any suspicious activity.

Were you a victim of a data breach? Time to find out with Bitdefender’s Digital Identity Protection tool. 

Hacker publishes stolen email and mailing addresses of 270,000 Ledger cryptocurrency wallet users

Hacker publishes stolen email and mailing addresses of 270,000 Ledger cryptocurrency wallet users

  • Details of Ledger hardware wallet customers provides golden opportunity for scammers
  • Scams include threats to break into homes of customers if ransom is not paid

The phone numbers, email and postal addresses of over 270,000 owners of the Ledger cryptocurrency hardware wallet have been made freely available for download from a hacking forum.

The information, which is accompanied by the email addresses of over one million people who have subscribed to the Ledger newsletter, is believed to have originally fallen into the hands of criminals following a security breach at the firm back in June 2020.

Initially made available for sale through underground hacking forums populated by cybercriminals, the data is now available at no cost.

And that, inevitably, means that more and more malicious parties may attempt to exploit the information in an attempt to defraud the unwary and intimidate Ledger customers.

Such attacks are already occurring on a regular basis.

Earlier this month, for instance, Bleeping Computer reported that Ledger customers have been receiving breach notification emails saying that users need to install a new version of the Ledger Live software and reset their PIN.

However, despite appearances, the emails did not really come from Ledger but were instead sent by cybercriminals to direct unsuspecting users to a fake version of Ledger Live for Windows which would steal wallet users’ recovery phrase and secret passphrase (if they have enabled that extra layer of security).

With such information, an attacker could gain full access to a users’ cryptocurrency funds.

And just today, Ledger warned customers about another scam which has seen attackers demand a $500 ransom not to invade recipients’ homes, using information presumably leaked from the company’s servers.

At the time of writing, Ledger says it has shut down 171 phishing sites in the last two months. With the data related to Ledger’s customer base being so freely available, the number of phishing sites targeting users is only going to rise.

Ledger is asking customers who receive fake communications pretending to be from the company to report it to them.

Ledger emphasises to customers that it will never deactivate users’ devices (it’s not uncommon for phishing attacks to make such threats to trick unsuspecting users into making poor decisions), and will never contact customers via text message or phone call.

But perhaps most importantly of all, Ledger says that users should never share the 24 words of their recovery phrase “with anyone under any circumstances.” The secret recovery phrase should only ever be entered onto the Ledger device itself. or your cryptocurrency holdings could slip through your fingers.

Thousands of Student Records Remain Unrecoverable after Baltimore County Public Schools Ransomware Attack

The aftermath of the cyberattack that forced Baltimore Public Schools (BCPS) to cancel remote classes before Thanksgiving holiday is still unraveling, as school officials struggle to recover most of their student records and replace compromised devices.

According to an online media journal, the Student Information System (SIS) was fully compromised, and most student records are “presumed completely unrecoverable,” as per information provided by an unnamed BCPS employee.

Making matters worse, a backup of the SIS, housing students’ educational tools, grades, score tests and student identification numbers was apparently housed on the same server, rendering both systems inoperative.

Another employee also hinted that BCPS is struggling to track down any student data with the help of third-party vendors. “BCPS is coming up with new tools and workarounds because we don’t have access to old programs,” the source said. “They are using third-party programs or they are rebuilding.”

It’s not just student identification numbers and state test scores that may never be recovered. Employees using USB flash drives during the attack may have lost entire curriculums and lesson plans. The attack “wiped out everything,” an employee noted. “In some cases, teachers lost up to 20 years’ worth of lesson plans and curriculum.”

The school district has also scheduled students and staff members in possession of compromised school-issued devices to come in for replacements. “At this point in our recovery from the ransomware attack, we may have few updates as staff are digging deeply into systems and solutions,” BCPS said in an official update. “For all students and staff with a BCPS HP device, please come to any BCPS high school during the dates and times on the BCPS Device Reimaging Schedule to have your device replaced. You will trade in your device and receive a re-imaged device that has extra protection. This is an important step in our recovery. You will not get your device back.”

Cyber Thieves Attack Renewable Energy Supplier to Steal Personal Info of 250,000 Customers

UK-based renewable energy supplier People’s Energy has disclosed that cybercriminals accessed the personal details of its entire 250,000 customer database in a data breach.

“On Wednesday 16 December, we discovered that an unauthorised third party had gained access to one of the systems we use to store some of our members’ data,” the company said in a press release. “As soon as we became aware of what was happening, we acted immediately to close down the route being used to get into our system, and to stop access to any further information.”

The company said no financial information for domestic customers was accessed during the attack. However, the attackers did manage to view a comprehensive list of customer details, including names, addresses, phone numbers, email addresses, dates of birth, People’s Energy account numbers, tariff details, and gas and electricity meter identification numbers.

Small-business customers were not so lucky, though. In an interview with the BBC, co-founder Karin Sode said the cyber thieves had accessed bank accounts and sort codes of 15 of their business members.

People’s Energy also emphasized that they have informed the Information Commissioner’s Office and energy industry regulator and have set up a dedicated phone number and email address for customers in need of additional information.

The energy supplier is not calling for a mandatory reset of online account password but urges members to watch out for suspicious emails and phone calls.

“If you’re suspicious about an email, call or letter that appears to come from People’s Energy, please contact us straight away,” People’s Energy added. “You can reach us on our dedicated phone number 0131 378 2357, or by emailing helpline@peoplesenergy.co.uk.

Were you a victim of a data breach? Time to find out with Bitdefender’s Digital Identity Protection tool. 

Spotify Hit by Yet Another Data Leak

Spotify Hit by Yet Another Data Leak

Spotify is now dealing with a third security incident in the span of a couple of months after account registration data was mistakenly exposed to some of the company’s business partners.

The music streaming company is going through a rough patch, with yet another security incident involving its users’ private data. Just a few weeks ago, threat actors used login credentials from a third party in a massive credential-stuffing attack, compromising over 300,000 user accounts. And after that, the service had to deal with a security breach affecting its offering for artists.

“Spotify discovered a vulnerability in our system that inadvertently exposed your Spotify account registration information, which may have included email address, your preferred display name, password, gender, and date of birth only to certain business partners of Spotify,” said the company. “Spotify did not make this information publicly accessible. We estimate that this vulnerability existed as of April 9, 2020 until we discovered it on November 12, 2020, when we took immediate steps to correct it.”

While that the company said it believes the leaked information hasn’t been used and won’t be used, it did urge users to change the passwords of all other online accounts if the credentials are shared with other online services.

Unfortunately for Spotify, security researchers found private data from their services on the dark web. In 2019, police in Australia arrested a man who allegedly made AU $300,000 (US $211,000) running a website that sold account passwords of popular online subscription services, including Spotify.

Many users share credentials on multiple online services, making Spotify and other similar platforms prime targets for similar attacks. The best course of action for users is to change their passwords, again, even if there’s no indication so far that the data leak hit the dark web.

Ransomware attackers are making threatening phone calls to their victims, warns FBI

Ransomware attackers are making threatening phone calls to their victims, warns FBI

  • DoppelPaymer ransomware victims are being called by hackers, post-infection
  • Family members have also been called, as threats are made to visit victims’ homes

It’s scary to receive a ransom demand from a cybercriminal, but I would argue it’s even more frightening to receive a threatening phone call from your attackers if you refuse to pay.

As ZDNet reports, the FBI has sent out a PIN (Private Industry Notification) alert to private sector companies warning them that not only are hackers using the DoppelPaymer ransomware in an attempt to extort money from affected organisations, but that they are also making follow-up phone calls to apply further pressure for victims to pay up.

According to the FBI’s PIN, shared by Catalin Cimpanu of ZDNet, the extortion phone calls date back as far as February 2020.

Not content with communicating via more “traditional” channels for ransomware negotiations, the FBI reports that hackers who had infected organisations with DoppelPaymer threatened and intimidated victims in phone calls, whilst hiding their real location.

In one instance, the attacker used “a spoofed US-based telephone number while claiming to be located in North Korea, threatened to leak or sell data from an identified business if the business did not pay the ransom.”

In subsequent calls to the same victim, the criminal threatened to “send an individual to the home of an employee and provided the employee’s home address.” Several of the employee’s relatives were also contacted.

It’s understandable that someone receiving such calls, particularly if their family members were also called by the extortionist, would feel extremely rattled.

It’s one thing receiving an email or picking up a ransom note on a computer from an anonymous attacker, it feels quite a lot more personal if the person threatening you reveals that they know where you live and know how to contact your family.

Nonetheless, it’s probably important to recognise that although a ransomware attacker might be prepared to publish files and databases stolen from your network, it’s not necessarily so likely that they will follow through with physical real-world threats.

As ever, the FBI’s official advice is that companies should avoid paying their extortionists a ransom if at all possible, as it just encourages more ransomware attacks to be launched in the future.

Past victims of the DoppelPaymer ransomware include technology manufacturer Foxconn, the city of Florence in Northern Alabama, the city of Torrance in the Los Angeles metropolitan area, Newcastle University in the UK.

Perhaps most infamously, DoppelPaymer was the ransomware used in the attack against a German hospital that resulted in a patient dying as they were moved to an alternative hospital.

Feeling Lucky This Holiday Season? COVID-19, Google and Microsoft ‘Lotteries’ are Out for Your Info and Money

“Congratulations, You’ve Won the Lottery!” Such emails are popping up in inboxes across the world as scammers take advantage of the financial difficulties brought about by the ongoing pandemic.

Fraudsters are using popular brand names, existing lottery names and the coronavirus to mislead recipients into believing that they have won millions of dollars in various online lotteries. Each year, online lottery scams dupe unsuspecting users into providing their personal and banking details in mass-market spam campaigns which reign in millions to fraudsters.

As in previous years, these messages appear to be sent from a “Lottery” you never participated in, but lure you with the prospects of becoming an overnight millionaire. They are riddled with grammatical mistakes, and urge you to act fast or risk forfeiting your winnings.

Haven’t you heard of the Covid-19 Lottery Draw?

Scammers are piggybacking on the Coronavirus crisis and economic hardship to trick you into believing you’re the lucky winner of 8.5 million dollars. How? In one version of the scam, your email address has been randomly selected from a batch of 50 million international addresses in a lottery organized by global brands and organizations such as Microsoft, Coca-Cola, World Health Organization, Intel and Toyota, “to encourage the use of Internet and also advertise the coronavirus Covid-19 Worldwide.”

If you pay attention to the message, you’ll notice it’s riddled with grammar mistakes and absurd explanations of the origins of the lottery draw – does the coronavirus really need advertising?

As with any lottery or sweepstakes scam, a time limit for claiming your prize is provided. You have until 31 December to contact the “Department of Finance” or the funds return to the organization.

Sample 1. Covid-19 lottery scam

In a second version of the scam, picked up by Bitdefender Antispam Lab, fraudsters impersonate the transnational EuroMillions lottery that wishes to compensate individuals for Covid lockdown measures.

“We are happy to inform you officially about the result of the Interlotto Euromillion Bonus Lotto Program that was conducted on 14TH JUNE, 2020 with cooperation of the World Tourism Organization, To compensate many people around the world (Globe) due to: CORONAVIRUS Disease (COVID-19) OUTBREAK LOCK DOWN,” the message reads.

As a lucky winner, you are asked to contact a South African claim agent by July 27, 2021. Additionally, you are enticed with the prospect of receiving an instant cash-down amount of $10,000 US dollars through MoneyGram.

Sample 2. Covid-19 lottery scam

Spanish and UK lottery impersonations

Lottery scammers also used the names of legitimate lotteries such as El Gordo (in Spain) and the Camelot group, official operator of the UK National Lottery. Recipients are asked to provide their personal details including name, address nationality, occupation, date of birth, phone number, office number and a copy of their ID to receive the funds. The crooks want these details so they can steal your identity and the money in your bank account.

Sample 3. El Gordo lottery scam

Sample 4. Camelot lottery scam

Yahoo, Google, Microsoft and Mastercard lottery scams

Tech giants, email providers and credit card companies have also been used in spam campaigns promoting online lotteries. Cyber thieves impersonating Yahoo, Google and Mastercard attempt to dupe recipients into accessing malware-infected PDF files that contain the documentation needed to cash in their prize. At the same time, “Microsoft 2020 Christmas Promo” entices recipients with the thrill of receiving 450,000 pounds as a result of the pandemic.

Sample 5. Google lottery scam

Sample 6. Mastercard lottery scam

Sample 7. Yahoo lottery scam

Sample 8. Microsoft lottery scam

How to avoid lottery fraud

“Have I entered an online lottery?” should be the first question you ask yourself when receiving an email claiming you’ve won any prize. Remember, you can’t win a cash prize in any lottery if you haven’t bought a ticket. Look for grammar mistakes and typos when reading the message – you’ll find some red flags.  The risk of infecting your devices with malware and info-stealing Trojans is also possible, so never access any documents or attachments.

Make sure not to contact the sender or provide your personal information. Scammers make money by stalling your so-called “prize money” and asking you to pay processing, insurance or bank fees. Additionally, most messages will encourage “winners” to not reveal their winnings to anyone, to maintain “security” of the funds. This step is meant to make sure you don’t start researching the lottery or contact any official organizations.

Dutch Hacker Who Allegedly Broke into Trump’s Twitter Account Walks Free

Victor Gevers, the ethical hacker who earlier this year claimed to have broken into President Trump’s Twitter account, will not be punished, a Dutch prosecutor announced Wednesday.

“Logging in to the Twitter account of US President Trump by a Dutch ethical hacker in October 2020 was not punishable. That is the conclusion of the Public Prosecution Service after an investigation by the Team High Tech Crime of the National Unit,” reads a rough translation of the news release.

Much like everywhere else in the civilized world, hacking is a felony in the Netherlands. However, not all hacking is malicious, and Dutch authorities determined that Gevers indeed was wearing his white hat while breaking into Trump’s Twitter account.

Police documented his responsible disclosure of the hack, including his move to contact American authorities to report that he guessed Trump’s password – “maga2020!

“The hacker released the login himself,” the news release continues. “He later stated to police that he had investigated the strength of the password, because there were major interests involved if this Twitter account could be taken over so shortly before the presidential election.”

It’s worth noting that the White House denied the hack at the time, and still does. Twitter, for its part, said it has seen no evidence of Gevers’ claims.

But according to the Dutch Public Ministry (Openbaar Ministerie), “the OM assumes that the hacker has actually penetrated Trump’s Twitter account, but has met the criteria that have been developed in case law to go free as an ethical hacker.”

After the White House and Twitter denied that he ever broke into Trump’s account, Gevers said the password had changed and two-factor-authentication (2FA) had been enabled.

As reported by Silviu Stahie in October, this was not the first time hackers allegedly guessed Trump’s Twitter password. In fact, three hackers – all from the Netherlands – are said to have accessed Trump’s account in 2016 after guessing that his password was “yourefired,” his catchphrase from The Apprentice. Like with Gevers’ alleged hack, American officials refuted the claims at the time.

It seems unfortunate that Gevers had to defend himself for what all parties involved say was either an ethical hack, or no hack at all. If anything, his actions/allegations have probably made Trump’s Twitter account more secure.

Leaky Databases Expose over 45 Million Medical Images and Patient Data

Unsecured servers and medical devices around the world are leaking over 45 million medical imaging files and associated healthcare data, according to researchers.

A six-month investigation into Network Attached Storage (NAS) and Digital Imaging and Communications in Medicine (DICOM) conducted by the analyst team at CybelAngel has found millions of sensitive medical records and images, including X-rays, CT scans and MRI images, left unencrypted on unsecure servers.

“The analysts found that openly available medical images, including up to 200 lines of metadata per record which included PII (personally identifiable information; name, birth date, address, etc.) and PHI (height, weight, diagnosis, etc.), could be accessed without the need for a username or password,” CybelAngel said. “In some instances login portals accepted blank usernames and passwords.”

What makes their findings even more concerning is the simplicity with which they were able to access the medical data, since none of the databases required a username or password.  

“The fact that we did not use any hacking tools throughout our research highlights the ease with which we were able to discover and access these files,” David Sygula of CybelAngel said. “This is a concerning discovery and proves that more stringent security processes must be put in place to protect how sensitive medical data is shared and stored by healthcare professionals. A balance between security and accessibility is imperative to prevent leaks from becoming a major data breach.”

During their investigation, the researchers scanned 4.3 billion IP addresses, which led to the discovery of over 2,140 unprotected servers across 67 countries including the United States, UK, France and Germany.

The report also highlights risks to victims, as bad actors could use the information in ransomware attacks and blackmail. Medical data costs a pretty penny on black markets, and can be used for various forms of fraud and medical identity theft. The researchers advise healthcare organizations to ensure proper network segmentation of connected medical imaging equipment and conduct audits of third-party partners to check for nonconformities within security policies and protocols.

Posts navigation

1 2 3 4 5
Scroll to top