Dutch Energy Supplier Blames Cyber Intrusion on Data Breaches Suffered by Other Companies

Dutch energy supplier Eneco has warned tens of thousands of clients, including business partners, to change their passwords amid a recent data breach.

Eneco, a producer and supplier of natural gas, electricity and heat in the Netherlands, serves more than 2 million business and residential customers.

In a recent statement, the company said that “cyber criminals have used email addresses and passwords from previous thefts at other websites to gain access to approximately 1,700 private and small business My Eneco accounts, the online environment for Eneco customers.”

It claims affected customers may have had their data “viewed and possibly changed by third parties,” but doesn’t go into detail about the nature of the data, nor does it mention that attackers may use it to conduct phishing campaigns or fraud – which is typically the case in such attacks.

The company adds that “affected customers have been notified and must create a new account with a different password.”

“We are investigating whether we can also take additional measures to further secure logging in to My Eneco,” adds the notice, obtained by Databreaches.net.

All affected customers have been sent an email with instructions on how to create a new My Eneco account.

A separate group of approximately 47,000 customers is also being informed by email about the incident “as a precaution.” Eneco claims that, for this group, there is no reason to assume that their accounts have been viewed. However, because these customers also used the service around breach time, “they are advised to change their password as a precaution.”

The company seems to be taking little responsibility for the incident, despite suffering what appears to be a textbook credential-stuffing attack.

Furthermore, it seems to place the burden on users to create a new account and password when it should have automatically reset all affected users’ passwords as soon as it learned of the intrusion, as a first step towards severing the attackers’ access to their profiles.

The attackers apparently used a classic credential-stuffing technique, replaying credentials stolen in earlier breaches of other sites, meaning the attack could have been prevented simply by enforcing multi-factor authentication for customer accounts.
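The pattern described above, one source trying many different usernames with only a handful of successes, is what a defender can look for in authentication logs. The following is an added example (not Eneco's code, and the log format and sample lines are constructed for illustration): it flags source IPs that behave like credential-stuffing tools and lists every account that saw a successful login from such a source, which is the set an operator should force-reset rather than leave to the customer.

```python
"""Credential-stuffing detection over authentication logs (added example).

Assumed log format (constructed, not Eneco's):
    <ISO timestamp> <source ip> <username> <LOGIN_OK|LOGIN_FAIL>
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one IP walks through a breached credential list,
# one user retypes their own password, one normal login elsewhere.
SAMPLE_LOG = """\
2021-01-10T09:00:01 203.0.113.7 alice LOGIN_FAIL
2021-01-10T09:00:02 203.0.113.7 bob LOGIN_FAIL
2021-01-10T09:00:02 203.0.113.7 carol LOGIN_OK
2021-01-10T09:00:03 203.0.113.7 dave LOGIN_FAIL
2021-01-10T09:00:04 203.0.113.7 erin LOGIN_FAIL
2021-01-10T09:00:05 203.0.113.7 frank LOGIN_FAIL
2021-01-10T09:00:06 203.0.113.7 grace LOGIN_OK
2021-01-10T09:00:07 203.0.113.7 heidi LOGIN_FAIL
2021-01-10T09:00:08 203.0.113.7 ivan LOGIN_FAIL
2021-01-10T09:00:09 203.0.113.7 judy LOGIN_FAIL
2021-01-10T09:05:00 198.51.100.20 mallory LOGIN_FAIL
2021-01-10T09:05:30 198.51.100.20 mallory LOGIN_OK
2021-01-10T10:00:00 192.0.2.33 alice LOGIN_OK
"""


def parse_log(text):
    """Parse log lines into (timestamp, ip, username, success) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result == "LOGIN_OK"))
    return events


def find_stuffing_sources(events, window=timedelta(minutes=10),
                          min_users=8, max_success_rate=0.3):
    """Return {ip: set of accounts successfully logged into} for suspect IPs.

    Heuristic: within `window`, one IP tries at least `min_users` distinct
    usernames and succeeds on at most `max_success_rate` of its attempts.
    A legitimate user retyping a password touches one or two usernames,
    not dozens; a stuffing run touches many and mostly fails.
    """
    by_ip = defaultdict(list)
    for ts, ip, user, ok in sorted(events):
        by_ip[ip].append((ts, user, ok))
    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window start so evs[start..end] spans at most `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            chunk = evs[start:end + 1]
            users = {u for _, u, _ in chunk}
            successes = sum(1 for _, _, ok in chunk if ok)
            if len(users) >= min_users and successes / len(chunk) <= max_success_rate:
                flagged.setdefault(ip, set()).update(u for _, u, ok in chunk if ok)
    return flagged


def accounts_to_reset(flagged):
    """Union of all accounts that had a successful login from a flagged IP."""
    out = set()
    for accts in flagged.values():
        out |= accts
    return out


if __name__ == "__main__":
    suspects = find_stuffing_sources(parse_log(SAMPLE_LOG))
    for ip, accts in suspects.items():
        print(f"stuffing source {ip}: force password reset for {sorted(accts)}")
```

The thresholds are deliberately conservative for the sample; on real traffic they should be tuned against the normal distinct-username rate per source, and a proxy or NAT in front of many users will need a per-session or per-ASN view rather than a bare IP.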

To its credit, the firm swiftly reported the incident to the Dutch Data Protection Authority and is now informing all customers through various channels of the importance of good password hygiene, “so that such attacks can be prevented even better in the future, both at Eneco and other online accounts,” it says.

Australian Police Email Mistakenly Identifies Gun Owners

The Queensland Police Service has mistakenly sent an email that revealed information on about 500 gun owners, which could have been used to determine their location or real names.

It’s easy to think about data breaches in terms of hacking, but many data breaches stem from negligence or human error. People don’t secure databases, let other users access resources they shouldn’t or send emails with more information than necessary. Whatever the cause, accidental data breaches are a fact of life.

Burglars hit the Moreton Police District and stole a substantial number of firearms. The Queensland Police Service sent an email with the subject line “weapons audits,” advising people to remember to lock their guns. The problem was that the email exposed the 500 email addresses of firearm owners to every recipient, and an email address alone is often enough to work out the owner’s full name.

The police department quickly sent another email asking people to delete the previous email.

“Dear recipient, earlier today an email was sent from our Crime Prevention Unit, Caboolture Police to a number of individuals with an overall strategy of sharing information and ensuring the security of weapons is optimally maintained, compliant with weapons licensing requirements,” said District Officer Superintendent John Hallam, the Sydney Morning Herald reported. “Regrettably, an error occurred in that individual email addresses were visible in the email.”

John Hallam wasn’t the one who sent the original email. An investigation is now underway to determine how this privacy leak was possible in the first place. The law enforcement agency apologized for the confusion and for revealing the gun owners’ names to the public.

FTC Orders Popular Women’s Fertility-Predictor App to Stop Misleading Users about Health Info Shared with Data Analytics Providers

Flo Health, Inc., the developer of a popular period and fertility-tracking app, has reached a settlement with the Federal Trade Commission after the company shared private health information of more than 150 million users with data analytics providers such as Google and Facebook.

The digital fertility predictor, period tracker and pregnancy app for women collected health information and intimate details from its users, promising to keep the information private.

However, the FTC complaint describes how sensitive health information shared in the Flo App, such as the user’s pregnancy status, was disclosed to third parties through “app events.”

“Flo disclosed health data from millions of users of its Flo Period & Ovulation Tracker app to third parties that provided marketing and analytics services to the app, including Facebook’s analytics division, Google’s analytics division, Google’s Fabric service, AppsFlyer, and Flurry,” the FTC said.

The agency noted that the developers of the app violated the EU-US Privacy Shield and Swiss-US Privacy Shield frameworks. The Privacy Shield framework requires companies to follow strict privacy principles, including asking users for permission before sharing their personal information with third parties.

Flo Health was ordered to notify users whose personal information was disclosed while instructing any third-party recipient of users’ health information to destroy the data immediately.

Moreover, the company has agreed to ask for users’ consent before sharing information in the future and to review its privacy promises, so that it accurately represents every entity to which it may disclose collected information.

“Apps that collect, use, and share sensitive health information can provide valuable services, but consumers need to be able to trust these apps,” said the director of the FTC’s Bureau of Consumer Protection, Andrew Smith. “We are looking closely at whether developers of health apps are keeping their promises and handling sensitive health information responsibly.”

The FTC’s mission also focuses on spreading awareness on the increased use of health apps that ask for your personal or sensitive health information. In some cases the risks may outweigh the benefits, compromising user privacy.

Users are urged to compare privacy policies for apps providing similar services to find the most suitable application. Make sure that the app sharing your information tells you what and why. Freedom to tweak the settings of the app is a plus, as it may give users more control over what the app collects and shares with third parties.

Unfortunately, not all app developers stand by their privacy policies, so if you suspect that a health app provider is not fulfilling its promises, make sure to notify the agency or your local privacy watchdog.

Banking Organizations May Face New Breach Notification Requirements from US Regulatory Bodies

US regulators have released a Notice of Proposed Rulemaking (NPRM) that would oblige banking organizations and bank service providers in the country to adhere to more stringent reporting requirements for security incidents.

The rule would require notifications of any “computer-security incident” that rises to the level of a “notification incident” within 36 hours of the organizations discovering the incident.

The proposed regulation, entitled Computer-Security Incident Notification Requirements for Banking Organizations and Their Bank Service Providers (Proposed Rule), would also oblige bank service providers to notify at least two individuals “at affected banking organization customers” immediately after a security incident disrupts, degrades or impairs services for at least four hours.

The notice, released January 12 by the Office of the Comptroller of the Currency (OCC), the Board of Governors of the Federal Reserve System (Board), and the Federal Deposit Insurance Corporation (FDIC), follows an increase in cyberattacks reported to federal law enforcement in recent years.

“These types of attacks may use destructive malware or other malicious software to target weaknesses in the computers or networks of banking organizations supervised by the agencies,” the notice reads. “Some cyberattacks have the potential to alter, delete, or otherwise render a banking organization’s data and systems unusable. Depending on the scope of an incident, a banking organization’s data and system backups may also be affected, which can severely affect the ability of the banking organization to recover operations.”

The regulation also lists computer-security incidents that should be considered “notification incidents,” such as:

  • Large-scale DDoS attacks that disrupt customer account access (for four or more hours)
  • Widespread system outages and undeterminable recovery time experienced by a bank service provider used by a banking organization
  • A hacking incident that disables or disrupts banking operations for an extended period of time
  • The dispersion of malware on a financial institution’s network that would call for the organization to take all Internet-enabled network connections offline
  • Ransomware attacks that encrypt core banking systems or backup data

If the Proposed Rule passes, regulatory reporting obligations for banks and banking service providers will increase sharply, subjecting organizations to the most stringent federal incident reporting regulations to be implemented in the United States.
Pfizer and BioNTech COVID-19 Documents Stolen in EMA Cyberattack

The European Medicines Agency (EMA), responsible for overseeing and approving the development of COVID-19 vaccines, has acknowledged that cybercriminals stole COVID-19 vaccine data from developers Pfizer and BioNTech in early December.

“Some of the unlawfully accessed documents related to COVID-19 medicines and vaccines belonging to third parties have been leaked on the internet,” the latest cyberattack update reads. “Necessary action is being taken by the law enforcement authorities. The Agency continues to fully support the criminal investigation into the data breach and to notify any additional entities and individuals whose documents and personal data may have been subject to unauthorised access.”

According to Bleeping Computer, which also discovered one of the alleged leaks on a popular hacking forum, the stolen data includes email screenshots, EMA peer review comments, Word documents, PDFs and PowerPoint presentations.

In a joint statement released by the two pharmaceutical giants, the developers of the BNT162b2 COVID-19 vaccine disclosed that only some of their confidential documents were accessed during the cyberattack.

“Today, we were informed by the European Medicines Agency (EMA) that the agency has been subject to a cyberattack and that some documents relating to the regulatory submission for Pfizer and BioNTech’s COVID-19 vaccine candidate, BNT162b2, which has been stored on an EMA server, had been unlawfully accessed,” the press release said. “It is important to note that no BioNTech or Pfizer systems have been breached in connection with this incident and we are unaware that any study participants have been identified through the data being accessed.”

EMA said its medicine-related regulatory network is fully functional, and that its evaluation process for the approval of coronavirus drugs and medications is not affected by the breach.

The agency offered no additional information regarding the leaked data, saying it would prejudice the ongoing investigation.

“EMA will continue to provide information in due course, to the extent possible, given its duty towards the ongoing investigation,” the cyberattack update concluded.

International Task Force Takes Down Largest Dark Web Market

Europol has announced the shutdown of DarkMarket, the world’s largest illegal marketplace on the dark web, which housed more than 2,400 sellers and half a million users.

The dark web is home to many such criminal enterprises, but DarkMarket was the largest. The operation was already under investigation when German authorities captured an Australian citizen who is the enterprise’s alleged operator. Following that arrest, law enforcement dismantled the entire infrastructure in a matter of days.

“The investigation, which was led by the cybercrime unit of the Koblenz Public Prosecutor’s Office, allowed officers to locate and close the marketplace, switch off the servers and seize the criminal infrastructure – more than 20 servers in Moldova and Ukraine supported by the German Federal Criminal Police office (BKA),” said Europol. “The stored data will give investigators new leads to further investigate moderators, sellers, and buyers.”

Numerous countries and agencies worldwide participated in the operation, including Germany, Australia, Denmark, Moldova, Ukraine, the UK (the National Crime Agency), and the US (DEA, FBI, and IRS).

In total, DarkMarket hosted over 320,000 transactions in which 4,650 bitcoin and 12,800 monero changed hands, corresponding to more than €140 million ($170 million).

Marketplaces like DarkMarket are often used to sell stolen information such as credentials, financial data, databases, zero-day vulnerabilities, and much more. Taking such a large operation offline will make life a little easier for companies and regular users, at least in the short term.

Korean Dating App Leaks 1 Million Private Photos Shared By Users

CyberNews researchers have stumbled on an unsecured database leaking over 1 million NSFW photos shared by users of a Korean dating app.

The database contained mostly image files, with over 880,000 files pointing to explicit images sent by users through private messages. Researchers believe that the leaked pictures belong to Sweet Chat or Sweet Talk, a free Korean dating app for teenagers.

“We cannot state with 100% certainty that this bucket actually belongs to the app 스윗톡 (Sweet Talk),” researchers said. “However, a short journey brought me to that conclusion. There are images in the database for the service SweetChat that lead to the website sweet.chat.”

Although the data collection included no personally identifiable information (PII), such as names, usernames or email addresses, all of the exposed images seem to contain a numerical user ID that could be used to locate the exact username of individuals.

The team warned that the files could have been accessed by other individuals who may have had access to the link.

“If we assume that this unsecured bucket belongs to Sweet Talk/Sweet Chat, then that means that Sweet Talk users have had some of their most private and explicit images leaked online, accessible to anyone who has the link,” CyberNews explained. “Unfortunately, accessing an unsecured Amazon S3 bucket is remarkably easy – and there are many people who know how to find these buckets.”

Criminals could use the sensitive images to extort identified users by threatening to release the data to friends and family unless their demands are met.

Unfortunately, the research team was not able to confirm their findings with Sweet Talk/Sweet Chat.

“We contacted the app maker via email, but have not received any response yet,” investigators added. “Fortunately, Amazon was able to close off the unsecured bucket on December 23, 14 days after we first contacted them.”
Kosovo Hacker Faces Extended US Prison Stay After Allegedly Committing Crimes from His Cell

A Kosovo hacker serving prison time in the US for aiding a terrorist organization is facing new charges just as the judge presiding over his case granted him a reduction to time served. The reason, feds say, is that he kept at it – from prison.

Ardit Ferizi had been sentenced in 2016 to 20 years in prison for providing personally identifiable information of US government personnel to the Islamic State of Iraq and al-Sham (ISIS).

Ferizi’s sentence was reduced in December 2020 to time served, plus 10 years of supervised release to be served in Kosovo, following the granting of a motion for compassionate release by a federal judge, the DOJ reports.

But an FBI investigation discovered that Ferizi had been involved in multiple fraudulent schemes from prison. Between 2017 and 2018, he allegedly coordinated with a family member who was operating his email accounts from Kosovo.

“Ferizi instructed the family member to ‘keep my email alive and not expiring’ and passed his email addresses and passwords on to his family member,” according to an FBI agent’s affidavit filed in support of the criminal complaint. “The FBI was able to determine that at least one email account included large databases of stolen personally identifiable information, extensive lists of stolen email accounts, partial credit card numbers, passwords, and other confidential information.”

“Based on an IP address resolving to Kosovo, login activity to Ferizi’s other e-mail accounts, and other investigative information, it was determined the family member downloaded the databases of stolen information to liquidate the proceeds of Ferizi’s previous criminal hacking activity,” the FBI agent said.

If convicted on the new charges, Ferizi faces a maximum penalty of 22 years behind bars and a fine of $250,000, the DOJ said.

Over 200 Million Facebook, Instagram and LinkedIn Profiles Exposed Through Unsecured Database Held by Chinese Startup

Chinese social media management company Socialarks leaked personally identifiable information (PII) of over 200 million Facebook, Instagram and LinkedIn users, according to researchers from SafetyDetectives.

The data, leaked through an unsecured Elasticsearch server, amounted to 408GB of personal information on regular users, social media influencers and even celebrities.

Investigators found that the leaked data appeared to have been scraped from popular social media platforms, in violation of the terms of service of the social media giants.

The leaky database included the following information:

  • 81,551,567 Facebook account profiles
  • 66,117,839 LinkedIn user profiles
  • 11,651,162 Instagram user accounts
Researchers also noted that an additional 55.3 million Facebook user profiles were deleted hours after their discovery.

“From the leaked data we discovered, it was possible to determine people’s full names, country of residence, place of work, position, subscriber data and contact information, as well as direct links to their profiles,” SafetyDetectives explained.

The exposed information for each social media platform varies, but it paints a complete picture of the user’s profile that could allow threat actors to choose their most profitable targets.

Leaked Instagram user accounts revealed full names, over 6 million phone numbers, 11 million email addresses, profile links, pictures, profile descriptions, number of followers, country of residence and most frequently used hashtags.

The Facebook account information shows similar information, alongside Like, Follow and Rating count, Messenger ID and profile description.

In the case of LinkedIn profiles, the records exposed user job profile, job title and seniority level, company name and revenue margin together with the full name and email address of users.

Although not every record exposed every field for every user, the investigators noticed that the database contained phone numbers and email addresses for users who had opted not to make that information public on their profiles.

“Socialarks’ database stored personal data for Instagram and LinkedIn users such as private phone numbers and email addresses for users that did not divulge such information publicly on their accounts,” the report reads. “How Socialarks could possibly have access to such data in the first place remains unknown.”

The China-based company suffered a similar data breach in August 2020, which exposed information on 150 million LinkedIn, Facebook and Instagram users. Investigators said the unsecured server was discovered on December 12, 2020. Two days after confirming the origin of the database, the cybersecurity team contacted Socialarks to disclose the breach.

“The company did not respond to our correspondence but the server was secured on the same day,” SafetyDetectives added.

The leak and unethical scraping of user data poses a serious security risk to exposed users. The information could be “weaponized to carry out a specific goal of extracting personal information for criminal purposes,” the report warned. “Potential ramifications of exposing personal information include identity theft and financial fraud conducted across other platforms including online banking.”

Ubiquiti users told to change their passwords following security breach

  • Breach occurred at third-party cloud provider used by IoT device manufacturer
  • Email addresses, names, and hashed and salted passwords exposed

IoT device vendor Ubiquiti has told customers that they should change their passwords after a security breach left user details exposed.

In an email sent to users, router and access point manufacturer Ubiquiti explained that it had recently become aware of a breach at a “third party cloud provider” used by the firm to host some of its infrastructure.

Data that may have been accessed includes:

  • Customers’ email addresses
  • Customers’ names
  • Customers’ hashed and salted passwords
  • Customers’ addresses and phone numbers (where provided)

What isn’t made clear in the email advisory is whether the exposed data was stumbled across by a security researcher who then informed Ubiquiti, or whether it was accessed by someone with malice in mind.

If malicious hackers were able to use the information to access the profiles of Ubiquiti customers, they would be able to change the settings of the customers’ IoT devices remotely, as well as access the support portal. And if a hacker were not able to determine account passwords from the breached data they would still have been able to use the leaked contact details to target Ubiquiti customers with scams and phishing attacks.

Ubiquiti says that it has not seen any evidence of unauthorised account access as a result of the incident.

However, the company advises that, as a precaution, customers should change their account passwords, and ensure that the same password is not being used anywhere else on the internet.

Far too many people still use the same password in multiple places online, making it easier for hackers to leverage one breach to break into accounts elsewhere on the net.

In addition, Ubiquiti recommends that customers enable two-factor authentication (2FA) for an additional layer of protection.

Ubiquiti might also have done well to reconsider how it chose to communicate the breach to its customers.

In the advisory it sent to customers, Ubiquiti encourages them to click on buttons within the email to change their passwords and enable 2FA, rather than recommending that they visit the account.ui.com website directly. Embedded buttons and links are exactly the technique phishing emails use to lure unsuspecting users into entering their login credentials on bogus lookalike websites, so a breach notice should avoid them.

Under the circumstances, the company might have done well to make its announcement look a little less like a phishing message, and so reduce its users’ concern.