Blockpass Data Breach Intelligence Report - January 2019

February 2019
In January, the Blockpass Research Team analyzed 9 data breach events, chosen either for their significant impact on consumers or for their implications for global politics. We found that the most significant data breaches this month involved KYC data. Indeed, the month included the biggest leak we’ve seen so far in our reporting: “Collection #1,” a stolen database which contains the personal data of 773 million people.

It would not surprise anybody that companies want to look out for themselves, and oftentimes the best way for them to do this is by finding out who their customers are. This process, called KYC (Know Your Customer), is all the more important in today’s digital world, where we rarely meet face to face and where business is done across great distances. For many types of companies, such as those in the financial sector, KYC is not just a matter of due diligence but one of regulatory compliance. Leaked KYC data leads to the victimisation of millions upon millions of people every day and can have a significant and potentially dangerous impact on their lives.

Number of Events Analyzed: 9
Number of Identities Lost: approx. 825,328,615
Share of World Population: 11%
Industry Hardest Hit: Various - KYC Data

This report, for the month of January, is the third of our Data Breach Intelligence Reports. We encourage the Blockpass community and anyone who might be otherwise interested to let us know what kinds of information they would like to see provided in future reports by contacting us at [email protected] under the subject line “Suggestions for the blog.”

Centralized third-party data storage is a risk we identified before we launched the Blockpass project. While it is true that sometimes, for the purposes of KYC/AML compliance, companies are required to collect their customers’ data, it must be done with the utmost of care and respect for consumers’ privacy and security. For many companies and organizations, like the ones below, this is a lesson that ends up being learned far too late.

“Collection #1” | Worldwide | 773,000,000
A discovery made by renowned data security researcher Troy Hunt has given 2019 a startling start. On January 15th, Hunt announced to his Twitter followers that he had been tipped off to a “MASSIVE” list of emails and passwords that were being sold to spammers. Following overwhelming community approval, he uploaded the list to his well-known data theft awareness site “‘;--have i been pwned?”.

The list, which took Hunt, who also serves as a regional director at Microsoft, more than 12 hours to upload, included a staggering 773 million user records. In addition to the leaked email addresses, the database included around 11 million passwords. Initially, Hunt found the 83 gigabyte file stored on the MEGA cloud service. After being taken down from that system, the file remained online for some time on a popular hacking forum.

This megaleak is particularly dangerous due to its extreme size. By feeding the data into automated login tools, attackers can carry out millions of attempts to gain entry to users’ online accounts. Any casual internet user who reused the same password across multiple sites could find themselves hit by multiple attacks.

While how and when the data was initially stolen have yet to be determined, researchers have confirmed that it comes from multiple sources and that the data was fed into the database over the course of numerous hacks. Anyone interested in seeing whether they themselves have been affected should check by visiting https://haveibeenpwned.com.
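The password-reuse risk described above can be checked without ever handing a password to a third party. The Python below is an added example, not code from Blockpass or from Have I Been Pwned: it models the hash-prefix (k-anonymity) range lookup that the Pwned Passwords service uses, in which the client hashes the password with SHA-1 and sends only the first five hex characters, receiving every matching hash suffix with its breach count. The corpus, its counts, and the account list are constructed stand-ins; the `serve_range` function simulates the remote service locally.

```python
"""Offline model of a k-anonymity breached-password check and a reuse audit.

Added example (not part of the Blockpass report). The corpus below is
constructed: a handful of passwords with invented counts standing in for a
real breach list such as Collection #1.
"""
import hashlib
from collections import defaultdict
from typing import Dict, List, Tuple


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1, the digest the range scheme is built on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed stand-in corpus: password -> invented number of breach sightings.
# A real service never exposes this table; it only answers prefix queries.
_CONSTRUCTED_LEAKS = {"password": 1000, "123456": 2000, "letmein": 300}


def build_range_index(leaks: Dict[str, int]) -> Dict[str, List[Tuple[str, int]]]:
    """Bucket each leaked hash by its first five hex characters."""
    index: Dict[str, List[Tuple[str, int]]] = defaultdict(list)
    for pw, count in leaks.items():
        h = sha1_hex(pw)
        index[h[:5]].append((h[5:], count))
    return index


_RANGE_INDEX = build_range_index(_CONSTRUCTED_LEAKS)


def serve_range(prefix: str) -> str:
    """Simulated server side: answer a 5-char prefix with 'SUFFIX:COUNT' lines.

    Only the prefix reaches this function, so the server learns neither the
    password nor its full hash; the client does the final match locally.
    """
    rows = _RANGE_INDEX.get(prefix.upper(), [])
    return "\r\n".join(f"{suffix}:{count}" for suffix, count in rows)


def parse_range_response(body: str) -> Dict[str, int]:
    """Client side: turn the response text into {suffix: count}."""
    out: Dict[str, int] = {}
    for line in body.splitlines():
        if ":" not in line:
            continue
        suffix, count = line.split(":", 1)
        out[suffix.strip().upper()] = int(count)
    return out


def breach_count(password: str) -> int:
    """How often the password appears in the corpus (0 if never), while
    transmitting no more than 5 hex characters of its hash."""
    h = sha1_hex(password)
    prefix, suffix = h[:5], h[5:]
    bucket = parse_range_response(serve_range(prefix))
    return bucket.get(suffix, 0)


def audit_reuse(accounts: Dict[str, str]) -> List[Tuple[List[str], int]]:
    """Given {site: password}, report every password that is both reused
    across sites and present in the corpus: exactly the combination that
    credential stuffing exploits. Returns [(sorted sites, breach_count)]."""
    by_hash: Dict[str, List[str]] = defaultdict(list)
    for site, pw in accounts.items():
        by_hash[sha1_hex(pw)].append(site)
    findings: List[Tuple[List[str], int]] = []
    for sites in by_hash.values():
        if len(sites) < 2:
            continue  # a single use of a breached password is a weaker signal
        count = breach_count(accounts[sites[0]])
        if count:
            findings.append((sorted(sites), count))
    return sorted(findings)


if __name__ == "__main__":
    # Constructed account list for the demo.
    demo = {
        "mail": "password",
        "bank": "password",
        "forum": "letmein",
        "shop": "a-long-unique-passphrase-42",
    }
    for sites, count in audit_reuse(demo):
        print(f"reused breached password across {sites} (seen {count} times)")
```

In the demo, `mail` and `bank` share a password that sits in the corpus and are reported together, while `forum` uses a breached password only once and `shop` uses one the corpus has never seen. Against the real service the only change is replacing `serve_range` with an HTTPS request for the five-character prefix; the matching step stays on the client.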

Sources:
https://www.troyhunt.com/the-773-million-record-collection-1-data-reach/
https://www.wired.com/story/collection-one-breach-email-accounts-passwords/

Ascension | United States | >24,000,000
On January 23rd it was reported by journalist Zack Whittaker of Techcrunch that more than ten years of mortgage records had been exposed on a server maintained by Ascension, a data analytics company that specializes in the financial industry. The security breach included the records of more than 24,000,000 mortgages obtained or applied for in the United States over the last decade. Records include intimate financial details such as loan and mortgage agreements, payment schedules, and tax documents.

Techcrunch’s investigation found that the records - which were saved in a database that was not password protected - were gathered as a result of banks using Ascension’s document digitization service. The general counsel of Ascension’s parent company, Rocktop Partners, has confirmed the incident.

Sources:
https://techcrunch.com/2019/01/23/financial-files/
https://www.housingwire.com/articles/47992-millions-of-sensitive-mortgage-documents-exposed-in-massive-data-breach

Twitter | Worldwide | 10s of Millions
On January 17th social-media platform Twitter revealed on its website that a software issue had potentially leaked the tweets of tens of millions of its users. According to Twitter’s official statement, a bug was fixed on January 14th which had apparently been causing user data to be sent out without permission. The bug, which affected Android users who had updated their profile or settings at any time since November 3rd, 2014, disabled the “Protect Your Tweets” security feature, even if it had been enabled by the user.

Normally, the “Protect Your Tweets” feature restricts the visibility of a user’s tweets only to those Twitter accounts that they had followed. During the more than four years that the bug was in effect, these tweets were visible to all Twitter users. Security-conscious Twitter users have been left wondering what the point of the privacy settings is at all.

Not surprisingly, certain national governments have taken note, particularly in the European Union, where the bug likely constituted a violation of GDPR. A probe has already been announced by the Irish Data Protection Authority. Penalties could reach as much as four percent of the company’s revenue.

Sources:
https://thehill.com/policy/cybersecurity/427028-irish-data-protection-authority-reveals-probe-into-twitter-data-breach
https://www.theverge.com/2019/1/17/18187143/twitter-bug-android-protected-tweets-turned-off

State Bank of India | India | 10s of Millions
An unsecured server owned by the State Bank of India, the largest bank in that country, this month gave wrongdoers access to potentially tens of millions of customers’ data. On January 27, it was reported by Techcrunch that a Mumbai-based server, which hosted the bank’s text message and call-based support systems, had been left fully accessible without password protection.

The server was responsible for holding data regarding bank accounts that was requested by customers. SBI is a Fortune 500 company with hundreds of millions of customers. The server has now been secured but the banking information of potentially many millions has already been exposed, and potentially tens of millions of identities have been stolen.

Source:
https://techcrunch.com/2019/01/30/state-bank-india-data-leak/

BlankMediaGames | Worldwide | 8,000,000
At the start of the month the security researchers at DeHashed received a tip from an anonymous sender providing evidence of access to a server containing the personal data of players of BlankMediaGames’ popular browser-based game, Town of Salem. The vulnerable database included usernames, emails, passwords, addresses, payment information, and game activity.

Certain users who had paid for premium features had had their billing information, apart from credit card numbers, leaked. The database included 8,388,894 rows and 7,633,234 unique email addresses.
BlankMediaGames finally made an official statement a few days after being contacted by DeHashed and announced that they had re-secured their server.

Source:
https://blog.dehashed.com/town-of-salem-blankmediagames-hacked/

Bannerbit | Worldwide | 213,415
At the beginning of the month, the security researchers at Have I Been Pwned were tipped off by a third party to a large breach coming from Bannerbit.com, a marketing platform that auctions off access to the contact information of potential clients. The leaked database includes 213,415 email addresses and plain text passwords.

The security researchers made multiple attempts to contact Bannerbit but have not received a reply. No official statement has been made and it is unclear whether there will be any legal repercussions.

Source:
https://haveibeenpwned.com/PwnedWebsites

Binance, Bitfinex, Poloniex et al | Worldwide | 100,000
On January 20th, it was reported by the journalists at CCN that a massive amount of KYC data was up for sale on the darknet. As early as July 2018, an anonymous user under the pseudonym ExploitDOT had made a post claiming to have hacked into databases containing the identity data of the users of several major cryptocurrency exchanges, including Binance, Bitfinex, and Poloniex.

Allegedly, the stolen data includes hundreds of thousands of images of passports and national IDs, as well as high resolution selfie images of exchange users. There is some indication that the data was “dumped” by a third-party KYC provider after having succumbed to a security breach.

Sources:
https://www.ccn.com/hacked-customer-data-from-world-leading-cryptocurrency-exchanges-for-sale-on-the-dark-web/
https://www.theblockcrypto.com/2019/01/21/a-darknet-vendor-is-allegedly-selling-images-and-data-associated-with-crypto-exchange-identity-verification-processes/

Ministry of Health | Singapore | 14,200
Singapore is proud of its “smart nation,” where data about all its citizens is easily accessible through the use of smart ID cards, and where all identity information is centrally stored in the databases of government ministries. That being said, on January 28th it was reported by the New York Times that the Singaporean Ministry of Health had unwittingly released the medical records of 14,200 individuals who had tested positive for HIV.

The ministry claims that the leaked data has not “emerged in any form” online and that the perpetrator is known to them, though conflicting reports have been made as to who the wrongdoer was. Access to the data has apparently been disabled by the authorities. However, in Singapore, where homosexual intercourse is still illegal, any information coming out could have disastrous consequences for victims, even though HIV can be contracted by anyone of any orientation.

Sources:
https://www.nytimes.com/2019/01/28/world/asia/singapore-hiv-records.html?module=inline
https://www.nytimes.com/2019/01/29/world/asia/singapore-data-breach-hiv.html

Airbus | European Union | Thousands
In a press release dated January 30th, 2019, Airbus announced that their information systems had succumbed to a cyber attack. Airbus security teams have been able to determine that the contact and IT identification details of a number of employees located in Europe had been leaked. The press release claims that no impact is to be expected for its commercial operations. Airbus stated that the company is now in contact with European regulatory authorities, pursuant to the General Data Protection Regulation (GDPR).

Source:
https://www.airbus.com/content/dam/corporate-topics/publications/press-release/EN-Airbus-Cyber-Security-Statement.pdf