Blockpass Data Breach Intelligence Report - May 2019
Over the course of May, the Blockpass Research Team analyzed 11 data breach events, chosen either for their scale, significant impact on consumers, or their implication on a global scene. This month, there was an element of uncertainty when trying to determine the largest data breach. A leak from First America Financial Corp. involved hundreds of millions of records, but the actual number of people affected is unknown; whereas the largest leak with a known amount of people affected has not been linked to any company.
Of the 11 events analyzed this month, at least two affected hundreds of millions of people, with a third event leaking almost 900 million records which are likely to have affected hundreds of millions of individuals, making the estimated minimum number of those affected - 558,484,809 individuals - potentially a very low estimate. The given 7.4% of the world population affected is more likely to be close to 10% or above. Whilst exact numbers are difficult to determine, those responsible for the unsecured databases or those that are in charge of the hacked data is also sometimes unclear. 3 of the incidents this month have not yet been linked to a company or organisation, suggesting that it was from a company that knew it was doing something wrong, or maybe even worse, that the companies involved were simply grossly negligent. Looking at the data breach events in May, a staggering number of them resulted from poor security measures - with databases left unprotected or with weak passwords. The risk of companies and organisations holding personal data continues to be seen every month when these basic failures occur. Centralised repositories of information are too dangerous to be viable; a future where people hold their own information on their own devices is Blockpass’ goal, and a much safer system than what is currently in place.
This report, for the month of May, is the seventh of our Data Breach Intelligence Reports. We encourage the Blockpass community and anyone who might be otherwise interested to let us know what kinds of information they would like to see provided in future reports by contacting us at [email protected] under the subject line “Suggestions for the blog.” Unknown | Unknown | Over 275,000,000
|# of Events Analyzed
|# of Identities Lost
|% of World Population
|Industry Hardest Hit
Indian citizens were discovered to be the victims of a significant data breach this month when security researcher Bob Diachenko found an unsecured MongoDB database that held the records of 275,265,298 individuals. Hosted on Amazon Web Services, the data revealed names, e-mail addresses, genders, dates of birth, phone numbers, educational details, professional skills, employment histories, current employers and salaries. The database owner was not identified but Diachenko was of the opinion that it could be part of a scraping operation. Although Diachenko notified the Indian Computer Emergency Response Team, the database remained online until it was deleted by a hacker group known as ‘Unistellar’ on the 8th of May, who left a message and a contact e-mail concerning the restoration of the data. Diachenko also revealed that MongoDB databases suffered in other incidents this month, with SMS text marketing company, ApexSMS Inc., leaking 80,055,125 records. Unprotected MongoDB databases also led to the exposure of 1,615,360 records from two premium streaming video platforms belonging to AMC Networks: Sundance Now and Shudder.Sources:
https://www.bleepingcomputer.com/news/security/over-275-million-records-exposed-by-unsecured-mongodb-database/https://cyware.com/news/unprotected-mongodb-database-leaks-over-80-million-records-belonging-to-an-sms-marketing-firm-apexsms-5d75d90ehttps://cyware.com/news/new-unprotected-mongodb-instance-found-leaking-over-1-million-records-of-amc-networks-20c95509 Canva | Graphic Design Tools | Over 139,000,000
Australian-based online graphic-design tool website Canva was found to have been the victim of a huge data breach this month when more than 139 million users had their personal data stolen. Reportedly occuring on the 24th of May, the data included usernames, the users’ real names, e-mail addresses and information on their location such as city and country. The company responded to the hack, stating that though some personal data had been stolen and that they were working with authorities to find out what had happened, users’ financial data was not at risk as Canva did not store that data. Sources:
https://www.cisomag.com/nearly-140-million-user-data-leaked-in-canva-hack/https://www.hackread.com/online-graphic-design-tool-canva-hacked/https://www.crn.com.au/news/canva-hacked---user-details-accessed-but-passwords-safe-525716 First America Financial Corp. | Real Estate Title Insurance | Tens to Hundreds of Millions
In what may have been the single largest this month, the American real estate title insurance company, First American Financial Corp., was found to have a leaked 885 million documents of mortgage deals via an unsecured section of its website. Using the breach, anyone was able to view the personal data on these files which stretched back as far as 2003 and included bank account numbers, bank statements, mortgage and tax records, Social Security numbers, wire transaction receipts and drivers license images. The breach was only brought to light when a real estate developer Ben Shoval contacted security news and investigation website, KrebsOnSecurity. Source:
https://krebsonsecurity.com/2019/05/first-american-financial-corp-leaked-hundreds-of-millions-of-title-insurance-records/ Various | Dating | Approximately 42,500,000
On the 25th of May, security researcher Jeremiah Fowler identified an unprotected database containing around 42.5 million records from users of dating apps. Concerning mostly American users, the personal data exposed included usernames, ages, locations, and IP addresses.The researcher reported that the database apparently held user info from multiple, supposedly unconnected dating apps: Cougardating, Christiansfinder, Mingler, Fwbs and TS. He also raised the question of why they would all store information on the same database. Attempts by the researcher to contact the owner of the database proved unfruitful. Sources:
https://securitydiscovery.com/chinese-dating-apps/https://cyware.com/news/unprotected-database-exposes-almost-425-million-records-from-chinese-dating-apps-bb4950a4 Ladders | Job Recruitment | Over 13,700,000
A US-based job recruitment site, Ladders, was found to have 13.7 million user records unsecured online for anyone to see. Found by a security researcher, Sanyam Jain, the data leaked records included names, e-mail addresses, employment histories, job search requirements and pay.The data in question was stored on an Elasticsearch database, hosted on Amazon, and had no password requirement to access it. The researcher informed TechCrunch, who contacted Ladders which then took the database offline and secured it. The company said they are investigating any potential data theft. Source:
https://techcrunch.com/2019/05/01/ladders-resume-leak/ Unknown | Unknown | Up to 3,895,482
The exact nature and target of this breach is currently a mystery, but on the 10th of May, Bob Diachenko - the Cyber Threat Intelligence Director and journalist at SecurityDiscovery.com who also discovered the leak that affected the 270 million Indian citizens shown above - discovered an unsecured database of potentially over 3.5 million people’s data.
The subjects of this database were Panamanian citizens, with 3,427,396 records described as ‘patients’ and a further 468,086 records described as ‘test patients’. The information on the records included full names, date of birth, national ID number, medical insurance number, phone number, e-mail address, address and various other information. Given that the population of Panama is 4.1 million, this single data breach could have affected over 95% of the entire country. Diachenko noted that once he contacted the relevant authorities, the database was quickly secured, but noted that it had been potentially unsecured since the 24th of April, with no way of telling if others had accessed it. Source:
https://securitydiscovery.com/panama-citizens-massive-data-breach/ Various | Government | Over 2,250,000
Russian government sites were found to be leaking data this month when Ivan Begtin, co-founder of Russian NGO ‘Informational Culture’, discovered a large number of sites with vulnerabilities after an investigation of multiple government online certification centers, government portals and an e-bidding platform used by government agencies. In total, this breach affected over 2.25 million Russian citizens. In carrying out this investigation, Betgin disclosed findings of 23 sites where people’s insurance account numbers were leaked, and 14 where passport information was leaked. The data included full names, job titles, places of work, e-mail addresses and tax identification numbers. Betgin provided details in blogs which he posted here: 1, 2, 3, 4.
Sources:https://www.rbc.ru/politics/29/04/2019/5cc2df569a7947c83b69b0d5https://www.zdnet.com/article/russian-government-sites-leak-passport-and-personal-data-for-2-25-million-users/ Uniqlo | Clothing | 460,000
This month it came to light that in excess of 460,000 Uniqlo customers were the victim of hackers between the 23rd of April and the 10th of May. A statement made by Fast Retailing, the company behind Uniqlo, confirmed the breach. Personal information leaked in this hack included names, addresses and contact details. Despite this, Fast Retailing has stated that credit card security codes were not at risk from this attack. Source:
https://www.cnbc.com/2019/05/14/japans-uniqlo-says-hackers-access-data-from-460000-online-accounts.html TalkTalk | Telecommunications | 4,545
It is not just current data breaches that are brought to light in these monthly reports, and the loss of customer information in this instance goes back to 2015. Telecommunication company TalkTalk was recently found not to have informed over 4500 customers of the loss of their personal data, including full names, addresses, dates of birth, customer numbers, mobile numbers and bank details. Reported to the BBC Watchdog Live by concerned viewers, the company had previously stated that the details had been secure. It is believed that the data had been online and accessible since the incident in 2015. TalkTalk has stated that these customers were misinformed due to a ‘genuine error’, but they did not believe that the information that was sufficient to lead to direct financial loss. Source:
https://www.bbc.co.uk/news/business-48351900 Singapore Red Cross | Healthcare | 4,297
On the 16th of May, the Singapore Red Cross posted a statement on their Facebook page that informed about a hack they had suffered on the 8th of May, resulting in the loss of personal details of 4,297 potential blood donors. Would-be blood donors had names, contact numbers, e-mail addresses, blood types, preferred appointment times and locations leaked. It is believed that a poor administrator password was the weakness that was exploited for access. Source:
https://www.theonlinecitizen.com/2019/05/16/singapore-red-cross-website-hacked-details-of-over-4000-potential-blood-donors-leaked/ Theta360 | Photo Sharing | Thousands
A data breach discovered on the 14th of May by Noam Rotem and Ryan Locar revealed that the Theta360, a photo sharing system run by Ricoh, had exposed in excess of 11 million photos belonging to users. Alongside the photos, usernames, first names, last names and captions for the photos were also exposed. The researchers who discovered this breach were then able to use the personal information to find users social media accounts. The researchers alerted the company and the leak was rapidly plugged. Having photographs leaked is potentially very worrying as it increases the potential for fraud when an identity can be linked to a picture. Source:
You can find a link to our previous report - for the month of April - here.