(In) Secure Digest: the Unprotected Server, the Marine Data Leak and a Supply Chain Attack
14.05.2024

It's time to share our traditional monthly roundup of major IS incidents. In May's edition, we cover: the case of an unscrupulous medical company; an accidental data leak caused by a SaaS vendor; and the consequences of negligence at India's largest electronics manufacturer.

Analytical miscalculation

What happened: major US company Sisense fell victim to a cyberattack.

How it happened: on 11 April, the US Cybersecurity and Infrastructure Protection Agency (CISA) reported that a major US company, Sisense, had been hacked.

The company develops business intelligence software. Its clients include some of the world's largest enterprises: Nasdaq, Philips Healthcare, Verizon, Air Canada and others.

The incident came to light thanks to unnamed researchers. They notified CISA about the leak of Sisense customer data. A preliminary investigation revealed that critical infrastructure organizations in the US were affected. 

No other details of the incident are known yet.

The regulator's representatives advised Sisense customers to change all credentials and access tokens related to the company's tools and services. Researcher Brian Krebs later shared a Sisense message that was distributed to the private customer mailing list. In the message, company officials repeated the regulator's recommendations and confirmed the leak of customer data.

Sorry, it's open!

What happened: Microsoft left one of the internal development servers of the Bing search engine unprotected and publicly available.

How it happened: SOCRadar researchers found an unprotected and publicly available Microsoft server. It was hosted on Microsoft's Azure cloud service and stored internal information. The data set included:

  • Code
  • Scripts
  • Passwords
  • User credentials, which Microsoft employees used to access other internal systems.

Although researchers notified Microsoft of the problem on 6 February, the issue wasn’t resolved until 5 May. It is unknown whether anyone except the researchers had accessed the server, as it wasn’t password-protected. A similar case occurred earlier, in 2020.

Incognito, right?

What happened: Google will delete billions of records on users of the Chrome browser's Incognito mode.

How it happened: In 2020, a $5 billion class action lawsuit was filed against Google for collecting data on users of the Chrome browser's Incognito mode. The corporation's representatives initially wanted to seek a pre-trial settlement, but the judge denied the request. She argued that the description of the ‘Incognito’ mode didn’t fully notify users of the company's actions.

Eventually, Google reached an agreement with the plaintiffs under which the corporation would update the description on the start page of the ‘Incognito’ mode and delete some data on Incognito mode users. In addition, a spokesperson for the corporation said that the company was “happy to delete old technical data that was never associated with an individual and was never used for any form of personalization”.

Insider-style data leak

What happened: data on 7.5 million customers of Indian electronics maker boAt was leaked.

How it happened: on 5 April, a hacker using the nickname ‘ShopifyGUY’ uploaded a database of customers of the Indian company boAt to the darknet. The data set included the following customer details:

  • Names
  • Addresses
  • Phone numbers
  • Emails etc. 

The hacker claimed that the leak occurred back in March and affected 7.5 million of the company's customers.

The Indian company’s representatives said that an investigation was in progress, but didn’t reveal any details. However, according to media reports, the leak occurred due to employees’ negligence.

Initially, experts doubted the authenticity of the data, as the leaked database was valued at only $2. However, several Indian media outlets have since confirmed the authenticity of the information.

Marine hack

What happened: cybercriminals hacked yacht retailer MarineMax and gained access to sensitive information on its customers and employees.

How it happened: on 1 April, representatives of MarineMax, the world's leading yacht retailer, said that an unknown third party had gained unauthorized access to portions of the company’s information environment. As a result of the incident, some business processes were disrupted and some sensitive data, including personal details, was leaked.

The Rhysida group claimed responsibility for the attack and put the company's database up for sale for 15 BTC (roughly $1 million). As proof of authenticity, the group shared several screenshots containing the following:

  • MarineMax's financial documents
  • Employees' driving licences
  • Employees’ passports and more.

Pandas at risk 

What happened: Trading platform PandaBuy fell victim to a cyberattack that resulted in the leak of data on more than a million customers.

How it happened: On 1 April, two malicious actors, known as Sanggiero and IntelBroker, uploaded the database of major online platform PandaBuy to the darknet. The attackers managed to steal information such as:

  • Full name
  • User ID
  • Phone number
  • IP address
  • Order dates and numbers
  • Home address
  • Postcode, etc.

The hackers claimed that ‘The data was stolen by exploiting several critical vulnerabilities in the platform's API and other bugs were identified allowing access to the internal service of the website’.

The company itself has yet to comment on the leak, but PandaBuy is reportedly trying to cover up the incident by censoring user posts on Discord and Reddit.

Outsiders at home 

What happened: US retail chain The Home Depot fell victim to a supply chain attack.

How it happened: On 4 April, a hacker known as ‘IntelBroker’ uploaded The Home Depot's database to the darknet. According to the hacker's own statement, it contained corporate data on about 10,000 employees of the retail chain.

The Home Depot did not deny the leak. Company officials stated that the leak occurred due to a mistake made by the employees of one of its SaaS vendors, who inadvertently provided a small sample of data (names, emails, user IDs) about employees during system testing.

Total lack of medical confidentiality

What happened: healthcare company Cerebral was fined $7 million for sharing sensitive data.

How it happened: the US Federal Trade Commission (FTC) has fined telemedicine company Cerebral for passing sensitive customer information to third parties for advertising purposes.

According to the regulator's officials, Cerebral transferred data on more than 3 million users to platforms such as LinkedIn, Snapchat and TikTok. The data was collected via a website that used tracking apps and services. The data transmitted included:

  • Names
  • Medical information
  • Addresses
  • Phone numbers
  • Dates of birth
  • IP addresses
  • Insurance information and other details.

Let information leaks remain stories in our digests. And remember, there is human error and negligence behind every vulnerability, so to make sure you have comprehensive protection in place, set up SearchInform solutions. It's free for the first 30 days.
