It's time to find out what happened in the field of information security in January. In this Digest, you’ll find the most notable data breaches from the last month.
What happened: Seven Texas Health and Human Services Commission employees were stealing government benefits.
How it happened: Between 2021 and 2024, seven insiders at the Texas Health and Human Services Commission stole state benefits. Each was exposed and fired for illegally accessing the accounts of public assistance recipients and for fraud.
The Texas Health and Human Services Commission is a US government agency that issues benefits to citizens in need. Most often, benefits are paid into bank accounts or onto electronic cards issued in the applicants' names when they apply.
Commission employees enter and transmit citizens' information in the system, and can look up and change the PIN codes and other details of the issued cards. Because there were no controls over how this data was handled, some employees changed the data in the system in their own favour.
For example, two employees were fired after they stole $270,000 from 500 accounts that received government benefits. Another employee was fired for violating the information security policy by transferring other citizens' information from the state information system to his personal email.
The rest of the insiders were doing roughly the same thing. All of them were exposed and fired. Some of them will not only have to find new jobs but will also have to stand trial. As the investigation is ongoing, the exact damage and the number of victims have not yet been disclosed.
At least 60,000 people were affected in the latest incident, the Texas Attorney General's Office reported on 6 January.
What happened: two high-profile incidents involving compromised credentials for internal resources became known.
How it happened: two major companies were hacked: the Spanish telecoms operator Telefónica and the cloud-based hotel management software developer Otelier.
Telefónica confirmed the breach of its internal ticketing system after the stolen data was published on a hacker forum. The attackers stated that the ticketing system in question is the company's internal Jira server. The hackers gained access to it using leaked credentials.
A total of 2.3GB of tickets, documents and other data was leaked. In response, the company launched an investigation and reset passwords on compromised accounts.
In the second case, the attackers used the same method to infiltrate Otelier's corporate server and from there reached Amazon S3 cloud storage. As a result, they gained access to 8 TB of data, including both the developer's corporate documents and data from the service's client hotels: from internal regulations to guests' personal information.
The leaked data belonged to the largest hotel chains: Hyatt, Hilton, and others. For example, there was so much Marriott data that the hackers could not work out who actually owned the compromised storage and demanded a ransom from Marriott rather than Otelier.
After the incident, Have I Been Pwned indexed 437,000 unique email addresses associated with the leak. At the same time, Troy Hunt, the founder of the service, received far more data: a reservations table with 39 million rows and a users table with 212 million. The company is now contacting the victims, investigating the incident, and says that the unauthorised access has been stopped.
By the way, in January there was another incident related to the hotel business and passwords. Or rather, their absence. More than 24 million records with tourists' personal data were sitting on a server without a password. The potentially leaked data included names, email addresses, phone numbers, dates of birth, information about hotel stays, and more. The owner of the database has not yet been confirmed, but experts attribute it to Honotel.
What happened: experts reported cases of dangerous equipment purchased on marketplaces.
How it happened: the media reported that devices bought on marketplaces may be infected with infostealers and other malware. This has happened before, but previously with second-hand devices.
In addition, in January a social network user reported a similar problem with an RJ45 adapter he had bought on AliExpress. Some users argued that the author of the post was mistaken and the problem lay only with the driver, while others insisted that the problem could be much bigger.
What happened: fraudsters used Google Ads contextual targeting for phishing.
How it happened: in January, two news stories appeared at once about fraud committed with the help of an advertising tool.
Firstly, unknown attackers distributed infostealers through advertising. The bait was a phishing site that looked like the web resource of the open-source utility Homebrew.
In the search engine, the legitimate URL (brew[.]sh), page description and favicon (the site's icon in search results) were displayed in the 'Sponsored' advertising box, but after clicking on it the victim was redirected to the fraudulent brewe[.]sh. As a result, the AmosStealer infostealer was downloaded instead of the legitimate software.
Secondly, fraudsters stole credentials for personal Google Ads accounts. They used phishing sites, as in the Homebrew case, but this time the site masqueraded as a Google Ads account page. Once the data was entered, it was sent to the attackers.
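The Homebrew case above turns on a mismatch between the domain an ad displays and the domain the click actually lands on. As an added illustration (not code from the digest, from Homebrew or from any vendor), here is a small allowlist check that flags a landing domain one or two edits away from a trusted one; the TRUSTED_DOMAINS allowlist and the URLs are constructed assumptions.

```python
"""Flag landing domains that look like, but are not, a trusted domain.

Constructed example: in the Homebrew malvertising case the ad showed brew.sh
while the click landed on brewe.sh, one edit away.
"""
from urllib.parse import urlsplit

# Hypothetical allowlist of domains an organisation expects downloads to come from.
TRUSTED_DOMAINS = {"brew.sh", "github.com"}


def registered_domain(url: str) -> str:
    """Return the lower-cased host of a URL (no public-suffix logic, by design)."""
    host = urlsplit(url if "://" in url else "https://" + url).hostname or ""
    return host.lower().rstrip(".")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance via a two-row dynamic-programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_landing(displayed_url: str, landing_url: str,
                     trusted=TRUSTED_DOMAINS, max_dist: int = 2) -> str:
    """Compare the host shown in the ad with the host the click lands on.

    'ok'        -> landing host is a trusted domain or one of its subdomains
    'lookalike' -> landing host is within max_dist edits of a trusted domain
                   or of the displayed host, but is not that domain
    'untrusted' -> anything else
    """
    shown, landed = registered_domain(displayed_url), registered_domain(landing_url)
    if landed in trusted or any(landed.endswith("." + g) for g in trusted):
        return "ok"
    # The displayed text is attacker-controlled too, so compare the landing host
    # against both the allowlist and what the ad claimed to be.
    candidates = set(trusted) | {shown}
    if any(0 < edit_distance(landed, g) <= max_dist for g in candidates):
        return "lookalike"
    return "untrusted"
```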
What happened: unknown attackers leaked access details for FortiGate devices on the darknet.
How it happened: on 14 January, attackers posted VPN access credentials for FortiGate units on a hacker forum. The published file is 1.6 GB and contains IP addresses, device configuration files, VPN access credentials, private keys, and passwords in clear text.
Experts said that the leaked credentials may be related to a 2022 incident. Back then, unknown attackers exploited a zero-day vulnerability to download configuration files from FortiGate units and add malicious super_admin accounts named FortiGate-tech-support.
Once the attackers had extracted all the benefit they could from this data, they released it into the public domain, most likely to gain a reputation in the community. Despite the age of the leak, the data may still be relevant today. If you use FortiGate products, it's a good idea to check whether your data has leaked.
Insiders, hackers, and even accidental wrongdoers work seven days a week. Automation will help you fight them around the clock. For example, SearchInform SIEM automatically detects threats regardless of the time of day or whether you are at work. With the external script editor, you can set up reactions to incidents, for example blocking an account in AD if the user has repeatedly entered the wrong password. You can try the functionality of SearchInform SIEM and our other systems for free for 30 days!
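The "repeated wrong password, then block the account" reaction mentioned above is a threshold rule over a sliding window. As an added example (not SearchInform's code and not a real Windows log format), the following runs such a rule over a few constructed logon lines and returns the accounts the reaction would block; the log format, the threshold and the window are assumptions.

```python
"""Sliding-window failed-logon rule: N failures for one account within the window
raises an incident whose reaction is 'block the account'.
Constructed example; the log format below is invented for this illustration."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log lines: "<timestamp> <user> <FAIL|SUCCESS> <source ip>".
# alice: five failures in under a minute. bob: one failure, then success.
# carol: five failures spread over ~55 minutes (a slow attempt).
SAMPLE_LOG = """\
2025-01-14T09:00:01 alice FAIL 10.0.0.5
2025-01-14T09:00:09 alice FAIL 10.0.0.5
2025-01-14T09:00:20 bob FAIL 10.0.0.7
2025-01-14T09:00:31 alice FAIL 10.0.0.5
2025-01-14T09:00:40 alice FAIL 10.0.0.5
2025-01-14T09:00:52 alice FAIL 10.0.0.5
2025-01-14T09:01:10 bob SUCCESS 10.0.0.7
2025-01-14T09:30:00 carol FAIL 10.0.0.9
2025-01-14T09:45:00 carol FAIL 10.0.0.9
2025-01-14T09:59:00 carol FAIL 10.0.0.9
2025-01-14T10:12:00 carol FAIL 10.0.0.9
2025-01-14T10:25:00 carol FAIL 10.0.0.9
"""


def parse(line: str):
    ts, user, result, src = line.split()
    return datetime.fromisoformat(ts), user, result, src


def failed_logon_incidents(log_text: str, threshold: int = 5,
                           window: timedelta = timedelta(minutes=10)):
    """Return (user, time_of_nth_failure, source_ip) for every burst that crosses
    the threshold. A SUCCESS clears the account's window; after an incident the
    window is cleared too, so one burst yields one incident (one block action)."""
    recent = defaultdict(deque)
    incidents = []
    for line in log_text.splitlines():
        ts, user, result, src = parse(line)
        q = recent[user]
        if result == "SUCCESS":
            q.clear()
            continue
        q.append(ts)
        while q and ts - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            incidents.append((user, ts, src))
            q.clear()
    return incidents


def accounts_to_block(log_text: str, **rule) -> list:
    """The reaction's input: distinct accounts that raised an incident."""
    return sorted({user for user, _, _ in failed_logon_incidents(log_text, **rule)})
```

With the 10-minute window only alice is flagged; widening the window to an hour also catches carol's slow pattern, which is the trade-off to tune when wiring such a rule to an automatic block.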