(In)Secure digest: default passwords, sensitive info for free, and phisher salary.
12.02.2021
Come visit us, your Nissan
What happened: The source code and internal tools of the Japanese automaker Nissan became publicly available. The leak includes the source code of Nissan's mobile apps, market research tools, customer search and retention data, and important components of its diagnostic systems. Nissan's confidential data was actively distributed through hacker forums and Telegram channels.
Who is to blame: The weak point turned out to be a Git server exposed to the internet and accessible with the default username and password pair admin/admin. The automaker has confirmed the leak and is investigating the incident. The damage caused by employee negligence has yet to be estimated.
“If there's a password, we didn't get it.”
What happened: The data of more than 11 million Instagram accounts, 66 million LinkedIn profiles, and 81 million Facebook accounts leaked onto the web. The total volume of compromised data, including users' phone numbers and email addresses, amounted to 408 GB.
Who is to blame: The culprit is the Chinese company Socialarks, whose business is managing content for social networks. Socialarks specialists did not bother to protect their Elasticsearch server with encryption, nor did they set a password on it.
To be honest, this is not the first time Socialarks has neglected the basics of information security. Last summer it did the same thing and exposed the data of 150 million users of the same social networks.
Pay your electricity bills
What happened: The British company People’s Energy suffered a serious cyber attack in which its entire customer database was stolen. The database contained sensitive personal details on all 270,000 of its customers:
- customer names,
- addresses,
- phone numbers,
- dates of birth,
- People's Energy account numbers,
- tariff information and the identification numbers of gas and electricity meters.
In a small number of cases (0.1%), customers' financial data was also compromised. The company provided its customers with detailed instructions on how to guard against possible fraud.
Who is to blame: According to People's Energy, it was just "unfavorable circumstances". To investigate the details, the company hired an external cybersecurity firm. People's Energy advises its customers not to click on links in suspicious emails (especially those that appear to come from People's Energy) and not to respond to messages and calls from unfamiliar numbers. Nevertheless, customers are assured that there is no need to block their accounts, since account passwords were not compromised.
What happened: The UN Environment Programme exposed more than 100,000 employee records.
Who is to blame: The UN left a number of subdomains unattended, including ilo.org, where user credentials were stored without adequate protection. These subdomains let anyone interested log into a database containing information on 102,000 UN employees, their projects, business trip details, grants, and more. Luckily, pentesters from Sakura Samurai were the first to find the vulnerability.
The Italian Job
What happened: Ho Mobile, an Italian mobile operator owned by Vodafone, confirmed a massive data breach affecting roughly 2.5 million customers. The leak was discovered before the New Year, when the database was put up for auction on the darknet.
Who is to blame: Ho Mobile attributes the leak to a cyberattack but has not disclosed the details, as the case is being investigated by law enforcement. Ho Mobile is now offering to replace the SIM cards of all affected customers free of charge, on request. This is unlikely to solve the problem, though, since the attackers stole personal data including full names, telephone numbers, social security numbers, email addresses, dates and places of birth, nationality, and home addresses.
“A million-dollar” newcomer
What happened: The United States Department of Justice fined Ticketmaster $10 million for industrial espionage. The company made several attempts to obtain the data of its competitor CrowdSurge, and succeeded.
Who is to blame: A former CrowdSurge employee recently hired by Ticketmaster. The manager brought with him CrowdSurge's trade secrets and the passwords to his former employer's databases, all despite having signed an NDA and a non-compete clause before leaving.
Price of love
What happened: A British citizen lost access to a bitcoin wallet holding 7,500 bitcoins, which he acquired in 2009. By January 2021 they were worth $258 million.
Who is to blame: One version blames his private life. In 2013 the man was dating a woman who hated the noise of the running mining rig and demanded that he stop mining. The disgruntled boyfriend threw away the hardware, including the hard drive that held the key to the bitcoin wallet. Another version is simpler: he may have thrown the drive away while cleaning out his office.
The story resurfaced this year when the Briton turned to local officials for help. To find the drive, he offered to dig through the city's entire landfill, promising the city 25% of the lost bitcoins' value (more than $70 million today) in return.
What happened: Hackers stole about $139,000 from a construction company in the town of Yalutorovsk. The money was transferred to fraudulent cards as salary payments and withdrawn from ATMs.
Who is to blame: Shortly before the incident, the chief accountant opened an email containing malware. The attackers accessed her computer remotely and made the transfer.
The police found one of the hackers within a month. Although he returned what he had stolen, with interest ($158,000), he faces a 10-year sentence for fraud in the IT sphere committed by a group of persons by prior conspiracy on an especially large scale.
What happened: A Habr blog user gained access to the internal network of Russian Railways, reported it to the company, and then helped fix the vulnerabilities.
Who is to blame: Getting into the internal network was easy through a router that had no password. From there, the researcher reached more than 20,000 cameras at train stations and company offices, as well as IP phones, servers and network devices. He found that many of them still had factory default passwords, and that there were practically no security controls inside the corporate network.
After the hack was published, Russian Railways specialists contacted the author and used his advice to close the security gaps. The company's press service, however, publicly condemned the "illegal access to information systems and the publication of data related to information security in open sources." Russian Railways also emphasised that the vulnerability did not lead to a leak of passenger data and posed no threat to rail traffic safety.
Information security tip of the month: A new year has come, but the pains of information security are old: behind every vulnerability is the same human factor, error and negligence. You may think you have prepared for everything in your company, but reading news like this again and again makes you nervous: what if you overlooked an open port? Fortunately, the checking can be delegated to security systems: let automation look for "resurrected" accounts of dismissed employees, logins with default passwords, unprotected hosts and intrusion attempts (even when there is a well-meaning researcher on the other side). A SIEM works across the entire infrastructure in real time, 24/7. Moreover, the first 30 days are free. Install it and wait calmly for spring to come.