Leaked Credit Card
19.10.2022
Back to blog listLeaked Credit Card
Credit card frauds affect millions of people every year. To estimate the damage of credit card numbers leakage is not an easy task. But in 2020, the losses topped 28.58 billion US dollars. Let’s take a look at the most significant cases such as Mastercard and Twitch
Mastercard: Thousands of credit card data leaked on the net
Tens of thousands of Mastercard credit card details surfaced on the web and were available for anyone to see. The affected number was around 90,000, the participants of the "Priceless Special" bonus program whose credit card details were breached. The leaked data included credit card number, name, place of residence, postal code and e-mail address. However, the card expiration date and the check digit from the back of the card were missing. Third parties could use the credit card data to make purchases from certain retailers – those that did not request security features such as the card expiration date and check digit. Fortunately, this was the exception. And these merchants would have to be liable for misuse of the credit card. But it would be a hassle and a lot of work.
So, here's what you should do if you participated in such programs:
- Check if your card details are exposed: enter your e-mail address in the Hasso-Plattner Institute's Identity Leak Checker. This would also help to check whether you have been affected by other data leaks. A green light means with a high probability that you and your card details are safe, but there is no guarantee. If the tool fails, you should have your Mastercard blocked by your bank. Explain that you are affected by the data leak and ask for a free replacement of the card. Your bank or Mastercard will probably also contact you on their own initiative.
- Affected persons should also be increasingly on the lookout for so-called phishing to avoid exposure of credit card data and other bank data in the future. This involves fake letters and e-mails, which appear even more genuine due to the personal data. Calls from alleged bank employees are also conceivable. Never enter passwords or PINs after clicking on a link in a mail. If your bank supposedly calls, hang up and call back. Never give PIN or CVV of your credit card to the third parties.
Leaked data: Twitch denied loss of passwords and credit card details
The attackers apparently did not have access to the systems for storing login data or card details. According to Twitch, no credit card or bank data was affected either. However, the company confirmed access to its own source code.
Twitch released another statement on the security incident related to the leaked data that put the company in the headlines earlier. The gaming platform reiterated that the incident was caused by a “change in server configuration that allowed an unauthorized third party to gain unauthorized access”.
Among other things, Twitch claimed that passwords or credit card details were not exposed in the intrusion. The company commented that the systems storing Twitch credentials, hashed with bcrypt, were not accessed. Nor had full credit card numbers or banking information been compromised.
"The exposed data primarily included documents from Twitch's source code repository, as well as a subset of creators' payout data. We have thoroughly reviewed the information contained in the exposed files and are confident that only a small portion of users are affected and the impact on customers is minimal. We are contacting those affected directly," the company said.
An unknown hacker released all of Twitch's source code in a 128 GB file. This included creator payouts dating back to 2019, proprietary SDKs and internal AWS services used by Twitch, and all of the company's internal cybersecurity red-teaming tools.