In December 2018, the mapping website Mappery suffered a data breach that exposed over 205k unique email addresses. The incident also exposed usernames, the geographic location of the user and passwords stored as unsalted SHA-1 hashes. No response was received from Mappery when contacted about the incident.
In December 2018, the Slovak website for watching movies online for free Bombuj.eu suffered a data breach. The incident exposed over 575k unique email addresses and passwords stored as unsalted MD5 hashes. No response was received from Bombuj.eu when contacted about the incident.
On an unknown date in approximately 2017, the Indian training and assessment service known as Hub4Tech suffered a data breach via a SQL injection attack. The incident exposed almost 37k unique email addresses and passwords stored as unsalted MD5 hashes. No response was received from Hub4Tech when contacted about the incident.
In October and November 2018, security researcher Bob Diachenko identified several unprotected MongoDB instances believed to be hosted by a data aggregator. Containing a total of over 66M records, the owner of the data couldn’t be identified but it is believed to have been scraped from LinkedIn hence the title “You’ve Been Scraped”. The exposed records included names, both work and personal email addresses, job titles and links to the individuals’ LinkedIn profiles.
In April 2018, the ad management platform known as AerServ suffered a data breach. Acquired by InMobi earlier in the year, the AerServ breach impacted over 66k unique email addresses and also included contact information and passwords stored as salted SHA-512 hashes. The data was publicly posted to Twitter later in 2018 after which InMobi was notified and advised they were aware of the incident.
In approximately mid-2016, the Italian-based service for creating forums known as ForumCommunity suffered a data breach. The incident impacted over 776k unique email addresses along with usernames and unsalted MD5 password hashes. No response was received from ForumCommunity when contacted.
In November 2018, the Minecraft modpack platform known as Technic suffered a data breach. Technic promptly disclosed the breach and advised that the impacted data included over 265k unique users’ email and IP addresses, chat logs, private messages and passwords stored as bcrypt hashes with a work factor of 13. Technic self-submitted the breach to HIBP.
The parent firm of bling retailers Jared and Kay Jewelers has fixed a bug in the Web sites of both companies that exposed the order information for all of their online customers.
In mid-November 2018, KrebsOnSecurity heard from a Jared customer who found something curious after receiving a receipt via email for a pair of earrings he’d just purchased as a surprise gift for his girlfriend.
Dallas-based Web designer Brandon Sheehy discovered that slightly modifying the link in the confirmation email he received and pasting that into a Web browser revealed another customer’s order, including their name, billing address, shipping address, phone number, email address, items and total amount purchased, delivery date, tracking link, and the last four digits of the customer’s credit card number.
Sheehy said after discovering the weakness, his mind quickly turned to the various ways that crooks might exploit it.
“My first thought was they could track a package of jewelry to someone’s door and swipe it off their doorstep,” he said. “My second thought was that someone could call Jared’s customers and pretend to be Jared, reading the last four digits of the customer’s card and saying there’d been a problem with the order, and if they could get a different card for the customer they could run it right away and get the order out quickly. That would be a pretty convincing scam. Or just targeted phishing attacks.”
Concerned that his own information was similarly exposed, Sheehy contacted Jared parent company Signet Jewelers and asked them to fix the data exposure. When several weeks passed and Sheehy could still view his information and that of other Jared customers, he reached out to KrebsOnSecurity.
Scott Lancaster, chief information security officer at Signet, said the company did fix the problem for all future orders shortly after receiving a customer’s complaint. But Lancaster said Signet neglected to remedy the data exposure for all past orders until contacted by KrebsOnSecurity.
“When a customer first brought this matter to our attention in early November, we fixed it for all new orders going forward,” Lancaster said. “But we didn’t notice at the time that this applied to all past orders as well as future orders.”
Lancaster said the problem affected only orders made online through jared.com and kay.com, and that the weakness was not present on the sites of the company’s other jewelry brands, such as Zales and Piercing Pagoda.
Data exposures like these are some of the most common yet preventable for online retailers. In July, identity theft protection service LifeLock corrected an information disclosure flaw that exposed the email address of millions of subscribers. And in April 2018, PaneraBread.com remedied a weakness exposing millions of customer names, email and physical addresses, birthdays and partial credit card numbers.
Sheehy said he’s glad Signet has fully fixed the bug, but said he was annoyed that it seems like many companies fail to address or even acknowledge such failures unless and until they’re confronted by the news media.
“Being a Web developer, the only thing I can chalk this up to is complete incompetence, and being very lazy and indifferent to your customers’ data,” he said. “This isn’t novel stuff, it’s basic Web site security.”
We don’t yet know the root cause(s) that forced Marriott this week to disclose a four-year-long breach involving the personal and financial information of 500 million guests of its Starwood hotel properties. But anytime we see such a colossal intrusion go undetected for so long, the ultimate cause is usually a failure to adopt the most important principle in cybersecurity defense that applies to both corporations and consumers: Assume you are compromised.
For companies, this principle means accepting the notion that it is no longer possible to keep the bad guys out of your networks entirely. This doesn’t mean abandoning all tenets of traditional defense, such as quickly applying software patches and using technologies to block or at least detect malware infections.
It means accepting that despite how many resources you expend trying to keep malware and miscreants out, all of this can be undone in a flash when users click on malicious links or fall for phishing attacks. Or a previously unknown security flaw gets exploited before it can be patched. Or any one of a myriad other ways attackers can win just by being right once, when defenders need to be right 100 percent of the time.
The companies run by leaders and corporate board members with advanced security maturity are investing in ways to attract and retain more cybersecurity talent, and arranging those defenders in a posture that assumes the bad guys will get in.
This involves not only focusing on breach prevention, but at least equally on intrusion detection and response. It starts with the assumption that failing to respond quickly when an adversary gains an initial foothold is like allowing a tiny cancer cell to metastasize into a much bigger illness that — left undetected for days, months or years — can cost the entire organism dearly.
The companies with the most clueful leaders are paying threat hunters to look for signs of new intrusions. They’re reshuffling the organizational chart so that people in charge of security report to the board, the CEO, and/or chief risk officer — anyone but the Chief Technology Officer.
They’re constantly testing their own networks and employees for weaknesses, and regularly drilling their breach response preparedness (much like a fire drill). And, apropos of the Marriott breach, they are finding creative ways to cut down on the volume of sensitive data that they need to store and protect.
Likewise for individuals, it pays to accept two unfortunate and harsh realities:
Reality #1: Bad guys already have access to personal data points that you may believe should be secret but which nevertheless aren’t, including your credit card information, Social Security number, mother’s maiden name, date of birth, address, previous addresses, phone number, and yes — even your credit file.
Reality #2: Any data point you share with a company will in all likelihood eventually be hacked, lost, leaked, stolen or sold — usually through no fault of your own. And if you’re an American, it means (at least for the time being) your recourse to do anything about that when it does happen is limited or nil.
Marriott is offering affected consumers a year’s worth of service from a company owned by security firm Kroll that advertises the ability to scour cybercrime underground markets for your data. Should you take them up on this offer? It probably can’t hurt as long as you’re not expecting it to prevent some kind of bad outcome. But once you’ve accepted Realities #1 and #2 above it becomes clear there is nothing such services could tell you that you don’t already know.
Once you’ve owned both of these realities, you realize that expecting another company to safeguard your security is a fool’s errand, and that it makes far more sense to focus instead on doing everything you can to proactively prevent identity thieves, malicious hackers or other ne’er-do-wells from abusing access to said data.
This includes assuming that any passwords you use at one site will eventually get hacked and leaked or sold online (see Reality #2), and that as a result it is an extremely bad idea to re-use passwords across multiple Web sites. For example, if you used your Starwood password anywhere else, that other account you used it at is now at a much higher risk of getting compromised.
By the way, if you are the type of person who likes to re-use passwords, then you definitely need to be using a password manager, which helps you pick and remember strong passwords/passphrases and essentially lets you use the same strong master password/passphrase across all Web sites.
The “assume you’re compromised” philosophy involves freezing your credit files with the major credit bureaus, and regularly ordering free copies of your credit file from annualcreditreport.com to make sure nobody is monkeying with your credit (except you).
It means planting your flag at various online services before fraudsters do it for you, such as at the Social Security Administration, U.S. Postal Service, Internal Revenue Service, your mobile provider, and your Internet service provider (ISP).
Assuming compromise means placing very little trust or confidence in anything that comes to you via email. In the context of this Marriott/Starwood breach, for example, consider all the data points that attackers may now have to make a phishing or malware attack more likely to be successful: Your Starwood account number, your address, phone number, email address, passport number, dates and times of your reservations, and credit card information.
How hard would it be for someone to craft an email that warns of a problem with a recent reservation or with your Starwood account, urging you to click a booby trapped link or attachment to learn more? Now imagine that such targeted emails can come from any brand with whom you’ve done business (for a refresher, see Reality #2 above).
Assuming you’re compromised means beefing up your passwords by adopting more robust multi-factor authentication — and perhaps even transitioning away from SMS/text messages for multifactor toward more secure app- or key-based options.
If the advice above sounds inconvenient, unfair and expensive for all involved, congratulations: You are well on your way to internalizing Realities #1 and #2. For better or worse, being a savvy consumer means constantly having to make difficult trade-offs between security, privacy, and convenience.
Oh, and you generally only get to pick two out of three of these qualities. Same goes for the trio of high-speed, high-quality, and low-cost. Or good, fast, and cheap. Again, pick two. You get the idea.
Unfortunately, these transactions become even more lopsided and difficult to weigh when one party to them always selects the same trade-off (e.g., fast, low-cost, and convenient). Right now, it sure seems like there aren’t a lot of consequences when huge companies that ought to know better screw up massively on security, leaving consumers and their paying customers to clean up the mess.
I don’t know how many more big-time privacy and security debacles we need to convince our nation’s leaders that perhaps we should enshrine in law some basic standards of care for how companies handle and secure consumer data, and what rights and expectations consumers should have when companies fail to meet those standards. Because it’s clear that unless and until this happens, some subset of businesses out there will continue to make the most expedient and short-sighted trade-offs available to them, regardless of the impact to their customers and the public at large.
On this point, as with many others related to Internet security and privacy, I found it hard to argue with the opinion of my home state Senator Mark Warner (D-Va.), who observed:
“It seems like every other day we learn about a new mega-breach affecting the personal data of millions of Americans. Rather than accepting this trend as the new normal, this latest incident should strengthen Congress’ resolve. We must pass laws that require data minimization, ensuring companies do not keep sensitive data that they no longer need. And it is past time we enact data security laws that ensure companies account for security costs rather than making their consumers shoulder the burden and harms resulting from these lapses.”
Hospitality giant Marriott today disclosed a massive data breach exposing the personal and financial information on as many as a half billion customers who made reservations at any of its Starwood properties over the past four years.
Marriott said the breach involved unauthorized access to a database containing guest information tied to reservations made at Starwood properties on or before Sept. 10, 2018, and that its ongoing investigation suggests the perpetrators had been inside the company’s networks since 2014.
Marriott said the intruders encrypted information from the hacked database (likely to avoid detection by any data-loss prevention tools when removing the stolen information from the company’s network), and that its efforts to decrypt that data set was not yet complete. But so far the hotel network believes that the encrypted data cache includes information on up to approximately 500 million guests who made a reservation at a Starwood property.
“For approximately 327 million of these guests, the information includes some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest account information, date of birth, gender, arrival and departure information, reservation date and communication preferences,” Marriott said in a statement released early Friday morning.
Marriott added that customer payment card data was protected by encryption technology, but that the company couldn’t rule out the possibility the attackers had also made off with the encryption keys needed to decrypt the data.
The hotel chain did not say precisely when in 2014 the breach was thought to have begun, but it’s worth noting that Starwood disclosed its own breach involving more than 50 properties in November 2015, just days after being acquired by Marriott. According to Starwood’s disclosure at the time, that earlier breach stretched back at least one year — to November 2014.
Back in 2015, Starwood said the intrusion involved malicious software installed on cash registers at some of its resort restaurants, gift shops and other payment systems that were not part of the its guest reservations or membership systems.
However, this would hardly be the first time a breach at a major hotel chain ballooned from one limited to restaurants and gift shops into a full-blown intrusion involving guest reservation data. In Dec. 2016, KrebsOnSecurity broke the news that banks were detecting a pattern of fraudulent transactions on credit cards that had one thing in common: They’d all been used during a short window of time at InterContinental Hotels Group (IHG) properties, including Holiday Inns and other popular chains across the United States.
It took IHG more than a month to confirm that finding, but the company said in a statement at the time it believed the intrusion was limited to malware installed at point of sale systems at restaurants and bars of 12 IHG-managed properties between August and December 2016.
In April 2017, IHG acknowledged that its investigation showed cash registers at more than 1,000 of its properties were compromised with malicious software designed to siphon customer debit and credit card data — including those used at front desks in certain IHG properties.
Marriott says its own network does not appear to have been affected by this four-year data breach, and that the investigation only identified unauthorized access to the separate Starwood network.
Starwood hotel brands include W Hotels, St. Regis, Sheraton Hotels & Resorts, Westin Hotels & Resorts, Element Hotels, Aloft Hotels, The Luxury Collection, Tribute Portfolio, Le Méridien Hotels & Resorts, Four Points by Sheraton and Design Hotels that participate in the Starwood Preferred Guest (SPG) program.
Marriott is offering affected guests in the United States, Canada and the United Kingdom a free year’s worth of service from WebWatcher, one of several companies that advertise the ability to monitor the cybercrime underground for signs that the customer’s personal information is being traded or sold.
The breach announced today is just the latest in a long string of intrusions involving credit card data stolen from major hotel chains over the past four years — with many chains experiencing multiple breaches. In October 2017, Hyatt Hotels suffered its second card breach in as many years. In July 2017, the Trump Hotel Collection was hit by its third card breach in two years.
In Sept. 2016, Kimpton Hotels acknowledged a breach first disclosed by KrebsOnSecurity. Other breaches first disclosed by KrebsOnSecurity include two separate incidents at White Lodging hotels; a 2015 incident involving card-stealing malware at Mandarin Oriental properites; and a 2015 breach affecting Hilton Hotel properties across the United States.
This is a developing story, and will be updated with analysis soon.
Our Standard Office Hours
Monday – Friday: 8:00AM – 5:00PM EDT
Saturday – Sunday: Closed
Where to Find Us
Data Privacy Notice
- – All product names, logos, and brands are property of their respective owners.
- – The use of these names, logos, and brands is for identification purposes only and does not imply endorsement.
- – Content syndication and aggregation of public information is solely for the purpose of identifying information security trends, all syndicated content contains source links to the content creator website. All content is owned by it’s respective content creators.
- – If you are an owner of some content and want it to be removed, please email email@example.com