, potentially exposing payment card information for people who bought plane tickets or booked hotel rooms over the course of two years. The company said it has uncovered evidence that about 880,000 payment cards were possibly affected, along with other personal information such as names, dates of birth, phone numbers, email addresses, physical and/or billing addresses and gender. The company said the evidence suggests an attacker may have accessed information stored on a legacy e-commerce platform during two periods: 1 January through 22 June 2016, and 1 October to 22 December 2017. "We determined on March 1, 2018, that there was evidence suggesting that an attacker may have accessed personal information stored on this consumer and business partner platform," the Expedia-owned site said in a media statement. "We took immediate steps to investigate the incident and enhance security and monitoring of the affected platform. To date, we do not have direct evidence that this personal information was actually taken from the platform. We deeply regret the incident, and we are committed to doing everything we can to maintain the trust of our customers and partners." Mike Schuricht, vice president of product management at Bitglass, said that the issue may have arisen as an artifact of the acquisition integration; Expedia bought the company in September 2015. "Any organization that is acquired by or is acquiring another business and its IT assets typically has a major blind spot with respect to its legacy or nonproduction systems," Schuricht said via email. "As is the case with most audits and postmortems in the event of a breach, Expedia is likely looking back at the infrastructure affiliated with its prior acquisitions, like Travelocity, to ensure all of its owned databases are not similarly impacted.
It's always a concern when an organization only becomes aware of a breach months or years after it takes place, highlighting the inadequacy of reactive security solutions and auditing processes." Orbitz is offering customers a year of free credit monitoring; Nathan Wenzler, chief security strategist at San Francisco-based security consulting company AsTech, said that more is needed. "Another day, another breach. And while the attackers show no signs of slowing down, companies really need to do more than just provide users a free year of credit monitoring services and consider their work done," he said via email. "Legacy systems are common attack points, as they are often neglected, go without updates or patches and are commonly not monitored, which gives criminals an ideal avenue to gain access and steal whatever data may be resident there. In this case, it was nearly 900,000 credit card accounts. Credit monitoring may be a nice PR gesture, but it does not absolve companies from doing their due diligence around securing legacy systems and protecting their customers' data, no matter where it lives."
Wishbone, the social media-based quiz app for teens and young adults, has been compromised, with more than 9.4 million records going up for sale on the dark web. The breach gave the attackers access to Wishbone users' usernames, any real names or nicknames provided during account registration, email addresses and telephone numbers, according to an email the company sent to users that was posted to Pastebin. According to independent researcher Troy Hunt, the data came from a MongoDB database that may have been inadvertently left open to the internet. The leak may have stemmed from a vulnerability in a Wishbone API, the company confirmed to Motherboard, one that the company says it has now closed. Parents should look through the settings of Wishbone, and of any other app their children use, to see what personal information is stored in them. And having a talk with kids about the dangers of exposing information should be at the top of the to-do list. Hunt has also loaded the leaked data into his searchable HaveIBeenPwned database, so parents can find out whether their child is affected. "Teenagers today are constantly connected, and sharing all aspects of their daily life is normal as there is a lot of peer pressure to participate in social apps," said Sanjay Kalra, co-founder and chief product officer at Lacework, a provider of cloud security solutions. "Being a parent of [a] teenager in this hyper-social environment is a scary aspect. You cannot control information once exposed. Parents should be in constant communication with their teenagers, explaining the risks associated with information sharing and training them on basics of internet security.
They should be educating them on how to use multiple strong passwords, anonymization of data and identities, and the long-term effects of having personal aspects of life in the public domain."
Three appears to have made a blunder, after customers logging into the British mobile phone company's website found themselves looking at other customers' accounts, including the names, addresses, call histories and data usage of complete strangers. The Guardian describes how one customer, Andy Fidler, found the Three app on his mobile phone wasn't working, and so decided to log into Three's website instead: "I managed to successfully download a complete stranger's phone bill. All I did was click on the link to bring up my bill. It included the name, address, how much they were paying, the phone numbers they had rung and texted." Fortunately, bank details were not accessible. He wasn't the only one to stumble across the problem, which appears to be more of a technical screw-up than a malicious hack, as posts on Three's official Facebook page reveal. A Three spokesperson says they are aware of the problem and are investigating. But one has to wonder how many customers could have been put at risk of having their private data exposed, and for how long the problem has been present. The Information Commissioner's Office has confirmed it will be "looking into this potential incident involving Three", and if it finds the company has been sloppy in securing customer details, it is unlikely to be impressed. Last November, in what appears to be an unconnected incident, Three revealed that its upgrade database had been breached, exposing the names, phone numbers, addresses and dates of birth of over 130,000 customers.
Online gaming company Reality Squared Games (R2Games) has been compromised for the second time in two years, according to records obtained by the for-profit notification service LeakBase. The hacker who shared the data with LeakBase says the attack happened earlier this month. Headquartered in Shenzhen, China, R2Games operates a number of free-to-play, micropayment-driven games on iOS and Android, as well as in modern browsers. The company currently supports 19 online games and claims over 52 million players. From December 2015, stretching into July 2016, more than 22 million R2Games accounts were compromised, exposing IP addresses, easily cracked passwords, email addresses and usernames. The company denied the breach reports at the time, telling one customer that "R2Games is safe and secured, and far from being hacked." The hacker claims all forums were compromised in the latest attack, in addition to the Russian version of r2games.com. The latest record set includes usernames, passwords, email addresses, IP addresses and other optional record fields, such as instant messenger IDs, birthday and Facebook-related details (ID, name, access token). LeakBase shared the most recent records with Troy Hunt, a security researcher and owner of the non-profit breach notification website "Have I Been Pwned?" (HIBP). Hunt checked the data by testing a small sample of email addresses and usernames against the password reset function on R2Games; every address checked was confirmed as an existing account. From there, Hunt did some number crunching. There were 5,191,898 unique email addresses in the data shared by LeakBase. However, 3,379,071 of those email addresses used mail.ar.r2games.com or mail.r2games.com, and another 789,361 looked generated, as they were all [number]@vk.com addresses.
LeakBase speculates that the r2games.com addresses are the result of registrations from third-party services. After stripping the questionable addresses, Hunt was left with 1,023,466 unique email addresses to load into HIBP. Of this set, 482,074 had been seen before in other breaches, leaving 541,392 new entries for his index, and new notifications for 1,105 subscribers. When asked about the passwords, Hunt told Salted Hash that many of them are MD5 with no salt, but a large number of them have a hash corresponding to the password "admin", and a few hundred thousand others are using the plaintext word "sync". "The observation I'd make here is that clearly, they don't seem to be learning from previous failures. The prior incident should really have been a wake-up call, and to see a subsequent breach not that long after is worrying. Perhaps the prior denials are evidence that they just don't see the seriousness in security," Hunt said, when asked his opinion about the latest R2Games data breach. Salted Hash reached out to R2Games, but the company didn't respond to questions. Emails were sent to support, as well as to recruiting and sales, on the off chance someone could direct them to the proper resources. For their part, LeakBase said that since this data breach isn't in the public domain, they will not add the records to their service and it will not be searchable. However, they do plan to email impacted users and inform them of the incident. HIBP has been updated, and those changes are live now. If you're an R2Games player, it would be wise to change your password and make sure the old password isn't used on any other websites. Also, keep an eye out for gaming-related offers and emails, as well as "notifications" from domains that aren't related to R2Games itself, as those could be scammers looking to cash in on the breach.
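As an added illustration, not part of the original article and not Hunt's or HIBP's own tooling, the following script shows the two technical points the R2Games story turns on: how a dump is triaged before it is loaded into a notification index (deduplicate, drop placeholder domains, drop generated addresses), and why unsalted MD5 offers no protection once the dump is out. The sample rows and the short wordlist are constructed for the example; the placeholder domains and the [digits]@vk.com shape follow the description above. The hardened form stores passwords with PBKDF2-HMAC-SHA256 and a per-user random salt, which is a substitute chosen here, not anything R2Games is reported to use.

```python
import hashlib
import hmac
import os
import re
from collections import Counter

# Constructed sample dump rows of the form (email, unsalted MD5 hex). None of
# this is R2Games data; the placeholder domains and the [digits]@vk.com shape
# follow the article's description.
SAMPLE_ROWS = [
    ("alice@example.com", hashlib.md5(b"admin").hexdigest()),
    ("bob@example.org", hashlib.md5(b"sync").hexdigest()),
    ("carol@example.net", hashlib.md5(b"correct horse battery staple").hexdigest()),
    ("Alice@example.com", hashlib.md5(b"admin").hexdigest()),        # same account, different case
    ("12345@mail.r2games.com", hashlib.md5(b"admin").hexdigest()),   # placeholder domain
    ("99@mail.ar.r2games.com", hashlib.md5(b"sync").hexdigest()),    # placeholder domain
    ("123456789@vk.com", hashlib.md5(b"sync").hexdigest()),           # generated-looking
    ("dave@vk.com", hashlib.md5(b"hunter2").hexdigest()),             # ordinary vk.com user
]

PLACEHOLDER_DOMAINS = {"mail.r2games.com", "mail.ar.r2games.com"}
GENERATED_RE = re.compile(r"^\d+@vk\.com$")

# Tiny wordlist; "admin" and "sync" are the two the article names. A real
# attacker uses a list of millions, and the cost per entry is one MD5 call.
COMMON_PASSWORDS = ["admin", "sync", "123456", "password"]


def md5_hex(s):
    return hashlib.md5(s.encode()).hexdigest()


def triage_emails(rows):
    """Split a dump into (real addresses, placeholder count, generated count),
    mirroring the filtering done before loading a breach into a notification index."""
    unique = {email.lower() for email, _ in rows}
    placeholder = {e for e in unique if e.rsplit("@", 1)[-1] in PLACEHOLDER_DOMAINS}
    generated = {e for e in unique - placeholder if GENERATED_RE.match(e)}
    real = unique - placeholder - generated
    return sorted(real), len(placeholder), len(generated)


def crack_unsalted_md5(rows, wordlist=COMMON_PASSWORDS):
    """One hash per candidate word covers every account at once: that is the
    cost of storing unsalted hashes. Returns {password: number of accounts}."""
    table = {md5_hex(w): w for w in wordlist}
    hits = Counter(table[h] for _, h in rows if h in table)
    return dict(hits)


def hash_password(password, salt=None, iterations=600_000):
    """Hardened storage: PBKDF2-HMAC-SHA256 with a random 16-byte salt per user,
    serialised as algorithm$iterations$salt$hash so it can be verified later."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password, stored):
    _algo, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    real, n_placeholder, n_generated = triage_emails(SAMPLE_ROWS)
    print(f"{len(real)} real addresses, {n_placeholder} placeholder, {n_generated} generated")
    print("recovered from unsalted MD5:", crack_unsalted_md5(SAMPLE_ROWS))
    a, b = hash_password("admin"), hash_password("admin")
    print("salted hashes of the same password differ:", a != b)
    print("verify:", verify_password("admin", a), verify_password("sync", a))
```

With unsalted hashes, a single precomputed table covers every account in the dump, which is why both "admin" and "sync" fall out in one pass over the rows. With a random per-user salt and a slow KDF, identical passwords produce different stored values and each account has to be attacked on its own.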
While the hacked data isn't public yet, there's nothing preventing the person who shared it with LeakBase from selling or trading it.
Northrop Grumman has admitted one of its internal portals was broken into, exposing employees' sensitive tax records to miscreants. In a letter [PDF] to workers and the California Attorney General's office, the aerospace contractor said that between April 18, 2016 and March 29, 2017, criminals infiltrated the website, allowing them to access staffers' W-2 paperwork for the 2016 tax year. These W-2 forms can be used by identity thieves to claim tax refunds owed to employees, allowing the criminals to pocket victims' money. The corporation sent out its warning letters on April 18, the last day to file 2016 tax returns. "The personal information that may have been accessed includes your name, address, work email address, work phone number, Social Security number, employer identification number, and wage and tax information, as well as any personal phone number, personal email address, or answers to customized security questions that you may have entered on the W-2 online portal," the contractor told its employees. The Stealth Bomber maker says it will provide all of the exposed workers with three years of free identity-theft monitoring services. Northrop Grumman has also disabled access to the W-2 portal through any method other than its internal single sign-on tool. The aerospace giant said it had farmed out its tax portal to Equifax Workforce Solutions, which was working with the defense giant to get to the bottom of the intrusion. "Promptly after confirming the incident, we worked with Equifax to determine the details of the issue," Northrop told its teams. "Northrop Grumman and Equifax are coordinating with law enforcement authorities to assist them in their investigation of recent incidents involving unauthorized actors gaining access to individuals' personal information through the W-2 online portal.
" According to Equifax, the portal was accessed not by hackers but by someone using stolen login details. "We are investigating alleged unauthorized access to our online portal where a person or persons using stolen credentials accessed W-2 information of a limited number of individuals," an Equifax spokesperson told El Reg on Monday. "Based on the investigation to date, Equifax has no reason to believe that its systems were compromised or that it was the source of the information used to gain access to the online portal."
Insecure backend databases and mobile apps are making for a dangerous combination, exposing an estimated 280 million records that include a treasure trove of private user data. According to a report by Appthority, more than 1,000 apps it looked at on mobile devices leaked personally identifiable information that included passwords, location, VPN PINs, emails and phone numbers. The Appthority Mobile Threat Team called the vulnerability HospitalGown and said the culprit behind the threat is misconfigured backend storage platforms, including Elasticsearch, Redis, MongoDB and MySQL. "HospitalGown is a vulnerability to data exposure caused, not by any code in the app, but by the app developers' failure to properly secure the backend servers with which the app communicates," wrote the authors of the report released Wednesday. According to Seth Hardy, director of security research, the problem is a byproduct of the insecure database installations that made headlines in February. That's when misconfigured and insecure MongoDB, Hadoop and CouchDB installations became popular extortion targets for hackers who were scanning for vulnerable servers to attack. The weak link in the chain when it comes to HospitalGown is the insecure servers that apps connect to, Hardy said. During the course of Appthority's investigation, it found 21,000 open Elasticsearch servers, revealing more than 43 terabytes of exposed data. In one scenario, the attacker looks for vulnerabilities in the space between the vendor's mobile application and the app's server-side components, according to researchers.
"The servers for most mobile applications are cloud based and accessible via the Internet; this allows a bad actor to skip the long and potentially many-layered 'compromise' stage of an attack, accessing company data directly from a database that is impossible for the enterprise to see or secure," they wrote. Researchers said the vulnerable mobile apps they found ran the gamut, from office productivity, enterprise access management, games and dating to travel, flight and hotel applications. Any personally identifiable data a user shared with such an app was vulnerable to possible exfiltration by a hacker. "These servers were accessible from the Internet, lacked any means of authentication to prevent unwanted access to the data they contained, and failed to secure transport of data, including PII, using HTTPS conventions," according to the report. While this is strictly a data security issue, Appthority said, attacks can quickly escalate, and personal information could easily be leveraged in a spear phishing attack or a brute force attack. In its report, Appthority showed how a mobile VPN app called Pulse Workspace, used by enterprises, government agencies and service providers, leaked data. While Pulse Workspace created an API to secure front-end Elasticsearch access, the backend, and all of the app's data records, were exposed and leaked Pulse customer data. Appthority notified Pulse Workspace and its customers of the vulnerability, which has since been fixed.
Appthority is careful to point out that each of the platforms it examined (Elasticsearch, Redis, MongoDB and MySQL) has plugins that allow it to be exposed on the internet safely. "Best practices on secure data stores is just not being adopted in too many cases," Hardy said. Elasticsearch, for example, has a bevy of security and data protection capabilities, such as being able to encrypt all the data on the platform. Increasing the risk of HospitalGown-type attacks is the fact that many of the apps Appthority looked at seemed benign in terms of the user data they shared. But apps increasingly have advertising components that collect personally identifiable data that can be mined by hackers for phishing or ransomware attacks. App developers and system administrators need to know where their data is stored and make sure it is secured, Hardy told Threatpost.
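An added example, not taken from Appthority's report or from any of the vendors, that turns the point about misconfigured backends (the same failure behind the open MongoDB database in the Wishbone story earlier) into a check an administrator can run against their own configuration files. It parses the indented `key: value` subset of YAML that mongod.conf and elasticsearch.yml use and flags the three settings that together leave a store open: listening on a non-loopback interface, no authentication, and no TLS. The configuration fragments are constructed for this example. The setting names (net.bindIp, security.authorization, net.tls.mode, network.host, xpack.security.enabled, xpack.security.http.ssl.enabled) are real MongoDB 4.2+ and Elasticsearch options; the defaults assumed when a setting is absent (MongoDB 3.6+ binds loopback; Elasticsearch 7.x leaves security off unless enabled, while 8.x turns it on) are stated in comments, and the check treats a missing setting as the risky case.

```python
# Constructed configuration fragments for the example; the weak ones mirror
# the "open on the internet, no auth, no TLS" pattern the report describes.
WEAK_MONGOD = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0
"""

HARDENED_MONGOD = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1
  tls:
    mode: requireTLS
    certificateKeyFile: /etc/ssl/mongodb.pem
security:
  authorization: enabled
"""

WEAK_ES = """\
cluster.name: app-backend
network.host: 0.0.0.0
http.port: 9200
xpack.security.enabled: false
"""

HARDENED_ES = """\
cluster.name: app-backend
network.host: 127.0.0.1
http.port: 9200
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
"""

LOOPBACK = {"127.0.0.1", "::1", "localhost", "_local_"}


def flatten(text):
    """Parse the `key: value` / indented-mapping subset of YAML these files use
    into {dotted.key: value}. Lists, quoting and anchors are not handled."""
    result, stack = {}, []          # stack holds (indent, key) of open mappings
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        key, _, value = raw.strip().partition(":")
        while stack and stack[-1][0] >= indent:
            stack.pop()
        stack.append((indent, key.strip()))
        if value.strip():
            result[".".join(k for _, k in stack)] = value.strip()
    return result


def listens_publicly(bind_setting):
    """True if any listed address is not a loopback address."""
    return any(h.strip() not in LOOPBACK for h in bind_setting.split(","))


def audit_mongod(text):
    cfg = flatten(text)
    findings = []
    bind = cfg.get("net.bindIp", "127.0.0.1")   # assumed default: mongod 3.6+ binds loopback
    if listens_publicly(bind):
        findings.append(f"net.bindIp={bind}: reachable from non-loopback interfaces")
    if cfg.get("security.authorization") != "enabled":
        findings.append("security.authorization is not 'enabled': every client can read every database")
    if cfg.get("net.tls.mode") != "requireTLS":
        findings.append("net.tls.mode is not 'requireTLS': credentials and records cross the wire in clear")
    return findings


def audit_elasticsearch(text):
    cfg = flatten(text)
    findings = []
    host = cfg.get("network.host", "_local_")   # assumed default: Elasticsearch binds loopback
    if listens_publicly(host):
        findings.append(f"network.host={host}: REST API reachable from non-loopback interfaces")
    # Assumed default "false" (7.x basic licence); 8.x enables security itself.
    if cfg.get("xpack.security.enabled", "false").lower() != "true":
        findings.append("xpack.security.enabled is not true: the REST API needs no authentication")
    if cfg.get("xpack.security.http.ssl.enabled", "false").lower() != "true":
        findings.append("xpack.security.http.ssl.enabled is not true: HTTP API traffic is plaintext")
    return findings


if __name__ == "__main__":
    for name, audit, weak, hardened in (
        ("mongod.conf", audit_mongod, WEAK_MONGOD, HARDENED_MONGOD),
        ("elasticsearch.yml", audit_elasticsearch, WEAK_ES, HARDENED_ES),
    ):
        print(f"{name} (weak):", *audit(weak), sep="\n  ")
        print(f"{name} (hardened):", audit(hardened) or "no findings")
```

The three checks map directly onto the report's description of the exposed servers: reachable from the internet, no authentication, and no HTTPS. Binding to loopback is the cheapest fix and removes the first condition entirely; authentication and TLS are what make a deliberately public endpoint safe to expose.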
The most recent incident involved smart teddy bears, which can receive and send voice messages between children and parents, in a data breach affecting more than 800,000 user accounts. The company behind the products, Spiral Toys, is denying that any customers were hacked. Zach Lanier, director of research at Cylance, went through the more famous incidents involving toys and breaches and offers a tip for each case. The CloudPets breach may have given attackers access to voice recordings from the toy's customers, by allegedly making the mistake of storing the customer information in a publicly exposed online MongoDB database that required no authentication. Thus anyone, including the attackers, was able to view and steal the data. CloudPets also placed no requirement on password strength, making passwords much easier to crack. Tip: Always create a strong password, no matter the strength requirement. Include lowercase and uppercase letters, symbols and numbers. Use a password manager to help create and store unique passwords for sites and services. A line of stuffed animals, these connected toys pair with a mobile application that was vulnerable due to a number of weak APIs, which didn't verify who sent messages. This meant that an attacker could guess usernames or email addresses and have Fisher-Price's server return details about associated accounts and children's profiles, including their name, birthdate, gender, language and the toys they have played with. Tip: If the IoT device connects to a mobile app or desktop computer, it is important to examine how it connects. If the URL begins with http rather than https, the secure version of HTTP, then your device is making a less secure connection.
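The weak-API problem described above, where the server hands back a profile for any identifier the caller guesses, is easier to see as code. The following is an added example written for this page, not code from Fisher-Price or any toy vendor, with constructed accounts and a stubbed-in session store; it places the vulnerable handler beside a hardened one. The property the fix restores, that the record returned is bound to the authenticated session rather than to a caller-supplied identifier, is the same one whose absence let Three customers above download a stranger's bill.

```python
import hmac
import secrets

# Constructed sample accounts; nothing here comes from any toy vendor's service.
PASSWORDS = {"parent1@example.com": "ann-loves-bears", "parent2@example.com": "ben-2012!"}
ACCOUNTS = {
    "parent1@example.com": {"id": 1001, "children": [{"name": "Ann", "birthdate": "2010-04-02"}]},
    "parent2@example.com": {"id": 1002, "children": [{"name": "Ben", "birthdate": "2012-09-17"}]},
}
SESSIONS = {}   # bearer token -> account id, filled by login()


def login(email, password):
    """Issue a session token only after a constant-time password check."""
    expected = PASSWORDS.get(email, "")
    if not expected or not hmac.compare_digest(expected, password):
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = ACCOUNTS[email]["id"]
    return token


def get_profile_vulnerable(email):
    """Weak API: the record is chosen by a caller-supplied identifier and no
    session is required, so anyone who can guess an email gets the children's
    profiles, and the distinct error tells them which guesses exist."""
    acct = ACCOUNTS.get(email)
    if acct is None:
        return 404, {"error": "no such account"}
    return 200, {"children": acct["children"]}


def enumerate_accounts(candidates):
    """What an attacker does against the weak API: try guesses, keep the hits."""
    return [e for e in candidates if get_profile_vulnerable(e)[0] == 200]


def get_profile_hardened(token, email):
    """Fixed API: the session decides whose data may be returned; the requested
    identifier must match the authenticated account, and a missing account and a
    foreign one are indistinguishable to the caller."""
    account_id = SESSIONS.get(token)
    if account_id is None:
        return 401, {"error": "authentication required"}
    acct = ACCOUNTS.get(email)
    if acct is None or acct["id"] != account_id:
        return 403, {"error": "forbidden"}
    return 200, {"children": acct["children"]}


if __name__ == "__main__":
    guesses = ["admin@example.com", "parent1@example.com", "parent2@example.com", "nobody@example.com"]
    print("weak API leaks:", enumerate_accounts(guesses))
    tok = login("parent1@example.com", "ann-loves-bears")
    print("own profile:", get_profile_hardened(tok, "parent1@example.com"))
    print("someone else's:", get_profile_hardened(tok, "parent2@example.com"))
    print("no session:", get_profile_hardened("bogus", "parent1@example.com"))
```

Two details matter in the hardened handler: the authorization decision is made on the server from the session, never from what the client sent, and the "not yours" and "does not exist" cases return the same status and body so the endpoint cannot be used to enumerate registered addresses.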
The doll has a microphone and accesses the internet to answer your child's questions. Moreover, criminals could have the ability to collect your personal information. Tip: If the toy requires Wi-Fi, make sure it supports modern, more secure Wi-Fi capabilities like WPA2. Its speech-recognition software maker, Nuance Communications, violated federal rules by listening to children and saving the recordings. It's valuable to know how they are using your data. Don't provide personal information that seems extra or unnecessary. VTech had its app store database, Learning Lodge, hacked. As a result of the breach, over 11.6 million accounts were compromised in the cyberattack, exposing photos of children and parents as well as chat logs. The profile data leaked included names, genders and birth dates. Tip: Check whether the manufacturer has had any cybersecurity issues in the past, and if so, how it responded. Alternatively, if the company is relatively new, your device is definitely at greater risk. The interactive toy has the ability to communicate and record conversations. Those conversations are sent to the company's servers, analyzed and then stored in the cloud. The toy was criticized for spying on kids by recording their conversations. Over Wi-Fi, attackers can hijack the connection to spy on your children, steal personal information, and turn the doll's microphone into a surveillance device. Tip: Since the device is Wi-Fi enabled, confirm that it supports modern security protocols. If the device only uses the WEP or WPA (but not WPA2) security standards, it may be too risky to use. Those versions are older and over time have come to offer almost no protection against attack.