, including PIN numbers.

Verizon Communications suffered a major data leak due to a misconfigured cloud server that exposed data on 6 million of its customers. The leak was the result of its third-party provider NICE Systems incorrectly configuring Verizon's cloud-based file repository, housed in an Amazon Web Services S3 bucket on NICE's cloud server, according to UpGuard, which issued a report on the breach today. Verizon customer names, addresses, and account information, including account personal identification numbers (PINs), were compromised. UpGuard estimated that up to 14 million customer records were exposed, but Verizon stated that data on 6 million of its users was affected. In one file alone, there were 6,000 PINs that were publicly exposed, according to Dan O'Sullivan, a cyber resilience analyst for UpGuard. What's unique about this leak is that it was not just personal data that was publicly exposed but also PINs, according to O'Sullivan. "The PINs are used to identify a customer to a customer care person," O'Sullivan says, noting that an attacker could impersonate the user by using the PIN and then gain access to that individual's account. Verizon issued a statement acknowledging the public exposure of its customer data, but stressed that no loss or theft of Verizon or Verizon customer information occurred. The telecom giant also noted: "To the extent PINs were included in the data set, the PINs are used to authenticate a customer calling our wireline call center, but do not provide online access to customer accounts," Verizon stated. "An employee of one of our vendors put information into a cloud storage area and incorrectly set the storage to allow external access," Verizon said.

How it Went Down

NICE was hired to help Verizon improve its residential and small business wireline self-service call center portal, according to Verizon's statement. As part of this project, NICE needed certain data that included a limited amount of personal and cell phone number information. None of the information stored for the project included social security numbers, according to Verizon. Meanwhile, on June 8, UpGuard's cyber risk research director Chris Vickery came across the AWS S3 data repository and its subdomain "verizon-sftp." The repository held six folders with titles spanning "Jan-2017" to "June-2017" and a number of other files in .zip format. Vickery was able to fully download the repository because it was configured to be publicly accessible to anyone entering the S3 URL. Following the discovery, UpGuard contacted Verizon on June 13 to inform the telecom giant of the data leakage, and on June 22 the exposure was sealed up, according to UpGuard's report. "There was a fairly long duration of time before it was fixed, which is troubling," O'Sullivan says.

Verizon is not the first company to encounter data leakage as a result of permissions set to public rather than private on an Amazon S3 bucket. Earlier this year, UpGuard also discovered a similar situation involving the Republican National Committee (RNC), which left millions of voter records exposed on its cloud account. As in the Verizon case, the RNC relied on a third-party vendor to handle its cloud storage needs, and it too used Amazon's AWS S3. That third party also improperly set the database to public rather than private.

"The number one thing to keep in mind if you are a CISO is evaluating your third-party vendors. You can have the best security in the world and the best visibility into your systems, but if you pass it on to a third-party vendor without checking out how well they handle their security, then you have done that all in vain," O'Sullivan says. "Verizon did not own the server that was involved here, but it will own the consequences."

Rich Campagna, CEO of Bitglass, stressed the importance of security teams ensuring the services they use are configured securely. "This massive data leak could have been avoided by using specific data-centric security tools, which can ensure appropriate configuration of cloud services, deny unauthorized access, and encrypt sensitive data at rest," Campagna said in a statement.
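Both the Verizon and RNC incidents above came down to an S3 bucket whose permissions were set to public rather than private. The following is an added example, not from the article, UpGuard or Verizon, of an offline check over the three documents that decide that question: the bucket ACL, the bucket policy and the Public Access Block settings. The group URIs and block-setting names are the real AWS ones; the input documents mirror the shapes boto3 returns, but every value in them is constructed.

```python
# Added example (not from the article, UpGuard or Verizon): an offline check
# for the "set to public" S3 misconfiguration described above. The inputs
# mirror the shapes boto3 returns for get_bucket_acl, get_bucket_policy and
# get_public_access_block, but every value here is constructed.
import json

PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
BLOCK_KEYS = ("BlockPublicAcls", "IgnorePublicAcls",
              "BlockPublicPolicy", "RestrictPublicBuckets")

# Constructed ACL: the owner's grant plus READ for everyone on the internet.
LEAKY_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]}
SAFE_ACL = {"Grants": LEAKY_ACL["Grants"][:1]}
# Constructed policy: anonymous GetObject on every key, with no Condition.
LEAKY_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]})
NO_BLOCK = {k: False for k in BLOCK_KEYS}
FULL_BLOCK = {k: True for k in BLOCK_KEYS}

def public_acl_grants(acl):
    """Permissions the ACL hands to AllUsers or AuthenticatedUsers."""
    return [g["Permission"] for g in acl.get("Grants", [])
            if g.get("Grantee", {}).get("Type") == "Group"
            and g["Grantee"].get("URI") in PUBLIC_GROUPS]

def public_policy_statements(policy_json):
    """Sids of Allow statements with a wildcard principal and no Condition."""
    # Conditioned statements may still be public but need human review, so skip.
    hits = []
    for stmt in json.loads(policy_json).get("Statement", []):
        p = stmt.get("Principal")
        wildcard = p == "*" or (isinstance(p, dict) and p.get("AWS") == "*")
        if stmt.get("Effect") == "Allow" and wildcard and "Condition" not in stmt:
            hits.append(stmt.get("Sid", "<no Sid>"))
    return hits

def is_exposed(acl, policy_json, block):
    """A fully enabled Public Access Block overrides both; otherwise any hit counts."""
    if all(block.get(k) for k in BLOCK_KEYS):
        return False
    return bool(public_acl_grants(acl) or public_policy_statements(policy_json))
```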
Users of the Guardian's Soulmates dating site have been getting spammed with smut after the site leaked their contact information. The UK-based Guardian newspaper's publisher, which runs the service, is blaming "human error" and a third-party technology provider for the leak, which has now been fixed. According to the BBC, the site — which charges users up to £32 ($41.50) per month — said that only email addresses and user IDs had been exposed directly. But that information can be used to dig out more from public profiles, said the company, including photos, relationship preferences and physical descriptions.

Here's a statement the publisher sent to The Register:

We can confirm we have received 27 enquiries from our members which show evidence of their email addresses used for their Soulmates account having been exposed. We take matters of data security extremely seriously and have conducted thorough audits of all our internal systems and are confident that no outside party breached any of these systems. Our ongoing investigations point to a human error by one of our third party technology providers, which led to an exposure of an extract of data. This extract contained only members' email addresses and user ID which can be used to find members' publicly available online profiles. We have taken appropriate measures to ensure this does not happen again, and we continue to review our processes and third party suppliers. Nonetheless, we apologise to our members who were affected. If any of our members are concerned we encourage them to contact us on support@guardiansoulmates.com.

One user who contacted the BBC said they'd started receiving sexually explicit spam, laced with information from their Soulmates profile, in November. The user, who works in IT, said they weren't completely surprised. Things like this can happen with online services. But they were still a bit taken aback, given that they hadn't used the site for several years and were no longer paying the membership fee. That user told the BBC that they had contacted Soulmates six months ago, concerned about what other information might have been breached. Another user who reached out to the BBC said that in spite of the breached information being public, it still felt "creepy" to see it lifted from the confines of the dating site: It's all information that I was happy to put online at one point anyway, but when it's used outside of context like that it does feel a lot more creepy.

We don't have details on the identity of the third-party tech provider, or where, exactly, in the setup the door was left open. At any rate, if it is indeed the fault of a third party, this is just the latest example of how contractors can be the weak link in your security chain. It doesn't matter how strict your own cybersecurity is if one of your contractors isn't up to scratch. As we've noted before, everyone we do business with, share data with, outsource operations to, sell things to or buy things from forms a part of our own security chain. A breach at any point in the chain can have an impact on the privacy and integrity of our data.

As for those Soulmates users now afflicted with sexually explicit spam, our sympathies. It's hard enough to find true love. Who needs the heartache of trying, and failing, to keep your data out of the hands of e-jerks? We've passed out plenty of advice to avoid online dating fraud, but none of that applies here, given that you're certainly not at fault in this one. Do be careful of that spam, though. Be it lascivious or as pure as a spring lamb, it's still spam, and that stuff often goes hand in hand with malware. Don't click!
Cyber attacks are becoming commonplace in 2017, and the most recent one might be a credit card breach which hit the popular retail chain Kmart, reported first on May 16 but only confirmed by parent company Sears Holdings on Wednesday. "Our Kmart store payment data systems were infected with a form of malicious code that was undetectable by current anti-virus systems and application controls. Once aware of the new malicious code, we quickly removed it and contained the event. We are confident that our customers can safely use their credit and debit cards in our retail stores," Howard Riefs, a spokesman for Sears Holdings, said in a statement to Patch.

The company further explained the risk to its customers. "Based on the forensic investigation, NO PERSONAL identifying information (including names, addresses, social security numbers, and email addresses) was obtained by those criminally responsible. However, we believe certain credit card numbers have been compromised. Nevertheless, in light of our EMV compliant point of sale systems, which rolled out last year, we believe the exposure to cardholder data that can be used to create counterfeit cards is limited," it said.

The breach was first reported by security website Krebs on Security on May 16. Many small banks and credit unions received complaints about batches of stolen cards, all of which had been used at Kmart locations. The company didn't reveal which of its 735 locations were hit, but did say how the breach occurred. The company's systems were hit with malware designed to steal credit card data from point-of-sale devices installed at kiosks. The malware copies credit card information from the card's magnetic stripe when the cards are swiped at payment kiosks. Using this information, the cards can be cloned, and purchases made using these clones would be debited from the credit card user's account.

This is not the first time Kmart has suffered such a breach. The retail chain had a similar breach in 2014 and had also claimed at the time that the stolen data did not include customer names, email addresses and personal information. "We are actively enhancing our defenses in light of this new form of malware. Data security is of critical importance to our company, and we continuously review and improve the safeguards that protect our data in response to changing technology and new threats," it said. It was, however, confirmed that the breach did not target all Kmart locations, in which case credit card companies would have themselves issued warnings to customers against using their cards at retail stores. Sears Holdings has set up a helpline for customers who might be affected by the breach. If you think you are one of them, you can call 888-488-5978 to get your queries answered.
Developers are once again being blamed for cloud back-end security vulnerabilities, this time in a new report from Appthority. The company published investigation results that found nearly 43 TB of enterprise data was exposed on cloud back-ends, including personally identifiable information (PII). This comes shortly after a similar report from a different security company. In the new "2017 Q2 Enterprise Mobile Threat Report" (free upon providing registration info), Appthority found "data leakage" from mobile apps that send data to unsecured cloud back-ends. While security concerns typically focus on a triad of other factors -- apps, device threats and network threats -- this data leakage on the back-end was dubbed the "HospitalGown" threat because of that garment's open back-end. "In total, we found almost 43 TB of data exposed and 1,000 apps affected by the HospitalGown vulnerability," Appthority said in a blog post last week. "Looking at a subset of 39 apps, we still found 280 million records exposed, a total of about 163 GB of data. This is a staggering amount of leaked information, and in some cases represents the entirety of customer or operational data for an enterprise." The report echoes the findings of an earlier report by RedLock Inc., which revealed many security issues primarily caused by user misconfigurations on public cloud platforms. RedLock claimed it found 82 percent of hosted databases remain unencrypted, among many other problems.

As with the RedLock report, developers were blamed for the HospitalGown vulnerabilities. "HospitalGown is a vulnerability to data exposure caused, not by any code in the app, but by the app developers' failure to properly secure the back-end (hence its name) servers with which the app communicates and where sensitive data is stored," Appthority said. Unsecured Elasticsearch servers and MongoDB databases were prime targets of a series of ransomware attacks earlier this year that generated widespread publicity in the security field. However, that publicity apparently wasn't enough to significantly alleviate the issue. "As our findings show, weakly secured back-ends in apps used by employees, partners and customers create a range of security risks including extensive data leaks of personally identifiable information (PII) and other sensitive data," the report states. "They also significantly increase the risk of spear phishing, brute force login, social engineering, data ransom, and other attacks. And, HospitalGown makes data access and exfiltration far easier than other types of attacks."

Key findings of the report as listed by the company include:

- Affected apps are connecting to unsecured data stores on popular enterprise services, such as Elasticsearch and MySQL, which are leaking large amounts of sensitive data. Apps using just one of these services revealed almost 43 TB of exposed data.
- Multiple affected apps leaked some form of PII, including passwords, location, travel and payment details, corporate profile data (including employees' VPN PINs, emails, phone numbers), and retail customer data.
- Enterprise security teams do not have visibility into the risk due to the risk's location in the mobile app vendor's architecture stack.
- In multiple cases, data has already been accessed by unauthorized individuals and ransomed.
- Even apps that have been removed from devices and the app stores still pose an exposure risk due to the sensitive data that remains stored on unsecured servers.

The company said its Mobile Threat Team identified the HospitalGown vulnerabilities with a combination of its dynamic app analysis tool and a new back-end scanning method, looking at the network traffic of more than 1 million enterprise mobile apps, both iOS and Android. As with the misconfiguration problems identified in the RedLock report, Appthority emphasized that all cases of HospitalGown vulnerabilities were caused by human error, not malicious intent or inherent infrastructure problems. That human error was especially prevalent in two app implementations investigated by Appthority: Pulse Workspace (for accessing enterprise network and Web applications) and Jacto apps (from an agricultural machinery company).