In what has become a frequent event, another company has fallen victim to exposing their sensitive company information to the entire internet, all because they failed to password-protect their web-based storage system. LimeLeads, a San Francisco-based company that matches individuals and businesses with potential leads, left its internal database of users unsecured. The LimeLeads overexposure was discovered by a hacker, who downloaded it and sold the information of more than 49 million users online.

This type of overexposure continues to happen because many of the systems that offer cloud-based or web-based storage to their customers have the password setting off by default. That might seem like a bad idea, given how many times in recent months this very scenario has happened. However, there are important reasons for not automatically locking everyone out of the system, especially when the company is transitioning to this service. As soon as the transition is underway, that default setting should be changed immediately to a password-protected setting.

Instead, too many companies leave it unprotected, never changing the default, which is what led to the LimeLeads overexposure. That means literally anyone who knows to look for it—or just gets curious and starts browsing around online—can find both the storage bucket and the contents. In this case, a security researcher who routinely looks for unsecured databases discovered it. Unfortunately, they did not discover it before someone else got to it first.

According to ZDNet, a hacker who goes by the name Omnichorus also stumbled upon the database. They then downloaded the contents and posted it for sale on the Dark Web. In many other events like the LimeLeads overexposure, the companies were lucky. They never found evidence that anyone else (before the security researcher who reported it) found or used the information.

Unfortunately, any time personal data is collected and stored, it is the responsibility of the new owner to keep it secure. The LimeLeads overexposure amounts to a data breach, despite the unintentional nature of the event, and those users’ records have now been compromised. Businesses must make comprehensive computer training and updates a priority in order to prevent issues like the LimeLeads overexposure.

If you believe you are a victim of identity theft, you can call the Identity Theft Resource Center toll free at 888.400.5530 to speak with one of our advisors or live chat with an advisor on our website. They will help you create an action plan for your case while directing you on the next steps you need to take.


For on-the-go identity assistance, check out the free ID Theft Help App from ITRC.


The year 2020 has kicked off with a number of high-profile data breaches that have affected a wide variety of industries. The recently announced Front Rush data breach affecting student-athletes is just another in a long line of attacks that have targeted businesses and their customers.

Front Rush, a tech company whose recruiting software connects colleges, universities and sports teams with up-and-coming student-athletes, suffered a data breach that compromised around 700,000 students’ profiles. The Front Rush data breach was the result of an unsecured Amazon Web Services online storage system, which is another in an ever-increasing number of accidental overexposures that lay out companies’ databases to anyone who looks for them on the web.

This time the exposed victim records included minors, and due to the nature of the information collected, it included SAT scores and grades, medical files and financial aid agreements.

The storage bucket has been taken offline, but there is no way of knowing if anyone accessed the information before Front Rush became aware of the issue. A security researcher discovered the exposed bucket and contacted Front Rush, but they did not receive a reply. The researcher then reached out to the media so that victims might be made aware.

Incidents like the Front Rush data breach may be on the rise, but they are also avoidable. By default, the web storage bucket is set to “non-password protected,” and it is up to the client to lock it down and put a password in place. Users who fail to do so are literally leaving their entire database available to anyone on the internet.

The consumers whose information goes into these unsecured storage systems do not have much they can do to prevent these things from happening. That is why it’s very important to monitor your accounts closely, change your passwords frequently (in case someone stumbles on old information online) and be on the lookout for spam email and phishing attempts that come from these kinds of breaches.


A Golden Entertainment phishing attack is forcing the gaming company to see if any exposed information has been used in a harmful way and to look at ways to protect employees from possible attacks in the future.

There are many different ways that hackers can strike. From infiltrating entire networks to installing viruses and malware, their methods are varied and unfortunately, quite effective. A newly announced breach of one company’s employee email accounts shows how simple and effective it can be.

In what seems to be a phishing attack, hackers sent an email to an employee of Golden Entertainment, a company that manages casinos, distributed gaming venues and more. The email enticed the employee to follow through with some sort of instructions, which have not been released. Those instructions could have been to open an attachment, download a file, click a link or any other avenue that the hackers chose.

The end result was that the email contained malicious steps that gave the hackers access to email accounts for the employees. The report states that the unauthorized user(s) may have visited that account more than once throughout an eight-month period. As such, they were able to access sensitive emails, including some that had attachments. Those attachments included complete customer identities for some clients, including payment card data, Social Security numbers and much more.

The company has not found any evidence that the affected customers’ information was used in a harmful way, but they are being very cautious about their investigation and resulting steps.

The Golden Entertainment phishing attack is just another reminder that all companies, no matter how big or small and no matter what industry they are in, should have comprehensive employee training on how to respond to emails, messages and social media posts. Those trainings should include instructions on never opening an attachment or clicking a link that was unexpected, even if the email appears to come from a trusted sender. Instead, the employees should verify the instructions verbally before complying.

Failure to do so can lead to cybercrimes such as hacking, account takeover, ransomware and identity theft, as seen in the Golden Entertainment phishing attack. The high costs of the aftermath of these attacks can make anyone wish they had simply never clicked. Be sure you are doing all you can to protect yourself from attacks like the Golden Entertainment phishing attack by being able to spot a phishing attack and reporting it to your employer.


It is the season of love and the season of romance scams, specifically a senior online dating scam.

Who Is It Targeting: Single seniors looking for relationships

What Is It: Variety of scams that target seniors based on romantic conversations

What Are They After: There are a variety of senior online dating scams out there right now, and they can do everything from stealing your money or identity to landing you in jail. Typically, romance scammers reach out via social media messaging sites, online dating sites and even platforms like Skype. However, the brief conversations with a stranger quickly turn romantic, and before too long, the victim is snared.

How Can You Avoid It:

  • Be very wary of connecting with people you do not know
  • Look for red flags, such as a job in a far-flung location or some excuse as to why they cannot connect or speak on the phone regularly
  • If you are asked for money for ANY reason, it is a scam; no one you just met online will need to ask you for money, no matter how many times you have chatted
  • Some of the romance scams can hook you into taking part in criminal activities like money laundering, so be careful of any “favors” you are asked to do
  • Video platforms like Skype have been used for sextortion, so be very careful about engaging in adult behaviors online with someone you don’t actually know

If you think you may be a victim of identity theft or a senior online dating scam, contact the Identity Theft Resource Center for toll-free, no-cost assistance at 888.400.5530. Find more information about current scams and alerts here. For full details of this scam check out this article from WealthyRetirement.com.

After a couple of years away from the top of the Consumer Sentinel Network Data Book, identity theft reports have returned to the top spot.

The Federal Trade Commission (FTC) accepts agency, business and consumer-submitted reports of scams, fraud and other related crimes. They then compile those reports into a large online database called the Consumer Sentinel Network. This database is available to law enforcement around the country. When compiling the report each year, the FTC also maps the types of crimes that consumers submit and shares that data with the public.

The FTC received over 3.2 million reports, of which the top three categories were identity theft, imposter scams, and telephone & mobile services. Identity theft encompasses a number of different types of crime, largely based on how the thief stole the information and what they did with it. For example, medical identity theft occurs when the thief uses stolen information and poses as a patient to receive medical care or pharmaceuticals. Government identity theft occurs when someone uses the stolen data to apply for government benefits, file a fraudulent tax return and other crimes. Child identity theft, as the name implies, happens when the victim is a child with a clean credit report or is not receiving government benefits and someone uses their Social Security number and information.

Just because other crimes eclipsed identity theft reports for a couple of years does not mean the number of incidents was insignificant. It only means that other crimes were more prevalent. Now, with identity theft reports returning to such a prominent position, it should serve as a warning to the public that all forms of identity theft, fraud and scams continue to be serious problems.

However, there are ways you can protect your identity:

  • Place a freeze on your credit report. If your data has ever been compromised in a data breach, this is an especially good idea. It is now free, but keep in mind that if you need to thaw your credit, it can take several days.
  • Enable alerts on all of your financial accounts and cards. These alerts will let you know if someone has infiltrated your existing accounts and managed to use them.
  • Practice good password hygiene. A password can only protect you if it is strong—with at least eight digits and a combination of unguessable letters, numbers and symbols—and only used on one account. It is also a good idea to change your passwords regularly to prevent anyone who discovered old login credentials from accessing your accounts.


The Identity Theft Resource Center (ITRC) has released its annual End-of-Year 2019 Data Breach report, and the information is both surprising and expected. The ITRC has long been a go-to source of help and information about identity theft and fraud, data breaches and other related matters. As part of its mission to empower consumers, law enforcement and lawmakers alike with up-to-date information, the ITRC compiles a data breach report each year to present a clear picture of this type of crime.

The 2019 Data Breach Report has revealed that data breaches are on the rise once again, despite a drop the year before. The lower numbers in 2018 appear to have been an anomaly rather than a sign that businesses are getting better at the kinds of security that hackers cannot breach.

Hacking continued to be the number one method of data breaches.

However, there were some very interesting findings. In 2019 there may have been a record number of data breaches, but the numbers of consumers’ personal records that were compromised were dramatically lower than before. While that is in large part due to the 2018 Marriott data breach exposing over 380 million records, it could still be a sign that the data hackers are after is not as accessible.

Also, for only the second year in a row, the medical industry was not the number one target for hackers. In the past, the healthcare sector has often been a top priority for data theft due to the high volume of personal information that doctors’ offices and hospitals collect on their patients.

Last year, the business sector was the number one target and medical providers were in second place.

There was another unfortunate surprise to come from the 2019 Data Breach Report and the sharing of the findings. Too many people still do not know how to better protect themselves from this kind of crime, and many are unaware of the resources like the ITRC that are here to help them.

In order to try to avoid becoming a victim, it is important to understand what preventive steps consumers can take.

Tactics like the second most common avenue of data breach last year (unauthorized access), for example, can often be thwarted with strong, unique passwords on all of your accounts.

It is also important to monitor your accounts closely for signs of unauthorized use, report any suspicious activity immediately and file a police report if you have been a victim of identity theft.

For a complete look at the ITRC’s 2019 Data Breach Report, click here.


Contact the Identity Theft Resource Center for toll-free, no-cost assistance at 888.400.5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.


Hackers are taking advantage of the outbreak with a new coronavirus email scam.

When anything newsworthy happens, you can guarantee that scammers will attempt to make a quick buck off of the public buzz. Sadly, the coronavirus is just the latest global event to be used as bait by these criminals.

While the number of cases continues to climb and the death toll rises, scammers are using fake emails that contain harmful links to snare their victims by playing off their concerns. These emails claim to have information on coronavirus updates, an interactive link where you can look up the numbers of cases near you and more. The links, however, redirect to web pages that steal your information instead of providing you with important updates.

Sadly, this coronavirus email scam is a classic tactic on the part of scammers. You could remove “coronavirus” and insert whatever the latest headline-grabbing issue is, and these messages would look very similar. In order to avoid the coronavirus email scam and the threat in general, you must develop good cybersecurity behaviors and habits.

  • Never click a link, open an attachment or download a file that you were not specifically expecting. Instead, contact the sender to verify its authenticity. If the sender is not someone you regularly interact with, ignore the email altogether. Even if it is someone known to you, still verify the link in case their email was hacked.
  • Do not share or forward emails or messages that claim to have the “latest” headline news. They are often alarmist to the point of being hoaxes or contain outdated details. In the case of the coronavirus email scam, they contain dangerous links.

It is important to stay up-to-date on major events. Coronavirus and the flu, for example, are two medical issues that are rampant and very problematic, even more so for certain demographics of people. In order to stay on top of the news, go directly to trusted sources—such as the CDC or World Health Organization—for updates and information.



This news is currently evolving and we will update as announcements are made available.  


By: Eva Velasquez, President & CEO of Identity Theft Resource Center

If you have a LinkedIn account, keep an eye on your email for a LinkedIn romance scam. There are immediate red flags in this communication, and I’m a happily married woman, but I did find part of this invitation appealing: I saw the immediate opportunity to educate people regarding romance scams! Here is a recent email that came to my work inbox. It said:

How are you,

I read your profile on LinkedIn and you caught my eye, I am interested in communicating more and sharing more about me with you and hope to learn more about you too that is if you are single and interested in communicating further. This is all new for me, it is the first time I would ever go against protocol of doing business only on the LinkedIn website. I do believe everything is possible if we put our mind and heart together just like I believe that good things can be found in the least places and when we least expect. I do not just give out my personal details like email or phone numbers to people on LinkedIn or off it, but I am willing to make a compromise to communicate with you so here am I emailing you off the site because I really wanted to touch base with you.

I am interested in communicating more this is me being honest. I hope no offense is taken, I understand the medium is a business networking medium and not a dating or social networking website and I don’t intend to use it for one. I will wait for your response soon hopefully, meanwhile, my profile on LinkedIn is on my name AUSTIN WAGNER. You should check me out and let me know what you think. I have no picture on my profile so I am sending you a couple of recent pictures too just so you know what I look like.

Warm Regards,
Austin Wagner

“Austin Wagner” went on to send me these pictures:

I first thought, wow this is one heck of a scam but they definitely tried to phish the wrong gal. Oddly enough, I thought I recognized the man in these images. Most times, scammers will steal pictures from public social media accounts to use for their own gain including dating apps, social media, etc. Sometimes these pictures will even be of a military member in uniform. I mean, who wouldn’t trust the red, white and blue?

Being the CEO of a non-profit that specializes in identity theft remediation, I put on my investigative hat and got to work. After a reverse image Google search, it turns out the pictures are of Joe Cross, the health advocate from the documentary Fat, Sick and Nearly Dead. I knew I recognized him! I had seen the film and even adventured on my own green juice journey (amazing benefits but that’s beside the point). Moreover, the pictures were from his Facebook and Twitter in 2016. This scammer chose the wrong person to come after!

I did not have a new love interest, and that is okay because, once again, I am a happily married woman! This LinkedIn romance scam is a reminder of how careful we all have to be of romance scams.

They can do more damage than nearly any other scam. Not only can they take your money, but they can meddle with your emotions as well.

To avoid falling victim to a LinkedIn romance scam, keep these things in mind:

Make Sure You Know the Person

If you receive a message like the one I received, it is fake. These scammers browse sites like LinkedIn looking for victims to take advantage of. As nice as it is to receive a compliment on your looks, don’t fall for ones like these and make sure you have alternate means of contacting the person outside of LinkedIn. I have received several instant messages from connections whose accounts were hacked. In fact, I received one from the CEO of Seamgen, with whom I have a working relationship. However, the ask looked odd, and requested that I click on a link to fill out a form. I emailed my contact and they confirmed that their account had been hacked and that they were in the process of restoring it.

Money? You Want My Money?

Everyone needs a little financial help, right? The first request for money will come along and it will seem like a legitimate request. Next thing you know, you have bought your “significant other” a plane ticket or medication for one of their sick relatives. If you get requests like this, it is a scam like the LinkedIn romance scam and the criminal is just looking to steal your money.

Mentioning money, some romance scams can force the victim into money laundering, which happens when your “significant other” wires your money with instructions to send it to someone else.

Other Types of Romance Scams

Not all romance scams are like the LinkedIn romance scam. Some can happen at your door, an online romance scam that crosses over into real life, as well as on dating apps.

The best way to protect yourself from scammers like these is to be smart and cautious, even more so than you would in a face-to-face relationship. Also, if you are EVER asked to send money, don’t do it. It is important to protect yourself from manipulative tactics. Protect yourselves from the “Austin Wagners” of LinkedIn, no matter how flattering they are.


There is a new U.S. government consumer agency that will pay for data breaches? If that is what you have been told, it is not true. It would be like the fox guarding the henhouse, but actually paying that fox money to eat your chickens instead. A new phishing scam that masquerades as a U.S. government consumer agency is supposedly paying data breach victims for the loss of their personally identifiable information. Instead, once consumers enter their name, birthdate, credit card number and Social Security number, you can probably guess what happens next.

Yes, even more identity theft.

According to security company Kaspersky, whose researchers discovered the scam, a website claiming to be the U.S. Trading Commission maintains a victims’ fund to help consumers who have been impacted by data breaches. Unfortunately, there is no such thing as the U.S. Trading Commission, even though their website looks surprisingly similar to that of the Federal Trade Commission.

There are a number of red flags about the site that by now should be obvious to a lot of users. First, similar to the legitimate sites that let you check to see if your information has been compromised, this one offers you the chance to compare your information after you hand over some details. The boxes where you enter the information are not all spelled correctly. Also, Kaspersky’s researchers typed in a jumbled array of letters instead of the information, then received an “official” response from a member of Congress whose image and signature had been stolen for this fake.

In order to file a claim on the bogus information that the website shows you so they can pay for data breaches, you must enter your SSN and payment card. Those should always be major red flags to anyone who uses the internet. There is no reason to submit your SSN to anyone without verifying the company, their web security and why they need it.

The spoofing alone, using a similar-sounding name, should have given users pause. There is no government agency with that name, and a quick Google search can show you that. Never interact with a website that claims or appears to be official if you cannot identify the agency. Also, any government agency should have a .gov ending on its website and email domain names. Any website that gathers sensitive information like a payment card number or SSN should also have an HTTPS designation at the beginning of the web address.

Unfortunately, creating a fake website as part of a new phishing scam is a shockingly easy thing to do. That is why it is important that consumers know these red flags and look for them before interacting with any company or organization. Protect yourself by developing cautious good habits about where you submit your personal data.


If you are a LabCorp patient, you should be aware of a recent LabCorp data breach that exposed thousands of patients’ documents. Medical providers, hospitals and insurance companies are often hot targets for data breaches due to the sheer volume of information they gather on their patients. According to the Identity Theft Resource Center’s 2019 End-of-Year Data Breach Report, the medical industry had the second-highest number of data breaches over 2018. When lives are at stake, providers cannot afford to be wrong about which patient is which. Therefore, patient records often contain things like full names, addresses, birthdates and even Social Security numbers. In short, patient records are a gold mine for identity thieves.

Unfortunately, knowing that’s the case is not always enough to protect the public.

TechCrunch recently reported that it discovered a trove of LabCorp patient information in an accidental overexposure breach that contained at least 10,000 patients’ documents. The information was stored for internal retrieval, but once one document was inadvertently made available in a cache of Google data, it was simply a matter of changing the digits in the web document’s address to find many more patients.

It is similar to finding a physical address by searching for it online. You type in a street address and your search engine shows you a picture of the house or the business. By changing the numbers in the street address—either randomly guessing those numbers or doing it systematically—the search engine will then show you more results. In the case of the LabCorp data breach, by changing the numbers in the patient’s address, anyone who knew to look for it could see all of the other available patients’ records.

These records contained detailed personal data, and in some cases, Social Security numbers.

LabCorp has not responded publicly to the report of the LabCorp data breach, although the server has been taken offline and the Google cache link is now useless. TechCrunch reached out to some of the patients whose data they retrieved and confirmed that it was their legitimate records, but LabCorp has not stated what will happen next. This is the second breach of LabCorp’s patient records in a year.

ITRC partner, Breach Clarity, provides a risk score with actions to take after a breach

If you believe your information was exposed as part of the LabCorp data breach, reach out to the Identity Theft Resource Center toll-free at 888.400.5530 or through live chat to speak with one of our advisors about your next steps.

