From groceries and household goods to medicine and clothes, the coronavirus pandemic has forced people to do a fair bit of their shopping online. According to data from ACI Worldwide, in March 2020, online retail shopping saw a rise in sales as high 74 percent year over year. While online shopping is playing an important role in allowing people to stay home and safely shop during COVID-19, hackers are taking note as well. That could be part of the reason why retail and manufacturing companies are seeing the most attacks. It is also why it is so important for consumers to exercise online shopping safety to not expose their personally identifiable information (PII) unwittingly.

Online shopping has grown in popularity and ease of use over the years. The increase of its use due to COVID-19 could lead to a heightened risk of formjacking, when cybercriminals insert malicious code to an existing, reputable website and gain access to its sensitive user information. While shopping the site, the user data is sent to hackers even as the user’s cart is processing as it should with the retailer. According to CNBC, e-skimming attacks intended to steal people’s personal information while shopping online were already increasing before COVID-19. Online shopping amid the pandemic has also led to an increase in fake goods being sold online, like fake cures, vaccines and tests.

Fraudsters understand the consumers’ needs to buy essential and nonessential goods during COVID-19 and are taking advantage. Tenable Research identified an SMS spoofing flaw that could have allowed an attacker to send spoofed messages to any mobile number. While the flaw was patched, hackers could have exploited it with malicious links.

Despite some of the risks of shopping online, there are things consumers can do to practice online shopping safety. People should make sure all of their transactions are at legitimate business websites that they visit directly. If someone comes across any fake products, they should report it to the National IPR Center or the Consumer Product Safety Commission. Finally, when creating an account to shop online, consumers should exercise online shopping safety by using strong security questions and answers.

To reduce the likelihood of falling victim to a phishing attempt while trying to shop online, consumers should protect their computers and devices by using security software, multi-factor authentication and backing up their data. These tips could help reduce the likelihood of a consumer falling for a scam or victim of identity theft. If someone believes they are a victim of identity theft or has any questions regarding online shopping safety, they can live-chat with an Identity Theft Resource Center expert advisor. They can also call toll-free at 888.400.5530.


You might also like…

COVID-19 COULD LEAD TO INCREASE IN TRAVEL LOYALTY ACCOUNT TAKEOVER

COVID-19 CATFISHING SCAMS MAKE A REBOUND AMID PANDEMIC

CAM4 DATA EXPOSURE LEAKS BILLIONS OF RECORDS FROM ADULT STREAMING WEBSITE

A recent CAM4 data exposure left nearly 11 billion records exposed. A team of researchers uncovered the leak by CAM4, an adult streaming website. According to komando.com, it is estimated that just over 6.5 million of those records were from users in the U.S. The information leaked in the CAM4 data exposure included full names, email addresses and payment logs. The database was immediately taken down by parent company Granity Entertainment once the CAM4 data exposure was discovered. However, the logs appear to have been exposed since March 16.

According to the researchers in an article published by Security Boulevard, a large amount of email content came from popular domains like Gmail, Hotmail and iCloud, domains that offer supplementary services like cloud-storage and business tools. That could mean that compromised CAM4 users might see large volumes of personal data (photographs, videos and related business information) leaked to hackers.

CAM4 is not the only adult website to have a large amount of user information exposed or breached. In August 2015, Ashley Madison, a “hookup” website, had its website infiltrated by hackers, who stole 37 million account holders’ names and then released them online. 

If fraudsters get a hold of the CAM4 user information, they could send sextortion scams, emails that claim to have inappropriate videos or pictures of the users, with threats to leak it if a ransom is not paid. If anyone affected by the CAM4 data exposure receives a similar email, it is probably a scam and should be ignored.

While those affected by the CAM4 data exposure are at an increased risk of receiving sextortion scams, it is not just important that the emails are ignored; it is equally important for people not to click any links, open any attachments or download any files associated with the email. Victims should also change the password to their account and the password of any other accounts that might share the same password. If anyone believes they have been affected by the CAM4 data exposure, they can live-chat with an Identity Theft Resource Center expert advisor. They can also call toll-free at 888.400.5530. Advisors can help potential victims created an action plan that is personalized to them.


You might also like…

THIRD CHEGG DATA BREACH IN THREE YEARS IMPACTS NEARLY 700 EMPLOYEES

BILL & MELINDA GATES FOUNDATION, CDC, NIH AND WHO EMPLOYEE INFORMATION EXPOSED

CREDENTIAL STUFFING COMPROMISES 160,000 ACCOUNTS IN NINTENDO DATA BREACH

Multi-billion dollar education tech company Chegg—which specializes in digital and print textbook rentals, as well as online homework help solutions—announced it suffered another data breach. This Chegg data breach impacted approximately 700 of its employees. It marked the third data breach of Chegg or its acquisitions since 2018.

Unlike the 2018 Chegg data breach, which compromised the account records of an estimated 40 million users, this breach affected current and former employees. Those employees’ personally identifiable information is believed to have been stolen, including their names and Social Security numbers. Another data breach was disclosed in 2019, days after Chegg acquired another platform, Thinkful.

There’s been speculation that sites like Chegg could become more of a target for hackers now that so many educational institutions are closed due to COVID-19. Having transferred their learning to internet-based distance learning options, students and professors alike have been taking greater advantage of online homework and test prep help. The increase in traffic could lead hackers to go after these companies to steal identities or payment methods. However, there is no proof that Chegg has become more of a target or that the latest Chegg data breach is due to schools being closed.

Chegg notified the affected employees of the recent breach, and under California law, the employees are entitled to some protective measures. Anyone who has had their information compromised in any type of data breach should consider requesting a no-cost freeze on their credit reports from the three major credit reporting agencies—Equifax, Experian and TransUnion. While it may take a few more steps when a consumer is looking to apply for credit, a freeze is one of the most robust preventative measures a person can implement to safeguard their identity credentials. Also, consumers who are concerned about the security of their personally identifiable information can look for credit monitoring and identity theft solutions that will keep them informed if anyone uses their data.

Victims of the Chegg data breach should also file their tax returns as soon as possible. With the delay in the filing deadline due to disruption caused by COVID-19, a significant number of taxpayers could choose to put off filing until things are more stable and they can safely visit a tax preparer. While it is one less thing to worry about right now, it is also a longer timeframe for identity thieves to file a fraudulent tax return in someone else’s name.

Anyone who thinks they are a victim of the Chegg data breach can live chat with an Identity Theft Resource Center expert advisor. They can also call toll-free at 888.400.5530.


BILL & MELINDA GATES FOUNDATION, CDC, NIH AND WHO EMPLOYEE INFORMATION EXPOSED

CREDENTIAL STUFFING COMPROMISES 160,000 ACCOUNTS IN NINTENDO DATA BREACH

PAAY DATA EXPOSURE LEAVES DATABASE WITH CREDIT CARD DETAILS AND TRANSACTIONS UNSECURED

Nearly 25,000 public health organization employees had their email addresses and passwords exposed after they were dumped online. According to the SITE Intelligence Group, a U.S. – based hacker activist is the likely source of the Bill & Melinda Gates Foundation, Center for Disease Control and Prevention (CDC), National Institute of Health (NIH) and World Health Organization (WHO) employee information being exposed. CNET reported that the email addresses and passwords appear to have come from data that was breached and first posted on the internet in 2016. According to the Washington Post, the hacker was encouraging people to go into the emails of the respected agencies to “uncover” what was happening at the organizations in regards to COVID-19.

The leaked data was reported in April and is believed to have come from a larger set of breached information. Fortunately, the leaked password information only affected one system at WHO, an older extranet system. WHO has reported an increase in attempted hacks and has seen an increase in fraudulent emails sent by hackers posing as WHO employees. However, WHO has also reported that the increase in attacks has not been due to this data leak, particularly because old WHO employee information was exposed.

WHO said the following in a statement: “Ensuring the security of health information for Member States and the privacy of users interacting with us is a priority for WHO at all times, but also particularly during the COVID-19 pandemic. We are all in this fight together.”

The Gates Foundation reported that they do not currently have an indication of a data breach at their foundation. However, employees at the affected organizations should change their passwords and the passwords of any other accounts that have the same credentials. The WHO employee information being exposed is another reminder of the importance of using strong, unique passwords, and never using the same password across multiple accounts.

If someone believes they had their WHO or other organization’s employee information exposed, or is a victim of identity theft, they can live chat with an Identity Theft Resource Center expert advisor. They can also call toll-free at 888.400.5530. Advisors will help people create an action plan that is personalized to their set of circumstances.


You might also like…

CREDENTIAL STUFFING COMPROMISES 160,000 ACCOUNTS IN NINTENDO DATA BREACH

PAAY DATA EXPOSURE LEAVES DATABASE WITH CREDIT CARD DETAILS AND TRANSACTIONS UNSECURED

POPULAR VIRTUAL PET PLATFORM WEBKINZ BREACHED BY BAD ACTOR

Video game giant Nintendo announced their investigation of a data breach after users began reporting suspicious activity. As part of the Nintendo data breach investigation, the company found that at least 300,000 accounts may have been compromised by unauthorized users due to an issue with legacy login procedures. On 4/29/2020 security provider SpyCloud announced that credential stuffing was the cause of the Nintendo data breach. However, Nintendo would not confirm or deny.

Legacy login systems allow longtime customers the ability to log into updated or revamped platforms for companies they have used in the past. Their old logins enable them to access a new site within the same company without having to create an entirely new account—or lose their previously stored information.

As Nintendo has gone through a variety of iterations over the years, Nintendo’s login system made sense for some time. For example, users who had created a Nintendo Network ID (NNID) for the 3DS system or Wii U did not have to establish brand-new Nintendo accounts now that they were Nintendo Switch owners. Unfortunately, due to the Nintendo data breach, the NNID legacy system was compromised by malicious actors, which allowed unauthorized access to certain accounts. This gave the hackers access to those users’ stored payment methods, including PayPal accounts and payment cards that were stored on file.

The card numbers and account numbers were not accessible. The only thing hackers could do with the cards was make purchases in the Nintendo system for things like V-Bucks, a virtual currency used in the game Fortnite. However, NNIDs that were linked to Nintendo accounts may have also compromised information like usernames, email addresses and birthdates, all of which can be used to target victims with spam, phishing attempts and ransomware.

The legacy NNID was being used to gain access to the current Nintendo network, which means current payment methods. That creates a single point of failure.

Due to the Nintendo data breach, the video game company launched a forced reset for the affected passwords and disconnected the ability to use an NNID to log into a Nintendo account. For all account holders, the company recommends activating two-factor authentication to protect these accounts. This incident serves as a reminder that old or reused login credentials can still be used for harm, and should, therefore, be protected and updated frequently or canceled if no longer used. If someone has been affected by the Nintendo data breach, they can call the Identity Theft Resource Center toll-free at 888.400.5530, or live chat with an expert advisor.


You might also like…

PAAY DATA EXPOSURE LEAVES DATABASE WITH CREDIT CARD DETAILS AND TRANSACTIONS UNSECURED

POPULAR VIRTUAL PET PLATFORM WEBKINZ BREACHED BY BAD ACTOR

SMALL BUSINESS ADMINISTRATION DATA EXPOSURE PUTS THOUSANDS OF BUSINESS OWNERS’ PERSONAL INFORMATION AT RISK

In what has become a common occurrence, another company—this time a credit card payment processing start-up —has suffered an accidental overexposure. A Paay data exposure left credit card details and transactions exposed for anyone to see. Accidental overexposures happen when a database of information is stored in an online or cloud-based server, then the information’s owner fails to protect it with a password. The result is the data housed in the database is open for anyone to discover online.

The New York-based processor acknowledged on April 3 that the incident happened after the data was discovered by a security researcher. The researcher contacted Tech Crunch for help in verifying the information and notifying the company so they could take protective steps. After further review, Paay discovered that the database involved had been unsecured for about three weeks, containing more than two million separate card transaction records dating back to September 2019.

One of the major factors in several data breaches recently is the failure to protect information that the company did not even realize they had. Experts have cautioned businesses to delete information they do not need to store and to stop collecting information that they do not need. In this case, it appears that Paay might not have been aware they stored credit card numbers and then failed to protect that data as a result.

Paay will issue data breach notification letters to the individual consumers whose numbers were left exposed in the Paay data exposure. While expiration dates were visible in this incident, no security codes or account holders’ names were compromised. In the event anyone’s card number was exposed, it is a good idea to contact their financial institution for a new card number. Those affected should also monitor their accounts closely for any suspicious activity and unauthorized transactions.

In the Paay data exposure or any other incident, anyone who suspects their identity has been used fraudulently should file a police report. If anyone needs further assistance, they can call the Identity Theft Resource Center toll-free at 888.400.5530, or live chat with an expert advisor. The ITRC also offers a free app for iOS and Android called the IDTheftHelp app, which offers resources, a location to store the steps victims have completed and the option to chat with an agent.

You might also like…

POPULAR VIRTUAL PET PLATFORM WEBKINZ BREACHED BY BAD ACTOR

SMALL BUSINESS ADMINISTRATION DATA EXPOSURE PUTS THOUSANDS OF BUSINESS OWNERS’ PERSONAL INFORMATION AT RISK

COVID-19 CONTAMINATION SCAM PLAYING OFF THE FEARS OF CONSUMERS

Canadian toymaker Ganz, owner and developer of the popular Webkinz platform for children, recently announced that a malicious, unauthorized actor had accessed 23 million usernames and passwords as part of the Webkinz data breach. The credentials accessed were the users’ platform account data, the majority of which are routinely accessed by young Webkinz users.

Webkinz is an online and app-based platform in which users “adopt” a virtual pet after buying its plush counterpart. The plush’s code is entered into the user’s account and the user can play with his/her pet online. The platform also features an arcade section with both entertainment-based and educational games that let the players earn virtual money to take care of their pets, design homes for them and more. One feature of the platform allows users to send pre-selected, approved phrases to each other and compete against one other in certain challenges. No information is shared or exchanged in those interactions.

The company’s statement indicated that usernames and hashed passwords (passwords that are a scrambled representation of themselves) were the only information accessed, but that does not mean there isn’t cause for concern. Hashed passwords can still be unencrypted if hackers have the means to do so. Reused passwords, or passwords that account holders use on multiple websites—especially in conjunction with the same email address that was used to create the account—can lead to the takeover of other accounts once hackers have compromised the first one.

While reusing passwords is convenient, it is more important now than ever that passwords are strong enough to withstand automated software that can make many password attempts per second, and that passwords are not used on more than one website or account.

The Webkinz parent company Ganz issued a statement on its website, notifying users of the incident. They recently launched a forced reset in response to the matter, but also recommend that users change their passwords on any other accounts where they may have used these same login credentials. A strong reminder for Webkinz users, especially those who used the platform as children but are now adults, that may be utilizing the same email/password combination.

It is not yet known whether or not the data compromised in the Webkinz breach is archived or active account information. However, in the company’s statement, they said they have not and do not collect more sensitive information.

The Webkinz data breach also highlights the importance of parents doing what they can to reduce their children’s risks online. Parents should make sure their kids are not oversharing information, teach them how to keep their information safe and talk to them about good internet behavior. If kids know how to spot a fake message online, to not click any links they do not recognize and limit the amount of information they share on their social media profiles, they will reduce their risk of falling victim to child identity theft.

If anyone believes they have fallen victim to identity theft, or have had their information exposed in the Webkinz breach, they can call the Identity Theft Resource Center toll-free at 888.400.5530 or live chat with an expert advisor on the next steps to take.


You might also like…

“ZOOM-BOMBING” LEADS TO MORE ONLINE CHILD PRIVACY CONCERNS

CHOOSE STRONG SECURITY QUESTIONS/ANSWERS FOR ONLINE ACCOUNTS

CASHAPP SCAMS SEE A RISE DUE TO COVID-19

More than 7,000 businesses applying for emergency loans may have had their personal information exposed by a Small Business Administration (SBA) data exposure. The SBA’s failure to secure the data, which was discovered on March 25, was due to a programming error in the administration’s online application portal for Economic Injury Disaster Loans (EIDL).  

According to POLITICO, the application system may have disclosed personal information to other applicants of the program. Some of the personal information from the SBA data exposure may have included Social Security numbers, contact information, names, addresses and income amounts.

According to the SBA, the Paycheck Protection Program (PPP) was not affected because it began April 3 and is also handled by a separate online system. However, businesses that applied for an EIDL were notified about the Small Business Administration data exposure and have been offered one year of free credit monitoring services.

In a statement, the SBA said “We immediately disabled the impacted portion of the website, addressed the issue and relaunched the application portal. SBA continues to process applications submitted via email, paper and online.”

While exposing business data might not always rise to the same level of risk as personal data, personal and business data is often co-mingled when the business entity is a small business. Due to that, it is important that people impacted by the SBA data exposure protect both sets of data by freezing their personal and business credit if both are involved. The Identity Theft Resource Center (ITRC) also recommends those who could have been impacted monitor their accounts carefully for any suspicious activity, change the passwords for any accounts with sensitive information and to consider the free credit monitoring services that are being offered.

If anyone believes they are a victim of identity theft or have had their information exposed due to the Small Business Administration data exposure, they are encouraged to call the ITRC toll-free at 888.400.5530 or to live chat with an expert advisor. Advisors can help small businesses – who utilize a personal Social Security number – and consumers create an action plan that is tailored to their unique circumstances. Victims can also download the ITRC’s ID Theft Help App where they can track their steps in a customized case log. Documenting the process post-breach is more important now than ever with the recent requirements of victims to provide proof in order to receive compensation after a data breach settlement.


You might also like…

COVID-19 CONTAMINATION SCAM PLAYING OFF THE FEARS OF CONSUMERS

CASHAPP SCAMS SEE A RISE DUE TO COVID-19

WHY HAVE YOU NOT RECEIVED YOUR STIMULUS CHECK PAYMENT YET?

Two financial companies that appear to be connected were the apparent leakers of a financial database leak of important client and employee data. The database was linked to the MCA Wizard app, which was created by Argus and Advantage. According to vpnMentor, who discovered the unsecured information online, Argus and Advantage had stored more than 500,000 sensitive documents—many of them financial records or personally identifiable information—in an Amazon Web Services S3 storage bucket. These cloud-based servers allow companies to store data off-site and access it remotely. However, as many other companies have learned, the security protocols are not automatic. That means the S3 bucket is not automatically password protected or requires other security steps.

The information that the security researchers discovered from the financial database leak contained a wide variety of uploaded documents. Credit reports, driver’s licenses, tax returns, bank account information and access, Social Security information and much more was included in the database, which was discovered in December of 2019. Since the date of the discovered financial database leak, the researchers saw new information added to the compromised database.

Attempts to reach the companies were also unsuccessful. VpnMentor was unable to find contact information for one of them, and emails to the other company came back as undeliverable. The only recourse was to contact Amazon Web Services, who was eventually able to take down the database.

There has been no word yet on data breach letters being issued due to the financial database leak or if any malicious hackers accessed the database before it was taken down. Potentially, anyone who thought to look for it was able to access the entire cache of information, which is how the researchers discovered it. In the meantime, there are steps that consumers can take if they are concerned that they have done business with these companies or their information might have been included in the compromised database.

  1. Victims should place a freeze on their credit report with the three major reporting agencies.
  2. People should sign up for alerts from their financial institution that will notify them of activity on their accounts.
  3. It would be encouraged for people to change the passwords on any sensitive accounts.
  4. Victims should enable two-factor authentication on important accounts.
  5. People should monitor their accounts closely for signs of unusual activity and report those incidences if they see anything suspicious.

If someone believes they are a victim of either the Advantage or Argus financial database leak, they are encouraged to contact the Identity Theft Resource Center through the website to live chat with an expert advisor. For those that cannot access the website, they can call the toll-free hotline (888.400.5530) and leave a message for an advisor. While the advisors are working remotely, there may be a delay in responding but someone will assist victims as quickly as possible.


You might also like…

New Marriott Breach Affects Over Five Million Guests

Covid-19 Romance Scams Begin to Make the Rounds

Are you an IRS non-filer? Tips to Avoid a Stimulus Check Identity Scam

There are many different ways a person’s information can be stolen in a data breach. General Electric (GE), one of the largest electronics companies in the world, announced that it had information of current and previous employees’ exposed through a Canon data breach.

On February 28, 2020, GE was notified that there was a third-party data breach affecting their employees’ sensitive information. The third-party provider, Canon Business Process Services, suffered an email breach of one of its employee’s email accounts. The account, which is believed to have been accessed sometime between February 3 and February 14, led to secure documents that more than 280,000 employees had uploaded to GE during the course of their employment.

These documents provided personally identifiable information (PII), including Social Security numbers, passport numbers, driver’s license numbers, bank account numbers for direct deposit and more. Information on the employees’ beneficiaries was also compromised.

Canon is providing coverage for GE employees who were impacted by the Canon data breach , including two years of identity protection and credit monitoring. Victims of the Canon data breach will be notified by letter and have until June 30, 2020, to take advantage of the services that are being offered.

In the Canon data breach or any data breach event, the notification letter is a very important part of the process. It informs the recipients of what incident occurred, what information is believed to have been stolen, what steps the victims can take to protect themselves and any support that is being provided to protect the victims. The letter itself serves as more than just a notification; in the event the identity thieves use the victims’ information in a criminal way, it can also provide some proof that the victims’ information was actually stolen. If someone believes they are a victim of the Canon data breach that affected GE, the Identity Theft Resource Center is standing by to provide information and resources, and to help victims create an action plan tailored to their needs. Victims are encouraged to live chat with an expert advisor or to call toll-free at 888.400.5530. If victims call, they will have to leave a message due to advisors working remotely. However, advisors will work to return calls as soon as possible.


 You might also like…

NEW MARRIOTT BREACH AFFECTS OVER FIVE MILLION GUESTS

COVID-19 ROMANCE SCAMS BEGIN TO MAKE THE ROUNDS

ARE YOU AN IRS NON-FILER? TIPS TO AVOID A STIMULUS CHECK IDENTITY SCAM