ShinyHunters Hacks Expose Business Vulnerabilities

Since 2005, the Identity Theft Resource Center (ITRC) has been tracking publicly notified breaches, building one of the most comprehensive repositories of data in the U.S. that is updated daily.

One of the most recent cybercrimes the ITRC reported involves a cybercrime ring, ShinyHunters, stealing the information of over 200 million customers from at least 13 different companies. In early May, ShinyHunters posted 15 million customer records on the dark web. Two days later, the hacking group began offering the entire database to buyers, which included 91 million user accounts from an Indonesian website.

Since then, ShinyHunters has offered more than 100 million users’ account information at popular websites like dating app Zoosk, meal kit company Home Chef, design-focused marketplace Minted, Minnesota’s Star Tribune newspaper, health and wellness website Mindful, photo printing service Chatbooks and online publication Chronicle of Higher Education.

While not all of those companies acknowledged ShinyHunters’ claims, more are recognizing the data breaches once they confirm there was data theft. One of the latest companies to confirm a data breach was Mathway, a popular education app for iPhone and Android devices. It is believed that the information stolen includes data about children who are the primary users of the app. The Mathway data has proven to be worth a lot on the dark web, going for $4,000 in bitcoin (or over $375 million U.S.) for 25 million stolen user accounts.

ShinyHunters has acknowledged its successful hacks. In fact, in an interview with WIRED magazine, a spokes-hacker said “it is not too hard” to breach so many organizations. They continued to say that “it’s just a way to make money.”

Groups that commit wholesale data theft are not amateurs like one might see in a TV show or a movie. These groups are professional threat actors that run their groups like any business. They have advertising campaigns, marketing campaigns, help desks and customer support – all to steal people’s information and convert it into cash.

Two other recent data breaches the ITRC has noted were of PaperlessPay, a third-party provider for personal information like W-2’s and paystubs, and Wishbone, a social media app that lets users compare products and then interact with other app users to find out what products are hot and what are not.

In February, federal law enforcement investigators found identity thieves selling PaperlessPay client data. The personal information compromised included the names, addresses, pay and withholdings, Social Security numbers and bank account numbers, in some cases.

In regards to Wishbone, hackers are selling 40 million account profiles, which includes names, email addresses, phone numbers, locations, genders, social media profiles and hashed accounts passwords of users. While hashed passwords are typically useless because the information is encrypted and has to be unlocked, Wishbone uses an outdated form of encryption that is easily cracked with a password breaking tool. This is the most recent breach for Wishbone that was also successfully attacked in 2017.

Businesses must keep their cybersecurity and data protection up-to-date. If not, it can lead to data breaches and a loss of revenue from customers who might not trust the business with their personal information. It is also important for consumers to make sure their apps, websites and businesses they share data with have strong security to protect their information. Consumers are encouraged to ask questions before sharing personal information so they can take their business to a company that takes data protection and privacy seriously.

If someone believes they have had their information exposed as part of a data breach, or is a victim of identity theft due to a data breach, they can live-chat with an ITRC expert advisor. They can also call toll-free at 888.400.5530. Advisors can help victims create action plans that are tailored to them. Victims can also download the ID Theft Help App. The app lets them track their case in a case log, access resources and tips to help them protect their identity and more.

Join us on our weekly data breach podcast to get the latest perspectives on the last week in breaches. Subscribe to get it delivered on your preferred podcast platform.

Contact Tracing Scams Ramp Up as New Technology Evolves Amid COVID-19 Pandemic

Possible Nigerian Fraud Ring to Blame for Unemployment Identity Theft Attack