Posts

  • Credential theft is when fake webpages are created that look real for the sole purpose of stealing logins and passwords to access legitimate accounts.
  • The top targeted companies for phishing scams from credential theft include Paypal with 11,000 fake login pages, Microsoft with 9,500 fake pages, and Facebook 7,500 fake pages.
  • To prevent falling victim to a credential theft attack, consumers should not click on any links unless they know they are legitimate, double-check the email address of the sender, and change their password if they believe they used a fake login page.
  • For more information about the latest data breaches, consumers and businesses should visit the Identity Theft Resource Center’s (ITRC) new data breach tracking tool, notifiedTM.
  • Victims of identity theft can contact the ITRC toll-free at 888.400.5530, or by using the live-chat function on the website.

Credential stuffing is a term consumers often hear from cybersecurity experts. Credential stuffing is a type of cyber attack where stolen credentials, like usernames and passwords, are used to gain access to other accounts that share the same credentials. There is another term not heard as much, but just as prevalent: credential theft.

Subscribe to the Weekly Breach Breakdown Podcast

Every week the Identity Theft Resource Center (ITRC) takes a look at the most interesting data compromises from the last week in our Weekly Breach Breakdown podcast. This week, we are talking about creating fake websites that look real for the sole purpose of stealing logins and passwords used to access legitimate accounts. We will look at how security researchers found tens of thousands of fake website login pages that are used to collect credentials from consumers.

Credential Theft

To commit a credential stuffing attack, a hacker must have credentials. Where do data thieves get the logins and passwords needed to fuel these attacks? The most obvious way is through data breaches everyone has seen over the years, where millions of credentials are stolen in a mass attack. However, there are less obvious ways, too. One of those less obvious ways is credential theft.

Earlier in 2020, security company IRONSCALES began to look for a specific kind of webpage; fake login pages that look like they could come from real companies. From January until June, IRONSCALES found more than 50,000 phony login pages from more than 200 recognizable brands with a high volume of web traffic.  

These fake login pages are used in phishing emails as a way of getting people to click on what they think is a legitimate login page. Most people cannot tell the login page is fake, leading unsuspecting victims to enter their real login and passwords into a fake webpage. That is all it takes for data thieves to have actual credentials from live accounts. They do not even have to buy or steal any data.

Top Targets for Phishing Scams

Anyone reading this blog might be wondering if they have ever clicked on an email link connected to an account. If they have, was it a real login page?

IRONSCALES reports that PayPal is the top target for phishing scams, with more than 11,000 fake login pages spoofing the brand. Microsoft is not far behind with 9,500 phony login pages. The list continues with Facebook with 7,500, eBay with 3,000 and Amazon with 1,500 known fake login pages. Other commonly spoofed brands include Adobe, Aetna, Apple, Alibaba, Delta Air Lines, JP Morgan Chase and Wells Fargo.

All of these companies have people who do nothing but seek and shut-down these and other kinds of fake webpages, websites, social media accounts and text messages that are used to collect personal information from their legitimate customers and prospects. However, research shows that credential theft is easy for a couple of reasons. The first is because malicious phishing emails that deliver fake login pages can easily bypass cybersecurity tools and spam filters just by making small changes in the email.

Inattentional Blindness

The second reason is because of inattentional blindness; when something looks so familiar or causes you to focus so intently that you don’t see the apparent errors hiding in plain sight. An example of inattentional blindness comes from a study where people were told to watch a video to count the number of people wearing white jerseys as they passed a ball. More than 50 percent of people taking the test missed the fact that one of the players was wearing a gorilla suit.

How Inattentional Blindness Applies to Identity Theft

Credential theft attacks translate into the inability to spot the tell-tale signs of a phishing scheme, even among trained cybersecurity and fraud professionals. What should people do if they encounter what they believe is a phishing attack?

1. Don’t click on any links unless you are sure they are legitimate. When in doubt, navigate directly to the website or webpage you are trying to reach instead of using a link.

2. If the link arrives in an email, double-check the address of the sender. An email address can be masked to make it look legitimate in the sender line. However, if you click on the sender’s name to see the actual address, you may find the email from mybank.com is actually from bob@scams-r-us. Get into the habit of checking email addresses.

3. If you believe you used a fake login page, change your passwords and alert the security team at the company whose login page has been spoofed as soon as possible. While changing your password, consider switching to a 12-character passphrase with upper and lower case letters. It will take an automated hacker tool 300 years to break that passphrase, as well as be easier to remember.

notifiedTM

For more information about the latest data breaches, consumers and businesses should visit the ITRC’s new data breach tracking tool, notified. It is updated daily and free to consumers. Organizations that need comprehensive breach information for business planning or due diligence can access as many as 90 data points through one of the three paid notified subscriptions. Subscriptions help ensure the ITRC’s identity crime services stay free.

Contact the ITRC

If you believe you are the victim of an identity crime, or your identity has been compromised in a data breach, you can speak with an ITRC expert advisor by calling toll-free at 888.400.5530, or on the website via live-chat. Finally, victims of a data breach can download the free ID Theft Help app to access advisors, resources, a case log and much more.

Join us on our weekly data breach podcast to get the latest perspectives on the last week in breaches. Subscribe to get it delivered on your preferred podcast platform.


Read more of our latest breaches below

Fortnite Gaming Data Being Sold for Hundreds of Millions of Dollars Per Year

“Meow” Attacks Lead to 4,000 Deleted Databases and Perplexed Security Experts

Cense.Ai, Freepik and ArbiterSports Headline Recent Data Breaches

  • Cense.Ai left a temporary data storage repository online, accessible to anyone with a web browser. It led to the exposure of nearly 2.6 million records, including sensitive data and other personally identifiable information (PII).
  • A recent data breach of Freepik, a photos and graphics website, happened when hackers used a known software vulnerability to gain access to one of its databases storing user data. It led to hackers obtaining usernames and passwords for 8.3 million users.
  • After detecting unauthorized access to certain devices, ArbiterSports learned an unauthorized party obtained a backup copy of a database with PII in a recent data breach. ArbiterSports reached an agreement with the unauthorized party to have the files deleted.
  • Victims of a data compromise can speak with an Identity Theft Resource Center expert advisor on the website via live-chat, or by calling toll-free at 888.400.5530.

August was another month full of data breaches, all tracked by the Identity Theft Resource Center (ITRC). Since 2005, the ITRC has compiled publicly-reported U.S. data breaches as part of our data breach tracking efforts. The ITRC tracks both publicly reported data breaches, and data exposures in a database containing 25 different information fields and 63 different identity attributes that are updated daily. Of the recent data breaches in August, Cense.Ai, Freepik and ArbiterSports are three of the most notable.

Cense.Ai

A recent Cense.Ai data exposure led to almost 2.6 million records, including sensitive data and other personally identifiable information (PII), accessible to anyone on the web. According to TechNadu, a database containing names, dates of birth, addresses, insurance records, medical diagnosis notes, clinics, insurance provider details, accounts, payment records and more was left online due to an error.

Security Researcher, Jeremiah Fowler, found two folders containing the sensitive data and managed to remove the port from the IP address of the Cense’s website. Fowler found that all individuals listed had been in a car accident. In most cases, there was also information like policy numbers, claim numbers and the date of the accident.

According to PCMag, Cense.Ai has not commented publicly about the exposure, and the company did not immediately respond to PCMag’s request for comment. Anyone affected by the Cense.Ai data exposure should monitor all of their accounts for any suspicious activity. If you find anything out-of-the-ordinary in your records, contact the appropriate company and take additional action if needed. 

Freepik

Freepik is a website that provides access to high-quality free photos and design graphics. In mid-August, the popular site announced that they suffered a data breach. According to the company’s statement, there was a breach from a SQL injection in Flaticon that allowed an attacker to get user information from their database. A little more than eight million users were affected. 4.5 million users had no hashed passwords due to exclusively federated logins (through Google, Facebook, etc.), and the hacker only obtained their email address. However, the additional 3.8 million users had both their email addresses and hashed passwords stolen. Freepik says they have taken extra measures to reduce their risk of a similar attack in the future. The company is also in the process of notifying all affected users.

Users who had their passwords stolen in this recent data breach should change their password and the password of any other accounts that share the same password. Also, switch to a nine to ten-character passphrase. They are easier to remember and harder for hackers to guess.

ArbiterSports

ArbiterSports is used by many for end-to-end activities management solution. However, some users of the officiating software company were notified of a data breach that exposed account usernames and passwords, names, addresses, dates of birth, email addresses and Social Security numbers. According to the company’s notification letter, ArbiterSports recently detected unauthorized access to certain devices in their network and an attempt to encrypt their systems.

After an investigation, the company learned the unauthorized party obtained a backup copy of a database made for business continuity reasons. The database contained PII for over 539,000 users. While ArbiterSports was able to prevent their devices from being encrypted, the unauthorized party still demanded payment in exchange for deleting the files. The two reached an agreement, and the files were deleted.

ArbiterSports is offering a free one-year membership of Experian’s IdentityWorks Credit 3B to detect possible misuse of personal information and to provide identity protection focused on identification and resolution of identity theft. Anyone affected should also change their username and password, as well as the username or password of any other accounts that share the same credentials. 

notifiedTM

For more information about recent data breaches, consumers and businesses should visit the ITRC’s new data breach tracking tool, notified. It is updated daily and free to consumers. Organizations that need comprehensive breach information for business planning or due diligence can access as many as 90 data points through one of the three paid notified subscriptions. Subscriptions help ensure the ITRC’s identity crime services stay free.

Contact the ITRC If you believe you are the victim of an identity crime, or your identity has been compromised in a data breach, you can speak with an ITRC expert advisor on the website via live-chat, or by calling toll-free at 888.400.5530. Finally, victims of a data breach can download the free ID Theft Help app to access advisors, resources, a case log and much more.


Read more of our latest breaches below

Fortnite Gaming Data Being Sold for Hundreds of Millions of Dollars Per Year

Online Job Scams See Rise Amid Pandemic

“Meow” Attacks Lead to 4,000 Deleted Databases and Perplexed Security Experts

Fortnite is one of the most popular battle royale games on the market. People of all ages play the game to work their way towards the center of the map. However, there is one thing about Fortnite, and other games, that many gamers are not aware of: the massive amounts of gaming data that is collected and stolen.

Every week the Identity Theft Resource Center (ITRC) looks at the most interesting data compromises from the previous week, as well as what happens behind the scenes when someone attacks a company and steals personal or business information in our Weekly Breach Breakdown podcast. This week, we are taking a look at Fortnite in an episode titled “Let the Games Begin!”

The Financial Dominance of the Gaming Industry

What industry made more money in 2019? Video games or movies? The answer will probably surprise most people. Video games generate more revenue each year than movies and music combined. Despite Marvel’s Avengers: Endgame setting a new global box office record in 2019 at $2.7 billion in ticket sales, the film industry’s $42 billion pales in comparison to the more than $150 billion in video game revenue in 2019. The top video game of 2019, Call of Duty: Modern Warfare, racked up $1 billion in sales in the last two months of 2019 alone. Call of Duty is still the number one video game in terms of sales nearly a year later.

Data Risk

One of the reasons the game remains so popular is the same reason why video games represent a significant data risk: someone can play Call of Duty online for free and make in-game purchases. When someone goes to the movies, they don’t give away personal information to buy their ticket. However, when someone wants to play video games online, they have to share lots of data.

The Impacts on Fortnite

Nearly 2.7 billion people play video games, and at least 500 million of them play games online; 350 million just play Fortnite. While the online battle game is free to play, Fortnite makers gross $2.4 billion a year in in-game purchases. It’s what attracts data thieves; the combination of player gaming data and people willing to spend lots of money.

Research published by Night Lion Security calculates more than two billion online video game player profiles have been breached in 2020 based on the number sold, or for sale, in underground online forums. It adds up to roughly $1 billion in illicit gaming data sales each year. Of those, Fornite player account information is the most valuable at approximately $600 million per year.

Why? It’s not just personal information being stolen. Instead, its profile gaming data, including game achievements and player personas known as “skins.” With the right skin, a user can become an elite level player without having to play Fortnite or defeat hundreds of players to get to the top of the heap.

Night Lion notes that one highly prized skin commands as much as $2,500 on the black market. Between reselling elite and average player accounts, data thieves who specialize in Fortnite skins earn an average of $25,000 per week, nearly $1.3 million per year.

How Do Data Thieves Do It?

Cybercriminals use automated tools that compare login and password information from past data breaches to active Fornite accounts, at a rate of almost 500 accounts per second. To cover their tracks, the data thieves use masking tools that go for as little as $15 on the dark web.

What You Need to Do

The best security tools in the world cannot help protect gaming data if players use the same logins and passwords on more than one game account.

  • If you or a family member plays a popular video game, including Fortnite, make sure the game credentials are unique for each game
  • Also, create a unique passphrase and set up two-factor authentication to prevent misuse of your player profile and personal information

If you do not, it could be game over.

notifiedTM

For more information about the latest data breaches, consumers and businesses should visit the ITRC’s new data breach tracking tool, notified. It is updated daily and free to consumers. Organizations that need comprehensive breach information for business planning or due diligence can access as many as 90 data points through one of the three paid notified subscriptions. Subscriptions help ensure the ITRC’s identity crime services stay free.

Contact ITRC

If you believe you are the victim of an identity crime, or your identity has been compromised in a data breach, you can speak with an ITRC expert advisor on the website via live-chat, or by calling toll-free at 888.400.5530. Finally, victims of a data breach can download the free ID Theft Help app to access advisors, resources, a case log and much more.

Join us on our weekly data breach podcast to get the latest perspectives on the last week in breaches. Subscribe to get it delivered on your preferred podcast platform.


Read more of our latest articles below

Right now, there is a particular kind of data exposure that is mystifying security experts around the world. Every week, the Identity Theft Resource Center (ITRC) takes a look at some of the top data compromises of the previous week in our Weekly Breach Breakdown podcast. This week, we are looking at an attacker who is erasing insecure cloud databases and leaving a single word as their calling card: meow. Yes, it is a “meow” attack.

Where It All Began

The story begins 20 years ago when threat actors were known as hackers. They were just as likely to be your neighbors’ kid than a criminal mastermind in a foreign country. For visual, you can think of the 1980’s movie War Games where Matthew Broderick breaks into a super-secret pentagon weapons system to challenge the computer to a game of thermonuclear war and tic-tac-toe.

Fast forward to today, and the average threat actor is part of a well-organized criminal enterprise where stealing and selling personal and company information is the bottom line. It is a multi-billion-dollar business that runs like a regular business – that is, if it weren’t illegal.

Unsecured Databases

Every week the ITRC talks about data breaches from the previous week and how they happen. In July, one week we focused on the top reasons data breaches occur, and pointed out that IBM’s latest research shows misconfigured cloud databases are tied for the number one reason personal information is compromised, even if it is not stolen.

Unsecured databases have been a growing cybersecurity problem since 2018, and some of the world’s biggest data compromises have been the result of poor cybersecurity practices. In 2019, a mystery web database containing four billion records linked to 1.2 billion people had no password protection and was accessible on any web browser.

Later in 2019, databases that included hundreds of millions of records were exposed at First American Financial Corp., email validation firm Verifications.io, and Capital One Bank.

What Is Happening Today

Now, in a throwback to the time before professional hackers, either someone or some group is trolling the internet using the same automated tools as professional data thieves. They are looking for cloud databases that do not have proper security. However, instead of stealing the information, the Grey Hat attacker is deleting the information it finds and is replacing it with the word meow.

As ITRC COO James Lee says in the podcast, “In other words, a modern-day Robinhood is treating the internet as their own personal Sherwood Forest and taking from the data-rich to protect the personal information of the masses.”

When the Attacks Were Discovered

The “meow” attacks were discovered in early July by cybersecurity researcher Bob Diachenko. Diachenko has since identified more than 4,000 “meow” attacks, including one where 3.1 million patient records were erased at a medical software company because the database housing the sensitive information did not have a password to secure the data.

What the ITRC Recommends

The ITRC disapproves of vigilante justice, even when protecting consumers from having their personal information misused. The ITRC condones and strongly encourages businesses to make sure they have properly configured their security tools before putting an internet-accessible cloud database into production. To use a pun, doing so may help “keep the cat in the bag,” where it belongs.

notifiedTM

For more information about the latest data breaches, consumers and businesses should visit the ITRC’s new data breach tracking tool, notified. It is updated daily and free to consumers. Organizations that need comprehensive breach information for business planning or due diligence can access as many as 90 data points through one of the three paid notified subscriptions. Subscriptions help ensure the ITRC’s identity crime services stay free.

If you believe you are the victim of an identity crime, or your identity has been compromised in a data breach, you can speak with an ITRC expert advisor on the website via live-chat, or by calling toll-free at 888.400.5530. Finally, victims of a data breach can download the free ID Theft Help app to access advisors, resources, a case log and much more.

Join us on our weekly data breach podcast to get the latest perspectives on the last week in breaches. Subscribe to get it delivered on your preferred podcast platform.



Read more of our latest news below

Being Able to Identify a Phishing Attack is More Important Now Than Ever

Netflix Email Phishing Scam Could Steal Credit Card Information

Hacked Dating Apps are a Popular Target for Social Engineering Scams

There are different types of data breaches, but they all have frustrating, as well as potentially devastating impacts. On this week’s Weekly Breach Breakdown podcast, we are taking a look at the difference between a data breach that exposes consumer information and a data breach that reveals a company’s intellectual property or trade secrets; companies attacked by ransomware that do both is on the rise.

A Tale of Two Breaches

The current digital age can be viewed as the best of times and the worst of times, especially when it comes to data use, privacy and security. While many consumers enjoy unprecedented levels of convenience and prosperity, thanks to technology, there are also significant pitfalls. Despite billions of dollars in cybersecurity investments, personal and corporate information is exposed daily due to malicious and accidental events.

While many people view data breaches as personal information being stolen from companies about individuals, it is becoming more common for threat actors to target more than consumer data. Instead, many hackers are looking to get their hands on company secrets by landing a successful ransomware attack, leading to the company’s intellectual property being breached.

By August 15, more than 25 Fortune 500 companies were attacked by ransomware, where company intellectual property was at risk.

Nintendo

In July, the Identity Theft Resource Center (ITRC) posted about an attack on Nintendo, who refused to pay the data kidnappers’ ransom demands. As a result, the data thieves posted massive amounts of proprietary data on the internet, including game prototypes. At the time of the attack, it was believed to be a one-off. However, within days, two more global organizations found their company data being posted on the web for everyone to see after refusing to pay ransomware demands.

LG

Electronics and appliance manufacturer, LG, found source code for their mobile phones and laptops posted on a ransomware site. The ransomware group, Maze, released a statement that said they did not want to disrupt LG’s customers as part of the company’s data breach, so they opted to release the stolen intellectual property publicly rather than shut down LG’s systems.

Xerox

At Xerox, a digital document product company, information was released after the company refused to pay a ransom demand that involved customer service systems, but not customer information.

Carnival Cruise Lines & Jack Daniels

Just last week, household names like Carnival Cruise Lines and the makers of Jack Daniels Whiskey joined the list. In the case of Jack Daniels, the company claimed the attack was blocked. However, the attackers claim they were successful and threatened to release the data they stole.

Why the sudden increase in companies attacked by ransomware?

While there are multiple reasons why a company might fall prey to a ransomware attack, the new variable in the equation is people working from home as a result of the COVID-19 pandemic. A survey released this week by the security firm Malwarebytes indicates that companies are seeing more attempted, and successful, attacks aimed at exploiting the weaker security that is usually associated with remote workers.

The research spotlights why there is an increase in companies attacked by ransomware:

  • 20 percent of respondents have faced a security breach as a result of a remote worker
  • 24 percent have spent unbudgeted money to resolve a security breach or malware attack
  • 28 percent admit to using personal devices for work more than their company devices, which could open the door to cyberattacks
  • 18 percent say cybersecurity is not just a priority for their employees

If employees are working from home or managing a team of remote workers, they should make sure they are following best practices for protecting their personal information and company data. Anyone needing more information about how to protect their work information should ask their company’s IT security team or contact the ITRC for tips on how to protect their personal information.

notifiedTM

For more information about the latest data breaches, consumers and businesses should visit the ITRC’s new data breach tracking tool, notified.  It is updated daily and free to consumers. Organizations that need comprehensive breach information for business planning or due diligence can access as many as 90 data points through one of the three paid notified subscriptions. Subscriptions help ensure the ITRC’s identity crime services stay free.

If someone believes they are the victim of an identity crime, or their identity has been compromised in a data breach, they can speak with an ITRC expert advisor on the website via livechat, or by calling toll-free at 888.400.5530. Finally, victims of a data breach can download the free ID Theft Help app to access advisors, resources, a case log and much more.

Join us on our weekly data breach podcast to get the latest perspectives on the last week in breaches. Subscribe to get it delivered on your preferred podcast platform.


Read more of our latest news below

Being Able to Identify a Phishing Attack is More Important Now Than Ever

Netflix Email Phishing Scam Could Steal Credit Card Information

Hacked Dating Apps are a Popular Target for Social Engineering Scams

The recent social-good relationship management software data breach has nonprofit organizations left to figure out what to do next. Blackbaud, a cloud software company, used primarily by nonprofits, recently announced that they were the victim of a ransomware attack. The number of people affected is still unknown, and more information needs to be gathered to judge the actual scope of the attack. People who engage with organizations that utilize Blackbaud could be at risk of scams and social engineering.  

What Happened

In May 2020, a ransomware attack was partially thwarted. However, the perpetrator copied a subset of data before being locked out. The hackers then offered to delete the data for an undisclosed amount of money. According to Blackbaud, they paid the ransom and received confirmation that the copy they removed had been destroyed. However, the confirmation was not detailed. Blackbaud says they have no reason to believe that any data went beyond the cybercriminal, was or will be misused. The information exposed in the breach includes telephone numbers, email addresses, dates of birth, mailing addresses, donation dates, donation amounts and other donor profile information. Right now, the University of Detroit Mercy is the only third-party vendor to report Social Security numbers being involved. Blackbaud is now calling the incident a security incident.

How it Can Impact You

While no personally identifiable information (PII) has been reported stolen, aside from at the University of Detroit Mercy, no one knows if there has been more PII stolen except for the hackers. Consumers impacted by the Blackbaud data breach could be at risk of scams (particularly giving and donation scams) and social engineering tactics. Multiple sectors were also impacted by the attack.

Healthcare Sector

Healthcare organizations all over the world use Blackbaud as their cloud software company. According to Blackbaud, 30 of the top 32 largest nonprofit hospitals are powered by their solutions. The Identity Theft Resource Center (ITRC) has seen multiple data breach notices from healthcare organizations affected by the Blackbaud data breach. Since the breach impacted donors primarily, it could mean those individuals may be more susceptible to being targeted by fraudsters in the future. As of this writing, no personal health information (PHI) has been involved.

Education Sector

Blackbaud plays a significant role in the education sector. They offer school management software to K-12 schools, as well as universities. Some of the management software includes student information, learning management, enrollment management and school websites. Many schools and districts have acknowledged they were impacted by the Blackbaud data breach. Most of the information involved includes donor information, alumni information and student demographic information.

Nonprofit/NGO Sector

Blackbaud is a service that is primarily by nonprofits. Blackbaud offers an array of software services that cater to nonprofits all over the world, but are best known for their customer relationship management (CRM) tools. Many nonprofits use these to nurture their donors and fundraising. The range of types of nonprofits affected by the attack is vast. In fact, some Blackbaud nonprofits continue to come forward about whether or not they may have been impacted. Now, many nonprofits are trying to figure out their next steps for how to securely manage their CRM needs.  

What You Need to Do

The Blackbaud data breach and its impacts on businesses and consumers are specific to each affected entity and customer. Blackbaud has said that it notified its affected customers of the breach, and those customers should be notifying their impacted individuals. Depending on what information was exposed, the steps for those affected individuals could vary. Anyone who receives a notification letter regarding the Blackbaud data breach should not dismiss the letter and take the recommended steps in the notice.

The biggest threat, based on the data compromised, is social engineering. Employees of the nonprofit organizations impacted by the breach may receive emails that look like they are from an executive, in an attempt at spear phishing. Donors and members of the nonprofit organizations impacted by the Blackbaud data breach may receive messages asking to provide their personally identifiable information (PII) to update their contact or financial information, either directly through the email or through a link that does not actually belong to the nonprofit they are affiliated with. If an employee comes across an email they find suspicious, they should go directly back to the person it claimed to come from and verify the validity of the message if it is internal. If it is someone claiming to be from outside the organization, it should be run by their manager, IT services or someone who would be familiar with the relationship.

Anyone who believes they were impacted by the Blackbaud data breach can call the ITRC toll-free at 888.400.5530. They can also live-chat with an expert advisor. Another option if the free ID Theft Help app. The app has resources for victims, a case log, access to an advisor and much more.


You might also like…

Being Able to Identify a Phishing Attack is More Important Now Than Ever

Netflix Email Phishing Scam Could Steal Credit Card Information

Hacked Dating Apps are a Popular Target for Social Engineering Scams

A recent data breach of Dave, an online banking service, has users of the service searching for answers. Hackers often target digital banking services for their plethora of consumer records. In 2018, hackers leaked the information of 2.8 billion consumer data records, costing $654 billion in damages to U.S. organizations. Additionally, since the start of COVID-19, there has been a 50 percent increase in mobile banking. Dave is a fintech company that allows users to link their bank accounts and loan payments for upcoming bills to avoid overdraft fees. The Dave.com data breach occurred after the company’s third-party service provider, Waydev, was breached, allowing hackers access to over seven million users’ data.

What Happened

Dave suffered an attack, resulting in 7,516,625 user records being published on RAID, a hacker forum. Some of the information that was exposed from the Dave.com data breach included names, emails, birth dates, physical addresses, phone numbers, encrypted Social Security numbers and Bcrypt hashed passwords. The company uncovered the hacker’s access point into the database and has since notified customers of the exposure. After becoming aware of the incident, Dave enlisted law enforcement and the FBI to conduct an ongoing investigation, according to ZDNet.

What Does This Mean for You?

While there is no evidence that hackers have used the data from the Dave.com data breach to gain access to accounts or conduct any unlawful actions, there is still a lot of harm that could potentially be done. One threat is social engineering, where someone manipulates someone else into divulging personal information. Since multiple forms of information were exposed, there is an even higher and potentially more harmful risk for those impacted.

While the threat level is not as high as social engineering, hackers could also target victims with mail-forwarding and sign up for accounts with the victim’s information.

Next Steps to Take

Affected users of Dave should consider taking immediate action to minimize the risks of identity theft. Some important next steps include:

  • Change the usernames and passwords on any accounts that share a username and password with their Dave.com account – opt for a stronger, unique passphrase
  • Look out for account sign-ups and websites which they are not familiar
  • Avoid clicking on any links or opening any attachments in messages they are not expecting or giving out personal information on the phone. Instead, users should reach out directly to verify the validity of the message.

Anyone affected by the Dave.com data breach can call the Identity Theft Resource Center (ITRC) toll-free at 888.400.5530 for more information on the next steps they need to take. They can also live-chat with an expert advisor. Finally, victims should consider downloading the free ID Theft Help app for access to resources, a case log to track their activities in managing their data breach case and much more.

You might also like…

Being Able to Identify a Phishing Attack is More Important Now Than Ever

Netflix Email Phishing Scam Could Steal Credit Card Information

Hacked Dating Apps are a Popular Target for Social Engineering Scams

Significant and negatively impactful data breaches in the healthcare industry have happened for a long time. Back in 2015, Anthem suffered a massive data breach that led to as many as 80 million people having their information stolen. In 2019, third-party billings and collection agency, American Medical Collection Agency (AMCA), suffered a data breach that affected over 24 million people and 20 healthcare entities. That included Quest Diagnostics, who had 11.9 million patients impacted. More recent healthcare data breaches include Florida Orthopaedic Institute, University of Utah Health and PaperlessPay.

What Does it Mean to You?

Data breaches in the healthcare industry continue to happen because of the availability of both personally identifiable information (PII) and personal health information (PHI) available to bad actors. Hackers can do a lot of damage with access to sensitive PHI and PII, like Social Security numbers, health insurance numbers, drivers licenses or identification numbers, medication lists, conditions, diagnoses and financial information. Fraudsters can submit use this data to file fraudulent health insurance claims, apply for medical care and prescription medications, use the information on billing and much more.

According to the Protenus 2020 Breach Barometer, in 2019,  data breaches in the healthcare industry continued to be a problem, involving sensitive patient information, with public reports of hacking jumping 48.6 percent from 2018. The 2020 IBM Report on the average cost of a data breach reported that the most expensive attacks in 2019 occurred in the healthcare sector. According to the Identity Theft Resource Center’s (ITRC) 2019 Data Breach Report, there were 525 medical and healthcare data breaches in 2019, exposing over 39 million sensitive records. The medical and healthcare sector had the second-highest number of breaches and sensitive records exposed of all the sectors the ITRC tracks.

What Can You Do?

Data breaches in the healthcare industry will continue to happen because of the troves of information. However, there are things consumers can do to reduce their risk.

  • Victims should change their username and password for their affected healthcare account
  • Consumers should also change their username and password on any other accounts that have the same username or password as their healthcare account
  • Depending on what piece of PHI is exposed, victims should contact the affected healthcare provider to see what steps need to be taken

Victims of a data breach in the health care industry can call the ITRC toll-free at 888.400.5530 for more information on the next steps they need to take. They can also live-chat with an ITRC expert advisor.

Victims are also encouraged to download the free ID Theft Help app. The app has tools for data breach victims, including a case log to track all of their steps taken, access to helpful resources during the resolution process, instant access to an advisor and much more.


Read more…

Being Able to Identify a Phishing Attack is More Important Now Than Ever

Netflix Email Phishing Scam Could Steal Credit Card Information

Hacked Dating Apps are a Popular Target for Social Engineering Scams

Another week has gone by, and in this week’s Weekly Breach Breakdown, the Identity Theft Resource Center (ITRC) highlights a handful of data compromises that could leave a big impact on businesses and consumers. The ITRC has been tracking publicly-notified U.S. data breaches since 2005 to look for patterns, new trends and any information that could better help educate on the need for understanding the value of protecting personally identifiable information (PII). Some of the data compromises highlighted this week include CVS, Walgreens and Walmart pharmacy data breaches with a unique twist; an athlete recruiting tool; and one state’s taxpayer system. All of these breaches have one thing in common: they are relatively small data events that can still leave a lasting impact.

CVS, Walgreens and Walmart Pharmacy Data Breaches

Three well-known companies suffered from individual pharmacy data breaches. It wasn’t a cyberattack or failure to secure their electronic records; instead, some of their stored health information was physically stolen, leaving the potential for a serious impact on the individuals whose information was exposed. During recent protests in several cities, pharmacies owned by Walmart, Walgreens and CVS were looted. Paper files and computer equipment containing customer information was taken from individual stores, not the companies at-large. The missing information included prescriptions, consent forms, birth dates, addresses, medications and physician information. All three companies affected by the pharmacy data breaches notified impacted patients, but only CVS released the number of customers involved – 21,289.

Front Rush Data Compromise

The next data compromise includes student-athlete recruiting tool, Front Rush. Front Rush recently notified 61,000 athletes and coaches that their information was open to the internet due to a misconfigured cloud database for four years. In a notice to individuals impacted, Front Rush acknowledged that they could not tell if anyone accessed or removed any PII while it was exposed to the web from 2016-2020. Some of the personal information in the database included: Social Security numbers, Driver’s Licenses, student IDs, passports, financial accounts, credit card information, birth certificates and health insurance information.

The Vermont Department of Taxes Data Compromise

The state of Vermont recently notified more than 70,000 taxpayers that the online credentials they used to file certain types of tax forms had been exposed on the internet since 2017. State officials say they lacked the tools to tell if the information was downloaded from their systems by threat actors, but they believe the risk of an identity crime is low. However, the State Department of Taxes is recommending taxpayers take precautions like monitoring bank and credit accounts, reviewing credit reports and reporting any suspicious activity to local law enforcement.

What it Means

Stolen credentials like logins and passwords, like the information breached in Vermont, are currently the number one cause of data breaches, according to IBM. However, that is tied with misconfigured cloud security that leads to data being exposed to the web, as in Front Rush. Misconfigured cloud security generally means that someone forgot to set up a password or other security tool when they configured the database. Stolen physical records and devices ranks five out of ten on the attack scale for the most common attack vectors.

For more information about the latest data breaches, subscribe to the ITRC’s data breach newsletter.

NotifiedTM

Keep an eye out for the ITRC’s new data breach tracker NotifiedTM. It is updated daily and free to consumers. Businesses that need comprehensive breach information for business planning or due diligence can access as many as 90 data points through one of the ITRC’s three paid subscriptions. Subscriptions help ensure the ITRC’s free identity crime services stay free. Notified launches later this month.

If someone believes they are the victim of identity theft or their information has been compromised in a data breach, they can call the ITRC toll-free at 888.400.5530 to speak with an expert advisor. They can also use live-chat. Finally, victims of a data breach can download the free ID Theft Help app to access advisors, resources, a case log and much more. Join us on our weekly data breach podcast to get the latest perspectives on the last week in breaches. Subscribe to get it delivered on your preferred podcast platform.


 You might also like…

Being Able to Identify a Phishing Attack is More Important Now Than Ever

Netflix Email Phishing Scam Could Steal Credit Card Information

Hacked Dating Apps are a Popular Target for Social Engineering Scams