Categories
Mobile Syrup

Over 200 million email addresses leaked in Twitter breach

Hackers have posted usernames and email addresses belonging to over 200 million Twitter users in a database. The data was compiled from several Twitter breaches dating back to 2021, and while the online database does not include passwords, the collection of data will likely pose a security threat to those exposed.

Several reports from security researchers and media outlets, including The Verge and Bleeping Computer, have detailed the breach, with researcher Alon Gal warning the breach “will unfortunately lead to a lot of hacking, targeted phishing, and doxxing.”

Bleeping Computer shared screenshots of the database, revealing it contains several text files listing email addresses alongside the linked Twitter usernames and real names (where users had shared their real names with Twitter). The database also includes information like users’ follower counts and account creation dates. Bleeping Computer also said it was able to confirm the validity of many email addresses included in the leak. The database is being sold on one hacking forum for as low as $2 USD.

Troy Hunt, who created the cybersecurity alert site ‘Have I Been Pwned’ to help people check if their phone number or email was included in a data breach, posted on Twitter that he found 211,524,284 unique email addresses in the Twitter breach. “[The breach] looks to be pretty much what it’s been described as,” Hunt wrote.

The breach has since been added to Have I Been Pwned so Twitter users can head to the site and check if their information was included in the breach.

As mentioned above, the Twitter breach can trace its origins back to 2021 when hackers found a vulnerability in Twitter’s security systems. That vulnerability allowed malicious actors to look up accounts with an automated system that entered email addresses and phone numbers to see if they were associated with Twitter accounts.

Twitter disclosed the vulnerability in August 2022 and claimed it fixed the issue in January after it was reported as a bug bounty. Moreover, Twitter said at the time it had “no evidence to suggest someone had taken advantage of the vulnerability,” but cybersecurity researchers had already found databases of Twitter credentials for sale in July 2022. This latest database of Twitter info appears to have origins in the old vulnerability.
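A defender’s illustration of the lookup flaw described above, written for this page and not Twitter’s code: a contact-lookup handler that answers differently for known and unknown emails or phone numbers lets an automated caller confirm which contacts belong to accounts, while the hardened version answers uniformly and throttles each caller. The account directory and caller IDs are constructed sample data.

```python
"""Account-lookup enumeration: leaky handler beside a hardened one."""
from collections import defaultdict

# Constructed sample directory: contact -> account handle (hypothetical).
ACCOUNTS = {
    "alice@example.com": "alice_handle",
    "+15550100": "bob_handle",
}


def lookup_vulnerable(contact: str) -> dict:
    """Leaks account existence: the reply differs for known vs unknown contacts,
    so an automated caller can test a list of emails/phones one by one."""
    handle = ACCOUNTS.get(contact)
    if handle is None:
        return {"found": False}
    return {"found": True, "handle": handle}


class HardenedLookup:
    """Hardened variant: uniform reply to the caller plus per-caller throttling.

    Any real work (here: queuing a notice to the account owner) happens
    out of band, so the caller learns nothing about whether a match existed.
    """

    def __init__(self, limit_per_window: int = 5):
        self.limit = limit_per_window
        self.calls = defaultdict(int)   # caller_id -> requests this window
        self.outbox = []                # notices queued to account owners

    def lookup(self, caller_id: str, contact: str) -> dict:
        self.calls[caller_id] += 1
        if self.calls[caller_id] > self.limit:
            # Throttling blunts bulk automated probing even if a leak existed.
            return {"status": "rate_limited"}
        handle = ACCOUNTS.get(contact)
        if handle is not None:
            # Side effect goes to the owner, never back to the caller.
            self.outbox.append((handle, "Someone looked up your account"))
        return {"status": "ok"}          # identical for hit and miss


if __name__ == "__main__":
    print(lookup_vulnerable("alice@example.com"), lookup_vulnerable("x@example.com"))
    svc = HardenedLookup(limit_per_window=2)
    print(svc.lookup("probe", "alice@example.com"), svc.lookup("probe", "x@example.com"))
    print(svc.lookup("probe", "y@example.com"))
```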

Source: The Verge, Bleeping Computer

Hackers breached Mailchimp, targeted crypto holders with phishing scams

Email marketing firm Mailchimp confirmed over the weekend that hackers breached an internal tool and used it to access 300 user accounts and steal audience data from 102 of those accounts.

The breach was outed first by Trezor (via Bleeping Computer), a company that makes hardware wallets for cryptocurrency. Trezor used Mailchimp to send newsletters to customers.

Following the breach, several customers received phishing emails that appeared to be from Trezor and warned of a “security incident.” The emails prompted users to download a malicious version of Trezor’s app to reset their hardware wallet PIN. If installed, the malicious app could have allowed hackers to steal users’ cryptocurrency.

Mailchimp’s chief information security officer (CISO), Siobhan Smyth, told TechCrunch that the company became aware of the breach on March 26th. Smyth explained that a malicious actor accessed a tool used by its customer support staff and account administration teams through a successful social engineering attack — social engineering refers to manipulating people and exploiting human error to gain private information, such as login credentials.

“We acted swiftly to address the situation by terminating access for the compromised employee accounts and took steps to prevent additional employees from being affected,” Smyth said in the statement.

Although Mailchimp declined to share with TechCrunch what data hackers accessed in the breach, it did say that the attack targeted customers in the cryptocurrency and finance sectors. Moreover, Mailchimp said that the attackers gained access to API keys for an undisclosed number of customers — those keys potentially allow attackers to send spoofed emails that appear to be from legitimate Mailchimp customers.

Mailchimp says it has disabled those API keys and they can no longer be used. However, Smyth told TechCrunch that the company received reports that hackers used the information they obtained from user accounts to send phishing campaigns to accounts’ contacts.

Smyth declined to answer TechCrunch’s questions about whether Mailchimp would implement additional security measures. Further, Mailchimp wouldn’t disclose how many other cryptocurrency or finance customers were impacted by the breach.

As it stands, anyone subscribed to newsletters should be on alert for possible phishing scams, especially if subscribed to crypto or finance newsletters. It’s best to avoid clicking any links in emails you receive.

Moreover, MobileSyrup uses Mailchimp for its weekly newsletter but has not seen any indication that it was impacted by the breach.

Source: Bleeping Computer, TechCrunch

Microsoft confirms hackers stole partial source code for Bing, Cortana

Microsoft confirmed that hacking group ‘Lapsus$’ compromised a “single account” and accessed partial source code for Bing and Cortana.

The company confirmed the breach in a blog post and detailed what Lapsus$ — or ‘DEV-0537’ as Microsoft calls the group — got from the breach. According to Microsoft, no customer code or data was involved. The company says that Lapsus$ only compromised one account, and Microsoft’s security teams responded quickly to remediate the account and prevent further activity.

Moreover, Microsoft said that it doesn’t rely on the secrecy of source code as a security tool. In other words, Microsoft assumes attackers will access source code, and so relies on other controls to protect itself. The company made a similar remark following the massive SolarWinds breach in 2020.

Lapsus$ claimed it got access to around 45 percent of the code for Bing and Cortana, as well as some 90 percent of code for Bing Maps.

The Verge notes that the Lapsus$ group claimed to be behind several recent security attacks and said it stole data from Okta, Samsung, Ubisoft, and Nvidia. While some of the companies have admitted data was stolen, Okta refuted the group’s claims and said its service hadn’t been breached.

Microsoft wrapped up its blog post by outlining steps organizations can take to improve security, especially in regard to Lapsus$. The company described the Lapsus$ attack pattern as gaining “access through stolen credentials that enable data theft and destructive attacks against a targeted organization, often resulting in extortion.”

With that in mind, Microsoft suggests organizations require employees to use multi-factor authentication, or MFA (also called two-factor authentication, or 2FA). MFA involves using multiple methods of authenticating users, such as passwords combined with a one-time passcode (OTP) sent via email, SMS, or through an authentication app. Of the three, Microsoft recommends using a dedicated authentication app to avoid vulnerabilities with email or SMS OTP codes, such as SIM swap attacks commonly used to intercept these codes.

Source: Microsoft Via: The Verge

Twitch blames data breach on error in a ‘server configuration change’

Twitch issued a couple of minor updates following the massive security breach on Wednesday that saw the source code, creator payouts and more leaked online.

In the first of two updates posted on the Twitch blog, the Amazon-owned streaming platform said an “error in a Twitch server configuration change” caused the breach:

“We have learned that some data was exposed to the internet due to an error in a Twitch server configuration change that was subsequently accessed by a malicious third party. Our teams are working with urgency to investigate the incident.”

It’s worth noting that Facebook blamed its recent outage on a similar configuration problem.

I feel I’d also be remiss not to point out that Twitch saying “some data was exposed” downplays the breach, which allegedly leaked the entirety of Twitch. To be fair, Twitch goes on to explain that it’s still trying to “understand the impact in detail.”

Further, the streaming platform says that it has “no indication that login credentials have been exposed.”

However, reporting on login credentials is mixed. Some publications, including MobileSyrup, reported that login credentials don’t appear to be included in the over 125GB of data leaked online. 9to5Mac cites a developer going by ‘Sinoc’ on Twitter who says that the data included encrypted passwords. While the encryption hopefully will keep the passwords safe, it may be best to change your Twitch password and enable two-factor authentication (2FA) just in case.

Twitch also wrote in its first blog update that the breach didn’t expose full credit card numbers because it doesn’t store full credit card numbers.

In the second update, Twitch says it reset all stream keys “out of an abundance of caution.” That means some people may need to go here to get a new stream key and add the new key to their broadcasting software to start streaming again. The change shouldn’t impact most users, but it depends on how your stream is set up.

You can read Twitch’s updates here.

Source: Twitch Via: 9to5Mac