Categories
Mobile Syrup

Indigo employees face data breach due to ransomware attack on website

As a result of a ransomware attack on the website of Indigo Books & Music Inc., current and former employees are facing a major data breach. It’s being reported by The Globe and Mail that personal data, including social insurance numbers, home addresses, banking information, and more, have been compromised.

On Thursday, Indigo president Andrea Limbardi sent a memo to staff regarding the data breach. “We recently learned that your personal information may have been acquired by an unauthorized third party between Jan. 16, 2023, and Feb. 8, 2023,” the memo states. As seen by The Globe and Mail, the memo continues to state, “We know this may be concerning news to receive and are deeply sorry for this breach of your information.”

Current and former employees of Canada’s largest bookstore now have to worry about possible identity theft and/or fraud. The data breach appears to have also compromised emails, phone numbers, full addresses, birth dates, and banking information. Further, direct deposit information and individual bank and branch numbers are at risk.

“You should consider contacting your local police and visit the Canadian Anti-Fraud Centre for support,” Limbardi informs staff. “You should also review the RCMP’s Identity Theft and Identity Fraud Victim Assistance Guide for steps you can take.”

Earlier this month, Indigo suffered a fairly significant breach. The company clarified that the “cybersecurity incident” created a number of hiccups for those attempting to access bookstores and online purchases at the time. However, Indigo was quick to reveal that customer information wasn’t compromised. Additionally, the company’s Plum points reward system remains unaffected.

Within the memo, Indigo tells employees that it plans to support them with “additional assurance and protection.” The company will be working with TransUnion. It’s said the agency will notify staff of any “critical changes” to their credit scores. Additionally, Indigo is setting staff up with a two-year subscription to TransUnion myTrueIdentity “at no cost.”

Image credit: Shutterstock

Source: The Globe and Mail

2K confirms support site data breach, warns personal data is likely compromised

2K, the publisher behind NBA 2K, BioShock and more, is facing a security breach. The company is reaching out to players via email, notifying them of the personal data compromise.

On September 19th, 2K’s help desk platform was compromised. “Earlier today, we became aware that an unauthorized third party illegally accessed the credentials of one of our vendors to the help desk platform that 2K uses to support our customers,” 2K tweeted at the time. Following this, the publisher confirms the breach is resulting in the theft of personal information.

“We are contacting you to let you know that an unauthorized third party gained access to, and a copy of, a limited volume of your personal data held in 2K’s helpdesk system and made it available for sale,” 2K said in an email. One Reddit user posted the email in full, highlighting the publisher’s notice.

2K confirms that the names of players, emails, Gamertags, console details and other sensitive information provided to the company are compromised. However, the publisher is reluctant to state whether financial information has also been breached. “There’s no indication that any of your financial information or password(s) held on our systems were compromised,” the company claims.

It appears as though whoever is behind the hack is already contacting players. 2K warns players that malicious links and phishing scams may have been sent via the support portal under the guise of 2K. In this case, these links may lead to further compromising sensitive data such as passwords stored on their devices. The support portal is now back online. 2K recommends players “be vigilant for unauthorized third parties.”

To be clear, it appears as though this breach predominantly affects those who have contacted 2K via the support portal. The breach doesn’t seem to affect players who actively play 2K games or have a 2K account. However, it’s always worth staying vigilant across all of your accounts.

2K is reeling from not one but two major breaches recently. Subsidiary Rockstar Games got hit with one of the largest gaming leaks last month. Over 90 videos of the unannounced Grand Theft Auto 6 were stolen and leaked due to a “network intrusion.” The FBI is now investigating the 17-year-old hacker accused of infiltrating the studio’s systems.

Image credit: 2K

Via: GamesRadar

Plex warns users to change passwords following data breach

Digital media player and streaming service Plex sent a letter to users warning that a “third-party was able to access a limited subset of data,” including emails, usernames, and encrypted passwords.

Plex said it already addressed the method the attacker used to gain access to its systems and is doing additional security reviews. Moreover, the company said it doesn’t store credit card or other payment data on its servers, and so the attacker was not able to gain access to that data. Finally, Plex says it is requiring all Plex accounts to reset passwords “out of an abundance of caution.”

However, Plex did not share what method the attacker used to gain access.

Interestingly, ‘Have I Been Pwned’ creator Troy Hunt was “pwned” in the Plex breach. Hunt tweeted a copy of the letter along with a reminder that users can’t do anything to avoid being caught in a breach, but they can take steps to lessen the impact of breaches. For example, using a password manager to generate unique, random passwords for each account, as well as using two-factor authentication (2FA), can help mitigate the severity of security breaches.

If you use Plex, you should go change your account password now. However, it’s worth noting that several users report having issues with changing their password — per Hunt’s tweets, it seems there’s an issue with the option to sign out connected devices after changing the password. As such, anyone having issues changing their Plex password should uncheck the option to sign out connected devices as that should fix the problem.

Source: Troy Hunt (Twitter) Via: Engadget

Twitter data breach exposed contact details of 5.4 million accounts

An attacker allegedly gained access to the contact details of 5.4 million Twitter accounts through a vulnerability Twitter has known about for months.

The data exposed in the attack ties Twitter handles to phone numbers and email addresses, even for users who have restricted the ability to be found on Twitter this way. The attacker offered a sample of the data on a hacking forum and is selling the full database for “nothing lower than 30k” (presumably USD, or roughly $38,505 CAD).

Restore Privacy detailed the breach, noting that the attacker claims the dataset ranges from “Celebrities, to Companies, randoms, OGs, etc.” Moreover, the publication reports that the owner of Breach Forums verified the authenticity of the leaked data and said it was extracted via a vulnerability reported in January.

That vulnerability, detailed in a HackerOne post from user ‘zhirinovskiy,’ exploits a bug with Twitter’s Android app and the Twitter authorization process and can obtain the Twitter ID of any user by submitting a phone number or email. zhirinovskiy describes Twitter IDs as “almost equal to” the username of an account.

Five days after the report, Twitter staff acknowledged it as a “valid security issue” and, after investigating, awarded zhirinovskiy a $5,040 USD bounty (about $6,469 CAD).

9to5Mac notes that the attacker likely obtained existing databases of phone numbers and emails from other breaches, then used those with the Twitter breach to connect them with existing Twitter IDs. So far, there isn’t a way to check if your account is included in the breach. The best thing Twitter users can do is be aware of phishing scams and avoid clicking links in emails or texts, especially if they come from an unknown or untrusted source.

News of the breach comes as Twitter takes aim at Elon Musk, blaming the Tesla CEO for lower-than-expected quarterly earnings.

Source: Restore Privacy Via: 9to5Mac

Ikea Canada internal data breach impacts an estimated 95,000 Canadians

Ikea Canada has suffered a security breach, affecting upwards of 95,000 Canadians. The company is working to prevent third parties from storing, accessing, and using said data. Ikea Canada submitted a report to the Office of the Privacy Commissioner of Canada (OPC).

Global News confirmed the breach. As a result of it, the personal information of customers appeared in the results of generic searches made by an employee between March 1st and March 3rd.

Calgary-based customer Arthur Gallant received an email from Ikea with a notice that his privacy was breached. “It’s cold comfort to be told my financial information was not accessed,” Gallant said in an interview with Global News. “Because the information that was accessed is still pretty private.” Ikea Canada confirms that no financial or banking information was accessed during the breach.

Ikea Canada states that “actions to remedy this situation” are being taken as a result of the breach. The company is reviewing internal processes and is reminding co-workers of their “obligation to protect customer information.”

Following its report to the OPC, officials are in communication with the company to address the situation. However, the next steps are reportedly unknown currently.

While financial information was not accessed, customer names, emails, phone numbers and postal codes were among the data. Customers’ Ikea Family loyalty numbers may also have been leaked.

As with any privacy breach, Ikea Canada encourages customers to take appropriate caution.

Image credit: Ikea

Source: Global News

Ford government says Ontario vaccine portal is still secure following data breach

The Ontario government says residents should still be confident in the province’s vaccine booking portal, even though the government failed to disclose a suspected security breach that resulted in a police investigation and charges against a government employee.

As reported by CTV News, the Ontario Provincial Police (OPP) cyber crimes unit was “immediately engaged” and quickly started an investigation after learning about the breach on November 17th. The government asked the OPP to investigate after it received reports that residents received spam text messages from people who had scheduled appointments or accessed their vaccine certificates through the provincial vaccine portal.

The spam messages were “financial in nature,” according to Ontario’s Solicitor General, who also said the investigation confirmed that no personal health information was accessed and that the COVID-19 vaccine booking system “remains secure.”

CTV News reports that multiple residents received text messages with either their full names or their children’s full names, all with slightly differing requests.

Investigators executed two search warrants on November 22nd, one in Ottawa and the other in Quebec, related to the security breach. 21-year-old Gloucester resident Ayoub Sayid — who police say was an employee of the Ontario Ministry of Government and Consumer Services in the vaccine contact centre — and 22-year-old Rahim Abdu from Vaudreuil-Dorion, Quebec, were taken into custody and charged with Unauthorized Use of a Computer contrary to s. 342.1(1)(c) of the Criminal Code. The charges have not been proven in court.

Despite the arrests, the Official Opposition has criticized Premier Doug Ford’s government for failing to notify the public. Instead, concerned residents shared reports about the breach on social media, and the Ford government only confirmed it after inquiries from the media.

“The government knew this was happening and they chose to keep it under wraps,” said NDP leader Andrea Horwath.

Source: CTV News

Twitch confirms data breach, leaker calls community a ‘toxic cesspool’

Popular streaming platform Twitch confirmed on Twitter that it suffered a data breach.

The Amazon-owned service says its “teams are working with urgency to understand the extent of this.”

Hackers accessed Twitch’s source code and published over 125GB of data online from Twitch and related services.

The data includes the source code for Twitch and an unreleased Steam competitor from Twitch’s parent company, Amazon. The leaked information also included three years’ worth of payouts to Twitch creators. Further, the massive leak was labelled ‘part one,’ suggesting more data could come in the future.

The person who posted the leak claims it’s meant to “foster more disruption and competition in the online video streaming space” and called the Twitch community “a disgusting toxic cesspool.”

It’s worth noting that Twitch has recently struggled to deal with ‘hate raids.’ Creators took a day off last month to protest and bring attention to the increased harassment and hate raids plaguing the platform. Considering the comment about Twitch’s community, it’s possible the attack could be related to the ongoing harassment issue.

Although the leak doesn’t appear to include passwords or address information for users, that doesn’t mean hackers didn’t obtain that information in the breach. If you use Twitch, you should probably update your password and add two-factor authentication (2FA).

The leak includes the following information:

  • Three years of Twitch creator payouts
  • The entirety of twitch.tv, including “commit history going back to its early beginnings”
  • Source code for the mobile, desktop and video game console Twitch clients
  • Code from proprietary SDKs and internal Amazon Web Services (AWS) used by Twitch
  • An unreleased Steam competitor from Amazon Game Studios
  • Data on related Twitch properties like IGDB and CurseForge
  • Twitch’s internal security tools

Ultimately, it appears hackers targeted Twitch and its systems rather than users. But again, this is also allegedly the first part of a larger leak. It also remains unclear how hackers gained access to so much Twitch data and whether they exploited a larger flaw in AWS. If so, that could pose significant problems since AWS powers such a large amount of the internet.

Source: Twitch Via: The Verge, Engadget