By Rudra Srinivas
If there is a thing or two that we can learn from the year that went by, it is the fact that our data is never safe and can be compromised at any given point. All sorts of cyber-attacks, be it data breaches, ransomware attacks, phishing campaigns, advanced attacks, and even state-backed hacking campaigns hogged limelight throughout the year in its entirety.
It is given that cyber threats are ever-evolving but before we start to analyze what will scare us the most in the future, it is important to hark back on the major security incidents that we already witnessed this year. This is a quick rundown.
Leaky Elasticsearch Server
Security researchers discovered an open Elasticsearch server that contained unique data records of around 1.2 billion users. According to security analysts Bob Diachenko and Vinny Troia, the server held more than 4 terabytes of data, without password protection or authentication.
The exposed data included names, email addresses, phone numbers, LinkedIn, and Facebook profile information. It was believed that the exposed data appeared to have originated from two different data enrichment companies—People Data Labs (PDL) and OxyData.Io (OXY).
“The data discovered on the open Elasticsearch server was almost a complete match to the data being returned by the People Data Labs API. The only difference being the data returned by the PDL also contained education histories. There was no education information in any of the data downloaded from the server. Everything else was the same, including accounts with multiple email addresses and multiple phone numbers,” the researchers said in a statement.
JustDial Data Breach
A security flaw in JustDial systems, an Indian-based local search services provider, left data of around 156 million of its users vulnerable. However, the company managed to patch the bug after a security researcher Ehraz Ahmed flagged the issue.
The researcher explained in a video that how a hacker could use any JustDial user’s phone number as username and gain access to the account by exploiting the bug. Ahmed also revealed the bug allowed hackers to change account details for JustDial’s payment option — JD Pay, allowing them to redirect all the money into their account.
JustDial clarified that no loss of data or money was reported. “We at JustDial take security seriously. There was a bug in one of our APIs which could potentially be accessed by an expert hacker. This bug has been fixed. We work with various security researchers to strengthen our platform and would like to thank Ehraz Ahmed for bringing this out to us,” JustDial said in a statement.
Capital One Data Breach
Capital One Financial Corporation, a bank holding company, disclosed a data breach in July which affected approximately 100 million individuals in the United States and nearly 6 million in Canada. The company stated that the attacker exploited a specific configuration vulnerability in its digital infrastructure and allegedly accessed the data.
The compromised information included names, addresses, phone numbers, and dates of birth, along with 140,000 Social Security numbers, 80,000 bank account numbers, credit scores, and transaction data. However, Capital One clarified that no credit card account numbers or log-in credentials were compromised in the incident.
The FBI charged a suspect, Paige A. Thompson, with computer fraud and abuse. Thompson, who went by the hacker name ‘erratic’, allegedly exploited a misconfigured firewall to access the Capital One cloud repository and exfiltrate the data in March 2019.
Facebook Data Leak
An unprotected server which hosted a Facebook database leaked millions of Facebook users’ phone numbers online. According to reports, the server wasn’t password-protected, allowing anyone to access it. The database contained more than 419 million records of Facebook users across the globe, including 133 million records of U.S. users, 18 million records of U.K. users, and more than 50 million records of Vietnamese users. The records contained unique Facebook IDs and the phone numbers linked to their accounts.
In April 2019, researchers also discovered a massive trove of Facebook user account information being exposed on Amazon cloud servers. The security team at UpGuard stated that they found two data breach incidents in different regions. Facebook also admitted to another data breach involving roughly 100 third-party app developers who had improper data access. This incident exposed around 146 GB of data that contained over 540 million records detailing comments, likes, reactions, account names, FB IDs, and other sensitive information.
Canva, an Australian online design tool, revealed that hackers breached its network systems and stole data of nearly 140 million users in May 2019. The company stated that the usernames and email addresses of customers were accessed in the incident.
According to Canva, encrypted personal data like usernames and passwords were accessed by hackers. And, no credit card details or designs were exposed/accessed in the attack.
DoorDash, a San Francisco-based food-delivery service provider, faced a massive data breach that affected data of around 4.9 million people (its customers, delivery workers, and merchants), who were using its service platform.
The company said that an unauthorized third-party accessed its user data on May 4, 2019. DoorDash clarified that users who joined its services platform on or before April 5, 2018, were affected in the incident and the ones who joined after April 5, 2018, weren’t.
Ecuador Data Breach
Almost everyone in Ecuador became a victim of a massive data breach that exposed the personal information of over 20 million individuals. This included the country’s president and WikiLeaks founder Julian Assange, who was granted asylum by Ecuador in 2012.
Security firm vpnMentor discovered the breach on a Miami-based Elasticsearch server owned by an Ecuadorian company Novaestrat. It’s said that the exposed data appears to have come from various sources, including the Ecuadorian national bank, Ecuadorian government registries, and an automotive association called Aeade. The exposed information included names, date of birth, contact information, National identification numbers, bank account details, taxpayer-identification numbers, and driving records.
Instagram Data Breach
The Facebook-owned photo-sharing application Instagram had discovered that an unsecured server containing personal information of millions of Instagram influencers, celebrities, and brand accounts have been found online.
According to the security researcher Anurag Sen, who discovered the leak and notified TechCrunch, the database had over 49 million records exposed online, allowing anyone to access the data. The exposed data included users’ biodata, profile picture, the number of followers they have, their location by city and country, and contact information like the Instagram account owner’s email address and phone number.
The researcher stated the leaky database belonged to a social media marketing firm Chtrbox, which was based in Indian city, Mumbai. The database was taken offline and an investigation was led toward the incident, Chtrbox stated.
With these examples, it is well-established that our data has never secure. There’s nothing consumers and companies can do except practice preventive security measures and adopt policies that better protect the data.
Download CISO MAG December 2019 to read about the biggest news events of the year, Cybersecurity startups of the year, CISO MAG Editor’s choice for the best security technology, and the Cybersecurity Persons of the year.
Rudra Srinivas is part of the editorial team at CISO MAG and writes on cybersecurity trends and news features.