Week of September 21, 2018



Animoto Hack Exposes Personal Information, Location Data*:

Animoto, a cloud-based video maker service for social media sites, has revealed a data breach.

The breach occurred on July 10 but was confirmed by the company in early August, and later reported to the California attorney general.

Names, dates of birth and user email addresses were accessed by hackers, but the company said it wasn’t known if data had been exfiltrated.

The company also said that users’ scrambled passwords were exposed in the breach, but were hashed and salted, making it difficult for anyone to reveal the original password.

The New York City-based company also said in a security announcement that user geolocations were exposed to hackers, but noted that it “does not keep geolocation information for all users.”

Payment data is not thought to be affected as it’s stored in a separate system, the company said.

Animoto CEO Brad Jefferson told TechCrunch that the number of users affected isn’t known but all 22 million users will be notified.

Animoto didn’t say how its breach occurred but pointed to “suspicious activity” on its systems.

The company also said it reset employee passwords and reduced employees’ access to critical systems.

*Source: TechCrunch, August 08, 2018


US Government Payment Site Leaks 14 Million Customer Records*:

Government Payment Service Inc, the company thousands of local governments in the US use to accept online payments for everything from court-ordered fines to licensing fees, has leaked more than 14 million customer records dating back to 2012.

According to a security investigation site, the leaked information includes names, addresses, phone numbers, and the last four digits of credit cards.

The site found that it was possible to view millions of customer records simply by tweaking the digits in the web address displayed by each receipt.

Two days later, the payment site released a statement saying it had addressed a "potential issue," and that while there was "no indication that any improperly accessed information was used to harm any customer" the company has nonetheless updated its systems to prevent the issue reoccurring.

Government Payment Services Inc was acquired by Securus Technologies at the start of 2018.

The Texas-based company provides telecommunications services to prisons, among other things, and has come under fire a number of times for data breaches this year alone.

In May, it emerged that Securus was abusing its cell phone-tracking capabilities, then just weeks later hackers broke into its system and stole the online credentials of multiple law enforcement officials.

*Source: Engadget, September 18, 2018


MongoDB Server Leaks 11 Million User Records From E-Marketing Service*:

On Monday, a security researcher who specializes in finding exposed databases identified an unsecured MongoDB server that was leaking the personal details of nearly 11 million users.

The server appears to belong to an email marketing firm based in California.

The data, contained in a 43.5GB dataset, included full names, email addresses, gender information, and physical addresses such as state, city, and ZIP code for 10,999,535 users.

All email addresses contained in this database were Yahoo-based, suggesting this was only a small part of a larger dataset, most likely stored on multiple servers.

Besides personal user information, the data also contained DNS details and email delivery status information about messages a user had received.

Bob Diachenko, the security researcher who discovered the breach and shared his findings with ZDNet, says the database had been left exposed online since at least September 13, the date when the Shodan search engine had last indexed it, and tagged it as a "compromised" server.

The database received this marker because, besides its normal content, it also included a table named "Warning" that contained a data collection with the following text: "Your Database is downloaded and backed up on our secured servers. To recover your lost data: Send 0.4 BTC to our Bitcoin Address and Contact us by email with your server IP Address and a Proof of Payment. Any email without your server IP Address and a Proof of Payment together will be ignored. You can apply for a backup summary within 12 hours. Then we will delete the backup. You are welcome!"

This is your typical ransom note that has been popping up on exposed MongoDB databases since late 2016.

Combining a simple Google search with the nature of the user records found in the exposed database led Diachenko to believe the data belonged to a daily deals website.

The website claims to operate under the brand, but a Quotient spokesperson told ZDNet today that SaverSpy is only part of an affiliate program.

Both ZDNet and Diachenko alerted the operators of the SaverSpy website about the exposed server. While we have not heard back from the company, the server was secured earlier today.

*Source: ZDNet, September 18, 2018


Hackers Stole Customer Credit Cards in Newegg Data Breach*:

Newegg is clearing up its website after a month-long data breach.

Hackers injected 15 lines of card skimming code on the online retailer’s payments page, where it remained for more than a month, between August 14 and September 18.

The code siphoned off credit card data from unsuspecting customers to a server controlled by the hackers with a similar domain name — likely to avoid detection.

The server even used an HTTPS certificate to blend in.

The code also worked for both desktop and mobile customers — though it’s unclear if mobile customers are affected.

The online electronics retailer removed the code on Tuesday after it was contacted by incident response firm Volexity, which first discovered the card skimming malware and reported its findings.

Newegg is one of the largest retailers in the US, making $2.65 billion in revenue in 2016.

The company touts more than 45 million monthly unique visitors, but it’s not known precisely how many customers completed transactions during the period.

In an email to customers, Newegg chief executive Danny Lee said the company has “not yet determined which customer accounts may have been affected.”

This incident was a well-disguised attack that looked nearly identical to the recent British Airways credit card breach; some have attributed both attacks to the Magecart group.

*Source: TechCrunch, September 19, 2018


Vote Leave Data Firm Hit With First Ever GDPR Notice*:

A Canadian analytics firm that worked for Vote Leave has received the UK's first formal notice under a key data law, the UK's data protection watchdog has confirmed.

AggregateIQ (AIQ) was accused of processing people's data "for purposes which they would not have expected".

The firm has appealed against the notice, which was issued by the UK's Information Commissioner's Office.

If the company fails to appeal against the ICO's notice or does not comply with it, it could face a large fine.

AIQ is a small Canadian data firm that uses data to target online ads at voters during public polls.

It was paid nearly £2.7m ($3.6m) by Vote Leave to target ads at prospective voters during the Brexit referendum campaign.

Vote Leave has been fined £61,000 and referred to the police after an Electoral Commission probe said it broke electoral law by exceeding its spending limit by funnelling money through a pro-Brexit youth group called BeLeave.

AIQ also received funding from Northern Ireland's Democratic Unionist Party and Veterans for Britain, amounting to a total of £3.5m from all its pro-Brexit clients.

The ICO said that although the data was gathered before 25 May, when the GDPR regulations came into effect, it was concerned about the "continued retention and processing" of data after that date.

The GDPR makes it clear that if you process data within the EU or if you are targeting European markets the GDPR is also applicable.

*Source: BBC, September 20, 2018


Japanese Cryptocurrency Exchange Hit With $60 Million Theft*:

Tech Bureau, a Japanese cryptocurrency exchange, has confirmed a $60 million theft following recent initiatives to improve its security posture.

Tech Bureau said its Zaif exchange was hacked over a two-hour period on Sept. 14.

Three days later, it noticed server problems and confirmed the attack on Sept. 18.

The theft totalled 6.7 billion yen ($59.67 million USD) in digital currencies, including Bitcoin, Monacoin, and Bitcoin Cash.

About 2.2 billion yen belonged to Tech Bureau; 4.5 billion belonged to its clients.

The firm has now reached an agreement with Fisco, which will invest 5 billion yen ($44.59 million USD) and receive majority ownership.

Earnings will be used to replace funds taken from customers.

The hack highlights a problem of poor security in cryptocurrency exchanges.

Cryptocurrency exchanges throughout Japan have come under scrutiny after Coincheck suffered a $530 million theft of digital currencies back in January. It reports many exchanges are left vulnerable due to poor management and lack of security for client funds.

*Source: Dark Reading, September 20, 2018

