This Week In Security - 02/03/2020
Databases that contained customer support logs were accessible without password protection.
During a two-day period in December 2019, more than 250 million Customer Service and Support (CSS) records were exposed on the public web. The records contained logs of communication between Microsoft support staff and customers worldwide over a 14-year period, from 2005 to 2019, and could be read by anyone with a web browser, with no authentication required.
Many of these records held plain-text data, including customer email addresses, locations, IP addresses, Microsoft support agent email addresses, descriptions of CSS claims, case numbers, and internal notes marked confidential.
Microsoft's investigation found that the cause was a change to the database's network security group (NSG) that introduced misconfigured rules, allowing inbound connections from the internet. Microsoft addressed the issue in its blog:
“Misconfigurations are unfortunately a common error across the industry. We have solutions to help prevent this kind of mistake, but unfortunately, they were not enabled for this database. As we’ve learned, it is good to periodically review your own configurations and ensure you are taking advantage of all protections available.”
Most personally identifiable information was redacted from the records.
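The periodic configuration review Microsoft recommends can be automated. As an added example (not Microsoft's tooling or anything from the page), the script below walks a list of NSG inbound rules in Azure's evaluation order and reports which database ports are reachable from the whole internet. The rule dictionaries are constructed and use the flattened field names that `az network nsg rule list` emits (name, priority, direction, access, sourceAddressPrefix, destinationPortRange); those field names and the list of database ports are assumptions, so adapt them if your output differs.

```python
"""Find database ports an Azure network security group (NSG) leaves open to the internet.

Added example, not Microsoft's tooling. The rule dictionaries below are constructed
and use the flattened field names that `az network nsg rule list` emits (name,
priority, direction, access, sourceAddressPrefix, destinationPortRange); those field
names are an assumption about the CLI output.
"""
import json
import sys

# Ports commonly used by databases and search engines (assumption; extend as needed).
DB_PORTS = {1433, 3306, 5432, 6379, 9200, 9300, 27017}

# Source prefixes that mean "any host on the internet" in an NSG rule.
ANY_SOURCE = {"*", "internet", "0.0.0.0/0", "::/0"}


def _ports(spec):
    """Expand '1433', '9200-9300' or '*' (None = every port) into a set of ports."""
    spec = str(spec).strip()
    if spec == "*":
        return None
    if "-" in spec:
        lo, hi = (int(p) for p in spec.split("-", 1))
        return set(range(lo, hi + 1))
    return {int(spec)}


def _public_source(rule):
    """True only for wildcard sources; a narrow public range does not expose to everyone."""
    return str(rule.get("sourceAddressPrefix", "")).strip().lower() in ANY_SOURCE


def _matches(rule, port):
    if str(rule.get("direction", "")).lower() != "inbound":
        return False
    if not _public_source(rule):
        return False
    ports = _ports(rule.get("destinationPortRange", "*"))
    return ports is None or port in ports


def exposed_db_ports(rules, ports=DB_PORTS):
    """Return {port: rule_name} for every port in `ports` the whole internet can reach.

    Azure evaluates NSG rules from the lowest priority number upward and stops at the
    first match, so a Deny with a lower number shadows a broader Allow behind it, and
    with no match at all the default DenyAllInBound applies.
    """
    ordered = sorted(rules, key=lambda r: int(r["priority"]))
    exposed = {}
    for port in sorted(ports):
        for rule in ordered:
            if _matches(rule, port):
                if str(rule.get("access", "")).lower() == "allow":
                    exposed[port] = rule["name"]
                break  # first matching rule decides; later rules are shadowed
    return exposed


# Constructed sample NSG, not a real one: a wide "allow all" rule sits behind a few
# narrow rules, which is the shape of mistake the article describes.
SAMPLE_RULES = [
    {"name": "DenySshFromInternet", "priority": 100, "direction": "Inbound",
     "access": "Deny", "sourceAddressPrefix": "Internet", "destinationPortRange": "22"},
    {"name": "DenyMongoFromInternet", "priority": 150, "direction": "Inbound",
     "access": "Deny", "sourceAddressPrefix": "0.0.0.0/0", "destinationPortRange": "27017"},
    {"name": "AllowSearchFromAnywhere", "priority": 200, "direction": "Inbound",
     "access": "Allow", "sourceAddressPrefix": "*", "destinationPortRange": "9200-9300"},
    {"name": "AllowAllInbound", "priority": 250, "direction": "Inbound",
     "access": "Allow", "sourceAddressPrefix": "*", "destinationPortRange": "*"},
    {"name": "AllowSqlFromVnet", "priority": 300, "direction": "Inbound",
     "access": "Allow", "sourceAddressPrefix": "VirtualNetwork", "destinationPortRange": "1433"},
]


if __name__ == "__main__":
    # Pass a JSON file saved from `az network nsg rule list ... -o json` to audit a real NSG.
    rules = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_RULES
    for port, name in exposed_db_ports(rules).items():
        print(f"port {port} is reachable from the internet via rule {name}")
```

On the constructed sample, port 27017 stays closed because the lower-numbered Deny shadows the later allow-all, while every other database port is reported, most of them through the catch-all rule rather than the one that mentions their port. That is the point of evaluating rules in order instead of grepping for "Allow": the rule that actually exposes a service is often not the one whose name suggests it. To audit a real group, save `az network nsg rule list -g <resource-group> --nsg-name <nsg> -o json` to a file and pass its path as the first argument.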
Fraudsters are turning to legitimate job sites to convince people to hand over sensitive information.
Technology has made job scams easier to pull off, the FBI warns. Fake job postings have existed for a long time, but they have been on the rise since early 2019. Victims are tricked by criminals posing as employers and are convinced they have landed a new position. The scammers then attempt to extract personal information or money from the victims, with average losses of around $3,000 per victim.
“While hiring scams have been around for many years, cybercriminals’ emerging use of spoofed websites to harvest PII (personally identifiable information) and steal money shows an increased level of complexity,” the FBI stated in the advisory. “Criminals often lend credibility to their scheme by advertising alongside legitimate employers and job placement firms, enabling them to target victims of all skill and income levels.”
In 2018 there were almost 15,000 reported incidents of employment fraud accounting for more than $45 million in losses.
“Applicants are contacted by email to conduct an interview using a teleconference application,” the FBI stated. “According to victims, cybercriminals impersonate personnel from different departments, including recruiters, talent acquisition, human resources, and department managers.”
The Norwegian Consumer Council has overseen a new report exploring how dating apps share user data.
According to the Norwegian consumer group, popular dating apps used by millions of people worldwide share user information such as dating preferences and precise locations with advertising and marketing companies.
Grindr shares user information, including users' gender and sexual orientation, location, and age, with thousands of advertising partners. Other dating apps, including Tinder and OkCupid, share similar information, and the report argues that some of this sharing violates the European Union's General Data Protection Regulation (GDPR).
“Any consumer with an average number of apps on their phone — anywhere between 40 and 80 apps — will have their data shared with hundreds or perhaps thousands of actors online,” said Finn Myrstad, the digital policy director for the Norwegian Consumer Council, who oversaw the report.
The 10 apps included in the study were observed transmitting user data to more than 135 third parties.
“Every time you open an app like Grindr, advertisement networks get your GPS location, device identifiers and even the fact that you use a gay dating app,” Austrian privacy activist Max Schrems said. “This is an insane violation of users’ [European Union] privacy rights.”
A joint investigation involving the United States, the Netherlands, Germany, and the United Kingdom (including Northern Ireland) saw the WeLeakInfo website shut down.
U.S. authorities, in collaboration with law enforcement in Germany, the U.K., Northern Ireland, and the Netherlands, have seized the domain name of a website that sold access to more than 12 billion indexed records. The records included usernames, email addresses, and passwords, as well as other sensitive information, stolen in data breaches.
According to Andrew Shorrock, Senior Investigating Officer at the UK's National Crime Agency (NCA):
“Cybercrime is a threat that crosses borders and so close international collaboration is crucial to tackling it. These arrests have resulted in the seizure of the site’s data which included 12 billion personal credentials and so work is continuing by law enforcement to mitigate these and notify the sites that were breached.
The data behind the site is a collaboration of more than 10,000 data breaches. Criminals rely on the fact that people duplicate passwords on multiple sites and data breaches such as these create the opportunity for fraudsters to exploit that.”
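The reuse problem the NCA describes has a defensive counterpart: a site can refuse any password that already appears in a breach corpus before it is ever reused there. As an added example (not part of the article and unrelated to the seized site), the block below implements the k-anonymity range check: hash the candidate with SHA-1, send only the first five hex characters, and compare the returned suffixes locally so the password never leaves the host. The offline corpus is constructed from a few made-up leak counts so the block runs without network access; the endpoint in `fetch_range_live` is the public Pwned Passwords range API and is not called by the demo.

```python
"""Check whether a password is already in a breach corpus, without sending the password.

Added example, not part of the article. The only thing that touches a corpus is the
`fetch_range` callable; the offline corpus below is constructed from invented counts
so the block runs offline, while `fetch_range_live` queries the public Pwned
Passwords range API for a real check.
"""
import hashlib
import urllib.request


def split_hash(password):
    """Return (prefix, suffix) of the upper-case hex SHA-1 of the password."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(text):
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}; blank lines are ignored."""
    counts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password, fetch_range):
    """How many times the password appears in the corpus behind `fetch_range` (0 = unseen)."""
    prefix, suffix = split_hash(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def password_is_acceptable(password, fetch_range):
    """Policy hook: reject any password seen in a breach, however strong it looks."""
    return breach_count(password, fetch_range) == 0


def fetch_range_live(prefix):
    """Query the real range API for one 5-character prefix (not used by the offline demo)."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "breach-check-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed offline corpus: the counts are invented, the hashes are real SHA-1s.
LEAKED = {"password": 3730471, "123456": 23597311, "P@ssw0rd": 52579}


def build_offline_corpus(leaked):
    """Group leaked suffixes by prefix and format them as a range API response would."""
    ranges = {}
    for pw, n in leaked.items():
        prefix, suffix = split_hash(pw)
        ranges.setdefault(prefix, []).append(f"{suffix}:{n}")
    decoy = "0" * 34 + "F:1"  # every real range holds many unrelated suffixes
    return {p: "\r\n".join(lines + [decoy]) for p, lines in ranges.items()}


OFFLINE_CORPUS = build_offline_corpus(LEAKED)


def fetch_range_offline(prefix):
    """Stand-in for the live API that serves the constructed corpus."""
    return OFFLINE_CORPUS.get(prefix.upper(), "")


if __name__ == "__main__":
    for candidate in ["password", "P@ssw0rd", "correct horse battery staple"]:
        n = breach_count(candidate, fetch_range_offline)
        ok = password_is_acceptable(candidate, fetch_range_offline)
        print(f"{candidate!r}: seen {n} times, acceptable={ok}")
```

Swap `fetch_range_offline` for `fetch_range_live` to check against the real corpus; the interface is the same, and because only a five-character prefix is transmitted, the service learns nothing usable about the password being checked. Wiring `password_is_acceptable` into registration and password-change flows removes exactly the credentials a stuffing attack would try first.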