339 Million AdultFriendFinder users compromised

Friend Finder Networks, the company that operates Adultfriendfinder.com and cams.com, which was affected by a breach of 3.5 million users' information in May 2015, has been breached again.

How many victims? This time 339 million users, including 15 million users whose accounts had been deleted but whose data was still held by the company.

What type of information? Usernames, email addresses, date of last visit, passwords, last IP address used, browser information, and VIP membership status.

What happened? LeakedSource.com speculates that the breach was carried out through the use of an exploit for a Local File Inclusion vulnerability which was publicly revealed last month. Passwords were found either unencrypted or SHA-1 hashed, both of which are insecure. 99% of the hashed passwords have already been cracked. The team has decided not to make this particular data set searchable by the general public for now.

What was the response? Friend Finder Networks has not confirmed the breach, but the company said the Local File Inclusion vulnerability which was allegedly exploited has been fixed.

Quote: “It goes without saying that systems, software and processes should be regularly reviewed as previously accepted risk levels may no longer suffice.” – David Kennerley, director of threat research at Webroot, to SC Media.


Web Hosting Service Weebly suffers major data breach

Web hosting service Weebly has confirmed a major data breach reported by LeakedSource.com.

How many victims? 43.4 million accounts

What type of information? Usernames, email addresses, passwords and IP addresses. Fortunately, the passwords were strongly hashed with bcrypt.

What happened? LeakedSource.com acquired the stolen Weebly data from an anonymous source and reports that it was stolen from the company’s main database in February 2016.

What was the response? Weebly has responded by resetting passwords and sending out breach notification emails. In a company statement sent to SCMagazine, the company noted: “Weebly recently became aware that an unauthorized party obtained email addresses and/or usernames, IP addresses and encrypted (bcrypt hashed) passwords for a large number of customers.” It went on to say: “At this point we do not have evidence of any customer website being improperly accessed. We do not store any full credit card numbers on Weebly servers, and at this time we’re not aware that any credit card information that can be used for fraudulent charges was part of this incident.” The statement added: “Our security team, with support from outside security consultants, is working to protect our customers and to enhance our network protections. This includes initiating password resets, implementing new password requirements and a new dashboard that gives customers an overview of recent log-in history of their Weebly account to track account activity.”

Quote: “This mega breach affects not only tens of millions of users but tens of millions of websites and with Weebly being one of the most popular hosting platforms in the world, this breach could have been far more disastrous in the wrong hands had they not strongly hashed passwords,” – LeakedSource.com’s blog post.

New Zealand online dating site data leaked

Personal information of over 1.5 million online dating users, including usernames, passwords, email addresses, gender, date of birth, country of residence and photos, as well as sexual preferences, was found by MacKeeper researchers in an unsecured MongoDB database accessible on the internet. The data was found to belong to a New Zealand based company that runs haveafling.mobi, haveafling.co.nz, haveanaffair.co.nz, haveanaffair.mobi, hookupdating.mobi and the mobile application “Hook Up Dating.”

In response to MacKeeper’s notification, the company claimed that the database is mostly dummy data used to test migrating data from SQL to MongoDB. The researchers dispute this claim, given the massive number of accounts.

Also, a one by one analysis of a random selection of more than 300 records shared with ZDNet proves otherwise.

The company is taking the leak lightly, claiming that only the researchers accessed the data. It did not invalidate the affected passwords and only notified users to change their password on the grounds that it was upgrading its system for security reasons.

New Critical flaw found in OpenSSL

Last week, OpenSSL released an update that fixed 14 flaws. One of the flaws fixed was a memory corruption flaw, but the fix itself introduced a dangling pointer flaw in the cryptographic library.

The dangling pointer vulnerability was disclosed by Google information security engineer Robert Święcki and OpenSSL released a patch for it on Monday.

“The patch applied to address CVE-2016-6307 resulted in an issue where if a message larger than approx 16k is received then the underlying buffer to store the incoming message is reallocated and moved, unfortunately a dangling pointer to the old location is left which results in an attempt to write to the previously freed location,” the advisory stated.
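The advisory describes a classic use-after-realloc: a message buffer grows past its initial size, realloc moves it, and a pointer computed before the move is written through afterwards. The added C example below is illustrative code written for this digest, not OpenSSL's; the buffer type, the 16k initial capacity and the growth policy are assumptions. It shows the safe pattern of carrying an offset across the reallocation and re-deriving the write cursor from the new base pointer.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical message buffer modelled on the pattern in the advisory:
 * a 16k initial allocation that must grow when a larger record arrives.
 * The bug class is holding `unsigned char *cursor = buf + len;` BEFORE
 * growing and writing through it AFTER realloc may have moved the block. */
#define INITIAL_CAP (16 * 1024)

typedef struct {
    unsigned char *buf;   /* backing storage; may move on realloc */
    size_t len;           /* bytes stored so far */
    size_t cap;           /* current capacity */
} msg_buf;

/* Ensure room for `need` bytes; realloc invalidates every raw pointer
 * into the old block, so callers must not keep one across this call. */
static int msg_buf_reserve(msg_buf *m, size_t need) {
    if (need <= m->cap) return 0;
    size_t cap = m->cap ? m->cap : INITIAL_CAP;
    while (cap < need) cap *= 2;
    unsigned char *p = realloc(m->buf, cap);
    if (!p) return -1;                   /* old block still valid on failure */
    m->buf = p;
    m->cap = cap;
    return 0;
}

/* Safe append: only the offset survives the reallocation; the write
 * cursor is recomputed from the (possibly new) base pointer. */
int msg_buf_append(msg_buf *m, const unsigned char *data, size_t n) {
    size_t off = m->len;
    if (msg_buf_reserve(m, off + n) != 0) return -1;
    memcpy(m->buf + off, data, n);       /* never a stale pre-realloc pointer */
    m->len = off + n;
    return 0;
}

/* Feed a constructed 20k message (larger than the 16k initial buffer) in
 * 4k chunks; returns 1 if the buffer grew and the contents are intact. */
int demo_large_message(void) {
    msg_buf m = {0};
    size_t total = 20 * 1024;
    unsigned char chunk[4096];
    memset(chunk, 'A', sizeof chunk);
    for (size_t sent = 0; sent < total; sent += sizeof chunk)
        if (msg_buf_append(&m, chunk, sizeof chunk) != 0) { free(m.buf); return 0; }
    int ok = m.len == total && m.cap > INITIAL_CAP && m.buf[total - 1] == 'A';
    free(m.buf);
    return ok;
}
```

Running the stale-cursor variant under AddressSanitizer reports a heap-use-after-free at the memcpy, which is the cheapest regression check for fixes of this kind.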

Over 500 Million Accounts affected in Yahoo Breach

Internet giant Yahoo last Thursday disclosed a major data breach affecting over 500 million user accounts. Yahoo announced that a state-sponsored actor was responsible for the breach which occurred in late 2014.

Information suspected to have been leaked in the breach includes names, email addresses, telephone numbers, birth dates, hashed passwords and, in some instances, encrypted or unencrypted security questions and answers. Yahoo has already invalidated the unencrypted security questions and answers.

Yahoo has said it is taking steps to notify affected users and has advised users who haven’t changed their passwords since 2014 to do so. The company statement also recommended that customers “avoid clicking on links or downloading attachments from suspicious emails and that they be cautious of unsolicited communications that ask for personal information.”

Further security concerns arising from the breach include attackers using the leaked information for phishing attacks, sending spam from compromised accounts, and other identity theft incidents.

‘Muslim Match’ suffers Data Breach

Dating site Muslim Match has suffered a data breach in which profile information of users and a cache of 790,000 private messages sent over the social network were exposed.

The website ran over plain HTTP rather than HTTPS, so traffic to it was unencrypted, leaving the site and its users very exposed.

Experts have expressed fears of blackmail arising from the breached data. According to Infosecurity Magazine, AlienVault security advocate Javvad Malik explained that smaller sites often have fewer resources to devote to security. However, he noted that no online company is ‘too small’ or unimportant to be targeted by attackers, especially when user data is involved.

Malik also claimed the religious and cultural taboos at play in this instance could make blackmail a very real possibility.

“Where possible, people should consider information on websites to be publicly available,” he argued. “Therefore, they should consider what photos and information they post and share and the potential impact if the content is shared broadly.”

PunkeyPOS Malware Variant found in US POS Terminals

PandaLabs researchers have found a new variant of PunkeyPOS on about 200 POS terminals in the US. The malware is designed to steal credit card details from infected victims.

According to Infosecurity magazine:
In terms of functionality, the malware includes a keylogger responsible for monitoring keystrokes and a RAM scraper designed to read the memory of processes running on the system.

PunkeyPOS will decide which data is relevant and ignore anything that isn’t card data, which is read from the magnetic stripe and sold to fraudsters who can use it to clone cards for use at a later date.

“Once the relevant information has been obtained, it is encrypted and forwarded to a remote web server which is also the command and control (C&C) server,” Panda Security explained.

“In order to avoid the detection of the card information in case somebody is scanning the network traffic, it is encrypted before it is sent using the AES algorithm.”

The malware is similar to another variant of the same family found in April 2015.