Hackers don’t take vacations: top 10 summer data breaches
The number of web apps offered online grows every year and their user base tends to increase as well. So it’s no wonder that cybercriminals are frequently targeting them. According to the Verizon Data Breach Investigations Report 2020, “attacks on web apps were a part of 43% of breaches, more than double the results from last year. As workflows move to cloud services, it makes sense for attackers to follow. The most common methods of attacking web apps are using stolen or brute-forced credentials (over 80%) or exploiting vulnerabilities (less than 20%) in the web application to gain access to sensitive information”.
Because apps can become gateways to huge volumes of personal and financial information, this trend keeps gaining momentum.
Hacking strategies vary. For example, on August 15, a Twitter user with the nickname 08Tc3wBB published a video demonstrating a new exploit that allows hacking the latest iOS version, 13.6.1.
What else has been happening lately in terms of web app attacks? The Breach Report team has put together a list of the top summer leaks with openly published data:
1. Wattpad.com, a popular website and application for publishing user-generated stories
270,330,836 hacked accounts were shared online publicly on July 14, 2020. The dump contained email addresses, SHA-256 hashed passwords, names, IP addresses, locations, biographies, genders, geographical locations, and usernames.
2. ReadNovel.com, a reading community
19 118 089 hacked accounts were leaked online on August 5, 2020. The leak compromised emails and MD5-hashed passwords (MD5 is not a reliable method for protecting passwords).
3. Vakinha.com.br, a charity donations platform
3 852 224 hacked accounts were put on sale on a dark web forum on July 27, 2020. The package consisted of emails and MD5-hashed passwords.
4. SWVL.com, a travel booking service
3 364 049 hacked accounts were leaked online on August 5, 2020, compromising emails and bcrypt-hashed passwords.
5. LiveAuctioneers.com, an online auction platform
2 938 244 hacked accounts were exposed online on July 10, 2020. The database includes emails, MD5-hashed passwords, and likely also names, mailing addresses, phone numbers, and visit history.
6. Promo.com, a promotional video making service
2 643 365 hacked accounts were shared online on June 22, 2020. The exposed data includes email addresses, SHA-512 salted hashed passwords, names, genders, and IP addresses.
7. YotePresto.com, a lending service
1 444 676 hacked accounts were exposed online on June 30, 2020. The file consists of email addresses and bcrypt-hashed passwords and is sold with 13 other databases.
8. Appen.com, an AI training data company
1 226 369 hacked accounts were leaked in June 2020, compromising email addresses and bcrypt-hashed passwords. Although bcrypt is a fairly strong password-hashing method, it is not infallible.
9. Gamevil.com, a mobile game developer
762 952 hacked accounts were shared on the dark web on July 4, 2020. The data sets consist of usernames, emails, IP addresses, salted MD5-hashed passwords, and other profile information.
10. YingjieSheng.com, an advertisement directory
730 832 hacked accounts were found online by Breach Report on August 5, 2020. The database contains unmatched pairs of emails and plaintext passwords.
The most aggressive criminal group, responsible for more than half of these leaks, is ShinyHunters. This summer they have been flooding the dark web with compromised data: the hackers published 386 million user records stolen from eighteen companies, including Chatbooks.com, Mathway.com, GGumim.co.kr, and others.
Apart from hackers, other actors are showing interest in user data. For instance, the US Secret Service recently bought cellphone location data through a subscription to the Locate X service offered by Babel Street. Usually, law enforcement bodies need a warrant or court order to access user location data accumulated by IT companies. But a legislative loophole allows them to buy commercially available data from private companies. US Customs and Border Protection, the Internal Revenue Service, and other federal agencies were also reported to use cellphone location data sold by a company called Venntel.
This contradicts the US government's public statements pleading for protection of the personal data of American citizens. In August 2020, US President Donald Trump signed orders to ban business transactions with the hugely popular Chinese apps TikTok and WeChat. The official explanation has to do with data security: “TikTok automatically captures vast swaths of information from its users…This data collection threatens to allow the Chinese Communist Party access to Americans' personal and proprietary information, potentially allowing China to track the locations of federal employees and contractors, build dossiers of personal information for blackmail, and conduct espionage.” The block would come into force in 45 days unless the parent companies agree to sell the apps. In response, TikTok sued the US government, claiming that the order “has the potential to strip the rights of [TikTok] community without any evidence to justify such an extreme action, and without any due process”. Oracle and Microsoft with Walmart are competing to buy the app, but China imposed restrictions requiring approval to sell the algorithm, which bogged down the negotiations.
Looking at such a volatile landscape, how can ordinary users protect themselves? Some companies act transparently in case of breaches, admit the attacks, react quickly, and reset user passwords, sometimes even before the data is leaked publicly. For example, this summer the push-to-talk app Zello chose this strategy after a serious attack. But very often users don’t receive a notification after their data is exposed. That is why smart security solutions such as Individual or Business Breach Report Monitoring are necessary. Users receive notifications when their data enters the dark web and can immediately take protective measures. You can also check if your data has been compromised on Breachreport.com for free!