New Cybersecurity Threats and How to Protect Yourself: August 2019
New cybersecurity threats like phishing attacks, ransomware, and scams are always popping up. Stay up to date on the latest widespread threats and protection methods in our recurring series.
MOVIEPASS DATA BREACH
MoviePass is a movie ticket subscription service where users can pay a monthly fee to watch a designated number of movies for a discounted price. MoviePass uses a debit-style card for its subscribers to use.
They were victims of a data breach which exposed tens of thousands of these card numbers, along with customers' personal card numbers and expiration dates, billing information, names, addresses, email addresses, and some passwords. 161 million records have been found exposed so far.
The breach was caused because a critical server containing customer information was not protected with a password and may have remained exposed for months before being discovered.
What to do: If you are a current or former member of MoviePass, definitely update your password or close your account if unused. Keep an eye on your financial accounts and watch for other phishing attacks or scams coming from this information. Criminals will often used data collected from breaches like this, sometimes combined with information from other leaks, to open accounts, commit fraud, or scam the victim.
STATE FARM DATA BREACH
State Farm was the victim of a credential-stuffing attack, where the attacker obtained a list of user IDs and passwords likely via the Dark Web and attempted to access accounts. State Farm stated that no personally identifiable information was compromised and no fraud has been detected.
State Farm has sent out notices to customers whose information was used.
What to do: Whether you receive a notice from State Farm or not, it's a good idea to change your password after an incident like this. While State Farm claims no information was taken it's tough to know for sure. Keep an eye on your insurance policy and financial accounts and be on the lookout for any fraud.
POSHMARK DATA BREACH
Poshmark is an online service that allows users to buy and sell clothes to others, with around 50 million customers. They discovered that user information had been accessed by an unauthorized third party.
Data includes user profile information, gender, city data, email addresses, size preferences, and scrambled passwords. Luckily Poshmark uses bcrypt hashing to scramble passwords, which is one of the stronger methods out there, so hopefully the attackers can't use them to log into user accounts. Internal preferences like email and push notifications were also accessed. The company stated that financial and address information were not taken, however.
Poshmark has since employed an outside forensics company to investigate and implemented stronger security measures.
What to do: If you've ever used Poshmark, change your password and monitor for unusual activity on your account. Luckily it doesn't seem as though the thieves will be able to use the information to log into user accounts or commit other fraud, but it's always a good idea to be cautious.
CHOICE HOTELS DATA BREACH
Choice Hotels is the parent company of Clarion, Comfort Inn, EconoLodge, Quality Inn, and Rodeway Inn. A data breach at Choice led to hackers stealing information via an unsecured database which was publicly accessible. 5.6 million records were taken, affecting 700k customers. Data included names, email addresses, and phone numbers.
The exposed database was being handled by a third-party vendor, which Choice Hotels has since fired.
The security researchers who discovered the breach said that the information taken was already up on the Dark Web and being held for a $4300 ransom.
What to do: The company and researchers are warning people to be on the lookout for phishing scams by email, text, and phone. While the information stolen did not include financial information, compromised credentials and information can be used to perpetrate these scams.
DELTA AIRLINES VENDOR 7.ai DATA BREACH
Delta Air Lines is suing a former vendor of the chatbot technology the company used, 7.ai. The vendor had a weak password for its systems, which led to a hacker accessing Delta's customer information.
The attacker had the potential to take names, addresses, and full credit card details of up to 825k customers. Delta does not know yet if the stolen information has been misused.
What's worse, the vendor failed to alert Delta of the breach for a month after it was discovered. And conveniently, it was a month after they signed a renewal contract with Delta. Delta is suing 7.ai for damages and time and services rendered to affected customers, and for violating their contractual obligation to notify Delta of a breach in a timely manner.
What to do: If you received a notification from Delta or have used their services in the past year, update your account password. As always, keep an eye on your financial accounts and be wary of any emails or phone calls claiming to come from either service.
If you need some extra help identifying or protecting against any of these or other cybersecurity threats, let us know!