Data Loss Prevention (DLP)

State Farm Suffers Data Breach

State Farm, the insurance provider in the US, has been compromised in a credential stuffing attack, according to a news report. 

The firm, says the report, acknowledged the cyberattack by filing a data breach notification with the California Attorney General and by sending “Notice of Data Breach” emails to users whose online account log-in credentials were obtained by the hackers.

The insurer’s data breach notification email said, “State Farm recently detected an information security incident in which a bad actor used a list of user IDs and passwords obtained from some other source, like the dark web, to attempt to access State Farm online accounts. During our investigation, we determined that the bad actor possessed the user ID and password for your State Farm online account.”

According to the report, State Farm confirmed in its “Notice of Data Breach” email that the attacker obtained usernames and passwords of some policyholders’ accounts, but no personally identifiable information was obtained and no fraud was detected. It is unknown if the attacker logged into accounts. 
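The pattern State Farm describes, a list of user ID/password pairs replayed against a login page, is visible in authentication logs as one source trying many different accounts with a low success rate. The detector below is an added example, not code from the report or from State Farm; the log format, the sample lines and the thresholds are assumptions chosen for illustration.

```python
"""Credential-stuffing detector over web-login logs.

Added example, not code from the State Farm report: the log format,
the sample lines and the thresholds are assumptions chosen for
illustration."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: timestamp, source IP, user ID, outcome.
# 203.0.113.9 walks a list of user IDs (one of which matches);
# 198.51.100.4 is a single user who mistypes once.
SAMPLE_LOG = """\
2019-06-01T10:00:01Z 203.0.113.9 alice FAIL
2019-06-01T10:00:02Z 203.0.113.9 bob FAIL
2019-06-01T10:00:02Z 203.0.113.9 carol FAIL
2019-06-01T10:00:03Z 203.0.113.9 dave OK
2019-06-01T10:00:04Z 203.0.113.9 erin FAIL
2019-06-01T10:00:05Z 203.0.113.9 frank FAIL
2019-06-01T10:00:30Z 198.51.100.4 alice FAIL
2019-06-01T10:00:45Z 198.51.100.4 alice OK
"""


def parse_line(line):
    """Split one log line into (timestamp, ip, user, success)."""
    ts, ip, user, outcome = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, outcome == "OK"


def find_stuffing_sources(log_text, window=timedelta(minutes=5),
                          min_users=5, max_success_rate=0.5):
    """Return {ip: summary} for source IPs that, within `window`, tried at
    least `min_users` distinct user IDs with mostly failed logins.

    Many distinct accounts from one source with a low hit rate is the
    signature of replaying a leaked user ID/password list; a legitimate
    user retrying a password touches one account."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, ip, user, ok = parse_line(line)
            by_ip[ip].append((ts, user, ok))

    flagged = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        # Sliding window over this IP's attempts; keep the window with the
        # most distinct user IDs.
        best_span, left = [], 0
        for right in range(len(attempts)):
            while attempts[right][0] - attempts[left][0] > window:
                left += 1
            span = attempts[left:right + 1]
            if len({u for _, u, _ in span}) > len({u for _, u, _ in best_span}):
                best_span = span
        users = {u for _, u, _ in best_span}
        hits = sorted(u for _, u, ok in best_span if ok)
        if len(users) >= min_users and len(hits) / len(best_span) <= max_success_rate:
            flagged[ip] = {
                "distinct_users": len(users),
                "attempts": len(best_span),
                "successful_logins": hits,  # accounts whose password matched
            }
    return flagged


if __name__ == "__main__":
    for ip, summary in find_stuffing_sources(SAMPLE_LOG).items():
        print(ip, summary)
```

The `successful_logins` list is the part that matters for notification: those are the accounts whose reused password matched, which is exactly the set State Farm had to write to. In production the thresholds need tuning per application, and sources behind shared NAT or proxies will need a higher `min_users` to avoid flagging offices.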

Kern County suffers data breach compromising over 15000 employees’ personal information

  • A data breach at the systems of third-party vendors might have impacted the health benefits program run by Kern County on behalf of its employees.
  • This could have exposed the personal information of current and former Kern County employees, their dependents, and medical staff at Kern Medical Center.

What is the issue?

A potential security incident at a third-party vendor could have exposed the personal information of current and former Kern County employees, their dependents, and medical staff at Kern Medical Center.

A brief overview

A spokeswoman for Kern County, Megan Person said that a data breach at the systems of third-party vendors might have impacted the health benefits program run by the County on behalf of its employees.

  • Person confirmed that the data breach did not occur on the county networks and systems.
  • County officials have launched an investigation to determine if any data was compromised.
  • She added that if a data breach is confirmed, then all affected employees will be provided with complimentary credit-monitoring services.

“The security of our plan participants and their information is our primary concern, and we remain vigilant in monitoring the situation. We want to assure our employees and our constituents this did NOT affect our county networks and systems. It’s a reminder that all of us should be cautious and take extra measures when it comes to our online security,” Person said, Techwire reported.

Here’s what it’s like to accidentally expose the data of 230M people

Steve Hardigree hadn’t even gotten to the office yet and his day was already a waking nightmare.

As he Googled his company’s name that morning last June, Hardigree found a growing list of headlines pointing to the 10-person marketing firm he’d founded three years earlier, Exactis, as the source of a leak of the personal records of nearly everyone in the United States. A friend in an office adjacent to the one he rented as the company’s headquarters in Palm Coast, Florida, had warned him that TV news reporters were already camped outside the building with cameras. Ambulance-chasing security firms were scrambling to pitch him solutions. Law firms had rushed to assemble a class action lawsuit against his company. All because of one unsecured server. “As you can imagine,” Hardigree says, “I went into panic mode.”

The day before that scrum, WIRED had revealed that Exactis exposed a database of 340 million records on the open internet, as first spotted by an independent security researcher named Vinny Troia. Using the scanning tool Shodan, Troia identified a misconfigured Amazon ElasticSearch server that contained the database, and then downloaded it. There he found 230 million personal records and another 110 million related to businesses—more than two terabytes of information in total. Those files didn’t include credit card information, passwords, or Social Security numbers. But each one enumerated hundreds of details on individuals, ranging from the value of people’s mortgages to the age of their children, as well as other personal information like email addresses, home addresses, and phone numbers.

Exactis licensed that information to marketing and sales customers, so that they could integrate it with their existing databases to build more comprehensive profiles. But privacy advocates have warned that those same details, left open to the public, could just as easily allow spammers or scammers to profile targets.

The sort of accidental mass data exposure Exactis experienced is hardly unique, given the string of similar or worse private-info spills that have happened even in the months since. Much rarer, however, is Exactis founder Steve Hardigree’s willingness to talk to WIRED about that experience: being the company at the center of a nationwide data privacy fracas, as well as dealing with the legal, bureaucratic, and reputational fallout.

The result is a cautionary tale about the liability that a massive dataset can create for a tiny company like Exactis. It also hints at just how easy it’s become for small firms to wield massive, leak-prone databases of personal information—without necessarily having the resources or know-how to secure them.

But first, Hardigree wants to make a point: The Exactis data exposure was no “breach,” he says. He takes issue even with calling it a “leak.” Hardigree insists that while the data was left exposed online in early June of last year—only for a matter of days, Hardigree says, though Troia claims it was more like months—the company’s logs and an external security audit seemed to show that no outsiders actually accessed it other than Troia. The data was secured in response to Troia’s warning prior to WIRED’s story. “We don’t believe it ever leaked,” Hardigree says.

Troia counters that he took a screenshot last July of a listing on a dark web forum called KickAss that appeared to be selling at least part of the Exactis data. (See below.) But Hardigree says that Exactis included false “seed” personas in the database, designed to serve as a test to see if it had leaked, a standard marketing industry technique. Hardigree says he’s continued to monitor those seeds personally, and none have received any emails that would indicate a leak—spam, phishing, or otherwise. He also says he’s been in contact with the FBI and claims the agency has been scanning the dark web for the Exactis data and found none. (The FBI declined WIRED’s request to comment on or confirm this.)
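The “seed” personas Hardigree describes are a detection control: synthetic records mixed into a licensed dataset so that their appearance in a dump, or mail arriving at their addresses, proves the dump came from that dataset. The code below is an added example of that technique, not Exactis’ own tooling; the HMAC-based derivation, the secret, the field layout and the sample dump are all assumptions.

```python
"""Seed ('canary') personas for a licensed dataset.

Added example, not Exactis' own tooling: the derivation scheme, the
secret, the field layout and the sample dump are assumptions."""
import hashlib
import hmac
import random

SEED_SECRET = b"example-seed-secret"      # assumption: held outside the dataset
SEED_DOMAIN = "seed-mail.example"        # assumption: a domain the operator controls


def make_seed_record(secret, index):
    """Derive seed persona number `index` from the secret, so the full seed
    list can be regenerated later without being stored beside the real
    data (where a leak would expose it too)."""
    tag = hmac.new(secret, f"seed:{index}".encode(), hashlib.sha256).hexdigest()
    return {
        "first_name": "Seed",
        "last_name": tag[:8].upper(),
        "email": f"{tag[:12]}@{SEED_DOMAIN}",
        "phone": "555-01" + str(int(tag[12:16], 16) % 100).zfill(2),
    }


def seed_dataset(records, secret, n_seeds, rng_seed=0):
    """Return a copy of `records` with `n_seeds` seed personas mixed in at
    random positions, as would be done before licensing the data."""
    out = list(records) + [make_seed_record(secret, i) for i in range(n_seeds)]
    random.Random(rng_seed).shuffle(out)
    return out


def seeds_in_dump(secret, n_seeds, dump_records):
    """Return the indices of seed personas whose e-mail appears in a
    suspected dump. Any hit is strong evidence the dump derives from the
    seeded dataset; no hits is consistent with (not proof of) no leak."""
    seed_emails = {make_seed_record(secret, i)["email"]: i for i in range(n_seeds)}
    found = set()
    for rec in dump_records:
        email = (rec.get("email") or "").strip().lower()
        if email in seed_emails:
            found.add(seed_emails[email])
    return sorted(found)


# Constructed sample: a dataset of two made-up records plus seeds, and a
# "dump" that contains one seed (re-cased, as dumps often are).
REAL_RECORDS = [
    {"first_name": "Ana", "last_name": "Ruiz", "email": "ana.ruiz@example.org"},
    {"first_name": "Tom", "last_name": "Lee", "email": "tom.lee@example.org"},
]
LICENSED = seed_dataset(REAL_RECORDS, SEED_SECRET, n_seeds=10)
SUSPECT_DUMP = [
    {"email": "someone.else@example.net"},
    {"email": make_seed_record(SEED_SECRET, 3)["email"].upper()},
]

if __name__ == "__main__":
    print("seeds found in dump:", seeds_in_dump(SEED_SECRET, 10, SUSPECT_DUMP))
```

Deriving seeds from a secret rather than storing a list matters for the failure mode in this story: if the seed list lived in the same exposed database, an attacker could strip the seeds before reselling. Mail to the seed domain should be monitored as well, which is the signal Hardigree says he watches; the absence of hits, as the prose notes, only bounds the evidence, it does not prove nothing leaked.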

E-Commerce Company Gearbest Leaked User Information

Chinese e-commerce company Gearbest has failed to properly secure some of its databases, thus leaking users’ personally identifiable information (PII), VPNMentor’s researchers have discovered. Gearbest has downplayed the impact of the incident, which it has blamed on an error made by a member of its security team.

Highly successful, Gearbest sells electronics and appliances, clothing, accessories, and homeware. Owned by Chinese conglomerate Globalegrow, the company ships to most countries around the world and operates several internationally successful sites.

However, one of the company’s databases, an Elasticsearch cluster, and those belonging to its sister companies were found to be completely unsecured, thus allowing potential hackers to access a broad range of data, including orders, payments and invoices, and information on its customers.

These databases leaked information such as products purchased, shipping address and postcode, and customer name, email address, phone number, order numbers, payment information, IP address, username, address, date of birth, national ID and passport details, and account passwords.

The security researchers say they were able to access a database containing over 1.5 million records, and that sensitive information such as email addresses and passwords was being stored unencrypted, although the company claims to be properly protecting user data.

On top of that, a lot of the information included in the database (such as the IP address) isn’t required when completing the duties of an e-commerce store.

“This is particularly worrying given the current trend towards a more open and honest internet. Service providers across multiple industries strive to increase transparency for their customers. Gearbest’s shady practices do the opposite,” VPNMentor notes.

The researchers claim that the leaked information allowed them to access Gearbest accounts and make changes to the login information and other data associated with them. Malicious hackers could have abused the data to steal customer identities or perform other operations.

With customers from all over the world, some of the leaked data, such as the full content of orders, could prove damaging to users in countries with strict laws.

On top of that, some of the leaked information included URL access to Gearbest’s – and Globalegrow’s – Kafka system, a data management program that allows companies to manage the amount of site data sent through their servers to maintain efficiency and collect big data.

“This kind of access allows malicious hackers to manipulate information, reassign database properties, and even disable entire sections of the company’s server. Depending on the function of each server, this could disrupt data collection, order placement, and stock and warehouse management,” the researchers say.

The researchers claim they have repeatedly attempted to contact both Gearbest and Globalegrow to inform them of the unprotected database, but that they received no response by the time they published their research.

In a statement published after VPNMentor disclosed its findings (complete statement is at the end of the article), Gearbest claimed that only a database associated with external tools used to improve efficiency and prevent data overload was exposed to the Internet for a short period of time, due to an error made by a member of its security team. The company says the number of impacted customers is only around 280,000, representing users who placed orders between March 1 and March 15. The company claims it has taken steps to secure the data and the accounts of affected users.

“Companies like Gearbest cannot afford to ignore vulnerability reports from external security researchers. […] In Gearbest’s case, a database containing huge swaths of sensitive customer information is critical to the business, and addressing any vulnerabilities in its security should have been highly prioritized. Organizations must adopt advanced security platforms to proactively manage risk and avoid breaches instead of reacting to a security incident after it occurs,” Jonathan Bensen, CISO and senior director of product management at Balbix, told SecurityWeek in an emailed comment.

“Gearbest’s incident stands out since passport numbers, national ID numbers and full sets of unencrypted data, including email addresses and passwords were among the exposed information. This data could allow hackers to easily steal Gearbest’s customers’ identities by cross-referencing with other databases, and allow malicious actors access to online government portals, banking apps, health insurance records, and more,” Brian Johnson, CEO and co-founder of DivvyCloud, said.

“What we’ve seen — and continue to see — is companies are accelerating their use of technologies more than they’re enabling their teams or hiring effective people, and that will be the downfall of utilizing servers like Elasticsearch. The data exposure highlights how modern data repositories have created a fundamental conflict in businesses,” Terry Ray, SVP and Imperva Fellow, commented.
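Both the Gearbest and the Exactis incidents come down to the same configuration: an Elasticsearch node bound to a reachable interface with no authentication in front of it. The audit below is an added example, not code from either write-up or from Elastic: the two sample configurations are constructed and the finding rules are mine, but the setting names (`network.host`, `xpack.security.enabled`, `xpack.security.http.ssl.enabled`, `xpack.security.transport.ssl.enabled`) are real Elasticsearch settings of the 6.x/7.x era these stories date from, when security had to be switched on explicitly.

```python
"""Audit an elasticsearch.yml for network exposure without authentication.

Added example, not from the Gearbest or Exactis write-ups: the two sample
configurations are constructed, and the audit rules are mine. The keys
themselves (network.host, xpack.security.enabled,
xpack.security.http.ssl.enabled, xpack.security.transport.ssl.enabled)
are real Elasticsearch settings."""

# Constructed: an exposed cluster of the kind the reports describe.
WEAK_CONFIG = """\
cluster.name: customer-orders
network.host: 0.0.0.0        # listen on every interface
http.port: 9200
# no xpack.security.* settings: anyone who can reach port 9200 can read
# and modify every index
"""

# Constructed: same cluster, bound to an internal address with
# authentication and TLS switched on.
HARDENED_CONFIG = """\
cluster.name: customer-orders
network.host: 10.0.5.20      # internal interface only; never a public address
http.port: 9200
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
xpack.security.transport.ssl.enabled: true
"""

LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1", "_local_"}


def parse_settings(text):
    """Parse the flat `key: value` lines of elasticsearch.yml into a dict.
    Comments are dropped; nested YAML blocks are not handled (Elasticsearch
    accepts the dotted-key form used here)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        settings[key.strip()] = value.strip().strip("\"'")
    return settings


def is_true(value):
    return str(value).strip().lower() == "true"


def audit(settings):
    """Return a list of finding codes for the parsed settings."""
    findings = []
    host = settings.get("network.host", "localhost")   # Elasticsearch default is loopback
    security_on = is_true(settings.get("xpack.security.enabled", "false"))
    if host not in LOOPBACK_HOSTS and not security_on:
        findings.append("UNAUTHENTICATED_NETWORK_BIND")
    if security_on and not is_true(settings.get("xpack.security.http.ssl.enabled", "false")):
        findings.append("HTTP_WITHOUT_TLS")        # credentials would cross the wire in clear
    if security_on and not is_true(settings.get("xpack.security.transport.ssl.enabled", "false")):
        findings.append("TRANSPORT_WITHOUT_TLS")
    return findings


if __name__ == "__main__":
    print("weak:    ", audit(parse_settings(WEAK_CONFIG)))
    print("hardened:", audit(parse_settings(HARDENED_CONFIG)))
```

A file audit like this belongs in the deployment pipeline, before the node ever starts; it does not replace checking from the outside that port 9200 is unreachable from the internet, which is the condition Shodan indexing and the VPNMentor scan both exploited. Even with authentication on, storing customer passwords in the index in clear, as Gearbest was found doing, remains a separate defect that no network setting fixes.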

New Data Affirms Cyber Threat for Industrial Control Systems

Recent CyberX report finds that plain-text passwords, direct internet connections, and weak anti-virus protections place industrial control systems at risk for cyber attacks

by Phil Neray, VP of Industrial Cybersecurity, CyberX

“Press Here to Kill Everybody,” the provocative title of Bruce Schneier’s new book, gets right to the heart of the risks involved in industrial cybersecurity. Destructive malware such as WannaCry and NotPetya, as well as targeted attacks such as TRITON and Industroyer, have shown the potential impact of cyber attacks on our industrial control systems (ICS). The costly production outages and clean-up costs alone put companies at great risk, but even those are overshadowed by the potential impact of catastrophic safety and environmental incidents.

Though positive steps have lately been taken to secure our ICSs, new data from CyberX, the IIoT and ICS security company, finds that these systems are still soft targets for adversaries. The data behind our 2019 “Global ICS & IIoT Risk Report,” released on October 23, shows that major security gaps remain in key areas such as plain-text passwords, direct connections to the internet and weak anti-virus protection.

We also found the prevalence of Windows XP and other legacy Windows systems has decreased year-over-year — driven top-down by management in the aftermath of NotPetya’s financial damage — but we’re still finding unpatchable Windows systems in 53 percent of all industrial sites.

Unlike questionnaire-based surveys, our report analyzes real-world traffic from production ICS networks, making it a more accurate representation of the current state of ICS security. The report is based on data collected over the past 12 months from more than 850 production ICS networks, across six continents and all industrial sectors including energy and utilities, manufacturing, pharmaceuticals, chemicals, and oil and gas.

Among the key findings of our report, we found that 69 percent of industrial sites have plain text passwords traversing the network. Lack of encryption in legacy protocols like SNMP and FTP exposes sensitive credentials, making cyber-reconnaissance and subsequent compromise relatively easy.
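The plain-text password finding comes from passively watching traffic, which a defender can reproduce on a SPAN port with a small parser. The detector below is an added example, not CyberX’s product or report code: the packet tuples and payloads are constructed. It recognises FTP `USER`/`PASS` commands and the community string of SNMPv1/v2c messages (SNMPv3 carries no community string and is skipped), and it redacts the secret in its findings, since the point is to locate the flow that needs fixing, not to log the credential again.

```python
"""Passive detector for credentials crossing an OT network in clear text.

Added example, not CyberX's product or report code: the packet tuples and
payloads below are constructed. It recognises FTP USER/PASS commands and
SNMPv1/v2c community strings (SNMPv3 is skipped: it carries no community
string)."""


def ber_read(buf, pos):
    """Read one BER TLV at `pos`; return (tag, value, next_pos).
    Handles short-form and long-form lengths."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def snmp_community(payload):
    """Return (version, community) for an SNMPv1/v2c message, else None."""
    try:
        tag, body, _ = ber_read(payload, 0)
        if tag != 0x30:                    # message is a SEQUENCE
            return None
        vtag, version, p = ber_read(body, 0)
        ctag, community, _ = ber_read(body, p)
        if vtag != 0x02 or ctag != 0x04:   # INTEGER version, OCTET STRING community
            return None
        names = {0: "v1", 1: "v2c"}
        v = int.from_bytes(version, "big")
        if v not in names:
            return None
        return names[v], community.decode("ascii", "replace")
    except IndexError:                     # truncated or non-SNMP datagram
        return None


def ftp_credentials(payload):
    """Return [(command, argument)] for USER/PASS lines in an FTP control stream."""
    found = []
    for line in payload.decode("ascii", "replace").splitlines():
        cmd, _, arg = line.strip().partition(" ")
        if cmd.upper() in ("USER", "PASS"):
            found.append((cmd.upper(), arg))
    return found


def find_cleartext_credentials(packets):
    """packets: iterable of (src, dst, dst_port, payload). Passwords are
    redacted in the findings; the point is to locate the flow, not log the secret."""
    findings = []
    for src, dst, dport, payload in packets:
        if dport == 21:
            for cmd, arg in ftp_credentials(payload):
                findings.append({"proto": "FTP", "src": src, "dst": dst, "field": cmd,
                                 "value": arg if cmd == "USER" else "<redacted>"})
        elif dport == 161:
            hit = snmp_community(payload)
            if hit:
                findings.append({"proto": "SNMP", "src": src, "dst": dst,
                                 "field": hit[0] + " community", "value": hit[1]})
    return findings


# Constructed capture: an FTP login to a PLC, an SNMPv2c poll with the
# default 'public' community, an SNMPv3 message, and a Modbus/TCP read.
SNMP_V2C_GET = (b"\x30\x18\x02\x01\x01\x04\x06public"
                b"\xa0\x0b\x02\x01\x01\x02\x01\x00\x02\x01\x00\x30\x00")
SNMP_V3 = b"\x30\x08\x02\x01\x03\x30\x03\x02\x01\x05"
SAMPLE_PACKETS = [
    ("10.1.1.5", "10.1.1.20", 21, b"USER plc_admin\r\n"),
    ("10.1.1.5", "10.1.1.20", 21, b"PASS hunter2\r\n"),
    ("10.1.1.9", "10.1.1.30", 161, SNMP_V2C_GET),
    ("10.1.1.9", "10.1.1.31", 161, SNMP_V3),
    ("10.1.1.40", "10.1.1.50", 502, b"\x00\x01\x00\x00\x00\x06\x01\x03\x00\x00\x00\x01"),
]

if __name__ == "__main__":
    for f in find_cleartext_credentials(SAMPLE_PACKETS):
        print(f)
```

Each finding names the two endpoints, which is what an OT team needs: the fix is on the device (move to SFTP or SNMPv3 with authPriv, or at least isolate the segment), and a plain-text hit on port 161 with the community `public` is also the first thing an intruder doing reconnaissance would see, so it ranks high for remediation.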

Whether for convenience or inattention, 40 percent of industrial sites have at least one direct connection to the public internet. With digitization as a key business driver, operational technology (OT) networks are now also increasingly connected to corporate IT networks, providing additional digital pathways for attackers.

According to our findings, at least 57 percent of industrial sites are still not running any anti-virus protection that updates signatures automatically, leaving the programs largely ineffective, and 16 percent have at least one wireless access point (WAP). Misconfigured WAPs can be accessed by unauthorized laptops and mobile devices, and sophisticated malware such as VPNFilter targets access points such as routers and VPN gateways, enabling attackers to capture Modbus traffic, perform network mapping, destroy router firmware and launch attacks on OT endpoints.

As we continue to both assess past attack methods and the current state of our networks and vulnerabilities, a path towards remediation and protection becomes clearer. Not everything can be protected at once, but ruthless prioritization is required. In the report, we lay out a series of eight steps towards protecting an organization’s most essential assets and processes. These include continuous ICS network monitoring to immediately spot attempts to exploit unpatched systems before attackers can do any damage; threat modeling to prioritize mitigation of the highest consequence attack vectors; and more granular network segmentation.

Analyzing the data for the second time in two years also gave us an opportunity to compare data and look for trends. Perhaps the most important conclusion we reached after looking at the delta between last year’s report and this year’s is that the delta itself is small: the industry may not have changed much over the course of the past year. Other than the drop in industrial sites using legacy Windows systems from 76 percent last year to 53 percent this year, the rest of our data changed in relatively small increments.

In comparison to last year, where the median overall risk-readiness score across all industrial verticals was 61 percent, our latest research puts the score at 70 percent. These results, however, fall short of CyberX’s minimal recommended readiness score of 80 percent. With this year’s report, the risk-readiness score by industry is 67 percent for manufacturing, 68 percent for pharmaceuticals and chemicals, 79 percent for energy and utilities, and 81 percent for oil and gas.

As these numbers suggest, awareness about the need for stronger ICS defenses is growing, but there’s still a lot of work to be done. When looking at the scope of the current ICS security situation and its many complexities, it bears remembering that we are attempting to close a 25-year gap between OT and IT security practices.

The 25 Passwords Leaked Online in 2018

SkOUT Secure Intelligence has released the top 25 passwords that were leaked online in 2018.

The top 25 included the perennial favorites ‘123456’ and ‘password’ in first and second place, respectively. These were followed by ‘123456789’, ‘12345678’ and ‘12345’, rounding out the top five. The list also included other obvious choices such as ‘admin’ and ‘qwerty’. New entrants to the top 25 include ‘princess’ and ‘donald’, which SkOUT says is a reference to President Donald Trump.

The 25 most commonly used passwords of 2018

  1. 123456 (Unchanged)
  2. password (Unchanged)
  3. 123456789 (Up 3)
  4. 12345678 (Down 1)
  5. 12345 (Unchanged)
  6. 111111 (New)
  7. 1234567 (Up 1)
  8. sunshine (New)
  9. qwerty (Down 5)
  10. iloveyou (Unchanged)
  11. princess (New)
  12. admin (Down 1)
  13. welcome (Down 1)
  14. 666666 (New)
  15. abc123 (Unchanged)
  16. football (Down 7)
  17. 123123 (Unchanged)
  18. monkey (Down 5)
  19. 654321 (New)
  20. !@#$%^&* (New)
  21. charlie (New)
  22. aa123456 (New)
  23. donald (New)
  24. password1 (New)
  25. qwerty123 (New)

“A good password is the first line of defence between your data and an attacker, so it is vitally important that you make password security a priority in your personal and business life,” said Skout chief technology officer Jessvin Thomas. “If you are guilty of reusing, rotating, or using notoriously weak passwords, you are making yourself or your business an easy target for attackers.”
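The practical use of a list like this is as a blocklist at password-set time: reject anything on it, including the obvious dressed-up variants (capitalised, a year appended, ‘@’ for ‘a’), which is what NIST SP 800-63B asks for instead of composition rules. The checker below is an added example, not SkOUT’s tool; the blocklist is the 25 entries printed above, while the normalisation rules and the 8-character minimum are my choices.

```python
"""Blocklist check against the 2018 top-25 list.

Added example, not SkOUT's own tool: the normalisation rules and the
8-character minimum (in line with NIST SP 800-63B) are my choices; the
blocklist is the list printed in the article."""
import re

TOP_25_2018 = [
    "123456", "password", "123456789", "12345678", "12345", "111111", "1234567",
    "sunshine", "qwerty", "iloveyou", "princess", "admin", "welcome", "666666",
    "abc123", "football", "123123", "monkey", "654321", "!@#$%^&*", "charlie",
    "aa123456", "donald", "password1", "qwerty123",
]
BLOCKSET = set(TOP_25_2018)

# Common substitutions users apply to a blocked word to get it accepted.
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "!": "i",
                      "3": "e", "4": "a", "5": "s"})
MIN_LENGTH = 8


def candidate_forms(password):
    """Forms of the password to test against the blocklist: as typed
    (lower-cased), with trailing symbols removed, with trailing digits and
    symbols removed, and each of those with leet substitutions undone."""
    lower = password.lower()
    forms = {lower,
             re.sub(r"[^a-z0-9]+$", "", lower),    # "123456!"      -> "123456"
             re.sub(r"[^a-z]+$", "", lower)}       # "p@ssw0rd2019" -> "p@ssw0rd"
    forms |= {f.translate(LEET) for f in forms}     # "p@ssw0rd"     -> "password"
    return {f for f in forms if f}


def is_blocklisted(password):
    return any(form in BLOCKSET for form in candidate_forms(password))


def check_password(password):
    """Return the list of policy failures for a proposed password
    (an empty list means it is accepted)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too_short")
    if is_blocklisted(password):
        problems.append("blocklisted")
    return problems


if __name__ == "__main__":
    for pw in ("P@ssw0rd2019", "Monkey", "correct horse battery staple"):
        print(pw, "->", check_password(pw) or "ok")
```

A real deployment swaps the 25 entries for a large breached-password corpus; the normalisation logic stays the same, and it is the normalisation that stops ‘P@ssw0rd2019’ from sailing through a check that only compares exact strings.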

DNC issues cybersecurity guidance for 2020 election

Stung by Russian hackers intent on swaying the 2016 presidential election, the Democratic National Committee (DNC) has put considerable resources into shoring up cybersecurity and on Friday released a checklist meant to secure campaign and candidate devices.

“The checklist is exactly that: a list of steps you can complete and then check off,” DNC CSO Bob Lord said in a blog post. “The goal is to print it out, and run through it line by line.”

The guidance covers encryption, passwords, PINs, two-factor authentication, email safeguards and the importance of security updates.  “If you are working in a political party or on a campaign, and you have a personal Gmail account, please enroll in Google’s Advanced Protection program,” the DNC advised, explaining the program “uses a physical key to log you into your Gmail account, and dramatically reduces the risk of getting phished.”

The advisory touches on other protections beyond the checklist, such as Facebook privacy settings, secure chat, setting up security questions and reducing the attack surface by using a Chromebook or iPad.

Retail trading industry targeted with malware attacks; stolen data being sold on Dark Web

  • A Trojan is believed to be circulating among trading firms allowing attackers to steal information on a large scale.
  • Panda Trading Systems, a tech service provider to trading firms found that the malware used was Emotet.

With malware campaigns targeting nearly every industry, retail trading firms are no exception. A recent investigation by Panda Trading Systems showed that the popular banking trojan Emotet was compromising systems associated with trading firms. Even worse, the attackers behind these malware campaigns were selling the stolen data on the dark web.

When the tech service provider conducted security scans on some of its customers’ computers, it found that Emotet was exfiltrating databases belonging to marketing networks and to many senior executives within brokerages.

The analysis showed a typical campaign for the banking trojan: a malicious attachment (a PDF or Word document) in a spam email downloads the malware when it is opened.

An Organized Attack

Dikla Sheffer, Director of Business Operations at Panda Trading Systems, told Finance Magnates that these attacks were planned and perpetrated in an organized way.

“This is an organized attack on brokerages, affiliate networks, PSPs, VOIPs, and other companies operating within the retail trading industry. Once we identified the virus, we saw fit to publish a warning and share our findings, in the hope that industry colleagues will become more aware of cybersecurity dangers and take the necessary steps to protect themselves,” she said.

The company also stated that it has found other types of malware making rounds in the trading industry. On top of this, it was discovered that the attackers were selling sensitive information such as client lists, to buyers on the dark web. Many malicious sites were also disclosing confidential data as ‘downloads’.

Dunn Brothers, Chino Latino and other Minnesota businesses hit by data breach

  • The breach occurred between January 3, 2019, and January 24, 2019.
  • North Country Business Products, Inc. said that, on January 4, 2019, it became aware of suspicious activity occurring within certain client networks.

North Country Business Products, Inc. has announced a data breach that may have impacted hundreds of restaurants and coffee shops operating in Minnesota. This includes the likes of Dunn Brothers Coffee, Tacos Trompo in Fargo, the West Fargo VFW Post 7546 and Vinyl Taco in Grand Forks.

Discovery of the breach

According to the data breach notification, the breach occurred between January 3, 2019, and January 24, 2019. The attackers may have gained unauthorized access to credit and debit card information of customers who visited the affected shops during this period.

North Country said that, on January 4, 2019, it learned of suspicious activity occurring within certain client networks. Upon discovery, it immediately launched an investigation to determine the nature and scope of the event.

Modus operandi

On January 30, it was found that hackers had deployed info-stealing malware at some of the restaurants that are in partnership with North Country. This malware was used to collect specific information such as the cardholder’s name, credit card number, expiration date, and CVV.

“On January 30, 2019, the investigation determined that an unauthorized party was able to deploy malware to certain of North Country’s business partners’ restaurants between January 3, 2019, and January 24, 2019, that collected credit and debit card information. Specific information potentially accessed includes the cardholder’s name, credit card number, expiration date, and CVV,” said the notification report.

In the wake of the incident, North Country has started notifying the potentially affected customers. It has also advised them to review their accounts for any suspicious activity.

Third batch containing 93 million account credentials stolen from 8 companies put up for sale on the Dark Web

  • Following the second batch of 127 million accounts stolen from 8 companies, the third batch containing 93 million accounts stolen from 8 companies was made available for sale on Dream Market marketplace.
  • Each listing the seller posted on Dream Market was accompanied by a message demanding fair justice for George Duke-Cohan, who was arrested and charged in a federal indictment, and warning that more data would be released otherwise.

The seller ‘gnosticplayers’ is back with a collection of 93 million stolen account credentials from 8 companies. This is the third batch gnosticplayers has put up for sale on the Dream Market marketplace; it is priced at 2.6249 bitcoin, about $9,400.

Earlier, the first batch containing almost 620 million stolen accounts from 16 companies and the second batch of 127 million stolen accounts from 8 companies were put up for sale on Dream Market.

Dream Market is a Dark Web marketplace where criminals sell an assortment of illegal products, such as user data, drugs, weapons, malware, and more.

What data was involved in the stolen accounts?

The data involved in the stolen accounts included first and last names, sex, phone numbers, location addresses, email addresses, usernames, passwords, SHA1 password hashes, password salts, IP addresses, login logs, API keys, company information, banking information, PayPal details, Facebook IDs, and more.

Eight companies affected

The stolen accounts belonged to the following 8 companies:

  1. Legendas.tv – 3.86 million records, priced at 0.35 bitcoin
  2. Jobandtalent – 11 million records, priced at 0.4995 bitcoin
  3. Onebip – 2.6 million records, priced at 0.2626 bitcoin
  4. StoryBird – 4 million records, priced at 0.2334 bitcoin
  5. StreetEasy – 1 million records, priced at 0.175 bitcoin
  6. GfyCat – 8 million records, priced at 0.35 bitcoin
  7. ClassPass – 1.5 million records, priced at 0.204 bitcoin
  8. Pizap – 60.8 million records, priced at 0.583 bitcoin

The breached companies belong to various sectors such as movie sharing service, job portal, mobile payment platform, storytelling service, real estate, GIF image hosting, fitness service, and online photo editor.

Message posted along with listings

Each listing the seller posted on Dream Market was accompanied by a message demanding fair justice for George Duke-Cohan, who was arrested and charged in a federal indictment, and warning that more data would be released otherwise.

George Duke-Cohan is a member of the Apophis Squad who was arrested and charged in a federal indictment with making false threats to schools and other institutions and launching DDoS attacks on websites.

“George Duke-Cohan is a young and talented boy, instead of giving him a chance, the UK govt sends him to prison for three years. Now, he’s been told by the American government, that he faces 65 years for the offense he was already sentenced to three years in the UK. It means he will be judged twice ??

May this upcoming release of dumps serve as a reminder:

When countries claim to respect their citizens, they have duty protect them. I wouldn’t be surprised whether George Duke-Cohan ends his life, the UK gov already destroyed him and doing this is like sentencing him to death. If he is not given a fair justice during the upcoming days, weeks, years, more data will be released….,” the message read, ZDNet reported.

The seller takes credit for the breaches

The seller ‘gnosticplayers’ admitted being responsible for the hacks and denied being just an intermediary. The seller noted that he plans to sell over one billion account credentials and then disappear with the money.

“My two main goals are: -money -downfall of American pigs. New leaks are coming, including one from a cryptocurrency exchange,” gnosticplayers told ZDNet.