This week’s news roundup features a data breach of over 770 million accounts, security doorbell Ring under fire, new ransomware, and more
A cybersecurity researcher has stumbled upon the largest cache of stolen or leaked data ever found in one public list. The now-infamous Collection #1 consists of 773 million unique email addresses and 21 million unique plaintext passwords, which appear to have been aggregated from roughly 2,000 leaked databases. The trove was 87 gigabytes in size and spread across 12,000 files. Fortunately, the credentials in Collection #1 do not go beyond email addresses and passwords: no credit card numbers, social security numbers, or other personal data. The data is most likely being used for phishing scams, blackmail, and automated credential-stuffing attempts, in which the leaked email/password pairs are replayed against other sites on the assumption that people reuse passwords.
However, the astronomical numbers only get more astronomical. When news of Collection #1 broke, other cybersecurity researchers began investigating, including one who communicated with the owner of Collection #1 and learned that Collections #2-5 also exist, and then some! This discovery should serve as a wakeup call for users to refresh and/or upgrade all their passwords. The only way to make sure your life is not impacted by a data breach is to make sure the data breach has none of your current data.
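A practical follow-up to the "refresh your passwords" advice is to check whether a password already sits in a dump like this without ever sending the password itself. The block below is an added example, not code from the original article or from Avast; it models, offline, the k-anonymity range-lookup pattern (hash the password locally, send only the first five hex characters of the SHA-1, match the suffix client-side). The leaked-password list, the server index and the fetch function are all constructed for illustration; the response format mirrors the "SUFFIX:COUNT" lines of the public Pwned Passwords range API, but no network call is made.

```python
"""Offline model of a k-anonymity password-exposure check (client and server)."""
import hashlib
from collections import Counter
from typing import Callable, Dict, List

PREFIX_LEN = 5  # client reveals only 5 hex chars (20 bits) of the SHA-1 digest

# Constructed sample dump standing in for the password column of a leak.
# Repeats model the same password turning up in several breached databases.
SAMPLE_DUMP: List[str] = [
    "password", "password", "password",
    "123456", "123456",
    "qwerty",
    "letmein",
]


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the password; SHA-1 is the dump-lookup key here,
    not a recommendation for storing passwords."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(dump: List[str]) -> Dict[str, Dict[str, int]]:
    """Server side: bucket every leaked digest by its 5-char prefix,
    remembering how often each full digest occurred."""
    counts = Counter(sha1_hex(p) for p in dump)
    index: Dict[str, Dict[str, int]] = {}
    for digest, n in counts.items():
        index.setdefault(digest[:PREFIX_LEN], {})[digest[PREFIX_LEN:]] = n
    return index


def range_response(index: Dict[str, Dict[str, int]], prefix: str) -> str:
    """Server side: answer a range query with every suffix in that bucket,
    one 'SUFFIX:COUNT' per line. The server never learns which suffix the
    client actually cares about."""
    if len(prefix) != PREFIX_LEN or any(c not in "0123456789ABCDEF" for c in prefix):
        raise ValueError("prefix must be exactly 5 uppercase hex characters")
    bucket = index.get(prefix, {})
    return "\n".join(f"{suffix}:{n}" for suffix, n in sorted(bucket.items()))


def check_password(password: str, fetch: Callable[[str], str]) -> int:
    """Client side: hash locally, send only the prefix, compare suffixes locally.
    Returns how many times the password appeared in the dump (0 = not found)."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:PREFIX_LEN], digest[PREFIX_LEN:]
    for line in fetch(prefix).splitlines():
        if not line.strip():
            continue
        candidate, count = line.split(":", 1)
        if candidate == suffix:
            return int(count)
    return 0


# Hypothetical in-process "server" built from the constructed dump.
INDEX = build_range_index(SAMPLE_DUMP)


def local_fetch(prefix: str) -> str:
    """Stand-in for the HTTP GET of /range/<prefix>; runs entirely offline."""
    return range_response(INDEX, prefix)


if __name__ == "__main__":
    for pw in ["password", "qwerty", "correct horse battery staple"]:
        n = check_password(pw, local_fetch)
        print(f"{pw!r}: {'exposed ' + str(n) + 'x' if n else 'not in sample dump'}")
```

Two points worth noticing: the only thing that crosses the wire is a 5-character prefix that is shared by thousands of unrelated digests, and a hit does not mean "this account was breached", only that the exact password string is in circulation and should be retired wherever it is used.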
Ring has caught on with homeowners everywhere, and the doorbell camera is a common sight on doorsteps across the country, which is why Amazon purchased the company for one billion dollars. But Ring has been criticized for poor security practices and potential abuse of sensitive customer information. Sources claim that Ring granted its Ukraine-based R&D team full access to every customer Ring video ever created. In addition, the source claims engineers and executives had access to certain customer live feeds, despite the fact that there was no reason for them to have this permission. A Ring spokesperson denies that access was ever granted, though several sources assert it was.
Fortnite, the mega-hit game played by over 150 million people worldwide, was found to have a flaw in its authentication process that allowed bad actors to send malicious links to millions of players. If a player clicked the link, the attacker could take over the account, in particular to hijack the player's virtual currency and eavesdrop on live in-game conversations. It is unclear how many players were compromised this way, but Fortnite developer Epic Games states it addressed the vulnerabilities as soon as it was made aware of them. Fortnite is a shoot-em-up survival deathmatch where the last person standing wins...and dances.
Hanover County, Virginia issued a Notice of Data Breach to all residents this week. The problem was a compromised payment portal that residents used to pay public utilities, permit fees, license fees, and fines. A vulnerability in the Click2Gov system allowed attackers to access names, credit card numbers, and expiration dates entered between August 1, 2018 and January 9, 2019. Residents were advised to keep a close eye on their bank statements and credit reports, and were encouraged to cancel the credit card they used on Click2Gov. This is the second Click2Gov breach in two months; we reported on an even larger Click2Gov breach in December involving 300,000 payment records.
“Negligence better describes what happened here,” states Luis Corrons, Avast security evangelist. “When you are responsible for a system and know that the same system was abused through a vulnerability less than two months ago, the least you can do is to ensure that you are running the latest version. Even worse,” Corrons continues, “they only became aware of the breach because they were told by an external party, and only because they are left with no other options, are they finally taking action to solve the problem.”
A new strain of ransomware has been making the rounds with an extra malicious grab for your money. The ransomware itself is reportedly straightforward. The twist is in the payment options: in addition to the standard bitcoin payment, the victim is offered the option to pay by PayPal. This is where phishing-style social engineering comes into play. If the victim clicks the PayPal option, they are taken to a lookalike PayPal page designed to steal both their credit card details and their PayPal login credentials, so a single infection can cost the victim the ransom, the card, and the account. This double-whammy of a malware infection is still at large, so readers are encouraged to beware.
“Evil is always creative,” notes Corrons, “and this is a good example of a scenario that could easily make a lot of victims fall right into the trap.” Corrons' steadfast advice is straightforward and sidesteps this particular trap entirely: never, ever pay a ransom.
The World Economic Forum has released its Global Risk Report 2019, and along with climate change and weapons of mass destruction, cyberattacks and data breaches are listed as this year’s greatest world threats. Borge Brende, President of the WEF, states that technology is the world’s blind spot at the moment, warning that if we do not pay more attention to protecting our systems and data, cyberattacks could yield disastrous results for the general public. While this may not be the cheeriest news on which to begin the year, it serves as a sobering reminder to remain alert.
“We rely so much on technology that a cyberattack can disrupt our lives,” adds Corrons. “As the influence of technology in our everyday existence grows exponentially, so does the attack surface and the consequences we'll have to face.”
Avast is a global leader in cybersecurity, protecting hundreds of millions of users around the world. Protect all of your devices with award-winning free antivirus. Safeguard your privacy and encrypt your online connection with SecureLine VPN.