This month in data breaches: September edition

Another month, another litany of breaches to discuss. We join you at the end of September 2022, which, even by modern standards, has offered tough lessons for organisations large and small about being careful whom you give sensitive information to.

We’ve got a lot of ground to cover, so let’s get started examining September in data breaches.

Uber

When it comes to breaches, they don’t get any more high-profile than Uber.

According to reports, a 17-year-old hacker was able to access user data, vulnerabilities reported to Uber’s HackerOne account, and Uber’s IT infrastructure.

The attacker most likely obtained a corporate password of an Uber contractor and, from there, gained access to a host of internal systems.

There are some intriguing aspects of the attack itself that cybersecurity experts and organisations may learn from. The human element, including social engineering and multi-factor authentication fatigue, has received much attention. Lapsus$ was identified in Uber’s security update as a potential attacker group of interest, which has provided some answers.

Credential theft continues to pose the most significant risk in this case and many others. As we’ve lately noticed, hackers are getting better at bypassing MFA by using a variety of channels and techniques. In fact, there are numerous MFA compromises in the Uber story.

Since your employees are your gatekeepers, regularly train them on how to spot and report phishing to help prevent identity theft. Take a look at our identity theft course here.

Rockstar Games

The individuals behind the Uber hack struck again in September, claiming responsibility for hacking gaming giant Rockstar Games after targeting mega-brands like Microsoft, Cisco, Samsung, Nvidia, Okta and, as previously mentioned, Uber.

Arguably the most anticipated video game in history, Grand Theft Auto 6, had been kept well under wraps by studio Rockstar Games. That was until roughly 90 videos showing in-development gameplay footage appeared on GTAForums from an account with the user name “teapotuberhacker”.

The videos, which had a total runtime of about 50 minutes, were shared on social media and reported widely.

After publishing the allegedly in-development video on September 18, 2022, teapotuberhacker claimed they planned to “negotiate a deal” with the game publisher to return unpublished data, including the source code for Grand Theft Auto 5 and the in-development version of Grand Theft Auto 6.

As with Uber, an employee password was obtained and Slack was then used; it’s likely that information shared between staff members there was used to gain further access to sensitive data.

TikTok

Early in September, security experts found a critical TikTok vulnerability that would have exposed users to a one-click account takeover. On September 3rd, the initial claims of an alleged hack were posted on the Breach Forums message board.

Screenshots from a TikTok and WeChat breach were purportedly released by a user going by the username AgainstTheWest. In that posting, the user claimed they had yet to decide whether to sell the allegedly stolen material or make it available to the public.

In addition to a video displaying one set of database tables, two links to samples of the data were also made public. The ad goes on to say that they have taken 2 billion records from the database.

BlueHornet|AgainstTheWest, a Twitter user, also claims to have taken “internal backend source code” in a tweet.

According to a spokesman for TikTok, no proof of a security vulnerability has been discovered. Out of an abundance of caution, we advise all TikTok users, and organisations across their everyday accounts, to make sure two-factor authentication (2FA) is always turned on.

Revolut

Customers of Revolut first noticed something was amiss on September 11th, when reports of “inappropriate wording via chat” surfaced. A few days later, some users received an email notification stating that a cyberattack had affected their accounts.

Revolut reported that while the attackers were unable to access funds, credit card information, PINs, or passwords, they did have access to the personal information of the impacted users.

The State Data Protection Inspectorate of Lithuania disclosed that Revolut Bank had experienced a data breach, that social engineering techniques were used to gain access to the database, and that 50,150 customers’ data from all over the world may have been compromised. This data included names, addresses, email addresses, telephone numbers, part of the payment card data, and account details.

Revolut emphasised to users after this event that “We will never ask you for your details or passwords.” However, only a few days later, clients began receiving SMS phishing (smishing) messages, although these don’t seem to be specifically targeted at individuals who were compromised.

Recipients were then taken through a set of well-crafted pages asking them to log into Revolut by entering their phone number, passcode, full name, email address, date of birth, and the details of the debit card attached to their account.

This data breach highlights the risks of smishing and the effect it can have on a whole organisation. Our brand-new course, Hook, Line and Sinker: The Game, gives employees smishing and phishing training on how to spot the early signs. View the course here.

So, what can we learn from this?

Looking closely at these breaches, you’ll note that a pattern emerges, namely, the use of social engineering techniques to trick users into giving out personal information.

Whilst human error is unavoidable and largely inevitable, the damage from those errors can be controlled and limited.

Indeed, the type of password-based attacks described in the Uber and Rockstar Games breaches could have been stopped entirely if multi-factor authentication was in place across all organisation members – especially those with access to privileged information.

There is no shortage of threats which can seriously harm your business, but there is hope. Cybersecurity awareness training is a proven method to reduce your risk of breach and give your team the skills required to spot the telltale signs of potential threats. Start training your team today.
