Surge of Cybersecurity Problems Reported in Recent Days
YouTube, dating apps, food-delivery services and other platforms witness extensive breaches of personal information.
A large number of cybersecurity incidents in just over the last week included a YouTube account hijacking, a dating app exposure, a DoorDash data breach, and the hacking of social media game developer Zynga.
ZDNet discovered a huge upsurge of account hijacks hitting YouTube users, especially within the auto-tuning and car review community. The list included channels such as Built, Troy Sowers, Maxtchekvids, PURE Function, and Musafir.
Rosemary O’Neill, director of customer delivery, NuData Security, a Mastercard company, commented: “Companies like YouTube need to have better tools to protect their users to reduce the chances of an attack. In this case, the reliance on user credentials was the main authentication gap – whether a password, a security question or a one-time code.”
Peter Goldstein, chief technology officer/co-founder, Valimail, noted, “By sending convincing emails to YouTube influencers directing them to a seemingly legitimate Google login page, hackers are attempting to steal login credentials and take over accounts.”
Turkey-based online dating app Heyyo left open a leaky Elasticsearch server holding the personal details, images, location data, phone numbers, and dating preferences of nearly 72,000 users, according to ZDNet.
“Heyyo is giving criminals everything they need to perpetrate identity theft and account takeover. In 2019, we have seen an increase in online dating scams and attacks, such as catfishing, extortion, stalking and sexual assault,” Robert Prigge, president, Jumio, said.
“Database misconfigurations have proven time and time again to be the Achilles’ heel of many organizations that have suffered data breaches this year,” Chris DeRamus, co-founder/chief technology officer, DivvyCloud, suggested.
Anurag Kahol, chief technology officer, Bitglass, said, “Within the past month, we have seen millions of consumer records impacted in incidents involving Ecuador, Suprema, MoviePass, and now Heyyo.”
Eve Maler, vice president of innovation/emerging technology, ForgeRock, held, “The leaked user data is more than enough information for hackers to launch spearphishing or extortion campaigns—where bad actors leverage users’ dating life and habits as blackmail—similar to the Ashley Madison extortion scheme.”
Food delivery company DoorDash confirmed that a data breach involving a third-party service provider on May 4 affected 4.9 million customers, delivery workers and merchants. Users who joined before April 5, 2018 had names, email and delivery addresses, order history, phone numbers, hashed (one-way encryption) and salted (with random characters) passwords, and the last four digits of payment cards taken.
Ben Goodman, vice president of global strategy/innovation, ForgeRock, explained, “While it’s still unknown why DoorDash took almost five months to publicly announce their breach, the food delivery app company could be subjected to significant fines for not addressing the major security incident more promptly.”
Vinay Sridhara, chief technology officer, Balbix, said, “In a saturated food delivery app market, DoorDash must recognize that cybersecurity and customer privacy are becoming essential facets to a successful business.”
DeRamus held, “Companies, such as DoorDash, whose entire platform between delivery worker, customer and restaurant is driven through a digital application, need to invest in improving their cloud infrastructure.”
Stephan Chenette, co-founder/chief technology officer, AttackIQ, said, “This incident is a good reminder that it’s not just customers who are impacted when a breach occurs. DoorDash must maintain the trust of workers and merchants in order to survive, and protecting their sensitive data is a big part of maintaining that trust.”
“Malicious parties can use payment card information and personally identifiable information to make fraudulent purchases, make a sale on the dark web for a quick profit, and much more,” Kahol added.
“The digital economy is powered by trust, and that becomes increasingly more important with these types of sharing economy companies who rely on collaboration and communication through trusted parties,” Kevin Gosschalk, CEO, Arkose Labs, stated.
Prigge said, “DoorDash is the second consumer mobile app that has announced a major data breach in 24 hours, and we can expect even more personal information available for sale on the dark web. For sharing economy companies, this is a huge concern.”
“Cybercriminals can use this kind of data, in combination with effective and widely used email impersonation techniques. In fact, 83% of phishing emails are brand or company impersonations,” Goldstein stated.
Colin Bastable, CEO, Lucy Security, commented: “Just because the passwords are hashed and salted does not mean that this was an innocuous hack. In the race to grab market share, businesses like DoorDash place security too far down the list.”
Third-party service reliance carries a larger than expected price tag, Mike Bittner, associate director of digital security/operations, The Media Trust, noted. “That price skyrockets when third parties fail to apply the right protections around the data consumers provide in exchange for the conveniences we offer.”
According to George Wrenn, CEO/founder, CyberSaint Security, “Technology-driven businesses must become significantly more diligent in their assessment of third-party vendors. Especially with a new business, breaches like this can be especially damning.”
Marty Puranik, CEO, Atlantic.Net, said, “It’s difficult for companies like DoorDash because they are integrating fast with new technologies and multiple teams to unveil new services to stay ahead of the competition. At the same time, they have to balance that with protecting customer data.”
A Pakistani hacker using the alias Gnosticplayers told The Hacker News he breached “Words with Friends” and other Zynga-developed games, exposing database access to more than 218 million users. The Hacker News said the stolen user information could include names, email addresses, hashed passwords, password reset tokens, phone numbers, and login, Facebook and Zynga account IDs.
Prigge said, “Because these games are often connected to user Facebook accounts, hackers can gain access to far more information under a forged identity.”
Gosschalk noted, “In the past three months, consumers could have had their identity breached by applying for a credit card with the largest card company, ordering food on a popular delivery app, signing up for a movie membership card, participating in online dating or even playing a game on their phone. No industry is safe if it involves user data.”