49 Million Records Exposed on Hacking Forum

Those affected by this breach are now vulnerable to fraud and phishing attacks for the foreseeable future.

Millions of people potentially had all, or most, of their information hacked. (Source: Shutterstock)

Exposed sensitive data, improper password administration and third-party mismanagement all continue to create problems for organizations seeking to protect personal information from the dark web and prying cybercriminal activity.

ZDNet reported that 49 million user records from an exposed Elasticsearch server belonging to U.S. data broker LimeLeads, which provides contacts used for pitches and sales, ended up for sale on an underground hacking forum.

Security researcher Bob Diachenko confirmed to ZDNet that LimeLeads had exposed an internal Elasticsearch server as an open system since at least July 2019. According to Diachenko, the LimeLeads data contained user details such as full name, title, user email, employer/company name, company address, city, state, ZIP code, phone number, website URL, company total revenue, and the company’s estimated number of employees.

Anurag Kahol, chief technology officer of Bitglass, reacted to the news: “Week after week, we witness companies leaving sensitive data vulnerable in the cloud due to simple mistakes and misconfigurations.” Kahol added that in this particular case, a failure to password protect an internal server led to over 49 million user records being made available for sale on the dark web. Those affected by this breach are now vulnerable to fraud and phishing attacks for the foreseeable future.

“In today’s global, data-centric landscape, database leaks continue to increase in frequency and in significance. Massive leaks have yet to slow down in the past two years and individuals’ personal information continues to be compromised from recurring breaches as critical security measures, such as passwords, are still yet to be deployed,” James Carder, chief security officer/vice president, LogRhythm said.

Carder pointed out that the database being left exposed for a period of two weeks was long enough for a cybercriminal to access the sensitive data. “In any case, when there is detection of a breach, rapid incident response can mean the difference between a damaging data breach and quick containment.”

Vinay Sridhara, chief technology officer of Balbix, also commented, “Organizations continue to miss the most basic security measure of properly password protecting critical assets. These types of embarrassing incidents, the effect of misconfigurations and poor cyber hygiene, are at the root of several recent leaks such as the Wyze data breach [exposing camera info, Wi-Fi network specifics and email addresses of customers] which leaked 2.4 million users’ data just last month.” Sridhara maintained that even though LimeLeads took immediate action to secure the exposed internal server and mitigate damage within 24 hours of notification, the Elasticsearch misconfiguration was exploitable since July 2019, possibly even longer. “This is another case of an ounce of prevention being worth a pound of cure.”
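As an added illustration of the misconfiguration the experts above describe (this is example code written for this article, not code from LimeLeads, ZDNet or the Elasticsearch project), the following audit reads a flat elasticsearch.yml and flags the combination that turns an internal cluster into an open server: a non-loopback bind address while authentication is switched off. The key names network.host, http.host and xpack.security.enabled are real Elasticsearch settings; the two sample configurations, the severity labels and the function names are the example's own.

```python
"""Audit a flat elasticsearch.yml for the combination that turns an
internal cluster into an open server: the HTTP port reachable from other
hosts while authentication is switched off.

Added example for this article, not LimeLeads' code or Elasticsearch's
own tooling. The setting names (network.host, http.host,
xpack.security.enabled) are real Elasticsearch keys; the sample configs
below are constructed.
"""
from __future__ import annotations

# Bind values that keep the HTTP port on the local machine only.
LOOPBACK_BINDS = {"127.0.0.1", "::1", "localhost", "_local_"}


def parse_flat_yaml(text: str) -> dict[str, str]:
    """Parse 'key: value' lines of a flat elasticsearch.yml.

    Strips comments, blank lines and simple quoting. Nested YAML is out of
    scope: elasticsearch.yml is conventionally written with dotted keys.
    """
    settings: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        settings[key.strip()] = value.strip().strip("'\"")
    return settings


def is_public_bind(value: str) -> bool:
    """True if any address in a comma-separated bind list is non-loopback."""
    return any(part.strip() not in LOOPBACK_BINDS
               for part in value.split(",") if part.strip())


def audit_elasticsearch_config(text: str) -> list[tuple[str, str]]:
    """Return (severity, message) findings; 'high' marks an open-server condition."""
    cfg = parse_flat_yaml(text)
    findings: list[tuple[str, str]] = []

    security = cfg.get("xpack.security.enabled", "").lower()
    # http.host overrides network.host; Elasticsearch's own default is loopback.
    bind = cfg.get("http.host") or cfg.get("network.host") or "127.0.0.1"

    if security == "false":
        findings.append(("medium", "xpack.security.enabled is false: REST API has no authentication"))
    elif security == "":
        findings.append(("low", "xpack.security.enabled not set: releases before 8.0 "
                                "default to disabled, verify the running version"))

    if is_public_bind(bind):
        findings.append(("info", f"HTTP bound to {bind!r}: reachable from other hosts"))
        if security != "true":
            findings.append(("high", "exposed server: non-loopback bind without authentication enabled"))

    return findings


def highest_severity(findings: list[tuple[str, str]]) -> str:
    """Collapse a findings list to its worst severity ('none' if empty)."""
    order = ["none", "info", "low", "medium", "high"]
    return max((sev for sev, _ in findings), key=order.index, default="none")


# Constructed samples: the weak shape the article describes and a hardened one.
WEAK_CONFIG = """
cluster.name: leads-internal
network.host: 0.0.0.0          # listens on every interface
xpack.security.enabled: false  # no credentials required
"""

HARDENED_CONFIG = """
cluster.name: leads-internal
network.host: _local_          # loopback only; reach it through a VPN or proxy
xpack.security.enabled: true   # users, roles and API keys required
xpack.security.http.ssl.enabled: true
"""


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        result = audit_elasticsearch_config(cfg)
        print(f"{name}: {highest_severity(result)}")
        for sev, msg in result:
            print(f"  [{sev}] {msg}")
```

The check is deliberately conservative: it treats a bind address that is not loopback as reachable and lets the operator decide whether a firewall or reverse proxy in front of it changes the picture, and it refuses to assume authentication is on when the setting is absent, because releases before 8.0 shipped with it disabled.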

In another incident, operators of Emotet, a kind of malware initially intended as a banking Trojan designed to steal financial data, launched a sophisticated phishing attack against email addresses associated with users at the United Nations. The Emotet attackers impersonated representatives of Norway, sending malicious emails to 600 unique email addresses belonging to U.N. employees and stating there was a problem with an attached signed agreement. If a victim opened the document and enabled its content, it executed a malicious Word macro that downloaded and installed Emotet on the computer.

Alexander García-Tobar, CEO/co-founder of Valimail, said, “The latest cyberattack against users affiliated with the United Nations demonstrates how a convincing phishing email can be an extremely effective attack vector — especially among high value/high ranking targets, in this case U.N. delegates instead of corporate executives.” He added that because these attacks differ from the normal Emotet spam campaigns (usually fake accounting reports, delivery notices and invoices), we know the bad actors are specifically tailoring their approach based on other acquired knowledge or data. “Blocking impersonations like these can stop more than 83% of malicious emails in their tracks.”

Why should financial institutions not directly affected by a breach or phishing campaign care?

Following up on the report of an information breach at Western Australia’s P&N Bank, Carder said, “In 2019, cyberattacks hit financial services firms 300 times more than other companies in the past year,” citing a 2019 report from Boston Consulting Group (BCG). Financial institutions continue to be a very attractive target for cybercriminals due to the large amounts of sensitive customer data they collect and store. “As with the case of this breach, P&N Bank relied on an outside party to host systems with sensitive data without having the visibility necessary to ensure that the third party had the proper security controls and processes in place to protect the data,” Carder said. He also noted that even if a breach is caused by a third party, the financial institution’s brand image and accountability are still directly associated with it.

Another reason: a Federal Reserve white paper released last July, “Synthetic Identity Fraud in the U.S. Payment System,” focused on the severity of this somewhat misunderstood fraud type, a mounting problem for credit unions and other financial institutions. The Fed paper reported that fraudsters increasingly use synthetic identities (created by amassing enough information on individuals from various schemes and frauds) to execute payment scams, which can evade detection by ID verification and credit-screening processes. Over time, fraudsters build up the synthetic identity’s creditworthiness, then “bust out” by purchasing high-value goods and services on credit before disappearing. Other consequences include denial of benefits, tax return rejections and health record inaccuracies.