Case Studies of Hacked Organizations

Hacked_Organizations

In this blog, we will reveal some of the most interesting facts behind four hacking events that you most likely heard of this year. If you did not investigate further than the headlines, then here is your chance to learn from their mistakes.

Spotify

A very recent TechCrunch.com article reported that a list containing hundreds of Spotify account credentials – including emails, usernames, and passwords – has popped up on the website Pastebin, in what appears to be a security breach. A Spotify spokesperson stated – “Spotify has not been hacked, and our user records are secure. We monitor Pastebin and other sites regularly. When we find Spotify credentials, we verify if they are authentic, and immediately notify affected users to change their passwords.” TechCrunch states – “After reaching out to a random sampling of the victims, we’ve confirmed that the Spotify accounts were compromised.”

Some of the reported user impacts are:

“found his account had been used by an unknown third party.”

“found their account email changed to an address not belonging to them.”

“I opened Spotify on my phone and saw someone using my account somewhere else.”

Unfortunately, because people often re-use their passwords on other sites, several reported their Facebook, Uber, Skype and even their bank accounts have been hacked into as well.

Breach of accounts one organization leads to breaches in other organizations. Related reading – Mat Honan: How I Resurrected My Digital Life After an Epic Hacking

Mate1

Motherboard, in an article this February 29th, reported that a hacker claims to have sold the email addresses and plain text passwords of over 27 million Mate1.com users.

“Their server was compromised, and the MySQL database was dumped,” the hacker, who remains anonymous, told Motherboard. “I had shell/command access to their server.”

“On Monday, this reporter clicked the forgotten password feature on Mate1’s login page. The full, plaintext password was then emailed, further corroborating that the site does indeed store passwords without any hashing.

The serious threat is that some victims used the same password for Mate1 as their other accounts. Anyone in possession of the Mate1 database could then try the compromised log-in credentials against many other web services. Unless you have a good way to distinguish the malicious users from your real users, you run the risk to have some of your client accounts exposed.

AliBaba/Taobao

On February 4th, Reuters reported that hackers in China obtained a database of 99 million usernames and passwords from a number of websites. The hackers then used Alibaba’s cloud computing platform to input the details into Taobao. Of the 99 million usernames, they found 20.59 million were also being used for Taobao accounts. The hackers used compromised accounts to fake orders on Taobao, a practice known as “brushing” in China and used to raise sellers’ rankings. The attack started in mid-October and was discovered in November.

Such attacks has a very high success rate. In this case, there was approximately 20% success rate. The key reason is that 60%+ of users reuse their passwords.

FitBit

On January 8th, CNBC reported on an article first published by BuzzFeed.

“Fraudsters have been using leaked data to take over Fitbit accounts. The criminals used leaked email addresses and passwords from third-party sites to log into accounts. Once inside the accounts, the attackers changed the details in an attempt to defraud the company, Fitbit confirmed. They also had access to customer data showing where a person regularly runs or cycles, as well as what time a person goes to sleep.

In a message to users, Fitbit urged them to avoid reusing passwords across other accounts, which, it said, “leaves them more vulnerable to this type of malicious behavior.” In counter-point, users raised concerns about Fitbit’s light verification process and the absence of two-step verification for account changes. A company spokesman said the company is looking into greater security controls. “It’s a fair criticism. We don’t have two-step verification on the site at the moment – it is something we’re working on actively,” he said.

This incident shows that secure organizations can be breached if their users’ accounts are breached at other web services.

Conclusions

VeriClouds wants this article to serve as a reminder that there are ways to minimize the risk of falling victim to cyber-attacks.

  1. Use Network Monitoring services. Refer to out blog “Why Web Services are Vulnerable” for more detail.
  2. Look for apparently legitimate accounts exhibiting suspicious behavior such as transferring unusually large amounts of data.
  3. Scan network activity for suspicious signatures in the entire HTTP request, including the headers, URL, parameters, and data payload.
  4. “Machine learning” is a network security measure that tries to determine which accounts are hacked based on logs of previously identified hacked accounts.

All of these methods provide some degree of security improvement. None of them alone do the whole job, so the solution becomes expensive and complex.

The Vericlouds credentials monitoring service is the most efficient and effective solution because it allows you to know exactly which accounts have been compromised. You can prevent the attack before it happens by blocking or disabling known compromised accounts.

ABOUT VERICLOUDS

VeriClouds was founded by Rui Wang and Stan Bounev in 2014 to resolve the authentication security issues in Cloud Services. Information Security is not just a business opportunity. It is a calling, a passion, even an obsession. Rui and Stan joined forces to create ways to make the world more secure by making it safer to do business online. Rui has a Ph.D. in Cyber Security, and Stan is a successful entrepreneur with over 14 years of corporate and startup experience in the banking and technology industries.

Spread the word. Share this post!

We Accept Only Business Email Addresses – No Free or ISP Email Addresses

Please enter a business email address to obtain proper delivery of the product. If you do not have a business email address or experience any issues during the registration process, please send an email to support@vericlouds.com