6 Major Data Breaches We Found and Reported in 2018
The 6 data breaches we’ve found in 2018 made us once again think about the importance of powerful protection of your sensitive information. Keeping an eye on everything is hard without extra help, so getting a professional protection app like MacKeeper is a good idea. Its ID Theft Guard can secure you from spies, hackers, and more.
In this post, we’ve gathered 6 breaches that occurred in 2018. The research was conducted by Chris Vickery — a data breach hunter, who collaborated with MacKeeper to publish security and data breaches reports on the MacKeeper blog.
Have I Been Pwnd service will check your emails for data breaches
A note from our experts:
Every year, it becomes increasingly difficult to keep your data confidential. Protect yourself with MacKeeper’s ID Theft Guard tool before reading more about data breach reports in 2018.
From the left-hand menu, select ID Theft Guard and click Scan new email.
Enter your email address and click Start scan.
Step 1. MacKeeper > ID Theft Guard > Scan new emailStep 2. Type in your email address > Start Scan
FedEx customer records exposed
In February 2018, Chris Vickery stumbled upon a publically available Amazon S3 bucket, belonging to Bongo International LLC.
The exposed bucket contained more than 119 thousand scanned documents of US and foreign citizens, such as passports, driving licenses, and security IDs, among others. The IDs were accompanied by scanned "Applications for Delivery of Mail Through Agent" forms (PS Form 1583), which also contained names, home addresses, phone numbers, and ZIP codes.
In 2014, FedEx Corp. bought Bongo International and relaunched it as FedEx Cross-Border International. The service was shut down three years later. However, the data inherited from Bongo International LLC services from the 2009-2012 era remained publicly available.
On February 13th, after effortless attempts to get in touch with FedEx via FedEx Cross Border Merchant Customer Support line and emails, Vickery requested the assistance of ZDNet reporter, Zack Whittaker. Shortly after, the company confirmed its connection to the data and reassured Zack that none of it had been misappropriated. Read Zach’s take on the story at ZDnet.
A lesson to learn
The acquisition of Bongo International LLC and its subsequent data breach, highlight the importance of proper data management before, during, and after the sale.
When a company is being acquired, it is obliged to notify the customers about the acquisition and the transfer of their data to a new owner. The acquiring company should send the customers a data protection notice and allow them to opt-out of the data transfer. Furthermore, the acquiring company should use the opportunity to identify any security and data privacy risks during the integration or migration stage of the purchase.
If you worry about your data being exposed by this or any other cybersecurity incident, learn how to act after a data breach.
Tens of thousands of vulnerable MongoDB servers
In March 2018, MacKeeper’s experts tested the security of MongoDB, a popular NoSQL database commonly misconfigured for public access. A honeypot or fake database setup created by the researchers was attacked by an automated script from a Chinese IP address. The compromise was completed in just 13 seconds.
The MacKeeper’s experts took the following steps to create the honeypot database:
Deployed Splunk on EC2 instance with 30 GB storage.
Configured location dashboard with locations of hosts that attempted to connect to the Honeypot.
Configured Top 25 IP dashboard with Top 25 IP addresses by the count of connections.
Configured indexes for storing and accessing all collected data.
Deployed MongoDB version 2.6.10 on EC2 instance with 30GB storage.
Deployed MongoDB Monitoring Splunk App for log forwarding of MongoDB logs.
Configured MongoDB for maximal verbosity of authentication logs and interactions logs.
Deployed Splunk forwarder and Splunk Linux Auditd for auditd logs.
Generated and uploaded a fake dataset into 2 databases on MongoDB: ***_prod, ***_dev.
Backed up MongoDB Honeypot for recovery after a ransomware attack.
Opened MongoDB for all TCP connections on 27017 port (typical misconfigured MongoDB)
After accessing the honeypot, the script deleted the Journals and created a database called Warning with Readme collection and the Solution record. Then, it left the following ransomware message for the database owners:
A lesson to learn
Although no data was lost in the breach of the test database, tens of thousands of real MongoDB databases are still vulnerable to cyberattacks. To address the issue the company has updated its software with secure defaults and released security guidelines. Nevertheless, there are approximately 54,000 databases that haven’t been secured yet.
Cryptocurrency leaks personal information on thousands of investors
In March 2018, MacKeeper’s researchers discovered a publicly available database operated by a cryptocurrency company, Bezop. The database contained full names, addresses, email addresses, encrypted passwords, wallet information, along with links to scanned passports, driver's licenses, and other IDs of over 25,000 owners of the cryptocurrency.
The transaction and cryptocurrency side of Bezop was built around Ethereum, an open blockchain technology allowing developers to easily design distributed systems for creating cryptocurrency and managing transactions. The front end store side of Bezop's system was reportedly based on HTML5, React JS, Node Js, and MongoDB.
Although the MongoDB vulnerabilities are well known, it’s difficult to grasp how the data exposure could happen by mistake. The database could have only been configured to public access deliberately, which is a giant cybersecurity risk.
A lesson to learn
Bezop survived the bumpy opening and it is still operational. We hope that the data breach has taught the company a valuable lesson on the security vulnerabilities of Mongo databases. Let’s also hope that the company has realized that no matter how hectic a development cycle is, convenience should never be prioritized over security.
Honda Car India leaks customer data
In 2018, MacKeeper’s experts discovered two unsecured Amazon AWS S3 buckets belonging to Honda Car India. The buckets stored databases with personal information of more than 50,000 users of the company’s Honda Connect App.
The exposed information included names, phone numbers and email addresses of both users and their trusted contacts, passwords, genders, and information about users’ vehicles.
Upon closer examination of the S3 buckets, MacKeeper’s researchers realized that it had been accessed at least once before by security researcher @Random_Robbie (twitter), who left the following note.
Astoundingly, the company didn't notice the note’s presence in its bucket, which indicated the lack of monitoring on its part.
The leaked information could have been used by the cybercriminals to launch targeted phishing attacks. It would not be too difficult to email or text a malicious link seemingly coming from a trusted source to access a victim’s device. To minimize your exposure to similar attacks, learn how to protect your privacy online.
A lesson to learn
With the sheer volume of coverage of leaky S3 buckets, it's astounding that they are still regularly discovered by MacKeeper’s experts. It shows that many companies of all sizes are still not paying enough attention to their cybersecurity. The case in point is Honda Car India that didn't notice the presence of the researcher’s note in its bucket, which indicated the lack of monitoring on its part.
The companies neglecting to improve their cybersecurity stance put at risk not only their reputation but also their customers’ privacy and even livelihood. Given the severe consequences of data breaches, there’s no place for loose cybersecurity in our increasingly interconnected world.
Docker Hub’s cryptojacking infection
In 2018, cybersecurity experts from MacKeeper discovered 17 malicious docker images stored on a repository service, Docker Hub, for a year.
The docker images were used by cybercriminals to infect the victim’s devices with cryptocurrency mining malware, which is a crime referred to as cryptojacking. It is estimated that the illegal practice allowed the cybercriminals to mine $90,000 worth of Monero cryptocurrency.
The cybercriminals presumably followed these steps to launch the cyberattack:
Automized target collection using Shodan, Censys or Zoomeye.
Infiltrated vulnerable or misconfigured Docker registries or Kubernetes instances.
Exploited weak default settings and injected mining malware within containers.
Automatically collected targets and exploiting them as C2 server hosts using AutoSploit or similar software.
Ericsson’s Head of Cloud Jason Hoffman attributes Docker’s rapid adoption to its package management. Although undeniably true, it’s worth noting that Docker images are generally dependent on the package manager provided by an underlying Linux distribution. Images such as CentOS 5.11 are deliberately held back for the sake of compatibility and their Shellshock vulnerability.
Additional insight into the issue is offered by engineer Ross Fairbanks who states that the Docker containers run as root by default. It means that a compromised container makes possible the root access to the host itself.
A lesson to learn
Pulling a Docker image from Docker Hub is akin to downloading an unknown binary file, executing it, and hoping for the best.
To minimize the risk of cryptojacking, it’s important to improve the traceability of the Docker images. At the same time, internal and external communication within Kubernetes cluster should also be secured. To this end, do the following:
Don’t access Kubernetes clusters via the internet.kubelet
Use SSH tunnels to send packets via the cluster's network without exposing the Kubelet's web server to the Internet.
Ensure that kubelet serves its https endpoint with a certificate that is signed by the cluster CA.
A money-laundering database breach
In June 2018, MacKeeper’s researchers stumbled across an unsecured database maintained by cybercriminals who used stolen credit cards and free-to-play apps for money laundering.
The cybercriminals processed almost 20,000 stolen credit cards in just 1.5 months. The following image offers a simplified view of the criminal scheme.
The criminal scheme revolved around the use of Apple IDs and just three games: Clash of Clans, Clash Royale, and Marvel Contest of Champions. Given that the aggregate annual revenue of the games exceeded $330 million, they were perfect targets for money laundering. To facilitate the process of in-game currency generation, the cybercriminals used automated bots created by the games’ fans.
A lesson to learn
It seems that the cybercriminals managed to pull off a daring crime because of Apple’s lax credit card verification process. In the same vein, email service providers also did not do enough to protect against this kind of abuse. Finally, the money-laundering scheme wouldn’t be possible if game developers did a better job of enforcing their in-game currency trading policies.
We respect your privacy and
use cookies
for the best site experience.
Privacy Preferences Center
We use cookies along with other tools to give you the best possible experience while using the
MacKeeper website. Cookies are small text files that help the website load faster. The cookies we
use don’t contain any type of personal data meaning they never store information such as your
location, email address, or IP address.
Help us improve how you interact with our website by accepting the use of cookies. You can change
your privacy settings whenever you like.
Manage consent
All cookies
These cookies are strictly necessary for enabling basic website functionality (including page
navigation, form submission, language detection, post commenting), downloading and purchasing
software. The website might malfunction without these cookies.
