Bitch Board

[Global Payments breach - 1.5M exposed]

FYI...

Global Payments breach - 1.5M exposed ...
- https://krebsonsecurity.com/2012/04/global-payments-1-5mm-cards-exported/
April 2, 2012 - "Global Payments, the credit and debit card processor that disclosed a breach of its systems late Friday, said in a statement Sunday that the incident involved at least 1.5 million accounts. The news comes hours ahead of a planned conference call with investors, and after Visa said it had pulled its seal of approval for the company... In a press release issued 9:30 p.m. ET Sunday, Atlanta based Global Payments Inc. said it believes “the affected portion of its processing system is confined to North America and less than 1,500,000 card numbers may have been exported. Based on the forensic analysis to date, network monitoring and additional security measures, the company believes that this incident is contained”. It remains unclear whether there are additional accounts beyond these 1.5 million that were exposed by the breach; the company’s statement seems to be focusing on the number of cards it can confirm that thieves offloaded from its systems..."

Breach anatomy graphic
- https://krebsonsecurity.com/wp-content/uploads/2012/04/breachanatomy-600x430.png

- http://h-online.com/-1498448
2 April 2012

- http://www.reuters.com/article/2012/04/02/us-visa-globalpayments-idUSBRE83102P20120402
Apr 1, 2012 - "Visa Inc. has dropped payment processor Global Payments Inc. from its list of approved service providers after a major cyber intrusion that could expose Visa, MasterCard, American Express and Discover card holders to fraud. Global Payments said it believes less than 1.5 million credit card numbers were stolen in the cyber security breach..."

- http://www.databreaches.net/?p=23827
March 30, 2012
___

- http://corporate.visa.com/media-center/index.shtml
Mar 30, 2012 - "Visa Inc. is aware of an announcement from Global Payments Inc. that it experienced unauthorized access into a portion of its processing system... Visa encourages cardholders to regularly monitor their accounts and to notify their issuing financial institution promptly of any unusual activity..."
- http://www.visasecuritysense.com/en_US/index.jsp

- http://newsroom.mastercard.com/2012/03/30/3-security-steps-to-protecting-your-personal-data/
March 30, 2012 - "... MasterCard and financial institutions do not proactively solicit personal or payment card information from customers... be wary of unsolicited requests by anyone claiming to represent one of these entities..."

 

[Breach window at Global Payments expands]

FYI...

Breach window at Global Payments expands
- https://krebsonsecurity.com/2012/05/global-payments-breach-window-expands/
May 1, 2012 - "A hacker break-in at credit and debit card processor Global Payments Inc. dates back to at least early June 2011, Visa and MasterCard warned in updated alerts sent to card-issuing banks in the past week. The disclosures offer the first additional details about the length of the breach since Global Payments acknowledged the incident on March 30, 2012... Visa and MasterCard have issued at least seven updates, warning of additional compromised cards and pushing the window of vulnerability at Global Payments back further each time. Initially, MasterCard and Visa warned that hackers may have had access to card numbers handled by the processor between Jan. 21, 2012 and Feb. 25, 2012. Subsequent alerts sent to banks have pushed that exposure window back to January, December, and then August. In an alert sent in the last few days, the card associations warned issuers of even more compromised cards, saying the breach extended back at least eight months, to June 2011... so far, Global Payments has offered few details about the incident beyond repeating that less than 1.5 million card numbers may have been stolen from its systems... Global Payments spokeswoman Amy Korn declined to comment for this story, but said the company would be releasing additional information about the incident in a statement on its Web site, http://www.2012infosecurityupdate.com/ , later this evening*."
* http://www.2012infosecurityupdate.com/
"... Based on our announcement of unauthorized activity in a limited segment of our North American processing system, some card brands removed us from their list of PCI compliant service providers. They have requested we revalidate our PCI status, which we will do following the current investigation. We anticipate that we will be re-instated to those lists at the conclusion of the re-validation and any required remediation... We have not publicly communicated any time periods and there is a full investigation underway. It would be premature and inappropriate for us to speak to or confirm any timeframes until the investigation is complete. We identified and self-reported this incident in early March, and we will continue to provide information to the appropriate parties as revealed by the investigation."
... As of May 1, 2012

  

[Debit card accounts stolen - Global Payments breach]

FYI...

Debit card accounts stolen - Global Payments breach ...
- https://krebsonsecurity.com/2012/05/global-payments-breach-fueled-prepaid-card-fraud/
May 14, 2012 - "Debit card accounts stolen in a recent hacker break-in at card processor Global Payments have been showing up in fraud incidents at retailers in Las Vegas and elsewhere, according to officials from one bank impacted by the fraud. At the beginning of March 2012, Danbury, Conn. based Union Savings Bank began seeing an unusual pattern of fraud on a dozen or so debit cards it had issued, noting that most of the cards had recently been used in the same cafe at a nearby private school. When the bank determined that the school was a customer of Global Payments, it contacted Visa to alert the card association of a possible breach at the Atlanta-based processor, according to Doug Fuller, Union Savings Bank’s chief risk officer. That’s when USB heard from Tony Higgins, then a fraud investigator at Vons, a grocery chain in Southern California and Nevada owned by Safeway Inc. According to Fuller, Higgins said the fraudsters were coming to the stores to buy low-denomination Safeway branded prepaid cards, and then encoding debit card accounts issued by USB onto the magnetic stripe on the backs of the prepaid cards. The thieves then used those cards to purchase additional prepaid cards with much higher values, which were then used to buy electronics and other high-priced goods from other retailers... The experience of Union Savings Bank illustrates how fraudsters can extract value from debit cards even if they only have -some- of the data associated with the accounts. Initial alerts about the breach from Visa and MasterCard stated that the breach at Global Payments compromised both Track 1 and Track 2 data from affected card accounts, meaning thieves could produce counterfeit versions of the cards and possibly commit other acts of identity theft against cardholders. Global Payments claims that only Track 2 data was taken, and that cardholder names, addresses and other data were were not obtained by the criminals. Yet, as USB’s story shows, the data on Track 2 alone was enough for the crooks to encode the card number and expiration date onto any cards equipped with a magnetic stripe. The cards could then be used at any merchant that accepts signature debit — transactions that do not require the cardholder to enter his or her PIN... USB’s experience also raises fresh questions about the timing of the breach discovery. Global Payments says it self-discovered and self-reported the breach on March 8, but Fuller said his bank figured out Global Payments was having an issue and reported the fraud before that..."

 

[WHMCS breach]

FYI...

WHMCS breach ...
- https://krebsonsecurity.com/2012/05/whmcs-breach-may-be-only-tip-of-the-trouble/
May 24, 2012 - "A recent breach at billing and support software provider WHMCS that exposed a half million customer usernames, passwords — and in some cases credit cards — may turn out to be the least of the company’s worries.. for the past four months hackers have been selling an exclusive zero-day flaw that they claim lets intruders break into Web hosting firms that rely on the software... Following an extended period of downtime on Monday, the privately-owned British software firm disclosed that hackers had broken in and stolen 1.7 gigabytes worth of customer data, and deleted a backlog of orders, tickets and other files from the firm’s server... WHMCS’s user forums have been and remain under a constant denial-of-service attack, and the company is urging customers to change their passwords... Many users seem to be worried that the data stolen the now-public breach may include WHMCS direct customer data, as well as the location of the installed software and credit card data, and passwords for WHMCS installs that were done by them or supplied during troubleshooting..."
___

- http://www.databreaches.net/?p=24284
May 22, 2012

 

[update]

FYI...

LinkedIn Blog:
- http://blog.linkedin.com/2012/06/06/linkedin-member-passwords-compromised/
June 6, 2012 - "... update on this morning’s reports of stolen passwords.
We can confirm that some of the passwords that were compromised correspond to LinkedIn accounts. We are continuing to investigate this situation and here is what we are pursuing as far as next steps for the compromised accounts:
1. Members that have accounts associated with the compromised passwords will notice that their LinkedIn account password is no longer valid.
2. These members will also receive an email from LinkedIn with instructions on how to reset their passwords. There will not be any links in these emails. For security reasons, you should -never- change your password on any website by following a link in an email.
3. These affected members will receive a second email from our Customer Support team providing a bit more context on this situation and why they are being asked to change their passwords.
It is worth noting that the affected members who update their passwords and members whose passwords have not been compromised benefit from the enhanced security we just recently put in place, which includes hashing and salting of our current password databases..."

LinkedIn passwords leaked ...
- http://nakedsecurity.sophos.com/2012/06/06/millions-of-linkedin-passwords-reportedly-leaked-take-action-now/
June 6, 2012 - "Although not yet confirmed by the business-networking website, it is being widely speculated that over six million passwords belonging to LinkedIn users have been compromised. A file containing 6,458,020 SHA-1 unsalted password hashes has been posted on the internet, and hackers are working together to crack them. Although the data which has been released so far does not include associated email addresses, it is reasonable to assume that such information may be in the hands of the criminals. Investigations by Sophos researchers have confirmed that the file does contain, at least in part, LinkedIn passwords. As such, it would seem sensible to suggest to all LinkedIn users that they change their passwords as soon as possible as a precautionary step..."

- http://www.reuters.com/article/2012/06/06/linkedin-breach-idUSL1E8H68FJ20120606
Jun 6, 2012

- https://krebsonsecurity.com/2012/06/if-you-use-linkedin-change-your-password/
June 6, 2012
> http://krebsonsecurity.com/password-dos-and-donts

 

[eHarmony dating site data-breach]

FYI...

eHarmony dating site data-breach
- http://www.theregister.co.uk/2012/06/07/eharmony_also_breached_in_linkedin_password_dump/
7 June 2012 - "Along with the LinkedIn password dump, dating site eHarmony has confirmed that some of its users’ passwords have also been published online, possibly by the same attacker as that obtained the LinkedIn data... It says all affected user passwords have been reset, along with providing the usual advice of creating strong passwords, using a different password for every site, and changing passwords every few months*. The LA Times says that the eHarmony list contained only passwords..."

* http://advice.eharmony.com/blog/2012/06/06/update-on-compromised-passwords/
June 6, 2012

> http://www.reuters.com/article/2012/06/07/us-linkedin-breach-idUSBRE85511820120607
Jun 7, 2012

eHarmony admits to leaking 1.5 million passwords
- http://h-online.com/-1612654
7 June 2012

   

[Last.fm - change your password]

FYI...

Last.fm - change your password...
- http://arstechnica.com/security/2012/06/another-hack-last-fm-warns-users-to-change-their-passwords/
Jun 7, 2012 - "Social music site Last.fm announced an investigation into a user password leak this morning*... Last.fm is asking users to change their passwords immediately. Last.fm users can switch their passwords by logging in and accessing the "Settings" page, or by reporting their password as lost**. In the site's announcement, Last.fm re-emphasized these are the -only- means for password changes: 'We will never e-mail you a direct link to update your settings or ask for your password'..."

Millions of Last.fm passwords leaked
- http://h-online.com/-1613641
8 June 2012

* http://www.last.fm/passwordsecurity

** https://www.last.fm/settings/lostpassword
___

eHarmony - Vague post leaves unanswered questions
- http://arstechnica.com/security/2012/06/eharmony-confirms-member-passwords-compromise/
Jun 7, 2012

10 (or so) of the worst passwords exposed by the LinkedIn hack
- http://arstechnica.com/security/2012/06/10-or-so-of-the-worst-passwords-exposed-by-the-linkedin-hack/
Jun 6, 2012

   

[FTC files against Wyndham Hotels for failure to protect]

FYI...

FTC files against Wyndham Hotels for failure to protect ...
Credit Card Data of Hundreds of Thousands of Consumers Compromised, Millions of Dollars Lost to Fraud
- http://www.ftc.gov/opa/2012/06/wyndham.shtm
06/26/2012 - "The Federal Trade Commission filed suit against global hospitality company Wyndham Worldwide Corporation and three of its subsidiaries for alleged data security failures that led to three data breaches at Wyndham hotels in less than two years. The FTC alleges that these failures led to fraudulent charges on consumers’ accounts, millions of dollars in fraud loss, and the export of hundreds of thousands of consumers’ payment card account information to an Internet domain address registered in Russia. The case against Wyndham is part of the FTC’s ongoing efforts to make sure that companies live up to the promises they make about privacy and data security... the breach led to the compromise of more than 500,000 payment card accounts, and the export hundreds of thousands of consumers’ payment card account numbers to a domain registered in Russia. Even after faulty security led to one breach, the FTC charged, Wyndham still failed to remedy known security vulnerabilities; failed to employ reasonable measures to detect unauthorized access; and failed to follow proper incident response procedures. As a result, Wyndham’s security was breached two more times in less than two years.
• In March 2009, intruders again gained unauthorized access to Wyndham Hotels and Resorts' network, using similar techniques as in the first breach. In addition to using memory-scraping malware, they reconfigured software at the Wyndham-branded hotels to obtain clear text files containing the payment card account numbers of guests. In this second incident, the intruders were able to access information at 39 Wyndham-branded hotels for more than 50,000 consumer payment card accounts and use that information to make fraudulent charges using consumers’ accounts.
• Later in 2009, intruders again installed memory-scraping malware and thereby compromised Wyndham Hotels and Resorts’ network and the property management system servers of 28 Wyndham-branded hotels. As a result of this third incident, the intruders were able to access information for approximately 69,000 consumer payment card accounts and again make fraudulent purchases on those accounts..."
___

6 Biggest Breaches Of 2012 So Far
- http://www.darkreading.com/taxonomy/index/printarticle/id/240002408
Jun 20, 2012
1. Zappos - Time Of Disclosure: January 2012 - Records Breached: 24 million records, including names, email addresses, phone numbers, last four digits of credit card numbers, and encrypted passwords...
2. UNC - Time Of Disclosure: February 2012 - Records Breached: 350,000 records...
3. Global Payment Systems - Time Of Disclosure: March 2012 - Records Breached: 7 million consumer records, including 1.5 million credit cards...
4. South Carolina Health and Human Services - Time Of Disclosure: April 2012 - Records Breached: 228,435 records...  
5. University of Nebraska - Time Of Disclosure: May 2012 - Records Breached: 654,000 student records...
6. LinkedIn - Time Of Disclosure: June 2012 - Records Breached: 6.5 million user passwords...

Top 15 Worst Data Breach Incidents of 2012 ...
- http://www.csoonline.com/slideshow/detail/52656/The-Worst-Data-Breach-Incidents-of-2012---So-Far#slide1
June 18, 2012

   

[Yahoo! - 453,492 pwd's and email addresses hacked and exposed]

FYI...

Yahoo! - 453,492 pwd's and email addresses hacked and exposed...
>> https://www.computerworld.com/s/article/9229084/Passwords_leaked_from_Yahoo_Boozy_preachy_angry_and_easy
July 12, 2012 - "... a list of 453,492 email addresses and passwords... found them by hacking into a database associated with an unnamed Yahoo service. The passwords weren't all for Yahoo services; they also come from domain names including gmail.com, hotmail.com and aol.com..."
- http://www.reuters.com/article/2012/07/13/net-us-yahoo-hackers-idUSBRE86B0HT20120713

- http://h-online.com/-1637505
12 July 2012

Yahoo! confirms data breach
- http://h-online.com/-1640148
13 July 2012
___

Over 1 million user credentials compromised in Android Forums hack
- http://h-online.com/-1640164
13 July 2012

NVIDIA Forums suspended after hack
- http://h-online.com/-1640918
13 July 2012

Password Leaks Continue: Billabong, NVIDIA...
- https://threatpost.com/en_us/blogs/password-leaks-continue-billabong-nvidia-accounts-compromised-071312
July 13, 2012 - "... The attacks, which some have suggested are driven by a demand for e-mail addresses used to supply spam runs and targeted phishing attacks... especially when that password information is stored in cleartext..."

Thousands of GMX accounts compromised to send SPAM
- http://h-online.com/-1638088
13 July 2012

   

[11 million passwords leaked from Gamigo]

FYI...

11 million passwords leaked from Gamigo ...
- http://h-online.com/-1651198
24 July 2012 - "A file with 11 million password hashes belonging to users of the online games platform Gamigo has been circulated on the internet. According to an analysis by ZDNet, 8.2 million different email addresses are also part of the 478MB file. Around 3 million of these belong to users from the US, 2.4 million are German addresses and 1.3 million are supposed to originate in France. The list also includes corporate email addresses from companies such as IBM, Siemens, Deutsche Bank and the German insurance company Allianz. The file appeared in the same forum which had previously circulated millions of password hashes from Linkedin, Last.fm, eHarmony and other web sites... Gamigo, which is a subsidiary of the German Axel Springer publishing group, has confirmed to The H's associates at heise Security that the data contained in the file is authentic. The company has stated that it noticed a "security-related incident" in March 2012 in which an older version of a database was copied off its servers. Gamigo says it immediately contacted the affected members and reset the passwords to their accounts. The company also says it took the affected database offline and initiated "a comprehensive security audit". Now that the data has been leaked, the company wants to look at the incident again. Users who are registered with Gamigo and have used the same password at other web sites should immediately change their logins..."

Password leak at meetOne - 900,000 members ...
- http://h-online.com/-1652783
26 July 2012 - "A data leak at the meetOne dating site allowed anyone to access private data including the plaintext passwords, email addresses and real names of the site's approximately 900,000 members..."

   

[8.7 million hacked mobile customers in S.Korea]

FYI...

8.7 million hacked mobile customers in S.Korea
- http://news.yahoo.com/8-7-million-mobile-customers-hacked-korea-062535102.html
July 29, 2012 - "South Korean police have arrested two hackers who stole personal data of 8.7 million customers of the nation's second-biggest mobile operator, the company said. KT said the hackers - formally arrested on Sunday - had stolen data such as customers' names, phone numbers and residential registration numbers for five months since February and sold the information to telemarketing firms... Hacking attacks on major companies aimed to gain access to the personal data of their customers is a frequent occurence in South Korea, one of the world's most-wired nations. Seoul authorities said in July last year hackers using an Internet address registered in China had gained access to South Korean major websites including web portal Nate .com and may have stolen the private data of 35 million users. In November 2011, Seoul's top games developer Nexon saw personal information of 13 million users of its popular online game MapleStory stolen by hackers. In March 2010, authorities launched a probe into the security systems of major retailer Shinsegae and 24 other companies after private data on 20 million customers was leaked."

    

[Dropbox: Password Breach Led to Spam]

FYI...

Dropbox: Password Breach Led to Spam
- https://krebsonsecurity.com/2012/07/dropbox-password-breach-led-to-spam/
July 31, 2012 - "Two weeks ago, many Dropbox users began suspecting a data breach at the online file-sharing service after they started receiving spam at email addresses they’d created specifically for use at Dropbox. Today, the company confirmed that suspicion, blaming the incident on a Dropbox employee who had re-used his or her Dropbox password at another site that got hacked... a statement released on its blog* this evening... says it has plans to roll out additional security measures that should help users protect their Dropbox accounts even if users (or employees, assumedly) lose account passwords, including two-factor authentication..."
* http://blog.dropbox.com/index.php/security-update-new-features/
July 31, 2012 - "A couple weeks ago, we started getting emails from some users about spam they were receiving at email addresses used only for Dropbox... Our investigation found that usernames and passwords recently stolen from -other- websites were used to sign in to a small number of Dropbox accounts. We’ve contacted these users and have helped them protect their accounts. A stolen password was also used to access an employee Dropbox account containing a project document with user email addresses. We believe this improper access is what led to the spam... we’re taking steps to improve the safety of your Dropbox even if your password is stolen, including:
• Two-factor authentication, a way to optionally require two proofs of identity (such as your password and a temporary code sent to your phone) when signing in. (Coming in a few weeks)
• New automated mechanisms to help identify suspicious activity. We’ll continue to add more of these over time.
• A new page that lets you examine all active logins to your account.
• In some cases, we may require you to change your password. (For example, if it’s commonly used or hasn’t been changed in a long time).
At the same time, we strongly recommend you improve your online safety by setting a unique password for -each- website you use..."
___

- http://h-online.com/-1657230
1 August 2012

- http://countermeasures.trendmicro.eu/dropbox-breach-leaves-unanswered-questions/
1 August 2012

   

[Blizzard pwned - email, encrypted passwords slurped]

FYI...

Blizzard pwned - email, encrypted passwords slurped
Millions of World of Warcraft players raided
- http://www.theregister.co.uk/2012/08/10/blizzard_hacked/
10 Aug 2012 - "Blizzard Entertainment, which makes World of Warcraft, Diablo III and other games, has coughed to a security breach of its internal network. Email addresses, answers to security questions and encrypted passwords linked to player accounts are believed to have been lifted by hacks. The gaming outfit said in a lengthy statement on its website that its security team had spotted "unauthorised and illegal access" into its system. It said: "We quickly took steps to close off this access and began working with law enforcement and security experts to investigate what happened." Blizzard said it was yet to uncover evidence that sensitive financial data, including gamers' credit cards and billing addresses, had been compromised. "Our investigation is ongoing, but so far nothing suggests that these pieces of information have been accessed," the company added. However, a list of email addresses for Battle.net users across the globe, excluding those based in China, had been lifted in the hacking. And it gets worse..."
(More detail at the URL above.)

- https://isc.sans.edu/diary.html?storyid=13870
Last Updated: 2012-08-10 01:51:02 UTC
___

- http://h-online.com/-1665425
10 August 2012

 

[$10 million hacking spree on Subway sandwich shops]

FYI...

$10 million hacking spree on Subway sandwich shops
The Romanians admitted their role in ring that compromised some 146,000 cards
- http://arstechnica.com/security/2012/09/romanians-cop-to-10-million-hacking-spree/
Sep 18, 2012 - "Two Romanian men have admitted to participating in an international conspiracy that hacked into credit-card payment terminals at more than 150 Subway restaurant franchises and stole data for more than 146,000 accounts. The heist, which spanned the years 2009 to 2011, racked up more than $10 million in losses, federal prosecutors said.
Iulian Dolan, 28, of Craiova, Romania, pleaded guilty to one count of conspiracy to commit computer fraud and two counts of conspiracy to commit credit card fraud, documents filed on Monday in US District Court in New Hampshire showed. Dolan admitted he helped alleged ring leader Adrian-Tiberiu Opera scan the Internet for point-of-sale systems... Monday's plea agreement, which was signed by the defendant, stated. "Next, once he cracked the password and gained administrative access, Dolan remotely installed software programs called 'keystroke loggers' (or 'sniffers') onto the POS systems. These programs would record, and then store, all of the data that was keyed into or swiped through the merchants' POS systems, including customers' payment card data."
Dolan hacked into "several hundred US merchants'" systems and stole payment data belonging to about 6,000 cardholders, according to the document. He has agreed to spend seven years in prison.
Cezar Iulian Butu, 27, of Ploiesti, Romania, pleaded guilty to one count of conspiracy to commit credit card fraud. In a separate plea agreement that was also signed, he admitted repeatedly asking Opera to provide him with payment card data stolen through the conspiracy. He obtained data belonging to about 140 cardholders. Butu has agreed to be sentenced to 21 months in prison..."

 

[IEEE data breach exposes 100,000 passwords]

FYI...

IEEE data breach exposes 100,000 passwords ...
- http://h-online.com/-1717358
26 Sep 2012 - "Romanian researcher Radu Drăgușin says that he managed to extract 100,000 plain text IEEE member passwords from approximately 100GB of log files. The log files were publicly accessible on the IEEE's FTP server and had been available for at least a month before being discovered by the researcher... the most frequently used password continues to be "123456", closely followed by "ieee2012" and "12345678"... The IEEE has now confirmed the incident on its Facebook page and on its web site*, noting that the problem has been fixed and that it is currently in the process of informing affected users. The organisation is the largest technical industry association worldwide, managing, maintaining and approving standards such as the current Ethernet and Wi-Fi specifications."
* https://origin.www.ieee.org/about/news/2012/25september_2_2012.html

- http://www.theregister.co.uk/2012/09/25/ieee_leaks_logins/
25 Sep 2012 - "... Apple, Google, IBM, Oracle, Samsung, NASA, Stanford University and so on – practically any outfit that employs high-ranking engineers in electrical, electronics, computer sciences and communications disciplines will probably get mentioned somewhere in the logs..."
___

- http://www.darkreading.com/taxonomy/index/printarticle/id/240008028
Sep 26, 2012