Quora, Marriott, Facebook and Huazhu Hotels – Another Matrix Moment?

Data breach announcements have been coming out at a fast and furious pace lately – and not just the run-of-the-mill pilfering of payment data from e-commerce sites or phishing for access to employees’ email accounts. Year to date, the Cyber Risk Analytics breach research team has cataloged over 5,000 breach events, making it the second most active year for breach disclosures since 2005. While the team at Risk Based Security is accustomed to a certain amount of fluctuation in breach activity from month to month, the collective hair on the back of our necks has been standing at attention since October, accompanied by a nagging feeling that something different is going on.

And it’s not just the number and frequency of breaches that has caught our attention. It’s the nature of certain incidents that has us wondering if we are seeing a concerted effort to steal more data useful for spying, espionage and misinformation campaigns.

State-sponsored malicious activity is nothing new. North Korean actors have been accused of everything from cracking into Sony Pictures Entertainment, potentially out of spite, to launching 2017’s WannaCry ransomware campaign in an effort to generate hard currency for the regime. The news cycle continues to spin around the latest revelations from the FBI’s Special Counsel investigation, which was launched in response to allegations of Russian interference in the 2016 presidential election. And it was only last week that two Iranian men were indicted by the Department of Justice for allegedly creating and launching SamSam ransomware, although, to be fair, the two individuals were not expressly linked to the Iranian state.

So why is there a nagging feeling that something more is afoot? Consider these events:

August 28, 2018 – Huazhu Hotels Group, one of China’s largest hotel chains, discloses that 240 million records were compromised, exposing the following data:

  • Customer names
  • Home addresses
  • Phone numbers
  • Email addresses
  • Bank account numbers
  • Passwords
  • Booking details (check-in, departure, hotel location, room number)

Other than the large number of records exposed, the incident doesn’t really stand out as especially intriguing. Like so many other events, the breach was discovered after data popped up for sale on a dark web forum. Researchers close to the event believe that the information originated from database backups uploaded by developers to a poorly secured GitHub account, a sadly common data mishandling mistake. The only detail to strike us as slightly odd: why would 240 million records with financial data on as many as 130 million individuals be offered up for sale for a mere 8 Bitcoin (and Bitcoin’s value isn’t what it was at the start of 2018), later lowered to all of 1 Bitcoin after the news broke? That seems like quite a deal. Unless perhaps selling the data was an afterthought?

September 28, 2018 – Facebook makes headlines once again with 30,000,000 records exposed, including:

  • Names
  • Email addresses
  • Phone numbers
  • Usernames
  • Dates of birth
  • A host of demographic information gleaned from user profiles

This time, hackers took advantage of a combination of vulnerabilities in the “View As” feature. Wired magazine reported:

“Facebook says it is cooperating with the FBI, and can’t reveal any findings about the identity of the hackers or their possible motivations, but the attack seems to have been well-coordinated, with the right infrastructure in place to quickly begin fanning out and exfiltrating data. The attackers used a group of established seed accounts that they controlled to exploit the vulnerabilities and steal access tokens from their accounts’ friends, friends of friends, and so on.”

While Facebook may not be disclosing possible motivations, it is clear the attackers were targeting profile information. To date, no information has surfaced indicating this data has been offered for sale or monetized in some fashion.

November 30, 2018 – As many as 500,000,000 records are taken from Starwood Hotels’ customer loyalty program including:

  • Names
  • Addresses
  • Email addresses
  • Passport numbers
  • Dates of birth
  • Genders
  • Booking details (arrivals, departures, reservation dates and communication preferences)
  • A lesser amount of payment card data

It appears that attackers were in the Starwood system as early as 2014 and were only discovered in September of this year. Similar to Facebook, there is no indication the data has been offered for sale or otherwise monetized. If attackers were after easily monetized data such as payment card details, then:

a)   Why sit on data with a somewhat limited shelf life for so many years; and
b)   With such complete access, why focus on the booking information over financial data?

December 3, 2018 – Now comes the Quora announcement that 100,000,000 account holder records were compromised by hackers including:

  • Names
  • Email addresses
  • Encrypted passwords
  • IP addresses
  • User IDs
  • Account settings
  • Data imported from linked networks such as contacts, demographic details, and interests

Quora has not confirmed when the intrusion first occurred, so it is difficult to know how long attackers were mining this information. What really caught our attention with Quora was the revelation that the data was linked to social networking accounts.

Still not convinced that there may be more sinister motives at work here?

We offer up these tantalizing observations for your consideration:

  1. If an organization wanted to track individuals’ movements on a large scale, where is a good place to look? Hotel booking data.
  2. If an organization wanted to understand connections between individuals, where do you go? Social media platforms like Facebook.
  3. If an organization wanted to try to link this data together, what data point is likely to be most useful and accessible? Email addresses.
  4. What is even more useful for linking all this together? Email address AND data from linked social networks.
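The observations above describe a join: records from separate breaches become far more revealing once they are keyed on a normalised email address. The following is an added illustration, not code from the original post or from Risk Based Security, written from the breach-researcher's side of the problem: given several breach datasets, it reports which categories of personal data are now exposed for each identity and which identities appear in more than one breach. The dataset names, field names, data categories and every record are constructed for this example; `normalise_email` is a hypothetical helper that folds case and whitespace so that the same person's address in different dumps matches.

```python
"""Per-identity exposure assessment across several breach datasets.

Added example (not from the original post). It joins constructed breach
dumps on a normalised email address and reports, for each identity, which
data categories are exposed and how many separate breaches contributed.
"""
from collections import defaultdict

# Constructed sample dumps. Field names, addresses and values are invented;
# IP addresses use the RFC 5737 documentation ranges.
HOTEL_BOOKINGS = [
    {"email": "Alice.Chen@example.com", "name": "Alice Chen",
     "hotel": "Example Hotel Shanghai", "check_in": "2018-04-02"},
    {"email": "bob@example.net", "name": "Bob Ortiz",
     "hotel": "Example Hotel Beijing", "check_in": "2018-05-11"},
    {"email": "alice.chen@example.com", "name": "A. Chen",
     "hotel": "Example Hotel Berlin", "check_in": "2018-09-20"},
]
SOCIAL_PROFILES = [
    {"email": " alice.chen@example.com ", "name": "Alice Chen",
     "phone": "+1-555-0100", "friends": ["carol@example.org"]},
    {"email": "carol@example.org", "name": "Carol Diaz",
     "phone": "+1-555-0199", "friends": ["alice.chen@example.com"]},
    {"email": "not-an-email", "name": "Broken Record", "phone": "", "friends": []},
]
QA_ACCOUNTS = [
    {"email": "ALICE.CHEN@EXAMPLE.COM", "name": "achen",
     "ip": "203.0.113.7", "linked_networks": ["social"]},
    {"email": "carol@example.org", "name": "cdiaz",
     "ip": "198.51.100.23", "linked_networks": []},
]

BREACH_DATASETS = {
    "hotel_bookings": HOTEL_BOOKINGS,
    "social_profiles": SOCIAL_PROFILES,
    "qa_accounts": QA_ACCOUNTS,
}

# Data categories each constructed dataset contributes once a record matches.
# Mirrors the post's point: bookings reveal movements, social profiles reveal
# connections, and the Q&A dump reveals links to other networks.
DATASET_CATEGORIES = {
    "hotel_bookings": {"name", "movements"},
    "social_profiles": {"name", "phone", "connections"},
    "qa_accounts": {"name", "ip_address", "linked_networks"},
}


def normalise_email(raw):
    """Fold case and surrounding whitespace; return None if it is not a usable key."""
    addr = (raw or "").strip().lower()
    local, sep, domain = addr.partition("@")
    if not sep or not local or "." not in domain:
        return None
    return f"{local}@{domain}"


def aggregate_exposure(datasets):
    """Join every dataset on normalised email.

    Returns {email: {"sources": set, "categories": set, "records": int}}.
    Records whose email cannot be normalised are skipped rather than merged
    into a catch-all key.
    """
    exposure = defaultdict(lambda: {"sources": set(), "categories": set(), "records": 0})
    for name, records in datasets.items():
        categories = DATASET_CATEGORIES.get(name, set())
        for record in records:
            key = normalise_email(record.get("email"))
            if key is None:
                continue
            entry = exposure[key]
            entry["sources"].add(name)
            entry["categories"] |= categories
            entry["records"] += 1
    return dict(exposure)


def cross_breach_identities(exposure, min_sources=2):
    """Identities that appear in at least `min_sources` separate breaches."""
    return sorted(e for e, v in exposure.items() if len(v["sources"]) >= min_sources)


def exposure_report(exposure):
    """(email, breach count, sorted categories), most exposed first."""
    rows = [(e, len(v["sources"]), sorted(v["categories"])) for e, v in exposure.items()]
    return sorted(rows, key=lambda r: (-len(r[2]), -r[1], r[0]))


if __name__ == "__main__":
    result = aggregate_exposure(BREACH_DATASETS)
    for email, breaches, categories in exposure_report(result):
        print(f"{email}: {breaches} breach(es), exposed: {', '.join(categories)}")
    print("seen in multiple breaches:", cross_breach_identities(result))
```

The report shows why the post treats these breaches as more than the sum of their parts: an identity present in only one dump exposes a couple of categories, while the same email joined across all three exposes movements, connections and linked accounts together. Two design choices matter for defenders doing this kind of assessment: normalise the join key before matching (case and whitespace differ between dumps), and drop unparseable keys rather than letting them collapse into one oversized pseudo-identity.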

We don’t know who is responsible for these events. We don’t know why they targeted these organizations. And we certainly do not have evidence linking these breaches together in any way.

So what can we say definitively?

We can say without a doubt that we have witnessed the compromise of some truly massive and unique databases this year, and that the data contained in these databases is estimated to be less valuable on the black market than other data types useful for identity theft. If linked together, however, this is the type of data that can provide profound insight into people’s movements and connections.

Our research team will continue to watch these and new events as they unfold. If any of our speculative musings come to pass, we will certainly update this post. And if we are wildly mistaken, well, we’ll own that too, but it won’t stop us from sharing our unique insights with our loyal readers as this isn’t the first time we’ve seen a glitch in the matrix!