Data Breaches Are Catching People With Their Pants Down
September 9, 2019 • RBS
Data breaches aren’t slowing down. In fact, it seems that they are accelerating. As of June 30th, there have been 3,813 breaches exposing over 4.1 billion records. Compared to the total as of midyear 2018, the number of breaches was up 54% and the number of exposed records was up 52%.
It seems like the news bombards us with breach after breach, with big companies like Equifax saying they are sorry (often in a way that sounds suspiciously like “sorry you found out”).
Many breaches are the result of researchers finding unsecured databases, where sensitive information is simply left out in the open, ripe for the taking. In some cases, the database has been like that for an extended period of time, making it hard to say who has been in it or what has already been taken.
When researchers reach out to these companies about the situation, they may receive silence or a simple “thank you” that implies that they were already aware. This attitude seeps into the resulting press release when an exposure comes to light, and after hearing the same thing over and over again, you can’t blame the general populace for being numb to the consequences or to the potential impact of a breach.
As we mentioned in our 2019 MidYear Data Breach QuickView Report, some customers will simply shrug off the inconvenience of a breach. Fixing a case of stolen identity is extremely time consuming, but not every person has to deal with that situation, and unless it explicitly happens to you, you might be forgiven for not paying it a lot of attention. No harm, no foul. But what happens if you get caught with your pants down?
We all know that adult websites and apps exist and in the month of August, the internet’s veil of anonymity was shattered. We won’t judge, but two breaches could have huge ramifications for those involved. Have you ever wondered who in the world has the time or energy to leave those wild comments? Curious who it is that’s looking for “local kinky, open-minded people” in your area? Well, it turns out that with these data breaches you can actually find out. Scandalous.
In the beginning of August, we shared an article on our social media channels detailing the security concerns of the group dating app 3Fun. The app, which allows users to find “local kinky, open-minded people” had numerous issues that resulted in 1.5 million users being exposed. Here were the issues:
- Exact user location, birth date, sexual orientation, and private photos are accessible in the app or could be queried via the server API.
- Hiding one’s location or setting a privacy setting on other sensitive information only filtered the data in the app itself. Everything set to private could still be queried via the server API.
When we consulted our Chief Research Officer, Carsten Eiram about the topic, he summed up their security in the following quote:
“Awful.”Carsten Eiram, Chief Research Officer at Risk Based Security
In most situations, any attacker trying to find an exact user’s location would have to ‘trilaterate’ by spoofing GPS coordinates in order to track the distance. However, in 3Fun’s case, there is no need. If the privacy feature isn’t set, the app provides the user’s latitude and longitude within the app. Even if the privacy feature is applied the information is always available via the server API.
The scariest thing about this GPS leak is that an attacker can track a target in near real-time and observe their private activities. Using this information, an attacker can gather more intel on a specific individual and then sort through the app for photos, chat logs, and a birthday in order to fully hone in on a target. In Pen Test Partner’s write up they were able to map out users within major cities and, had they been malicious, could have singled out high-profile targets and attempted to blackmail or dox them with this information.
Given this discovery, what was 3Fun’s response when notified? According to the researchers of Pen Test Partners, 3Fun responded with the following:
“Dear Alex, Thanks for your kindly reminding. We will fix the problems as soon as possible. Do you have any suggestion? Regards, The 3Fun Team”3Fun
You can find more details in Pen Test Partner’s write up.
Adding on to our dirty list of breaches, Luscious.net, a popular hentai (adult cartoon) porn site, also suffered a breach exposing 1.195 million global users. The cause? An unsecured database that was authenticated incorrectly.
Within the database were usernames, locations, email addresses, and in some cases full names of members. However, InfoSecurity also reports that cybersecurity researchers Noam Rotem and Ran Locar were able to connect extremely personal content in the form of comments and uploads to specific individuals. In an environment where internet anonymity is truly important, this exposure is even more relevant since a number of users enlisted in Luscious’ services with official government email addresses.
Like the 3Fun breach, the potential of singling out high-profile targets is very high. Sexuality can be a taboo topic and this is amplified even further due to the website’s already niché fetish. An attacker could track down a government user and see exactly how many image albums they created, how many videos they uploaded, any comments made, and all the accounts or videos they followed. Given the current climate where one Tweet can ruin a career, one can only imagine the kind of leverage an attacker would have over a government employee.
As alarming as this is, the response that the researchers got after disclosing these issues is equally as glaring as the vulnerabilities uncovered. Even though Luscious’ patching process took care of the issue within four days, Rotem and Locar were met with silence when they disclosed the situation. According to Forbes’ account, both researchers had initially emailed the creator of the site to no avail. Once it was concluded that email was a dead end, they reached out via Facebook Messenger, LinkedIn, and SMS text. Still no response. It wasn’t until after initial publication of the story that the owner confirmed the vulnerability and stated,
“We will be reaching out to any compromised users to warn them about the potential exposure of their private email addresses.”Luscious.net site owner
Concerns of a Consumer
Obviously, no one is completely safe and even the most secure organizations have weak points. A data breach can happen to anybody. But as we have seen, organizations have to deal with the situation properly. Equifax is having a PR disaster and if you want further analysis, our researchers had covered that breach back when it initially unfolded in 2017. So many organizations are treating breaches as “business as usual” and treat disclosure as a last resort. This is not the best practice and the general population has a right to know when their sensitive data has been exposed.
If that is the case, what is the issue? Why can’t vendors just patch something once it comes out and why do these databases get authenticated incorrectly in the first place? Simply fix the vulnerability when a research team reaches out. Alas, it isn’t usually that simple, but sometimes it is.
Concerns of a Business Owner
If you’re a business owner then you probably have different concerns. Regardless of which industry you are in, you are in constant contact with a multitude of vendors and other organizations. Do you want to do business with or be affiliated with a vendor who has an Equifax approach to safeguarding data? You need to know the likelihood of this before you hand your trust over. In a perfect world you would be able to know which organizations have suffered a breach, if they are suffering from one now, or if they are likely to be breached. You want to know which vendors actually patch and which ones have a track record of ignoring research. Well, there is a way to get this data for your risk management plan.
We’ll be the belt. Keep your pants up.