In the first month of the year, hackers have wasted no time targeting organizations to steal consumer information. The majority of the data breaches included email addresses and phone numbers, which leave individuals vulnerable to credential stuffing, phishing and vishing attacks. Facebook, Instagram, and other social media networks continue to be targeted, meaning individuals may also come across scams and fraud through social messages and ads. Sophisticated cybercriminals can manipulate spoofed sites to show up in search engine results or social media ads.
Here are the recent data breaches that made headlines in January 2021:
One of the biggest Internet of Things (IoT) technology vendors, Ubiquiti, Inc., alerted its customers of a data breach caused by unauthorized access to their database through a third-party cloud provider. The email communication advised customers to change passwords and enable multi-factor authentication. The data exposed may include an undisclosed number of customer names, email addresses, hashed and salted passwords, addresses, and phone numbers.
News of the conservative social media app, Parler, having its data scraped by a hacker came to light after Amazon Web Services removed the platform from its servers. The 70TB of leaked information includes 99.9% of posts, messages, and video data containing EXIF data — metadata of date, time, and location. Parler’s Verified Citizens, or users who had verified their identity by uploading their driver’s license or other government-issued photo ID, were also exposed.
Facebook, Instagram and LinkedIn
A Chinese social media management company, Socialarks, suffered a data leak through an unsecured database that exposed account details and Personally Identifiable Information (PII) of at least 214 million social media users from Facebook and Instagram, and LinkedIn. The exposed information for each platform varies but includes user’s names, phone numbers, email addresses, profile links, usernames, profile pictures, profile description, follower and engagement logistics, location, Messenger ID, website link, job profile, LinkedIn profile link, connected social media account login names and company name.
A cybercriminal compromised a certificate used to authenticate Mimecast’s Sync and Recover, Continuity Monitor, and Internal Email Protect (IEP) products to Microsoft 365. Mimecast is a cloud-based email management service that provides email security services for Microsoft 365 accounts. According to the company, approximately 10 percent of its customers used the compromised connection, but have since been asked to reinstall a newly issued certificate.
A database containing 1.9 million user records belonging to Pixlr, a free online photo-editing application, was leaked by a hacker. The database was stolen at the same time as the attack on 123RF, which exposed over 83 million user records. The leaked records include email addresses, usernames, hashed passwords, user’s country, whether they signed up for the newsletter, and other sensitive information.
The dating platform, MeetMindful.com, was hacked by a well known-hacker and had its user’s account details and personal information posted for free in a hacker forum. The leaked details of more than 2.28 million users registered included names, email addresses, location details, dating preferences, marital status, birth dates, IP addresses, Bcrypt-hashed account passwords, Facebook user IDs and Facebook authentication tokens.
Customer data was stolen from the men’s clothing retailer, Bonobos, was found for free in a hacker forum after a cybercriminal downloaded the company’s backup cloud data. The exposed database contains order information for over 7 million customers, including addresses, phone numbers, and account information for 1.8 million registered customers, and 3.5 million partial credit card records.
VIPGames.com, a free gaming platform, exposed over 23 million records for more than 66,000 desktop and mobile users due to a cloud misconfiguration. The leaked user records include usernames, emails, IP addresses, hashed passwords, Facebook, Twitter and Google IDs, bets and data on players who were banned from the platform.
Through a targeted attack on retail employees of U.S. Cellular, the fourth-largest wireless carrier in the U.S., hackers were able to scam employees into downloading malicious software onto company computers. Once downloaded, the software granted remote access to the company devices and to the customer relationship management (CRM) software containing account records for 4.9 million customers. The company states that 276 customers were impacted and notified of the security incident. While viewing a customers’ account in the CRM, the hacker had access to names, addresses, PINs, cell phone numbers, service plans, and billing/usage statements.