Massive Data Breach: 125 Million Records Exposed Due to Firebase Misconfiguration

Introduction

Logykk, xyzeva, and MrBruh have unveiled a troubling truth: 900+ sites suffered a Firebase misconfiguration, exposing 125M user records. The records contain plaintext passwords and sensitive billing information.

Scanning for Vulnerabilities

Initially, researchers employed a Python scanner, but it proved impractical due to memory consumption issues. Subsequently, they turned to Go-based scanning, which, though expected to conclude in 11 days, actually took nearly 2 to 3 weeks, producing valuable insights.

Identifying Misconfigurations

To expedite the process, researchers compiled a shortlist of potentially affected websites and developed the “Catalyst” scanner. This tool identifies read access to Firebase collections and calculates the impact of exposed data, facilitating efficient analysis.

Uncovering Disturbing Findings

The resulting database revealed alarming statistics: 84 million names, 106 million email addresses, 33 million phone numbers, 20 million passwords, and 27 million pieces of billing information were compromised. What’s more interesting is that 98% of passwords, or 19,867,627 to be exact, are in plain text. The researchers added that these numbers should be taken with a grain of salt; the real impact can be much larger. Among the impacted sites were Silid LMS, Lead Carrot, and MyChefTool, with millions of user records exposed, underscoring the severity of the breach.

Figure: numbers from the Firebase misconfiguration data breach (private database of exposed user records); source: xyzeva

Aftermath and Response

Despite efforts to notify affected organizations, the response was modest, with only 200 misconfigurations rectified. Notably, some gambling websites attempted to downplay the issue, even offering flirtatious responses.

  • 842 Emails sent over 13 days
  • 85% Emails delivered
  • 9% Emails bounced
  • 24% of Site owners fixed the misconfiguration
  • 1% of Site owners emailed us back
  • 0.2% (2) Sites owners offered a bug bounty

Conclusion: Strengthening Security Posture

While data breaches may appear unavoidable, proactive measures can significantly mitigate risks. Adopting a zero-trust approach, coupled with just-in-time access architecture, offers essential protection against unauthorised access. PureID provides cutting-edge solutions, including passwordless technology and advanced authentication frameworks like ZITA. By prioritising robust cybersecurity measures and leveraging innovative solutions, organizations can bolster their defences and safeguard sensitive data in today’s increasingly vulnerable digital landscape.

Protect Your Privacy on X: Understanding the IP Address Sharing Issue

Introduction

X, formerly Twitter, launches voice and video calls, sparking privacy concerns among users about IP address sharing. Protecting personal information becomes paramount, prompting users to explore disabling options within X’s settings for enhanced privacy awareness and protection.

The Issue

X’s calling feature shares users’ IP addresses with callers by default, potentially exposing sensitive location details. This means that when you make or receive a call on X, the other party can see your town, city, or postcode without your explicit consent.

The Risk

Exposing your IP address on X can lead to privacy risks, including location tracking and potential harassment. This information can be used by malicious actors to identify your physical location and possibly target you with unwanted communication or even physical harm.

“Twitter DMs should have end to end encryption like Signal, so no one can spy on or hack your messages” - Elon Musk (28 Apr 2022)

In his April 2022 tweet, Musk explicitly advocates for end-to-end encryption in Twitter DMs to prevent spying or hacking of messages. This reflects his strong belief in the need for robust security measures to protect users’ privacy and sensitive information. However, the recent implementation of X’s calling feature, which shares users’ IP addresses by default, appears to contradict Musk’s commitment to data security.

Safeguarding Yourself

Here’s how you can protect your IP address from being exposed:

1: Access Your Settings: Open the X app and go to your profile picture icon to access your account settings.

2: Navigate to Privacy Settings: Select “Settings and Privacy,” then choose “Privacy and Safety” to find the relevant options.

3: Disable IP Address Sharing: Find the option related to audio and video calling settings in the “Direct Messages” section. Toggle off the default setting that shares your IP address with callers. This will prevent others from seeing your location when you make or receive calls on X.

4: Verification: After disabling the default setting, verify that the feature is indeed turned off to ensure your IP address won’t be shared during calls.

User Awareness:

It’s important to raise awareness among X users about the default setting that shares IP addresses during calls and how to disable it. By informing others about this issue, you can help protect their privacy as well.

Conclusion:

By understanding the issue and taking proactive steps to disable IP address sharing, you can enjoy the benefits of X’s calling feature while minimising potential risks to your privacy and security. Stay informed and vigilant to safeguard your personal information online.

GitHub’s Battle Against Malicious Forks : A Security Challenge

Introduction

GitHub, a leading software development platform, faces a grave security threat posed by millions of malicious repository forks. Since mid-2023, attackers have exploited GitHub’s ecosystem, employing sophisticated tactics to infiltrate legitimate repositories and spread malware.

The Attack

The attack involves cloning existing repositories, injecting malware, and uploading them back to GitHub under the same names. Automated systems then fork these repositories thousands of times, amplifying the malicious spread. This campaign targets unsuspecting developers, executing code designed to steal sensitive information such as authentication cookies.

Timeline

  • May 2023: Malicious packages uploaded to PyPI, spread through 'os.system("pip install package")' calls in forks of popular GitHub repos.
  • July-August 2023: Malicious repos uploaded to GitHub directly, bypassing PyPI after removal of malicious packages.
  • November 2023-Now: Over 100,000 repos detected with similar malicious payloads, continuing to grow.
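The dropper pattern named in the timeline, a shell-out to 'pip install' planted in an otherwise normal Python file, is something a repository owner can screen for before merging or building. The following is an added example, not code from GitHub or from the researchers: it parses Python source with the standard `ast` module and reports calls to `os.system`, `os.popen` or `subprocess.*` whose string arguments invoke pip; the sample source it scans is constructed for this illustration.

```python
import ast

# Shell-out functions the campaign used to install a malicious PyPI package
# when the poisoned file was imported or executed.
SHELL_CALLS = {
    ("os", "system"), ("os", "popen"),
    ("subprocess", "call"), ("subprocess", "run"),
    ("subprocess", "Popen"), ("subprocess", "check_output"),
}


def _qualified(node: ast.Call):
    """Return ('os', 'system')-style tuple for a module.attr call target, else None."""
    func = node.func
    if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
        return (func.value.id, func.attr)
    return None


def _string_args(node: ast.Call):
    """Collect literal string arguments, joining list/tuple argv forms into one command."""
    out = []
    for arg in list(node.args) + [kw.value for kw in node.keywords]:
        if isinstance(arg, ast.Constant) and isinstance(arg.value, str):
            out.append(arg.value)
        elif isinstance(arg, (ast.List, ast.Tuple)):
            parts = [e.value for e in arg.elts
                     if isinstance(e, ast.Constant) and isinstance(e.value, str)]
            out.append(" ".join(parts))
    return out


def find_pip_shellouts(source: str, filename: str = "<source>") -> list:
    """Return (line, call, command) for every call that shells out to 'pip install'."""
    findings = []
    tree = ast.parse(source, filename)
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        target = _qualified(node)
        if target not in SHELL_CALLS:
            continue
        for cmd in _string_args(node):
            if "pip" in cmd and "install" in cmd:
                findings.append((node.lineno, ".".join(target), cmd))
    return findings


# Constructed sample file: a benign function plus two planted installer lines.
SAMPLE = '''\
import os, subprocess
def setup():
    print("hello")
os.system("pip install totally-legit-package")
subprocess.run(["python", "-m", "pip", "install", "evil-helper"])
os.system("ls -la")
'''

if __name__ == "__main__":
    for line, call, cmd in find_pip_shellouts(SAMPLE, "sample.py"):
        print(f"sample.py:{line}: {call}() runs '{cmd}'")
```

Run it over every `*.py` in a fork before building; a hit at module top level (outside any function) is the strongest signal, since it executes on import.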

GitHub’s Response

GitHub employs automated tools to swiftly detect and remove malicious repositories. However, despite these efforts, some repositories evade detection, posing a persistent threat. GitHub encourages community reporting and has implemented default push protection to prevent accidental data leaks.

Implications

The widespread nature of the attack risks secondary social engineering effects, as naive users unknowingly propagate malware. GitHub’s security measures mitigate risks, but the incident underscores vulnerabilities in the software supply chain. Similar campaigns targeting dependencies highlight the fragility of software supply chain security.

How can PureID help?

The PureID authentication framework provides enterprise users with individual commit-signing keys. Every change to a code repository can then be cryptographically verified at build time to determine whether it comes from a trusted user.

Without cryptographic verification it’s hard to determine whether code was committed by a trusted or original author and is free from unauthorised commits or other integrity violations.

Removing passwords from the authentication flow further hardens the security of the code repositories.

Conclusion

GitHub’s battle against malicious forks underscores the ongoing challenges in securing the software supply chain. Vigilance, community reporting, and enhanced security measures are essential to effectively mitigate risks in the ever-evolving threat landscape.

Securing Cloud Environments: Lessons from the Microsoft Azure Breach

Introduction

In the wake of the recent Microsoft Azure breach, it has become increasingly evident that organizations must prioritise enhancing their security posture to mitigate the risk of similar incidents in the future. This breach, attributed to compromised passwords & MFA manipulation, underscores the critical importance of implementing passwordless authentication solutions to strengthen overall security.

The Breach

The breach unfolded through a series of sophisticated maneuvers executed by cyber criminals to exploit weaknesses in Azure’s security framework. Initially, phishing emails targeted mid and senior-level executives, enticing them into disclosing their login credentials unwittingly. 

Armed with these credentials, attackers gained unauthorised access to Azure accounts, despite the presence of multi-factor authentication (MFA). By circumventing MFA and substituting victims’ MFA settings with their own, attackers maintained undetected access to Azure resources. 

They further obscured their identities using proxies, evading detection while seizing control of sensitive data and cloud resources.

This helps attackers bypass any poorly designed adaptive authentication solution relying on IP based access restriction or re-authentication.

How Microsoft Azure was Breached

The Lessons

  1. Phishing: Implement Phishing-Resistant Authentication Methods
    • Organisations must adopt phishing-resistant authentication methods to combat prevalent phishing attacks. Staff training alone may not suffice, necessitating solutions that minimise the risk of credential theft.
  2. Credential Theft: Go Passwordless
    • Enhanced credential security with multi-factor authentication is insufficient. Robust password management practices and adaptive MFA solutions have been and will continue to be breached unless you eliminate credentials altogether. Passwordless solutions are the optimal choice for enterprises, as they have been for quite some time now. Both enterprises and individuals must recognise and adopt them as standard practice.
  3. MFA Replacement: Implement Continuous Monitoring and Anomaly Detection
    • When you’re using credentials, it’s crucial to keep an eye on them. Continuous monitoring and anomaly detection play a vital role here. They help spot any unauthorised changes in MFA settings promptly, preventing any further access.
  4. Masking Location Using Proxies: Strengthen Adaptive Authentication Checks
    • Strengthening adaptive authentication checks is vital to detect suspicious activities like masked locations. Geo-location based authentication or behavioural biometrics can enhance authentication accuracy.
  5. Cloud Account Takeover: Implement Zero Trust Security Architecture
    • Implementing a Zero-trust security model is crucial to verify every access request, regardless of source or location. Granular access controls and continuous monitoring can mitigate the impact of cloud account takeovers.

Moving Forward

In the aftermath of this breach, organizations must prioritise fortifying their security posture to prevent similar incidents. While passwordless authentication solutions offer promising alternatives, organizations should also concentrate on strengthening existing security protocols, conducting regular security audits, and enhancing employee awareness to mitigate future threats effectively.

Conclusion

The breach of Microsoft Azure serves as a stark reminder of the imperative for proactive cybersecurity measures in safeguarding sensitive data and mitigating the risk of unauthorised access. 

By embracing passwordless authentication solutions and implementing a holistic security strategy, organizations can enhance their resilience against evolving cyber threats and safeguard their invaluable assets effectively.

Mother of all breaches: Which you could have avoided !!

Introduction

Don’t use passwords they said. It can be breached they said. Well, surprise, surprise, we didn’t pay much attention. Now, here we are, nervously checking our email IDs against the colossal 26 billion-record breach – the mother of all breaches!

Breach Unveiled: A Symphony of Chaos

So, there’s this massive breach, Mother of All Breaches (MOAB), a digital pandemonium that has exposed a whopping 26 billion records. It’s like a digital opera – records from MySpace to Adobe, starring Tencent, Weibo, Twitter, and LinkedIn. Your data just had its grand debut!

The Dramatic Unfolding

Picture this: MOAB is a blockbuster compilation of data breaches, meticulously curated. It’s like a Hollywood blockbuster, but your credentials are the star, and not in a good way. Your once-secure passwords are now part of a hacker’s treasure trove. Slow clap for the password drama.

Passwords – The Ultimate Blunder

If  Ellen DeGeneres hosted this show, she’d say, “You had one job – say no to passwords!” See the aftermath? Identity theft, phishing attacks, and a surge in password-stuffing shenanigans. All thanks to those outdated, reused, and easy-to-crack passwords.

Passwordless Paradise: Where Dreams Come True

Now, imagine an alternate universe where you actually listened – where passwordless authentication is the superhero. No MOAB nightmares, just smooth, secure logins without the hassle of juggling countless passwords. A utopia, right?

Mitigation Party: Reclaim Your Digital Kingdom

Inspect your vulnerability: employ tools such as “Have I Been Pwned” and a data leak checker. Use “Privacy Hawk” to trace your data’s path and request removal from unwanted websites. Move swiftly: purge your digital footprint by eliminating your data from irrelevant websites.

Conclusion: Lessons Learned (Hopefully)

In an ideal world, you’d have embraced passwordless authentication, and we’d all be sipping digital margaritas by now. But, alas, here we are – dealing with the aftermath. Take this as a digital wake-up call: passwords belong to the past, let’s march into a passwordless future.

A Final Plea: Break Free from Passwords

Passwords are so yesterday!! The revolution is calling – will you answer? Join the passwordless parade; your digital sanity will thank you later. Use PureID, Stay Safe.

MongoDB Security Incident: Navigating the Aftermath

Breach Chronicles: MongoDB’s Unsettling Security Saga Unfolds

On December 13, 2023, MongoDB, a prominent US-based open-source NoSQL database management system provider, faced a substantial security incident. This breach of MongoDB Atlas, a fully-managed cloud database, unfolded as unauthorised access infiltrated corporate systems, laying bare customer account metadata and contact information. The assailants employed a cunning phishing attack, exploiting support service applications. The consequences were dire – a trove of sensitive data, including customer names, phone numbers, and account details, left exposed in the turbulent aftermath of this cyber storm.

MongoDB Steps Explained

Intrusion Footprints: A List of IPs Disclosed

In a proactive move, MongoDB disclosed a comprehensive list of external IP addresses on their alerts page. These IPs were strategically employed by the unauthorised third party. Organisations are strongly advised to meticulously scrutinise their networks, diligently searching for any ominous signs of suspicious activity intricately linked to these disclosed IPs. If you spot these IPs, you’ve got unwelcome guests. Remember it’s time to act, and act fast.
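Turning a published list of attacker IP addresses into a check against your own logs is a short script; the following is an added example, not code from MongoDB. The indicator list here uses RFC 5737 documentation addresses as placeholders for the real IPs on MongoDB’s alerts page, and the log lines are constructed; the matcher accepts single addresses and CIDR ranges, skips malformed tokens, and is IPv4-only.

```python
import ipaddress
import re

# PLACEHOLDER indicators: substitute the addresses from MongoDB's alerts page.
# These are RFC 5737 documentation addresses, constructed for this example.
PUBLISHED_IOCS = ["192.0.2.10", "192.0.2.11", "198.51.100.0/28"]

# Dotted-quad candidates; ipaddress validates them, so 999.1.1.1 is simply skipped.
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def build_ioc_set(indicators):
    """Normalise single IPs and CIDR ranges into ip_network objects."""
    return [ipaddress.ip_network(ind, strict=False) for ind in indicators]


def is_ioc(ip: str, nets) -> bool:
    """True when ip is a valid IPv4 address inside any indicator network."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in n for n in nets)


def scan_log(lines, nets):
    """Return (line_no, matched_ip, line) for every line referencing an indicator."""
    hits = []
    for no, line in enumerate(lines, 1):
        for ip in IP_RE.findall(line):
            if is_ioc(ip, nets):
                hits.append((no, ip, line.strip()))
                break  # one hit per line is enough for triage
    return hits


# Constructed sample: three web-server access lines and one firewall line.
SAMPLE_LOG = """\
203.0.113.5 - - [13/Dec/2023:10:01:02 +0000] "GET /login HTTP/1.1" 200 512
192.0.2.10 - - [13/Dec/2023:10:03:44 +0000] "POST /support/ticket HTTP/1.1" 302 0
198.51.100.7 - - [13/Dec/2023:10:05:19 +0000] "GET /admin HTTP/1.1" 403 128
Dec 13 10:07:00 fw kernel: ACCEPT IN=eth0 SRC=203.0.113.9 DST=10.0.0.4
"""

if __name__ == "__main__":
    nets = build_ioc_set(PUBLISHED_IOCS)
    for no, ip, line in scan_log(SAMPLE_LOG.splitlines(), nets):
        print(f"line {no}: indicator {ip} seen in: {line}")
```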

MongoDB Breach

Phishing & Social Engineering – The Achilles’ Heel of Multi-Factor Authentication

MongoDB issues a resolute counsel to its user base, emphasising the critical need to bolster defences against the looming threats of social engineering and phishing. In response, the company advocates the implementation of multi-factor authentication (MFA), urging users to promptly update their MongoDB Atlas passwords as an additional layer of security.

Phishing attacks or social engineering can bypass and disable all types of MFA solutions, as seen time and again. The security incident under discussion started with phishing attacks. So implementing MFA will have zero security advantage but will only increase the cost, efforts and complexity of authentication.

GoPasswordless – The best protection for MongoDB

Going passwordless with PureAUTH will benefit in 2 broad ways to protect MongoDB or any other enterprise applications –

  1. Secure Authentication – PureAUTH offers passwordless authentication which is secure from phishing & social engineering attacks.
  2. Resilience in case of data breach – If data from a database like MongoDB is leaked due to misconfigurations, 0-day vulnerabilities, insider attacks, etc., the adversary will not find any passwords, MFA seeds, swappable public keys, or any other usable data to carry out unauthorised access elsewhere.

Conclusion

Amidst the gloom, MongoDB presents a silver lining: Passwordless Authentication. It’s a call to transcend traditional password reliance for a more secure future. Fortify your defences with passwordless security. MongoDB users, the future beckons. Embrace the resilience of passwordless authentication, reinforce your security posture with PureID, and navigate the cyber security landscape with renewed strength. Passwords? Pfft, that’s so yesterday. The journey continues—Passwordless Authentication awaits.

Unpacking Okta’s Recent Security Breach

Introduction

In today’s interconnected world, data breaches have become unfortunately common. One recent incident that has drawn the cybersecurity community’s attention involves Okta, a prominent identity and access management (IAM) provider. This blog post delves into the specifics of the Okta breach, its impact, and the lessons we can learn.

The Initial Okta Breach

The story starts with a breach of Okta’s case management system, reported in late October. Threat actors gained unauthorised access to sensitive files of 134 Okta customers, less than 1% of the customer base. Some stolen files were HTTP Archive (HAR) files with session tokens, usable in session hijacking attacks.
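A HAR file uploaded to a support case carries every request and response header the browser saw, which is why session cookies and bearer tokens end up inside it. The following is an added example, not code from Okta or any of the affected vendors: it redacts cookie and authorization headers, cookie objects and common token fields in response bodies from a HAR 1.2 document, and offers an audit function to confirm nothing sensitive remains. The sample HAR is constructed.

```python
import json
import re

# Header names whose values turn a shared HAR into a session-hijacking kit.
SENSITIVE_HEADERS = {"cookie", "set-cookie", "authorization",
                     "proxy-authorization", "x-csrf-token"}
REDACTED = "[REDACTED]"
# Token fields commonly returned by token endpoints in JSON bodies.
TOKEN_FIELD_RE = re.compile(r'"(access_token|id_token|refresh_token)"\s*:\s*"[^"]*"')


def _scrub_headers(headers):
    for h in headers:
        if h.get("name", "").lower() in SENSITIVE_HEADERS:
            h["value"] = REDACTED


def _scrub_cookies(cookies):
    for c in cookies:
        c["value"] = REDACTED


def sanitize_har(har: dict) -> dict:
    """Return a copy of a HAR 1.2 document with session material removed."""
    out = json.loads(json.dumps(har))  # deep copy; the caller's object is untouched
    for entry in out.get("log", {}).get("entries", []):
        for side in ("request", "response"):
            msg = entry.get(side, {})
            _scrub_headers(msg.get("headers", []))
            _scrub_cookies(msg.get("cookies", []))
        content = entry.get("response", {}).get("content", {})
        if isinstance(content.get("text"), str):
            content["text"] = TOKEN_FIELD_RE.sub(r'"\1": "[REDACTED]"', content["text"])
    return out


def remaining_secrets(har: dict) -> list:
    """Audit helper: names of sensitive headers that still carry a non-redacted value."""
    found = []
    for entry in har.get("log", {}).get("entries", []):
        for side in ("request", "response"):
            for h in entry.get(side, {}).get("headers", []):
                if h.get("name", "").lower() in SENSITIVE_HEADERS and h.get("value") != REDACTED:
                    found.append(h["name"])
    return found


# Constructed sample HAR (not a real capture); the host name is reserved and unroutable.
SAMPLE_HAR = {
    "log": {"version": "1.2", "entries": [{
        "request": {
            "url": "https://example.invalid/api/session",
            "headers": [{"name": "Cookie", "value": "sid=CONSTRUCTED_SESSION_ID"},
                        {"name": "Accept", "value": "application/json"}],
            "cookies": [{"name": "sid", "value": "CONSTRUCTED_SESSION_ID"}]},
        "response": {
            "headers": [{"name": "Set-Cookie", "value": "sid=CONSTRUCTED_SESSION_ID; HttpOnly"}],
            "cookies": [],
            "content": {"mimeType": "application/json",
                        "text": '{"access_token": "CONSTRUCTED_TOKEN", "ok": true}'}}
    }]}
}

if __name__ == "__main__":
    clean = sanitize_har(SAMPLE_HAR)
    print("still leaking:", remaining_secrets(clean))
    print(json.dumps(clean, indent=2))
```

Redaction keeps the file useful for debugging (URLs, status codes and timings survive) while removing exactly what a session-hijacking attacker needs.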

Targets: BeyondTrust, Cloudflare, and 1Password

BeyondTrust, Cloudflare, and 1Password confirmed their systems were targeted due to this breach. They emphasised no loss of customer data during these incidents, highlighting their robust security measures.

Okta’s Response and Investigation

David Bradbury, Okta’s Chief Security Officer, revealed the breach’s origin. An employee logged into their personal Google account on an Okta-managed laptop, inadvertently saving service account credentials. The hackers exploited this service account, gaining permissions to view and update support cases. The breach occurred from September 28 to October 17, 2023.

Investigation Challenges

Okta’s security team initially focused on unauthorized access to support cases. Identifying suspicious downloads took 14 days. Unique log event types and IDs complicated the detection process.

On October 13, BeyondTrust provided a suspicious IP address, leading to the identification of the compromised account’s activities.

Implications and Ongoing Concerns

The breach raises numerous cybersecurity concerns. Callie Guenther, Senior Manager of Cyber Threat Research at Critical Start, highlighted the potential for secondary attacks arising from exposed data. Such incidents erode trust in service providers, especially for security-focused companies like Okta.

John Bambenek, Principal Threat Hunter at Netenrich, pointed out that recurring security events raise questions about Okta’s reliability in sensitive roles like identity and authentication.

Conclusion: The Vital Role of Passwordless Authentication

The Okta breach underscores the importance of robust cybersecurity practices. Organisations must remain vigilant, conducting continuous security assessments and proactively implementing measures against evolving threats.

A single compromised password can jeopardize an entire institution. Therefore, we strongly advocate for passwordless authentication. By eliminating passwords, organizations can fortify their defenses, enhancing security and reducing the risk of future incidents. Passwordless authentication is a safer and more effective approach to protecting digital identities in today’s evolving landscape. #gopasswordless

Breach Report & Breach Support

June reminds us of 2 things: first, how fast another year has passed, and second, the Verizon Data Breach Investigations Report (DBIR).

Since 2008, Verizon has been releasing the Data Breach Investigations Report (DBIR), which has provided the infosec world with valuable insights and detailed analysis of the evolving threat landscape from various viewpoints (industry segments, geography, etc.).

Report Highlights

Stolen credentials remain the biggest concern and the reason for 86% of breaches over the web. The report also states that the most targeted assets were servers rather than individual applications or devices.

From VDBIR 2023

On the Rise

In summary, VDBIR 2023 mentions that 50% of total breaches were due to credential fraud, 10% to phishing, and the rest to exploitation of vulnerabilities.

The report also mentions ransomware attacks becoming ubiquitous and a 50% increase in social engineering attacks.

From VDBIR 2023

The report also has a monthly summary of incidents from 2022, including the incidents involving leaked passwords from Okta and MFA factors from Twilio.

August Summary from VDBIR 2023

PureID #BreachSupport

As the industry is still closely studying the breach report VDBIR 2023, we are working on our latest initiative, Breach Support, through which we intend to help businesses quickly recover from incidents by removing passwords and adopting Zero Trust access control with zero impact on business. More details on Breach Support will be shared soon; stay tuned.

Please note: all the above images are taken as-is from VDBIR 2023, and the last one is from the PureID team.

Breach Story – Summer 2023

The temperature in May 2023 is high not just due to global warming but also due to security breaches at numerous reputed organisations.

Many companies experienced or disclosed a data breach in the last 10 days. Prominent breaches that have surprised the industry are the ones from Discord, a Microsoft company, and Capita, the UK-based service giant.

Other organisations of significance include Toyota, PharMerica, ScanSource, etc.

Organisations named in recent security breach incidents

The Incidents

All of the above companies are yet to disclose the root cause of their breach, but, as always happens, compromised user credentials are the most likely reason.

As the organisations are still carrying out their investigations and getting their PR sorted, it will be interesting to see which popular security solutions will be named or blamed for failing, just as the breach at Okta was blamed for the breach at Twilio, and the failure of Duo Security and Thycotic was blamed for the breach at Uber last year.

If you are interested in studying these breaches further, we have provided links to the resources below.

Organisation | The Incident | Root Cause | Reference
Capita | Hackers accessed roughly 4% of its server infrastructure and stole files hosted on the breached systems | Under investigation | Capita Breach
Discord | Customer email IDs, messages and attachments were disclosed | Leaked credentials of a support agent | Discord Breach
Luxottica | Information of 70 million users leaked online | Under investigation | Luxottica Breach
PharMerica | 5.8 million patients’ medical data leaked | Not disclosed | PharMerica Breach
ScanSource | Massive service outage; breached data yet to be known | Under investigation | ScanSource Incident
Toyota | 2 million customers’ data, accumulated over 10 years, leaked | Access key disclosed in code repository | Toyota Breach

The Scary Picture

The leaked data from the above organisations is posted on the dark web and is available for sale. A large portion of the stolen data is available for free. Troy Hunt collects data from such sources and makes it available for individuals to check through haveibeenpwned.

https://www.abc.net.au/news/2023-05-18/data-breaches-your-identity-interactive

The ABC News network has recently launched a visual summary of the potential scale of the leaked information out there about individuals, using the haveibeenpwned service.

Breach Happens

#BreachHappens!!! It’s unavoidable. PureID is working to provide immediate relief to organisations that are breached or in the middle of a security incident; stay tuned to know more.

FinTech Company’s Million+Records Exposed…

Have you ever received a phone call from a seemingly legitimate vendor, who knew all your personal and financial information, and then requested an advance payment or financial assistance from you? If you have, you know how terrifying this situation can be. It only takes one small mistake to send your finances into disarray.

But you are not alone in this struggle. Jeremiah Fowler, a cybersecurity expert, helped avoid this nightmare scenario through his vigilance. Fowler discovered a database containing a million consumers’ personal and financial information, including names, email addresses, postal addresses, phone numbers, payment purposes, sums paid, due dates, and tax ID numbers. The database held invoices from people and companies who paid for goods and services using an app. This database belonged to NorthOne Bank, a FinTech company used by over 320,000 American businesses.

Jeremiah Fowler discovered a database belonging to NorthOne Bank that was not password-protected.

About NorthOne

NorthOne is a popular FinTech company that offers integration options with various services, including but not limited to Airbnb, Cash App, Lyft, PayPal, QuickBooks, Shopify, Square, Stripe, Uber, Venmo, and Wave. It is worth noting that NorthOne is not a full-service bank. Banking services for NorthOne Bank are provided by The Bancorp Bank.

The Incident

The findings were first reported on January 19th, 2023 and the database remained unsecured until January 31st, 2023. It is unclear how long these records were exposed or who else may have had access to the database. It should also be noted that Bancorp Bank is not at fault or responsible for this breach.

The database allowed anyone with an internet connection and the database’s URL to see or download the .PDF documents. There were basic security controls preventing a full indexing of all documents. There were over a million files in the database that were marked as “production”. In a random sampling of 1,000 invoices, Jeremiah observed invoice amounts ranging from as low as $60 to over $10,000 for various services. These included home repairs, pet services, food and beverage, and even medical care.

Invoices in the exposed Dataset

This is how the data appeared in the compromised dataset. You can clearly see “Powered by NorthOne” in the footer of the image.

How Can Customers Be Targeted?

The data in the unprotected PDFs contains Tax Identification Number (TIN) along with other personal details of the customers. This TIN can be exploited to file fraudulent federal tax returns and claim refunds from the Internal Revenue Service (IRS).

Someone can misuse the data by using the Employee Identification Number (EID) to apply for loans. Another challenge could be to prove that the application was not authorised.

In order to acquire customers’ trust, a con artist may also pose as a legitimate financial organisation and cite transaction receipts. Consumers’ personal information can be used by other parties to influence them and reveal sensitive information.

What went wrong?

It seems that NorthOne had a database with no protection on it. You can learn how to safeguard your database, code repositories, and code infrastructure with PureAUTH’s Just-in-Time Access Provisioning. You can learn more in our blog post titled Know Your Code Infrastructure.