Four large companies made cybersecurity headlines this January, as they all disclosed that they had been impacted by cyber-attacks. The attack methods and severity varied in each case, but all resulted in a breach of company and/or customer data.
Late last week, T-Mobile announced that it was hacked. The criminals responsible for the breach were able to extract the personal data of 37 million customers, including names, addresses, birthdates, and account numbers. The company stated that the hackers were not able to gain access to valuable data such as credit card information or Social Security numbers. That was little comfort to some of the customers, as two class-action lawsuits are already in the process of being filed against T-Mobile.
Perhaps the most distressing point about this cyber-attack was the ease with which it was carried out. The responsible party never actually gained access to T-Mobile servers or network; instead, they were able to access an open application programming interface (API). The particular API which was exploited was used for Twitter content. Over the past few months Twitter has been enforcing rules which now disallow the use of APIs with their site. As this was a recent change, T-Mobile had not yet disabled the API access on their site.
Another major company also announced that it had suffered a cyber-attack with a loss of customer data. Last week PayPal disclosed that a recent attack had compromised data for 35,000 customers. In their announcement, PayPal stated that the attackers were not able to leverage the attack to steal any money from their customers, but they were able to access a large amount of private data, including names, birthdates, addresses, and Social Security numbers.
In this hack, the attackers used a method called credential stuffing. In a credential stuffing attack, an attacker obtains a large set of known usernames and passwords from previous hacks, where the information was sold or leaked on the dark web. They then plug that account information into the target system in the hope that an individual is using the same username and password as they did on another site. When the attackers used this method on the PayPal site, they discovered that 35,000 individuals were using username and password combinations that they also used on other sites that had already been compromised. In this instance PayPal itself was not to blame; it was the lax behaviors of a vast number of their users.
Video game company Riot Games recently disclosed that it was a victim of a cyber-attack as well. The hackers stole the coveted source code for their most popular game, League of Legends, as well as another game and an anti-cheating tool they had developed. The attackers immediately put the stolen data up for sale on the dark web. Riot Games stated that no customer data was compromised during this attack. At this time it is not clear how the attackers were able to get access to the proprietary code.
Another major attack to come out this month was the hack of Odin Intelligence. Odin Intelligence works with law enforcement agencies to provide a series of services. The hackers were able to gain access to documents belonging to some of the police agencies which use Odin products. Stolen information included plans for upcoming police raids, confidential police reports, and forensic reports.
Last year one of Odin’s products, an app called SweepWizard, was found to be spilling private data. SweepWizard is used by law enforcement agencies as a way of coordinating joint operations. Wired.com received a tip that the app was flawed, and informed the company of their findings. Attackers also defaced the Odin webpage following the attack. They included a statement blaming the inaction of CEO Erik McCauley in not correcting the vulnerabilities. Much like the T-Mobile hack, the attackers were able to exploit APIs that Odin had left open for third-party vendors to use.
The cyber landscape is and will continue to be a dangerous place. It takes the utmost diligence to protect yourself or a company once out there on the web. These four companies are just a recent drop in an ocean of cyber-attack targets, and they will not be the last to suffer such a fate. There is a saying in the cybersecurity world: “It is not if you will get hacked, it is when.”
We can expect to see a high volume of cyber-attacks continue to plague the cyber world. These four attacks show us that cyber criminals will not only continue to utilize old tried-and-true methods of attack, but will also find new and inventive ways to achieve their goals.
As an individual, it is important for you to know that excellent password hygiene practices are essential to protecting your account information. Do not reuse the same password for multiple sites. If you are following the NIST or DISA guidelines for passwords, your passwords should be about 12-14 characters long and should contain at least one uppercase letter, at least one lowercase letter, a number, and a special character.