Published on February 3rd, 2017 | by Akshay Nayak
Breach of the Month — January 2017
While everyone likes to win, this is an award you don’t want. Each week we choose a breach as our #breachoftheweek for our Twitter stream, and those become nominees for SS8’s “Breach of The Month”. Think of it as our team’s very own Raspberry Awards! Analyses of the Breach of the Week winners are provided by SS8’s Threat Analyst team. This month’s threat analysis was done by Akshay Nayak.
The weekly winners and nominees for January’s Breach of the Week are… (insert drum roll here):
- Clash of Clans
- Hello Kitty
A few points from each of our weekly winners:
Clash of Clans
Supercell, the makers of the popular game Clash of Clans (which I admittedly played for about a month), suffered a data breach in which details of 1.1 million accounts were compromised. Supercell claims these were not game accounts but forum accounts. The cause was an unpatched vulnerability in the vBulletin software used for their forum.
Keepkey
Hardware bitcoin wallet provider Keepkey had its systems targeted on Christmas Day. I don’t think this was a present that Keepkey wanted; maybe they were on the naughty list. It all started when an attacker managed to register a new phone number under the PIN-protected Verizon account of the company’s founder. From there, it was game over, as the attacker used the number to take control of his email account via account recovery. Once access to the email was obtained, the attacker used it to reset passwords to numerous accounts linked to it, such as the company’s Twitter account.
Hello Kitty
Sanrio, Hello Kitty’s parent company, had 3.3 million user credentials compromised. The cause of this breach was most likely a MongoDB misconfiguration early in December of 2015. At that point, the company said that no data was exposed and everything was fixed. This was not the case. On January 8th of this year, LeakedSource, a breach notification service, came across an identical set of data containing close to 3.3 million accounts, which Sanrio admitted was their compromised user credentials.
And the winner is….
With over 3.3 million records of personal information leaked, including 186,000 minors, it was no contest. Size alone was reason enough to choose this as our #BreachoftheMonth winner. Also, there is no telling who had access to this list. Identity theft is hard enough for adults to deal with, let alone children. Such issues are only compounded for children, as the problems might not materialize for several years, when they fill out a form asking for their SSN only to learn that somebody has stolen their identity.
The company knew very well that the DB was exposed for quite a while but refused to acknowledge it, either to avoid tarnishing their reputation or because they did not find any evidence of a data leak. In most cases, companies have no idea that they’ve been breached until it’s too late.
That’s it for this month! Check in next month for the “top breach” of February — and you can help us nominate breaches throughout the month using the hashtag #breachoftheweek.
Akshay Nayak is a Threat Researcher at SS8. In addition to threat hunting, he likes listening to Bollywood music and playing FIFA. A big Game of Thrones fan, he is one of those people who likes the books better than the TV series.