All posts tagged: data breach

Poh Heng Jewellery hit by data breach, customers’ personal information may have been compromised

Poh Heng Jewellery hit by data breach, customers’ personal information may have been compromised

Published by skeptic

SINGAPORE: Poh Heng Jewellery has notified its customers about a database breach that occurred on Monday (Mar 25). In response to CNA’s query, Ezekiel Chin, data protection officer at the jewellery company, said that the unauthorised access may have compromised members’ personal information. “Upon discovery, we took prompt action to secure our system and have since reported the incident to the Personal Data Protection Commission (PDPC) and Singapore Police Force (SPF),” said Mr Chin. “We have also confirmed that no passwords and payment information were leaked.” When asked why the affected users were not notified upon discovery of the breach, Mr Chin told CNA the immediate priority then was to secure the company’s database and to ensure that there was no further compromise of data and its platforms. “We also needed time to consolidate findings to report to PDPC and SPF to support and facilitate their investigations. “While this may have taken time, it allowed us to better communicate steps taken to contain and resolve the situation to our affected members.” A check by CNA …

AT&T won’t say how its customers’ data spilled online

AT&T won’t say how its customers’ data spilled online

Published by skeptic

Three years after a hacker first teased an alleged massive theft of AT&T customer data, a breach seller this week dumped the full dataset online. It contains the personal information of some 73 million AT&T customers. A new analysis of the fully leaked dataset — containing names, home addresses, phone numbers, Social Security numbers, and dates of birth — points to the data being authentic. Some AT&T customers have confirmed their leaked customer data is accurate. But AT&T still hasn’t said how its customers’ data spilled online. The hacker, who first claimed in August 2021 to have stolen millions of AT&T customers’ data, only published a small sample of the leaked records at the time, making it difficult to verify its authenticity. AT&T, the largest phone carrier in the United States, said back in 2021 that the leaked data “does not appear to have come from our systems,” but it chose not to speculate as to where the data had originated or whether it was valid. Troy Hunt, a security researcher and owner of data …

Mintlify says customer GitHub tokens exposed in data breach

Mintlify says customer GitHub tokens exposed in data breach

Published by skeptic

Documentation startup Mintlify says dozens of customers had GitHub tokens exposed in a data breach at the start of the month and publicly disclosed last week. Mintlify helps developers create documentation for their software and source code by requesting access and tapping directly into the customer’s GitHub source code repositories. Mintlify counts fintech, database and AI startups as customers. In a blog post Monday, Mintlify blamed its March 1 incident on a vulnerability in its own systems, but said 91 of its customers had their GitHub tokens compromised as a result. These private tokens allow GitHub users to share their account access with third parties apps, including companies like Mintlify. If these tokens are stolen, an attacker could obtain the same level of access to a person’s source code as the token permits. “The users have been notified, and we’re working with GitHub to identify whether the tokens were used to access private repositories,” Mintlify co-founder Han Wang wrote in a blog post. News of the incident became public last week when some users on …

How to verify a data breach

How to verify a data breach

Published by skeptic

Over the years, TechCrunch has extensively covered data breaches. In fact, some of our most-read stories have come from reporting on huge data breaches, such as revealing shoddy security practices at startups holding sensitive genetic information or disproving privacy claims by a popular messaging app. It’s not just our sensitive information that can spill online. Some data breaches can contain information that can have significant public interest or that is highly useful for researchers. Last year, a disgruntled hacker leaked the internal chat logs of the prolific Conti ransomware gang, exposing the operation’s innards, and a huge leak of a billion resident records siphoned from a Shanghai police database revealed some of China’s sprawling surveillance practices. But one of the biggest challenges reporting on data breaches is verifying that the data is authentic, and not someone trying to stitch together fake data from disparate places to sell to buyers who are none the wiser. Verifying a data breach helps both companies and victims take action, especially in cases where neither are yet aware of an …

As Change Healthcare’s outage drags on, fears grow that patient data could be released

As Change Healthcare’s outage drags on, fears grow that patient data could be released

Published by skeptic

A cyberattack at U.S. health tech giant Change Healthcare has ground much of the U.S. healthcare system to a halt for the second week in a row. Hospitals have been unable to check insurance benefits of in-patient stays, handle the prior authorizations needed for patient procedures and surgeries, or process billing that pays for medical services. Pharmacies have struggled to determine how much to charge patients for prescriptions without access to their health insurance records, forcing some to pay for costly medications out of pocket with cash, with others unable to afford the costs. Since Change Healthcare shut down its network suddenly on February 21 in an effort to contain the digital intruders, some smaller healthcare providers and pharmacies are warning of crashing cash reserves as they struggle to pay their bills and staff without the steady flow of reimbursements from insurance giants. Change Healthcare’s parent company UnitedHealth Group said in a filing with government regulators on Friday that the health tech company was making “substantial progress” in restoring its affected systems. As the near-term …

Hackers uncover new TheTruthSpy stalkerware victims: Is your Android device compromised?

Hackers uncover new TheTruthSpy stalkerware victims: Is your Android device compromised?

Published by skeptic

A consumer-grade spyware operation called TheTruthSpy poses an ongoing security and privacy risk to thousands of people whose Android devices are unknowingly compromised with its mobile surveillance apps, not least due to a simple security flaw that its operators never fixed. Now, two hacking groups have independently found the flaw that allows the mass access of victims’ stolen mobile device data directly from TheTruthSpy’s servers. Switzerland-based hacker maia arson crimew said in a blog post that the hacking groups SiegedSec and ByteMeCrew identified and exploited the flaw in December 2023. Crimew, who was given a cache of TheTruthSpy’s victim data from ByteMeCrew, also described finding several new security vulnerabilities in TheTruthSpy’s software stack. SPYWARE LOOKUP TOOL You can check to see if your Android phone or tablet was compromised here. In a post on Telegram, SiegedSec and ByteMeCrew said they are not publicly releasing the breached data, given its highly sensitive nature. Crimew provided TechCrunch with some of the breached TheTruthSpy data for verification and analysis, which included the unique device IMEI numbers and advertising …

‘World’s biggest casino’ app exposed customers’ personal data

‘World’s biggest casino’ app exposed customers’ personal data

Published by skeptic

The startup that develops the phone app for casino resort giant WinStar has secured an exposed database that was spilling customers’ private information to the open web. Oklahoma-based WinStar bills itself as the “world’s biggest casino” by square footage. The casino and hotel resort also offers an app, My WinStar, in which guests can access self-service options during their hotel stay, their rewards points and loyalty benefits, and casino winnings. The app is developed by a Nevada software startup called Dexiga. The startup left one of its logging databases on the internet without a password, allowing anyone with knowledge of its public IP address to access the WinStar customer data stored within using only their web browser. Dexiga took the database offline after TechCrunch alerted the company to the security lapse. Screenshots of the My WinStar app. Image Credits: Google Play (screenshot) Anurag Sen, a good-faith security researcher who has a knack for discovering inadvertently exposed sensitive data on the internet, found the database containing personal information, but it was initially unclear who the database …

Hackers breached Microsoft to find out what Microsoft knows about them

Hackers breached Microsoft to find out what Microsoft knows about them

Published by skeptic

On Friday, Microsoft disclosed that the hacking group it calls Midnight Blizzard, also known as APT29 or Cozy Bear — and widely believed to be sponsored by the Russian government — hacked some corporate email accounts, including those of the company’s “senior leadership team and employees in our cybersecurity, legal, and other functions.” Curiously, the hackers didn’t go after customer data or the traditional corporate information they may have normally gone after. They wanted to know more about themselves, or more specifically, they wanted to know what Microsoft knows about them, according to the company. Contact Us Do you have more information about this hack? We’d love to hear from you. From a non-work device, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, or via Telegram, Keybase and Wire @lorenzofb, or email [email protected]. You also can contact TechCrunch via SecureDrop. “The investigation indicates they were initially targeting email accounts for information related to Midnight Blizzard itself,” the company wrote in a blog post and SEC disclosure. According to Microsoft, the …

Law firm that handles data breaches was hit by data breach

Law firm that handles data breaches was hit by data breach

Published by skeptic

An international law firm that works with companies affected by security incidents has experienced its own cyberattack that exposed the sensitive health information of hundreds of thousands of data breach victims. San Francisco-based Orrick, Herrington & Sutcliffe said last week that hackers stole the personal information and sensitive health data of more than 637,000 data breach victims from a file share on its network during an intrusion in March 2023. Orrick works with companies that are hit by security incidents, including data breaches, to handle regulatory requirements, such as obtaining victims’ information in order to notify state authorities and the individuals affected. In a series of data breach notification letters sent to affected individuals, Orrick said the hackers stole reams of data from its systems that pertain to security incidents at other companies, during which Orrick served as legal counsel. Orrick said that the breach of its systems involved its clients’ data, including individuals who had vision plans with insurance giant EyeMed Vision Care and those who had dental plans with Delta Dental, a healthcare …