Published on December 3rd, 2019
Welcome back from the holiday, Americans! Here’s who leaked data while you were away
TrueDialog, Mixcloud, Magento Marketplace expose accounts
While you were polishing off that third plate of turkey, here’s what happened in security-land
Thanksgiving is an ideal time to either hack (IT admins need holidays too) or to drop news of hacks (because no one’s reading much news) so here’s your roundup of the weekend’s shenanigans.
In the past few days, researchers have disclosed breaches at mobile carrier TrueDialog, music streamer Mixcloud, and Adobe’s Magento Marketplace service. Millions of people are thought to be affected.
TrueDialog exposes “massive” activity database
The research team at VPNmentor took credit for the discovery and disclosure of a database owned by business comms provider TrueDialog. They report that the data of millions of users, including the content of SMS messages, was left out in the open after an Azure-hosted database was mistakenly set to public availability.
“This was a huge discovery, with a massive amount of private data exposed, including tens of millions of SMS text messages,” reported the VPNmentor team.
“Aside from private text messages, our team discovered millions of account usernames and passwords, PII data of TrueDialog users and their customers, and much more.”
TrueDialog provides SMS services to its customers, mostly businesses and educational institutions. The Texas-based company partners with phone carriers to offer things like alerts and large-scale marketing campaigns, as well as campus alerts and student admissions.
Those are the sort of SMS communications that were exposed, along with account details (email addresses, passwords in either plaintext or base64), and contact information. VPNmentor says that, in total, the exposed database was 604GB in size and included data on tens of millions of people.
“It’s difficult to put the size of this data leak into context. Tens of millions of people were potentially exposed in a number of ways,” the report reads.
“It’s rare for one database to contain such a huge volume of information that’s also incredibly varied.”
TrueDialog confirmed the incident to DigitalMunition and said that while it is still investigating, currently it is believed that VPNmentor’s team were the only people to spot the database before it was pulled from the public.
“We were notified on Thursday that for a short period text message logs between our business customers and individuals were potentially accessible on one of our Azure servers,” CEO John Wright told El Reg.
“The data was located at a non-published network port which is now secured. We have internally found no evidence that the data was downloaded or viewed by anyone other than the security analyst who notified our company that the data was potentially accessible.”
Mixcloud punter profiles put up for sale
UK music streaming service Mixcloud is said to be investigating after it was reported that the details on 21 million users are being flagged for sale on the dark web.
Just what could be done with this pilfered data (usernames, email addresses, hashed passwords) isn’t quite clear. The passwords are said to have been securely encoded, and no payment data is included.
Still, those who have a Mixcloud account will want to change up their password, and if those credentials were re-used on other sites (don’t do this), those logins should also be updated.
Adobe warns of Magento Marketplace breach
Recently, Adobe began notifying developers on its Magento Marketplace plug-in store that someone had managed to break into a system containing account details, but no payment card information.
“On November 21, we became aware of a vulnerability related to Magento Marketplace. We temporarily took down the Magento Marketplace in order to address the issue,” Magento said in announcing the incident.
“The Marketplace is back online. This issue did not affect the operation of any Magento core products or services.”
The exposed data included name, email address, account name, billing/shipping address, and, in some cases, the percentage of plug-in sales that Magento had paid out to third-party developers. ®