Breach Brief – Facebook, USCellular, MeetMindful.com
Facebook, that great gobbler of your personal information, is also the bumbling village idiot of data security. This time it has lost control of over 500 million telephone numbers.
Security researcher Alon Gal reported finding a bot on Telegram selling the phone numbers of Facebook users for $20 apiece. Gal says the crook running the bot is laying claim to the data of 533 million users. According to The Verge, all the information comes from a Facebook vulnerability that was patched in 2019. Motherboard reported the bot was offering discount bulk pricing of 10,000 phone numbers for $5,000.
Telegram shut down the bot and Facebook claims the data was old. It is typical of Facebook to downplay a data breach…again. After all, old data is not necessarily useless or invalid. Another factor to keep in mind is that these phone numbers came from Facebook users all over the globe. Gal counted the millions of affected users in each country, finding 32,315,282 in America, 11,522,328 in the United Kingdom, 7,320,478 in Australia, and 3,494,385 in Canada.
Since we’re on the topic of data breaches and telephones, let’s talk about USCellular.
USCellular reported a data breach after retail employees were suckered into downloading malicious software onto a store computer. The software gave remote access to the computer and to the customer relationship management (CRM) software. From there hackers accessed the names, addresses, billing details and more for existing USCellular customers.
USCellular is a regional service provider with most of its customers in the Midwest.
The company first noticed the breach on January 6th, but according to Bleeping Computer it is believed that the actual attack was on the 4th. A notice was filed with the Office of the Vermont Attorney General on January 21, 2021. USCellular reports Social Security numbers and credit card details were apparently masked by the CRM system and not lost to the attackers.
USCellular took steps to protect customers by removing the affected computer from the store and resetting all employee credentials in that store.
As for customers, their own login details have been changed as well, including their PIN and any security question and answer they had set up. People are being asked to contact USCellular to set up new details for their accounts.
MeetMindful.com, a dating site launched in 2014, was attacked by what is described by ZDNet as a well-known hacker. The hacker, known online as ShinyHunters, is also credited with leaking the details of millions of users registered on Teespring, a web portal that lets users create and sell custom-printed apparel.
The hacker leaked the details of more than 2.28 million users registered on the dating website. The data has been shared as a free download on a publicly accessible hacking forum known for trading stolen databases. The 1.2 GB file appears to be a dump of the site’s user database.
The hacker appears to have hit the mother lode. The stolen data includes a wealth of information uploaded by lonely hearts when they first set up their profiles on the MeetMindful site and mobile apps.
Some of the most sensitive data points in the file include:
- Real names
- Email addresses
- City, state, and ZIP details
- Body details
- Dating preferences
- Marital status
- Birth dates
- Latitude and longitude
- IP addresses
- Bcrypt-hashed account passwords
- Facebook user IDs
- Facebook authentication tokens
The MeetMindful data has been viewed more than 1,500 times and, in many cases, most likely downloaded.