[Security Weekly] Personal Data of 533 Million Facebook Users Published Online


2nd Week of April 2021


1. Personal data of 533 million Facebook users published online

Over 533 million user records from Facebook were found available for download on a hacking forum. Initially discovered by the CTO of threat intelligence firm Hudson Rock, the published data contained all registered profile information, including full names, Facebook IDs, dates of birth, gender, phone numbers, email addresses, location, and occupation.

These data were organized into downloadable files by country, including 32 million records from the US and 11 million records from Britain. Most of these files were available for under $3, with many available for free.

Facebook confirmed the incident, but said that the published data came from a data breach in 2019 which the company had already reported to the authorities at the time. That leak was the result of a flaw in its developer API, which the company patched in August 2019.

Although considerable time has passed since the breach, personal data from 2019 is still regarded as highly relevant, since most of the phone numbers and email addresses likely remain active. Experts are warning all victims to be cautious of social engineering attacks such as phishing, scams, identity theft, and illegal marketing activities.

Sources: ZDNet, Threatpost, Infosecurity, DW


2. University of California, Stanford, Maryland suffer data leaks from Accellion FTA

A number of universities in the United States became the latest victims of the Accellion FTA supply chain attack, as recently reported by the University of California system, Stanford University School of Medicine, and the University of Maryland, Baltimore.

The University of California first disclosed that the personal and financial information of some students was exfiltrated and published online by the Clop ransomware gang, the group that has been actively exploiting the Accellion FTA vulnerabilities for several months now.

Stanford Daily also reported that Stanford Medicine was affected in an Accellion FTA supply chain attack, which leaked names, home addresses, social security numbers (SSN), email addresses, and financial information.

The University of Maryland’s medical-oriented campus in Baltimore was similarly impacted, along with the University of Colorado and the University of Miami. Nevertheless, all of the affected universities stated that only files stored on the Accellion FTA server were stolen, and that so far there is no evidence of the attackers gaining access to their internal networks.

At the same time, Brown University suffered a more serious attack in which hackers infected its internal network with malware. This forced the university to shut down all internal IT systems, including all Windows-based computers, significantly disrupting its operations. However, the attack on Brown University does not appear to be related to the Accellion cases.

Cyberattacks on the education sector have been growing since the beginning of the COVID-19 pandemic. Over the past year, Penta Security’s signature-free web application firewall WAPPLES has gained a significant number of customers in the education and public sectors, helping them overcome this growing threat.

Sources: Bleeping Computer, The Hill


3. Fortinet FortiOS flaws actively exploited by newly emerged Cring ransomware

On April 2, the FBI and CISA issued a joint alert warning that APT groups have been exploiting three vulnerabilities in Fortinet’s FortiOS. Even though Fortinet had already released patches, threat actors are still actively scanning for systems that have not yet applied the updates, with a focus on governments and tech firms.

Kaspersky later released a more detailed report claiming that a new ransomware strain dubbed Cring exploited the vulnerabilities to exfiltrate data and deploy ransomware. It said that a number of unnamed industrial firms in Europe had fallen victim.

Two of the vulnerabilities are rated critical, with CVSS scores of 9.8, while the third has a score of 7.5. These vulnerabilities allowed attackers to download internal files using crafted HTTP requests and to bypass 2FA by changing the letter case of the username.
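The 2FA bypass described above is an instance of a general defect class: one part of the login flow treats usernames case-insensitively while another compares the raw string, so a name typed in a different case passes the first check and falls through the second. The following added example (illustrative code written for this digest, not Fortinet’s or anyone else’s implementation; the user store, policy flags and log events are constructed) shows a flawed flow beside a hardened one that canonicalises the username once and fails closed, plus a small log-review helper a defender could adapt to spot successful logins submitted with non-canonical usernames.

```python
import hmac
import unicodedata

# Constructed demo data (hypothetical; not real accounts or a real product's code).
# Keys are stored in canonical form: NFKC-normalised, stripped and case-folded.
USERS = {
    "alice": {"password": "correct horse battery", "totp_required": True},
    "bob":   {"password": "hunter2", "totp_required": False},
}


def canonical(username: str) -> str:
    """Single canonical form used for EVERY decision about a username."""
    return unicodedata.normalize("NFKC", username).strip().casefold()


def password_ok(record: dict, password: str) -> bool:
    # Demo only: a real system compares against a salted password hash.
    return hmac.compare_digest(record["password"].encode(), password.encode())


def authenticate_flawed(username: str, password: str, totp_ok: bool) -> str:
    """Flawed flow: the credential check tolerates any letter case, but the
    2FA-policy lookup uses the raw string the client sent. A name differing
    only in case passes the password check, then finds no policy entry, and
    the missing entry is silently treated as 'no 2FA required'."""
    record = None
    for name, rec in USERS.items():
        if name.lower() == username.lower():   # case-insensitive match
            record = rec
    if record is None or not password_ok(record, password):
        return "denied"
    policy = USERS.get(username)               # exact-string lookup: the bug
    if policy is None or not policy["totp_required"]:
        return "granted"                       # absent entry == 'not required'
    return "granted" if totp_ok else "denied"


def authenticate_hardened(username: str, password: str, totp_ok: bool) -> str:
    """Hardened flow: canonicalise once, use that name for every lookup, and
    default to requiring 2FA when the policy cannot be determined."""
    name = canonical(username)
    record = USERS.get(name)
    if record is None or not password_ok(record, password):
        return "denied"
    if record.get("totp_required", True) and not totp_ok:  # fail closed
        return "denied"
    return "granted"


def flag_case_variant_logins(events: list) -> list:
    """Detection aid: successful logins whose submitted username is not already
    in canonical form deserve review when a case-handling bypass is suspected."""
    return [
        e["username"]
        for e in events
        if e["result"] == "granted" and e["username"] != canonical(e["username"])
    ]


# Constructed sample authentication events for the detection helper.
SAMPLE_EVENTS = [
    {"username": "alice", "result": "granted"},
    {"username": "ALICE", "result": "granted"},
    {"username": "bob", "result": "denied"},
]

if __name__ == "__main__":
    print("flawed, ALICE, no TOTP:  ", authenticate_flawed("ALICE", "correct horse battery", False))
    print("hardened, ALICE, no TOTP:", authenticate_hardened("ALICE", "correct horse battery", False))
    print("suspicious logins:       ", flag_case_variant_logins(SAMPLE_EVENTS))
```

The point of the hardened version is that there is exactly one place where the username is normalised, and every later decision (credential lookup, 2FA policy, audit logging) uses that canonical value; an unknown policy defaults to requiring the second factor rather than skipping it.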

Cring ransomware was first spotted in early 2021 and quickly gained a significant presence. To stay safe, Fortinet users are urged to apply the latest patches immediately.

Sources: ZDNet, Kaspersky, Threatpost, SC Media


4. Details of over 600,000 credit cards leaked online after being stolen from a dark web forum

On March 17, cybersecurity firm Group-IB discovered a post on a dark web forum that linked to a database containing data stolen from another dark web forum called Swarmshop. Established in April 2019, Swarmshop has grown into one of the most popular dark shops for trading stolen credit cards.

The leaked database contained the details of 623,036 payment cards from all over the world. Among these, 62.71% were issued by US banks, followed by 14.02% from Chinese banks, 3.04% from Britain, 3.09% from Canada, 3.07% from France, as well as significant amounts from Singapore, Brazil, Saudi Arabia, and Mexico. The database also included 69,592 Social Security Numbers (SSN) and Social Insurance Numbers (SIN) from the US and Canada.

In addition, the login credentials and contact information of 12,344 Swarmshop users, including admins, sellers, and buyers, were also leaked. The hack likely originated from two Swarmshop users who injected malicious scripts into the website’s contact form, although this link has not been proven. Security experts believe it to be a revenge attack, because dark web forums rarely recover from data breaches.

Since the beginning of 2021, numerous dark web forums have been hacked. This increased frequency may be the result of growing competition on the dark web, with hackers trying to run each other out of business. At the same time, governments are also putting more effort into cracking down on these forums.

Sources: BankInfoSecurity, SC Media, Bleeping Computer


Check out Penta Security’s product lines:

Web Application Firewall: WAPPLES

Database Encryption: D’Amo

Identity and Access Management: ISign+

Car, Energy, Factory, City Solutions: Penta IoT Security