Security News Round-Up: Fitness Company Leaks 606GB of Consumer Data
Fitness Company Leaks 606GB of Consumer Data
Around 606GB of sensitive consumer data was exposed by fitness company V Shred, leaving massive amounts of data online without any form of protection, says Hack Read. Nearly 100,000 trainers and customers of the brand were affected in the incident. The data was stored in yet another misconfigured Amazon Web Services S3 bucket. Included in the exposure were full names, ages, spouse names, genders, addresses, birth dates, email addresses, citizenship statuses, social security numbers, usernames and passwords, health conditions, phone numbers, and social media accounts, the article notes. However, even “before and after” photos of many customers’ bodies were exposed as well.
Millions of Online Gamblers Exposed by App Leak
Clubillion, a popular gambling app, left an Elasticsearch database unsecured online that exposed millions of users. Researchers who discovered the massive leak alerted the company on March 23rd, says Info Security Magazine, but it took until April 5th for the company to secure the database. The trove of data contained PII, such as winnings, IP addresses, emails, and messages, the article states. More than 200 million new records were added to the wide open database every day, putting users at an extreme risk for a number of cyber scams and attacks. Additionally, it is likely that the major lapse in security will push away a number of users for good as cybersecurity grows in importance amongst consumers.
5B+ Unique Credentials Posted on Darknet Forums
According to Bank Info Security, there are more than 5 billion unique credentials going around on darknet forums, with bank account and corporate network access being amongst the most popular in terms of sales. In total, over 15 billion credentials were discovered, but researchers narrowed down 5 billion that were singular listings and not repeat pairings of the credentials. With these numbers, the article notes, there has been a 300% jump in the amount of credentials stolen and posted on these forums from 2018 to now. It is believed that the credentials come from around 100,000 different data breach incidents, Bank Info Security says.
Magecart Group Makes Millions
Over a three year period, a popular Magecart group successfully hit nearly 600 websites, making millions of dollars in the process. Known as the “Keeper” group, they utilized 64 different attacker domains along with another 73 exfiltration domains for carrying out their attacks, according to Info Security Magazine. The attackers made their fake sites look real and focused primarily on smaller businesses that were gaining traction with visitors but likely still had heavily flawed security measures due to their size. It is estimated that they gathered the information of around 700,000 payment cards, the article notes.
Massive DDoS Attack Aimed at Cloudflare
In a DDoS attack spanning four days, more than 316,000 addresses were used to target one individual Cloudfare address, states Dark Reading. The attack was carried out from June 18th to June 21st, the day it was discovered by the company. The peak of the incident was 754 million packets-per-second, the article notes. SYN floods, ACK floods, and SYN-ACK floods were the primary methods used in the attack. On average, the attack maintained between 400 to 600 packets-per-second. Despite the fact that DDoS attacks have become less common over time, says the article, this incident demonstrates that they still do happen in large forms despite the lower frequency.