Re: Samsung Accidentally Exposes Source Code For Apps In Massive Data Breach


Bok Mull
Jul 13, 2024, 8:37:43 AM
to tuxtpepcacom

On October 7, 2022, Toyota, the Japan-based automotive manufacturer, revealed that it had accidentally exposed a credential granting access to customer data in a public GitHub repo for nearly five years. The code was public from December 2017 through September 2022. Toyota says it has invalidated the key, but an exposure of that length could mean multiple malicious actors had already acquired access.

In December 2017, a portion of the T-Connect source code, developed together with a subcontractor that has not (so far) been named, was uploaded to a public GitHub repository. Inside the repo was a hardcoded access key for the data server that manages customer information. Anyone who found that credential could reach the server and the records of 296,019 customers.


It was not until September 15, 2022, that the exposure was noticed: the repo was public and customer data was potentially reachable. Toyota has since made the repo private and has invalidated and replaced the affected connection credentials.

While customer identification numbers and email addresses were potentially exposed, customer names, credit card data, and phone numbers were not stored in the exposed database and are therefore not at risk. Toyota has begun outreach to affected customers and has set up a form on its site that lets customers check whether their data was part of the exposure.

As of now, there is no sign that this breach would allow bad actors to do more than just harvest emails and the associated customer management numbers. Toyota has not been able to confirm any abuse or attacks have occurred using harvested data.

The realistic follow-on risk from a leak of email addresses and customer numbers is targeted phishing, so the usual advice applies: only follow links in emails from trusted sources. When in doubt about an email, inspect the headers to confirm that the sending domain is legitimate, and hover over each link to check that the URL does not redirect you to a potentially dangerous site.

Want to learn more about the problem of hardcoded credentials? Read our State of Secrets Sprawl 2023 report or request a complimentary audit of your secrets exposure (Right into your inbox. No sales call needed).

Over the past 24 hours, Scotiabank, the Canadian financial giant, has torn down GitHub repositories, inadvertently left open to the public, that contained sensitive information, after The Register raised the alarm. The repositories held, among other things, software blueprints and access keys for a foreign exchange rate system, mobile application code, and login credentials for services and database instances: a potential gold mine of vulnerabilities for criminals and hackers to exploit.

We were tipped off to the security blunder by Jason Coulls, an IT pro based in the Great White North, who discovered the data sitting out in the open, some of it exposed for months, we're told. As well as Scotiabank, GitHub and the payment and card processors integrated with the bank were alerted prior to publication.

By the time you read this, the GitHub repositories, which presumably were accidentally misconfigured by Scotiabank's techies, should be hidden or removed. Below is a screenshot we were able to take of some of the leaked source code.

Among the hundreds of files of documentation and code, which appear to have been created by developers working on versions of Scotiabank's mobile apps for Central and South America, were credentials and keys for some of the bank's backend systems and services dotted around the world. Among the more sensitive blueprints were code and login details for what appeared to be a SQL database of foreign exchange rates.

"They have a foreign exchange (FX) rate SQL Server database that has had its credentials and public-private keys in the open for months," Coulls told El Reg. "Knowing that there is a known potential for someone to tweak FX rate data, the integrity of the bank is diminished accordingly."

The substantial code collection also included source for integrating the bank's systems with payment services, including Samsung Pay and Google Pay as well as the US card networks Visa and Mastercard, and others.

Having such a vast library of digital blueprints on the public internet may have left Scotiabank and its 25 million-plus customers wide open to attack, should the code be analyzed and found to be exploitable. Bear in mind that back in 2017 Coulls found that the Canadian giant's digital banking unit, supposedly its high-tech offshoot, was not only using security certificates that had expired five months earlier, but that much of its code had apparently not been thoroughly audited or debugged.

"Scotiabank had [IBM] AS/400 and DB2 instances where the credentials and connection information are public. They regularly leak source code for everything, from customer-facing mobile apps to server-side REST APIs. They also leak customer data. If they ever claimed that security is a top priority, I would dread to see how they handle low priority things."

Militarysleep.org is a patient portal where users can create accounts, discuss treatment options, and ask questions about their sleep disorders. Researchers from the MacKeeper Security Research Center discovered a publicly accessible MongoDB database containing the private medical data of thousands of military veterans who suffer from sleep disorders.


The 2+ GB database contained more than 1,300 messages (sensitive communications between patients and doctors) and the personal data of more than 1,200 users, including names, emails, personal cell numbers, unencrypted passwords, and military history and service rank. The most damaging material is the stored notes and chat logs in which patients ask about sensitive medical issues they are experiencing, believing the communication to be confidential. Many of the email addresses are @us.army.mil, so we can assume the portal treats both active and former service members.

Medical privacy is extremely important for civilians and military veterans alike; if details of a diagnosis or treatment leak, they could affect current employment, future employment, security clearances, or other areas of a person's life. Worse still is the fear that employers could discriminate against an applicant or employee based on leaked medical records or a perceived likelihood of illness. This is why protecting medical records matters and why every cybersecurity step must be taken.


Luckily, this database had not fallen victim to Harak1r1, the 0.2 Bitcoin ransomware actor who targets unprotected MongoDB instances all around the world. Shortly after we sent email notifications, the database was taken offline, though without any word or comment from the developers.


The Militarysleep.org database was discovered just one day after thousands of similarly misconfigured MongoDB databases were infected, their data wiped and held for a 0.2 Bitcoin ransom. This unfortunate data leak may have just saved the site's data from being deleted by the Harak1r1 Bitcoin ransomware. Earlier this week the MacKeeper Research Center discovered a database connected to Emory Healthcare were an estimated.

The first of the two unsecured Amazon S3 buckets contained a large collection of emails in txt files. The data were from 2014-15 and included fans' names, emails, physical addresses, and the results of a demographic survey of fans asking for education, age and race, and children's age and gender. The total count of records was 3,065,805; researchers checked a sample for duplicates and found the records to be unique.


Despite all the scripting and arguably staged matches, WWE has a massive fanbase and following: it is watched by 15 million fans each week in the United States alone, and in 2016 it announced an expansion into China, a potential new fanbase of 1.4 billion.

The second bucket was also partially set for public access (around 12-15 percent of the data) and contained another large portion of marketing and customer data, including billing details (addresses, user names, etc.) of several hundred thousand European customers from 2016.

The documents also included spreadsheets tracking WWE's social media accounts, for example weekly totals of YouTube plays, likes, shares and comments, and a more in-depth look at how the company manages its social media and gauges fan interaction. The data was broken down by country, presumably so that ads or localized content can be targeted more precisely.

Both buckets were secured within a couple of hours after we sent notifications to the WWE Corp developer email addresses found in the first bucket. However, no answer or feedback was received as to how long the data had been exposed, how many customers had their information exposed, or how many IP addresses may have accessed the buckets by now.

Despite being a global entertainment organization, very little is known about the behind-the-scenes inner workings of the company. By some estimates WWE is valued at as much as $4 billion. Many of the folders were protected and did not allow external access. No information on wrestlers or staff was accessible, but the leak of fan emails, names, and other data is a cybersecurity wake-up call.


The big question: if the database discovered by the MacKeeper Security Research Center did in fact belong to Emory Healthcare, have they taken the proper steps to inform their customers and the authorities about this data theft and breach?


In cooperation with Dissent from databreaches.net, we have reached out to multiple contacts in an attempt to identify the connection to Emory Healthcare or get a comment regarding how they plan to recover their data or notify patients.

The files contained before-and-after pictures of breast augmentation, implants, and reduction. SpaSurgica also offers labial reduction, liposuction, and a wide range of other plastic surgery options that many customers would want kept private. The pictures, descriptions, and medical history of each patient give an intimate look at what type of data was leaked. These are not just home addresses and medical records; they are intimate pictures of patients' bodies. There were also unencrypted text files containing usernames and passwords for accounts, printers, and other password-protected logins.
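The Toyota T-Connect key and the Scotiabank FX-database credentials above are the same failure: a live secret committed to a repository that later became (or always was) public. The scanner below is an added example, not code from GitGuardian, Toyota, Scotiabank, The Register or any other source in this post. The file names, paths, passwords and key body are constructed for the example; the AKIA value is the placeholder access key ID used in AWS documentation, not a live key. It reports three classes of leak (cloud access key IDs, PEM private keys, and generic `password=`/`secret=` assignments including those embedded in a JDBC connection string) and filters generic hits with a placeholder deny-list plus a Shannon-entropy floor, so that `changeme` style defaults do not drown the real findings.

```python
"""Minimal hardcoded-secret scanner (added example, not the code of any source quoted above).

Walks file contents line by line and reports cloud access key IDs, PEM private keys,
and generic credential assignments (password=..., jdbc ...;password=...).  Generic hits
are filtered with a placeholder deny-list and a Shannon-entropy floor.
"""
import math
import re
from collections import Counter
from typing import Dict, List, NamedTuple


class Finding(NamedTuple):
    path: str
    line: int
    rule: str
    preview: str  # redacted; the scanner never echoes the full secret


RULES = {
    # AWS long-term (AKIA) and temporary (ASIA) access key IDs
    "aws-access-key-id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    # PEM-armoured private keys of any kind (RSA, EC, OPENSSH, unqualified)
    "private-key": re.compile(r"-----BEGIN (?:[A-Z ]+ )?PRIVATE KEY-----"),
    # key[:=]value anywhere in the line; the value stops at whitespace, quotes, ';' or ','
    # so the rule also catches password= inside a JDBC/ODBC connection string
    "generic-credential": re.compile(
        r"(?i)(?:password|passwd|pwd|secret|token|api[_-]?key)[\w.\-]*\s*[:=]\s*['\"]?([^\s'\";,]{8,})"
    ),
}

# Values that are obviously templates rather than live credentials
PLACEHOLDER = re.compile(r"(?i)^(?:changeme|password|example|your[_-]|<.*>|\$\{.*\}|%.*%|x{3,})")
MIN_ENTROPY = 3.0  # bits per character; generated secrets score well above, dictionary words below


def shannon_entropy(value: str) -> float:
    """Bits of entropy per character, the usual cheap proxy for 'looks generated'."""
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in Counter(value).values())


def redact(value: str) -> str:
    return f"{value[:4]}... ({len(value)} chars)"


def scan_text(path: str, text: str) -> List[Finding]:
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in RULES.items():
            for match in pattern.finditer(line):
                value = match.group(1) if pattern.groups else match.group(0)
                if rule == "generic-credential" and (
                    PLACEHOLDER.match(value) or shannon_entropy(value) < MIN_ENTROPY
                ):
                    continue  # template value or too word-like to be a generated secret
                findings.append(Finding(path, lineno, rule, redact(value)))
    return findings


def scan_files(files: Dict[str, str]) -> List[Finding]:
    """files maps a repo-relative path to its content (read from disk or a git tree in practice)."""
    return [f for path, text in files.items() for f in scan_text(path, text)]


# Constructed sample repo: paths, names and values are made up for this example.
SAMPLE_FILES = {
    "src/main/resources/application.properties": (
        "app.name=fx-rates\n"
        "spring.datasource.url=jdbc:sqlserver://fx-db.example.internal:1433;databaseName=FXRates\n"
        "spring.datasource.username=fxsvc\n"
        "spring.datasource.password=Qz7!mN4pL9vX2wRt\n"
        "aws.accessKeyId=AKIAIOSFODNN7EXAMPLE\n"  # AWS documentation's placeholder key ID
        "placeholder.password=changeme\n"
    ),
    "src/main/java/FxRates.java": (
        'static final String URL = "jdbc:sqlserver://fx-db.example.internal;'
        'user=fxsvc;password=s3cr3tFxR4t3s!2019";\n'
    ),
    "deploy/id_rsa": (
        "-----BEGIN RSA PRIVATE KEY-----\n"
        "MIIEconstructedKeyBodyNotARealKey\n"
        "-----END RSA PRIVATE KEY-----\n"
    ),
    "README.md": "Set DB_PASSWORD in the environment before running.\n",
}


if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.path}:{f.line}: {f.rule}: {f.preview}")
```

Run against the sample it reports four findings (the properties password and AKIA key, the password inside the Java connection string, and the private key) and stays quiet on the README and the `changeme` placeholder. In practice the same `scan_text` is run as a pre-commit hook and, separately, over every historical revision of the repository: a secret removed in a later commit is still recoverable from history, which is why both incidents above ended with the credentials being rotated rather than merely deleted.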

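The WWE buckets above were exposed two different ways: one bucket world-readable outright, the other with only a slice (12-15 percent) of its objects public, which points at per-object ACLs rather than a bucket-wide setting. The following is an added example, not code from MacKeeper, WWE or Amazon. It evaluates ACLs and bucket policies offline in the dict/JSON shapes that boto3's `get_bucket_acl`, `get_object_acl` and `get_bucket_policy` return, so the same functions can be pointed at live API output in an audit. Bucket names, the VPC endpoint ID and all grants are constructed for the example. Two routes to "public" are covered: ACL grants to the AllUsers or AuthenticatedUsers groups (the latter is any AWS account in the world and is treated as public here), and policy statements that Allow a wildcard principal without a Condition. Wildcard statements that do carry a Condition are listed for review rather than declared public, because their reach depends on the condition keys.

```python
"""Offline public-exposure check for S3 bucket/object ACLs and bucket policies.

Added example, not code from any of the organisations named above.  Inputs use the
boto3 response shapes so the functions work on a constructed fixture or on live data.
"""
import json
from typing import Any, Dict, List, Optional

PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers (anyone on the internet)",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers (any AWS account)",
}


def public_acl_grants(acl: Dict[str, Any]) -> List[str]:
    """One reason per ACL grant that hands a permission to a public group."""
    reasons = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        uri = grantee.get("URI")
        if grantee.get("Type") == "Group" and uri in PUBLIC_GROUPS:
            reasons.append(f"ACL grants {grant['Permission']} to {PUBLIC_GROUPS[uri]}")
    return reasons


def _wildcard_principal(principal: Any) -> bool:
    """True for Principal "*" or {"AWS": "*"} (also inside a list of principals)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def policy_exposure(policy_json: Optional[str]) -> Dict[str, List[str]]:
    """Split wildcard Allow statements into unconditional (public) and conditional (review)."""
    result: Dict[str, List[str]] = {"public": [], "review": []}
    if not policy_json:
        return result
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):  # a policy may carry a single statement object
        statements = [statements]
    for stmt in statements:
        if stmt.get("Effect") != "Allow" or not _wildcard_principal(stmt.get("Principal")):
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        text = f"policy statement {stmt.get('Sid', '<no Sid>')} allows {', '.join(actions)} to Principal *"
        if stmt.get("Condition"):
            result["review"].append(text + f" under Condition {json.dumps(stmt['Condition'])}")
        else:
            result["public"].append(text)
    return result


def assess_bucket(acl: Dict[str, Any], policy_json: Optional[str]) -> Dict[str, List[str]]:
    """Combine ACL and policy findings; a non-empty 'public' list means anyone can act on it."""
    exposure = policy_exposure(policy_json)
    exposure["public"] = public_acl_grants(acl) + exposure["public"]
    return exposure


# Constructed fixtures in the boto3 response shape; names and IDs are made up.
OWNER = {"Type": "CanonicalUser", "ID": "0000example-owner-id"}
PRIVATE_ACL = {"Grants": [{"Grantee": OWNER, "Permission": "FULL_CONTROL"}]}
WORLD_READABLE_ACL = {
    "Grants": [
        {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ]
}
OPEN_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::marketing-exports/*"}],
})
VPC_ONLY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "VpcRead", "Effect": "Allow", "Principal": {"AWS": "*"},
                   "Action": ["s3:GetObject", "s3:ListBucket"],
                   "Resource": ["arn:aws:s3:::billing-eu-2016", "arn:aws:s3:::billing-eu-2016/*"],
                   "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}}],
})

FIXTURES = {
    "fan-survey-2015": (WORLD_READABLE_ACL, None),
    "marketing-exports": (PRIVATE_ACL, OPEN_POLICY),
    "billing-eu-2016": (PRIVATE_ACL, VPC_ONLY_POLICY),
    "internal-only": (PRIVATE_ACL, None),
}

if __name__ == "__main__":
    for name, (acl, policy) in FIXTURES.items():
        result = assess_bucket(acl, policy)
        verdict = "PUBLIC" if result["public"] else ("REVIEW" if result["review"] else "ok")
        print(f"{name}: {verdict}")
        for reason in result["public"] + result["review"]:
            print(f"  - {reason}")
```

Against live AWS the inputs come from `s3.get_bucket_acl(Bucket=name)` and `s3.get_bucket_policy(Bucket=name)["Policy"]` (the latter raises `NoSuchBucketPolicy` when none is attached, which maps to `None` here), and the partial-exposure case needs `get_object_acl` run per object, since a private bucket ACL says nothing about object ACLs set by whoever uploaded the files. The durable fix is not the scanner but the S3 Block Public Access setting at the account level (readable with `get_public_access_block`), which overrides both routes at once.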