Planet Ice hacked! 240,000 skating fans’ details stolen

Planet Ice, which operates 14 ice rinks up and down the UK, has revealed that criminal hackers managed to break into its systems and steal the personal details of over 240,000 customers.

The first hint most skating and ice hockey fans saw that there could be a problem occurred at the start of last week, when their attempts to book tickets online were met with a terse message explaining that Planet Ice’s servers were “experiencing unplanned server downtime.”

In the following days, some customers reported receiving an email from Planet Ice that revealed it had discovered its “Ice Account” system had been breached, giving unauthorised parties “external access to the non-financial areas of the system.”

According to Troy Hunt’s HaveIBeenPwned project, the data from 240,488 customer accounts is now in the hands of hackers, including:

  • Dates of birth, names, and genders of children having parties
  • Email addresses
  • IP addresses
  • Passwords
  • Phone numbers
  • Physical addresses
  • Purchases

Although it’s obviously a good thing that payment information was not accessed by the hackers (that, thankfully, is handled by a third-party processor), it’s easy to imagine how the above information could be exploited by scammers.

For instance, the passwords were stored as MD5 hashes (a method which is considered old and outdated), and so it’s not just a case of ensuring that you change your Planet Ice password but also change your login credentials anywhere else where you might have been using the same password.
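To show why a leaked MD5 password store makes reuse elsewhere the real risk, here is an added example (not code from the article or from Planet Ice). It assumes the MD5 store was unsalted, which the article does not state, and contrasts it with a salted slow KDF plus a rehash-on-login migration; the users are constructed.

```python
"""Added example, not from the article or Planet Ice: why a legacy MD5
password store turns one breach into a password-reuse problem, beside a
salted slow KDF and a rehash-on-login migration. Assumes the MD5 store is
unsalted (the article only says 'MD5 hashes'); users below are constructed."""
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# Constructed sample: two users who chose the same password.
SAMPLE_USERS: Dict[str, str] = {
    "alice@example.invalid": "Skating2023!",
    "bob@example.invalid": "Skating2023!",
}


def legacy_md5(password: str) -> str:
    """Unsalted MD5: fast, and identical passwords give identical digests."""
    return hashlib.md5(password.encode()).hexdigest()


def kdf_hash(password: str, rounds: int = 600_000) -> str:
    """Salted PBKDF2-HMAC-SHA256 record in the form pbkdf2$rounds$salt$dk."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return f"pbkdf2${rounds}${salt.hex()}${dk.hex()}"


def kdf_verify(password: str, record: str) -> bool:
    _, rounds, salt_hex, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(dk.hex(), dk_hex)


def shared_digest_count(records: List[str]) -> int:
    """How many stored records are identical to some other record."""
    return sum(1 for r in records if records.count(r) > 1)


def md5_exposure(users: Dict[str, str]) -> int:
    # No salt: matching passwords are visible as matching digests, and the
    # same digest can be looked up against other leaked sites.
    return shared_digest_count([legacy_md5(p) for p in users.values()])


def kdf_exposure(users: Dict[str, str]) -> int:
    # Per-user salt: the same password yields unrelated records.
    return shared_digest_count([kdf_hash(p) for p in users.values()])


def upgrade_on_login(password: str, stored_md5: str) -> Optional[str]:
    """Migration: if the legacy digest matches at login, rehash with the KDF
    and return the new record so the MD5 value can be discarded."""
    if not hmac.compare_digest(legacy_md5(password), stored_md5):
        return None
    return kdf_hash(password)
```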

Furthermore, fraudsters might attempt to contact Planet Ice customers – using the personal details garnered from the compromised accounts to appear more convincing – in an attempt to phish further information from unsuspecting victims, or point them to bogus websites, or trick them into opening malicious attachments.

Planet Ice says that it has notified the Information Commissioner’s Office (ICO) about the breach, and has called in external cybersecurity experts to assist it with its investigation and response.

The company has warned customers that they should treat further emails they might receive about the security breach as “suspicious” and are encouraging anyone wishing to verify any communications to contact their Data Protection Officer, who is named “Ross”, at [email protected].

Lucky Ross.

Some Planet Ice customers have turned to social media, angry that the first they heard about the security breach was from media reports or HaveIBeenPwned rather than from the company itself.

Which seems a little unfair on poor old Ross, who must be hacking a hell of a time sending out those 240,488 notification emails one-by-one.

QNAP Rolls Out Urgent Patch to Fix SQL Injection Flaw in NAS Devices

QNAP has issued an urgent patch to users of its network attached storage solutions, rating a newly reported flaw as “critical.”

The Taiwan-based tech giant deals with storage, networking and smart video innovations. It is a leader in network attached storage (NAS) and professional network video recorder (NVR) solutions.

The popularity of its NAS products hasn’t been overlooked by hackers. QNAP NAS users have been hot targets for ransomware operators in recent years, prompting the vendor to issue several urgent patches and advisories, as well as extend support for end-of-life products.

This week, the company has rolled out yet another urgent fix for what is said to be an SQL injection flaw affecting NAS units running the QTS and QuTS hero operating systems.

The bug, tracked as CVE-2022-27596 and rated “critical,” affects QNAP devices running QTS 5.0.1 and QuTS hero h5.0.1, according to the advisory.

“If exploited, this vulnerability allows remote attackers to inject malicious code,” QNAP says.

According to NIST, the flaw paves the way for exploiting QNAP hardware via SQL injection – a common attack vector hackers use to access information otherwise not intended for display.

QNAP says it has fixed this vulnerability in QTS 5.0.1.2234 build 20221201 and later, and QuTS hero h5.0.1.2248 build 20221215 and later.

If you own a QNAP NAS unit, apply this patch as soon as possible. To do so, log into your device as admin and go to Control Panel -> System -> Firmware Update. Under Live Update, click Check for Update. At this point, your device should download and install the latest version available.

Alternately, you can download the update manually from QNAP by visiting Support -> Download Center.

Meta Pays Out Bounties for Account Takeover and Two-Factor Authentication Bypass Exploits

A security researcher discovered a two-factor authentication bypass vulnerability that affected Instagram and Facebook, netting him a $27,000 bug bounty. Other security researchers found similar problems and received even higher bounties.

Many companies offer cash to researchers who unearth critical vulnerabilities before criminals can find and exploit them. It’s a valuable way for companies to improve products and online services, which is precisely what happened with the vulnerabilities discovered in the 2FA process for Facebook and Instagram.

“We also fixed a bug reported by GtmMänôz of Nepal, which could have allowed an attacker to bypass SMS-based 2FA by exploiting a rate-limiting issue to brute force the verification pin required to confirm someone’s phone number. We awarded a $27,200 bounty for this report,” explained Meta in a report.
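The bug described in that quote is a missing limit on verification attempts. The following is an added example, not Meta’s code, of what a phone-verification check needs so that a 6-digit SMS PIN cannot simply be guessed: a per-code attempt budget, code expiry, single use, and a cooldown on reissuing codes. Class and constant names are assumptions, and state is kept in memory for illustration.

```python
"""Added example, not Meta's code: a phone-verification check with the
per-code attempt limit, expiry and reissue cooldown that stop a 6-digit SMS
PIN from being brute-forced when rate limiting is missing. Class and constant
names are assumptions; state is kept in memory for illustration."""
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

CODE_DIGITS = 6
MAX_ATTEMPTS = 5             # guesses allowed per issued code
CODE_TTL_SECONDS = 600       # code validity window
ISSUE_COOLDOWN_SECONDS = 60  # minimum gap between codes for one number


@dataclass
class PendingCode:
    code: str
    issued_at: float
    attempts: int = 0


class PhoneVerifier:
    """One pending code per phone number, with attempt and time limits."""

    def __init__(self, clock: Callable[[], float] = time.time):
        self._clock = clock
        self._pending: Dict[str, PendingCode] = {}
        self._last_issue: Dict[str, float] = {}

    def issue(self, phone: str) -> Optional[str]:
        """Issue a fresh code, or None while the cooldown for this number runs.
        Without the cooldown a guesser could reset the attempt budget at will."""
        now = self._clock()
        last = self._last_issue.get(phone)
        if last is not None and now - last < ISSUE_COOLDOWN_SECONDS:
            return None
        self._last_issue[phone] = now
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[phone] = PendingCode(code=code, issued_at=now)
        return code  # a real service sends this to the SMS gateway, not the caller

    def verify(self, phone: str, guess: str) -> str:
        """Return 'ok', 'wrong', 'locked', 'expired' or 'none'."""
        entry = self._pending.get(phone)
        if entry is None:
            return "none"
        if self._clock() - entry.issued_at > CODE_TTL_SECONDS:
            del self._pending[phone]
            return "expired"
        if entry.attempts >= MAX_ATTEMPTS:
            return "locked"           # burnt code: even the right PIN is refused
        entry.attempts += 1           # count before comparing, so every guess costs
        well_formed = guess.isascii() and len(guess) == CODE_DIGITS
        if well_formed and hmac.compare_digest(entry.code, guess):
            del self._pending[phone]  # single use
            return "ok"
        return "locked" if entry.attempts >= MAX_ATTEMPTS else "wrong"
```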

The same report covers more significant discoveries from various other security researchers, mostly dealing with the authentication process or other bugs found within the two-factor authentication chain.

“We received a report from YaalaAbdellah, who identified a bug in Facebook’s phone number-based account recovery flow that could have allowed an attacker to reset passwords and take over an account if it wasn’t protected by 2FA,” Meta said.

“We’ve fixed this bug and found no evidence of abuse. We rewarded the researcher our highest bounty at $163,000, which reflects its maximum potential impact and program bonuses,” the company added.

All of these issues were fixed in the meantime, but it’s worth noting that Mänôz’s two-factor exploit doesn’t come with the same assurances that it was never used in the wild.

Social networks remain a primary target for criminals, as is evident from the number of attacks and the fact that data leaked from previous breaches always finds its way onto the dark web.

Parents’ Credit Card Info Stolen in Australian High School Hack

About 400 parents of students attending Mount Lilydale Mercy College, a Catholic high school near Melbourne, Australia, were recently informed of a cyberattack that exposed their credit card details.

According to a local news outlet, the Australian Federal Police (AFP) notified school officials of unauthorized access to their network on Jan. 11.

The investigation revealed that the parents, including those of former students, had their credit information (excluding CVV numbers) stolen in the hack.

The data breach letter sent to impacted individuals offers no additional information on how the attackers gained access to Lilydale’s databases.

“Our cyber consultants, together with members of our College Leadership team, have been working together to learn how the breach occurred, ascertain precisely who is impacted, and specifically what information in relation to each person, has been accessed,” Principal Philip Morison explained in the letter.

“Unfortunately, it was recently confirmed that the credit card information, but importantly excluding CCV numbers, of around 400 parents appears to have been illegally accessed,” Morison added. “Those impacted individuals have already been notified in order for them to take personal mitigative action with their financial institutions, such as cancelling cards.”

The school also said that it is in the process of reporting the incident to the Australian Information Commissioner and other legal and law enforcement offices.

Parents, on the other hand, should cancel compromised credit cards and closely monitor their financial accounts for suspicious activity, it said. To prevent identity theft and other financial crimes, data breach victims can take further proactive measures:

  • Ensure that online accounts are protected with strong passwords by using a password manager
  • Enable two-factor authentication on sensitive and financial accounts
  • Monitor their online identity by opting for a dedicated digital identity protection service that scours the web for privacy threats, data breaches and leaks
  • Install a security solution to protect against malicious attacks, phishing and ransomware attacks

Code-Signing Certificates Stolen in GitHub Breach

GitHub, the popular software development and version control hosting platform, recently disclosed a security incident involving stolen code-signing certificates.

Unknown threat actors acquired three encrypted certificates: two DigiCert certificates used to sign Windows apps and one Apple Developer ID certificate.

Although the certificates don’t jeopardize any installed versions of GitHub Desktop for Mac and Atom, GitHub warns that decrypting them could let criminals sign unofficial applications and pass them off as legitimate ones.

“On December 6, 2022, repositories from our atom, desktop, and other deprecated GitHub-owned organizations were cloned by a compromised Personal Access Token (PAT) associated with a machine account,” reads GitHub’s announcement. “Once detected on December 7, 2022, our team immediately revoked the compromised credentials and began investigating potential impact to customers and internal systems. None of the affected repositories contained customer data.”

The breach impacted several versions of the popular GitHub Desktop for Mac and Atom apps. Fortunately, GitHub Desktop for Windows users weren’t affected.

In response, GitHub revoked certificates for the following versions of GitHub for Mac:

  • 3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.0.6, 3.0.7, 3.0.8, 3.1.0, 3.1.1, and 3.1.2

The company also invalidated versions 1.63.0 and 1.63.1 of Atom. The above versions of GitHub for Mac and Atom are expected to stop working as of February 2. Users will need to downgrade to a previous version of Atom to keep using it.

“On Thursday, February 2, 2023, we will revoke the Mac & Windows signing certificates used to sign Desktop app versions 3.0.2-3.1.2 and Atom versions 1.63.0-1.63.1,” GitHub says. “Once revoked, all versions signed with these certificates will no longer function.”

The company recommends users update and/or downgrade affected clients before February 2 to avoid workflow disruptions.

Latvia says Russian hackers tried to phish its Ministry of Defence

Russian hackers are being blamed for an attempted phishing attack against the Latvian Ministry of Defence.

Gamaredon, a Russian state-sponsored cyberespionage group, used a domain name (admou[.]org) already linked to the gang through earlier attacks designed to steal information from, and gain access to, networks run by Ukraine and its allies.

Researchers at French security outfit Sekoia explained that the hackers sent spear phishing emails to the Latvian MoD while posing as officials of the Ukrainian Ministry of Defence.

It appears that at least one of the recipients was suspicious of the message and its attachment, as it was uploaded to the VirusTotal service for scanning.

Smuggled inside the email attachment was malicious code which launched a sequence of processes, designed to help hackers steal information from their intended targets within Latvia’s Ministry of Defence.

As The Record describes, what made the investigation into the attack unusual is that once the Gamaredon hacking group realised its attack was being investigated, it began to communicate with the researchers:

A CERT-LV spokesperson told The Record that hackers sent a meme depicting a Russian bear holding a paw on Ukraine, while the U.S. and EU try to contain it.

FSB-linked Gamaredon (which is also known as Actinium, Armageddon, Iron Tilden, Primitive Bear, Shuckworm, Trident Ursa, and Winterflounder) has been attacking organisations outside of Russia for at least ten years.

Last year, for instance, Gamaredon hackers reportedly attempted to hack into a petroleum-refining company located in a NATO country, and targeted military and government institutions in Ukraine with booby-trapped Word documents.

The Latvian Ministry of Defence says that the attempted phishing attack launched against it by the Gamaredon group was unsuccessful.

Latvia’s Computer Emergency Readiness Team (CERT-LV) says that cyberattacks in the country have risen 30% since the start of the war in Ukraine, with the most serious threats posed by pro-Russian hacktivists and Kremlin-backed hackers targeting critical infrastructure, businesses, and Latvia’s government.

Hackers steal 10 million customer details from JD Sports

If you’ve purchased trainers from sports fashion retailer JD Sports in the past, your personal details could now be in the hands of hackers.

Customers of the UK high street retailer (as well as sister firms Millets, Blacks, Size?, Scotts, and Millets Sports) are being contacted with a warning that cybercriminals have accessed details of orders made between November 2018 and October 2020.

10 million people are thought to have been impacted by the security breach, which has put at risk customers’ names, addresses, email addresses, phone numbers, order details, and the final four digits of their payment cards.

An email sent by the firm to affected shoppers describes the exposed data as “limited” and underlines that full payment card details and passwords have not fallen into the hands of hackers.

However, it is clear that the information which has been stolen by hackers is enough for JD Sports customers to be targeted with bogus communications that could attempt to steal more information from shoppers.

Accordingly, the email goes on to warn of the risk that fraudsters might exploit the exposed data to send phishing emails, or send scam calls or text messages pretending to be JD Sports or the other affected brands:

While you do not need to take any specific action, please remain vigilant to fraud attempts and be alert for any suspicious emails, calls or texts which say they are from JD Sports or any of our Group brands. Avoid clicking on links in any unexpected emails or texts.

Bizarrely, some affected customers say that the warning email they have received from JD Sports is written in Portuguese or Spanish – which would be an admirable step by JD Sports if those customers actually spoke Portuguese or Spanish, but apparently, they do not.

Neil Greenhalgh, chief financial officer of JD Sports, extended an apology to customers saying that “protecting the data of our customers is an absolute priority for JD.”

The retailer says that it has contacted the Information Commissioner’s Office (ICO) about the security breach, and is working with external experts to conduct a review of its IT security.

Russian Cybercrime Group Attacks Germany for Helping Ukraine

Pro-Russia cybercrime group Killnet has launched a series of distributed denial-of-service (DDoS) attacks against targets in Germany in retaliation for German plans to send tanks to Ukraine.

The attackers focused on the websites of German banks, airports and administrative bodies. Most of the attacks failed, however, according to Germany’s Federal Cyber Security Authority (BSI).

“Currently, some websites are not accessible,” the BSI stated. “There are currently no indications of direct effects on the respective services and, according to the BSI’s assessment, these are not to be expected.”

The assault comes in response to Chancellor Olaf Scholz’s Wednesday announcement that Germany will send 14 German-made Leopard 2 tanks to Ukraine and allow other countries to send theirs, as well.

Until recently, export regulations prevented other countries from sending the tanks to Ukraine, but ministers changed that in Wednesday’s cabinet meeting.

Russian-language Telegram channels administered by Killnet broadcasted several messages announcing the attacks and urging hackers to join in the effort to disrupt German websites.

Although the consensus is that Killnet coordinated the attacks, the BSI says it’s hard to attribute the malicious campaign to a specific actor.

Numerous hacktivists operate under the self-proclaimed Killnet umbrella, as the group often relays call-to-arms messages on its channels.

Attacks coordinated by the group increased after the Russian invasion of Ukraine. Killnet has previously targeted other opponents of the invasion.

In October last year, the self-proclaimed hacktivist group hit US airline websites with DDoS attacks, affecting website visitors but not altering actual flights in any way. The same group attempted another DDoS attack against the US Treasury a month later; that attempt failed, having no impact on the institution.

Data breaches affected over 422 million people in 2022, Identity Theft Resource Center says

The number of data theft victims has reached an all-time high according to the annual data breach report from the Identity Theft Resource Center (ITRC).

The number of data breach victims increased by almost 41.5% to more than 422.1 million in 2022, the center said. By number of breaches, though, the year was 60 short of the previous record of 1,862, set in 2021.

“While we did not set a record for the number of data compromises in the U.S. last year, we came close,” said Eva Velasquez, president and CEO of the ITRC. “These compromises impacted at least 422 million people. These numbers are only estimates because data breach notices are increasingly issued with less information.”

Across the 1,802 publicly reported data compromises in the US in 2022, the report says cyberattacks remained the primary data security threat to businesses and consumers. These include phishing, smishing, BEC (business email compromise), ransomware, malware and credential stuffing attacks.

“Cyberattacks continued to be criminals’ weapons of choice, with 1,595 breaches in 2022,” the ITRC said. “Supply chain attacks outstripped malware attacks in 2022, with 115 instances affecting 1,743 organizations and at least 10 million people.”

While the top compromises include Twitter, Neopets, AT&T and Flexbooker, 19% of the breaches tracked by the ITRC throughout 2022 impacted healthcare organizations.

The report also highlights a worrying trend in what data breach victims are told. Only 34% of all data breach notices revealed attack vectors and victim details in 2022, which results in less reliable data and makes it harder for victims to determine their identity theft risks and take the necessary steps to protect their information and financial wellbeing.

“The number of breach notices with detailed attack and victim information has dropped by more than 50 percent (50%) since 2019,” the report reads. “The result of these trends is less reliable data that impairs the ability of individuals, businesses, and government officials to make informed decisions about the risk of a data compromise and the actions to take in the aftermath of one.”

With Bitdefender Identity Theft Protection (US only) you can stay in the know and limit financial losses associated with identity crimes.

The one-stop credit monitoring and identity theft protection service helps you tackle threats to your identity and financial wellbeing with:

  • 24/7 identity monitoring to detect if your personal information is on the dark web and to check for change of address requests, attempts to take over accounts and court records that may show crimes falsely reported in your name
  • An easy way to view your credit score or order a credit freeze in case of compromise
  • Identity restoration services with a 100% success rate, plus access to your own dedicated resolution specialist
  • Up to $2 million identity theft recovery plan, plus many more benefits, depending on your chosen plan