2015 Reported Data Breaches Surpasses All Previous Years

Risk Based Security has released the Data Breach QuickView report that shows 2015 broke the previous all-time record, set back in 2012, for the number of reported data breach incidents. The 3,930 incidents reported during 2015 exposed over 736 million records.

Although overshadowed by the more than one billion records exposed in the two previous years, 2015 also ranks #3 in total reported exposed records.

The 2015 Data Breach QuickView report shows that 77.7% of reported incidents were the result of external agents or activity outside the organization with hacking accounting for 64.6% of incidents and 58.7% of exposed records. Incidents involving U.S. entities accounted for 40.5% of the incidents reported and 64.7% of the records exposed.

The report also revealed that individuals’ email addresses, passwords and user names were exposed in 38% of reported incidents, with passwords taking the top spot at 49.9% of all 2015 breaches. This is especially troubling since a high percentage of users pick a single password and use it on all their accounts both personal and work related.

You can get your free copy of 2015 Data Breach QuickView report here: http://www.riskbasedsecurity.com/2015-data-breach-quickview/

A Breakdown and Analysis of the December, 2014 Sony Hack

Another incredibly far-reaching in-depth compromise of Sony Pictures has happened, this time by a group known as the Guardians of Peace (GOP). The new compromise has all of the excitement of the old events and more, as blaming North Korea for the attack in retaliation to a movie being released by Sony Pictures is all the rage. Risk Based Security has been keeping an updated timeline of the breach, analyzing the leaked documents, and providing links to additional information.

If you are looking for a comprehensive resource on the Sony Hack then please visit the following page:

Hacking Exposed 78% Of All Records Compromised In First Half Of 2014

Mid-year 2014 data breaches exposed over 502 million records far exceeding the mid-year point in 2013, the previous all-time record setting year.

We are pleased to announce the release of the next installment of Risk Based Security’s Mid Year Data Breach QuickView report.

The report shows that 2014 is on pace to replace 2013 as the highest year on record for exposed records, and the recently reported exposure of 1.2 billion email addresses and user names has not been included. The 1,331 incidents reported during the first half of 2014 exposed over 502 million records, nearing 61% of the 814 million records exposed in 2013.

The Data Breach QuickView report also revealed that individuals’ user names, passwords and email addresses were exposed in 57% of reported incidents, with passwords taking the top spot at 70.1% of all Mid-year 2014 breaches.

Risk Based Security’s research suggests that organizations in all industries, regardless of size, should take an active approach to review their networks for security vulnerabilities in their applications, infrastructure and third party libraries. By doing so, organizations can reduce the time of exposure they are facing with many of today’s threats.

The Data Breach QuickView report was just released and is possible through the partnership and combined resources of Risk Based Security and the Open Security Foundation. It is designed to provide an executive level summary of the key findings from RBS’ analysis of the first half of 2014’s data breach incidents. You can view the announcement and report here. You can view the announcement and report here.

First Quarter 2014 Exposes 176 Million Records

Troubling Trend Of Larger, More Severe Data Breaches Continues

We are pleased to announce the release of the next installment of Risk Based Security’s Data Breach QuickView report. Analysis of data compromise activity for Q1 2014 shows that, while the number of incidents taking place remains comparable to Q1 2013, the number of records lost per incident is on the rise. The total number of records exposed in the first quarter of 2014 exceeded 176 million – or roughly a 46% increase compared to the number of records loss in Q1 2013.

The report also highlights the continuing trend of targeting user names, e-mail addresses, and passwords. Although this type of information in and of itself typically doesn’t hold the same value as Social Security or credit card numbers, this data can be the keys to opening up the doors that access more valuable information. The continued focus on this type of data may be indicative of more complex or better-planned attacks currently happening involving third-parties and on the horizon.

The Data Breach QuickView report was just released and is possible through the partnership and combined resources of Risk Based Security and the Open Security Foundation. It is designed to provide an executive level summary of the key findings from RBS’ analysis of 2013’s data breach incidents. You can view the announcement and report here. You can view the announcement and report here.

SQL Injection Leads To BigMoneyJobs.com Leak

Earlier today, a hacker identified as ProbablyOnion2 (who recently breached boxee.tv) has posted data from a large job seeker website resulting in over 36,000 accounts being published online.

We have created a DataLossDB incident and you can read the full details in the Risk Based Security post.

Potential 7 Million Credit Card Details Leaked

UPDATE: Based on further analysis along with discussions with journalists, it appears that this credit card dump contains valid, but older card data that had been previously disclosed. To date, there is no solid evidence this represents a new breach.

The last couple of weeks have seen tensions rising between Russia and Ukraine, and along with it an increase in computer crime.

Sometime earlier this morning, a post allegedly by Anonymous Ukraine has claimed to have published “more than 800 million credit cards” by releasing four archives: Visa, Mastercard, American Express, and Discover cards. Based on the initial analysis by Risk Based Security, the number appears to come to a total of 955,579 cards.

While such an attack does not appear to be directly related to the political strife between Ukraine and Russia, it does raise significant issues for card processors and consumers if the leak is legitimate.

Anonymous Ukraine has posted a short message to Pastebin that includes the following:

Today we publish the first part of our exposure of the international financial system Visa, MC, Discover & Amex, enslaved people around the world. More than 800 million credit cards. Over a trillion dollars.

Each of the four archives appear to have valid card numbers, bank routing numbers, and full names. The dump of information does not contain the credit card CCV (Card Verification Value) or card expiry information. Without this information, committing fraud with the leaked information may be more difficult.

At this time, there is no indication where the data comes from or if it is from a single source or multiple. Risk Based Security and the DatalossDB project will continue to examine the data and investigate in hopes of determining more information about the breach.

Update 7:40P EST – In addition to the 1 million cards disclosed earlier, Anonymous Ukraine has followed up with an additional leak of over 6 million more cards announced in a Tweet. Initial analysis of the new dump by RBS shows 6,064,823 new cards. That breaks down to 668,279 American Express, 3,255,663 Visa, 1,778,749 Mastercard, and 362,132 Discover. Counting the disclosure earlier today and the subsequent dump, the grand total now sits at 7,020,402. Upon cursory examination, a majority of cards seem to come from United States banks. Among the information released, approximately 4,000 come with full user data including social security number, credit card, card card expiry, name, pins, floats, dates of birth, states, and zip codes. The new Pastebin dump from the group also suggests the data may come from ATMs or POS systems.

Over 822 Million Records Exposed In 2013

The Data Breach QuickView report was just released and is possible through the partnership and combined resources of Risk Based Security and the Open Security Foundation. It is designed to provide an executive level summary of the key findings from RBS’ analysis of 2013’s data breach incidents. You can view the announcement and report here.

Forbes Data Breach Impacts Over 1 Millions Accounts

Today The Syrian Electronic army via their Twitter account @Official_SEA16 announced that they have leaked the Forbes WordPress user database not long after it was announced that they had managed to hack their website.

Eduard Kovacs from Softpedia has stated that the leak has a been uploaded to an IP address ( which was also used last year in a defacement on http://marines.com/ as well.

This breach is quite substantial and includes 1,056,986 unique emails addresses and accounts with 844 of them being government (.GOV) and 14,572 educational accounts (.EDU). In addition, the dump contains credentials from a Forbes wp_users database and contains 564 Forbes.com based emails including administrators accounts.

Forbes has posted a statement to their Facebook page regarding the breach urging all users to reset their password on the Forbes network and on any other sites they may have used the same credentials.

Security message: Forbes.com was targeted in a digital attack and our publishing platform was compromised. Users’ email addresses may have been exposed. The passwords were encrypted, but as a precaution, we strongly encourage Forbes readers and contributors to change their passwords on our system, and encourage them to change them on other websites if they use the same password elsewhere. We have notified law enforcement. We take this matter very seriously and apologize to the members of our community for this breach.

As Eduard points out that although the passwords are encrypted, the email addresses are still very useful. In addition, it is not clear the type of the encryption used and there is still a potential that they can easily be decrypted. It is clear that this breach has the potential to pose a significant risk for many of their users.

Breakout of just a few type of email domains:
844 .GOV
14,572 .EDU
91,464 hotmail.com
3,460 mac.com
185, 271 yahoo.com
407,787 gmail.com
25,050 aol.com

Data, data everywhere! Where it comes from, nobody really knows?

While there are still a few weeks left in 2013, it has already been the most severe in terms of data breaches in the last 10 years with over 705 million records lost. In addition, 4 of the top 10 data breaches of all time happened in 2013, with the top spot now belonging to Adobe (at least for the moment).

The Adobe breach was discovered and brought to light by Brian Krebs and information security researcher Alex Holden back in October (Brian Krebs is an Advisor to Alex Holden’s company). When the leak was first announced it was said to be about 2.9 million records but soon after the figure changed to what is now confirmed to be approximately 152 million records. Adobe has commented on the amount of data and users impacted a few times, and is expected to provide an update when their investigations are completed. The data has been stated to have a lot of duplicates as well as false data including usernames (email addresses) and encrypted passwords. This data was allegedly obtained directly from Adobe’s servers by unknown hackers who are also said to have obtained data from several other well known sites as well.

Early investigations by Krebs appear to have uncovered major breaches after they obtained the complete database of SSNDOB, an underground carding and personal information website. The SSNDOB investigation uncovered a lot of high profile names like LexisNexis Inc., Dun & Bradstreet, and Kroll Background America, Inc. all of which were hacked and used as a massive database for the SSNDOB website. In addition, another was the Cupid Media breach which exposed 42 million accounts and according to Brian Krebs was found on the same server as the Adobe data as well as NW3CM and PR News Wire.

One item which does not seem to be fully addressed is how Brian Krebs and Alex Holden were able to obtain this data. In one of the posts, there was a mention that they“discovered a massive 40 GB source code trove stashed on a server” but still their methods were not abundantly clear. There are several deep web monitoring services available and we have confirmed that at some point the Adobe data was available for purchase for a whopping $6 dollars. However, speculation in some circles have been that this data was originally acquired from a private server and therefore to obtain the data they would have had to have illicit access to the server themselves.

Regardless of the method used to obtain the data, at this point what they have done is help to raise the awareness of several massive breaches that have impacted millions of people around the world. As we move forward, was this type of discovery a one off or will we see more data breach disclosure in this fashion?

Looking Through the Cloudy PRISM

As you have no doubt heard, a lot of fuss has been made over the past couple days involving both NSA, Verizon, and Facebook, as well as several other companies and governments. Here, we want to provide a concise overview of the information available at this point, along with some links to additional reading about the program that is known as “PRISM”.

On June 6, 2013, the Guardian published an article that suggested a classified order was issued on April 25, 2013 that allowed the United States government to collect data until July 19, 2013 and then hand it over to the NSA. This order was issued to Verizon, and it’s existence was not allowed to be spoken of. Currently, the documents revealed only cover Verizon, but there may have been similar orders involving other companies, not just ones that provide phone service. PRISM, a program allowing the NSA access to company data, was originally enabled in December of 2007 by President Bush under a U.S. surveillance law and then renewed by President Obama in December of 2012. This program was started to aid anti-terrorism efforts and there are claims by the government that it has already prevented a terrorist plot in Colorado.

These documents reveal that the NSA is performing massive data mining covering millions of U.S. citizens. Wired reported the collected data includes phone numbers of both parties involved in the phone call, the time and duration of the call, the calling card numbers used in the call, and the International Mobile Subscriber Identity (IMSI) number which applies to mobile callers. The location of the calls may have been recording using cell tower data. Data that was NOT collected includes names, addresses, account information, and recordings of call content. There is heated debate whether this metadata is sensitive or not. On the one hand, no names or call content suggests that your fundamental privacy is intact. On the other hand, consider that the government knows you “spoke with an HIV testing service, then your doctor, then your health insurance company in the same hour. But they don’t know what was discussed.”

Edward Snowden has been identified as the whistleblower who released the documents that exposed this classified order. He had access to these documents as an employee for the NSA, which he had been working for over last four years as a contractor from outside organizations, including Booz Allen and Dell. When Snowden released the documents he stated, “I can’t allow the US to destroy privacy and Internet freedom.”

This article by the Guardian highlights multiple comments made by President Obama about the issue. He called this a “very limited issue” when discussing these disclosures of the NSA accessing phone data. In an attempt to deflect criticism, the President also stated that he had privacy concerns regarding private corporations as they collect more data than the government.

Both Facebook and Google denied any previous knowledge of the PRISM surveillance program after concerns they may have been part of the program. Many other technology companies thought be be part of PRISM issued similar statements saying that they did not allow the government “direct access” to their systems. However, theNY Times reports that Google, Microsoft, Apple, Facebook, Yahoo, AOL, and Paltalk all negotiated with the government and were required to share information due to theForeign Intelligence Surveillance Act (FISA). The Guardian also states that Microsoft has been a part of this information sharing program since the beginning in December of 2007 and was joined by Yahoo in 2008, Google, Facebook and PalTalk in 2009, YouTube in 2010, Skype and AOL in 2011, and Apple in 2012. At this point, it is a game of “who do you trust?” The government who finds such data incredibly valuable, or the corporations that sometimes rely on such data for their business model (e.g. Facebook).

In an article by Mark Jaquith, he mentions how important the details are in this situation. There are two different reports on how PRISM actually works; one says the government can directly and unilaterally access company servers to take data and the other is just an easier way to transfer data requested by court orders. The majority of reports are pointing toward the second method describing the way that PRISM works. If this is true, the transfer of data is moderated and indirect making it basically a lock box to securely pass information through. Now, that this has been brought to light we hope more details will continue come to the surface to provide clarity.

As with many big information leaks, the emotions and politics quickly take hold and begin to dominate the argument. Veterans of the Internet are largely not surprised by the PRISM news, due to fleeting memory of ECHELON, Carnivore, and likely other initiatives that never came to light. Regardless, the PRISM program represents a serious threat to individual privacy and every citizen should be concerned.

Written by eabsetz