Breaches and leaks

This one section took me almost as long to piece together as all other articles combined.

Btw, if you happen to run Elasticsearch in your company, make sure it's secured. Or I'll let you write these next week.

Here we go:

  • Atrium Health: a large US healthcare provider that was hacked through a third-party vendor. Personal details of over 2.65 million patients were extracted, including 700,000 social security numbers.
  • Urban: a massage app that had an unsecured Elasticsearch database, which exposed personal information and sensitive reviews.
  • Sky Brasil: the TV company exposed an unsecured Elasticsearch database with personal information of 32 million customers.
  • FIESP: Brazil's largest industry association, made up of 130,000 companies, exposed an Elasticsearch instance with millions of personal records.
  • a company that sells contact data for sales leads. They had an exposed MongoDB instance with over 9 million records.
  • Data & Leads Inc.: another data gathering company, with another unsecured Elasticsearch instance, this time exposing information of an estimated 83 million people.
  • Dunkin' Donuts: an attacker compromised customer accounts, presumably through a credential stuffing attack (using usernames and passwords from other breaches).
  • Dell: not really a breach, it seems. They interrupted an attack that was underway to steal customer credentials. As a precaution, Dell is resetting passwords though.
  • Uber: not a new breach, but they were fined £385,000 by the UK and €600,000 by The Netherlands for disclosing too late the 2016 data breach that affected 57 million people.
Dieter Van der Stock