Leaks and breaches: a roundup

It’s time for one of our semi-regular breach/data exposure roundup blogs, as the last few days have brought us a few monsters. If you use any of the below sites, or if you think some of your data has been sitting around exposed, we’ll hopefully give you a better idea of what the issue is.

Seeing so many services be compromised or simply exposed for all to see without being secured is rather fatiguing, and we’d hate for the end result to be hands thrown in the air with a cry of “Why bother!” Without further ado, then, let’s take a look at breach number one.

Canva: breached

Something in the region of 139 million users of graphic design service Canva had their data swiped by a hacker known for many other large compromises. Usernames, emails, real names, and cities were amongst the data swiped. A big chunk of users had a combination of password hashes and Google tokens grabbed, too.

There are some issues with how Canva initially reported this. The “we’ve been hacked” message, followed by a short email ramble about free images, led to concerns that many users may have ignored it completely. However, Canva has been quick to deal with the problem at hand and even has (shock, horror, amazement) a good slice of information about it on its status page. In fact, it has even more information on a dedicated update portal.

In a nutshell, Canva states that your login passwords are unreadable, other credentials are similarly secure, your designs are safe, your card details haven’t been grabbed, and you should change your login as a precautionary measure.


Flipboard: breached

Breach number two: Massively successful news aggregator Flipboard was also caught by an attack, according to a statement released on May 28. This attack took place sometime between June 2018 and March 2019. They haven’t said how many accounts were breached, but as with Canva, they were careful to stress that stolen logins would be incredibly difficult to break into thanks to the fact that they didn’t store passwords in plain text. Additionally, they’ve reset everybody’s login credentials as a precautionary security response.

The attackers grabbed the usual collection of valuables: usernames, hashed/salted passwords, some email addresses, and third-party digital tokens. As with the Canva breach, Flipboard has been upfront about the whole fiasco and is being a lot more proactive than many companies faced with similar situations.

Amazingco: exposed data

Next up, we have another example of “utterly unsecured database full of information readily available to someone with a web browser.” This is incredibly common, and a major source of data breaches/leaks. Hacking into servers, exploiting databases, phishing logins from admins? Too much hard work. Criminals need only go looking for wide-open goal areas instead.

In this case, the open goal belonged to an Australian marketing company called Amazingco. 174,000 records were there for the taking, containing everything from names and addresses to phone numbers, event types, and even IP addresses and ports.

We don’t know how long the data was sitting there, and we also don’t know if this information was meant to be sitting on the open Internet, or if someone possibly misconfigured something. What we do know is that this database has now been taken offline.

At this stage, there’s no real way to know if someone up to no good has grabbed it. However, if people with good intentions could find it, then so, too, could bad ones. Customers of Amazingco should be wary of attacks, as spear phishing will likely now be the order of the day.

First American Financial Corp: exposed data

Possibly the largest and most damaging of the bunch, our fourth incident is another one where data is freely available to someone sporting a web browser. First American Financial Corp had “hundreds of millions of documents related to mortgage deals, going back to 2003” digitised and ready to view without authentication.

Social security numbers, driver’s licenses, account statements, wire transaction records, bank account numbers, and much more were all lurking in the pile. That pile was estimated to weigh in at around 885 million files, and as security researcher Brian Krebs notes, this would be an absolute gold mine for phishers and purveyors of Business Email Compromise scams. The data has now been taken offline, but that’s scant consolation for anyone affected.

What’s the upshot?

Don’t panic, but do be cautious. According to security firm Mimecast, 65 percent of organisations saw an increase in impersonation attempts year over year. Some of the above leaks could be extremely useful to scammers wanting to muscle in on victims, and you never know when someone’s going to try it on. The slightest bit of inattentiveness could lead to a spectacular mishap, and we don’t want that taking place.


Christopher Boyd

Former Director of Research at FaceTime Security Labs. He has a very particular set of skills. Skills that make him a nightmare for threats like you.