Miserable Miscreants Targeted Internet Archive's Wayback Machine, Stole 31 Million Records

China's SweetSpecter sent phishing emails to ChatGPT staff, FTC requires Marriott and Starwood to bolster cybersecurity, India's Star Health and Allied Insurance confirms cyberattack, crypto kid thief's parents subjected to botched kidnapping, Bitfinex was sole victim of RazzleKhan couple, much more

Source: Ars Technica.

Check out my latest CSO column, which examines why cross-site scripting vulnerabilities still plague the cybersecurity world and how the advent of AI could perpetuate existing XSS flaws.


Check out what our sponsor, Anchore, is offering

Learn the building blocks for adopting a secure software factory model in a highly informative webinar. The Department of Defense (DoD) software factory model has emerged as a cornerstone of innovation and security for national defense and cybersecurity. Software factories represent an integration of principles and practices found within the DevSecOps movement, with technical guidelines to support continuous cyber-readiness with real-time visibility.


Internet Archive's "The Wayback Machine" suffered a data breach after a threat actor compromised the website and stole a user authentication database containing 31 million unique records.

"Have you ever felt like the Internet Archive runs on sticks and is constantly on the verge of suffering a catastrophic security breach? It just happened. See 31 million of you on HIBP!" reads a JavaScript alert on the compromised archive.org site.

The text "HIBP" refers to the Have I Been Pwned data breach notification service created by Troy Hunt, with whom threat actors commonly share stolen data to be added to the service.

Hunt said that the threat actor shared the Internet Archive's authentication database nine days ago. It is a 6.4GB SQL file named "ia_users.sql." The database contains authentication information for registered members, including their email addresses, screen names, password change timestamps, Bcrypt-hashed passwords, and other internal data.

The most recent timestamp on the stolen records is September 28th, 2024, which is likely when the database was stolen.

Hunt says the database contains 31 million unique email addresses, many of which are subscribed to the HIBP data breach notification service. The data will soon be added to HIBP, allowing users to enter their email and confirm whether their data was exposed in this breach.
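Two details in this item, the bcrypt-hashed passwords and the HIBP lookup, point to the check a defender or an affected user would actually run. The example below is added here and is not code from the original article or from Have I Been Pwned; it implements the k-anonymity model that HIBP's Pwned Passwords range API uses (the client sends only the first five hex characters of the SHA-1 of a password and matches the remaining 35 characters locally), which goes slightly beyond the item itself, where only the email lookup is described. The range responses and hit counts are constructed so the script runs offline; the one real value in it is the SHA-1 of the string "password". The real endpoint is named in a comment but never called.

```python
import hashlib
from typing import Callable, Dict, Tuple

# Real endpoint shape (not called here): https://api.pwnedpasswords.com/range/<5-hex-prefix>
# The service answers with one "SUFFIX:COUNT" line per hash that shares the prefix.

# CONSTRUCTED stand-in for the service, keyed by 5-character prefix. The counts
# are made up; the suffix under "5BAA6" is the genuine SHA-1 tail of "password".
CONSTRUCTED_RANGES: Dict[str, str] = {
    "5BAA6": "\r\n".join([
        "003D68EB55068C33ACE09247EE4C639306B:3",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493",
        "2A8D9A6F20D6F7B0C5A2B2A0C6E4B4C3D21:1",
    ]),
    "ABCDE": "0123456789ABCDEF0123456789ABCDEF012:42",
}


def split_sha1(password: str) -> Tuple[str, str]:
    """Return (prefix, suffix): the 5 hex chars that leave the client and the 35 kept local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(text: str) -> Dict[str, int]:
    """Parse the 'SUFFIX:COUNT' lines of a range response into a dict."""
    counts: Dict[str, int] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def check_password_exposure(password: str, fetch_range: Callable[[str], str]) -> int:
    """Number of times the password appears in breach corpora, or 0 if absent.

    Only the prefix is handed to fetch_range; the suffix comparison happens here,
    so neither the password nor its full hash is disclosed to the range provider.
    """
    prefix, suffix = split_sha1(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def offline_fetch(prefix: str) -> str:
    """Offline replacement for the HTTP call, backed by the constructed ranges."""
    return CONSTRUCTED_RANGES.get(prefix, "")


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple"):
        hits = check_password_exposure(candidate, offline_fetch)
        verdict = f"seen {hits} times in breach data" if hits else "not in the sample ranges"
        print(f"{candidate!r}: {verdict}")
```

To use it against the live service, replace `offline_fetch` with a function that performs an HTTP GET on the endpoint named in the comment and returns the response body; the matching logic and the privacy property stay the same. Note that this check concerns passwords, not the breached-email lookup the item describes, and that a bcrypt hash in a leaked database still warrants a password reset regardless of what this lookup returns.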

The data was confirmed to be real after Hunt contacted users listed in the database, including cybersecurity researcher Scott Helme.

Hunt says he contacted the Internet Archive three days ago and began a disclosure process, stating that the data would be loaded into the service in 72 hours, but he has not heard back since.

On top of this breach, the Internet Archive suffered a DDoS attack, which the BlackMeta hacktivist group has now claimed; the group says it will conduct additional attacks. (Lawrence Abrams / Bleeping Computer)

Related: Wired, Silicon Republic, Help Net Security, Ars Technica, The Verge, Forbes, Ghacks, Benzinga, BetaNews, TechCrunch, Neowin, Ace of Spades, TechIssuesToday.com, Wired, Engadget, Türkiye Today, Cybernews.com, Cyber Daily, PCMag, The Register, Neowin, Pixel Envy, Cyber Kendra, r/cybersecurity, Sammy's Blog, PCMag, Slashdot

OpenAI said that a suspected China-based group called SweetSpecter posed as a user of OpenAI's chatbot ChatGPT earlier this year and sent customer support emails to staff.

OpenAI said the emails included malware attachments that, if opened, would have allowed SweetSpecter to take screenshots and exfiltrate data, but the attempt was unsuccessful.

OpenAI revealed the attempted phishing attack as part of its latest threat intelligence report, outlining its efforts to combat influence operations worldwide. In the report, OpenAI said it took down accounts from groups with links to Iran and China that used AI for coding assistance, conducting research, and other tasks. (Seth Fiegerman / Bloomberg)

Related: OpenAI, OpenAI, PYMNTS.com, PCMag, Tech Times

A redacted version of the SweetSpecter email sent to OpenAI employees. Source: OpenAI.

The US Federal Trade Commission said it will require Marriott International and its subsidiary Starwood Hotels & Resorts Worldwide to implement an information security program to settle charges over multiple data breaches from 2014 to 2020.

The three large data breaches that occurred from 2014 to 2020 affected more than 344 million customers worldwide.

Marriott and Starwood also agreed to provide their US customers with a way to request the deletion of personal information associated with their email address or loyalty rewards account number. Upon customer request, Marriott will also be required to review loyalty rewards accounts and restore stolen loyalty points.

In a separate settlement, Marriott agreed to pay a $52 million penalty to 49 states and the District of Columbia to resolve similar data security allegations. (Ismail Shakil, Katharine Jackson / Reuters)

Related: CT.gov, Federal Trade Commission, KATV-TV, The Record, Associated Press, Federal Trade Commission, Hospitality Net, Skift, The Register, HealthcareInfoSecurity.com, PYMNTS.com, Insurance Journal, Wall Street Journal, PhocusWire, ZDNET, Oregonian, CNET, Seeking Alpha, Cybernews, Claims Journal, Newsday

Star Health and Allied Insurance, one of India's largest health insurance firms, confirmed it was the target of a "malicious cyberattack" around two weeks after cybercriminals claimed to have posted customers' health records and other sensitive data online.

The insurer said the cyberattack resulted in "unauthorized and illegal access to certain data," though its operations remained unaffected and services continued.

Last month, a hacker group created chatbots on Telegram that leaked the alleged personal data belonging to 31 million Star Health policyholders and over 5.8 million insurance claims. The data included full names, phone numbers, home addresses, medical reports, and insurance claims of individuals. The hackers also shared copies of customer ID cards and individuals’ tax details.

Shortly after the hackers’ Telegram bots came to light, Star Health filed a legal complaint with the Madras High Court against Telegram for hosting the chatbots. The insurer also sued Cloudflare for its role in hosting the hacker group’s websites on its service. (Jagmeet Singh / TechCrunch)

Related: CSO, Ars Technica, Reuters, MEDIANAMA, The Indian Express, NDTV, Business Today, Livemint, India Today, Pune.news, The Hindu

The parents of a 19-year-old Connecticut honors student accused of taking part in a $243 million cryptocurrency heist in August were carjacked a week later while out house-hunting in a brand new Lamborghini and, according to prosecutors, were also beaten and briefly kidnapped by six young men who traveled from Florida as part of a botched plan to hold the parents for ransom.

A criminal complaint (PDF) filed on Sept. 24 against the six men does not name the victims, referring to them only as a married couple from Danbury with the initials R.C. and S.C. But prosecutors in Connecticut said they were targeted “because the co-conspirators believed the victims’ son had access to significant amounts of digital currency.”

What made the Miami men so convinced that R.C. and S.C.’s son was loaded with cryptocurrency? Approximately one week earlier, on Aug. 19, a group of cybercriminals, allegedly including the couple’s son, executed a sophisticated phone-based social engineering attack in which they stole $243 million worth of cryptocurrency from a victim in Washington, DC.

In a screen recording of the two young hackers exulting in their massive theft, one of the usernames leaked during the chat was Veer Chetal. According to ZachXBT, that name corresponds to a 19-year-old from Danbury who allegedly goes by the nickname "Wiz," although in the leaked video footage, he allegedly used the handle "Swag." Swag was reportedly involved in executing the early stages of the crypto heist, gaining access to the victim's Gmail and iCloud accounts.

A criminal indictment was issued in Washington, D.C., charging two of the men ZachXBT named as involved in the heist. Prosecutors allege Malone "Greavys" Lam, 20, of Miami and Los Angeles, and Jeandiel "Box" Serrano, 21, of Los Angeles, conspired to steal and launder over $230 million in cryptocurrency from a victim in Washington, D.C. The indictment alleges Lam and Serrano were helped by other unnamed co-conspirators. (Brian Krebs / Krebs on Security)

Related: Cybernews, r/CryptoCurrency

In a court filing, the government said Ilya Lichtenstein and Heather Morgan, as well as Bitfinex's parent company, iFinex, have asserted that the crypto trading platform is the sole victim of the 2016 Bitfinex hack.

After the hack, iFinex said customers were able to sell Bitfinex-issued tokens called BFX on the market or back to the platform for cash or iFinex stock, among other options, according to the filing.

"All customers holding BFX tokens chose to exercise one of those options, and as of April 3, 2017, all BFX tokens were fully redeemed," the filing said.

However, the government said it wanted to give Bitfinex accountholders an "opportunity to advance potential claims" ahead of sentencing "out of an abundance of caution." The government asked the court to allow it to use different notification methods, including the Department of Justice's website.

The pair pleaded guilty in August 2023 to money laundering conspiracy in connection with the hacking of Bitfinex in 2016. According to the government, the two allegedly conspired to launder 119,754 Bitcoin tokens in August 2016, valued at close to $71 million. (Sarah Wynn / The Block)

Related: U.Today, Cointelegraph.com, Protos, Protos, Coinpedia Fintech News, CryptoSlate, The Defiant, Protos

Jerico Pictures, the Florida business behind data brokerage National Public Data, has filed for bankruptcy, admitting "hundreds of millions" of people were potentially affected by one of the largest information leaks of the year.

In June, the hacking group USDoD put a 277.1 GB file of data online that contained information on about 2.9 billion individuals and asked $3.5 million for it.

NPD confirmed it had been hacked in an attack in December 2023. Initially, it said just 1.3 million people had lost personal details, such as "name, email address, phone number, social security number, and mailing address(es)." However, in the court documents filed for bankruptcy, the business concedes that the total is much higher.

"The debtor is likely liable through the application of various state laws to notify and pay for credit monitoring for hundreds of millions of potentially impacted individuals," the bankruptcy petition from Jerico Pictures states.

According to the filing, the organization is facing over a dozen class-action lawsuits over the data loss and potential "regulatory challenges" from the FTC and more than 20 US states. However, plaintiffs will have difficulty getting money from Jerico since the documents state the business has minimal physical assets.

According to the accounting document, the sole owner and operator, Salvatore Verini, Jr., ran the business out of his home office using two HP Pavilion desktop computers, valued at $200 each, a ThinkPad laptop estimated to be worth $100, and five Dell servers worth an estimated $2,000.

It lists $33,105 in a corporate checking account in New York as its assets, although the business pulled in $1,152,726 in the last financial year and estimates its total assets are between $25,000 and $75,000.

It also lists 27 domains with a value of $25 apiece. These include the corporate website (now defunct) and a host of other URLs, including criminalscreen.com, RecordsCheck.net, and asseeninporn.com. (Iain Thomson / The Register)

Related: PCMag, The Business Journals

Google announced the launch of the Global Signal Exchange (GSE), a new project that aims to foster the sharing of online fraud and scam signals.

The internet giant says it is already blocking millions of attempted scams daily across its products and services. The GSE is expected to improve those protections through a partnership with the Global Anti-Scam Alliance (GASA) and DNS Research Federation (DNS RF).

The project builds upon GASA’s network of stakeholders, the DNS RF’s data platform, which contains over 40 million scam signals, and Google’s experience in battling scams and fraud.

The resulting solution is expected to be user-friendly and efficient and to scale across the entire web, with GASA and the DNS RF managing access for qualifying organizations.

Google, which has been partnering with entities worldwide to ingest scam signals, says the platform's initial pilot has allowed it to share over 100,000 URLs of bad merchants and take in roughly one million signals. (Ionut Arghire / Security Week)

Related: The Keyword, Silicon Angle, Android Police, Android Authority, Android Central, ZDNet

Best Thing of the Day: That Which Doesn't Kill You Makes You Stronger

According to enterprise service management company OTRS, 93 percent of all IT and cybersecurity specialists surveyed took measures to better prepare for future incidents after the CrowdStrike outage took down a large swath of IT infrastructure in July.

Worst Thing of the Day: The Growing Severity of Ransomware

Cyber insurance provider Coalition reports that the severity of ransomware claims spiked by 68% to an average loss of $353,000.

Bonus Worst Thing of the Day: Um, Just Use Signature Required?

Thieves equipped with stolen AT&T parcel tracking numbers are swiping FedEx-delivered iPhones off customers' porches because FedEx doesn't require a recipient's signature.

Extra Bonus Worst Thing of the Day: Now ChatGPT Will Know What a Slob You Are

Ecovacs robot vacuums, which have been found to suffer from critical cybersecurity flaws, are collecting photos, videos, and voice recordings taken inside customers' houses to train the company's AI models.

Closing Thought