Hacks of the Month—December

These are the hacks and attacks that happened last month: a short recap and rundown of what you might have missed regarding exposed consumer personal data. Hacks of the Month: December!

December Timeline:

Week 1 (Dec. 1 – 8):

ElasticSearch server

From November 14 through November 20th, Elasticsearch servers indexed by the search engine Shodan exposed the data of 57 million US citizens. This includes full name, employer, job title, email address, ZIP code, phone number, and IP address.

 

iPhone users Touch ID Scam

The iOS apps Fitness Balance and Calories Tracker use fingerprint access to get users to approve payments of over US $100. To view your tracking history, the app prompts you to scan your fingerprint. Once you scan your fingerprint, an in-app purchase pop-up appears for a split second, charging users $90 and above.

Dell Security Breach

Account information from the sites Dell.com and DellPremier.com was under attack. It is possible that names, emails, and hashed passwords were removed. Dell reset the passwords of customers’ accounts on its website. In its press release, Dell says that credit card information was not targeted, nor were any Dell products or services.

100M Quora users’ personal data exposed

On December 3rd, 100 million Quora users were notified by email that their user data was compromised. The breach includes names, email addresses, encrypted passwords, data imported from linked networks, downvotes and direct messages. The firm also offered to send users an archive of their content and personal data within 72 hours of receiving a request to do so.

1-800-Flowers purchasers were exposed over a four-year period

1-800-Flowers payment data was breached on its Canadian website. The impacted data consisted of first and last name, payment card number, expiration date and card security code. Malware was scraping credit cards from August 15, 2014 to September 15, 2018.

 

Week 2 (Dec 9 – 15):

Facebook API Bug

Facebook’s latest bad press: it announced a new API bug in its photo-sharing system. The bug gave 1,500 third-party apps access to unposted Facebook photos of 6.8 million users. The photos were left exposed for 12 days, between September 13th and September 25th.

Google Plus API bug

The second breach on Google Plus was related to its APIs, which allowed developers to access users’ private profiles.

 

Week 3 (Dec 16 – 22):

Caribou Bagels & Coffee Shops stores breached

The company, Coffee and Bagels, said, “Only Caribou Coffee and Bruegger’s Bagels stores point-of-sale (POS) systems were breached.” Hackers gained unauthorized access to steal customers’ payment card data: name, card number, expiration date and card security code. Customers who visited company-owned Caribou locations between Aug. 28 and Dec. 3 of this year could potentially be impacted.