Over a billion users and records hacked and exposed!
What has to be one of the worst weekends ever for cybersecurity affects hundreds of millions of people and could potentially have devastating consequences.
139 million users were hit in a Canva data breach. The Australian web-design online service leaked real names, usernames, email addresses and city and country information. On the bright side, email passwords were salted and hashed. Other good news – dates of birth and street addresses do not seem to have been part of the compromised data.
If you’ve ever signed up for Canva, you should probably change your Canva account password. If you’ve ever used that same password elsewhere, definitely change it on those other services.
However, Canva also lets you use its services by signing in with your Google or Facebook accounts, and there is no evidence that those accounts are in any danger from this breach.
The even bigger concern is First American Financial Corp., which leaked hundreds of millions of title insurance records. Discovered by KrebsOnSecurity, the digitized records — including bank account numbers and statements, mortgage and tax records, social security numbers, wire transaction receipts, and driver's license images — were available without authentication to anyone with a web browser.
This is a major organization – it employs some 18,000 people and brought in more than $5.7 billion in 2018.
KrebsOnSecurity confirmed that First American’s website exposed approximately 885 million files, the earliest dating back more than 16 years. No authentication was required to read the documents!
These two cybersecurity incidents are jet fuel for those who would use social engineering to spear phish users. This is very, very bad.
In other news, Perceptics, maker of the US border's license-plate scanning tech, was ransacked by a hacker, and its blueprints and files were dumped online. The company, while confirming the intrusion and theft, is staying quiet on the details.
Also within the last 24 hours, New Zealand crypto firm Cryptopia Limited was hacked to death and is seeking U.S. bankruptcy after $16 million was stolen from as many as 300,000 accounts.
Finally, the City of Baltimore is still crippled after being hit by ransomware 2 weeks back. They had to switch to Gmail accounts in order to function, and now those accounts are not working because of a technical issue with Google's bots.
How can other companies try to stay ahead of hackers and keep their information secure?
Simple ways to improve cybersecurity: keep computer operating systems and software patched. Ensure social media accounts are private. Be careful what you share. Be aware of phishing emails, which can be used to hack your computer, network and bank accounts and to steal your identity.
Regularly use a phishing simulation service like Phish360 to send fake phishing emails and train users who click.
- General cybersecurity training must be done regularly.
- Auditing and documentation must be performed regularly to ensure systems are secure.
- Anomaly detection should be running constantly to detect threats as they emerge.
- Penetration testing shows if systems can easily be reached from the outside.
- Network forensics must be in place for when a breach eventually occurs. The bad guys always seem to get in eventually.
Cybersecurity is part technology, strategy, science and competition. That last term may be surprising, but it shouldn't be. With millions of companies that hackers might want to hit and billions of users, if one individual or company is more secure than others, the hacker is likely to just move along to the next target.