Dual data exposures and a wide-scale data leak due to a vulnerable MongoDB database have kicked off 2019 so far.
2019 has so far been making good on security experts’ predictions that there will be no ebb in data exposures for the new year: In the first half of January, several data breaches and leaks have already come to light, including three notable incidents at well-known firms in just the past week.
Over the course of the last few days, OXO and Amazon India disclosed that customers’ personal data had been compromised in separate incidents. Also making headlines last week was a massive data leak stemming from a vulnerable MongoDB that left millions of resumes open for the taking on the internet.
“Breaches at large entities, such as Amazon, are inevitable given the complexity of their technology and the size of their proprietary development, where a single bug can result in sizable data loss,” said Raj Bakhru, partner at ACA Aponix, in an email. “It’s likely we’ll continue to see this with large-cap companies across sectors, and that there are on-going breaches at many of these entities.”
OXO, the modern kitchen tool and housewares firm, said in an advisory sent to customers that it had discovered a breach that impacted data entered on its e-commerce website during certain times in 2017 and 2018.
Specifically, compromised data had been entered during these timeframes: June 9, 2017 to November 28, 2017; June 8, 2018 to June 9, 2018; and July 20, 2018 to October 16, 2018. The breach was first discovered Dec. 17.
The NYC-based manufacturing firm said that the compromise may have allowed access to names, billing and shipping addresses, and credit-card information.
OXO did not reveal the cause of the breach other than to say that unauthorized code was discovered on its website: “OXO has investigated the nature of the malicious code, removed the unauthorized code, conducted systems scans and reissued access credentials,” it said.
Robert Capps, vice president and authentication strategist for NuData Security, said the breach appears to be a Magecart-like attack.
The Magecart threat group, known for using digital skimmers to steal payment data from unsuspecting website visitors, has been behind several large-scale breaches, including those of Ticketmaster and British Airways.
“The loss of credit-card data is a worry for all organizations, not just the targeted company,” Capps said in an email. “The data lost has the potential to be lucrative in the hands of cybercriminals, who can use the card number and CVC to accurately mimic the legitimate customer in order to make fraudulent purchases, or facilitate further cybercrime.”
Amazon India also suffered a data exposure this week, which revealed the tax data of about 400,000 sellers on Amazon. According to the India Economic Times, the breach came from an internal technical glitch, and ended up exposing the tax reports of sellers.
The issue was discovered last Sunday, and has since been fixed.
When reached for comment, Amazon did not give additional details about the breach’s root cause, but an Amazon spokesperson told Threatpost: “On Sunday, some sellers who attempted to download Merchant Tax Reports (MTRs) for the month of December 2018 experienced a technical issue. Our teams identified the issue and resolved it on priority and sellers were soon able to download the correct MTR reports.”
This is not Amazon’s only recent breach. In November, the company notified customers that their email addresses were inadvertently exposed due to an API issue. Details still remain scant about how many are impacted by that incident, but Amazon says its servers were not breached and it didn’t give away any other personal info.
Meanwhile, a Thursday report disclosed a data leak stemming from an unprotected MongoDB that exposed millions of job-seekers’ resumes.
The leak, discovered by Bob Diachenko, director of Cyber Research at Hacken.io, was due to an 854 GB MongoDB database that lacked password or login authentication. The database contained the details of more than 200 million resumes of Chinese job-seekers.
The unprotected data was open and available for about a week, according to the report.
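The report describes a database that answered queries from the internet without any credentials. As an added illustration (not configuration from the report, from Hacken.io, or from the database owner), the two mongod.conf fragments below contrast the setting that produces exactly that exposure with a hardened one. The private address and certificate path are placeholders, not values from the incident.

```yaml
# Added example, not taken from the report.
# WEAK: the shape of configuration behind the exposure described above.
# The server listens on every interface and requires no authentication,
# so anyone who can reach port 27017 can read every collection.
net:
  port: 27017
  bindIp: 0.0.0.0          # reachable from any network the host sits on
security:
  authorization: disabled  # no login needed for any operation

---
# HARDENED: only listen where clients actually are, require credentials,
# and encrypt the connection.
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5     # loopback plus the app server (10.0.0.5 is an assumed address)
  tls:
    mode: requireTLS
    certificateKeyFile: /etc/ssl/mongodb.pem   # placeholder path
security:
  authorization: enabled   # every operation must come from an authenticated role
```

Before switching `security.authorization` to `enabled`, create at least one administrative user on the `admin` database (otherwise you lock yourself out as well), then confirm from a host outside the allowed list that an unauthenticated client can no longer list databases. Since MongoDB 3.6 the server binds to localhost by default, so an internet-exposed instance is usually one that was explicitly configured with `bindIp: 0.0.0.0` or is running an older release; a periodic check of which interfaces the process is listening on catches both cases.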
“Each of the 202,730,434 records contained the details not only on the candidates’ skills and work experience, but also on their personal info, such as mobile phone number, email, marriage, children, politics, height, weight, driver license, literacy level, salary expectations and more,” said the report.
The database, whose owner Diachenko was unable to identify, has since been secured – but that doesn’t stop concerns about what could happen if a bad actor got his hands on the data.
“No matter what the reason is behind this data exposure, this incident surely points out that any kind of data could be at risk at any given time,” Jonathan Deveaux, head of enterprise data protection for Comforte, said in an email. “More must be done to consider data protection and privacy at the earliest point of entry into databases, files, and other stored areas, as to minimize exposures of all sizes.”