Major Data Breaches and Hackings in September 2023

Data Breaches

Freecycle

Organization description: Freecycle is a non-profit online forum dedicated to exchanging used items.

Breach size: 7 million

Data exposed: User names, user IDs, email addresses, passwords

The online forum revealed it suffered a massive data breach affecting more than 7 million users. Freecycle discovered the breach on August 30th several weeks after the hacker shared the stolen data on a hacking forum on May 30th. Affected users were advised to change their passwords immediately. Link to Source.

Duolingo

Organization description: Duolingo is the largest language-learning app boasting more than 74 million monthly global users.

Breach size: 2 million +

Data exposed: User IDs, phone numbers, and email address

A mix of public and private data was scraped from a vulnerability in an open API connected to Duolingo and posted for sale on a hacking forum with a starting bid of $1,500 earlier this year. Now, the data is readily available on the cybercrime marketplace, BreachForums, for only $2.13. A Duolingo spokesperson explained that the data is used to help users search for friends on the app, and profiles can be made private if preferred. Although Duolingo commented that the scraped data was not technically a breach or hack, ethical hackers warn it could be used to dox users. The company is taking precautions to limit future leaks. Link to source.

Topgolf Callaway Brands

Organization description: Callaway is a golf equipment manufacturer and e-commerce website.

Breach size: 1 million +

Data exposed: Names, phone numbers, mailing and email addresses, order histories, account passwords, and security question answers

Topgolf Callaway sent a letter to its impacted users on August 29th, warning them of the data breach that began on August 1st. The data exposed included a long list of private information, but, fortunately, no credit card information, government IDs, or Social Security numbers were compromised in the incident. Several sub-brands, including Odyssey, Ogio, and Callaway Gold Preowned sites were also affected. Customers are strongly recommended to update login credentials like passwords to minimize the risk of further cyberattacks. Link to source.

U.S. National Safety Council (NSC)

Organization description: The National Safety Council (NSC) is a United States-based non-profit organization focusing on workplace and driving safety training.

Breach size: 2,000 companies and nearly 10,000 employees

Data exposed: Employee emails and passwords

The NSC provides online resources for large corporations, government organizations, and other companies across various industries like energy, technology, pharmaceuticals, and education. The employee credentials were publicly accessible due to a website vulnerability left unaddressed for five months, impacting a wide array of well-known companies and governmental agencies, like Shell, Boeing, Pfizer, Tesla, The Occupational Safety and Health Administration (OHSA), Verizon, Amazon, Home Depot, and more. Experts are concerned that the possible risks extend beyond the NSC systems and could be used for credential stuffing attacks, a cyberattack strategy to gain access to a company’s private internet-connected networks. Link to source.

Paramount

Organization description: Paramount is a popular entertainment and streaming company with a portfolio of brands like CBS, Showtime Networks, Paramount Pictures, MTV, Comedy Central, and Paramount+.

Breach size: Less than 100

Data exposed: Name, date of birth, Social Security number or other government-issued identification number (like driver’s license numbers or passport numbers)

Although the breach is small in scale, the personal data exposed is particularly sensitive personally identifiable information (PII). After discovery of the data breach, Paramount took swift steps to investigate the extent of the breach and send notification letters to affected individuals. The company said in the letter that it retained the help of a third-party cybersecurity expert, coordinated with law enforcement, and is working to upgrade security measures to prevent this type of breach in the future. Paramount has not yet disclosed if employees or customers are the affected individuals. Link to source.

Johnson & Johnson

Unknown Number of Breached Customers Icon IDSeal

Organization description: Pharmaceutical company

Breach size: Unknown, but 1.16 million patients in the United States were helped through the CarePath program in 2022

Data exposed: Full names, contact information, date of birth, health insurance information, medication information, and medical condition information

Johnson & Johnson Health Care Systems (“Janssen”) recently informed its CarePath customers that sensitive healthcare data was compromised due to a vulnerability in a third-party application managed by IBM. Last month, we reported a similar data breach affecting the Colorado Department of Healthcare & Policy Financing (HCPF). Like HCPF, CarePath uses IBM technology to manage patient applications and data related to prescriptions, insurance coverage, and customer communications. Although IBM was among countless organizations affected by the Clop ransomware attack exploiting the zero-day vulnerability on the MOVEit Transfer software, a spokesperson for IBM said that this breach was a separate cyberattack from different threat actors. Link to source.

Sabre

Organization description: Sabre is a travel reservation platform used to complete airline and hotel bookings, check-ins, and apps.

Breach size: Unknown, but the ransomware group claiming responsibility says it has 1.3 terabytes of data

Data exposed: Employee email address, work location, names, nationalities, passport and visa numbers, I-9 forms, and corporate financial information

Sabre confirmed on September 6th that it was conducting a cyber investigation after the Dunghill Leak group boasted about successfully extracting 1.3 terabytes of information from its databases. In a post on a dark web forum, the group showed a portion of the information the hackers claimed to have stolen, which included databases on ticket sales, passenger churn, employee’s sensitive information and corporate finance statements. The exact date of the breach is unknown, but screenshots from the post imply that it could have been back in July of 2022. Link to source.

Hacking News

Hack or Glitch? T-Mobile App Leaks Customers’ Sensitive Data

Recently, T-Mobile customers using the company’s official mobile app logged in to find other customers’ sensitive data, including names, phone numbers, addresses, account balances, and most concerning, credit card details.

Despite T-Mobile’s official announcement that there was no hack and that the issue impacted fewer than 100 individuals, customers took to social networking sites like X/Twitter and Reddit to raise concerns.

In 2023, T-Mobile’s cybersecurity team started the new year on rocky footing when its first data breach was reported in January where 37 million customers’ sensitive data was stolen. Before half of the year was out, another breach was reported in May.

Another data breach in the summer of 2021 exposed more than 100 million customers’ personal information like home addresses and date of birth.

Since 2018, T-Mobile has experienced seven other data breaches, a concerning track record for customers who believe the company may have been hacked again. Whether glitch or another cyberattack, the carelessness of customer data is a stark reminder that everyone should take proactive steps to protect their data.

Cyberattack on MGM Resorts Affects In-Casino Services

After ten grueling days, MGM Resort’s Las Vegas casinos are finally back online with no interference from hackers. MGM first realized something was amiss with its Aria, Bellagio, and MGM Grand locations on September 10^th when multiple customer-facing systems came to a halt. Everything from slot machines to room key cards began malfunctioning, even smart TVs wouldn’t turn on.

An investigation revealed that the breach occurred due to a successful vhishing (voice phishing) scam in which the hackers posed as an employee to gain access to internal operating systems that controlled restaurant reservations, hotel bookings, corporate emails, and multiple other channels.

A rival casino, Caesars Entertainment, reported a cyberattack to federal regulators a few days before on September 7^th . Casino operations were unaffected, but it warned millions of customers that their personal information like driver’s license and Social Security numbers of loyalty-rewards members may have been compromised.

Although systems were fully restored at MGM, recent customers are still unsure of the extent of the attack and how much of their personal data may have been compromised. MGM advised guests to monitor their credit and financial accounts for any suspicious activity, especially those with a MGM Rewards Mastercard.

A class action lawsuit was filed against the company alleging that MGM Resorts was negligent and gained unjust enrichment from failing to protect their data.

Apparently, the house doesn’t always win. One analyst predicts that MGM is looking at a $4.2 million to $8.4 million loss because of the cyberattack. The incident shows that companies shouldn’t gamble with cybersecurity.