Breach Report – March 2019
Welcome back to our monthly overview of major cyberattacks from around the world as well as the latest tips and hottest topics in cybersecurity.
Security Topics of the Month
Data Leaks Dangerous for Password Re-users
Stolen user data from the MyFitnessPal and Coffee Meets Bagel data breaches has recently popped up for sale on the Dark Web. All users were required to change their passwords after the breaches, so the stolen credentials are no longer valid on the sites.
But if you’re one of the 25 percent of employees who use the same password for pretty much everything, these leaked credentials could be a serious problem. A Dark Web buyer could cross-reference breached email addresses with previous hacks to see if someone reused a password.
It’s vitally important to regularly change your passwords and use a unique password for every site you log in to.
5 Tips for Upgrading Your Data Security
ITProPortal shares 5 steps for preventing data breaches and protecting your company’s information:
- Create a workplace culture that values cybersecurity
- Install system and software updates regularly
- Encrypt data
- Back up your data
- Test, test, test your cybersecurity measures
Zero Trust: Protecting Your Business From Its Own Users
Phishing attacks are becoming so sophisticated they can fool even web browsers and experienced users. How can a responsible organization protect itself?
The answer is the Zero Trust principle – “trust no one, verify everything.” This approach requires every person and/or device to be validated and authenticated to access each resource on the network.
That takes care of your organizational data, but what about web browsing? Zero Trust says: “what you can’t authenticate, isolate.” In other words, assume no site can be trusted. Using remote browser isolation (RBI) lets employees visit the sites they need, while keeping all content safely away from endpoints and networks.
The Month in Breach
Dunkin’ Donuts Gets Stuffed
On February 12th, Dunkin’ Donuts announced that it suffered a credential stuffing attack back in January. This news comes just a few months after the company fell victim to a similar attack on October 31, 2018.
This credential stuffing attack leveraged previously leaked usernames and passwords to breach DD Perks rewards accounts. The exposed accounts contain personal information such as first and last names, email addresses, 16-digit account numbers, and QR codes.
While these credentials are useful for orchestrating further cyberattacks, the hackers weren’t just after this personal info. They’re also selling access to the accounts on the Dark Web so buyers can cash out on reward points they didn’t earn.
American Consumers Fall Prey to Massive Malvertising Campaign
Over Presidents Day weekend (Feb. 16-18), the eGobbler group launched a major malvertising campaign targeting U.S. users that garnered more than 800 million impressions. Users who clicked on the ads were redirected to a wide range of phishing sites that tried to trick them into entering personal details, including financial information.
With the information collected, cyber criminals can conduct spear phishing email campaigns or sell the stolen credentials on the Dark Web.