Original Release Date: 7/30/2020
An extraordinary number of breaches have been disclosed this week. At least eighteen of these breaches were exposed after companies’ databases were leaked and offered for free on a hacker forum by a threat actor known as ShinyHunters. So far, 386 million user records have been exposed in this list alone. Additionally, a GitHub public repository of leaked source code has been discovered affecting large corporations such as Microsoft, Disney, and Adobe, to name a few. These breaches were largely due to misconfigurations in the companies’ infrastructure and could have been avoided.

Breaches can be caused by internal threats, such as misconfigured databases or cloud servers, and external threats, such as hackers. Leaked data often contains various forms of PII, which can be used by threat actors to conduct future attacks, including credential-stuffing attacks, business email compromise (BEC), phishing, smishing, vishing, financial theft, and identity theft.

Individuals impacted by these breaches are urged to take proactive measures to safeguard themselves against cyber-attacks, immediately change exposed passwords across all accounts that use the same password, and enable multi-factor authentication, where available. Additional resources can be found in the NJCCIC Alert "Identity Theft: The Aftermath of Compromised Information" and the Informational Report "Freezing Your Credit".

Below is a list of some of the companies impacted by the ShinyHunters data leak, as well as additional breaches disclosed this week.
| Affected Company | Estimated | |
| --- | --- | --- |
| | 7.5 million | Hashed passwords, names, email addresses, dates of birth, physical addresses, phone numbers |
| | 22.1 million | Email addresses, names, gender, geographic location, hashed and decrypted passwords |
| | 70,000 | Names, email addresses, physical addresses, phone numbers, dates of birth, medications, health insurance information |
| | 19 million | (both customers and employees affected) Names, phone numbers, dates of birth, email addresses, physical addresses, GPS coordinates, security tokens, OAuth tokens, internal logs, account settings, technical server information |
| | 278,000 | Names, email addresses, last four digits of credit/debit cards, order history, other shopping-related data |
| | 2.5 million | Email addresses, dates of birth, hashed passwords, delivery addresses |
| | 1 million students | GPA scores, unofficial transcripts, ACT, SAT, and PSAT scores, student IDs, student and parents’ names, physical addresses, phone numbers, email addresses, pictures and videos, recruiting material |
| | 700,000 | Transcripts, injury reports, names, dates of birth, Social Security numbers, Driver’s License number/State ID numbers, student ID numbers, passport numbers, other ID numbers, financial account information, payment card information, mother’s maiden names, birth certificates, email credentials, electronic signatures, health insurance information, medical information |
| | 17,000 | Slack personal and workspace credentials |