The Month in Hacks: December 2017

Nissan and TIO Networks suffer data breaches, hackers steal 4,700 Bitcoins, and a massive unencrypted password database is found online. It's all this and more in The Month in Hacks.

1.13 Million Canadian Customers Potentially Affected by Nissan Finance Data Breach

Nissan announced in December that they had become aware of a data breach that occurred on December 11, targeting Nissan Canada Finance and INFINITI Financial Services Canada. The two branches are primarily responsible for helping customers finance their car purchases.

While the company doesn't know exactly what data was accessed, the hackers may have been able to access customers' names, home addresses, vehicle makes and models, VINs, credit scores, loan amounts, and monthly payments. Nissan doesn't believe that payment information was compromised, but is offering 12 months of free credit monitoring to all Canadian customers.

1.6 Million Customers' Data Revealed in PayPal Subsidiary Breach

TIO Networks, a cloud-based multi-channel bill payment processor that was acquired by PayPal this year, has discovered that their customers' data was likely compromised in a breach. While PayPal did not announce the data that was released or the customers that were affected, they are working with researchers to discover the source of the attack.

PayPal customers were not affected by the breach, as the data lives on a separate network. TIO Networks has shut down their services until further notice and is providing free credit monitoring to all customers for one year.

Collection of 1.4 Billion Plain Text Passwords Found Online

Researchers from the security firm 4iQ found a database on the dark web and torrenting sites that contains 1.4 billion plain text usernames and passwords. The information in the files did not come from one data breach - instead, credentials were leaked from Bitcoin, Pastebin, LinkedIn, Anti Public, Minecraft, Runescape, Redbox, Zoosk, YouPorn, Netflix, MySpace, and Badoo.

The database has been circulating on the dark web for most of December but received significantly more exposure when a link to the database was posted on Reddit. To avoid having their data compromised, users are advised to choose a different password for each site and to use hard-to-guess passwords.

300,000 WordPress Sites Targeted by Malicious Captcha Plugin

The popular WordPress plugin, Captcha, was recently sold by its developer to an undisclosed buyer. The buyer then modified the plugin, actively used by over 300,000 WordPress sites, to contain a malicious backdoor that allows hackers to gain administrative access to WordPress sites without authentication.

When the malicious code was discovered, WordPress pulled the plugin from their official plugin store. The developer is working with WordPress to patch the plugin, so all website administrators who use the plugin should update to the latest official Captcha version, 4.4.5.

Trojans Mimicking Porn and Antivirus Apps Can Physically Affect Phones

Several fake porn and antivirus applications have been found to contain Android malware that can mine cryptocurrencies and launch DDoS attacks. The trojan, called Loapi, performs so many background activities that it can cause a phone's battery to bulge out of the cover in two days.

The main purpose of Loapi seems to be to mine Monero, which is likely what causes the physical effect on the phone. The trojan mimics over 20 different adult-content apps and legitimate antivirus software apps, including AVG, Psafe, Kaspersky Lab, and Norton. The malicious apps are not available in the Google Play Store, so users are advised to only download apps from the official Play Store to protect their phones.

Pre-Installed Windows 10 Password Manager Contains Critical Vulnerability

Microsoft recently added a feature to Windows 10 that will install suggested third-party apps without asking for user permission. Recently, a researcher discovered that one of these apps, Keeper Password Manager, allows attackers to remotely steal your credentials. Any password stored in the app can be accessed by hackers due to a critical flaw.

Fortunately, there was no sign that the vulnerability had been exploited by hackers. While the Keeper developers fixed the flaw in the newest version of the app, researchers recommend that users avoid storing sensitive information on unverified third-party apps.

MoneyTaker Hackers Steal Over $11 Million in 18 Months

Researchers have recently discovered a group of Russian-speaking hackers, called MoneyTaker, that has been targeting financial institutions, banks, and legal firms in the U.S., U.K., and Russia over an 18-month period. The group has stolen nearly $10 million and taken sensitive documents that could be used as blackmail in future attacks.

The hacks started in May 2016 and mainly targeted small community banks in the U.S. that had limited cyber defenses. While the existence of the group has been confirmed, the individuals behind the attacks are still unknown.

Bitcoin Mining Marketplace Hacked, Losing Over $57 Million Worth of Bitcoin

The largest Bitcoin mining marketplace, NiceHash, has been targeted by hackers. On December 6, several NiceHash users reported that their wallets had been emptied. Shortly afterward, the service went offline and posted a note that there had been a security breach.

The hackers stole 4,700 Bitcoins, which, at the time, were worth $57 million. Due to the skyrocketing value of Bitcoin, that amount is worth $67 million at the time of publishing. While the attackers have not been identified, NiceHash encourages customers to change their passwords across all their frequently used sites. Two-factor authentication is also available on and recommended for many Bitcoin sites.

Keyboard App Releases Personal Information of 31 Million Users in Breach

Researchers have found an unencrypted database of personal information from 31 million AI.type users. The virtual keyboard app had been collecting personal data on its users, including their full name, phone number, email address, phone contacts, device details, mobile network name, country of residence, IP address, GPS location, birthdates, and photos on social media.

All of this information was released in the breach, which was due to a misconfigured MongoDB database. Users of the app had to grant permission for the app to fully access all the data stored on their phone upon installation.
