The Month in Hacks: September 2017

Equifax hack compromises the information of 143 million consumers, Vevo suffers after alleged employee message, and Bluetooth flaw exposed. It's all this and more in The Month in Hacks.

Equifax breach exposes the information of 143 million consumers

In one of the largest and most publicized breaches in recent memory, a hack at the credit reporting agency Equifax compromised sensitive information of 143 million American and Canadian consumers. The revealed data includes names, birth dates, addresses, Social Security numbers, and driver's license numbers. While other attacks, like the Yahoo hacks, have affected more consumers, the severity of this attack is worse due to the nature of the information stolen.

Since the hack was revealed, the CEO of Equifax has stepped down, and the company faces legal retribution. After an initial response that was condemned by many, Equifax provided a free service that allows consumers to view if their account was affected, and made their credit protection service free for one year.

SVR Tracking leak allows hackers to track cars' locations and movements

Over 500,000 login credentials for the vehicle tracking device company SVR tracking have been leaked online, compromising the personal data and vehicle details of drivers and businesses. The leaked information could allow hackers to view the GPS location of every car attached to one of the compromised accounts.The information was stored on an unsecured Amazon Web Server cloud storage bucket, meaning that anyone could access the data. The server has since been secured, but SVR has not provided any information to users about the hack or how to secure their information.

Artist notes and unreleased videos released after OurMine's Vevo hack

OurMine, the hacking group behind the recent HBO and WikiLeaks hacks, leaked over 3 TB of internal files from the video streaming service, Vevo. Released files included internal documents, videos, notes on artists, and promotional materials.

The hackers were able to access the files through a LinkedIn phishing scam. OurMine claimed that they weren't planning on releasing the information - originally, they notified Vevo of the breach privately. When an employee responded, “F*** off, you don't have anything,” the hackers went public with the files. The files are no longer online after “a request from Vevo,” according to the OurMine website.

Syringe infusion Pump vulnerabilities allows hackers to remotely control doses

The IoT Medfusion 4000 Wireless Syringe Infusion Pump, manufactured by Smiths Medical, has been found to have eight security vulnerabilities, enabling hackers to access and control the pumps' communications and therapeutic modules. If successfully accessed, hackers could change the dosage administered by the machine, resulting in a potentially fatal dosage.

The pumps are used for remotely delivering small doses of medications to those in critical care, including for patients in neonatal and pediatric care, as well as those in the operating room. Since patches haven't been released yet, it is recommended that healthcare organizations install the pumps on isolated networks and implement secure password practices.

PC-Wahl voting software vulnerabilities may compromise German election integrity

Researchers from a German hacking group discovered several critical vulnerabilities in PC-Wahl, the software that is used to capture, count, and transfer the votes from local polling centers to the state level during German elections. The researchers stated that the vulnerabilities are easily exploitable and that “elementary principles of IT security were not heeded.

The group claimed that the vulnerabilities could be exploited to change total vote counts during an election. The manufacturer of the voting machines claims that the allegations are false and that the software is secure.

28 million Taringa user's information exposed in breach

Taringa, known as the Latin American Reddit, was targeted by hackers. As a result of the hack, the login details of almost all of the site's 28 million users have been compromised. While the leaked passwords were encrypted, the method of encryption was weak, allowing 94% of the passwords to be decrypted in a few days.

Information revealed in the hack contained usernames, passwords, and email addresses of users. After discovering the breach, Taringa posted a blog detailing the hack and sent a password reset link to all users. Security best practices would also include offering users two-factor authentication for their accounts.

Bluetooth flaw allows hackers to gain control of Bluetooth-enabled devices

Security researchers recently discovered eight vulnerabilities in Bluetooth protocol, impacted more than 5.3 billion devices, including Android, iOS, Windows, and Linux. The vulnerabilities allow hackers to gain control of Bluetooth-enabled devices, spread malware, and access critical data.

The hackers can only access devices that have Bluetooth turned on and are close to the hackers physical location. However, once infiltrating one device, hackers than then access any other Bluetooth-enabled devices close to the compromised phone.  Google and Microsoft have already released patches to fix the vulnerabilities, and Apple users with the recent iOS (10.x) are safe.

Talk To An Expert

Interested in learning about how TeleSign's identity and engagement solutions can prevent fraud while fostering secure and global growth for your business? Let's chat.