Cybersecurity news headlines 1-15 February
In this edition of cybersecurity news headlines, we talk about cryptocurrency exchange QuadrigaCX and how it is unable to access $145 million in funds, Russia’s test of disconnecting from the internet, the Dunkin’ Donuts credential stuffing attack, and dating app Coffee Meets Bagel’s data breach.
$145 million funds frozen after death of cryptocurrency exchange CEO
Cryptocurrency exchange service QuadrigaCX has found itself in quite a pickle after the person with sole access to the company’s cold wallets suddenly died. Roughly $145 million worth of users’ cryptocurrency is stored in those offline wallets, in what is believed to be a security measure that would prevent hackers from gaining unauthorized access to funds. The CEO had sole access to the cold wallets, and now no one can access roughly 26,000 Bitcoin, 11,000 Bitcoin Cash, 200,000 Litecoin, over 400,000 Ether and other cryptos.
While CEO Gerry Cotten died in December 2018, his death was not noticed by users until about a month ago, when his wife Jennifer Robertson released a statement announcing his passing. She also said neither she nor anyone on the QuadrigaCX team can access the laptop which Cotten used for managing the company’s business. According to reports, a consultant has been hired to break into the laptop but has yet to succeed. With no access to the wallets, thousands of QuadrigaCX users are unable to retrieve their money.
Understandably, a lot of QuadrigaCX users are frustrated, as they might not be able to get their money back. The CEO’s death is also being questioned, as some believe it may be a scam of some sort.
Russia’s planned test will disconnect the country from the Internet
Russian authorities and internet providers are preparing for an experiment that would briefly disconnect the entire country from the internet. The test would be carried out in preparation for a new law proposed in the Russian Parliament in December 2018, which aims to have all Russian traffic stay in the country, instead of being routed through points abroad. This would ensure that the Russian internet space can act independently in case the country is cut off from the rest of the internet by foreign aggressors.
During the experiment, traffic between Russian users will stay in the country, instead of being rerouted through servers abroad. The experiment is expected to be carried out before April 1, and will also test internet providers’ ability to direct data to routing points controlled by Russia’s telecom and internet regulator Roskomnadzor. Banned content would be blocked, and traffic would remain in the country.
While the law is expected to pass, internet providers disagree about the technical aspects of it all. The test should give internet providers feedback on how their networks would react and how to proceed with minimal inconvenience to consumers if Russia’s disconnect from the rest of the internet actually happens.
Dunkin’ Donuts suffers credential stuffing attack
Fast food restaurant Dunkin’ Donuts revealed that it has suffered a credential stuffing attack. A security notification was sent out to DD Perks reward program members, warning them that their accounts may have been accessed by unauthorized third parties. This is not the first time Dunkin’ Donuts has fallen victim to this kind of attack, with one reported a mere couple of months ago, in November 2018.
Credential stuffing attacks have become quite common, and many well-known companies (Reddit, DailyMotion, and even HSBC bank) have fallen victim. The way this kind of attack works is pretty simple. Attackers try different combinations of usernames and passwords leaked in various past data breaches to access the accounts. Since some users are in the habit of reusing passwords, such attacks can be successful in many cases.
The company was informed of the attack on January 10, 2019 by its security vendor, which was successful in stopping the attack for the most part. However, it is believed that some accounts were successfully accessed by attackers. While certain personal information is stored in the DD Perks accounts (full names, email addresses, as well as the 16-digit DD Perks account number and QR code), it does not seem that hackers were after the personal information, but rather the accounts themselves. Those accounts would be sold on Dark Net forums to people looking to use the discounts on the accounts.
An internal investigation has been launched and Dunkin’ Donuts is working with its security vendor to ensure that this kind of attack does not happen again. Furthermore, all possibly affected DD Perks accounts were forcefully logged out and had a password reset.
In order to avoid having your account accessed via a credential stuffing attack, you need to have a strong unique password. We cannot stress enough how important it is that you do not reuse passwords, particularly for important accounts. The more difficult the password is to remember, the better it is. If you have too many accounts to keep track of passwords, we recommend using a password manager.
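On the service side, the attack described above looks different from ordinary password guessing: one source tries many different leaked username/password pairs, usually once each, and most of them fail. The following is an added example, not part of the original article or any vendor's tooling; the log format, thresholds and sample events are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample login events: (timestamp_seconds, source_ip, username, success).
# IPs come from documentation ranges; nothing here is real traffic.
SAMPLE_EVENTS = (
    # One source, 40 different accounts, one try each, a single hit.
    [(i * 2, "203.0.113.7", f"user{i}@example.com", i == 17) for i in range(40)]
    # A legitimate user mistyping a password a few times.
    + [(5 + i * 10, "198.51.100.4", "alice@example.com", i == 3) for i in range(4)]
    # Classic brute force: many guesses against one account.
    + [(i * 3, "192.0.2.9", "bob@example.com", False) for i in range(30)]
)

SEVERITY = {"normal": 0, "brute_force": 1, "credential_stuffing": 2}


def analyze(events, window_s=300, min_attempts=20,
            min_distinct_users=15, max_success_ratio=0.1):
    """Label each source IP and list accounts that need a forced reset.

    Thresholds are illustrative assumptions, not tuned production values.
    """
    buckets = defaultdict(list)
    for ts, ip, user, ok in events:
        buckets[(ip, ts // window_s)].append((user, ok))

    labels, reset = {}, set()
    for (ip, _), attempts in buckets.items():
        users = {user for user, _ in attempts}
        hits = [user for user, ok in attempts if ok]
        label = "normal"
        if len(attempts) >= min_attempts:
            if len(users) < min_distinct_users:
                label = "brute_force"
            elif len(hits) / len(attempts) <= max_success_ratio:
                # Many accounts, mostly failing: reused leaked credentials.
                label = "credential_stuffing"
                # Logins that succeeded inside the burst are presumed taken over.
                reset.update(hits)
            # Many accounts with a high success rate (shared office NAT,
            # for example) stays "normal".
        labels[ip] = max(labels.get(ip, "normal"), label, key=SEVERITY.get)
    return labels, sorted(reset)


if __name__ == "__main__":
    print(analyze(SAMPLE_EVENTS))
```

The second return value is the list of accounts that logged in successfully during a stuffing burst, which are the ones to log out and reset, as Dunkin’ Donuts did.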
Dating app Coffee Meets Bagel reveals data breach
Online dating app Coffee Meets Bagel revealed on Valentine’s Day that a data breach exposed users’ user names and email addresses. The company became aware of the breach on February 11 when The Register reported on stolen accounts being sold on the dark web. According to The Register’s report, around 6 million Coffee Meets Bagel accounts were breached.
The email sent to users detailing the breach notes that since the company does not store payment information or passwords, only user names and email addresses prior to May 20 were stolen by hackers. The data was being sold on a Dark Net marketplace, along with data from 620 million accounts from MyFitnessPal, MyHeritage, Dubsmash, HauteLook, and others. While Coffee Meets Bagel only had user names and email addresses stolen, the data could still be used for credential stuffing or phishing attacks.
The company has employed forensic security experts to review its systems and infrastructure, and is auditing its vendor and external systems. Law enforcement has also been contacted.