Cybersecurity news headlines for September 1-30, 2019
This month’s edition of cybersecurity news headlines is all about data breaches and leaks. Food delivery service DoorDash suffered a data breach affecting 4.9 million users, the majority of Ecuador’s population had their data leaked, the phone numbers of 419 million Facebook users were found stored on an unsecured database, and two Lion Air companies suffered a breach involving 35 million customers.
In no particular order, here are the data leaks and breaches that made the biggest headlines.
DoorDash reveals data breach affecting 4.9 million customers, drivers and merchants
On-demand food delivery service DoorDash revealed a data breach that affects 4.9 million customers, drivers and merchants. The breach took place on May 4, 2019, but it took 5 months for the company to notice.
Not much information has been provided and the incident is still under investigation, but according to the company, an unauthorized third party accessed DoorDash user data and stole the information of 4.9 million users, including customers, drivers and merchants.
According to the breach notification posted on the company’s blog, 4.9 million users who joined before April 5, 2018 had their profile information (name, email address, delivery address, order history, phone number, hashed and salted password) stolen, a number of users had the last four digits of their payment cards accessed, and some number of Dashers and merchants had the last four digits of their bank account numbers revealed. Furthermore, 100,000 Dashers had their driver’s license numbers stolen.
The company is notifying affected users, but there is not much users can do. They are advised to change their passwords, but this will only protect their accounts. It does not change the fact that their highly sensitive information has been stolen by an unknown hacker.
An unsecured database leaks 20.8 million Ecuadorian citizen records
A misconfigured database leaked the personal information of millions of Ecuadorian citizens, including 6.7 million children. The database was discovered by security researchers Noam Rotem and Ran Locar of vpnMentor, who shared their discovery with news website ZDNet.
The database in question, an Elasticsearch server, contained around 20.8 million user records, and included duplicate and old records, as well as those of the deceased, which is why the number of records is larger than Ecuador’s population of 16.6 million people. The leak is considered to be the biggest breach in the country’s history. The database was taken offline after vpnMentor contacted the Ecuador Computer Emergency Response Team.
ZDNet reports that the data contained information such as names, family members/trees, civil registration data, financial and work information, and also information on car ownership. The data seems to have been gathered from both government sources and private databases. The most worrying part of this leak is that the database contained records of 6.77 million citizens under 18 years old.
Citizens’ full names, dates of birth, places of birth, home addresses, phone numbers, marital status, national ID numbers, and work and education related information seem to have been collected from the Ecuadorian government’s civil registry. According to ZDNet, the database was up to date, with information as recent as 2019. Reportedly, the database even contained records of the country’s president and Julian Assange, the founder of WikiLeaks, who once received political asylum in Ecuador.
The database also contained financial records of some citizens, including account status, balance, credit type, job details and other information. Furthermore, the database had information on car owners, such as their car models and license plates.
The owner of the database was revealed to be Novaestrat, a data analytics company. After the leak became public, an investigation was launched and Ecuadorian authorities arrested Novaestrat’s executive. Ecuador’s government also sped up the process of passing a new data privacy law.
Not only did the company expose highly sensitive information of essentially the whole country’s population, but according to Ecuadorian officials, the company was not supposed to have the data in the first place. It is not yet known how exactly the company managed to obtain the information.
Unprotected database found to contain 419 million phone numbers connected to Facebook accounts
An unprotected database containing 419 million phone numbers linked to Facebook accounts was discovered earlier this month. The database was not password protected, meaning anyone could access it. According to news website TechCrunch, which broke the story, out of 419 million records, 133 million were of US-based Facebook users, 18 million were of users in the UK, and more than 50 million were of Vietnam-based users. The records contained users’ Facebook IDs and phone numbers. An ID number can easily be traced back to a Facebook account’s username.
More than a year earlier, Facebook scrapped the feature that allowed users to search for someone with a phone number. While phone numbers are no longer public, it is believed that the phone numbers in the database were collected via that feature.
“This data set is old and appears to have information obtained before we made changes last year to remove people’s ability to find others using their phone numbers,” Facebook’s spokesperson Jay Nancarrow told TechCrunch.
The database was pulled offline after TechCrunch contacted the web host. However, it is not known who the database belongs to or why the phone numbers were collected in the first place. Users who had their phone numbers exposed are now at increased risk of SIM-swapping attacks. In order to bypass two-factor authentication/verification, attackers can trick mobile phone service providers into transferring someone’s phone number to them. Such attacks are becoming a major issue, to the point where security specialists advise against using SMS for two-factor authentication. Authentication apps would be a better option.
35 million Lion Air passenger records leaked
Two databases circulating on data exchange forums were found to contain records of customers of two airlines owned by Lion Air. One database contains 21 million records, while the other has 14 million. The airlines in question are Malindo Air and Thai Lion Air, both of which belong to Lion Air. A third Lion Air company, Batik Air, is also suspected to be affected by the breach. The records were stored in an Amazon bucket.
The databases contain names, passenger and reservation IDs, home addresses, phone numbers, email addresses, dates of birth, passport numbers and their expiration dates.
Malindo Air acknowledged the breach and released a statement about the incident.
“Malindo Air has put in adequate measures to ensure that the data of our passengers is not compromised in line with the Malaysian Personal Data Protection Act 2010. We also do not store any payment details of our customers in our servers and are compliant with the Payment Card Industry (PCI) Data Security Standard (DSS).
We are in the midst of notifying the various authorities both locally and abroad including CyberSecurity Malaysia. Malindo Air is also engaging with independent cybercrime consultants to investigate and report into this incident,” the statement reads.
The airline later revealed that the breach was caused by two individuals working for its e-commerce provider GoQuo (M) Sdn Bhd in India. The individuals had improperly accessed customers' personal data. The company notes that the incident was not caused by issues in its system, and reassures users that payment details were not compromised. Nevertheless, customers should be wary of unsolicited calls or emails asking for personal information.