Database Security Digest – January 2019

Database Security Digest – January 2019
Please take a look at the biggest database security incidents in January 2019.

Tower of Salem

While other people were enjoying their Christmas holidays more than 7.5 million players of a famous online game Tower of Salem have been affected by a data leak caused by the developers of the game BlankMediaGames(BMG).

DeHashed, a hacked database search engine provider, said in a blog post that it had received an anonymous email offering a full trove of just breached data.

The company declared that the accident happened because of a local file inclusion/remote file inclusion vulnerability.

The leaked data includes but not limited to: usernames, emails, passwords, IP addresses, all in-game activity and, more importantly, payment information. The total row count is: 8,388,894, with 7,633,234 unique email addresses.

Luckily, BMG doesn’t store payment and bank card information, but the hacked information above could be easily used to unleash follow-on phishing attempts.

It took BlankMediaGames a few days to address the incident. The company apologized to all its customers, blaming the “terrible timing” of the hack.

202 Million CVs

A simple BinaryEdge or Shodan search may bring very interesting results. For example, a huge MongoDB database containing detailed CVs for over 202 million job-seekers from China.

The huge 854GB trove contained data on 202.7 million Chinese individuals looking for a job. The sensitive data included mobile phone number, email, marriage status, children, information on political views, height, weight, driver license, literacy level, salary expectations and other personal information. Cybercriminals can easily use and will use this information in well-planned phishing attacks.

The origin of the data is not known but some IT security researchers believe that all this information was scraped from third-party CV sites. Others believe that this data is coming from a GitHub repository which contained a web app source code with look-alike pattern as those used in the leaked resumes.

This database was secured shortly after information on it was made public of Twitter, but is unknown for how long it has been laying there fully exposed. The IT security researches say it may have been accessed by at least a dozen IPs.

Google Fined According to GDPR

In France Google has been fined €50m ($57m, £44m) in accordance with the GDPR regulatory requirements. That happened because the company failed to notify how their data is used.

CNIL, the French regulator, imposed the fine after complaints by two rights, noyb and La Quadrature du Net (LQDN).

CNIL says it has observed two breaches of the General Data Protection Regulation (GDPR).

Security updates for databases

Oracle

https://nvd.nist.gov/vuln/detail/CVE-2019-2547
https://nvd.nist.gov/vuln/detail/CVE-2019-2548
https://nvd.nist.gov/vuln/detail/CVE-2019-2549
https://nvd.nist.gov/vuln/detail/CVE-2019-2550
https://nvd.nist.gov/vuln/detail/CVE-2019-2552
https://nvd.nist.gov/vuln/detail/CVE-2019-2553
https://nvd.nist.gov/vuln/detail/CVE-2019-2554
https://nvd.nist.gov/vuln/detail/CVE-2019-2555
https://nvd.nist.gov/vuln/detail/CVE-2019-2545
https://nvd.nist.gov/vuln/detail/CVE-2019-2546

MS SQL Server

https://nvd.nist.gov/vuln/detail/CVE-2019-2529
https://nvd.nist.gov/vuln/detail/CVE-2019-2537
https://nvd.nist.gov/vuln/detail/CVE-2017-18359
https://nvd.nist.gov/vuln/detail/CVE-2019-6799

MySQL

https://nvd.nist.gov/vuln/detail/CVE-2018-14704
https://nvd.nist.gov/vuln/detail/CVE-2018-15719
https://nvd.nist.gov/vuln/detail/CVE-2018-17957
https://nvd.nist.gov/vuln/detail/CVE-2019-2420
https://nvd.nist.gov/vuln/detail/CVE-2019-2434
https://nvd.nist.gov/vuln/detail/CVE-2019-2435
https://nvd.nist.gov/vuln/detail/CVE-2019-2436
https://nvd.nist.gov/vuln/detail/CVE-2019-2455
https://nvd.nist.gov/vuln/detail/CVE-2019-2481
https://nvd.nist.gov/vuln/detail/CVE-2019-2482

SAP HANA

https://nvd.nist.gov/vuln/detail/CVE-2019-0243

Amazon Aurora

https://nvd.nist.gov/vuln/detail/CVE-2017-5754

Google Cloud SQL

https://nvd.nist.gov/vuln/detail/CVE-2019-3576

Apache Hive

https://nvd.nist.gov/vuln/detail/CVE-2018-17189

Vertica

https://nvd.nist.gov/vuln/detail/CVE-2018-20725
Download free 30 days Trial