Database Security Digest – January 2019
Please take a look at the biggest database security incidents in January 2019.
Tower of Salem
While other people were enjoying their Christmas holidays, more than 7.5 million players of the famous online game Tower of Salem were affected by a data leak caused by the developers of the game, BlankMediaGames (BMG).
DeHashed, a hacked database search engine provider, said in a blog post that it had received an anonymous email offering a full trove of freshly breached data.
The company declared that the incident happened because of a local file inclusion/remote file inclusion vulnerability.
The leaked data includes, but is not limited to: usernames, emails, passwords, IP addresses, all in-game activity and, more importantly, payment information. The total row count is 8,388,894, with 7,633,234 unique email addresses.
Luckily, BMG doesn’t store payment and bank card information, but the hacked information above could be easily used to unleash follow-on phishing attempts.
It took BlankMediaGames a few days to address the incident. The company apologized to all its customers, blaming the “terrible timing” of the hack.
202 Million CVs
A simple BinaryEdge or Shodan search may bring very interesting results. One example is a huge MongoDB database containing detailed CVs for over 202 million job-seekers from China.
The huge 854GB trove contained data on 202.7 million Chinese individuals looking for a job. The sensitive data included mobile phone number, email, marriage status, children, information on political views, height, weight, driver license, literacy level, salary expectations and other personal information. Cybercriminals can easily use, and will use, this information in well-planned phishing attacks.
The origin of the data is not known, but some IT security researchers believe that all this information was scraped from third-party CV sites. Others believe that the data comes from a GitHub repository which contained the source code of a web app with patterns resembling those used in the leaked resumes.
The database was secured shortly after information on it was made public on Twitter, but it is unknown how long it had been lying there fully exposed. The IT security researchers say it may have been accessed by at least a dozen IPs.
Google Fined According to GDPR
In France, Google has been fined €50m ($57m, £44m) in accordance with the GDPR regulatory requirements. That happened because the company failed to notify users how their data is used.
CNIL, the French regulator, imposed the fine after complaints by two rights groups, noyb and La Quadrature du Net (LQDN).
CNIL says it has observed two breaches of the General Data Protection Regulation (GDPR).
Security updates for databases
Oracle
https://nvd.nist.gov/vuln/detail/CVE-2019-2547
https://nvd.nist.gov/vuln/detail/CVE-2019-2548
https://nvd.nist.gov/vuln/detail/CVE-2019-2549
https://nvd.nist.gov/vuln/detail/CVE-2019-2550
https://nvd.nist.gov/vuln/detail/CVE-2019-2552
https://nvd.nist.gov/vuln/detail/CVE-2019-2553
https://nvd.nist.gov/vuln/detail/CVE-2019-2554
https://nvd.nist.gov/vuln/detail/CVE-2019-2555
https://nvd.nist.gov/vuln/detail/CVE-2019-2545
https://nvd.nist.gov/vuln/detail/CVE-2019-2546
MS SQL Server
https://nvd.nist.gov/vuln/detail/CVE-2019-2529
https://nvd.nist.gov/vuln/detail/CVE-2019-2537
https://nvd.nist.gov/vuln/detail/CVE-2017-18359
https://nvd.nist.gov/vuln/detail/CVE-2019-6799
MySQL
https://nvd.nist.gov/vuln/detail/CVE-2018-14704
https://nvd.nist.gov/vuln/detail/CVE-2018-15719
https://nvd.nist.gov/vuln/detail/CVE-2018-17957
https://nvd.nist.gov/vuln/detail/CVE-2019-2420
https://nvd.nist.gov/vuln/detail/CVE-2019-2434
https://nvd.nist.gov/vuln/detail/CVE-2019-2435
https://nvd.nist.gov/vuln/detail/CVE-2019-2436
https://nvd.nist.gov/vuln/detail/CVE-2019-2455
https://nvd.nist.gov/vuln/detail/CVE-2019-2481
https://nvd.nist.gov/vuln/detail/CVE-2019-2482