Database Security Digest – November 2018
Voxox, a San Diego communications provider, has leaked a database containing at least 26 million text messages, most of which are password reset links, two-factor authentication codes and shipping notifications.
The database was not password protected, which exposed personal sensitive data, phone numbers, two-factor authentication code messages, etc. What made this data leak more dangerous is that the messages were being exposed in near real time.
Such information is very useful for criminals engaged in account hijacking. The main reason for this data exposure is that the database wasn’t protected with a password, and password protection is the first step in securing data.
It’s impossible for humans to continuously monitor all proprietary IT assets. Only a machine can do that! DataSunrise Database Security Suite has several modules that can do that and much more! Please download your trial version right now!
US Postal Service
60 million account details of US Postal Service customers have been exposed due to an API vulnerability.
USPS offered businesses a service called “Informed Visibility”, which allowed them to get tracking data on packages in near real time. Along with this information, however, the API also enabled anyone logged into the company's official website to query the account details of any other user of the website and even change some sensitive information.
According to researchers, any potential cybercriminal could get access to email addresses, usernames, user IDs, account numbers, street addresses and phone numbers.
The researchers also say that the API developers forgot to add a key element of cybersecurity when designing the API: access controls.
USPS claims that the potential data exposure has not been used in any criminal endeavor and that it is taking this incident very seriously.
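The missing control described above is an object-level authorization check: being logged in is not the same as being allowed to read or change a given account. As an added example (not USPS code; the account store, `Session` type and function names are hypothetical), here is a handler that checks only authentication beside handlers that also check ownership:

```python
from dataclasses import dataclass

# Constructed sample data: two accounts owned by different users.
ACCOUNTS = {
    101: {"owner": "alice", "email": "alice@example.com", "phone": "555-0100"},
    102: {"owner": "bob", "email": "bob@example.com", "phone": "555-0199"},
}
EDITABLE_FIELDS = {"email", "phone"}  # fields a user may change on their own account

class Forbidden(Exception):
    """Raised when the caller is not allowed to touch the requested object."""

@dataclass(frozen=True)
class Session:
    user: str            # identity established by the login layer
    authenticated: bool

def get_account_unsafe(session, account_id):
    """The flaw as described: only authentication is checked."""
    if not session.authenticated:
        raise Forbidden("login required")
    return ACCOUNTS[account_id]  # any logged-in user can read any account

def _authorize(session, account_id):
    """Object-level check: the caller must own the requested account."""
    if not session.authenticated:
        raise Forbidden("login required")
    account = ACCOUNTS.get(account_id)
    # Same error for "missing" and "not yours", so valid IDs cannot be enumerated.
    if account is None or account["owner"] != session.user:
        raise Forbidden("not authorized for this account")
    return account

def get_account(session, account_id):
    account = _authorize(session, account_id)
    return {k: v for k, v in account.items() if k != "owner"}

def update_account(session, account_id, changes):
    account = _authorize(session, account_id)
    unknown = set(changes) - EDITABLE_FIELDS
    if unknown:  # allowlist: ownership and other internal fields stay read-only
        raise ValueError(f"fields not editable: {sorted(unknown)}")
    account.update(changes)
    return get_account(session, account_id)
```

The ownership check sits in one helper that both the read and the write path call, so a new endpoint cannot skip it by accident.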
Atrium Health, a healthcare and wellness program provider, formerly known as Carolinas HealthCare Systems, has made an announcement about a massive data breach. After the company’s third-party vendor AccuDoc was hacked, Atrium Health announced that about 2.65 million patient records had been potentially compromised. The exposed data includes the patients’ insurance details, medical record numbers, invoice numbers, addresses, dates of birth and social security numbers.
IT security researchers say that third-party risk management is a very important problem nowadays. Your company's database protection can be very efficient, but when it comes to sharing proprietary data with third parties, big problems may arise. So companies should be very careful when choosing a vendor or partner, or when expanding their business.
A forensic investigation has been started by both companies.
Marriott, the famous hotel chain, has confirmed that sensitive details of 500 million of its customers have possibly been compromised.
In its official statement, the company says that in September 2018 Marriott was alerted by its internal security tool to an attempt to access one of its guest reservation databases. The company immediately started an investigation to understand what was happening.
Marriott soon learned that somebody had had unauthorized access to its internal network since 2014. The accessed information had been copied and encrypted, and some steps had been taken to remove the information. In November 2018 the company was finally able to decrypt the information.
The company fears that up to approximately 500 million guests who made a reservation may be in the exposed database. The data includes the following: names, mailing addresses, phone numbers, emails, passport numbers, customer account information, dates of birth, gender, arrival and departure information, reservation dates, and communication preferences.
Security updates for databases
MS SQL Server: https://nvd.nist.gov/vuln/detail/CVE-2018-18982
MS SQL Azure: https://nvd.nist.gov/vuln/detail/CVE-2018-8600