Bitglass Security Spotlight: Facebook stores countless passwords in plaintext

Here are the top cybersecurity stories of recent weeks: 

• Facebook stores countless passwords in plaintext

• Toyota struck twice by cyberattacks within five weeks

• Information on 2.3 million disaster victims exposed

• Tracking application leaks real-time locations

• Dental insurance carrier suffers a month-long breach

  Facebook stores countless passwords in plaintext

  A routine security review revealed that Facebook had stored ‘hundreds of millions’ account passwords in plaintext for years. The data was accessible to about 2,000 engineers and developers. The social media platform blames the misstep on a bug, but claim that they are still unsure how it happened. Consequently, one-fifth of the company’s users could be affected, which raises another concern on Facebook’s list of security issues. Also, the incident was not confirmed until months later, and the matter is still under investigation.

  Toyota struck twice by cyberattacks within five weeks

  Recently, hackers were able to infiltrate Toyota’s database for the second time. The first attack was confirmed to be APT32, a Vietnamese hacker group that usually concentrates on the automotive industry. Toyota has not confirmed that APT32 is responsible for the second attack, but they have confirmed that the hackers accessed the stored information of up to 3.1 million Toyota and Lexus customers. The Japanese manufacturer has not confirmed what the attackers had access to, but they mentioned that customer financial details were not part of the compromised data. Toyota has stated that they will be conducting an internal audit to pinpoint their security vulnerabilities.

  Information on 2.3 million disaster victims exposed

  A government report revealed that the Federal Emergency Management Agency
  (FEMA) shared the personally identifiable information (PII) of 2.3 million survivors of recent natural disasters. The data came from a FEMA sheltering program . The government agency usually sends necessary information to its contractors, but about 33 data points were shared, including addresses, banks that victims used, and other financial data. Most of the information shared was not essential for the rescue operation, which put victims, who are already vulnerable, at risk.

  Tracking application leaks real-time locations

  Family Locator, a widely used application that allows users to locate their families in real time, left their server publicly available. Anyone who knew where to find the online database could access the data without a password. Additionally, the information was not encrypted, so someone that accessed the data could read the information in plain text. The server contained usernames, email addresses, and passwords. Some records displayed the real-time locations of users, some of them being children. No timeline has been established as to how long the database had been online.  

  Dental insurance carrier suffers a month-long breach
  Superior Dental Care discovered that their patients’ PII had been accessed illicitly via an employee email account. The dental insurance carrier wasn’t aware of the initial hack, so the attackers could have viewed the data repeatedly. Superior Dental Care finally detected the attack one month later and has since been working on strengthening its security system.

   To learn about cloud access security brokers (CASBs) and how they can protect your enterprise from data leakage, misconfigurations, and more, download the Definitive Guide to CASBs below.