Bitglass Security Spotlight: Over 200k Instacart Users’ Data Is Being Sold on Dark Web

Here are the top stories of recent weeks:

• Instacart Customer Data for Sale on Dark Web
• 17 Million users exposed on SaaS platform
• First American Financial Corp. Charged Over 2019 Breach
• COVID-19 Research Data Hacked by Chinese Contractors
• University of York, the Latest Victim of a Data Breach

Instacart Customer Data for Sale on Dark Web

As of Wednesday, the 22nd of July, over 200k Instacart user accounts have been for sale on the dark web. However, Instacart is known to have millions of customers across the US and Canada. It is reported that the data includes names, the last four digits of credit card numbers, and order histories. The company stated that it wasn’t aware of any data breach at this time, however, the PII for sale is dated as recently as July of this year. In regards to remediation steps, users were recommended to change passwords, utilize a password manager, and enable two-factor authentication.

17 Million users exposed on SaaS platform

CouchSurfing, a SaaS startup that provides free lodging for platform users, reported a data leak that rendered over 17 million user accounts. Malicious actors took to Telegram to sell the breached data and is reportedly selling it for $700. The data includes user details such as user IDs, real names, email addresses, and account settings. It is likely that CouchSurfing is hosted on AWS and oftentimes organizations get exposed here, accidentally, due to misconfigured S3 buckets. 

First American Financial Corp. Charged Over 2019 Breach

Approximately 885 million records related to mortgage deals going back to 2003, were exposed in a massive data leak, in the fall of 2019. Regulators in New York charged the corporation in their first ever cybersecurity enforcement action and are expecting steep financial penalties. As mentioned in a previous BSS blog, First American’s website exposed over 16 years worth of digitized mortgage title insurance records–including bank account numbers and statements, mortgage and tax records, Social Security numbers, wire transaction receipts, and drivers license images. The hearing on the charges alleged by the DFS is scheduled for Oct. 26, 2020.

COVID-19 Research Data Hacked by Chinese Contractors

Two Chinese nationals have been indicted for hacking COVID-19 data in a decade-long cyber espionage campaign. The two individuals are being accused of targeting defense contractors, COVID researchers and hundreds of other victims worldwide. Li Xiaoyu and Dong Jiazhi, who have been identified as Chinese government contractors, stole terabytes of weapons designs, drug information, software source code, and personal data from targets that included dissidents and Chinese opposition figures.

University of York, the Latest Victim of a Data Breach

Students and staff members of the University of York have been affected in a recent cyberattack, due to an unsecure third party cloud service provider. According to the university, names, titles, genders, dates of birth, student numbers, phone numbers, email addresses, physical addresses, and LinkedIn profile records may have been taken. In addition, course information, qualifications received, details surrounding extracurricular activities, professions, employers, survey responses, and both documented alumni and fundraising activities may have been exposed.