
Preventing 2022’s Application Security Fails: What We Can Learn

As the number of risks and security attacks grows, 2022 left us with a long list of incidents to learn from, each demonstrating the importance of prioritizing security. The following list covers significant incidents and failures from 2022.

Notable Data Breaches

2.5 Million Records Leaked from Student Loan Data Breach

In June 2022, a data breach at student loan servicer Nelnet resulted in the disclosure of more than 2.5 million individuals’ private information.

On August 17, 2022, the investigation concluded that from June until July 22, 2022, an unidentified third party had accessed student loan account registration data, including names, home and email addresses, phone numbers, and Social Security numbers, through a vulnerability in the web portal.

Optus Leak Exposed 11 Million People’s Medical and Personal Data

On September 22, 2022, the Australian telecommunications firm Optus had a severe data breach that exposed the personal information of 11 million users.

Customers’ names, dates of birth, phone numbers, email and home addresses, driver’s licenses and/or passport numbers, and Medicare ID numbers were among the data obtained.

After Optus declined to pay a ransom sought by the hacker, files containing this private information were shared on a hacking site. Victims of the attack also said that the alleged hacker called them and demanded they pay AU$2,000 (US$1,300) or their data would be sold to other malicious parties.

The Optus data breach happened because of an unsecured, publicly accessible API. The API did not require user authentication before allowing a connection to be established. With no authentication mechanism in place, anybody who found the API on the internet could connect to it without entering a username or password.

Twitter Accused of Hiding Data Breach Affecting Millions

On November 23, 2022, Los Angeles-based cyber security specialist Chad Loder posted about a Twitter data breach that impacted “millions” in the US and EU. Loder stated the data breach happened “no earlier than 2021” and “had not been notified previously”. Twitter had disclosed a data breach that compromised millions of user accounts in July 2022.

Loder said that unless the firm “lied” about the July incident, this “cannot” be the same breach. The November hack data is in a “totally different format” and involves “different impacted accounts,” according to Loder. Loder thought bad actors used the same vulnerability as the July intrusion.

A weakness in a Twitter application programming interface (API) allowed attackers to submit contact information, such as an email address, and retrieve the corresponding Twitter account. The flaw was exploitable from June 2021 until January 2022.
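The two API weaknesses above, an endpoint anyone could call without credentials and a lookup that maps a contact to an account, reduced to a small Python handler beside a hardened version. This is an added illustration, not code from the GuardRails post or from either company; the account data, token, and rate limit are constructed.

```python
import hashlib
import hmac

# Constructed sample data standing in for a customer database:
# contact -> (handle, user opted in to being found by contact?)
ACCOUNTS = {
    "alice@example.com": ("@alice", True),
    "+61400000001": ("@bob", False),
}
# Constructed API tokens, stored hashed so a leaked table is not a leaked key.
TOKEN_HASHES = {hashlib.sha256(b"tok-client-123").hexdigest(): "client-app"}
RATE_LIMIT = 3  # lookups allowed per caller (time-window handling omitted)


def lookup_vulnerable(params):
    """Optus/Twitter-style endpoint: no credential check, and the answer
    reveals whether a contact maps to an account (an enumeration oracle)."""
    match = ACCOUNTS.get(params.get("contact"))
    return {"status": 200, "account": match[0]} if match else {"status": 404}


class HardenedLookup:
    def __init__(self):
        self.calls = {}  # caller -> lookups so far

    def _caller(self, headers):
        """Return the caller name for a valid bearer token, else None."""
        auth = headers.get("Authorization", "")
        if not auth.startswith("Bearer "):
            return None
        digest = hashlib.sha256(auth[len("Bearer "):].encode()).hexdigest()
        for stored, caller in TOKEN_HASHES.items():
            if hmac.compare_digest(stored, digest):  # constant-time compare
                return caller
        return None

    def lookup(self, headers, params):
        caller = self._caller(headers)
        if caller is None:
            return {"status": 401}  # unauthenticated: reveal nothing
        self.calls[caller] = self.calls.get(caller, 0) + 1
        if self.calls[caller] > RATE_LIMIT:
            return {"status": 429}  # throttle bulk harvesting
        match = ACCOUNTS.get(params.get("contact"))
        if match and match[1]:
            return {"status": 200, "account": match[0]}
        # "Not registered" and "registered but not discoverable" look identical.
        return {"status": 200, "account": None}
```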

Notable 2022 Hacks

Hacking of Crypto.com

With the cryptocurrency industry booming, it was no surprise that Crypto.com was hit with a major hack at the beginning of 2022. On January 17, an incident compromised the bitcoin wallets of approximately 500 individuals.

Although blockchain transactions are generally considered secure, the attackers used a fairly straightforward technique: they bypassed the site’s two-factor authentication (2FA). Bitcoin and Ethereum worth a total of $18 million were stolen.

Crypto.com first dismissed the attack as an “incident” and denied any theft, but a few days later, the company provided further details and compensated those who had been impacted.

Red Cross Attacked

It seems unlikely that someone would target the Red Cross, yet that is exactly what happened in January 2022. More than half a million records, including those the Red Cross deemed “particularly susceptible,” were compromised in an attack on a third-party contractor.

Data belonging to thousands of individuals was compromised, and the majority of those affected are still missing or at risk. The Red Cross temporarily took its servers offline to halt the attack and investigate the apparent political motivation behind it, but the perpetrator has not yet been identified.

Chinese Hackers Compromise Telecoms and Other Systems

In early June, the US Cybersecurity and Infrastructure Security Agency (CISA) warned that Chinese government-backed hackers had compromised a number of key victims globally, including “important telecoms corporations.” According to CISA, they did so by exploiting known vulnerabilities in routers and other network equipment from vendors including Cisco and Fortinet. The warning did not name individual victims, but it did express concern about the findings and stressed the need for enterprises to strengthen their digital defenses, particularly when handling large amounts of sensitive user data.

“The alert describes the targeting and breach of key telecommunications corporations and network service providers,” according to CISA. “Over the previous years, a number of high-severity vulnerabilities for network devices presented cyber criminals with the ability to consistently exploit and obtain access to susceptible infrastructure equipment. Furthermore, these devices are often neglected.”

Separately, News Corp was likely infiltrated by hackers conducting Chinese espionage, in an incident disclosed on January 20. As part of the compromise, attackers gained access to journalists’ emails and other material. News Corp owns a number of high-profile news organizations, including The Wall Street Journal and its parent company, Dow Jones, the New York Post, and many Australian publications.

LastPass Compromised

Although there have been other data breaches this year, the recent hack at password management site LastPass has caused the most concern.

The potential damage has infosec Twitter alarmed: the firm is the industry leader in password management, and 33 million customers trust it with their credentials. With each new update, the hack looked more serious.

When LastPass originally reported in August that its servers had been hacked, it said there was “no proof” that users’ personal information or their encrypted password vaults had been compromised.

That changed during the holiday season, when LastPass revealed that hackers had broken into an employee’s cloud storage and stolen customers’ encrypted password vaults.

The company now claims that “it would take millions of years to guess your master password using widely available password-cracking technologies,” provided customers kept the original settings.

Conclusion

In 2022, several significant incidents demonstrated the growing risks and security threats, underscoring the importance of prioritizing security. They included notable data breaches and hacks affecting millions of users, and most could have been avoided through better security measures.

To avoid similar incidents, companies should prioritize data security, conduct regular security assessments, establish a secure software development lifecycle in which code is scanned for security issues at scale, and ensure that software and web portals carry up-to-date patches and fixes. Multi-factor authentication and strong password policies should be enforced, and companies should have incident response plans in place in case of a breach. Companies should also keep up to date with the latest vulnerabilities and cyber threats and train their staff to identify and avoid them.

By taking these measures, companies can reduce the risks of data breaches and hacks, protecting their customers’ data and avoiding significant financial and reputational damage.

The post Preventing 2022’s Application Security Fails: What We Can Learn appeared first on GuardRails.

*** This is a Security Bloggers Network syndicated blog from GuardRails authored by GuardRails. Read the original post at: https://blog.guardrails.io/preventing-2022s-application-security-fails-what-we-can-learn/