Security News Survey – August 9, 2019

This week, we look at a data breach impacting 23.2 million online shoppers and several misconfigured databases that exposed troves of sensitive information.

It’s been an exciting week with the Interset team attending Black Hat USA in Las Vegas! We always enjoy getting a chance to chat face-to-face with security professionals, and it’s been great to see some interesting headlines stem from the show this week. But in addition to keeping an eye on Black Hat news, we’ve also been tracking broader cybersecurity headlines. Here are a few items that caught our eye. 

CafePress data breach compromised 23.2 million accounts

Online t-shirt seller CafePress is making headlines this week after Have I Been Pwned (HIBP) began notifying impacted users (those who have opted in to HIBP’s “Notify Me” service) of a February 2019 data breach that it has tied to the e-retailer. According to HIBP, the CafePress breach compromised email addresses, names, and contact information associated with more than 23.2 million accounts.

The company has not commented on claims of a data breach. Coincidentally, however, CafePress has been forcing customers to reset their passwords due to what it is calling an update to its corporate “password policy.” These notifications make no mention of a data breach, leaving many customers with questions about whether the company is aware of the breach, whether it’s investigating the issue and boosting security, and why it isn’t willing to disclose the breach to impacted individuals. We don’t know the circumstances of the breach as of right now, but hopefully we will learn more when CafePress issues a statement.

Political committee leaves millions of email addresses exposed for 9 years

We’re no strangers to exposed, unsecured servers these days. Unfortunately, the latest example of this trend is setting a new record. Security researchers recently discovered that a misconfigured Amazon S3 cloud storage bucket belonging to the Democratic Senatorial Campaign Committee (DSCC) had left around 6.2 million email addresses exposed since 2010. The file, which was meant to exclude individuals from the DSCC’s marketing emails, included personal email addresses as well as government and military email addresses. The misconfiguration of the S3 bucket allowed anyone full control, including changing access permissions. The DSCC secured the storage bucket following the security researchers’ discovery, but it’s unclear whether, or how many, people accessed the information in the nine years that it was left exposed.

Two misconfigured databases expose thousands of patients

Security researchers have also discovered two additional misconfigured databases belonging to healthcare companies, Medico and Amarin Pharma. According to reports, the Medico database held 1.7 GB of documents containing personal, financial, and medical data dating back to 2018. The database also stored usernames and default passwords. Similarly, an unsecured Amarin Pharma database exposed names, contact info, and medical data of more than 78,000 patients. Both databases were secured after the companies were notified.

The healthcare industry, in particular, appears to be struggling with misconfigured databases that leave sensitive information exposed. Security experts are pointing to gaps in “operations processes” that may be leading to patterns in exposed data.