Security News Survey – September 6, 2019

This week, we look at data breaches compromising 400 million Facebook records, 2.5 million Canadian Yves Rocher customers, and half a million XKCD webcomic fans.

We’re kicking off September with a number of fairly substantial data breach discoveries and disclosures—at least two of which appear to stem from unsecured online servers. Security researchers have unearthed dozens of unprotected databases over the last few months, in some cases bringing to attention troves of sensitive data that have put millions of individuals across the globe at risk. This particular trend isn’t showing any signs of slowing down. 

Unsecured server exposes over 400 million Facebook user records

A security researcher has discovered an unsecured server containing more than 419 million records containing Facebook user information. According to reports, the exposed user information contained IDs and phone numbers associated with the accounts, and in some cases, usernames, gender, and location. Roughly 133 million of the records stemmed from U.S. users, 18 million from U.K. users, and over 50 million from Vietnamese users. Experts are warning that the exposed data may put users at risk of SIM-swap attacks, in which cybercriminals can steal your mobile identity by convincing a cell carrier to switch your phone number over to a SIM card that they own. 

The security industry has been quick to point out that this appears to be the latest in a series of privacy incidents involving Facebook data; however, it’s not yet clear who was responsible for scraping and collecting the data found in the exposed server. The researcher who discovered the database was unable to identify and contact the owner, but the database was pulled offline with the help of the web host. Facebook has confirmed that the data in question is “old” and was collected before policy changes were made last year to tighten privacy around user phone numbers. According to the company, there is no indication that any accounts have been compromised as a result of this breach.

2.5 million Canadian Yves Rocher customers exposed by unsecured third-party database

Another unsecured database has exposed data belonging to millions of customers of international beauty brand Yves Rocher. The unprotected Elasticsearch database appears to belong to Aliznet, a French retail consultancy that boasts a long list of marquee clients including IBM, Salesforce, and more, in addition to Yves Rocher. According to reports, the security researchers who discovered the database were able to access a treasure trove of data, including the names, contact information, postcodes, and other details of 2.5 million Canadian customers. They also discovered six million customer orders and associated information, as well as internal business data, including metrics on store traffic, product descriptions, prices, and turnover data. Thankfully, no financial information appears to have been compromised. Yves Rocher has yet to comment on the breach.

Webcomic XKCD forum data breach compromises email addresses and passwords

Forums for popular webcomic XKCD shut down this past weekend following a security breach that exposed thousands of users’ data. According to reports, site administrators confirmed that 562,000 usernames, email addresses, and hashed and salted passwords were compromised in the breach, and cautioned users to change their account passwords immediately. They warned users to change passwords of any other accounts for which a similar password is used to avoid falling victim to credential stuffing attacks, which are likely to follow breaches such as these. XKCD has been added to Have I Been Pwned’s list of compromised sites and tweeted that more than half of the affected email addresses were already compromised in previous breaches.