Roundup—The Rundown On 7 Recent High-Profile Data Breaches

A frequent news headline, even in mainstream outlets: “Company X Discloses Data Breach of 5 Million Customer Records”—this appears to be a disturbing new normal. In the last 4 months there have been several high profile breaches of customer-facing corporations who suffered exfiltration of some type of private customer data. We’re going to summarize 7 of the highest profile recent cases in this data breach roundup.

What Is Considered Data Breach?

Data breach is the main objective for a large number of cybersecurity attacks, that is to copy or “exfiltrate” sensitive private data. In contrast to vandalism or espionage, the purpose of stealing private data is either financial—to resell it on some black market—or to utilize it as intelligence for subsequent attacks, like password vaults or endpoint asset data. Often the data is that of retail service customers and includes emails, phone numbers, addresses, social security numbers, or files, and can be used to spearhead future phishing or targeted attacks on users.

Security Magazine says the cost of data breaches increased exponentially in 2022 to $4.35 billion, which is the highest noted in IBM Security’s annual report, The Cost of a Data Breach. Still, the more critical point is the impact on businesses and consumers. And the companies targeted are often big names. In this digest we’re covering LastPass, Norton, GoDaddy, T-Mobile, LogMeIn/GoTo, CircleCI, and Paypal.

1. GoDaddy’s Multi-Year Breach

In mid-February 2023, domain registrar and hosting giant GoDaddy Inc. disclosed a breach that they say was initially discovered in early December 2022, after customers complained of intermittent redirects made by their GoDaddy-hosted websites:

“As our investigation continued, we discovered that an unauthorized third party had gained access to servers in our cPanel shared hosting environment and installed malware causing the intermittent redirection of customer websites. Once we confirmed the intrusion, we remediated the situation and implemented security measures in an effort to prevent future infections”

While they state: “we are working with multiple law enforcement agencies around the world” to investigate, they have been criticized for their slow handling of the issue and limited disclosure of IoCs to the infosec community. In their most recent 10-K filing with the SEC, GoDaddy stated that the breach was related to repeat actors from previous security events from March 2020 and November 2021.

2. LastPass Data Breaches of 2022

LastPass had a rough 2022. After first getting attacked in August, the hackers took what they learned and returned for another round in November.

LastPass informed its users that it had detected unusual activity in its development environment. In response, it deployed mitigation and containment measures and engaged a cybersecurity and forensics firm. Unfortunately, the threat actors took the information they gained in the August attack and returned to obtain more information on November 30, 2022.

During the November attack, thieves used the stolen source code and technical data from the earlier breach to target an individual employee. This information allowed them to get credentials/keys to access and decrypt a few storage volumes on a third-party cloud storage provider.

Following a lengthy investigation, LastPass warned its customers that the criminals could attempt to brute force master passwords or decrypt the stolen vault data. If customers and end users have followed suggested best practices for their master passwords, it should be highly challenging for anyone to guess by brute force methods.

Security experts still emphasize that password managers like LastPass are critical tools in any cybersecurity platform and help protect users against attacks.   

3. Norton LifeLock Credential Stuffing Incident

In January, using Norton Password Manager, Norton Life started sending out notices to customers that hackers had compromised their accounts. According to the letter sent to the Office of the Vermont Attorney General, the attacks were attributed to account compromises on other platforms.

The threat actor appears to have bought username and password pairs from the dark web. Norton noticed a large volume of failed login attempts beginning December 1, 2022. After an internal investigation, Norton found that the credential-stuffing attacks had successfully compromised a large number of customer accounts.  

Since the attacks, Norton reset the passwords on affected accounts but has warned customers using the Norton Password Manager that the attackers may have acquired personal details stored in their private vaults.

Norton has recommended that its customers enable two-factor authentication and offers a special incentive for a credit monitoring service to help protect their accounts and personal information.

4. CircleCI Data Breach

In the CircleCI breach, malware installed on an engineer’s laptop by a compromised third-party was used to steal a genuine, 2FA-backed session. The device was compromised in mid-December, but installed antivirus software did not detect the malware. That gave the malware time to steal a session cookie that let the threat actors impersonate the targeted employee working remotely. The hackers then escalated their access to a subset of CircleCI production systems.

CirleCI could have limited the scope of the breach by acting on time. Since the attack, it has been working with external investigators and a third-party cybersecurity firm to roll out additional layers of security.

5. LogMeIn/GoTo Cyber Breach

GoTo, formerly known as LogMeIn, suffered a security breach in November 2022. Threat actors breached its development environment and exfiltrated encrypted backups stored in a third-party cloud facility.

The exfiltrated backups included the following information for Central and Pro accounts:

• Account usernames
• Account Passwords (hashed and salted)
• Provisioning and Deployment data
• (Central accounts only) One to Many Scripts
• MFA Information
• Purchasing and Licensing details (emails, phone numbers, last 4 digits of credit cards, and billing addresses)

The security breach on the cloud storage service also affected LastPass.

Immediately following the incident, GoTo contacted affected customers directly, alerting them that they were investigating the incident with Mandiant’s help and informed various law agencies.

6. PayPal Credential Stuffing Attack

This month PayPal is sending notifications to thousands of its users that their accounts were accessed through credential stuffing attacks in its latest data breach.

Generally, threat actors will victimize targets who use the same password for multiple online accounts, also called “password recycling.”

According to PayPal, this credential stuffing attack took place December 6-8, 2022. Once the company detected the attack, it took steps to mitigate it and also began an internal investigation to determine how the threat actors gained access.  

Based on information obtained from its investigation, PayPal says the access was not gained because of a breach in its systems and suggests it was via another source. It reports that the attack affected 34,942 users.

PayPal was able to limit the impact of the attack through timely action and password resets of accounts involved in the breach. They recommend affected users change passwords for all their online accounts and use long-string passwords of 12 or more characters. It has also asked users to enable two-factor authentication (2FA) protection on their accounts.

7. T-Mobile Data Breach 2023

T-Mobile is once more in the news with a new breach which began in November 2022 but was reported January 5, 2023. This breach marks the eighth hacking of T-Mobile since 2018. According to the telecom provider, the intruder stole personal data from 37 million customers.

T-Mobile says that once it discovered which vulnerability the threat actor was leveraging, it took steps to mitigate it quickly.

Limits imposed on the exploited API reportedly prevented access to social security numbers, tax IDs, driver’s license data, passwords and PINs, and payment card data. A vulnerable API is now attackers accomplished August 2021’s breach, which resulted in a $350M class action settlement for customers. At that time, T-Mobile pledged $150M to security enhancements in the coming years. But is it proving effective a year and a half later?

T-Mobile customers may be growing fatigued and comfortable in the wake of these incidents, relieved that nothing has yet happened since their data was stolen. But every piece of personal data breached is ammunition for phishing attacks and targeted scams such as SIM-wapping. It’s a reminder that users should move away from SMS as a 2FA method due this inherent vulnerability.