It’s rare that a week goes by without at least one data breach making the news. Criminals are targeting companies of all sizes to see if they can slip past their digital defenses and steal confidential data.
The constant stream of new data breaches in the news can feel a little overwhelming. And it can be tricky to know what to do when it’s not your company or service that’s been breached, but one that you’ve simply used or bought from in the past.
In this month’s edition of Breach Bulletin, you’ll find a recap of the major incidents from November 2022, along with some practical advice for protecting yourself against these kinds of attacks.
Dropbox
Date disclosed: 11/01/2022
What Dropbox has said:
“We were recently the target of a phishing campaign that successfully accessed some of the code we store in GitHub. No one’s content, passwords, or payment information was accessed, and the issue was quickly resolved. Our core apps and infrastructure were also unaffected, as access to this code is even more limited and strictly controlled.
To date, our investigation has found that the code accessed by this threat actor contained some credentials—primarily, API keys—used by Dropbox developers. The code and the data around it also included a few thousand names and email addresses belonging to Dropbox employees, current and past customers, sales leads, and vendors (for context, Dropbox has more than 700 million registered users).
We take our commitment to protecting the privacy of our customers, partners, and employees seriously, and while we believe any risk to them is minimal, we have notified those affected.”
Learn more
(via BleepingComputer)
Louisiana Department of Public Safety and Corrections
Date disclosed: 11/01/2022
What DPS&C has said:
“The Louisiana Department of Public Safety and Corrections announced on November 1, 2022, that a cybersecurity incident at a third-party health administrator under contract to process medical claims led to the exposure of personal health information (PHI) of certain members of their incarcerated population.
The exposure of two file directories on a single server operated by CorrectCare (the Company) was discovered on July 6, 2022, and impacted approximately 80,000 pretrial and DOC inmates who were incarcerated and received offsite medical care between January 1, 2013, and July 7, 2022.
DPS&C contracts with CorrectCare to process medical claims for state and pretrial inmates who receive offsite non-primary and emergency medical care. This is separate and apart from the Department’s onsite medical care and electronic health records (EHR), which are managed by the Department and are not part of this breach.”
Learn more
(via Health IT Security)
Whoosh
Date disclosed: 11/14/2022
What Whoosh told RIA Novosti in a statement:
“The leak did not affect sensitive user data, such as account access, transaction information, or travel details. Our security procedures also exclude the possibility of third parties gaining access to full payment data of users' bank cards."
Learn more
(via Bleeping Computer)
Sonder
Date disclosed: 11/23/2022
What Sonder has said:
“On November 14, 2022, Sonder learned of unauthorized access to one of its systems that included certain guest records.
Sonder believes that guest records created prior to October 1, 2021 were involved in this incident. Some combination of the following guest information has been accessed:
- Sonder.com username and encrypted password
- Full name, phone number, date of birth, address, email address
- Certain guest transaction receipts, including the last 4 digits of credit card numbers and transaction amounts
- Dates booked for stays at a Sonder property
Additionally, Sonder believes that copies of government-issued identification such as driver’s licenses or passports may have been accessed for a limited number of guest records."
Learn more
(via Infosecurity)
Connexin Software
Date disclosed: 11/29/2022
What Connexin Software has said:
“On August 26, 2022, Connexin detected a data anomaly on our internal network. We immediately launched an investigation and engaged third-party forensic experts to determine the nature and scope of the incident. On September 13, 2022, we learned that an unauthorized party was able to access an offline set of patient data used for data conversion and troubleshooting. Some of that data was removed by the unauthorized party.
The live electronic record system was not accessed in this incident, and the incident did not involve any physician practice group’s systems, databases, or medical records system at all. Connexin is not aware of any actual or attempted misuse of personal information as a result of this event."
Learn more
(via Health IT Security)
LastPass
Date disclosed: 11/30/2022
What MyDeal has said:
“We recently detected unusual activity within a third-party cloud storage service, which is currently shared by both LastPass and its affiliate, GoTo. We immediately launched an investigation, engaged Mandiant, a leading security firm, and alerted law enforcement.
We have determined that an unauthorized party, using information obtained in the August 2022 incident, was able to gain access to certain elements of our customers’ information. Our customers’ passwords remain safely encrypted due to LastPass’s Zero Knowledge architecture.
We are working diligently to understand the scope of the incident and identify what specific information has been accessed. In the meantime, we can confirm that LastPass products and services remain fully functional. As always, we recommend that you follow our best practices around setup and configuration of LastPass, which can be found here."
Learn more
(via PCMag)
How you can protect yourself against data breaches
Here are the top three steps you can take to protect your personal information and keep your online data safe:
Create a strong, unique password for every account
One of the best ways to limit the consequences of a data breach is to use a strong, unique password for each account. A strong password is long – we recommend at least 16 characters – and doesn’t include anything predictable, like your name or date of birth.
Using unique passwords means that if a single site is compromised, an attacker can’t use the same credentials to access other accounts. Plus, you only need to sign in and update a single password, rather than every password for every account you own.
Turn on two-factor authentication (2FA)
Two-factor authentication makes it even tougher for criminals to access your accounts. In addition to your password, the service will ask for a code – one that you’ve chosen to always be sent via email, SMS (though you shouldn’t use SMS as it’s vulnerable to interception), or an authentication app. The 2FA system works because an attacker is unlikely to have access to both your password and the place where you retrieve your special codes.
Take action immediately if there’s a data breach
When you find out about a data breach, you should take action as quickly as possible to protect any compromised accounts. You can keep up with the latest breaches by reading the news and visiting sites like haveibeenpwned.com, which track known data breaches. Using a password manager like 1Password will also notify you if any of your passwords appear in a data breach.
Learn more
Want to learn more about data breaches and how to protect yourself? We’ve got you covered.
From the blog:
- How to protect yourself against data breaches
- Data breach 101: How you can stay safe online
- Received a data breach notification in 1Password? Take these 5 steps
- What if 1Password gets hacked?
Downloadable guides:
- How to avoid a data breach
- Data breach prevention checklist
- Incident response guide: what to do if you experience a breach
Ready to protect yourself?
1Password
Tweet about this post