Breach Bulletin: The most important data breaches from October 2022

By 1Password

It’s rare that a week goes by without at least one data breach making the news. Criminals are targeting companies of all sizes to see if they can slip past their digital defenses and steal confidential data.

The constant stream of new data breaches in the news can feel a little overwhelming. And it can be tricky to know what to do when it’s not your company or service that’s been breached, but one that you’ve simply used or bought from in the past.

Here, you’ll find a recap of the major data breaches from October 2022, and some practical advice for protecting yourself against these kinds of attacks.

Verizon

Date disclosed: 10/18/2022
What Verizon has said to affected customers:

“During our regular account monitoring, we identified unusual activity on the prepaid line that received the SMS linking to this notice. Upon further review, we determined that between October 6 and October 10, 2022, a third party actor accessed the last four digits of the credit card used to make automatic payments on your account. Using the last four digits of that credit card, the third party was able to gain access to your Verizon account and may have processed an unauthorized SIM card change on the prepaid line that received the SMS linking to this notice. If a SIM card change occurred, Verizon has reversed it.”

Learn more
(via BleepingComputer)

Toyota

Date disclosed: 10/07/2022
What Toyota has said (translated via Google Translate):

“On September 15, 2022, we confirmed that part of the source code of the user site of “T-Connect” was published on GitHub (software development platform). As a result, it was revealed that from December 2017 to September 15, 2022, a third party was able to access part of the source code on GitHub. It was discovered that the published source code contained an access key to the data server, and by using it, it was possible to access the email address and customer management number stored in the data server. On the same day, the source code was immediately made private on GitHub, and on September 17, we changed the access key of the data server, etc., and no secondary damage has been confirmed.”

Learn more
(via GitGuardian)

See Tickets

Date disclosed: 10/24/2022
What See Tickets has said:

“See Tickets was alerted to activity indicating potential unauthorized access by a third party to certain event checkout pages on the See Tickets website in April 2021. We promptly launched an investigation with the assistance of a forensics firm and took steps to shut down the unauthorized activity.”

“Our response efforts had multiple phases and resulted in the complete shutdown of the unauthorized activity in early January 2022. In the following months, we worked with Visa, MasterCard, American Express, and Discover to identify potentially affected pages and transactions. This wide-ranging effort was supported by multiple forensics firms, and included coordination with law enforcement. On September 12, 2022, we determined the event may have resulted in unauthorized access to the payment card information of certain of our customers.”

Learn more
(via Infosecurity Magazine)

MyDeal

Date disclosed: 10/15/2022
What MyDeal has said:

“MyDeal has identified that a compromised user credential was used to gain unauthorised access to its Customer Relationship Management system resulting in unauthorised access to some customer data within our network. We are extremely sorry to all of our affected customers that this has occurred. MyDeal is contacting all affected customers by email.”

“If you have not been contacted by MyDeal you have not had your details accessed in the incident, as the large majority of our customers are not affected by this incident. The majority of affected customers have only had their email address exposed. For remaining customers, information accessed includes customer names, email addresses, phone numbers, delivery addresses, and in some instances, the date of birth of those customers who have previously been required to prove their age when purchasing alcohol.”

Learn more
(via BleepingComputer)

Medibank

Date disclosed: 10/14/2022
What Medibank has said:

“The ongoing investigation has now found that the criminal has accessed data that includes some My Home Hospital patient (MHH) information. My Home Hospital is a service delivered by a joint venture between Calvary and Medibank on behalf of Wellbeing SA and the South Australian Government. The data accessed includes some personal information (including some health data).”

“While Medibank has not yet determined if the information has been illegally taken from our system, we know it has been accessed. We unreservedly apologize to our patients who have been the victims of this very serious crime. We appreciate this will be distressing for you. If we find your data has been stolen or accessed, we will notify you as soon as possible, which will include specific advice and support.”

Learn more
(via The Guardian)

Microsoft

Date disclosed: 10/19/2022
What Microsoft has said:

“Security researchers at SOCRadar informed Microsoft on September 24, 2022, of a misconfigured Microsoft endpoint. This misconfiguration resulted in the potential for unauthenticated access to some business transaction data corresponding to interactions between Microsoft and prospective customers, such as the planning or potential implementation and provisioning of Microsoft services. Upon being notified of the misconfiguration, the endpoint was quickly secured and is now only accessible with required authentication. Our investigation found no indication customer accounts or systems were compromised. We have directly notified the affected customers.”

Learn more
(via The Register)

Twilio

Date disclosed: 10/07/2022
What Twilio has said:

“…the same malicious actors likely were responsible for a brief security incident that occurred on June 29, 2022. In the June incident, a Twilio employee was socially engineered through voice phishing (or “vishing”) to provide their credentials, and the malicious actor was able to access customer contact information for a limited number of customers. The threat actor’s access was identified and eradicated within 12 hours. Customers whose information was impacted by the June Incident were notified on July 2, 2022.”

Learn more
(via TechCrunch)

How you can protect yourself against data breaches

Here are the top three steps you can take to protect your personal information and keep your online data safe:

Create a strong, unique password for every account

One of the best ways to limit the consequences of a data breach is to use a strong, unique password for each account. A strong password is long – we recommend at least 16 characters – and doesn’t include anything predictable, like your name or date of birth.

Using unique passwords means that if a single site is compromised, an attacker can’t use the same credentials to access other accounts. Plus, you only need to sign in and update a single password, rather than every password for every account you own.

Turn on two-factor authentication (2FA)

Two-factor authentication makes it even tougher for criminals to access your accounts. In addition to your password, the service will ask for a code, delivered by the method you’ve chosen: email, SMS (though you shouldn’t use SMS, as it’s vulnerable to interception), or an authentication app. The 2FA system works because an attacker is unlikely to have access to both your password and the place where you retrieve your codes.

Take action immediately if there’s a data breach

When you find out about a data breach, you should take action as quickly as possible to protect any compromised accounts. You can keep up with the latest breaches by reading the news and visiting sites like haveibeenpwned.com, which track known data breaches. A password manager like 1Password will also notify you if any of your passwords appear in a data breach.
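
A breach check of this kind can run without the password ever leaving your device. The sketch below is an added example, not code from this post or from 1Password: it follows the k-anonymity range lookup offered by haveibeenpwned.com's Pwned Passwords service, where only the first five characters of the password's SHA-1 hash are sent and the match is done locally. The endpoint is replaced by a constructed offline stand-in with made-up counts, and all function names are assumptions.

```python
import hashlib

def split_hash(password):
    """Uppercase SHA-1 hex digest split into (5-char prefix, 35-char suffix)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def parse_range_response(body):
    """Parse 'SUFFIX:COUNT' lines; malformed lines are skipped."""
    counts = {}
    for line in body.splitlines():
        suffix, _, count = line.strip().partition(":")
        if len(suffix) == 35 and count.isdigit():
            counts[suffix.upper()] = int(count)
    return counts

def breach_count(password, fetch_range):
    """Times the password appears in the corpus; only the prefix is sent."""
    prefix, suffix = split_hash(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)

def make_constructed_service(corpus):
    """Offline stand-in for the range endpoint (hypothetical helper, constructed data)."""
    seen = []  # every value the "server" receives
    def fetch_range(prefix):
        seen.append(prefix)
        lines = ["0" * 35 + ":0"]  # padding-style entry with a zero count
        for known, count in corpus.items():
            p, s = split_hash(known)
            if p == prefix:
                lines.append(f"{s}:{count}")
        return "\r\n".join(lines)
    return fetch_range, seen

if __name__ == "__main__":
    fetch, seen = make_constructed_service({"password123": 42})
    for candidate in ("password123", "a long unique passphrase 9!"):
        print(candidate, "->", breach_count(candidate, fetch))
    print("server saw only:", seen)
```

Any non-zero count means the password has appeared in a breach corpus and should be replaced everywhere it is used.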

Ready to protect yourself?

Keep all of your accounts secure with 1Password, the world’s most-trusted password manager. Get started today with a free 14-day trial.