As if you didn't have enough to worry about, a group of hackers is selling account information on the dark web taken from as many as 10 sites. In total, as many as 73 million records are affected, according to a report from ZDNet.
At a time when we've seen plenty of people step up and serve their neighbors in some incredible ways, the hacking group, known as ShinyHunters, apparently didn't get the memo. Instead of helping people, they're scooping up personal information from a variety of sites and selling it off to the highest bidder, a reminder that bad actors don't take time off--not even during a pandemic.
The breach has been confirmed by at least one site, the photo printer Chatbooks. That company also sent an email to users over the weekend that says in part:
Unfortunately I am writing today to inform you of a breach in data security at Chatbooks. On the evening of May 5, 2020, we learned that certain user information was stolen from our database in a cyber attack ... the stolen information appears to consist primarily of Chatbooks login credentials, including names, email addresses, and individually salted and hashed passwords.
The company says that phone numbers and Facebook IDs have also been compromised in some cases. This could be especially troublesome considering that phone numbers are one of the primary forms of two-factor authentication protecting financial accounts, for example.
I wrote last year about how SIM-swapping is becoming an increasing threat. That's when hackers use social engineering to swap your number onto their SIM. Then, when that text-messages with that special code you're supposed to enter on your bank's website arrives, it instead shows up on their device and they're able to access your account.
According to ZDNet, the other sites that have been affected include:
- Zoosk (an online dating site)
- Chatbooks (printing service)
- SocialShare (South Korean fashion platform)
- Home Chef (food delivery service)
- Minted (online marketplace)
- Chronicle of Higher Education (online newspaper)
- GGuMim (South Korean furniture magazine)
- Mindful (health magazine)
- Bhinneka (Indonesia online store)
- StarTribune (US newspaper)
If you use one of those services, the first thing you should do is change your password--like, now. Second, if you have payment information stored at any of those sites, you may want to notify your bank that your card may have been included in a breach. In some cases, the bank may place a fraud alert on your account or may issue a new card altogether to be safe.
If you receive email notifications that your information has changed at any of those sites, or at your bank or credit card, pay attention. If you didn't change your password, but someone else did, I suggest you reach out immediately.
Finally, while there are no indications at this time that the breach included Social Security numbers, it still might be wise to take advantage of one of the many free credit monitoring services so that you can be notified if someone attempts to open new accounts in your name.
While these sites are primarily consumer-focused, there's actually a lesson for every business that right now: Be vigilant about the security of your employees and customers. Just because we're all working from home doesn't mean the bad guys aren't still hard at work.