What do a typo, a hacked database, and a tweet have in common? Leaked credentials. This week we saw three major leaks that could have been avoided. While we are constantly advised to be on the lookout for malicious actors, sometimes we are our own worst enemies.
You Had One Job
An email from the National Australia Bank (NAB) containing the names, addresses, emails, branch, account number, and NAM identification number of 60,000 customers was sent to an email address at nab.com rather than nab.com.au. While the bank is working to ensure the accounts are secure, the personal information of these sixty thousand customers is now beyond the bank’s control.
Portal Brazil mistakenly posted a tweet with a link that exposed all their passwords, including those for Instagram, Facebook, and Gmail. The link was attached to a tweet saying the National Force will remain another 60 days in Rio Grande do Norte. A note in red next to one of the passwords read “do not change the password ever”. After the incident, the post was deleted and Portal Brazil changed their passwords - supposedly. Not a good day.
Regardless of how quickly an organization realizes their mistake, the damage is already done. The organization earns a reputation of carelessness with their (and others’) data, and there’s a strong likelihood that others saw (and saved) the information.
But Wait, There’s A Tool For That
There is a myriad of tools that automatically crawl, copy, and save sensitive information (mistakenly) posted online. Most of these bots are written with malicious intent: they seek to monetize and exploit human error.
But some of these automated tools have a more noble quest. truffleHog, a Python program recently published on GitHub, lets programmers scan the source code they’ve published online for any credentials (e.g., API keys) left hard-coded in the files. (The program even scans every earlier version of your code by walking the repository’s commit history.)
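The core of that kind of scanner is simple enough to show. The following is an added example, not truffleHog’s own code: it flags “random-looking” strings in a diff by measuring their Shannon entropy over a base64-style and a hex-style alphabet, the same idea truffleHog uses, and includes a helper that feeds the full `git log -p --all` output through the scanner so old commits are covered too. The minimum length, the entropy cutoffs, and the sample diff (every value in it is made up) are assumptions of this example.

```python
import math
import subprocess

# Alphabets a secret is likely to be drawn from: base64-ish and hex-ish.
BASE64_CHARS = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/="
HEX_CHARS = "0123456789abcdefABCDEF"

# Assumed tuning for this example: candidates must be at least 20 characters,
# and each alphabet gets its own cutoff (a 16-symbol hex alphabet tops out at 4.0 bits,
# so a hex string needs a lower bar than a base64 one).
MIN_LENGTH = 20
THRESHOLDS = ((BASE64_CHARS, 4.5), (HEX_CHARS, 3.0))


def shannon_entropy(data, charset):
    """Bits of Shannon entropy per symbol of `data`, counting only symbols in `charset`."""
    if not data:
        return 0.0
    entropy = 0.0
    for ch in set(charset):
        p = data.count(ch) / len(data)
        if p > 0:
            entropy -= p * math.log2(p)
    return entropy


def charset_runs(word, charset, min_length=MIN_LENGTH):
    """Maximal substrings of `word` made only of `charset` symbols, at least `min_length` long."""
    runs, current = [], ""
    for ch in word:
        if ch in charset:
            current += ch
            continue
        if len(current) >= min_length:
            runs.append(current)
        current = ""
    if len(current) >= min_length:
        runs.append(current)
    return runs


def find_high_entropy_strings(text):
    """Return (line_number, candidate) pairs for substrings that look like random secrets."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        seen = set()  # a hex string is also a base64 string; report each candidate once
        for word in line.split():
            for charset, threshold in THRESHOLDS:
                for candidate in charset_runs(word, charset):
                    if candidate not in seen and shannon_entropy(candidate, charset) > threshold:
                        seen.add(candidate)
                        findings.append((lineno, candidate))
    return findings


def scan_git_history(repo_path):
    """Run the scanner over every diff in the repository's history, on all branches.

    Assumption: `git` is on PATH. Not exercised by the offline sample below.
    """
    log = subprocess.run(
        ["git", "-C", repo_path, "log", "-p", "--all", "--no-color"],
        check=True, capture_output=True, text=True,
    ).stdout
    return find_high_entropy_strings(log)


# Constructed sample diff: every value here is made up for this example.
SAMPLE_DIFF = """\
+LOG_LEVEL = "info"
+API_SECRET = "aB1cD2eF3gH4iJ5kL6mN7oP8qR9sT0uV"
+README_TITLE = "ThisIsJustOrdinaryText"
+API_TOKEN = "3f786850e387550fdab836ed7e6dc881de23001b"
"""

if __name__ == "__main__":
    for lineno, secret in find_high_entropy_strings(SAMPLE_DIFF):
        print(f"line {lineno}: possible hard-coded secret {secret}")
```

On the sample, the 32-character mixed-case secret (5.0 bits per symbol) and the 40-character hex token are reported, while the camel-case title on line 3 (about 3.9 bits) stays under the base64 cutoff. Entropy alone still produces false positives such as commit hashes or minified assets, so in practice the output is a list to triage rather than a verdict.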
Breaches from external actors will always remain a big threat, but as individuals, businesses, and governments steadily accrue lengthy lists of credentials, human error becomes an increasingly costly mishap.
One more thing
In the world of data breaches, not even one of the world’s most beloved kitties is safe. A list of 3.3 million Sanrio user credentials surfaced including 180,000 accounts belonging to underage users. Sanrio, the parent company of Hello Kitty, denied this information was stolen in a leak or a breach in 2015, but the current available data matches the other leaked information.
The information includes names, birthdates, gender, country of origin, emails, usernames, unsalted SHA-1 hashed passwords, and password hints. This leak comes as yet another hit in the wake of the ongoing exploitation of MongoDB database vulnerabilities. As of Monday 27,000 databases were hijacked.
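The “unsalted SHA-1” detail is what turns a leaked password table into a much bigger problem: without a per-user salt, every user who chose the same password ends up with the same stored value, so one recovered password (or one readable password hint) unlocks every matching account at once. The example below is added here and is not Sanrio’s code or any specific product’s; it contrasts bare SHA-1 storage with salted PBKDF2-HMAC-SHA256 on a constructed set of accounts. The usernames, passwords, salt length, and iteration count are assumptions of the example.

```python
import hashlib
import hmac
import os

# Assumed parameters for this example: 16-byte random salt, 200k PBKDF2 rounds.
SALT_BYTES = 16
PBKDF2_ROUNDS = 200_000

# Constructed sample accounts; the passwords are made up for this example.
SAMPLE_USERS = [
    ("alice", "kitty2015"),
    ("bob", "correct horse battery staple"),
    ("carol", "kitty2015"),  # same password as alice
]


def unsalted_sha1(password):
    """The weak scheme from the leak: one bare SHA-1 per password, no salt."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def hash_password(password, salt=None):
    """Salted, iterated hash; the salt is stored alongside the digest as 'salt$digest'."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt per stored password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt.hex() + "$" + digest.hex()


def verify_password(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), PBKDF2_ROUNDS
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)


def store_users(users, hasher):
    """Build a username -> stored value table with the given hashing scheme."""
    return {name: hasher(pw) for name, pw in users}


def duplicate_groups(table):
    """Groups of users whose stored values are identical, i.e. who visibly share a password."""
    by_value = {}
    for name, value in table.items():
        by_value.setdefault(value, []).append(name)
    return sorted(group for group in by_value.values() if len(group) > 1)


if __name__ == "__main__":
    print("unsalted SHA-1 collisions:", duplicate_groups(store_users(SAMPLE_USERS, unsalted_sha1)))
    print("salted PBKDF2 collisions: ", duplicate_groups(store_users(SAMPLE_USERS, hash_password)))
```

With unsalted SHA-1 the table reveals that alice and carol share a password before anyone has recovered it; with a per-user salt the same two accounts store unrelated values, and the iteration count makes each guess against a single record far more expensive than one SHA-1 call.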