Security

Welcome back from the holiday, Americans! Here's who leaked data while you were away

TrueDialog, Mixcloud, Magento Marketplace expose accounts

2 Got Tips?

Thanksgiving is an ideal time to either hack (IT admins need holidays too) or to drop news of hacks (because no one's reading much news) so here's your roundup of the weekend's shenanigans.

In the past few days, researchers have disclosed breaches at mobile carrier TrueDialog, music streamer MixCloud, and Adobe's Magento Marketplace service. Millions of people are thought to be affected.

TrueDialog exposes "massive" activity database

The research team at VPNmentor took credit for the discovery and disclosure of a database owned by business comms provider TrueDialog. They report that the data of millions of users, including the content of SMS messages, was left out in the open after an Azure-hosted database was mistakenly set to public availability.

"This was a huge discovery, with a massive amount of private data exposed, including tens of millions of SMS text messages," reported the VPNmentor team.

"Aside from private text messages, our team discovered millions of account usernames and passwords, PII data of TrueDialog users and their customers, and much more."

TrueDialog provides SMS services to its customers, mostly businesses and educational institutions. The Texas-based company partners with phone carriers to offer things like alerts and large-scale marketing campaigns, as well as campus alerts and student admissions.

Those are the sort of SMS communications that were exposed, along with account details (email addresses, passwords in either plaintext or base64,) and contact information. VPNmentor says that, in total, the exposed database was 604GB in size and included data on tens of millions of people.

"It’s difficult to put the size of this data leak into context. Tens of millions of people were potentially exposed in a number of ways," the report reads.

"It’s rare for one database to contain such a huge volume of information that’s also incredibly varied."

TrueDialog confirmed the incident to The Register and said that while it is still investigating, currently it is believed that VPNmentor's team were the only people to spot the database before it was pulled from the public.

"We were notified on Thursday that for a short period text message logs between our business customers and individuals were potentially accessible on one of our Azure servers," CEO John Wright told El Reg.

"The data was located at a non-published network port which is now secured. We have internally found no evidence that the data was downloaded or viewed by anyone other than the security analyst who notified our company that the data was potentially accessible."

MixCloud punter profiles put up for sale

UK music streaming service MixCloud is said to be investigating after it was reported that the details on 21 million users are being flagged for sale on the dark web.

Just what could be done with this pilfered data (usernames, email addresses, hashed passwords) isn't quite clear. The passwords are said to have been securely encoded, and no payment data is included.

Still, those who have a Mixcloud account will want to change up their password and if those credentials were re-used on other sites (don't do this) those logins should also be updated.

Adobe warns of Magento Marketplace breach

Recently, Adobe began notifying developers on its Magento Marketplace plug-in store that someone had managed to break into a system containing account details, but no payment card information.

Russian bloke charged in US with running $20 million stolen card-as-a-service online souk

READ MORE

"On November 21, we became aware of a vulnerability related to Magento Marketplace. We temporarily took down the Magento Marketplace in order to address the issue," Magento said in announcing the incident.

"The Marketplace is back online. This issue did not affect the operation of any Magento core products or services."

The exposed data included name email address, account name, billing/shipping address, and, in some cases, the percentage of plug-in sales that Magento had paid out to third-party developers. ®

Sign up to our NewsletterGet IT in your inbox daily

2 Comments

Keep Reading

Intel, VMware collaborate on virtualized RAN platform

Helpful as Huawei is increasingly swept aside for 5G infrastructure

Microsoft and VMware end ancient grudge with new VM privilege workaround

Workstation has one job: running VMs. And now it can do it on Windows with Hyper-V enabled

We spent way too long on this Microsoft, Intel, Adobe, SAP, Red Hat Patch Tuesday article. Just click on it, pretend to read it, apply updates

Patch Tuesday Please, thanks, good show, cheers, ta

Microsoft teases more hybrid VMware-on-Azure action

For now, you get a preview of the official Azure VMware Solution to play with and a promise of availability in H2 2020

Alibaba takes VMware where AWS and Microsoft don't – behind the Great Firewall

Only in China ‘for the moment’ which leaves the world to conquer

Photostopped: Adobe Cloud evaporates in mass outage. Hope none of you are on a deadline, eh?

More than dozen services down, customers left unable to work

VMware gets into apps with Bluetooth-pinging COVID-safe-office tools

And expands its Horizons VDI into new clouds

NASA to stop using names like 'Eskimo Nebula' and 're-examine' what it calls cosmic objects

‘Horsehead Nebula’ is okay, ‘Siamese Twins Galaxy’ is not

Take a dip in our joint data lake, 'seamlessly' hoover up intel on customers – Microsoft, SAP and Adobe

Tech trio put Accenture, EY, WPP on advisory council for 'Open Data Initiative'

VMware's flagship vSphere now in never-ending beta, if you're up for it

Go forth and test code that may never become a product if you dare

Tech Resources

Navigating the New Era of Cloud Computing

Hear from Steve Sibley, VP of Offering Management for IBM Power Systems about how IBM Power Systems can enable hybrid cloud environments that support “build once, deploy anywhere” options.

Simplifying Hybrid Cloud Flash Storage

According to industry analysts, a critical element for secure hybrid multicloud environments is the storage infrastructure.

Accelerate Your Journey to the Cloud

Increasingly, enterprises are looking to the cloud to run their core mission-critical systems and the cloud is often the primary platform for launching new applications.

Manage your data, not just your storage

In this paper we look at the challenges that cold data presents, at techniques and technologies that can help with the problem, and at the advantages organizations can gain from a smarter approach to data management.