Security breach/compromise - 2012

[AplusWebMaster]

FYI...

Global Payments breach - 1.5M exposed ...
- https://krebsonsecurity.com/2012/04/...ards-exported/
April 2, 2012 - "Global Payments, the credit and debit card processor that disclosed a breach of its systems late Friday, said in a statement Sunday that the incident involved at least 1.5 million accounts. The news comes hours ahead of a planned conference call with investors, and after Visa said it had pulled its seal of approval for the company... In a press release issued 9:30 p.m. ET Sunday, Atlanta based Global Payments Inc. said it believes “the affected portion of its processing system is confined to North America and less than 1,500,000 card numbers may have been exported. Based on the forensic analysis to date, network monitoring and additional security measures, the company believes that this incident is contained”. It remains unclear whether there are additional accounts beyond these 1.5 million that were exposed by the breach; the company’s statement seems to be focusing on the number of cards it can confirm that thieves offloaded from its systems..."

Breach anatomy graphic
- https://krebsonsecurity.com/wp-conte...my-600x430.png

- http://h-online.com/-1498448
2 April 2012

- http://www.reuters.com/article/2012/...83102P20120402
Apr 1, 2012 - "Visa Inc. has dropped payment processor Global Payments Inc. from its list of approved service providers after a major cyber intrusion that could expose Visa, MasterCard, American Express and Discover card holders to fraud. Global Payments said it believes less than 1.5 million credit card numbers were stolen in the cyber security breach..."

- http://www.databreaches.net/?p=23827
March 30, 2012
___

- http://corporate.visa.com/media-center/index.shtml
Mar 30, 2012 - "Visa Inc. is aware of an announcement from Global Payments Inc. that it experienced unauthorized access into a portion of its processing system... Visa encourages cardholders to regularly monitor their accounts and to notify their issuing financial institution promptly of any unusual activity..."
- http://www.visasecuritysense.com/en_US/index.jsp

- http://newsroom.mastercard.com/2012/...personal-data/
March 30, 2012 - "... MasterCard and financial institutions do not proactively solicit personal or payment card information from customers... be wary of unsolicited requests by anyone claiming to represent one of these entities..."

[AplusWebMaster]

FYI...

Breach window at Global Payments expands
- https://krebsonsecurity.com/2012/05/...indow-expands/
May 1, 2012 - "A hacker break-in at credit and debit card processor Global Payments Inc. dates back to at least early June 2011, Visa and MasterCard warned in updated alerts sent to card-issuing banks in the past week. The disclosures offer the first additional details about the length of the breach since Global Payments acknowledged the incident on March 30, 2012... Visa and MasterCard have issued at least seven updates, warning of additional compromised cards and pushing the window of vulnerability at Global Payments back further each time. Initially, MasterCard and Visa warned that hackers may have had access to card numbers handled by the processor between Jan. 21, 2012 and Feb. 25, 2012. Subsequent alerts sent to banks have pushed that exposure window back to January, December, and then August. In an alert sent in the last few days, the card associations warned issuers of even more compromised cards, saying the breach extended back at least eight months, to June 2011... so far, Global Payments has offered few details about the incident beyond repeating that less than 1.5 million card numbers may have been stolen from its systems... Global Payments spokeswoman Amy Korn declined to comment for this story, but said the company would be releasing additional information about the incident in a statement on its Web site, http://www.2012infosecurityupdate.com/ , later this evening*."
* http://www.2012infosecurityupdate.com/
"... Based on our announcement of unauthorized activity in a limited segment of our North American processing system, some card brands removed us from their list of PCI compliant service providers. They have requested we revalidate our PCI status, which we will do following the current investigation. We anticipate that we will be re-instated to those lists at the conclusion of the re-validation and any required remediation... We have not publicly communicated any time periods and there is a full investigation underway. It would be premature and inappropriate for us to speak to or confirm any timeframes until the investigation is complete. We identified and self-reported this incident in early March, and we will continue to provide information to the appropriate parties as revealed by the investigation."
... As of May 1, 2012

[AplusWebMaster]

FYI...

Debit card accounts stolen - Global Payments breach ...
- https://krebsonsecurity.com/2012/05/...id-card-fraud/
May 14, 2012 - "Debit card accounts stolen in a recent hacker break-in at card processor Global Payments have been showing up in fraud incidents at retailers in Las Vegas and elsewhere, according to officials from one bank impacted by the fraud. At the beginning of March 2012, Danbury, Conn. based Union Savings Bank began seeing an unusual pattern of fraud on a dozen or so debit cards it had issued, noting that most of the cards had recently been used in the same cafe at a nearby private school. When the bank determined that the school was a customer of Global Payments, it contacted Visa to alert the card association of a possible breach at the Atlanta-based processor, according to Doug Fuller, Union Savings Bank’s chief risk officer. That’s when USB heard from Tony Higgins, then a fraud investigator at Vons, a grocery chain in Southern California and Nevada owned by Safeway Inc. According to Fuller, Higgins said the fraudsters were coming to the stores to buy low-denomination Safeway branded prepaid cards, and then encoding debit card accounts issued by USB onto the magnetic stripe on the backs of the prepaid cards. The thieves then used those cards to purchase additional prepaid cards with much higher values, which were then used to buy electronics and other high-priced goods from other retailers... The experience of Union Savings Bank illustrates how fraudsters can extract value from debit cards even if they only have -some- of the data associated with the accounts. Initial alerts about the breach from Visa and MasterCard stated that the breach at Global Payments compromised -both- Track 1 and Track 2 data from affected card accounts, meaning thieves could produce counterfeit versions of the cards and possibly commit other acts of identity theft against cardholders. Global Payments claims that only Track 2 data was taken, and that cardholder names, addresses and other data were were not obtained by the criminals. Yet, as USB’s story shows, the data on Track 2 alone was enough for the crooks to encode the card number and expiration date onto any cards equipped with a magnetic stripe. The cards could then be used at any merchant that accepts signature debit — transactions that do not require the cardholder to enter his or her PIN... USB’s experience also raises fresh questions about the timing of the breach discovery. Global Payments says it self-discovered and self-reported the breach on March 8, but Fuller said his bank figured out Global Payments was having an issue and reported the fraud before that..."

[AplusWebMaster]

FYI...

WHMCS breach ...
- https://krebsonsecurity.com/2012/05/...f-the-trouble/
May 24, 2012 - "A recent breach at billing and support software provider WHMCS that exposed a half million customer usernames, passwords — and in some cases credit cards — may turn out to be the least of the company’s worries.. for the past four months hackers have been selling an exclusive zero-day flaw that they claim lets intruders break into Web hosting firms that rely on the software... Following an extended period of downtime on Monday, the privately-owned British software firm disclosed that hackers had broken in and stolen 1.7 gigabytes worth of customer data, and deleted a backlog of orders, tickets and other files from the firm’s server... WHMCS’s user forums have been and remain under a constant denial-of-service attack, and the company is urging customers to change their passwords... Many users seem to be worried that the data stolen the now-public breach may include WHMCS direct customer data, as well as the location of the installed software and credit card data, and passwords for WHMCS installs that were done by them or supplied during troubleshooting..."
___

- http://www.databreaches.net/?p=24284
May 22, 2012

[AplusWebMaster]

FYI...

LinkedIn Blog:
- http://blog.linkedin.com/2012/06/06/...s-compromised/
June 6, 2012 - "... update on this morning’s reports of stolen passwords.
We can confirm that some of the passwords that were compromised correspond to LinkedIn accounts. We are continuing to investigate this situation and here is what we are pursuing as far as next steps for the compromised accounts:
1. Members that have accounts associated with the compromised passwords will notice that their LinkedIn account password is no longer valid.
2. These members will also receive an email from LinkedIn with instructions on how to reset their passwords. There will not be any links in these emails. For security reasons, you should -never- change your password on any website by following a link in an email.
3. These affected members will receive a second email from our Customer Support team providing a bit more context on this situation and why they are being asked to change their passwords.
It is worth noting that the affected members who update their passwords and members whose passwords have not been compromised benefit from the enhanced security we just recently put in place, which includes hashing and salting of our current password databases..."

LinkedIn passwords leaked ...
- http://nakedsecurity.sophos.com/2012...ke-action-now/
June 6, 2012 - "Although not yet confirmed by the business-networking website, it is being widely speculated that over six million passwords belonging to LinkedIn users have been compromised. A file containing 6,458,020 SHA-1 unsalted password hashes has been posted on the internet, and hackers are working together to crack them. Although the data which has been released so far does not include associated email addresses, it is reasonable to assume that such information may be in the hands of the criminals. Investigations by Sophos researchers have confirmed that the file does contain, at least in part, LinkedIn passwords. As such, it would seem sensible to suggest to all LinkedIn users that they change their passwords as soon as possible as a precautionary step..."

- http://www.reuters.com/article/2012/...8H68FJ20120606
Jun 6, 2012

- https://krebsonsecurity.com/2012/06/...your-password/
June 6, 2012
> http://krebsonsecurity.com/password-dos-and-donts

[AplusWebMaster]

FYI...

eHarmony dating site data-breach
- http://www.theregister.co.uk/2012/06...password_dump/
7 June 2012 - "Along with the LinkedIn password dump, dating site eHarmony has confirmed that some of its users’ passwords have also been published online, possibly by the same attacker as that obtained the LinkedIn data... It says all affected user passwords have been reset, along with providing the usual advice of creating strong passwords, using a different password for every site, and changing passwords every few months*. The LA Times says that the eHarmony list contained only passwords..."

* http://advice.eharmony.com/blog/2012...sed-passwords/
June 6, 2012

> http://www.reuters.com/article/2012/...85511820120607
Jun 7, 2012

eHarmony admits to leaking 1.5 million passwords
- http://h-online.com/-1612654
7 June 2012