It’s August 2020 and many families take this time to go on vacations. COVID-19 has caused many people to delay or cancel those plans so instead of Beach Week, here at Between The Hacks, we are dubbing this week as Breach Week.

Why? Because there was an unusually large number of data breaches made public this week. Avon, Drizly, Dave.com, Havenly and many others had data breached publicly online. So if you didn’t make it to the beach this year, put on your swimsuit, grab a frozen, fruity drink and relax as you learn which companies were breached, check if you were impacted, and learn how to be alerted if you are impacted by data breaches in the future.

Avon

According to Infosecurity Magazine, researchers at SafetyDetectives found the Elasticsearch database on an Azure server publicly exposed with no password protection or encryption which leaked 19 million records including personally identifiable information (PII) on customers and potentially employees, including full names, dates of birth, home addresses, phone numbers, email and GPS coordinates.

The SafetyDetectives report lists the following items that their researchers found on the unsecured server.

• More than 665,000 technical log entries, including token values and internal resources such as APIs,

• Almost 3 million technical log entries and errors including private/sensitive information such as login PIN codes sent by SMS, date of birth and phone numbers,

• 11,000+ entries marked as “salesLeadMap”, showing values such as full names, addresses, account settings, dates of birth, token values, last payment amounts and GPS coordinates,

• Approximately 780,000 technical log entries exposing potentially sensitive technical information, such as administrator user emails and what seems to be a list of admin system permission categories,

• Close to 450,000 technical log entries and application/Java errors, potentially exposing sensitive technical information about the server.

Eighteen Startups Breached

This week we learned that a threat actor posted online, more than 386 million user records from 18 companies. “Since July 21st, a seller of data breaches known as ShinyHunters has begun leaking the databases for free on a hacker forum known for selling and sharing stolen data” reported Bleeping Computer on July 28th.

Later in the week, Bleeping Computer posted an update on the breach collection as more of the startups have begun to disclose the breaches to the public. You can see these status updates in the following table. Bleeping Computer reported, “ShinyHunters told BleepingComputer that they released the databases for free to benefit the "community" and as they already made enough money from selling them in private sales.”

Biggest data breaches of the 21st century

In addition to the mass of data breaches this week, you may have been impacted by other breaches in the past. Last week Between The Hacks covered the Blackbaud data breach that leaked data of many universities and non-profits and there seems to be a steady stream of breach news to make data breaches a concern for everyone online.

With this week’s updates, it seems that Avon and Wattpad may be added to the list of the biggest data breaches of the 21st century which was covered by CSO online on April 17, 2020.

What Can You Do?

• If you have an account on any of the sites that were breached, change you password immediately, even if the vendor doesn’t force you to change your password.

• Never reuse passwords. Every one of your accounts should have a unique, complex password.

• Create, store and manage all of your passwords with a Password Manager

• Sign up for Have I Been Pwned (HIBP). Between The Hacks recommended HIBP as a Tip of The Week on June 26, 2020. You can read more about it here.