data security

Indian state government website exposed COVID-19 lab test results

A security flaw in a website run by the government of West Bengal in India exposed the lab results of at least hundreds of thousands of residents, though likely millions, who took a COVID-19 test.

The website is part of the West Bengal government’s mass coronavirus testing program. Once a COVID-19 test result is ready, the government sends a text message to the patient with a link to its website containing their test results.

But security researcher Sourajeet Majumder found that the link containing the patient’s unique test identification number was scrambled with base64 encoding, which can be easily converted using online tools. Because the identification numbers were incrementally sequenced, the website bug meant that anyone could change that number in their browser’s address bar and view other patients’ test results.
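The flaw described above is an insecure direct object reference: base64 is a reversible encoding, not a secret, so a sequential number wrapped in it is still enumerable. The following added example (not code from the West Bengal site or from TechCrunch) contrasts that link scheme with one that issues a random per-result token and requires a second factor before showing a result; the host name, function names and sample values are hypothetical.

```python
import base64
import hmac
import secrets

BASE = "https://results.example.invalid/view?id="  # hypothetical host, not the real site


def weak_link(test_id: int) -> str:
    """The scheme the article describes: a sequential test number, base64-encoded.
    Base64 is a reversible encoding, not encryption, so it hides nothing."""
    return BASE + base64.urlsafe_b64encode(str(test_id).encode()).decode()


def is_guessable(link: str) -> bool:
    """Review check: flag a link whose parameter is just an encoded integer.
    A sequential number can be iterated; a long random token cannot."""
    param = link[len(BASE):]
    param += "=" * (-len(param) % 4)  # restore any stripped base64 padding
    try:
        decoded = base64.urlsafe_b64decode(param)
    except ValueError:  # binascii.Error is a ValueError
        return False
    return decoded.isdigit()


class ResultStore:
    """Hardened scheme: each result gets a 256-bit random token stored server-side,
    and viewing also requires a second factor (constructed here as the phone
    number the SMS was sent to)."""

    def __init__(self) -> None:
        self._by_token = {}  # token -> (test_id, result, phone)

    def issue_link(self, test_id: int, result: str, phone: str) -> str:
        token = secrets.token_urlsafe(32)  # 32 random bytes, URL-safe
        self._by_token[token] = (test_id, result, phone)
        return BASE + token

    def lookup(self, link: str, phone: str):
        """Return the result only for an issued token whose second factor matches.
        An unknown token and a wrong phone both yield None, so the response does
        not reveal which of the two checks failed."""
        entry = self._by_token.get(link[len(BASE):])
        if entry is None:
            return None
        _test_id, result, expected_phone = entry
        if not hmac.compare_digest(expected_phone.encode(), phone.encode()):
            return None
        return result
```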

The test results contain the patient’s name, sex, age, and postal address, and state whether the patient’s lab test result came back positive, negative, or inconclusive for COVID-19.

Majumder told TechCrunch that he was concerned a malicious attacker could scrape the site and sell the data. “This is a privacy violation if somebody else gets access to my private information,” he said.

Two redacted COVID-19 lab test results exposed as a result of a security vulnerability on the West Bengal government’s website. (Screenshot: TechCrunch)

Majumder reported the vulnerability to India’s CERT, the country’s dedicated cybersecurity response unit, which acknowledged the issue in an email. He also contacted the West Bengal government’s website manager, who did not respond. TechCrunch independently confirmed the vulnerability and also reached out to the West Bengal government, which pulled the website offline, but did not return our requests for comment.

TechCrunch held our report until the vulnerability was fixed or no longer presented a risk. At the time of publication, the affected website remains offline.

It’s not known exactly how many COVID-19 lab results were exposed because of this security lapse, or if anyone other than Majumder discovered the vulnerability. At the time the website was pulled offline at the end of February, the state government had tested more than 8.5 million residents for COVID-19.

West Bengal is one of the most populated states of India, with about 90 million residents. Since the start of the pandemic, the state government has recorded more than 10,000 coronavirus deaths.

It’s the latest of several security incidents in the past few months to hit India and its response to the coronavirus pandemic.

Last May, India’s largest cell network Jio admitted a security lapse after a security researcher found a database containing the company’s coronavirus symptom checker, which Jio had launched months earlier.

In October, a security researcher found Dr Lal PathLabs left hundreds of spreadsheets containing millions of patient booking records — including for COVID-19 tests — on a public storage server that was not protected with a password, allowing anyone to access sensitive patient data.


Cybersecurity startup SpiderSilk raises $2.25M to help prevent data breaches

Dubai-based cybersecurity startup SpiderSilk has raised $2.25 million in a pre-Series A round, led by venture firms Global Ventures and STV.

In the past two years, SpiderSilk has discovered some of the biggest data breaches: Blind, the allegedly anonymous social network that exposed private complaints by Silicon Valley employees; a lab leaked highly sensitive Samsung source code; an inadvertently public code repository revealed apps, code, and apartment building camera footage belonging to controversial facial recognition startup Clearview AI; and a massive spill of unencrypted customer card numbers at now-defunct MoviePass may have been the final nail in the already-beleaguered subscription service’s casket.

Many of those discoveries were made using the company’s proprietary internet scanner, SpiderSilk co-founder and chief security officer Mossab Hussein told TechCrunch.

Any company would want their data locked down, but mistakes happen and misconfigurations can leave sensitive internal corporate data accessible from the internet. SpiderSilk helps its customers understand their attack surface by looking for things that are exposed but shouldn’t be.

The cybersecurity startup uses its scanner to map out a company’s assets and attack surfaces to detect vulnerabilities and data exposures, and it also simulates cyberattacks to help customers understand where vulnerabilities are in their defenses.

“The attack surface management and threat detection platform we built scans the open internet on a continuous basis in order to attribute all publicly accessible assets back to organizations that could be affected by them, either directly or indirectly,” SpiderSilk’s co-founder and chief executive Rami El Malak told TechCrunch. “As a result, the platform regularly uncovers exploits and highlights how no organization is immune from infrastructure visibility blind-spots.”

El Malak said the funding will help to build out its security, engineering and data science teams, as well as its marketing and sales. He said the company is expanding its presence to North America with sales and engineering teams.

It’s the company’s second round of funding, after a seed round of $500,000 in November 2019, also led by Global Ventures and several angel investors.

“The SpiderSilk team are outstanding partners, solving a critical problem in the ever-complex world of cybersecurity, and protecting companies online from the increasing threats of malicious activity,” said Basil Moftah, general partner at Global Ventures.

Mixcloud data breach exposes over 20 million user records

A data breach at Mixcloud, a U.K.-based audio streaming platform, has left more than 20 million user accounts exposed after the data was put on sale on the dark web.

The data breach happened earlier in November, according to a dark web seller who supplied a portion of the data to TechCrunch, allowing us to examine and verify the authenticity of the data.

The data contained usernames, email addresses, and passwords that appear to be scrambled with the SHA-2 algorithm, making the passwords near impossible to unscramble. The data also contained account sign-up dates and the last-login date. It also included the country from which the user signed up, their IP address, and links to profile photos.

We verified a portion of the data by validating emails against the site’s sign-up feature, though Mixcloud does not require users to verify their email addresses.

The exact amount of data stolen isn’t known. The seller said there were 20 million records, but listed 21 million records on the dark web. But the data we sampled suggested there may have been as many as 22 million records, based on unique values in the data set we were given.

The data was listed for sale for $4,000, or about 0.5 bitcoin. We’re not linking to the dark web listing.

Mixcloud last year secured an $11.5 million cash injection from media investment firm WndrCo, led by Hollywood media proprietor Jeffrey Katzenberg.

It’s the latest in a string of high-profile data breaches in recent months. The breached data came from the same dark web seller who also alerted TechCrunch to the StockX breach earlier this year. The apparel trading company initially claimed its customer-wide password reset was for “system updates,” but later came clean, admitting it was hacked, exposing more than four million records, after TechCrunch obtained a portion of the breached data.

When reached, Mixcloud spokesperson Lisa Roolant did not comment beyond a boilerplate corporate statement, nor did the spokesperson answer any of our questions — including if the company planned to inform regulators under U.S. state and EU data breach notification laws.

Co-founder Nico Perez also declined to comment further.

As a London-based company, Mixcloud falls under U.K. and European data protection rules. Companies can be fined up to 4% of their annual turnover for violations of European GDPR rules.

Corrected the fourth paragraph to clarify that emails were validated against the site’s sign-up feature, and not the password reset feature. Updated to include comment from the company.

Web host Hostinger says data breach may affect 14 million customers

Hostinger said it has reset user passwords as a “precautionary measure” after it detected unauthorized access to a database containing information on millions of its customers.

The breach is said to have happened on Thursday. The company said in a blog post it received an alert that one of its servers was improperly accessed. Using an access token found on the server, which can give access to systems without needing a username or a password, the hacker gained further access to the company’s systems, including an API database. That database contained customer usernames, email addresses, and passwords scrambled with the SHA-1 algorithm, which has been deprecated in favor of stronger algorithms after researchers found SHA-1 was vulnerable to spoofing. The company has since upgraded its password hashing to the stronger SHA-2 algorithm.

Hostinger said the API database stored about 14 million customer records. The company has more than 29 million customers on its books.

The company said it was “in contact with the respective authorities.”

An email from Hostinger explaining the data breach. (Image: supplied)

News of the breach broke overnight. According to the company’s status page, affected customers have already received an email to reset their passwords.

The company said that financial data was not compromised, nor were customer website files or data affected.

But one customer who was affected by the breach accused the company of being potentially “misleading” about the scope of the breach.

A chat log seen by TechCrunch shows a customer support representative telling the customer it was “correct” that customers’ financial data can be retrieved by the API but that the company does “not store any payment data.” Hostinger uses multiple payment processors, the representative told the customer, but did not name them.

Chief executive Balys Kriksciunas told TechCrunch that the remarks made by the customer support representative were “misleading” and denied any customer financial data was compromised. A company investigation into the breach, however, remains under way.

Updated with remarks from Hostinger.