This week, we look at data breaches affecting the entire Mexican voter database, the exclusive online dating site BeautifulPeople.com, and the Minecraft ‘Lifeboat’ community…
Hello and welcome to the IT Governance podcast for Friday, 29th April. Here are this week’s stories.
A security researcher has found the entire Mexican voter database – some 93.4 million voter registration records – on a publicly accessible Amazon Cloud server.
Chris Vickery of Kromtech found the database via Shodan (a search engine popular with cyber security professionals and criminal hackers alike that collects data from any device with an Internet interface – such as web servers, routers and webcams).
The data included voters’ names, addresses, dates of birth, occupations and unique voting credential codes. Vickery explained: “There was no password or authentication of any sort required. It was configured purely for public access.”
The Mexican National Electoral Institute confirmed that the data was legitimate, saying that “An internal investigation has been launched and the case has been reported to the special prosecutor for electoral crimes.” The database has been removed from the server in question.
This isn’t the first time Mexican voters have had their personal details passed into the wrong hands: in 2003, ChoicePoint managed to get hold of the Mexican voter database in exchange for $250,000.
It emerged this week that BeautifulPeople.com – an online dating site that caters only for particularly pulchritudinous punters – has suffered a data breach affecting 1.2 million members. Personal data now being sold online, according to Troy Hunt’s haveibeenpwned.com, includes dates of birth, email addresses, genders, geographic locations, names, passwords and an awful lot more besides.
Beautiful People confirmed in a statement to Forbes that the breach occurred last December, saying: “The breach involves data that was provided by members prior to mid July 2015. No more recent user data or any data relating to users who joined from mid July 2015 onward is affected. […] The data does not contain any credit card information and user passwords are encrypted.”
No stranger to cyber security matters, Beautiful People once claimed that its site had “been hit by a virus that allowed 30,000 ‘ugly’ people to invade the site” as a publicity stunt.
BeautifulPeople aren’t the only ones to lose personal information: seven million members of the Minecraft ‘Lifeboat’ community were also affected by a data breach, in which their email addresses, usernames and passwords – which, to make matters worse, were hashed with the notoriously weak MD5 algorithm – were swiped by hackers in January. (For older listeners, Minecraft is a bit like online Lego. No, me neither.)
When questioned about the incident this week, Lifeboat told Vice’s Motherboard: “When this happened [in] early January we figured the best thing for our players was to quietly force a password reset without letting the hackers know they had limited time to act.” In other words, Lifeboat members weren’t told that their accounts were at risk. And some told Motherboard that their passwords weren’t reset at all.
Even more unfortunately for them, if they reused their login information on other sites, those accounts could have been compromised too. That said, they would’ve been foolish to do so: leaving aside the well-known dangers of password reuse, Lifeboat’s Getting Started guide gives some pretty ropey password advice in the first place, saying “we recommend short, but difficult to guess passwords. This is not online banking”.
Well, that’s it for this week. Until next time, remember that you can keep up to date with the latest information security news on our blog. And whatever your cyber security needs – whether regulatory compliance, stakeholder reassurance or just greater business efficiency – IT Governance can help your organisation to protect, comply and thrive. Visit our website for more information: itgovernance.co.uk.