Research Team Analysis

WEEKLY REVIEW FROM THE BREACHAWARE RESEARCH TEAM
Share this analysis

24,556,799 leaked accounts discovered by the BreachAware® Research Team last week.

08 May 2022

A total of 13 breaches were found and analysed resulting in 24,556,799 leaked accounts containing a total of 9 different data types. The breaches found publicly and freely available included Gecko Super VPN, GoGames, Y Can Tho, Xfinity and Wintip. Sign in to view the full BreachAware Breach Index which includes, where available, reference articles relating to each breach.

COMMENTARY

An article this week by The Daily Swig reported a data breach on a USA regional Utility Company. What prompted our interest? Within the data types exposed were card CVVs. We do not often see CVV data types as they are considered 'Sensitive Authentication Data' and are therefore subject to PCI-DSS Compliance.

The Payment Card Industry - Data Security Standard (PCI-DSS) requirement 3.2 states that Sensitive Authentication Data can never be stored after authorisation is completed. This means that the data can be collected for the purposes of authorising a payment transaction, but must be deleted once authorisation is completed. Encryption of this data is not sufficient; all data must be securely deleted so that it is unrecoverable. (Source: globapayments Intergrated and highlighted by Michael Smith, Cyber Security Consultant, Washington).

An older breach has started to circulate on the underground forums, a combo list of free VPN Services; GeckoVPN, SuperVPN and ChatVPN where 21 million mobile VPN app users were swiped and advertised for sale in early 2021. This data is now free to download on various forums so the assumption is that hackers have exploited the commercial value of this data hence its free availability.

Advertising companies have had several notable data breaches in the past few years, but this recent 250GB dump is definitely a formidable one. We are currently assessing the data and whether it is linked to a previous breach.

The company in question analyses and sells customer and business data with a large variety of datasets included in this breach, along with some datasets we don’t see every day such as recent mortgage interest rates and whether a person owns a computer.

A second Nestle data list of individuals, we assume from groups targeting western companies still operating in Russia, was uploaded, together with a tech forum, education, oil industry and retail domains.

DATA CATEGORIES DISCOVERED

Contact Data, Technical Data, Usage Data, Locational Data.

  • Key Statistics
  • Breaches Discovered
    13
  • ACCOUNTS DISCOVERED
    24,556,799
  • DATA TYPES DISCOVERED
    9