Over a terabyte of customer data, along with various sensitive documents, were stolen.
22 May 2023BREACHAWARE HQ
A total of 20 breach events
were found and analysed resulting in 2,551,645 exposed accounts
containing a total of 21 different data types of personal datum
. The breaches found publicly and freely available included RentoMojo, QIP IM, Annex Trades, United States Postal Service and Eternity Modern. Sign in to view the full
library of breach events which includes, where available, reference articles relating to
each breach.
Categories of Personal Data Discovered
Technical Data, Contact Data, Locational Data, Special Category, Socia-Demographic Data, National Identifiers, Social Relationships Data, Financial Data, Documentary Data.
Data Breach Analysis
RentoMojo, a furniture and appliance rental platform in India, likely stores user data related to delivery addresses, contact details, and payment information. A breach here could disrupt trust in subscription-based service models and open up opportunities for impersonation or fraudulent delivery communications.QIP IM, a once-popular Russian instant messaging service, may have exposed chat metadata or login credentials. This type of platform, though less mainstream now, can still pose serious privacy risks if access to historical communications or user identities is compromised.
Annex Trades, which appears to operate in global commodities or trading services, could carry both personal and professional data of clients and partners. A breach here might expose sensitive B2B relationships, impacting business confidentiality and potentially facilitating spear-phishing attacks.
The inclusion of the United States Postal Service (USPS) is especially noteworthy due to its role as a critical infrastructure entity. While publicly available breach data may not necessarily be current, any compromise of postal account data, such as addresses, mail tracking, or redirection settings, could have wide-reaching effects, including identity theft or mail fraud.
Eternity Modern, a furniture and home decor retailer, likely maintains customer records tied to large-item purchases. Data from such vendors can be valuable to attackers looking to target affluent consumers or launch phishing campaigns disguised as shipping or support correspondence.
Spotlight
The backend of an Italian motorcycle company website has been posted to a dark web forum. Although on the smaller side of things, the data contains a large amount of different types of data about its users. The Italian company has been growing rapidly, from running a shop on the high street to selling online and now having its own eBay store. They pride themselves on being a "real shop created by enthusiasts for enthusiasts!"An online clothing site based in Mumbai, India that caters mostly to women's clothes and lingerie has suffered a data breach. As well as a website, they also have an app available on iOS and Android, boasting over ten million downloads on the store. The data is currently for sale on a popular hacking platform, so we haven’t been able to analyse the whole breach; however, a sample has been posted publicly. It includes the core data types that one would expect, we’re not sure when we’ll see the whole data breach shared publicly, it could be a matter of days or years. There doesn’t appear to be any comment from the company in question regarding the breach.
Following a ransomware attack an Indonesian bank told its customers that the interruptions to its service were from maintenance. However, it turns out that around 1.5 terabytes of customer data, along with various other sensitive documents, were stolen.
Vulnerability Chat
A Russian ransomware gang member who has been linked to several ransomware gangs and their tactics of encrypting victims devices has been named, along with pictures of him posted to the FBI wanted list. He is wanted for a whole host of crimes, such as intentional damage to a protected computer and computer intrusion. Apparently, the FBI issued a $10 million reward for his arrest. We doubt that will happen given that he's a Russian national, unless he makes the mistake of boarding a plane to a destination outside Russia.What appears to be a blunder from the French authorities or the shape of things to come has seen the telegram URL link blocked by ISPs (Internet service providers). The URL t.me, which is used to direct users to Telegram, was blocked last week across France. The authorities were trying to block a certain telegram channel that was sharing child abuse material. However, they gave an order to block the entire telegram by accident. The URL was blocked for several hours last Saturday.
Information Privacy Headlines
Sports data, concerning how player data is collected and shared took centre stage at the first FIFPRO Player IQ Tech Experience. David Murphy, Deputy Commissioner of the Irish Data Protection Commission said it was eye-opening to learn the extent to which footballers are surveilled when it comes to collecting their data. The event highlighted the need for professional footballer to have more control on how their data is collected and used.Looks like Facebook (Meta) is to be fined more than £650 million and ordered to suspend data transfers to the US following the much talked about mishandling of user information. The fine could be a record for the EU's general data protection regulation which is currently held by Amazon who were punished 2021.
Smarter Privacy Starts with Awareness
Data Breach Scan, Check Any Domain for Free https://breachaware.com/scan