[BreachExchange] MobiFriends data on 3.6 million users available for download online
Destry Winant
destry at riskbasedsecurity.com
Fri May 15 10:42:35 EDT 2020
https://www.scmagazine.com/home/security-news/mobifriends-data-on-3-6-million-users-available-for-download-online/
The leaked personal data of more than 3.6 million users registered on
dating site MobiFriends was made all the more vulnerable because the
site used the notoriously weak MD5 hashing.
“It is always troubling to hear about passwords being stolen in a data
breach, especially when the stolen passwords are hashed with MD5,which
is infamous for no longer being cryptographically secure,” said
ForgeRock Senior Vice President Ben Goodman. He pointed out that four
of five global breaches stem from weak or stolen passwords with the
problem exacerbated by users reusing username and password
combinations.
In this case, the compromised user credentials could unlock nearly 10
million accounts due to rampant password reuse,” said Vinay Sridhara,
CTO at Balbix , citing a recent company report that “found that the
average password is reused 2.7 times, and the average user is sharing
8 passwords between work and personal accounts.”
The information posted online – including mobile numbers, usernames,
birthdates and app activity – was nicked during a January 2019 breach.
”The leaked data sets are currently available in a non-restricted
manner despite being originally offered for sale,” according to
researchers at Risk Based Security (RBS).
“The compromised data sets were originally posted for sale on a
prominent deep web hacking forum on January 12th, 2020 by a threat
actor named ‘DonJuji’ and attributed to a January 2019 breach event,”
the researchers wrote in a blog post, noting another threat actor on
the same forum shared the data “in a non-restricted manner” April 12
of this year.
Some of the information came from professional email accounts
associated with American International Group (AIG), Experian, Walmart,
Virgin Media and other Fortune 1000 companies.
“It appears that at least some MobiFriends employees used their work
email addresses as well, so it’s entirely likely that full login
credentials for employee accounts are amongst the nearly 4 million
sets of compromised credentials,” said Sridhara.
Fausto Oliveira, principal security architect at Acceptto, said that
threat actors were able to access the data in the first place, and
went undetected until the data appeared on the Internet, raises
questions about how strong the security controls were that protected
that data.”
More information about the BreachExchange
mailing list