[BreachExchange] Japanese hosting company Kagoya hacked; credit card data stolen

Audrey McNeil audrey at riskbasedsecurity.com
Fri Dec 9 13:58:55 EST 2016


https://www.hackread.com/japanese-hosting-company-kagoya-hacked/

Kagoya, a famous hosting service provider in Japan, has suffered a security
breach in which personal and financial data of its customers was stolen.

In an email to its customers, Kagoya stated that the attack was discovered
this month after an in-house screening, which revealed that customers who
used their credit cards between April 1, 2015, and September 21, 2016, are
among those impacted.

A total of 48,685 customers had their personal information stolen, while
20,809 customers had their credit card data stolen.

The stolen data includes name (cardholder name), address, phone number,
e-mail address, contract account name, password, credit card number and
expiration date. What is worse, a user on another web hosting forum is
claiming that all leaked data was in plain-text format.

The email further revealed that unknown hackers were able to exploit a
vulnerability and conduct an OS command injection attack. In a command
injection attack, the attacker supplies operating system commands through a
web interface so that they are executed on the web server. Any web
interface that does not properly sanitize its input is subject to this
exploit. In Kagoya’s case, the attackers were able to access its database
and steal thousands of accounts.

Kagoya has reported the incident to local police and is urging its
customers to keep an eye on their credit card transactions and inform their
bank of any suspicious activity.

According to Alexa, Kagoya’s site is among the top 4,000 sites in Japan,
hinting at a large customer base. At the time of publishing this article,
Kagoya’s website was offline.

This is not the first time hackers have successfully stolen credit card
data of users in Japan. In May 2016, hackers were able to steal 1.44
billion yen ($13 million) from 1,400 ATMs across the country in just 2½
hours.

In June 2016, Japan Pension Service suffered a massive security breach in
which 1.25 million people were affected.
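
The OS command injection mechanism the article describes, shown as an added Python example for defenders; it is not code from Kagoya, the article or this list. `echo` stands in for whatever OS command a web interface might run, and the function names and sample input are constructed for illustration.

```python
import re
import subprocess

# Constructed sample input: a hostname, a shell metacharacter, then a second command.
SAMPLE_INPUT = "example.com; echo INJECTED"

# Allowlist of hostname characters. The first character must be alphanumeric,
# so the value can never be read as a command-line option such as "-n".
HOSTNAME_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9.-]{0,251}[A-Za-z0-9])?")


def vulnerable_lookup(host: str) -> list[str]:
    """Weak pattern: input is concatenated into a string that /bin/sh parses."""
    proc = subprocess.run("echo lookup " + host, shell=True,
                          capture_output=True, text=True, check=True)
    return proc.stdout.splitlines()


def argv_lookup(host: str) -> list[str]:
    """No shell: the input is one argv element, so ';' is just a character."""
    proc = subprocess.run(["echo", "lookup", host],
                          capture_output=True, text=True, check=True)
    return proc.stdout.splitlines()


def hardened_lookup(host: str) -> list[str]:
    """Validate against the allowlist first, then run without a shell."""
    if not HOSTNAME_RE.fullmatch(host):
        raise ValueError(f"rejected input: {host!r}")
    return argv_lookup(host)


if __name__ == "__main__":
    print("shell string:", vulnerable_lookup(SAMPLE_INPUT))
    print("argv list:   ", argv_lookup(SAMPLE_INPUT))
    try:
        hardened_lookup(SAMPLE_INPUT)
    except ValueError as exc:
        print("hardened:    ", exc)
    print("hardened ok: ", hardened_lookup("example.com"))
```

The first call returns two output lines because the shell ran a second command; the argv form returns the whole input as one literal line, and the hardened form rejects it before any process starts.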