[BreachExchange] Quora, Marriott, Facebook and Huazhu Hotels – Another Matrix Moment?

Destry Winant destry at riskbasedsecurity.com
Thu Dec 6 00:18:31 EST 2018


https://www.riskbasedsecurity.com/2018/12/quora-marriott-facebook-and-huazhu-hotels-another-matrix-moment/

Data breach announcements have been coming out at a fast and furious
pace lately – and not just the run-of-the-mill pilfering of payment
data from e-commerce sites or phishing for access to employees’ email
accounts. Year to date, the Cyber Risk Analytics breach research team
has cataloged over 5,000 breach events, making it the second most
active year for breach disclosures since 2005.  While the team at Risk
Based Security is accustomed to a certain amount of fluctuation in
breach activity from month to month, the collective hair on the back
of our necks has been standing at attention since October, accompanied
by a nagging feeling that something different is going on.

And it’s not just the number and frequency of breaches that have caught
our attention. It’s the nature of certain incidents that has us
wondering if we are seeing a concerted effort to steal more data
useful for spying, espionage and misinformation campaigns.

State-sponsored malicious activity is nothing new.  North Korean
actors have been accused of everything from cracking into Sony
Pictures Entertainment potentially out of spite to launching 2017’s
WannaCry ransomware campaign in an effort to generate hard currency
for the regime. The news cycle continues to spin around the latest
revelations from the FBI’s Special Counsel investigation, which was
launched in response to allegations of Russian interference in the
2016 presidential election. And it was only last week that two Iranian
men were indicted by the Department of Justice for allegedly creating
and launching SamSam ransomware. Although to be fair, the two
individuals were not expressly linked to the Iranian state.

So why is there a nagging feeling that something more is afoot?
Consider these events:

August 28, 2018 – Huazhu Hotels Group, one of China’s largest hotel
chains, discloses that 240 million records had been compromised,
exposing the following data:

Customer names
Home addresses
Phone numbers
Email addresses
Bank account numbers
Passwords
Booking details (check-in, departure, hotel location, room number)

Other than the large number of records exposed, the incident doesn’t
really stand out as especially intriguing. Like so many other events,
the breach was discovered after data popped up for sale on a dark web
forum. Researchers close to the event believe that the information
originated from database backups uploaded by developers to a poorly
secured GitHub account, a sadly common data mishandling mistake. The
only detail to strike us as slightly odd – why would 240 million
records with financial data on as many as 130 million individuals be
offered up for sale for a mere 8 Bitcoin (and Bitcoin’s value isn’t
what it used to be at the start of 2018) and later lowered to all of 1
Bitcoin after the news broke? That seems like quite a deal. Unless
perhaps selling the data was an afterthought?

September 28, 2018 – Facebook makes headlines once again with
30,000,000 records exposed, including:

Names
Email addresses
Phone numbers
Usernames
Dates of birth
A host of demographic information gleaned from user profiles.

This time, hackers took advantage of a combination of vulnerabilities
in the “View As” feature.
Wired magazine reported:

“Facebook says it is cooperating with the FBI, and can’t reveal any
findings about the identity of the hackers or their possible
motivations, but the attack seems to have been well-coordinated, with
the right infrastructure in place to quickly begin fanning out and
exfiltrating data. The attackers used a group of established seed
accounts that they controlled to exploit the vulnerabilities and steal
access tokens from their accounts’ friends, friends of friends, and so
on.”

While they may not be disclosing possible motivations, it is clear the
attackers were targeting profile information. To date, no information
has surfaced indicating this data has been offered for sale or
monetized in some fashion.

November 30, 2018 – As many as 500,000,000 records are taken from
Starwood Hotels’ customer loyalty program, including:

Names
Addresses
Email addresses
Passport numbers
Dates of birth
Genders
Booking details (arrivals, departures, reservation dates and
  communication preferences)
A lesser amount of payment card data

It appears that attackers were in the Starwood system as early as 2014
and were only discovered in September of this year. Similar to Facebook,
there is no indication the data has been offered for sale or otherwise
monetized. If attackers were after easily monetized data such as
payment card details, then,

a)   Why sit on data with a somewhat limited shelf life for so many years; and
b)   With such complete access, why focus on the booking information
over financial data?

December 3, 2018 – Now comes the Quora announcement that 100,000,000
account holder records were compromised by hackers, including:

Names
Email addresses
Encrypted passwords
IP addresses
User IDs
Account settings
Data imported from linked networks such as contacts, demographic
  details, and interests.

Quora has not confirmed when the intrusion first occurred, so it is
difficult to know how long attackers were mining this information.
What really caught our attention with Quora was the revelation that
the data was linked to social networking accounts.

Still not convinced that there may be more sinister motives at work here?

We offer up these tantalizing observations for your consideration:

If an organization wanted to track individuals’ movements on a large
  scale, where is a good place to look? Hotel booking data.
If an organization wanted to understand connections between
  individuals, where do you go? Social media platforms like Facebook.
If an organization wanted to try to link this data together, what data
  point is likely to be most useful and accessible? Email addresses.
What is even more useful for linking all this together? Email address
  AND data from linked social networks.

We don’t know who is responsible for these events. We don’t know why
they targeted these organizations. And we certainly do not have
evidence linking these breaches together in any way.

So what can we say definitively?

We can say without a doubt that we have witnessed the compromise of
some truly massive and unique databases this year; that the data
contained in these databases is estimated to be less valuable on the
black market than other data types useful for identity theft; and
that, if linked together, this is the type of data that can provide
profound insight into people’s movements and connections.

Our research team will continue to watch these and new events as they
unfold. If any of our speculative musings come to pass, we will
certainly update this post. And if we are wildly mistaken, well, we’ll
own that too, but it won’t stop us from sharing our unique insights
with our loyal readers as this isn’t the first time we’ve seen a
glitch in the matrix!

