ZDNet has reported that EatStreet, an online and mobile food ordering service, disclosed today a security breach that took place last month, during which a hacker stole the company's database, complete with customer and partner details. ZDNet learned that the hacker responsible for this breach is Gnosticplayers, who previously breached many other online services, including big names such as Canva, 500px, Under Armour, ShareThis, Gfycat, Ge.tt, Evite, and others.
For customers who ordered food through the EatStreet app and website, this included names, credit card numbers, expiration dates, card verification codes, billing addresses, email addresses, and phone numbers.
Israel Barak, Chief Security Officer at Cybereason:
“With it appearing that more than 1 billion records have been stolen from dozens of companies, the hacker has thus far achieved a level of notoriety not easily achievable. The startling admission by so many companies that they have been breached again sheds light on the advantage hackers have today against the vast majority of companies. It is time for all organisations to take a post-breach mindset, as inevitably adversaries will successfully breach every organisation. There is no shame in being breached, but it is unacceptable today to be using antiquated tools for discovery and adhering to outdated policies to protect personally identifiable information. This is again a wake-up call to the industry to implement threat hunting capabilities. Build a security team now to make it easier to detect and remediate breaches and reduce the risk against your organisation before you are making headlines for the wrong reasons.”
“These types of hackers are very skilled and know all the weaknesses of systems, but they will move on to an easier target if it takes too much effort to get to the crown jewels. Ways to make yourself a difficult target are:
Education – get your user base to understand the simple steps they can take to help security and above all ensure they know that it is in their best interest to work securely (company health, job security, their data is also a target)
Strengthen authentication – either in the form of better password policy, multifactor authentication, adaptive authentication, or all of the above
Privileged Access Management – the ultimate goal is to always protect admin credentials: the better and more complete your PAM program is, the safer your systems are. In this case, the breach was probably allowed to continue for as long as it did because the PAM program was lacking session audit and analytics, which would have detected the anomalous activity and would have been able to shut it down before damage was done.”
Shlomie Liberow, Technical Program Manager at HackerOne:
“Attacks such as this really highlight the damage that can be caused in a short period of time. We work with hundreds of thousands of hackers who look at how they can best protect information rather than seek to exploit it, working with the organisation to fix any software issues before malicious attackers can take advantage. Organisations in return can make this process easy and transparent by implementing a clear Vulnerability Disclosure Policy that sets out the exact terms of engagement that enable ethical hackers to disclose any potential risks they find.”
“Delivery services and restaurant partners are also affected by this breach, proving that security stretches beyond their own control and to their supply chain. When a business relationship is formed, security – a major form of risk – must be taken into consideration since it can ultimately affect the relationship. For this reason, companies need to vet their partners from a security perspective, checking their security posture, practices and procedures. They should then work with the partner to close any gaps prior to onboarding. Once onboarded, the companies still need to continue with monitoring their partners to avoid any future mishap as security must be seen as an ongoing process.”
“The case of the Eatstreet breach is a doomsday scenario for the average consumer where a service was used for convenience or necessity, and ended up causing a major threat to the consumer’s interests: “I just wanted some food delivery, and now my banking information etc. may have been compromised.” With the number of mobile or cloud-based consumer services a person leverages day-to-day, and the two-week time-to-detect for complete access to a database that contains some of the most sensitive PII, this event shows that consumers deserve organizations who will proactively hunt for threats to minimize the risk to consumer data.”
Will LaSala, Director of Security Solutions, Security Evangelist at OneSpan:
“Sending passwords in the clear is not strong authentication. No matter what carriers and/or operating system providers might do, the fundamental system of sending an SMS containing a password in it is flawed. Stories like this grab headlines because they state that ‘multi-factor authentication has been cracked.’ This situation, however, isn’t arising due to a failure of multi-factor authentication; it’s due to weaknesses of single-factor authentication – that one factor being something a user has (i.e. their phone). True 2FA systems would combine the something-you-have factor with either something you know or something you are (biometrics). True MFA systems are all too often overlooked by app developers in favor of more simplistic solutions. SMS should be relinquished to doing what it was meant to do, notifying users that they have something they need to respond to – it should not be considered a secure and private communications channel.
“There are other mechanisms that can securely generate and deliver OTPs after a notification has been responded to, that do not open the user up to these styles of attack. Leveraging MFA and employing the right authentication factor, at the right time in the process, is key to any true mobile application security strategy.”