News & Analysis

Comment: EatStreet Food Ordering Service Discloses Security Breach

By ISBuzz Team, June 19, 2019 (updated July 4, 2024)

ZDNet has reported that Eatstreet, an online and mobile food ordering service, disclosed today a security breach that took place last month and during which a hacker stole the company’s database, complete with customer and partner details. ZDNet learned that the party responsible for this breach is Gnosticplayers, a hacker who previously breached many other online services, including big names such as Canva, 500px, UnderArmor, ShareThis, GfyCat, Ge.tt, Evite, and others.

For customers who ordered food through the EatStreet app and website, this included names, credit card numbers, expiration dates, card verification codes, billing addresses, email addresses, and phone numbers.  

Israel Barak, Chief Security Officer at Cybereason:

“With it appearing that more than 1 billion records have been stolen from dozens of companies, the hacker has thus far achieved a level of notoriety not easily achievable. The startling admission by so many companies that they have been breached again sheds light on the advantage hackers have today against the vast majority of companies. It is time for all organisations to take a post breach mindset as inevitably adversaries will successfully breach every organisation. There is no shame in being breached, but it is unacceptable today to be using antiquated tools for discovery and adhering to outdated policies to protect personal identifiable information. This is again a wake up call to the industry to implement threat hunting capabilities. Build a security team now to make it easier to detect and remediate breaches and reduce the risk against your organisation before you are making headlines for the wrong reasons.”   

Todd Peterson, IAM Evangelist at One Identity: 

“These types of hackers are very skilled and know all the weaknesses of systems, but they will move on to an easier target if it takes too much effort to get to the crown jewels. Ways to make yourself a difficult target are: 

  1. Education – get your user base to understand the simple steps they can take to help security and above all ensure they know that it is in their best interest to work securely (company health, job security, their data is also a target) 
  2. Strengthen authentication – either in the form of better password policy, multifactor authentication, adaptive authentication or all of the above 
  3. Privileged Access Management – the ultimate goal is always to protect admin credentials: the better and more complete your PAM program is, the safer your systems are. In this case, the breach was probably allowed to continue for as long as it did because the PAM program was lacking session audit and analytics, which would have detected the anomalous activity and would have been able to shut it down before damage was done.” 

Shlomie Liberow, Technical Program Manager at HackerOne: 

“Attacks such as this really highlight the damage that can be caused in a short period of time. We work with hundreds of thousands of hackers who look at how they can best protect information rather than seek to exploit it, working with the organisation to fix any software issues before malicious attackers can take advantage. Organisations in return can make this process easy and transparent by implementing a clear Vulnerability Disclosure Policy that sets out the exact terms of engagement that enable ethical hackers to disclose any potential risks they find.” 

Matan-Or-El, CEO at Panorays: 

“Delivery services and restaurant partners are also affected by this breach, proving that security stretches beyond their own control and to their supply chain. When a business relationship is formed, security – a major form of risk – must be taken into consideration since it can ultimately affect the relationship. For this reason, companies need to vet their partners from a security perspective, checking their security posture, practices and procedures. They should then work with the partner to close any gaps prior to onboarding. Once onboarded, the companies still need to continue with monitoring their partners to avoid any future mishap as security must be seen as an ongoing process.” 

Colin Little, Senior Threat Analyst at Centripetal Networks:

“The case of the Eatstreet breach is a doomsday scenario for the average consumer where a service was used for convenience or necessity, and ended up causing a major threat to the consumer’s interests: “I just wanted some food delivery, and now my banking information etc. may have been compromised.” With the number of mobile or cloud-based consumer services a person leverages day-to-day, and the two-week time-to-detect for complete access to a database that contains some of the most sensitive PII, this event shows that consumers deserve organizations who will proactively hunt for threats to minimize the risk to consumer data.” 

Will LaSala, Director of Security Solutions, Security Evangelist at OneSpan:

“Sending passwords in the clear is not strong authentication. No matter what carriers and/or operating system providers might do, the fundamental system of sending an SMS containing a password in it is flawed. Stories like this grab headlines because they state that “multi-factor authentication has been cracked.” This situation, however, isn’t arising due to a failure of multi-factor authentication, it’s due to weaknesses of single factor authentication – that one factor being something a user has (i.e. their phone). True 2FA systems would combine the something you have factor with either something you know or are (biometrics). True MFA systems are all too often overlooked by app developers in favor of more simplistic solutions. SMS should be relinquished to doing what it was meant to do, notify users that they have something they need to respond to – it should not be considered a secure and private communications channel.

“There are other mechanisms that can securely generate and deliver OTPs after a notification has been responded to, that do not open the user up to this style of attack. Leveraging MFA and employing the right authentication factor, at the right time in the process, is key to any true mobile application security strategy.”
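The comment above draws the line between a single "something you have" factor delivered over SMS and a true two-factor check that pairs it with "something you know". The following Python is an added illustration written for this page; it is not code from OneSpan or from any of the services mentioned. It verifies a salted PBKDF2 password hash (something you know) together with an RFC 6238 TOTP code generated on the user's device (something you have), and accepts a login only when both pass. The user record, the password and the TOTP secret (the RFC 4226/6238 test-vector seed) are constructed for the demo and are not real credentials.

```python
import hashlib
import hmac
import secrets
import struct
from typing import Optional, Tuple

# Constructed demo secret: the RFC 4226 / RFC 6238 test-vector seed, not a real credential.
DEMO_TOTP_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, for_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP keyed on the number of 30-second steps since the epoch."""
    return hotp(secret, int(for_time) // step, digits)


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest) for storage."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)
    return salt, digest


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected)


def verify_totp(secret: bytes, code: str, now: int, step: int = 30, window: int = 1) -> bool:
    """Accept the current step and +/- `window` adjacent steps to tolerate clock drift."""
    step_index = int(now) // step
    return any(
        hmac.compare_digest(hotp(secret, step_index + d), code)
        for d in range(-window, window + 1)
    )


def two_factor_login(user: dict, password: str, code: str, now: int) -> bool:
    """Both factors are always evaluated, then combined, so a failure of one
    does not short-circuit and reveal which factor was wrong."""
    pw_ok = verify_password(password, user["salt"], user["pw_hash"])
    otp_ok = verify_totp(user["totp_secret"], code, now)
    return pw_ok and otp_ok


def make_demo_user(password: str = "correct horse battery staple") -> dict:
    """Constructed user record: hashed password plus an enrolled TOTP secret."""
    salt, digest = hash_password(password)
    return {"salt": salt, "pw_hash": digest, "totp_secret": DEMO_TOTP_SECRET}


if __name__ == "__main__":
    user = make_demo_user()
    t = 59  # RFC 6238 test time; the device-side code at this instant is "287082"
    print("both factors:", two_factor_login(user, "correct horse battery staple", totp(DEMO_TOTP_SECRET, t), t))
    print("code only:   ", two_factor_login(user, "wrong password", totp(DEMO_TOTP_SECRET, t), t))
    print("password only:", two_factor_login(user, "correct horse battery staple", "000000", t))
```

The point the example makes is that the OTP never travels over SMS: it is derived on the device from a secret enrolled once, and a stolen or intercepted code is useless without the password, just as a leaked password is useless without the device. The drift window of one step is a usability choice; widening it increases the number of codes accepted at any instant.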

The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.
