What Expert Says On 500,000+ Bitbucket Hosts Have Been Infected With Malware

Tens of thousands of Brazilian soccer fans have been exposed as a publicly-accessible cloud storage bucket leaked several gigabytes of data with sensitive information stretching back several years.

Personal data belonging to supporters of a number of Brazilian organisations was involved in the incident, but the vast majority of the individuals exposed are fans of São Paulo-based soccer team Palmeiras, one of the country’s most popular and successful clubs, with around 18 million supporters nationwide.

The 25GB sample analysed contained a myriad of CSV files listing tens of thousands of names, contact details, dates of birth, marital status, social security numbers, payment method used for the membership subscription and even details such as shirt sizes and a log of comments fans made when signing up.
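The leak described above is the classic misconfiguration: a storage bucket whose policy or ACL lets anonymous callers list and fetch objects. The article does not name the provider, so the following is an added example (not from the article, the club, or any vendor) that assumes an AWS S3 bucket and audits the three controls that decide exposure offline: the bucket policy, the bucket ACL, and the account/bucket Public Access Block flags. The bucket name, account id and role name are made up, and the policy and ACL documents are constructed for the example.

```python
# Added example: offline audit of an S3-style bucket for anonymous read.
# Provider (AWS S3), bucket name, account id and role name are assumptions;
# the policy and ACL documents below are constructed sample input.
import json

PUBLIC_ACL_GROUPS = (
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
)
# Actions that let a principal enumerate or fetch objects (lower-cased).
READ_ACTIONS = {"s3:*", "s3:get*", "s3:getobject", "s3:listbucket"}


def _as_list(value):
    """IAM documents allow a scalar wherever a list is allowed."""
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal):
    """True for Principal "*" or Principal {"AWS": "*"} (anonymous)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def _grants_read(actions):
    return any(a.lower() in READ_ACTIONS for a in _as_list(actions))


def policy_findings(policy):
    """One finding per Allow statement that gives anonymous read access."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_public(stmt.get("Principal")):
            continue
        if not _grants_read(stmt.get("Action", [])):
            continue
        findings.append({
            "statement": i,
            "resource": stmt.get("Resource"),
            # A Condition may narrow the grant (e.g. to a source IP); it is
            # reported rather than ignored so a human reviews it.
            "conditional": bool(stmt.get("Condition")),
        })
    return findings


def acl_findings(grants):
    """ACL grants made to the AllUsers or AuthenticatedUsers groups."""
    return [
        {"group": g["Grantee"]["URI"].rsplit("/", 1)[-1],
         "permission": g.get("Permission")}
        for g in grants
        if g.get("Grantee", {}).get("Type") == "Group"
        and g["Grantee"].get("URI") in PUBLIC_ACL_GROUPS
    ]


def audit_bucket(policy, grants, public_access_block=None):
    """Combine policy, ACL and Public Access Block into one verdict."""
    pab = public_access_block or {}
    pol = policy_findings(policy)
    acl = acl_findings(grants)
    # RestrictPublicBuckets neutralises a public bucket policy for anonymous
    # callers; IgnorePublicAcls neutralises public ACL grants.
    exposed = (bool(pol) and not pab.get("RestrictPublicBuckets")) or (
        bool(acl) and not pab.get("IgnorePublicAcls"))
    return {"policy": pol, "acl": acl, "exposed": exposed}


# Constructed sample inputs (bucket, account id and role are hypothetical).
LEAKY_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow", "Principal": "*",
                 "Action": ["s3:GetObject", "s3:ListBucket"],
                 "Resource": "arn:aws:s3:::example-fan-data/*"}]
}""")
LEAKY_ACL = [{"Grantee": {"Type": "Group", "URI": PUBLIC_ACL_GROUPS[0]},
              "Permission": "READ"}]
FIXED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow",
                 "Principal": {"AWS": "arn:aws:iam::123456789012:role/membership-app"},
                 "Action": "s3:GetObject",
                 "Resource": "arn:aws:s3:::example-fan-data/*"}]
}""")
FULL_BLOCK = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
              "BlockPublicPolicy": True, "RestrictPublicBuckets": True}

if __name__ == "__main__":
    print("leaky:", audit_bucket(LEAKY_POLICY, LEAKY_ACL))
    print("fixed:", audit_bucket(FIXED_POLICY, [], FULL_BLOCK))
```

The verdict deliberately treats Public Access Block as a backstop rather than a substitute: a public policy is still reported even when `RestrictPublicBuckets` masks it, because the next account-level change can unmask it. In practice the same three documents come from `get-bucket-policy`, `get-bucket-acl` and `get-public-access-block`, and the check belongs in CI or a scheduled audit, not a one-off review.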

https://twitter.com/marketemia/status/1225336991685980161

3 Expert Comments
Peter Draper, Technical Director, EMEA
InfoSec Expert
February 6, 2020 2:20 pm

This breach is another example of how in today’s digital world an increasing volume of personally identifying information is being harvested whenever we interact with organisations online. If this data isn’t strongly secured, and it often isn’t, the information can easily end up in the hands of cyber criminals or on the dark web. The type of data exposed – names, dates of births, social security numbers – is a treasure trove for cyber criminals to launch phishing attacks or other sophisticated social engineering exploits that can lead to fraud and identity theft.

Niamh Muldoon, Senior Director of Trust and Security, EMEA
InfoSec Expert
February 6, 2020 2:15 pm

This latest data breach highlights the importance of access control, especially multi-factor authentication, and how access control protects Information Assets for organizations and individuals. Data types including customer info, employee PII, financial and health related data also have regulatory and compliance requirements that need to be met. These can be met by following these steps:

(1) Identify all of the organisation's Information Assets.

(2) Carry out a Business Impact Assessment on their value (quantitative value).

(3) Starting with the highest-valued Information Assets, list/document their information management life cycle from system of entry to processing system, including reporting systems. The scope of this exercise should include on-premise and cloud-based applications.

(4) Ensure the same level of Access Control is applied to the Information Asset throughout its lifecycle from system to system, including back-up and archive environments.

(5) Review Access Control regularly.

Erich Kron, Security Awareness Advocate
InfoSec Expert
February 6, 2020 11:41 am

This is an example of people being tempted with a free ride, but ending up in a bad place. Using the promise of free software that is otherwise rather expensive, these attackers are using our human nature against us in order to drop some pretty nasty malware onto people's computers. This type of emotional manipulation is common in phishing attacks, such as the long-running Nigerian Prince scam, where something valuable is offered for nothing.

People need to be reminded that downloading "cracked" software is likely to carry a significant cost of its own in the long run. Instead, if a person really needs the software, they can look at subscription models, possible employer participation in programs that can get employees free or reduced-price software, or even educational versions. These are all better options than cracked versions.
