Hack hall of Shame May 2015May has brought with it an increase in the number of attacks and many of these breaches, apart from being large in quantity are also large in quality, especially when considering 100,000 taxpayers’ files were stolen from the IRS. This month also saw large-scale attacks on websites such as Adult FriendFinder and mSpy.

Countdown with us the top 10 hacks, attacks, bugs and vulnerabilities that happened in the month of May.

Adult FriendFinder

This is probably one of the worst attacks we’ve seen in recent times. Adult FriendFinder, a website that markets itself as a dating site, and which has almost 63 million users, was hit by hackers who made away with 3.9 million records. Passwords and billing information are said not to be compromised but the list still features rich information such as emails, partner preference, gender, date of birth, and IP addressed of the users. The list was later put up for sale on the Deep Web for $17,000, quite a low sum considering that whoever got their hands on this list has almost four million emails and a chance to use the information contained in the list for extortion purposes.

MSpy

Yet another shocking breach happened at mSpy, a software company whose products allow people to spy on others. Parents who want to know what their children are up to online normally use it and also employers who want to keep an eye out on their employees. However, as with all software, it can be used for less legitimate reasons such as spying on spouses. MSpy at first denied allegations of the breach and later downplayed them even though 400,000 records where leaked on the Dark Web exposing a total of 13GB of data including Apple IDs, passwords, payment details and countless screenshots taken from the mSpy software.

Hacktivism at the Italian Expo

On May 16, Anonymous Italy tweeted “Ecco a chi affidano la sicurezza virtuale di #Expo: @bestunion you have been hacked #OpItaly #NoExpo” (This is who they are relying on for the virtual security needs of the #Expo: @bestunion you have been hacked #NoExpo #OpItaly). This tweet also included an image of the list of personal details which were later published online.

This hack happened just after Anonymous targeted the Expo in the beginning of May when with a DDoS attack, they put out of service tickets.expo2015.org, Milan Expo’s ticketing arm.

More attacks on news outlets

If you read last month’s Hack Hall of Shame you’ll notice the large amount of attacks on news sites. May was no exception and on May 14 the Washington Post’s mobile site was attacked by the Syrian Mobile Army. The mobile site showed popup messages such as “US govt is training the terrorists to kill more Syrians” and “The media is always lying.” 

Attacks on education

May 14 also saw an attack on Penn State’s College of Engineering. The college had to be disconnected from the Internet in order to investigate the breach which exposed 18,000 people. The attack appears to have originated in China.

Yet more healthcare data breaches

2015 has to be the year of healthcare breaches and in a previous post, we also wrote about how the healthcare system needs to get more serious about security. After all, medical records are seen as incredibly juicy loot to attackers because of the detail in the records. The CareFirst breach happened back in June last year but was only confirmed this month. More than 1.1 million people have been affected by this breach and whilst no details about medical histories was exposed, names and emails might end up being used in many phishing scams.

An extra-large hacked latte

Starbucks might not have been hacked in May but attackers still found an incredibly clever way to siphon money from bank accounts using the Starbucks app. By breaking into individual customer rewards accounts, criminals were able to buy new gift cards, transfer funds from the victim’s PayPal or bank account and e-gifting it to another account.

And how about a side of malware?

Three’s the charm or at least here’s to hoping that this is the last time we see another attack on the Jamie Oliver site this year. On May 13 jamieoliver.com was at the receiving end of its third attack this year, serving its visitors with a gooey link that sends them to a compromised website downloading malicious code.

A text can now crash iPhones

Just by sending a few characters in a text to anyone who has an iPhone you are able to crash the device. This bug is very much of a nuisance, as it will immediately restart your phone, but some have reported their phones keep on crashing after the phone restarts. According to a Reddit user it is the banner notification that causes the crash as it tries to process the Unicode text. The best way to keep this from happening until Apple release some kind of fix is to disable banner notifications for texts.

Hackers turn their sight to the loot that rules them all – the IRS

Finally, and to end with a bang, on May 26 it was revealed that the IRS was hit by hackers that made away with 100,000 records. Wired reported that the IRS claimed the “attackers gained the full tax return transcript of the affected taxpayers, which could include a detailed dossier of their personal information including income and social security numbers.” The most disturbing bit about this news item is the fact that the attackers managed to gain access to all this information by using non-IRS taxpayer specific data which helped them clear the multi-step authentication process.