Web Hosting Service 'DreamHost' Leaked 814 Million Records of Customer Data

A database owned by Dreamhost was found unsecured and publicly accessible online. It contained 814 million entries of exposed usernames, display names, and emails for WordPress accounts.

The exposed log files contained what appears to be 3 years of records that range from 3/24/2018 to 4/16/2021 and each contained information about WordPress accounts hosted or installed on DreamHost’s server and their users. On May 4th a DreamHost representative acknowledged the discovery and informed us that the finding was being passed on to their legal team.

Update: DreamHost reached out to say that none of those records contain data that would have allowed access to DreamHost accounts. They consist entirely of entries that include object update records, error reports, and log entries. Data from just 21 individual websites were involved. More information can be found on its website.

Data Leak Exposes Customer Records With CVS Health

CVS Health recently leaked approximately one billion user records that include email addresses, user IDs, and metadata. The information was discovered in a non-password protected database.

CVS Health acted fast and professionally to secure the data and a member of their Information Security Team contacted me the following day and confirmed my findings and that the data was indeed theirs. I was informed that this was a contractor or vendor who managed this dataset on behalf of CVS Health, but it was confidential as to who the vendor was.

 

Finnish Mental Health Startup Vastaamo Leaked Patient Data

Vastaamo ran the largest network of private mental-health providers in Finland. William Ralston tells the story on WIRED, and how hackers used the data to threaten patients.

A security flaw in the company’s IT systems had exposed its entire patient database to the open internet—not just email addresses and social security numbers, but the actual written notes that therapists had taken. A group of hackers, or one masquerading as many, had gotten hold of the data.

What an incompetent company. No anonymization of patient records, no encryption of data. In other words, unfortunately common. Two developers hired at Vastaamo were even arrested in a previous security breach.

LinkedIn Data Leak of 500 Million People Sold Online

Just days after a Facebook data leak was discovered, security researchers found another one, this time involving LinkedIn. It affects a similar amount of users, 500 million, with data being sold on a “popular hacker forum.”

The leaked files appear to only contain LinkedIn profile information – we did not find any deeply sensitive data like credit card details or legal documents in the sample posted by the threat actor. With that said, even an email address can be enough for a competent cybercriminal to cause real damage.

Facebook Leaks Data of 553 Million People Like Phone Numbers

The personal data of 553 million Facebook users was posted in a hacking forum over the weekend. Data includes phone numbers, full names, locations, email addresses, and other information.

While it’s a couple of years old, the leaked data could prove valuable to cybercriminals who use people’s personal information to impersonate them or scam them into handing over login credentials, according to Alon Gal, the chief technology officer of the cybercrime intelligence firm Hudson Rock, who discovered the trough of leaked data on Saturday.

Facebook PR has been downplaying the leak, saying it’s “only” two years old. But for most people, their phone number, email addresses, and full names probably haven’t changed in that time.

iPhone ‘Call Recorder’ App Leaked User Conversations

An iPhone app called Call Recorder lets users record their phone call conversations. But a recently discovered bug leaked those calls.

But using a readily available proxy tool like Burp Suite, Prakash could view and modify the network traffic going in and out of the app. That meant he could replace his phone number registered with the app with the phone number of another app user, and access their recordings on his phone.

A new version of the app was submitted to Apple’s app store on Saturday. The release notes said the app update was to “patch a security report.”