Crowdfunding Kickstarter Gets Hacked & Other Security Stories This Week

Feb 16, 2014 By Sarah Vonnegut

This week, Kickstarter suffered its’ first major breach with minor consequences, Target’s back in the ring with new reports indicating missed warnings from analysts about the payment systems, the Syrian Electronic Army strikes again, this time hitting Forbes, Internet Explorer suffered critical zero-day exploits and more. Before the next week full of security scares rolls in, take a moment to catch up on the stories you may have missed last week. 

Kickstarter Hacked, Customer Addresses, Usernames & Encrypted Passwords Taken

The fundraising platform that has raised millions of dollars for thousands of projects and businesses was hacked over the weekend. The breach has been repaired and no payment account information had been accessed or even stored, the company said, so no credit or debit cards were compromised.

Customer information that was accessed included “usernames, email addresses, mailing addresses, phone numbers, and encrypted passwords,” Kickstarter wrote on its blog. Older passwords were salted and digested with SHA-1 multiple times while newer passwords were hashed with bcrypt. While it’s much harder to crack salted and hashed passwords, it’s still possible, and Kickstarter is recommending all users change their passwords.

Kickstarter said that it had stepped up its’ security since the attack and is working with law enforcement. The company’s CEO, Yancey Strickler, also noted that there were only two people with compromised accounts, and Kickstarter was working closely to secure them.

Get all the details, including one of the most sincere apologies for a breach you’ll read, on the Kickstarter blog.

Target Knew Of Possible Vulnerabilities Two Months Prior To Breach

The Wall Street Journal reported late last week after speaking to an employee of the national retailer that at least one analyst employed by Target had expressed concerns and a desire in a more thorough security review of its payment system but had been brushed off. The review request came on the heels of Target updating the payment terminals that would eventually be the source of the breach.  The source added that the update leaves analysts with little time to detect and secure any holes in the system.

The information was pulled from different interviews with former Target employees and people working with Target during the post-breach investigation. Considering the new details provided by the recent interviews, the Wall Street Journal wrote, “the breach wasn’t entirely a bolt from the blue, but instead a sophisticated attack on a known point of vulnerability.”

Target declined to comment on these recent findings. The new evidence points to the fact that Target may be found guilty of not acting to separate its payment systems from the rest of their network, thereby allowing an attack of such multitude to occur. I can just see the collective facepalm’s going on around the Target corporate offices this week. 

Read the original post here.

Forbes Hacked by the Syrian Electronic Army, Steals & Leaks Login Database

Just days after hacking into a domain management portal and, targeting Facebook, tried yet failed to hack into the social media giants’ server, the notorious Pro-Assad hacking group the Syrian Electronic Army has struck again.

Over the weekend, the Syrian Electronic Army, SEA for short, targeted the business news site Forbes and its’ WordPress platform, stealing and eventually leaking over one million user and contributor credentials that the group dumped onto a publically accessible server. The SEA also changed text in at least three stories on the site (which Forbes later took down) and posted their usual “Hacked by the Syrian Electronic Army” tag on the site and the @ForbesTech twitter handle.

The group appears to have perpetrated this attack using another phishing campaign to get account credentials from a Forbes’ employee. A tweet sent by the SEA told the Forbes team they could ‘thank’ social media editor and staff writer @TheAlexKnapp for the somehow serving up the information that allowed the hack to happen.

Forbes issued a statement on their site, noting that email addresses for anyone registered with may have been exposed and that while passwords were encrypted, they should still be changed as a precaution. They did not confirm how many accounts had been compromised. As of Sunday morning, the domain is still down.

If you have a Forbes account, make sure to change your password and follow these quick tips for choosing the most secure password. Read more about the Forbes hack here.

British Supermarket Company Tesco Suffered Customer Data Breach

British grocery store chain Tesco found itself hacked at the end of last week after over 2,000 customer accounts were stolen and posted in a dump file on Pastebin. The stolen information was used to steal loyalty vouchers from customers.

The data is thought to have been taken from other sites in similar security breaches and used to access customer accounts using the same login credentials as the other sites. To fully access the accounts, however, the hackers would have needed some secondary security information, leaving the company to believe that only a handful of customers were actually affected by the breach.

Tesco has begun to contact customers that may have been affected by the breach and is shutting own the posted accounts as a precaution. The company has had a few security incidents in the past few years, including one where they sent a mass email to customers in which they failed to hide the email addresses. In 2013, Tesco was also hit by a similar breach in which customers complained their loyalty accounts had been defrauded.

Security researcher Troy Hunt, who has already taken Tesco to task on their security issues has said he believes this is really only the ‘tip of the iceberg’ on this breach, and that we’ll be hearing more about this breach.

Read Hunt’s take on the Tesco breach here and check has been to see if your email address has been compromised on Hunt’s site Have I Been Pwned.

Critical Internet Explorer Vulnerabilities Found In The Wild 

Previously unknown zero-day vulnerabilities were being exploited in Microsoft’s Internet Explorer versions 9 and 10, security company FireEye Labs discovered last week.

On their blog, the researchers said they believe the attack is targeted towards American military personnel “amid a paralyzing snowstorm at the U.S. Capitol in the days leading up to the Presidents Day holiday weekend.” They’ve named the exploit ‘Operation SnowMan’.

A major site for U.S. veterans is one of the targets, they wrote. A redirect link sent visitors to a site containing malicious code. The victim wouldn’t have to click anything on the website for the attack to take place. Simply visiting the malicious site would start the download attack. One of the researchers, Darien Kindlund, said he believed the hackers may have been seeking information from current and former military personnel.

A spokesperson for Microsoft told The Next Web that they are aware of the attacks against Internet Explorer 9 & 10 and that they’re already taking steps to fix the issues. Internet Explorer users are all recommended to upgrade to the most recent version, Internet Explorer 11, to prevent such attacks from occurring.

Read FireEye’s account of the exploit here

The following two tabs change content below.
Sarah is in charge of social media and an editor and writer for the content team at Checkmarx. Her team sheds light on lesser-known AppSec issues and strives to launch content that will inspire, excite and teach security professionals about staying ahead of the hackers in an increasingly insecure world.

Latest posts by Sarah Vonnegut (see all)

Stay Connected

Sign up today & never miss an update from the Checkmarx blog

Get a Checkmarx Free Demo Now

Interested in trying CxSAST on your own code? You can now use Checkmarx's solution to scan uncompiled / unbuilt source code in 18 coding and scripting languages and identify the vulnerable lines of code. CxSAST will even find the best-fix locations for you and suggest the best remediation techniques. Sign up for your FREE trial now.

Checkmarx is now offering you the opportunity to see how CxSAST identifies application-layer vulnerabilities in real-time. Our in-house security experts will run the scan and demonstrate how the solution's queries can be tweaked as per your specific needs and requirements. Fill in your details and we'll schedule a FREE live demo with you.