(From Credit Union Times) – If knowledge is power then not knowing makes organizations and individuals powerless, or does it, when it comes to protecting their information. This time security lapses involved Instagram and Google’s G-Suite.
TechCrunch reported the discovery of a The Amazon Web Services hosted database, left exposed and without even password protection, with over 49 million records containing contact information, including email and phone numbers, of Instagram so-called influencers, celebrities and brand accounts.
Security researcher Anurag Sen came across the files and notified TechCrunch in order to locate the owner and secure the database, traced to Mumbai, India-based social-media marketing firm Chtrbox. TechCrunch said each record contained public data scraped from influencer Instagram accounts, including bio, and profile picture. The database also contained a record determining each account’s value based on number of followers, engagements, reaches, likes and shares, according to TechCrunch.
Shortly after TechCrunch reached out, Chtrbox pulled the database offline. Facebook, which owns Instagram, said it was looking into the matter.
“Influencers, celebrities and brands carry a lot of clout on social media with their ability to impact their followers’ sentiments and actions,” Kevin Gosschalk, CEO, San Francisco-based Arkose Labs, said. He added, “The recent exposure of records containing the private contact information for more than 49 million accounts, including Instagram influencers and celebrities, is a timely reminder of the deep responsibility a company has to protect the mass amount of data that it collects.”
Gosschalk maintained, “Time is up – companies need to be proactively protecting their attack surface, especially online databases containing valuable customer records, to protect their digital ecosystems against damaging cyberattacks.”
Pankaj Parekh, chief product and strategy officer at Santa Margarita, Calif.-based SecurityFirst, offered his perspective, “This breach is really two breaches. How did Chtrbox get access to the private data of millions of Instagram users? It might have been a known API exposure in Instagram – the investigation is ongoing. And why didn’t Chtrbox secure the data they posted on AWS?” Parekh advised of the need and availability of cloud-based storage security. “Both Chtrbox and Instagram took a light approach to securing personal data, and both should be penalized.”
Robert Prigge, president, Palo Alto, Calif.-based Jumio, “Another data breach. Surprise, surprise. More of our personal information is seeping into the dark web on a daily basis making it easier and easier for fraudsters to perpetrate identity theft and account takeovers. That is why modern businesses should have zero confidence that the person purporting to be John Smith on 123 Main Street is actually the real John Smith on 123 Main Street if he is creating a new online account. Especially given the availability of username and password on dark web for pennies.”
Meanwhile, Google disclosed in a blog post it recently discovered a bug that caused some portion of G Suite users to having their passwords stored in plain text since 2005. Google said this affected “a small percentage of G Suite users,” some business and corporate accounts.
“We made an error when implementing this functionality back in 2005: The admin console stored a copy of the unhashed password. This practice did not live up to our standards. To be clear, these passwords remained in our secure encrypted infrastructure. This issue has been fixed and we have seen no evidence of improper access to or misuse of the affected passwords.”
Gosschalk noted, “It’s concerning that Google just discovered that G Suite passwords were stored in plaintext since 2005. Companies need to be constantly re-evaluating and testing their own security measures to make sure lapses in security or, in this instance, a faulty password setting and recovery offering, does not jeopardize its customers or their accounts. Google has more than five million enterprise customers using G Suite, and this mistake should have been recognized and prevented fourteen years earlier with proactive, ongoing security testing.”
Prigge, said, “When G Suite users are logging into their accounts, we want to believe, really believe, that they are the legitimate account owners. But, at the end of the day, we do not know for sure. Thanks to the dark web, phishing attacks and social engineering, there’s a huge quantity of user credentials available for purchase (for pennies).” Prigge added, “That’s why companies such as Google need to evolve past the username/password paradigm and adopt a more reliable and secure method of authentication.
As with all data breaches and/or events the risk could extend to credit unions and other financial institutions in the form of account takeover attempts and phishing attacks especially if it involves full or partial credentials.