British Retailer JD Sports Discloses Data Breach Affecting 10 Million Customers


British sports fashion retail firm JD Sports on Monday revealed that it has discovered a data breach impacting roughly 10 million of its customers. 

According to the company, the cyber incident affects information provided by customers who placed online orders between November 2018 and October 2020. The JD, Size, Millets, Blacks, Scotts and MilletSport brands are impacted.

Based on the company’s brief description of the incident, it’s possible that hackers stole names, billing addresses, delivery addresses, phone numbers, email addresses, order details, and the last four digits of the customers’ payment cards.

There is no indication that full payment card data or account passwords were compromised. 

The company has called in external cybersecurity experts to investigate the incident and authorities in the UK have been notified. The investigation is ongoing. 

In its statement, JD Sports warned customers that they may be targeted in scams and phishing attacks.

Related: Fashion Retailer Guess Notifies Users of Data Breach

Related: German Privacy Watchdog Investigates Clothing Retailer H&M

Related: Clothing Retailer Fallas Hit by Payment Card Breach

The post British Retailer JD Sports Discloses Data Breach Affecting 10 Million Customers appeared first on SecurityWeek.

820k Impacted by Data Breach at Zacks Investment Research


Stock research firm Zacks Investment Research is in the process of notifying customers that their personal information was compromised in a data breach.

Founded in 1978, Zacks Investment Research is one of the largest providers of stock research, analysis and recommendations for firms in the US.

Earlier this week, the company informed the Maine Attorney General’s Office that the personal information of 820,000 individuals was compromised after a third party gained unauthorized access to its systems.

The data breach, the firm says, was discovered in December 2022, but the unauthorized access occurred sometime between November 2021 and August 2022.

The notification letter to the impacted customers, a copy of which was submitted to the Maine Attorney General, reveals that the unauthorized third party had access to an older database containing information about customers who had signed up for a Zacks product between November 1999 and February 2005.

The compromised personal information includes names, addresses, phone numbers, email addresses, and passwords for Zacks.com.

“We have no reason to believe any customer credit card information, any other customer financial information, or any other customer personal information was accessed,” the company says.

Zacks says it has implemented security measures to stop the breach and that it has reset the passwords for the impacted accounts.

“When you log into your Zacks account, you will be prompted to change your password. You should also change the password for all other online accounts for which you used the same e-mail address and password as your Zacks account,” the company tells users.

Zacks told the Maine Attorney General that it will begin notifying impacted customers on January 27.

Related: 18k Nissan Customers Affected by Data Breach at Third-Party Software Developer

Related: 251k Impacted by Data Breach at Insurance Firm Bay Bridge Administrators

Related: FCC Proposes Tighter Data Breach Reporting Rules for Wireless Carriers


GoTo Says Hackers Stole Encrypted Backups, MFA Settings


IT management software firm GoTo on Tuesday said an unidentified threat actor stole encrypted backups and an encryption key for a portion of that data during a 2022 breach that also affected its LastPass affiliate.

GoTo chief executive Paddy Srinivasan confirmed the security breach was far worse than originally reported and included the theft of account usernames, salted and hashed passwords, a portion of Multi-Factor Authentication (MFA) settings, as well as some product settings and licensing information.

In a notice posted online, Srinivasan said the encrypted backups were related to multiple GoTo-owned software products:

“Our investigation to date has determined that a threat actor exfiltrated encrypted backups from a third-party cloud storage service related to the following products: Central, Pro, join.me, Hamachi, and RemotelyAnywhere.

We also have evidence that a threat actor exfiltrated an encryption key for a portion of the encrypted backups. The affected information, which varies by product, may include account usernames, salted and hashed passwords, a portion of Multi-Factor Authentication (MFA) settings, as well as some product settings and licensing information.

In addition, while Rescue and GoToMyPC encrypted databases were not exfiltrated, MFA settings of a small subset of their customers were impacted.”

Srinivasan said the company has no evidence of exfiltration affecting any other GoTo products or any of GoTo’s production systems.

Even though all account passwords were salted and hashed in accordance with best practices, Srinivasan said GoTo plans to reset the passwords of affected users and/or reauthorize MFA settings where applicable. 

“In addition, we are migrating their accounts onto an enhanced Identity Management Platform, which will provide additional security with more robust authentication and login-based security options,” the GoTo CEO said. 

In August last year, GoTo affiliate LastPass disclosed a data breach that included the theft of source code and proprietary technical information. In November, GoTo said it was also affected by that hack, which is linked to an unnamed third-party cloud security vendor.

In a worrisome update in late December, the password management outfit admitted the hackers behind the August breach stole a massive stash of customer data, including password vault data that could be exposed by brute-forcing or guessing master passwords.

LastPass said the hackers broke into its network in August and used information from that hack to return and hijack customer data that included company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service.

In addition, the unidentified actor was also able to copy a backup of customer vault data from an encrypted storage container.

The exposed container contained both unencrypted data, such as website URLs, as well as fully-encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data.

Related: LastPass Says Password Vault Data Hijacked in Data Breach

Related: LastPass Source Code Stolen in Data Breach

Related: GoTo, LastPass Notify Customers of New Data Breach Related to Previous Incident

Related: LastPass Found No Code Injection Attempts Following August Data Breach


Zendesk Hacked After Employees Fall for Phishing Attack


Customer service solutions provider Zendesk has suffered a data breach that resulted from employee account credentials getting phished by hackers.

Cryptocurrency trading and portfolio management company Coinigy revealed last week that it had been informed by Zendesk about a cybersecurity incident.

According to the email received by Coinigy, Zendesk learned on October 25, 2022, that several employees were targeted in a “sophisticated SMS phishing campaign”. Some employees took the bait and handed over their account credentials to the attackers, allowing them to access unstructured data from a logging platform between September 25 and October 26, 2022.

Zendesk told Coinigy that, as part of its ongoing review, it discovered on January 12, 2023, that service data belonging to the company’s account may have been in the logging platform data. Zendesk said there was no indication that Coinigy’s Zendesk instance had been accessed, but its investigation is still ongoing.

Zendesk does not appear to have published any statement or notice related to this incident on its website and the company has not responded to SecurityWeek’s inquiry.

However, based on the available information, it’s possible that the attack on Zendesk is related to a campaign named 0ktapus, in which a threat actor that appears to be financially motivated targeted more than 130 organizations between March and August 2022, including major companies such as Twilio and Cloudflare. 

The 0ktapus attackers used SMS-based phishing messages to obtain employee credentials and victims included cryptocurrency companies. 

Twilio and Cloudflare discovered breaches in August, but there was no indication that the campaign had ended, so it’s possible that the same hackers targeted Zendesk a few months later.

While Coinigy appears to have been notified by Zendesk about the data breach only in January 2023, other victims appear to have been informed much sooner. 

The US-based cryptocurrency exchange Kraken informed customers about a Zendesk breach that involved phishing and unauthorized access to the Zendesk logging system back in November. Kraken said at the time that while accounts and funds were not at risk, the attackers did view the content of support tickets, which contained information such as name, email address, date of birth and phone number.

This is not the first data breach disclosed by Zendesk. In 2019, the company revealed that it had become aware of a security incident that hit roughly 10,000 accounts.

Related: Zendesk Vulnerability Could Have Given Hackers Access to Customer Data

Related: Recently Disclosed Vulnerability Exploited to Hack Hundreds of SugarCRM Servers


Companies Impacted by Recent Mailchimp Breach Start Notifying Customers


Companies affected by the recent Mailchimp data breach have started notifying customers. The list includes WooCommerce, FanDuel, Yuga Labs and the Solana Foundation.

Marketing automation platform Mailchimp revealed recently that its security team discovered unauthorized access to one of its tools on January 11. The tool is used by the company’s customer-facing teams for support and account administration.

According to Mailchimp, the hacker targeted employees and contractors in a social engineering attack and used compromised employee credentials to gain access to some Mailchimp accounts.

“Based on our investigation to date, this targeted incident has been limited to 133 Mailchimp accounts. There is no evidence that this compromise affected Intuit systems or customer data beyond these Mailchimp accounts,” the company said in a notice published on its website.

In response to the breach, Mailchimp suspended access for the targeted accounts and notified impacted customers.

Some of those customers have started informing their own customers about the incident. One of the first to do so was WooCommerce, the WordPress ecommerce plugin made by Automattic, the company behind WordPress.com.

WooCommerce uses Mailchimp to send emails to customers and its account was one of the 133 that were impacted by the breach.

WooCommerce told customers that some of the information they shared may have been exposed, including name, URL, address, and email address. Passwords, payment data and other sensitive information were not exposed, nor was any store using WooCommerce.

Online gambling service FanDuel has also informed customers that their name and email address may have been compromised. The FanDuel notification says the incident involved a third-party technology vendor and does not name Mailchimp.

The Solana Foundation, the nonprofit behind the Solana blockchain and cryptocurrency network, was also impacted and it did name Mailchimp in its notification to customers.

In the case of Solana, exposed information included names, email addresses and Telegram usernames.

Yuga Labs, a blockchain technology company that develops NFTs and digital collectibles, best known for the Bored Ape Yacht Club NFT collection, also confirmed being hit by the Mailchimp breach. Yuga Labs said it only used the service for limited purposes and there was no evidence that data from its Mailchimp account was exported.

Mailchimp claims to have 13 million active customers around the world. This is not the first time the company has announced suffering a breach in recent months. In August 2022, it suspended some accounts following a cyberattack targeting some of its cryptocurrency-related customers.

A few hundred Mailchimp customers were hit at the time, including DigitalOcean, which was not happy with the way the email marketing company handled the incident.

Mailchimp also discovered a security incident in March 2022.

Related: Breached American Airlines Email Accounts Abused for Phishing

Related: Email Hack Hits 15,000 Business Customers of Australian Telecoms Firm TPG
