On December 22nd, 2022, LastPass put out a statement and notified potentially affected users about a security breach. The statement is an update to an incident disclosed in August, in which a threat actor used a compromised developer account to get into LastPass's development environment and take portions of source code and technical information. The latest details reveal that the threat actor used that information to target another LastPass employee and obtain credentials and keys that allowed access to, and decryption of, storage volumes in LastPass's third-party, cloud-based storage service. From there, the attacker copied a backup containing customer account information, including billing and email addresses, phone numbers, IP addresses, and end-user names, together with customer vault data: website URLs stored unencrypted, and usernames, passwords, and secure notes encrypted under each user's master password.
In December, LastPass said that fewer than 3% of its business customers were at risk as a result of the breach. They shared in the statement: “We have already notified a small subset (less than 3%) of our Business customers to recommend that they take certain actions based on their specific account configurations.”
Additionally, GoTo, LastPass's parent company, recently confirmed that as part of the same incident, threat actors acquired encrypted backups containing customer data, as well as the encryption keys for some of those backups, from the shared third-party cloud storage. GoTo products including join.me, RemotelyAnywhere, Pro, Hamachi, and Central were all affected. While different types of data were acquired from each product, GoTo confirmed that it may include users' multifactor authentication (MFA) settings as well as salted and hashed passwords. The company is contacting users individually to advise on specific security steps as needed, such as resetting passwords, reauthorizing MFA, and migrating to an enhanced identity management platform (IMP).
Experts warn that LastPass users should assume that any data stored in their LastPass vaults is in the hands of bad actors. In addition to changing the passwords for sensitive accounts, including banking, medical, and company accounts holding proprietary information, users should consider switching to a new password manager to regain control of their privacy.
LastPass does harden master passwords: the vault key is derived from the master password with PBKDF2-SHA256 (100,100 iterations by default for current accounts, far fewer for some older ones), which slows down guessing. But the stolen vaults can now be attacked offline with no lockout or rate limit, and the iteration count only multiplies the cost of each guess, so a short, common, or reused master password is still crackable while a long, unique one is not. Given that, and the password manager's track record of breaches, your personal data is better off stored elsewhere. In the meantime, do not reuse your LastPass master password on any other site, and change it anywhere it was already reused.
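To make the point concrete, here is an added example (illustrative code, not LastPass's implementation) modelling PBKDF2-based key derivation and an offline dictionary attack against a stolen vault field. The derivation scheme (PBKDF2-HMAC-SHA256 with the lowercased account email as salt), the stdlib HMAC-counter keystream standing in for AES-CBC, the victim email, and the wordlist are all assumptions or constructed data. The 5,000 and 100,100 iteration counts are the publicly documented LastPass defaults for older and current accounts.

```python
"""Added example (not LastPass code): simplified master-password key
derivation and offline guessing against a stolen vault backup.

Assumptions, not taken from the page: key = PBKDF2-HMAC-SHA256(master
password, salt = lowercased account email, N iterations); vault fields are
encrypted under that key, here with an HMAC-SHA256 counter-mode keystream
as a stdlib-only stand-in for AES-256-CBC. Email and wordlist are constructed."""
import hashlib
import hmac


def derive_key(master_password: str, email: str, iterations: int) -> bytes:
    # One PBKDF2 run per candidate password is the attacker's only real cost.
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), email.lower().encode(), iterations, 32
    )


def _keystream(key: bytes, length: int) -> bytes:
    # Stand-in for AES-CBC (assumption): HMAC-SHA256 in counter mode.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_field(key: bytes, plaintext: bytes) -> bytes:
    return bytes(p ^ k for p, k in zip(plaintext, _keystream(key, len(plaintext))))


decrypt_field = encrypt_field  # XOR with the same keystream is its own inverse


def crack_vault(stolen_field, email, iterations, wordlist, known_plaintext):
    """Offline dictionary attack. The attacker already knows the account email
    from the unencrypted part of the backup and uses it as the expected
    plaintext of a site's username field. Returns (password, guesses) or
    (None, guesses) when the wordlist is exhausted."""
    for guesses, candidate in enumerate(wordlist, start=1):
        key = derive_key(candidate, email, iterations)
        if decrypt_field(key, stolen_field) == known_plaintext:
            return candidate, guesses
    return None, len(wordlist)


def demo():
    email = "victim@example.com"  # constructed
    # Constructed wordlist; real attacks replay billions of leaked passwords.
    wordlist = ["123456", "password", "qwerty", "letmein", "Summer2022!", "Winter2023!"]
    results = {}
    for label, master_pw, iterations in [
        ("reused, 5000 iterations", "Summer2022!", 5_000),       # older accounts
        ("reused, 100100 iterations", "Summer2022!", 100_100),   # current default
        ("long passphrase, 100100 iterations", "correct horse battery staple 2022", 100_100),
    ]:
        # This is the ciphertext the attacker holds from the stolen backup.
        username_field = encrypt_field(derive_key(master_pw, email, iterations), email.encode())
        results[label] = crack_vault(username_field, email, iterations, wordlist, email.encode())
    return results


if __name__ == "__main__":
    for label, (found, guesses) in demo().items():
        print(f"{label}: {'cracked ' + found if found else 'not found'} after {guesses} guesses")
```

The reused password falls on the fifth guess at either iteration count; the higher count only makes each guess about twenty times slower, which a dictionary of a few thousand common passwords absorbs easily. The passphrase survives because it is not in any wordlist, not because of the iteration count.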
Looking to switch password managers? Here’s why Dashlane is the safest alternative and how you can switch seamlessly today.
T-Mobile announced in January that a threat actor had been pulling data from its systems since late November 2022. The attacker abused one of T-Mobile's APIs to retrieve customer data without authorization, including names, email addresses, account numbers, dates of birth, billing addresses, and phone numbers. Highly sensitive data, including Social Security numbers and payment information, wasn't accessed in this breach, but that kind of PII (Personally Identifiable Information) had been exposed in a prior T-Mobile breach in August 2021, which resulted in a class action settlement under which the company committed to spending $150 million on cybersecurity. The new intrusion happened despite that investment.
The high-profile hack is believed to have impacted 37 million T-Mobile users, including prepaid and postpaid account holders.
The data collected during the breach, notably dates of birth and account numbers, plus specific account details such as customers' service plans, has set the stage for identity theft, phishing scams, and, as pointed out by WIRED, SIM swapping scams: account numbers and plan details are exactly what an attacker uses to pass as the customer with carrier support and have the phone number moved to a SIM they control, which then defeats SMS-based MFA. The risk of these targeted attacks is even higher considering the previous breaches, which exposed more sensitive information about many of the same customers.
Over the past few weeks, Norton LifeLock, whose product suite includes a password manager alongside identity theft protection and other cybersecurity services, has alerted a large subset of users that their accounts may have been compromised. Norton's parent company, Gen Digital, noticed an unusually large volume of failed login attempts and believes the compromised accounts resulted from a credential stuffing attack, an automated technique in which threat actors replay username (or email) and password pairs leaked in earlier breaches of other services against the login page, succeeding wherever the victim reused the same password. In addition to having access to full names, addresses, and phone numbers, Gen Digital says it cannot rule out that threat actors also accessed users' saved passwords within the Norton Password Manager, particularly where the vault key was the same as or similar to the Norton account password.
Norton LifeLock identified about 6,450 customers as at risk as a result of the cyberattack, all of whom have been notified by the company.
If you were one of the affected users and threat actors are able to get into your account, they could potentially view any sensitive information stored in your vault, including credit card numbers, passwords to other accounts, and other personal data. They could also change your credentials and lock you out of your own accounts.
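Credential stuffing has a recognisable shape in authentication logs: one source tries many different usernames, each once or twice, with mostly failures and a few successes. The following added example (not Norton or Gen Digital code; the log format and every log line are constructed) flags that pattern and lists the accounts where a replayed credential actually worked, which are the ones to force-reset first.

```python
"""Added example (not Norton/Gen Digital code): spotting credential stuffing
in authentication logs. The log format and the log lines are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_LINE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed sample: a legitimate user mistyping twice, and one source
# replaying leaked username/password pairs against many different accounts.
SAMPLE_LOG = """\
2022-12-12T09:00:01 ip=203.0.113.5 user=alice result=FAIL
2022-12-12T09:00:09 ip=203.0.113.5 user=alice result=FAIL
2022-12-12T09:00:20 ip=203.0.113.5 user=alice result=OK
2022-12-12T09:01:00 ip=198.51.100.7 user=bob result=FAIL
2022-12-12T09:01:01 ip=198.51.100.7 user=carol result=FAIL
2022-12-12T09:01:02 ip=198.51.100.7 user=dana result=OK
2022-12-12T09:01:03 ip=198.51.100.7 user=erin result=FAIL
2022-12-12T09:01:04 ip=198.51.100.7 user=frank result=FAIL
2022-12-12T09:01:05 ip=198.51.100.7 user=grace result=FAIL
2022-12-12T09:01:06 ip=198.51.100.7 user=heidi result=FAIL
2022-12-12T09:01:07 ip=198.51.100.7 user=ivan result=FAIL
2022-12-12T09:30:00 ip=203.0.113.9 user=judy result=OK
"""


def parse_log(text):
    events = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if m:  # lines that do not match the expected format are skipped
            events.append((datetime.fromisoformat(m["ts"]), m["ip"], m["user"], m["result"]))
    return sorted(events)


def detect_credential_stuffing(text, window=timedelta(minutes=5),
                               min_accounts=5, max_success_rate=0.5):
    """Return {ip: {"accounts": n, "attempts": n, "compromised": [users]}} for
    every source that, within `window`, tried at least `min_accounts` distinct
    accounts with a mostly failing outcome. Many distinct usernames from one
    source is what separates stuffing from a single user's typos (one account,
    few attempts) and from brute force (one account, many attempts)."""
    by_ip = defaultdict(list)
    for ts, ip, user, result in parse_log(text):
        by_ip[ip].append((ts, user, result))

    flagged = {}
    for ip, events in by_ip.items():
        start = 0
        for end in range(len(events)):
            # Sliding window over this source's events, oldest to newest.
            while events[end][0] - events[start][0] > window:
                start += 1
            recent = events[start:end + 1]
            accounts = {u for _, u, _ in recent}
            successes = [u for _, u, r in recent if r == "OK"]
            if len(accounts) >= min_accounts and len(successes) / len(recent) <= max_success_rate:
                flagged[ip] = {
                    "accounts": len(accounts),
                    "attempts": len(recent),
                    "compromised": sorted(set(successes)),
                }
    return flagged


if __name__ == "__main__":
    for ip, info in detect_credential_stuffing(SAMPLE_LOG).items():
        print(ip, info)
```

In practice the source is rarely a single IP; stuffing tools rotate through proxies, so production detection also keys on user agent, ASN, and the global rate of distinct-username failures, and the response is to reset the successfully stuffed accounts and require MFA re-enrolment for them.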
Because of a bug introduced in a June 2021 update to Twitter's code, anyone could submit an email address or phone number to Twitter's account-discovery feature and learn which username, if any, it belonged to, even when the account's owner had disabled discoverability by email or phone. The vulnerability allowed threat actors to feed in large lists of contacts and scrape troves of data, and the resulting email addresses and phone numbers paired with Twitter IDs circulated on criminal forums long after the bug itself was patched in January 2022.
Various datasets of user information were found to be circulating on multiple criminal forums, with the most recent containing 200 million email addresses and associated account information, including usernames, account creation dates, and follower counts.
As most of the compiled and distributed information was already public, the biggest concern in this breach is that it links real-world contact details to Twitter users who may wish to remain anonymous. As Twitter wrote in their statement, “We are publishing this update because we aren’t able to confirm every account that was potentially impacted, and are particularly mindful of people with pseudonymous accounts who can be targeted by state or other actors.” With a dataset tying emails and phone numbers to Twitter IDs, users face targeted phishing and account-takeover attempts and, in certain cases, doxxing.
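The Twitter bug is a textbook account-enumeration flaw. The added example below (illustrative code, not Twitter's; the directory entries and rate limits are constructed) shows a lookup endpoint that answers for every contact beside a hardened version that honours each user's discoverability setting, returns the same response for "opted out" and "not registered", and throttles callers so bulk scraping stops early.

```python
"""Added example (not Twitter's code): an account-discovery lookup that leaks
which handle an email or phone number belongs to, beside a version that
honours the owner's discoverability setting and rate-limits callers.
The directory and limits are constructed."""
from collections import defaultdict

# Constructed directory: contact -> (handle, owner allows discovery by this contact)
DIRECTORY = {
    "alice@example.com": ("@alice", True),
    "+15555550123": ("@night_owl", False),       # pseudonymous account, opted out
    "reporter@example.org": ("@reporter", False),
}


def lookup_vulnerable(contact):
    # Bug: answers for every contact in the directory regardless of the owner's
    # privacy setting, and the shape of the answer confirms whether the
    # contact is registered at all.
    if contact in DIRECTORY:
        return {"handle": DIRECTORY[contact][0]}
    return None


class LookupService:
    """Hardened lookup: opt-in only, indistinguishable negatives, throttled."""

    def __init__(self, max_lookups_per_window=100):
        self.max = max_lookups_per_window
        self.calls = defaultdict(int)  # caller -> lookups in the current window

    def lookup_hardened(self, caller, contact):
        # 1. Throttle per authenticated caller so enumeration at scale is costly.
        self.calls[caller] += 1
        if self.calls[caller] > self.max:
            raise PermissionError("rate limited")
        # 2. Reveal a handle only when its owner opted in, and return None both
        #    for "opted out" and "no such user" so a negative answer says
        #    nothing about whether the contact is registered.
        entry = DIRECTORY.get(contact)
        if entry is None or not entry[1]:
            return None
        return {"handle": entry[0]}


def scrape(lookup, contacts):
    """What the 2022 scrapers did: submit a contact list and keep the hits."""
    hits = {}
    for contact in contacts:
        try:
            result = lookup(contact)
        except PermissionError:
            break  # the hardened service cuts the run short
        if result:
            hits[contact] = result["handle"]
    return hits


if __name__ == "__main__":
    contacts = list(DIRECTORY) + ["nobody@example.net"]
    print("vulnerable:", scrape(lookup_vulnerable, contacts))
    svc = LookupService(max_lookups_per_window=2)
    print("hardened:  ", scrape(lambda c: svc.lookup_hardened("scraper", c), contacts))
```

Against the vulnerable endpoint the scraper de-anonymises every registered contact, including both opted-out accounts; against the hardened one it learns only the handle of a user who chose to be discoverable, and its quota runs out after a handful of lookups.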
Mailchimp, which was recently acquired by Intuit, faced its second breach within six months. The newsletter and marketing platform said that on January 11th a threat actor targeted Mailchimp employees and contractors with a social engineering attack, obtained their credentials, and used them to get into an internal customer support and account administration tool.
From that tool, the threat actor accessed 133 Mailchimp customer accounts. Many of those accounts stored their own customers' information within the platform, including names, email addresses, and web addresses. Among the affected accounts were WooCommerce, The Solana Foundation, and FanDuel.
FanDuel recently emailed its customers, informing them that usernames, along with email addresses, were acquired by an unauthorized user as a result of the Mailchimp breach. The company urged users to stay vigilant against phishing attacks that may further exploit this information while clarifying that FanDuel’s systems themselves were not hacked.
The affected Mailchimp accounts appear to belong primarily to businesses, which have in turn notified their own customers of the data that may have been exposed. Most of the compromised information does not appear to have a major direct impact on those customers, as it doesn't include sensitive data such as credit card numbers, but names and email addresses tied to a known vendor relationship are enough for convincing phishing.
Going by the pseudonym Sin, a threat actor posted a trove of Deezer user data on a criminal forum. The data included PII such as full names, dates of birth, location data, user IDs, and session IP addresses. Sin has claimed that they obtained the data back in 2019 through a third-party data analysis company hired by Deezer.
The file shared on the forum contained information for over 200 million Deezer users.
Though the leaked dataset did not include passwords, threat actors can still exploit the personal data it holds for phishing attacks or identity theft.
If you were affected by any of these breaches, here’s what you can do to protect yourself and avoid becoming a victim of breaches in the future: