Leaked credentials can be both the cause and effect of data breaches. Regardless of the resources invested into cybersecurity, organizations are unfortunately not immune to cyberattacks.
There have been a number of disastrous data breaches in this past year. We’ll highlight the top 5 leaked credentials horror stories of the past few months (in no particular order), and explain what about each attack is so scary. Keeping track of recent data leaks help cybersecurity teams be aware of methods threat actors can take to attack.
Want to learn more about leaked credentials? Flare has been monitoring and archiving the dark web for over 5 years. We have analyzed interesting leaked credentials trends across organization size, industry, geography, and language.
Take a look at our report, Clear Insights from a Deep Analysis of Dark Web Leaked Credentials.
1. IHG Hotels & Resorts
IHG Hotels & Resorts operates 6,000+ hotels around the world, including the Holiday Inn, Crowne Plaza, and Regent hotels.
In the fall of 2022, customers complained there were issues with booking and checking in to hotels. IHG responded by mentioning the company was going through “system maintenance,” and later reported unauthorized access to its systems.
Threat actors describing themselves as a couple were responsible for the widespread disruption in service. They gained access to the internal databases with a weak password they found, Qwerty1234. They first tried a ransomware attack, but switched to a “wiper attack,” and destroyed data when their original plans didn’t work.
Why it’s Scary
The IHG IT team initially fended off the attack attempt by isolating the servers. However, this frustrated the malicious actors who wanted to hack IHG for monetary gain, so they ultimately deleted the data they accessed for fun.
The threat actors messaged the BBC over Telegram and revealed that, “We don’t feel guilty, really. We prefer to have a legal job here in Vietnam but the wage is average $300 per month. I’m sure our hack won’t hurt the company a lot.”
2. Optus, Telecommunications Company
Optus is one of the largest wireless carriers in Australia.
One alleged threat actor came forward claiming to sell the data they stole unless Optus paid them $1,000,000 AUD. The malicious actor posted the 10,000 Optus customer records on a data breach forum on the dark web. These records contained a lot of personal information including dates of birth, names, addresses, and included some state and federal government email addresses.
The malicious actor interestingly deleted the post and apologized shortly after, stating that they destroyed the only copy of the data. Though this may seem like a relief, it’s still unclear if this is true.
Unfortunately, other threat actors are trying to take advantage of this Optus breach, as some victims received a text crafted to extort $2,000 AUD. Australian police and the U.S. Federal Bureau of Investigation collaborated to make the first arrest related to this data breach, which was the threat actor who used this data for a text message scam.
Why it’s Scary
Optus had an API available online that didn’t require authorization or authentication to access the customer data. Anyone on the internet with the knowledge of the endpoint URL could have reached these records. The malicious actor didn’t even need to log in with this exposed attack surface.
3. BRP, Recreational Vehicle Company
BRP manufactures outdoor recreational vehicles like snowmobiles, ATVs, and more. Malicious actors targeted the internal systems, and the company temporarily suspended operations to address the severity of the attack. BRP and the ransom group’s negotiations didn’t go well, so the group published the employees’ private information as a way to get back at BRP. BRP employees unfortunately became collateral damage.
Why it’s Scary
As a part of its investigation, the company uncovered that some employees were using BRP computers for personal purposes. A general guideline in place instructing employees to use their work devices only for work-related purposes would have been helpful in preventing information from their personal accounts leaking.
4. Uber, Rideshare Company (2022 Breach)
An alleged teen threat actor got into Uber’s internal systems through social engineering. After obtaining an employee’s password, they repeatedly sent push notifications for MFA. When the employee did not respond, the malicious actor sent a WhatsApp message pretending to be a coworker in the IT department and asked to confirm that their login attempt was legitimate. From there, the threat actor gained access to internal systems, even posting a Slack message to Uber employees, who initially thought it was a joke.
Why it’s Scary
“MFA fatigue” and social engineering contributed to a successful cyberattack. Even though the employee initially did not react to the MFA push notifications, they were worn down by the threat actor reaching out individually through WhatsApp.
5. Uber, Rideshare Company (2016 Breach)
A San Francisco jury found Uber’s former Chief Security Officer Joe Sullivan guilty of covering up the 2016 data breach, specifically for the counts of obstruction of justice and deliberate concealment of felony. In this incident, threat actors took 57 million Uber customers’ and drivers’ personal data.
About a year after this attack, Uber fired Sullivan and one of his deputies for intentionally hiding information about the cyberattack, such as by paying $100,000 to the attackers and providing nondisclosure agreements falsely stating they had not taken any data.
Why it’s Scary
It is concerning that cybersecurity leaders within the organization deliberately hid the data breach. This is one example of somebody who faced consequences for their wrongdoing, and there’s the possibility that there may be other cybersecurity leaders or organizations doing similar things that have not come to light.
Leaked credentials continue to be a major area of concern, even for companies with significant investment into security. Cybersecurity teams must have a holistic understanding of their organization’s external attack surface and internal policies to prevent and remediate threats.
How Flare Helps
Flare’s digital footprint monitoring scans the dark web, clear web, and instant messaging platforms like Telegram.
Book a demo to see how to prevent leaked credentials horror stories.
