Following the publication of stolen databases on a hacker forum, several start-up companies have started to disclose details about the data breaches they have suffered.
The threat actor ShinyHunters, a group renowned for its data breaches, recently started leaking stolen databases it obtained from infiltrating 18 different websites and offering the sensitive information freely via a hacker forum. The massive data hoard included around 386 million records.
Out of the 18 businesses penetrated in the targeted attacks, which include Appen, Chatbooks. Havenly and Indabamusic, most appear to be start-up companies.
The threat actor group recently told computer help site, BleepingComputer, it had released the private data free of charge to the hacker community as it had already accrued enough funds from private sales of the databases. BleepingComputer contacted the companies identified by the hacker group, and now disclosures of data breaches are starting to be announced by some of the start-ups.
The first two companies to come forward were the alcohol delivery start-up Drizly and the perfume subscription start-up Scentbird.
Disclosure of a data breach at Drizly
The database belonging to Drizly that was posted on the public forum contained around 2.5 million data records. Within these records was a vast quantity of Personally Identifiable Information (PII), including user’s phone numbers, email and home addresses and hashed passwords.
A statement by Drizly confirmed the data breach:
“Drizly first identified that some customer data may have been impacted on July 13th and immediately began a forensic investigation with cyber security experts to understand what had happened and what information was impermissibly obtained. In addition, we quickly took steps to tighten security and further reduce risk of attack.”
The firm added details on the scale of the attack, stating 2.5 million user accounts had been impacted and delivery addresses were exposed in less than two percent of the data records.
Drizly also emailed its affected customers and informed them that no financial details were compromised. While passwords were stolen, the company uses encryption to protect them, but nevertheless advised all users to alter them as a precaution in case they are decrypted.
Scentbird discloses data breach
The Scentbird database exposed contained customer’s names, dates of birth, genders, email, home, and billing addresses, as well as their hashed passwords and details on their status as an influencer.
The perfume subscription service issued a notification outlining the data breach to its customers, and stated:
“We are writing to let you know that Scentbird recently learned that unauthorised individuals may have accessed a database containing the personal information of Scentbird’s users. We launched an investigation as soon as we became aware of this incident, and our investigation is in its initial stages.”
The start-up also commented that no debit or credit card details were exposed and that no ID numbers issued by the government, such as social security numbers, were compromised. According to Scentbird, a mandatory password reset will be required by all users on their return to the site to protect customer accounts.