Top 10 Mobile Breaches and Incidents of 2018
With the increasing popularity of mobile banking and mobile apps, the risks of mobile hacking are also growing. Here are top 10 of 2018’s most notable mobile breaches and incidents.
Users are putting more trust in mobile applications, and these apps are processing and storing larger quantities of more sensitive data. Four out of 10 people in the UK alone regularly use mobile banking – trusting their personal and financial information to the bank’s mobile app – and this is projected to rise to over 70% by 2023.
The changing landscape of mobile apps is giving more opportunities for useful and popular applications than ever, but also bringing more security risks and bigger, more appealing targets for attackers. Let's have a look at top 10 most significant mobile breaches in 2018:
10. The UK Conservative party conference app share MPs’ private details
When: September 2018
The damage: personal details of various MPs and the credibility of the Conservative party
The vector: total lack of authentication in conference app
Our first entry is negligible in terms of the number of users affected, but much bigger in impact and implication. The party conference for the UK’s Conservative party, held in September, featured a custom-built app, allowing attendees to create profiles and view information. This app allowed the attendees to log in with no authentication – an email address alone would provide access. As many of the conference attendees registered with their public, parliamentary email addresses, this allowed any and all comers to access and alter the MPs’ private profile details.
For the most part, the real-world damage from this breach was limited to vandalism and the loss of some MPs’ personal information – and dignity. However, the fact that such a basic yet glaring security error was made for the conference app is highly concerning and resulted in both ridicule and heavy criticism for the UK’s governing political party.
9. Snapchat suffers from phishing and internal leak
When: July 2017-February 2018, and August 2018
The damage: first, 55,000 matched usernames and passwords of Snapchat accounts. Later, the source code for Snapchat itself.
The vector: a phishing attack and an internal leak
Snapchat is no stranger to damaging data breaches, with 4.6 million users affected by one of 2014’s largest incidents. In July 2017, Snapchat was contacted by an official in regional UK government about a publicly available list of over 55,000 Snapchat accounts, acquired by phishing scams. This included matched usernames and passwords. Though the website concerned was soon taken down, the breach never came to light until reported on by The Verge in February 2018. This would certainly have caused problems for Snapchat had it occurred after 25 May 2018 – GDPR obliges data handlers to disclose a breach within 72 hours.
If these incidents weren’t enough, in August 2018 an employee of Snapchat had to invoke a Digital Millennium Copyright Act (DMCA) takedown request when an entry on GitHub purported to be the app’s proprietary source code. It’s likely that the GitHub repository was genuine, if the all-caps, panic-stricken tone of the DMCA request is any indication.
8. Babysitting app Sitter reveals personal information
When: August 2018
The damage: 93,000 account holders’ personal information and partial payment details
The vector: an unprotected database indexed by the Shodan search engine
A LinkedIn post by security professional Bob Diachenko revealed the discovery of an exposed MongoDB instance, indexed on the Shodan search engine. The database belonged to Sitter, an app for managing babysitting services, and affected 93,000 app users. The exposed data included encrypted passwords, phone numbers, addresses and partial credit card information.
Sitter’s dev team reacted quickly, and the unprotected database had only been indexed the day before being found by Diachenko, so it’s possible that the window of exposure was very small. However, once indexed, unprotected databases like this are remarkably easy to find, so the data may well have been accessed even in such a small window. There’s no way to be sure how long the database had been exposed prior to indexing by Shodan.
7. Drupe access via unsecured AWS server
When: May 2018
The damage: roughly 300,000 users’ photos, call logs and SMS messages
The vector: unprotected AWS server
Security researcher Simone Margaritelli discovered unprotected data from the Drupe multimedia messaging and contacts-managing app. In correspondence with Motherboard, he demonstrated how any of Drupe’s 10 million users’ pictures, SMS messages or audio recordings could in theory be accessed on an unsecured AWS server. This resulted in the temporary removal of Drupe from Google Play.
An official response from Drupe sent to Android Authority claimed that “Less than 3% of all Drupe users who chose to use very specific features” were impacted by the breach. A blog post on Drupe’s website says that the vulnerability only affected data sent using Drupe’s “Walkie Talkie” or image sharing features.
6. British Airways hackers could skim credit card details
When: August-October 2018
The damage: 244,000-565,000 customers’ payment details
The vector: payment information skimming malware
Previously seen in our list of 2018’s top 10 application security breaches, the British Airways incident affected both web-app and mobile app users. Both frontends connect to the same payment processing application in order to process payments, so the injected malware was able to skim credit card details from both sets of users.
5. mSpy database was out in the open
When: September 2018
The damage: unspecified “millions” of user records
The vector: unauthenticated online data storage
mSpy is a SaaS provider for mobiles which enables surveillance software to be deployed on the cell phones of friends and family. Functionally spyware, the service markets itself as a monitoring solution to keep tabs on your children’s – or possibly spouse’s – phone usage. This of course involves processing some very sensitive and private data, including passwords, SMS and call logs and location data.
In September, security researcher Nitish Shah found an exposed database containing just such information on both mSpy’s unwitting users and paying customers. This database appeared to be the current, active storage for the app rather than a backup, as the data was “up to the minute”. The exact number of records exposed was not recorded, but the database was described as containing “millions of records”.
4. Vovox SMS database discovered exposing 26 million SMS messages
When: November 2018
The damage: roughly 26 million SMS messages containing private information, password reset links and 2FA codes
The vector: unsecured and searchable databases
Many companies are beginning to wake up to the importance of multi-factor authentication to security, but it’s far from the last word in keeping applications secure. This is especially true when the second authorization factor becomes compromised in some way. A database, owned by Vovox, was recently discovered. The database stored many such 2FA messages, along with other data sent over SMS.
The exposed data included many 2FA authorization codes – including the phone numbers to which they were sent – password reset codes, tracking numbers and account keys. While there is some good news in that this breach has a narrower window for abuse, since the authorization codes and password reset links expire, the breach also included healthcare data. Appointment reminders and billing enquiries sent to some patients were exposed.
3. Careem attacked via data storage systems
When: January 2018
The damage: 14 million customers’ and 550,000 drivers’ personal details
The vector: a successful cyber-attack on data storage systems
Careem is a ride-hailing service in the same vein as Uber which caters to Africa, South Asia and the Middle East, founded in Dubai. In January, Careem reported a security breach in which attackers gained access to its data storage systems, which included users’ names, email addresses, phone numbers and trip history of 14 million customers.
This also included the personal details of the more than 550,000 drivers registered on Careem’s systems at the time. Precise details on the nature of the attack have not been provided, but the company’s official apology said that it had “learned from this experience and will come out of it a stronger and more resilient organization”, which implies that the breach may have exploited lax security controls rather than a sufficiently determined attack overcoming strong security.
2. Timehop unwittingly shares 21 million users’ personal details
When: July 2018
The damage: 21 million users’ personal details
The vector: compromised admin credentials
2018’s number three general application security breach is also the number two mobile breach. Timehop integrates with social media mobile apps as well as web applications, making this breach relevant across both app-sec and mobile security.
Timehop provided a detailed breakdown of the breach, including what data was and wasn’t accessed. Breached data included names, emails, dates of birth and some phone numbers. Access keys for users’ social media accounts were also compromised, but these were quickly reset by Timehop.
1. GOMO/Sungy Mobile exposes 50 million users
When: May 2018
The damage: 50.5 million users’ personal information, and internal corporate data
The vector: completely unauthenticated database access via vulnerable ports
The largest data breach of 2018 by far, but one of which many in Europe and the US may be unaware. Sungy Mobile, also operating as GOMO, is one of China’s most prolific mobile app makers and service providers. Thanks to an administrative oversight, two unsecured ports were discovered in May, with the data of over 50 million users exposed in plaintext databases.
Although primarily based in China, the breach affected users internationally, with 301 countries represented in the leaked data, including the US. Usernames, email addresses, dates of birth, phone numbers and even some passwords were all exposed. As well as end users, the database included sensitive corporate data for GOMO itself.
That was our version of the top 10 mobile breaches of 2018. If you know about other significant mobile breaches not mentioned in this article, leave your comment below.