Tax Returns Exposed in TurboTax Credential Stuffing Attacks

Sergiu Gatlan reports: Financial software company Intuit discovered that tax return info was accessed by an unauthorized party after an undisclosed number of TurboTax tax preparation software accounts were breached in a credential stuffing attack. A credential stuffing attack is when attackers compile usernames and passwords that were leaked from previous security breaches and use those credentials to try and gain access to accounts at other sites. This type of attack works particularly well against users who use the same password at every site.

Read more on BleepingComputer.

It’s 2019. Why is this still a thing? Here is Intuit’s notification to Vermont:

DailyMotion discloses credential stuffing attack

Catalin Cimpanu reports: Video sharing platform DailyMotion announced on Friday that it was the victim of a credential stuffing attack, ZDNet has learned. […] According to an email sent out to impacted customers, and seen by ZDNet, the credential stuffing started last weekend, on January 19, and appears to have been successful in some cases, with hackers gaining access to a limited number of accounts. Read more on ZDNet.

Eyewear retailer Warby Parker forces password reset; notifies 198,000 customers of credential stuffing attack

Sam Woods reports: Eyewear retailer Warby Parker announced Thursday that it had suffered a cybersecurity breach that may have affected up to 198,000 customers. Hackers accessed customer usernames and passwords from unrelated cyber break-ins at other companies, according to a Warby Parker news release. The hackers then used that information to try to gain unauthorized access to client data at several Internet retailers, including Warby Parker. Read more on Philly.com.

The 111 Million Record Pemiblanc Credential Stuffing List

Troy Hunt reports: […] I’ve just loaded 111 million email addresses found in a credential stuffing list called “Pemiblanc” into HIBP. I had multiple different supporters of HIBP direct me to this collection of data which resided on a web server in France and looked like this: That site has now been taken down and the data no longer accessible, but per the image above you can see the files dating it around early April. The “USA” folder above contained a loosely organised set of files filled with email address and password pairs: Read more on TroyHunt.com.

Humana notifies members after credential stuffing attack on Humana.com and Go365.com

Health insurer Humana recently began notifying an unspecified number of health plan members after detecting and blocking a credential stuffing attack against Humana.com and Go365.com. The attacks took place on June 3 and June 4 from overseas IP addresses. In a notification letter dated June 21, Jim Theiss, Humana’s Chief Privacy Officer, writes:

On June 3, 2018 Humana was the target of a sophisticated cyber spoofing attack that occurred on Humana.com and Go365.com. Your personal information on these websites may have been accessed by the attackers. On June 3, 2018 Humana became aware of a significant increase in the number of secure log in errors that were the result of numerous attempts to log into Humana.com and/or Go365.com from foreign countries. Humana Cyber Security Operations blocked the offending foreign Internet Protocol (IP) addresses from the websites on June 4, 2018. The volume of log in attempts to Humana.com and/or Go365.com on June 3, 2018 and June 4, 2018 suggested that a large and broad-based automated attack had been launched. This was evidenced by the volume of log in attempts coming from a foreign country. The nature of the attack and observed behaviors indicated the attacker had a large database of user identifiers (IDs) and corresponding passwords that were being inputted with the intention of identifying which might be valid on Humana.com and/or Go365.com. The excessive number of log in failures strongly suggests the ID and password combinations did not originate from Humana. Humana blocked the foreign addresses by June 4, 2018.

In response to the incident, Humana took a number of steps, including forcing a password reset, deploying new alerts of successful and failed logins and locked accounts, as well as deploying a series of technical controls to enhance web portal security. They are also offering members an identity theft protection product for one year.
Of note, Humana informed members that Humana has determined there is no evidence that any data was removed from Humana systems. This incident does not yet appear on HHS’ public breach tool. When it does, we will have a number of affected members.