Constella Intelligence

New Findings on the National Public Data Breach: Poor Security Measures and the Role of Infostealer Malware as a Possible Vector of Attack 

In recent months, the National Public Data (NPD) breach has been a topic of intense scrutiny, with cybersecurity experts like Brian Krebs highlighting the poor security practices that contributed to the breach’s magnitude. As we continue to analyze the aftermath, new findings have come to light that underscore the dangers posed by inadequate security measures and the rising threat of infostealer malware as a vector of attack.

New Findings: Malware Infections and Shared Credentials

Our latest investigation into the NPD breach has uncovered two instances of malware infostealer infections associated with the site recordscheck.net, which raise serious concerns about the security of the affected infrastructure.

Infection #1: Shared Credentials or Compromised Systems?

The first case involves a user named Sal Verini, whose email and username were found alongside numerous credentials from creationnext.com. This overlap suggests two possible scenarios:

  • Shared System Usage: Sal may have used the same computer as someone from creationnext.com, leading to a potential cross-contamination of credentials.
  • Credential Sharing: Alternatively, Sal may have shared his credentials with someone at creationnext, raising the risk of unauthorized access.

Both scenarios point to poor security practices that could easily be exploited by attackers, leading to significant data breaches.

Infection #2: Weak Security and Admin Account Exposure

The second instance is even more alarming. It involves a user named “admin” who was using one of the simplest passwords possible, “passw***”, a glaring example of weak security. The autofill data links this account to Thomas S, a young independent software developer in Togo. The infection was recorded on May 26, 2023.

Were these infections the vector of attack to the NPD breach?

Recent breaches have increasingly been traced back to infostealer malware, which harvests credentials and other sensitive information from infected systems. These stolen credentials and cookies are then used to gain unauthorized access to networks, leading to data breaches and other cyber-attacks.

In the case of the NPD breach, it’s plausible that infostealer malware was the vector of attack. The presence of shared credentials and weak security practices only amplifies this risk, as attackers can use these stolen credentials to infiltrate systems and exfiltrate valuable data.

A Call for Better Security Practices

The NPD breach serves as a stark reminder of the importance of robust security practices. The use of weak passwords, sharing of credentials, and reliance on autofill features are all practices that can lead to catastrophic breaches. Organizations must prioritize security by implementing strong, unique passwords, minimizing the use of autofill for sensitive information, and regularly monitoring for signs of malware infections.


The Deception Game: How Cyber Scams Manipulate Trust to Access Sensitive Information

In recent years, the landscape of cyber scams has evolved, targeting even the tools designed to protect consumers. One such concerning development involves the exploitation of trusted services to mislead and scam users. This article explores a specific case in which scammers may have taken advantage of these services to deceive users into divulging sensitive information, leading to potential financial losses and identity theft.

The Mechanics of the Cyber Scams

At the core of this issue lies a highly sophisticated cyber scam that exploits the trust consumers place in services that were designed to alert users regarding suspicious activities or data breaches. In this case, however, scammers have managed to breach the very systems intended to safeguard user identities. Here’s how the scam operates:

  1. Compromised Alerts: Users receive seemingly legitimate alert emails from a trusted organization, notifying them of potential security issues. These emails include clickable links that direct users to what appear to be secure websites.
  2. Redirects to Malicious Sites: Upon clicking the link, users are redirected to malicious domains designed to look like legitimate websites or are taken directly to scam sites hosted on platforms like Telegram. These sites may request further sensitive information under the guise of security checks or offer downloads that contain malware.
  3. Exploitation of User Trust: The effectiveness of this scam lies in its exploitation of user trust. Since the alerts originate from a trusted source, users are more likely to click on the links without their usual level of scrutiny. This bypasses standard phishing detection mechanisms, which often filter out emails from suspicious or unknown sources.

Indicators of Deceptive Practices

Several red flags were identified during the investigation into these compromised alerts:

  • Clickable Links in Alerts: Unlike more secure practices adopted by other identity protection services, some alerts include clickable links. This practice is risky because it can easily be exploited to redirect users to malicious sites.
  • Use of Scam Domains: The domains used in these alerts were found to be registered for the explicit purpose of hosting scam operations. For example, one domain redirected users to a Telegram channel that further directed them to malicious downloads or additional scams.
  • High Click-Through Rates: Analysis of traffic to these scam domains revealed a substantial number of users clicking through from these alerts. This suggests a significant exploitation of these alerts, driving traffic to malicious sites and potentially resulting in a high number of compromised users.

Potential Implications and Risks of Cyber Scams

The consequences of this scam could be far-reaching:

  • Financial Loss: Users deceived by these scams might inadvertently provide sensitive information such as banking details, leading to financial fraud or unauthorized transactions.
  • Identity Theft: The exposure of personal information can lead to identity theft, where attackers use the information to open new accounts, make purchases, or engage in other forms of fraud.
  • Malware Infections: Users who download files from these scam sites could infect their devices with malware, further compromising their security and potentially leading to data loss or additional breaches.

Conclusion: How Constella Intelligence Leads the Way in Combatting These Threats

At Constella Intelligence, we’ve recognized the growing sophistication of scams targeting identity protection services and have implemented advanced mechanisms to safeguard our users.

Our systems incorporate a robust verification and curation process, designed to detect and mitigate these types of fraudulent attacks before they reach our customers. In line with the rigorous standards we detail in our blog Verifying the National Public Data Breach, we employ advanced data validation and monitoring techniques to ensure every alert is legitimate and free from manipulation. By continuously monitoring for suspicious patterns and ensuring that all alerts are authentic, we provide the most secure identity protection available on the market. As the leading identity protection provider, we’re committed to staying ahead of emerging threats and maintaining the trust our users place in us to protect their personal information.

Recommendations for Users

To safeguard against potential scams and enhance online security, consider the following steps:

  1. Avoid Clicking on Links in Emails: Even if the email appears to be from a trusted source, manually navigate to the company’s official website instead of clicking on links in the email. This reduces the risk of being redirected to a malicious site.
  2. Use a Password Manager: A password manager can help generate and store complex, unique passwords for each of your accounts, reducing the risk if one service is compromised.
  3. Monitor Your Accounts Regularly: Frequently check your bank statements and credit reports for any unauthorized activity. Early detection of suspicious activity can prevent more significant financial losses.
  4. Enable Multi-Factor Authentication (MFA): Whenever possible, use MFA on your online accounts. This adds an additional layer of security by requiring multiple forms of verification.

By following these recommendations, users can better protect themselves from the increasingly sophisticated tactics employed by scammers to exploit even the most trusted services.

Potential Surge in Cryptocurrency Leaks

Increase in Cryptocurrency Leaks After Trump Supports Bitcoin

Recently, Constella Intelligence has observed an increase in attacks and data breaches resulting in cryptocurrency leaks. This surge could be partly attributed to comments made by former President Donald Trump in support of Bitcoin, which may have heightened hackers’ interest in these sites.

Former President Donald Trump has recently positioned himself as a pro-crypto presidential candidate. During his keynote speech at the Bitcoin 2024 conference in Nashville, Tennessee, held from July 25-27, 2024, Trump emphasized the transformative potential of cryptocurrencies. He pledged to make the United States a leader in Bitcoin mining and digital asset management.

These comments could have caused crypto-related sites to increase in value, making them more attractive targets for cybercriminals. As Bitcoin prices surge, the incentive for attacks on these platforms grows, highlighting the need for robust security measures.

Crypto Leaks Overview

In the first half of 2024, over 250 possible breaches or leaks related to cryptocurrencies, NFTs, and Bitcoin have been reported. These potential breaches could have affected users of various cryptocurrency platforms, including Bitcointalk, Crypto.com, Binance, eToro, and others.

Below are examples of how threat actors are offering information about these crypto-related sites on the Dark Web.

Zuelacoin Data Leak:


This information was published on March 31, 2024. According to the threat actor, the data includes:

  • Emails
  • Names
  • Social media profiles (Twitter, Facebook, Telegram)

Binance Cryptocurrency Leak:


The post was made on May 27, 2024. The exposed information includes:

  • Emails
  • Full names
  • Phones
  • Countries

Mobile Apps like CashCoin, Coinbase, and KuCoin:


The threat actor “whix” published this on March 26, 2024. The exposed information includes:

  • Emails
  • Usernames
  • Passwords
  • Countries
  • IP Addresses
  • Payment methods

eToro Cryptocurrency Leak:


The same threat actor also reported this on March 25, 202, where the following information could be found:

  • Full names
  • Emails
  • Countries
  • IP Addresses
  • Amounts
  • Payment methods

Bitcointalk Cryptocurrency Leak:


According to the threat actor on March 25, 2024, a database exposing the following information was published:

  • Emails
  • Usernames
  • Ethereum Addresses

These platforms are integral to the crypto ecosystem, providing services such as trading, wallet management, and social interaction for crypto enthusiasts.

Extent of Infostealer Exposures

Constella Intelligence has checked whether the published information could have originated from infostealer infections. This check found nearly 4 million users of these cryptocurrency companies exposed in infostealer data. Most exposures have impacted major cryptocurrency exchange platforms:

  1. Binance: More than 2M users exposed.
  2. eToro: More than 500k users exposed.
  3. Crypto.com: More than 300k users exposed.
  4. Localbitcoins: More than 200k users exposed.

Digging into the infostealer exposures, Constella Intelligence also identified what appear to be infostealer infections of likely employees of some of those companies, including Binance.com, eToro.com, Crypto.com, and Localbitcoins.com, among others.

Implications of Crypto-Related Breaches

The exposure of such extensive and sensitive information has significant and far-reaching implications as it endangers the financial security and privacy of millions of users. The compromised data can be exploited for various malicious activities:

  1. Identity Theft: Personal information such as full names, addresses, and birthdays can be used to steal identities.
  2. Financial Fraud: Payment methods and transaction histories can be exploited to conduct unauthorized transactions.
  3. Phishing Attacks: Email addresses and social media profiles can be used to create convincing phishing scams.

Recommendations for Users

To mitigate the risks associated with the recent breaches, users should adopt the following security practices:

  1. Use Strong, Unique Passwords: Ensure that each cryptocurrency account has a strong, unique password. Consider using a password manager to generate and store complex passwords securely.
  2. Enable Two-Factor Authentication (2FA): Adding an extra layer of security through 2FA can significantly reduce the risk of unauthorized access to accounts.
  3. Monitor Crypto Transactions Regularly: Keep a close watch on your cryptocurrency transactions and wallet activity to detect any unauthorized activities. Early detection can help prevent significant financial losses.
  4. Be Wary of Phishing Attempts: Be cautious with emails and messages requesting personal information or directing you to log in to your accounts. Verify the authenticity of such requests through official channels.
  5. Update Security Settings on Crypto Platforms: Regularly review and update your security settings on cryptocurrency exchanges and wallets. Ensure that all recovery options are up-to-date and secure.

2024 Identity Breach Report: Navigating the GenAI Attack Revolution

The cybersecurity landscape is rapidly evolving, and our 2024 Identity Breach Report: Welcome to the GenAI Attack Revolution offers essential insights into how artificial intelligence (AI) and complex data sets are transforming the threats we face today.

The New Face of Phishing: AI-Powered Scams

This year’s report highlights a dramatic shift in phishing tactics. With tools like FraudGPT and advanced natural language processing (NLP), phishing attacks have moved beyond the outdated Nigerian prince emails to become hyper-personalized and alarmingly convincing. These AI-driven attacks leverage Large Language Models (LLMs) to create realistic scams that often evade detection. Warren Buffett aptly noted that AI is propelling scamming into a “growth industry,” and research from Harvard Business Review confirms this trend, showing that AI reduces phishing implementation costs by over 95% while boosting success rates. This signifies a forthcoming surge in both the sophistication and frequency of phishing attacks.

The Escalation of Nation-State Cyber Threats

Our report also explores the rising influence of nation-state actors in cyber conflicts. In 2023, breaches linked to Russian entities were responsible for six of the top ten compromised domains, underscoring the escalation of cyber warfare. Accurate source attribution and a global data perspective are now indispensable for combating these state-sponsored threats. This approach is vital for effective defense against identity theft and for conducting thorough investigations to identify and neutralize bad actors.

The Growing Threat of Infostealers

Infostealers continue to be a significant threat in the cybersecurity landscape. These tools, which facilitate remote data exfiltration and theft, have seen a substantial increase in usage. Our report reveals a 140% rise in infostealer incidents since 2021, with no signs of this trend slowing. Infostealers remain a critical concern, emphasizing the need for advanced security measures to protect both consumer and corporate data.

Why This Report Matters

The 2024 Identity Breach Report provides crucial insights into the evolving cyber threat landscape shaped by AI and data complexities. Understanding these developments is essential for enhancing your cybersecurity strategies and effectively addressing the risks of identity exploitation and cyberattacks.

Stay Ahead of Emerging Threats

To safeguard your organization against sophisticated threats, staying informed is key. The 2024 Identity Breach Report equips you with the knowledge needed to navigate the changing cybersecurity terrain. Stay ahead of emerging risks and protect your organization with the latest insights and recommendations from our in-depth analysis.

Verifying the National Public Data Breach: The Largest Social Security Number Exposure in History

There have been conflicting reports recently published related to the National Public Database (NPD) breach, including claims that “3 billion people have been exposed,” or that “all U.S. social security numbers (SSNs) may have been stolen,” as well as confusion on the quality and veracity of the data.

This blog seeks to clarify and shed light on the real risk and exposure of the breach based on in-depth analysis of the data.

Key highlights of this National Public Data Breach analysis:

  1. How many people were affected?

Based on our analysis, the total number of unique individuals affected by the breach is:

This represents 60% of all historical SSNs issued by the IRS, marking the largest volume of SSN exposure on the dark web to date.

  2. Who is affected?

The data is outdated and goes back to the beginning when SSNs were first issued in 1936, including deceased individuals. Some insights include:

  • Only a small percentage of the SSNs exposed include those assigned within the last 20 years.
  • The larger population affected was born between 1950 and 1970, as shown in the graph below:

Date of birth for individuals affected by this breach

  3. What is the quality of the data?

The data comes from a poorly executed collection operation drawing on a mix of sources, and it includes many errors. We created tests to identify the records that hold the minimal accuracy needed to pose some risk of identity attacks.

The underlying data is updated on an ongoing basis, which most likely explains why its quality changes dramatically depending on the age of the record.

Note that even if there are deceased individuals in the dataset, the highest proportion of actionable information affects the living population.

The graph above shows the percentage of identities that have the minimal accuracy required to pose a risk of identity attacks.

  4. What is the magnitude of the risk of this dataset?

Even if only 51% of the SSNs exposed hold a minimal quality to be used in identity attacks, this translates to added risk to an unprecedented 138 million people.

Again, even though the dataset includes many deceased individuals, the highest proportion of actionable information affects the existing population.

Analysis of the Data

Total SSNs Exposed

The total number of unique SSNs across Part 1 and Part 2 combined is 272 million. Since each SSN can only be assigned to one person, this is also the total number of people who had their SSNs exposed, if all SSN numbers are true.

The IRS has assigned 453 million from the 1 billion total possible. This means that this dump exposes 60% of the total historical SSNs. The distribution of SSNs is shown below.

Social security number distribution

Total Number of People Impacted

In the subsequent section, it’s noted that there are 21 million exposed email records not linked to an SSN. Dividing this by 1.1 (the average number of emails per person) reveals an estimated 19 million individuals whose emails were exposed without their SSNs. Adding these 19 million individuals to the 272 million with exposed SSNs, the total number of people affected by the NPD breach amounts to 292 million.

Detailed Numbers

All National Public Data Breach:

  • Unique People:   294 million
  • Unique SSNs:      272 million
  • Unique Emails:    32 million

Detailed information from each package:

  • Part 1, also called “partial”:
    • Records: 42,084,115
    • Unique SSNs: 16,229,269
    • Unique emails: 32,052,804
    • Unique emails not associated with an SSN: 21,539,497
    • Unique SSNs with one or more emails: 10,513,307
    • Average number of emails per person: 1.1
  • Part 2, also called “full”:
    • Records: 261,538,219
    • Unique SSNs: 261,538,218
    • Emails: 0
    • Unique emails: 0

Quality Tests

The data consists of a mix of different sources from scraping of non-public sources according to the class action lawsuit. This has led to concerns regarding the quality of the data with a number of people reporting real findings as well as erroneous ones.

Testing SSNs

The most difficult step when testing the accuracy of SSNs is to have a good quality test dataset. Unlike emails and other credentials, SSNs have rarely been exposed in substantial volumes and are difficult to validate due to their sensitive nature — people generally do not and should not disclose their SSN publicly.

At Constella, we can leverage our extensive experience in protecting millions of identities for nearly 10 years. To assess the validity of SSNs, we gathered 100,000 records containing SSNs that were previously exposed in different breaches and leakages and were tagged as “high confidence” by our Alert Engine.

SSN Numbers Test

Out of the 1 billion potential 9-digit SSN combinations, the IRS has assigned only 46%. Our first test was designed to verify the authenticity of the SSN numbers in isolation, without considering any accompanying information like names, addresses, phones, etc.

76% of the SSNs we tested were found in the NPD data.

Minimal Accuracy Test

Despite having a robust test dataset, verifying identity information presents significant challenges, particularly when an email is not included, due to the ambiguity in identity details:

  • Names often have variations, such as aliases, abbreviations, or different spellings in surnames. Additionally, individuals may change their surnames due to marriage or other reasons.

For example, in our dataset, a man listed as Miguel Guz*** appeared as Michael Guz*** in the NPD dataset, a woman recorded as Josie So*** was listed as Osie So***, a surname Giess***l appeared as Phillip Giess*** without the final “l”, and a woman named Deborah was referred to as Debra.

  • Addresses and phone numbers are also subject to change over time, further complicating the verification process. For this reason, when alerting on SSN records it is quite rare to find a full match between the exposed identity and the identity being tested.

Due to these variations, seeking exact matches between the test dataset and the data under review is often not very productive, as perfect alignment of details is rare. However, partial matches of the data can be sufficient for impersonation attacks, or can be completed with other datasets, or used for creating synthetic identities.

We created tests aimed at evaluating how many of the records include enough real information to pose an actual risk of an identity attack. A record passes the test if its SSN, its first name, and a third identity attribute (a surname, date of birth, address, or phone number) all match. For example, a matching first name, surname and SSN passes the test.

Only 51% of the identities passed the test. This percentage is highly dependent on the age of the person, however, and is much higher for the younger population: records for people born in the 1990s produced a 90% match, the 1980s a 73% match, and the 1970s a 58% match.
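The three-attribute rule above, written out as an added example (this is not Constella's test code, which the post does not publish). The NPD-style records, the test identities, the nickname table, the name-variation tolerance and the 1850 lower bound for a plausible date of birth are all constructed assumptions; real SSNs never use area number 000, which is why the sample uses it.

```python
"""Minimal-accuracy test for an SSN dump: SSN + first name + one more attribute must match.
All data below is constructed for illustration."""
from datetime import date
import re
import unicodedata

# Constructed nickname pairs (assumption; a real test set would use a fuller alias table).
NAME_ALIASES = {frozenset(p) for p in [("deborah", "debra"), ("miguel", "michael"), ("robert", "bob")]}


def norm_name(s):
    """Lowercase, strip accents and drop anything that is not a letter."""
    s = unicodedata.normalize("NFKD", s or "")
    return "".join(c for c in s if c.isalpha()).lower()


def levenshtein(a, b):
    """Plain edit distance, used to tolerate a dropped letter or a spelling variant."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def names_match(a, b):
    """Accept exact, alias (Deborah/Debra), or one edit for short names and two for long ones
    (Josie/Osie, Giessl/Giess). The thresholds are an assumption of this example."""
    a, b = norm_name(a), norm_name(b)
    if not a or not b:
        return False
    if a == b or frozenset((a, b)) in NAME_ALIASES:
        return True
    return levenshtein(a, b) <= (2 if min(len(a), len(b)) >= 7 else 1)


def norm_phone(p):
    return re.sub(r"\D", "", p or "")[-10:]  # assumption: compare the last 10 digits


def norm_address(a):
    return " ".join(re.sub(r"[^a-z0-9 ]", " ", (a or "").lower()).split())


def plausible_dob(d):
    """Reject the 'impossible' dates the analysis mentions: future or absurdly old."""
    return d is not None and date(1850, 1, 1) <= d <= date.today()


def third_attribute_match(test, found):
    """Return the name of the third attribute that matched, or None."""
    if names_match(test.get("surname"), found.get("surname")):
        return "surname"
    if plausible_dob(test.get("dob")) and test["dob"] == found.get("dob"):
        return "dob"
    if norm_address(test.get("address")) and norm_address(test.get("address")) == norm_address(found.get("address")):
        return "address"
    if norm_phone(test.get("phone")) and norm_phone(test.get("phone")) == norm_phone(found.get("phone")):
        return "phone"
    return None


def minimal_accuracy(test, npd_by_ssn):
    """SSN must be in the dump, first name must match, and one more attribute must match."""
    found = npd_by_ssn.get(re.sub(r"\D", "", test["ssn"]))
    if found is None or not names_match(test.get("first"), found.get("first")):
        return False
    return third_attribute_match(test, found) is not None


def match_rate(tests, npd_by_ssn):
    return sum(minimal_accuracy(t, npd_by_ssn) for t in tests) / len(tests)


def match_rate_by_decade(tests, npd_by_ssn):
    """Share of passing records per birth decade of the test identity (records without a
    plausible DOB are skipped), mirroring the per-decade breakdown in the analysis."""
    buckets = {}
    for t in tests:
        if not plausible_dob(t.get("dob")):
            continue
        decade = t["dob"].year // 10 * 10
        passed, total = buckets.get(decade, (0, 0))
        buckets[decade] = (passed + minimal_accuracy(t, npd_by_ssn), total + 1)
    return {d: p / n for d, (p, n) in buckets.items()}


# Constructed dump records keyed by digit-only SSN (area 000 is never issued, so these are fake).
NPD = {
    "000110001": {"first": "Michael", "surname": "Guzman", "dob": date(1972, 3, 4), "address": "12 Oak St, Austin TX"},
    "000110002": {"first": "Osie", "surname": "Soto", "dob": date(1, 1, 1), "phone": "(512) 555-0100"},
    "000110003": {"first": "Debra", "surname": "Lee", "dob": date(1985, 6, 7)},
    "000110004": {"first": "Phillip", "surname": "Giess"},
}

# Constructed "high confidence" test identities.
TESTS = [
    {"ssn": "000-11-0001", "first": "Miguel", "surname": "Guzmán"},                        # alias + accent
    {"ssn": "000-11-0002", "first": "Josie", "surname": "Sosa", "phone": "+1 512 555 0100"},  # phone rescues it
    {"ssn": "000-11-0003", "first": "Deborah", "surname": "Smith", "dob": date(1985, 6, 7)},  # DOB matches
    {"ssn": "000-11-0004", "first": "Phillip", "surname": "Giessl"},                       # dropped final l
    {"ssn": "000-11-0003", "first": "Deborah", "surname": "Smith", "dob": date(1985, 6, 8)},  # no third attribute
    {"ssn": "000-11-0099", "first": "Anna", "surname": "Ng"},                              # SSN not in dump
]

if __name__ == "__main__":
    print(f"pass rate: {match_rate(TESTS, NPD):.0%}", match_rate_by_decade(TESTS, NPD))
```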

Age of the Data

Only 56% of the records include a Date of Birth. These records contain some “impossible” dates, such as dates of birth in the future or in the first century, affecting a total of 8,900 identities. In analyzing the distribution across decades, the most populated ones are the 1950s and 1960s.

In conclusion, the larger portion of the population was born between 1940 and 1980. The data is quite outdated, with a sharp drop in recent years, and it reaches far back into the past, with 1 million people born in the 1900s decade.

About the Breach Package

The breach, initially linked and recently attributed to the data provider National Public Data, was orchestrated by the cybercriminal group USDoD, who allegedly tried to sell the stolen data on the dark web for $3.5 million. This incident underscores the significant risks associated with unauthorized data collection and highlights the critical need for enhanced data protection measures, particularly for individuals in sensitive positions.

The breach first came to light on July 22, 2024, when a malicious actor known as Petrovic released an 80GB partial dataset on BreachForums. While this initial leak was considerable, it was merely the tip of the iceberg, revealing only a glimpse of the total compromised data.


By August 6, another hacker named Fenice released the complete dataset, totaling 277GB and 2.69B lines, making this one of the largest data breaches in history.


Versions and Additions: What’s Included in Our Analysis

On top of the main data, there are additional files with dumps, including a criminal list with 2.8 million criminal records and another one with 2.1 million arrest records.

Some versions of the dump seem to have aggregated other 3rd party leak packages – Troy Hunt reports finding an Acuity directory with 100 million unique emails.

None of them include SSNs, and we won’t include those in this analysis, which will be focused on the core NPD database.

Recent El Salvador Cyber Attacks

El Salvador Cyber Attacks Pose Significant Threats

Cybercriminals and hacking groups are increasingly exploiting geopolitical instability to launch attacks, such as the recent El Salvador cyber attacks, that create chaos and generate financial gain. Data breaches pose significant threats to national security, economic stability, and individual privacy. In countries like El Salvador, with a population of approximately 6.5 million, these effects can be even more pronounced due to limited resources and infrastructure to combat such threats.

Geopolitical Context of El Salvador

El Salvador’s geopolitical landscape is marked by internal political changes, economic developments, and technological initiatives, such as the adoption of Bitcoin as legal tender. The current administration, under President Nayib Bukele, has implemented measures aimed at reducing gang violence and has undertaken various reforms. These actions, alongside ongoing economic and social challenges, impact the country’s cybersecurity landscape, influencing its vulnerability to cyberattacks.

CiberinteligenciaSV Group

The group responsible for several recent leaks, known as CiberinteligenciaSV, is a Salvadoran data breach group that claims to have extensive information available for those who contact them. They are highly active on BreachForums, regularly posting detailed and sensitive information about Salvadoran citizens and institutions. CiberinteligenciaSV also maintains a Telegram group with nearly 3,500 members, expanding their influence and reach within the cybercriminal community.

Recent Data Breaches in El Salvador

Police Data Breaches:


On July 3, 2024, Constella Intelligence identified ten breaches related to the police in El Salvador. The leaked information involves reports on disappearances, vehicles, extortions, weapons, and other types of warnings and incidents. Moreover, on April 7, 2024, more than 10,000 arrest warrants from El Salvador were leaked.

This dataset provided freely by the attackers includes sensitive legal information that could be used to intimidate or manipulate individuals involved in ongoing legal proceedings. The data exposed in these breaches includes:

  • Full names
  • Telephone numbers
  • Identity documents
  • Addresses
  • Crimes and events

These breaches pose significant risks to individual privacy and public safety, as the compromised data could be used for various malicious activities, including identity theft, extortion, and targeted attacks.

Movistar/Telefónica El Salvador:


A breach affecting Movistar de El Salvador was reported on May 4, 2024, compromising the personal data of more than 74,351 individuals. The leaked data includes:

  • Phone numbers
  • Full names
  • Email addresses
  • Addresses

This breach exposes sensitive personal information, potentially compromising the privacy and security of Movistar customers.

PGR El Salvador – Justice Institution:


A breach affecting the Procuraduría General de la República (PGR), a key institution within El Salvador’s Ministry of Public Affairs, was reported on April 29, 2024. The leaked data includes:

  • SQL databases exported from the SQL server (37 GB)
  • Over 2,000 tables with millions of records
  • Complete files of backend and frontend systems (4 GB+)
  • CSV files, VPN access, IP addresses, and other credentials

This breach exposes sensitive legal and administrative information, potentially compromising the integrity of El Salvador’s justice system.

ATM Chivo Wallet:


The Chivo Wallet, an electronic wallet created by the Salvadoran government to facilitate payments in dollars and Bitcoin, suffered a data breach on April 23, 2024. The leaked information includes:

  • ATM code for Chivo Wallet
  • VPN credentials

This breach undermines the security of the country’s financial transactions and affects public confidence in the government’s digital initiatives.

Vehicle Registration Data:


A dataset containing information on 824,536 vehicles in El Salvador was leaked on April 7, 2024. The data includes:

  • Names
  • License plates
  • Models
  • Brands
  • Types
  • Colors
  • Years
  • Conditions of vehicles

This breach provides cybercriminals with a comprehensive registry of vehicle data, which could be exploited for various malicious activities.

Massive Database of Salvadoran Citizens:


On April 2, 2024, a massive database containing detailed personal information and high-quality images of 5 million Salvadoran citizens was leaked. The data includes:

  • ID and identification documents (DUI)
  • Names and last names
  • Dates of birth
  • Telephone numbers
  • Email addresses
  • Home addresses
  • 5,129,518 high-definition photos labeled by DUI numbers

This database, totaling 144 GB, represents a significant portion of El Salvador’s population, highlighting the severe implications of such a breach on national security and individual privacy.

Exploitation of Leaked Data by Cybercriminals

The accessibility of such extensive datasets significantly empowers cybercriminals. Attackers can exploit the leaked personal information to orchestrate various malicious activities. With detailed data on individuals, including their identification documents, contact details, and even vehicle registration information, cybercriminals can execute a range of harmful actions such as:

  • Identity Theft: Stolen personal information can be used to create false identities for fraudulent activities.
  • Financial Fraud: Banking details and personal data can facilitate unauthorized financial transactions and scams.
  • Extortion: Cybercriminals can threaten to release sensitive information unless a ransom is paid.
  • Targeted Attacks: Detailed personal data enables highly targeted and effective phishing campaigns, leading to further data breaches and financial losses.

Recommendations

Given the increasing frequency and sophistication of cyberattacks, it is crucial for individuals to adopt robust cybersecurity measures. Here are some key recommendations:

  • Change and Strengthen Passwords: Individuals whose personal information has been exposed should immediately change and strengthen passwords for their online accounts, especially those related to financial and sensitive personal data, to prevent unauthorized access.
  • Enable Two-Factor Authentication (2FA): For added security, enable 2FA on all accounts where this option is available, particularly for services like Chivo Wallet and Movistar, to provide an additional layer of protection against unauthorized access.
  • Monitor Financial Accounts and Credit Reports: Individuals affected by the breaches should closely monitor their financial accounts and credit reports for any unusual activity or signs of fraud, especially given the exposure of data such as names, addresses, and identification documents.
  • Be Cautious of Phishing Attempts: With detailed personal data potentially compromised, individuals should be particularly vigilant against phishing attempts. Verify the authenticity of emails, messages, and phone calls that request personal information or direct to login pages.

By implementing these strategies, individuals in El Salvador can better protect themselves from the growing threat of cyberattacks and data breaches. Staying informed and proactive is essential to maintaining security and trust in an increasingly digital world.

Taylor Swift Ticket Leak: A Potential Threat from the Recent TicketMaster Breach

A recent leak may have exposed sensitive information related to Taylor Swift’s concert tickets. This incident is directly connected to the data breach that occurred on TicketMaster a few weeks ago.

A New Data Package Surfaces on the Dark Web Following TicketMaster Breach

This new leak emerged following the TicketMaster incident. The threat actor known as Sp1d3rHunters has claimed responsibility for this potential data exposure, as shown in the screenshot below. The name suggests a possible connection to the user Sp1d3r and the group ShinyHunters, who have been linked to previous high-profile leaks, including those involving Santander Bank and AT&T.

According to reports, threat actors obtained barcode data for hundreds of thousands of tickets to Taylor Swift’s Eras tour. However, TicketMaster has denied engaging with the hackers and assured that their dynamic barcode technology will prevent the misuse of the leaked barcodes.

Details of the Incident

On July 4th, the malicious actor Sp1d3rHunters put the stolen data up for sale on a hacking forum for $2M, threatening to publish more data from the TicketMaster data breach and around 30 million barcodes for other events. These events supposedly include more Taylor Swift concerts as well as sporting events like F1 races, MLB games, and NFL matches.


The breach includes relevant information about Taylor Swift’s concert tickets, such as:

  • Event date
  • Event ID
  • Transaction ID
  • Ticket barcode
  • Ticket location (section, row, and seat)
  • Event location (venue, country, state, city, ZIP, address)

This exposure reveals crucial details that could potentially be misused by malicious actors.


Potential Risks and Implications of TicketMaster Breach

  1. Potential Ticket fraud: While it’s unclear if the leaked data can be directly matched to specific TicketMaster accounts, the information provided, such as ticket barcodes and transaction IDs, could potentially be used by unauthorized individuals to create counterfeit tickets. This poses a risk of ticket fraud, which could lead to financial losses and disruptions at events.
  2. Physical Security Risks: If it becomes possible to match the exposed TicketMaster data with specific tickets, there could be security risks for event attendees, including potential harassment or targeted attacks. However, we have not yet been able to confirm whether such a match is feasible.

If these potential scenarios are feasible, we could expect threat actors to engage in ticket scalping and resale fraud, using the stolen data to sell counterfeit tickets. Additionally, TicketMaster may face operational disruptions, including logistical challenges in reissuing tickets and managing event entries, which could affect both concertgoers and the company’s operational efficiency.

Recommendations for Users

Given the nature of the breach, users should take the following precautions to protect themselves:

  • Verify Your Tickets: Before attending an event, confirm the authenticity of your tickets through TicketMaster’s official channels to ensure they have not been compromised or counterfeited.
  • Protect Your Privacy: Avoid sharing specific details about your event plans on social media, as this information could be misused by malicious actors for tracking or targeting purposes.
  • Home Security Awareness: Refrain from posting event dates and locations online, as this can alert potential thieves to your absence and increase the risk of home burglaries.
  • Stay Informed: Keep up to date with communications from TicketMaster and other trusted sources regarding the breach. Follow any additional instructions provided to secure your personal information and tickets.

Neiman Marcus Data Breach: Analysis and Example of How Criminals Exploit Data Using AI

The recent Neiman Marcus data breach was detailed in an official communication to their customers. In May 2024, Neiman Marcus Group (NMG) discovered that an unauthorized party accessed a cloud database containing personal information. The compromised data included names, contact details, birthdates, gift card information (without PINs), transaction data, partial credit card numbers, Social Security digits, and employee IDs. For more information, see NMG’s official statement.

Breach Details and Data Exposed

On June 25th, a threat actor known as “Sp1d3r” attempted to sell the stolen data on a hacking forum for $150,000. According to the threat actor, the data set includes 12 million gift card numbers, 70 million transactions with detailed customer information, and 6 billion rows of customer shopping records and store information.

The compromised data includes the following information, as can be found in the screenshots below.

  • Full names
  • Email addresses
  • Dates of birth
  • Partial credit card numbers
  • Credit card types
  • Home and billing addresses
  • IP addresses
  • Gift card numbers (with name, gift card number, balances and more)
  • Purchase locations

Constella Intelligence’s breach analysis confirmed the exposure of the previously mentioned customer data. Additionally, the analysis revealed that the dataset likely contained personal information of several high-profile individuals from various sectors, including politics, fashion, and film.

The exposure of their data significantly increases the risk of targeted attacks, identity theft, and other social engineering attacks.

Understanding Criminals’ Use of Data & AI: Safeguarding Against Scams with ScamGPT

Cybercriminals can take advantage of attributes such as names, email addresses, financial information, or transaction history using AI technologies to enhance their malicious activities. Here are some potential risks:

  • Automated Phishing Campaigns: AI can analyze the exposed data to craft highly personalized and convincing phishing emails, increasing the likelihood of recipients falling for scams.
  • Identity Fraud: Tools can quickly sift through large data sets to compile comprehensive profiles of individuals, making it easier for cybercriminals to impersonate victims and commit fraud.
  • Social Engineering Attacks: As previously mentioned, with the vast amount of compromised personal information, cybercriminals can craft highly sophisticated social engineering attacks. These attacks deceive individuals into divulging even more sensitive data or taking actions that compromise their security. By leveraging detailed personal profiles, attackers can tailor their tactics to exploit specific vulnerabilities, making their schemes more convincing and harder to detect.
  • Credential Stuffing: Automated tools can replay exposed username and password pairs against many other websites, gaining unauthorized access to any account where the victim reused the same credentials.

Below is an example of a scam automatically generated using AI and dummy data that simulates the information shared by “Sp1d3r.”

At Constella, we’ve identified a significant rise in the use of these techniques, leading to more sophisticated, credible, and effective attacks. These AI-driven scams leverage detailed personal profiles to craft convincing narratives, making them harder to detect and more likely to succeed.

To help combat this threat, Constella recently announced its new ScamGPT solution, which processes a target’s surface of attack using trained generative AI algorithms to generate hyper-targeted “scams,” which can then be used to help train individuals on this emerging, real-world threat.

Recommendations

Considering the recent Neiman Marcus data breach and the growing use of AI technologies by cybercriminals, victims should take precautions such as the below to help avoid further attacks:

  • Be Wary of Phishing Attempts: Be cautious of unsolicited emails, messages, or phone calls asking for personal information. Verify the authenticity of the source before responding.
  • Enable Multi-Factor Authentication (MFA): Add an extra layer of security to your accounts by enabling MFA. This helps protect your accounts even if your password is compromised.
  • Regularly Monitor Your Accounts: Keep an eye on your bank statements, credit card bills, and other financial accounts for any suspicious activity and report any unauthorized transactions.
  • Protect Gift Cards: Given that some gift card information was compromised, it is crucial to take proactive steps. If you have Neiman Marcus gift cards, monitor their balances regularly and report any unauthorized transactions to the issuer immediately. This will help protect your funds and ensure any suspicious activity is addressed quickly.

Constella launches ScamGPT: Combatting Hyper-Targeted AI Scams using Generative AI

Warren Buffett’s prediction that AI scams are set to become the next major “growth industry” serves as yet another indicator of the transformative shift AI is bringing to cybercrime.

The days of easily identifiable phishing scams, typified by poorly worded emails or typo errors, are long gone. Today, AI can mass-produce hyper-personalized scams that include personal information and are crafted with a level of sophistication that makes them indistinguishable from genuine communications.

The Rise of Hyper-Targeted Scam Attacks

Generative AI enables criminals to automatically scrutinize an individual’s profile, pinpoint specific vulnerable details, and craft highly targeted scams. These attacks, promoted by dark web services such as FraudGPT and WormGPT, meticulously incorporate aspects of the victim’s work, relationships, hobbies, and family life, using actual names, websites, bank account details, and more. The specificity and relevance of these scams make them appear incredibly legitimate, which often lowers the victim’s guard and increases the effectiveness of the fraud.

Imagine receiving an email that appears to be from the bank branch in your town, referencing specific recent transactions and using your and your spouse’s full name. This scenario, once the hallmark of a well-crafted phishing attempt, is now commonplace due to AI’s ability to synthesize detailed information and craft convincing narratives. Each piece of compromised information is a vulnerability exploited by these scams, eroding traditional defenses and necessitating innovative countermeasures.

ScamGPT: Simulating Fraudster’s AI Scams

There is an urgent need to develop robust human defenses capable of detecting and mitigating AI-driven scams effectively to combat these evolving threats. Educational initiatives must highlight the potential consequences of compromised information and the new ways criminals can exploit it to orchestrate seamless scam narratives.

Constella’s all-new ScamGPT solution generates AI scams like fraudsters do to educate and build human defenses so users are trained to detect real scam attacks when they come in the future.

Automatic Profiling of the Victim: Surface of Attack

Powered by the world’s largest data lake comprising over one trillion identity assets, paired with the company’s proprietary AI profiling engine, ScamGPT gathers information about the victim using ID Resolution.

Generative AI Scams

Now that the system knows the victim in depth (emails, services used, locations, skills, relationships), Constella’s trained ScamGPT generative AI model generates scams that include real and very specific information to lower the victim’s defenses.

In the following example, ScamGPT uses the information gathered to identify that the target’s bank is Wells Fargo, and so automatically generates a Wells Fargo email with appropriate branding, and information pertinent to the target, including the bank number, spouse name, and address for the nearby branch office.

In another example, it identifies the model of the target’s car and even the VIN number to create the following email:

In another startling and scary example, ScamGPT impersonates a LinkedIn data identification representative, utilizing genuine user information and harnessing the full conversational capabilities of Generative AI to respond to the user’s inquiries.

The example simulates a scam attempt from an AI-generated female agent using compromised data to win the user’s trust.

Conclusion

As AI continues to evolve, so too will its application in both legitimate and criminal activities. The escalation of AI-driven scams underscores the imperative of building robust user and employee defenses. This can only be done through awareness and training that create a human firewall, one able to recognize attacks such as a fraudulent voice call, where no software can protect users and employees.

By understanding the capabilities and risks associated with AI in cybercrime, organizations and individuals can better prepare themselves to navigate this complex and rapidly evolving digital landscape.

Analysis of Recent Data Breach Surge in South Korea

Cybersecurity Experts Warn of Data Breach Surge

In recent weeks, South Korea has experienced a data breach surge that has heightened concerns among cybersecurity experts. Notably, this increase in cyber incidents aligns with South Korea’s prominent role in a significant cybersecurity debate at the United Nations Security Council (UNSC) in June. This situation underscores the intricate link between geopolitical events and cyberattacks, where major decisions or announcements can often trigger data breaches.

Context and Background

The United Nations Security Council is tasked with maintaining international peace and security, wielding powers such as peacekeeping, imposing sanctions, and authorizing military action. The presidency of the UNSC rotates monthly among its members. In June, South Korea, during its presidency, organized a high-level debate on cybersecurity to bolster the UNSC’s efforts in addressing cyber threats. This focus on cybersecurity has intensified due to the rise in cyber threats during the COVID-19 pandemic and the broader adoption of digital technologies.

Detailed Breach Information

The recent exposures have revealed various types of sensitive information, each posing unique risks:

Personal Information:

  • Names
  • Usernames
  • Emails
  • Passwords & Corporate Data

Contact Details:

  • Birthdates
  • Phone numbers
  • Addresses

Data Breach Surge Attack Vectors


With the data found and mentioned in the previous section, different types of attacks can be carried out, depending on the type of exposed data:

  • Phishing and Spear Phishing Attacks: Names, usernames, and emails can be used to craft targeted phishing emails. These emails deceive recipients into revealing more personal information, such as login credentials or financial details.
  • Account Takeover: Exposed passwords, especially if reused across multiple sites, allow attackers to gain direct access to personal and corporate accounts. This can lead to unauthorized transactions, data theft, and further compromises.
  • Social Engineering: Birthdates, phone numbers, and addresses provide attackers with the information needed to impersonate individuals or organizations, tricking targets into divulging sensitive information or performing actions that compromise security.
  • Corporate Espionage: Company affiliation data can be used to identify key personnel and exploit organizational weaknesses. This can result in the theft of proprietary information, disruption of operations, or targeted attacks against specific companies.
  • Network Attacks: IP addresses expose networks to unauthorized access and monitoring. Attackers can use this information to launch Distributed Denial of Service (DDoS) attacks, spread malware, or conduct further breaches.

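The account takeover and credential stuffing scenarios described above (and in the Neiman Marcus section) leave a recognizable trace in authentication logs: one source address cycling through many distinct usernames in a short burst, with a low success rate, and the occasional success marking an account whose reused password was in a prior breach. The following is an added example for defenders, not Constella’s code; the log format, field order, window and thresholds are assumptions for illustration, and the log lines are constructed sample data.

```python
"""Credential-stuffing / account-takeover detection over authentication logs.

Added example (not Constella's code). The log format (timestamp, result,
username, source IP), the window and the thresholds are assumptions for
illustration; adapt them to your own authentication logs.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines: ISO timestamp, result, username, source IP.
# One address tries seven accounts in a few seconds and succeeds once.
SAMPLE_LOG = """\
2024-06-10T09:00:01Z FAIL alice 203.0.113.7
2024-06-10T09:00:02Z FAIL bob 203.0.113.7
2024-06-10T09:00:02Z FAIL carol 203.0.113.7
2024-06-10T09:00:03Z FAIL dave 203.0.113.7
2024-06-10T09:00:04Z FAIL erin 203.0.113.7
2024-06-10T09:00:05Z OK frank 203.0.113.7
2024-06-10T09:00:06Z FAIL grace 203.0.113.7
2024-06-10T09:05:00Z FAIL alice 198.51.100.20
2024-06-10T09:05:30Z OK alice 198.51.100.20
2024-06-10T09:10:00Z OK bob 192.0.2.44
"""

WINDOW = timedelta(minutes=10)   # assumed sliding window
MIN_DISTINCT_USERS = 5           # assumed threshold: distinct accounts tried per IP
MAX_SUCCESS_RATIO = 0.3          # assumed threshold: stuffing runs mostly fail


def parse_log(text):
    """Parse lines into (timestamp, result, user, ip) tuples; skip malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, result, user, ip = parts
        try:
            when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        except ValueError:
            continue
        events.append((when, result, user, ip))
    return events


def detect_stuffing(events, window=WINDOW, min_users=MIN_DISTINCT_USERS,
                    max_success_ratio=MAX_SUCCESS_RATIO):
    """Return {ip: {"users": n, "success_ratio": r, "compromised": [...]}} for
    source IPs that try many distinct accounts within `window` and rarely
    succeed, the signature of automated credential stuffing."""
    by_ip = defaultdict(list)
    for ev in sorted(events):          # chronological order per source IP
        by_ip[ev[3]].append(ev)

    findings = {}
    for ip, evs in by_ip.items():
        # Start a window at each event and look for a burst that trips the thresholds.
        for i, (start, _, _, _) in enumerate(evs):
            burst = [e for e in evs[i:] if e[0] - start <= window]
            users = {e[2] for e in burst}
            if len(users) < min_users:
                continue
            successes = [e for e in burst if e[1] == "OK"]
            ratio = len(successes) / len(burst)
            if ratio <= max_success_ratio:
                findings[ip] = {
                    "users": len(users),
                    "success_ratio": round(ratio, 2),
                    # Accounts that succeeded inside the burst: likely reused
                    # passwords from a prior breach, so treat as takeover candidates.
                    "compromised": sorted({e[2] for e in successes}),
                }
                break
    return findings


if __name__ == "__main__":
    for ip, info in detect_stuffing(parse_log(SAMPLE_LOG)).items():
        print(ip, info)
```

In the sample data only 203.0.113.7 is flagged (seven distinct usernames, one success), and `frank` is reported as the account to force a password reset and session revocation on; the user who mistypes a password once and then logs in, and the ordinary single login, stay below the thresholds. A single-user-per-IP threshold would miss distributed stuffing from many proxies, so in practice the same logic is also run keyed on username-failure counts and on ASN rather than on individual addresses.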
Tips to Protect Your Personal and Sensitive Information

  1. Enable Multi-Factor Authentication (MFA): Adding an extra layer of security for your accounts can help protect against unauthorized access, even if your password is compromised.
  2. Use Secure Networks: Avoid using public Wi-Fi to access or transmit sensitive information. Instead, use a secured network or a virtual private network (VPN) to enhance online privacy.
  3. Remove Unused Accounts: Regularly review and delete accounts for services you no longer use. Ensuring that your information is not stored unnecessarily reduces the risk of it being exposed in a breach.

By implementing these measures, individuals can significantly reduce their risk of falling victim to data breaches and better protect their sensitive information from cyber threats.