18 million Ixigo user records leaked in major data breach
18 million records from travel bookings site Ixigo and 40 million records from YouTube were breached, as part of a larger data breach affecting 127 million user records across 8 companies, reports ZDNet. A hacker who stole 620 million user records from 16 major websites last year was behind the current breach. In all, the hacker is selling the current data for $14,500 in bitcoin.
Ixigo’s leaked user data included password hashes, full names, IP addresses, usernames, emails, Facebook URLs and, for some users, the passport ID number and names. Ixigo reportedly used the outdated MD5 hashing algorithm to scramble passwords, which is easy to unscramble.
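The reported weakness seen from the defender's side, as an added example that is not from the article or from Ixigo: a login path that still accepts legacy MD5 password records and re-hashes them with salted scrypt on the next successful login. The `md5$` and `scrypt$` record formats, the unsalted legacy scheme, the cost parameters and the sample passwords are assumptions constructed for illustration.

```python
import hashlib
import hmac
import os

# Assumed scrypt cost parameters (not from the article); tune for your hardware.
N, R, P, MAXMEM = 2**14, 8, 1, 64 * 1024 * 1024

def legacy_md5(password: str) -> str:
    """Legacy record, assumed format 'md5$<hex>': unsalted, one fast hash."""
    return "md5$" + hashlib.md5(password.encode()).hexdigest()

def scrypt_hash(password: str, salt: bytes = b"") -> str:
    """Hardened record 'scrypt$<salt hex>$<key hex>': per-user salt, memory-hard KDF."""
    salt = salt or os.urandom(16)
    key = hashlib.scrypt(password.encode(), salt=salt, n=N, r=R, p=P,
                         maxmem=MAXMEM, dklen=32)
    return f"scrypt${salt.hex()}${key.hex()}"

def verify(password: str, stored: str) -> bool:
    """Check a password against either record format in constant time."""
    scheme, _, rest = stored.partition("$")
    if scheme == "md5":
        return hmac.compare_digest(legacy_md5(password), stored)
    if scheme == "scrypt":
        salt = bytes.fromhex(rest.partition("$")[0])
        return hmac.compare_digest(scrypt_hash(password, salt), stored)
    return False  # unknown scheme: fail closed

def login(db: dict, user: str, password: str) -> bool:
    """Verify, then upgrade a legacy MD5 record while the plaintext is in hand."""
    stored = db.get(user)
    if stored is None or not verify(password, stored):
        return False
    if stored.startswith("md5$"):
        db[user] = scrypt_hash(password)
    return True

def demo():
    # Constructed sample users who happen to share one password.
    db = {u: legacy_md5("constructed-pass-1") for u in ("alice", "bob")}
    same_before = db["alice"] == db["bob"]   # unsalted: identical records
    ok = all(login(db, u, "constructed-pass-1") for u in ("alice", "bob"))
    same_after = db["alice"] == db["bob"]    # salted: records now differ
    return same_before, ok, same_after, db

if __name__ == "__main__":
    print(demo()[:3])
```

Accounts that never log in again keep their MD5 record under this scheme, which is why a forced password reset is the usual companion measure.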
Ixigo has, meanwhile, denied the breach and said it does not store any payment, card or financial information of its users. It also does not store user passwords for third-party logins via Google, Facebook, and Truecaller. It said that it is “proactively investigating the alleged security breach” and has taken “pre-emptive security measures and reset user passwords & auth tokens.”
ixigo is proactively investigating the alleged security breach reported by the media. While the claims have not been confirmed, we have taken pre-emptive security measures and reset user passwords & auth tokens. (1/2)
— ixigo (@ixigo) February 16, 2019
Leaked YouTube user data included full name, profile ID, IP address, email, Facebook email and ID, Instagram ID, Google ID and Twitter ID.
The other affected companies included Houzz, Ge.tt, cryptocurrency site Coinmama, and gaming sites Roll20 and Stronghold Kingdoms, among others. Last year, this hacker had stolen 620 million user records from 16 companies and put them up for sale on the dark web for $20,000 in bitcoin.
Census data of 138 million Americans made vulnerable
Personal information of up to 138 million American people was found to be potentially vulnerable after an internal team at the American Census Bureau discovered that the census information of 100 million Americans could be reconstructed from obscured data, albeit with a lot of errors. This was reported by Associated Press.
The vulnerable data included the age, gender, location, ethnicity and race of 138 million people – data which is meant to remain private for 72 years. As of now, only internal hacking teams have discovered such details, and no third party is known to have the data.
- Census data is meant to be scrambled in such a way that it can be released publicly for research, without identifying individuals for 72 years
- In the last Census, which was in 2010, the Census Bureau did so by scrambling similar household information from one city to another
- However, internal officials were able to match 45% of the people in the Census with other public datasets like Facebook, due to errors in the scrambling technique
The Census Bureau said that it will now update its old data protection technique, and replace it with methods better than Google’s or Apple’s. Further, the 2020 Census will be the “safest and best protected ever”, said chief scientist of the Census Bureau John Abowd.
Data breaches in 2019 so far
All of these data breaches and vulnerabilities occurred in January alone:
- A ‘technical issue’ on Amazon led to sellers’ data being exposed to other sellers. It is unknown how many sellers were affected, although Amazon said that it reversed the error within hours.
- Sensitive information such as internal user details, project details, employee names and mail IDs from NASA was exposed through Jira, a web app that companies use for tracking tasks and issues.
- The HIV-positive status of 14,200 people in Singapore, along with identification numbers, contact details and addresses, was leaked online.
- Ring employees in Ukraine and the US were able to access videos and information from Amazon’s Ring security cameras.