
In this week's news round-up: 6 million Instagram accounts have their data stolen, job-hunting mercenaries' personal information is leaked, the WikiLeaks homepage is compromised, and more.

Hackers Steal Celebrities' Data on Instagram

Last week, hackers were able to steal phone numbers and email addresses belonging to an alleged 6 million Instagram accounts, some of which belong to celebrities. This was due to a bug in the Instagram API; while the bug has since been fixed, it may be too late for some users of the social network.
Hackers have created a website, dubbed ‘Doxagram’, where it is alleged that some Instagram users’ personal information can be searched for in a database. The high-profile Instagram users affected include sports stars, singers and politicians, as well as some ‘ordinary’ accounts.
“Instagram clearly hasn’t yet understood the full impact of this bug,” an individual behind the website told The Daily Beast.
Public figures caught in this data breach include Dan Scavino, the White House director of social media and assistant to the president, football player Cristiano Ronaldo and singers Selena Gomez and Jennifer Lopez.
In a statement, an Instagram spokesperson said: “We recently discovered that one or more individuals obtained unlawful access to a number of high-profile Instagram users’ contact information—specifically email address and phone number—by exploiting a bug in an Instagram API. No account passwords were exposed. We fixed the bug swiftly and are running a thorough investigation.”
“Our main concern is for the safety and security of our community. At this point we believe this effort was targeted at high-profile users so, out of an abundance of caution, we are notifying our verified account holders of this issue,” the statement added. “As always, we encourage people to be vigilant about the security of their account and exercise caution if they encounter any suspicious activity such as unrecognized incoming calls, texts and emails.”
If you are curious to know if any of your accounts have been included in a data breach, visit breach notification site Have I Been Pwned for more information.

Mercenary Resumes Exposed

The resumes of thousands of individuals who applied to work at a US-based private security firm have been leaked following a security lapse by a recruiting firm.
Almost 10,000 resumes were discovered by Chris Vickery, director of cyber risk research at UpGuard, on a public, unlisted Amazon Web Services storage server belonging to recruitment company TalentPen. Until February, TalentPen had been contracted by the mercenary firm TigerSwan to provide services for voluntary resume submission.
The resumes contain personal details of those who had applied to work for TigerSwan as far back as 2008. The documents contain a wide range of personal information, including in some cases the applicants’ home address, phone numbers, email addresses, driver’s license and passport numbers as well as social security numbers.
In a statement released by TigerSwan on Saturday 2nd September, Jim Reese, TigerSwan CEO, said: “We take information security very seriously, especially in this instance, because a majority of the resume files were from veterans. As a Service-Disabled, Veteran-Owned Small Business, we find the potential exposure of their resumes inexcusable. To our colleagues and fellow veterans, we apologize. The situation is rectified and we have initiated steps to inform the individuals affected by this breach.”
Whenever submitting information to a third party, it is always worth questioning the company on their security policies, especially when it concerns your personal information.

WikiLeaks Hack

WikiLeaks, known as the internet’s largest source of leaked data from (mostly) anonymous sources, was hacked last week by OurMine, the same group that hacked the Sony PlayStation Twitter account.
In addition to Sony, OurMine has also hacked the Twitter accounts of HBO and Game of Thrones, and now the hacking group has set its sights on bigger targets.
Visitors to WikiLeaks.org were redirected to a page created by the Saudi Arabia-based hacking group, which claimed that the attack was in response to a hacking challenge from the organisation.

National Infrastructure Failing on Cyber Security Standards

Over a third of national critical infrastructure organisations do not meet basic cyber security standards as set out by the UK government.
This information came to light as a result of Freedom of Information (FOI) requests by Corero Network Security.
Among the organisations to respond to the FOI requests were fire and rescue services, ambulance trusts, NHS trusts, police forces, energy suppliers and transport organisations. Out of 163 responses, 39 per cent had not completed the “10 steps” programme, and only 58 per cent of NHS Trusts had completed the government scheme.
This is despite the government's new proposal to implement the EU’s Network and Information Systems (NIS) directive from May 2018.
Without proper security standards, organisations are at far greater risk of becoming victims of ransomware and DDoS attacks.
If you would like to find out more about the 10 steps Cyber Essentials scheme, get in touch with us today.

UK Law Firms Extremely Vulnerable to Email Fraud

Research by cloud data intelligence firm OnDMARC reveals that only 1 of the UK’s top 100 law firms has sufficient measures in place to protect against basic forms of email fraud. UK law firms alone saw an unprecedented 45 cases of cyber theft in the first quarter of 2017. The threat of phishing attacks increased by 65% in 2016, and as law firms have a duty to replace any lost client funds, OnDMARC warns that the financial implications of future email fraud attacks would be crippling.
Want to find out how at risk your business is from phishing attacks? Find out more about the phishing testing and training Hedgehog Security offers to businesses of all sizes.
If you have any questions relating to how you can better protect your business from cyber attacks, get in touch today to speak with one of the team.