The past week has been particularly busy in the cyber-security world and not just because of the WannaCry ransomware worm outbreak. A pair of other, non-ransomware related breaches impacting electronic signature vendor DocuSign and restaurant rating app Zomato highlight ongoing security risks.
On May 15, DocuSign publicly confirmed that its' systems had been breached, helping to fuel a widespread phishing campaign against users.
"A complete forensic analysis has confirmed that only email addresses were accessed; no names, physical addresses, passwords, social security numbers, credit card data or other information was accessed," DocuSign stated. "No content or any customer documents sent through DocuSign's eSignature system was accessed; and DocuSign’s core eSignature service, envelopes and customer documents and data remain secure."
DocuSign operates a secure signing services called eSignature, which has not been breached. That said, the attackers did get email addresses from DocuSign and the phishing campaign was sending fraudulent DocuSign branded emails with an embedded link that when clicked deploys malware. DocuSign has not publicly stated at this time how its' systems were breached and it's not known how many users may have clicked on one of the phishing emails.
The Zomato restaurant guide publicly disclosed on May 18 that it was the victim of a data breach and unlike DocuSign, Zomato has revealed how many accounts were stolen. According to Zomato, 17 million user records were stolen in the breach, including email addresses and hashed passwords. Hashing is an approach to encrypting passwords, making it unlikely that the attackers will be able to easily decrypt the passwords.
Zomato made contact with the hacker that breached its systems and was able to get full details on weaknesses in the Zomato network, which have now been patched. Zomato engineer Gunjan Patidar commented in a blog post that the hacker has been very cooperative.
"He/she wanted us to acknowledge security vulnerabilities in our system and work with the ethical hacker community to plug the gaps," Patidar wrote. "His/her key request was that we run a healthy bug bounty program for security researchers."
Zomato is now planning on launching a bug bounty program with HackerOne. Also of note in the Zomato breach is the fact that the majority of Zomato's users don't actually have a username and password to access the service. Rather, 60 percent of Zomato's users login via OAuth single sign on from identity providers including Google and Facebook. Zomato has however reset passwords and is advising users that if they use the same password on other sites, they should change them.
Password and Email Risks
The DocuSign and Zomato breaches are just two more breaches in a long line of security breaches that have happened in recent years that expose users to risk.
There likely isn't a single reader of this story that hasn't had at least one email address tied up in at least one breach that has occurred in recent years. Given the massive scope and regular occurrence of data breaches, which almost always seem to include email addresses, it is seemingly unavoidable to get caught.
Attackers use email addresses, as demonstrated in the DocuSign breach, to fuel phishing campaigns. Certainly there are other ways that attackers can get your email address, but when an email comes from an alleged source that a user is familiar with, it is somewhat more likely they will click.
That's why trusted email authentication approaches like DMARC (Domain Message Authentication Reporting and Conformance) are important, to help limit risk. Unfortunately DMARC adoption is far from universal at the present time, which is why for now user vigilance remains a primary line of defence. Simply put, think twice before clicking on links in email and if a popup window asks for permissions to run a macro, err on the side of caution and don't allow it.
Beyond the issue of having validated email lists that hackers use in phishing attacks is the long-standing issue of password re-use. While at this point it doesn't look likely that either the DocuSign or Zomato attackers got access to passwords, both sites have recommended that users reset their passwords. It's unfortunately all too common that users re-use the same password on more than one site.
Reality today is that your email address and likely at least one password you have used at one point or another, is in a breached data dump somewhere. Remain vigilant, be wary of clicking on links on email, use Two-Factor Authentication and don't re-use passwords. The next data breach is just around the corner, so rather than being fearful, be prepared.