Close
  • Latest News
  • Artificial Intelligence
  • Video
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
Read Down
Sign in
Close
Welcome!Log into your account
Forgot your password?
Read Down
Password recovery
Recover your password
Close
Search
Logo
Subscribe
Logo
  • Latest News
  • Artificial Intelligence
  • Video
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
More
    Subscribe
    Home Cybersecurity
    • Cybersecurity

    Zomato, DocuSign Breaches Reveal Common Security Risks

    Written by

    Sean Michael Kerner
    Published May 19, 2017
    Share
    Facebook
    Twitter
    Linkedin

      eWEEK content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More.

      The past week has been particularly busy in the cyber-security world and not just because of the WannaCry ransomware worm outbreak. A pair of other, non-ransomware related breaches impacting electronic signature vendor DocuSign and restaurant rating app Zomato highlight ongoing security risks.

      On May 15, DocuSign publicly confirmed that its’ systems had been breached, helping to fuel a widespread phishing campaign against users.

      “A complete forensic analysis has confirmed that only email addresses were accessed; no names, physical addresses, passwords, social security numbers, credit card data or other information was accessed,” DocuSign stated. “No content or any customer documents sent through DocuSign’s eSignature system was accessed; and DocuSign’s core eSignature service, envelopes and customer documents and data remain secure.”

      DocuSign operates a secure signing services called eSignature, which has not been breached. That said, the attackers did get email addresses from DocuSign and the phishing campaign was sending fraudulent DocuSign branded emails with an embedded link that when clicked deploys malware. DocuSign has not publicly stated at this time how its’ systems were breached and it’s not known how many users may have clicked on one of the phishing emails.

      The Zomato restaurant guide publicly disclosed on May 18 that it was the victim of a data breach and unlike DocuSign, Zomato has revealed how many accounts were stolen. According to Zomato, 17 million user records were stolen in the breach, including email addresses and hashed passwords. Hashing is an approach to encrypting passwords, making it unlikely that the attackers will be able to easily decrypt the passwords.

      Zomato made contact with the hacker that breached its systems and was able to get full details on weaknesses in the Zomato network, which have now been patched. Zomato engineer Gunjan Patidar commented in a blog post that the hacker has been very cooperative. 

      “He/she wanted us to acknowledge security vulnerabilities in our system and work with the ethical hacker community to plug the gaps,” Patidar  wrote. “His/her key request was that we run a healthy bug bounty program for security researchers.”

      Zomato is now planning on launching a bug bounty program with HackerOne. Also of note in the Zomato breach is the fact that the majority of Zomato’s users don’t actually have a username and password to access the service. Rather, 60 percent of Zomato’s users login via OAuth single sign on from identity providers including Google and Facebook. Zomato has however reset passwords and is advising users that if they use the same password on other sites, they should change them.

      Password and Email Risks

      The DocuSign and Zomato breaches are just two more breaches in a long line of security breaches that have happened in recent years that expose users to risk.

      There likely isn’t a single reader of this story that hasn’t had at least one email address tied up in at least one breach that has occurred in recent years. Given the massive scope and regular occurrence of data breaches, which almost always seem to include email addresses, it is seemingly unavoidable to get caught.

      Attackers use email addresses, as demonstrated in the DocuSign breach, to fuel phishing campaigns. Certainly there are other ways that attackers can get your email address, but when an email comes from an alleged source that a user is familiar with, it is somewhat more likely they will click.

      That’s why trusted email authentication approaches like DMARC (Domain Message Authentication Reporting and Conformance) are important, to help limit risk. Unfortunately DMARC adoption is far from universal at the present time, which is why for now user vigilance remains a primary line of defence. Simply put, think twice before clicking on links in email and if a popup window asks for permissions to run a macro, err on the side of caution and don’t allow it.

      Beyond the issue of having validated email lists that hackers use in phishing attacks is the long-standing issue of password re-use. While at this point it doesn’t look likely that either the DocuSign or Zomato attackers got access to passwords, both sites have recommended that users reset their passwords. It’s unfortunately all too common that users re-use the same password on more than one site.

      Reality today is that your email address and likely at least one password you have used at one point or another, is in a breached data dump somewhere. Remain vigilant, be wary of clicking on links on email, use Two-Factor Authentication and don’t re-use passwords. The next data breach is just around the corner, so rather than being fearful, be prepared.

      Sean Michael Kerner
      Sean Michael Kerner
      Sean Michael Kerner is an Internet consultant, strategist, and writer for several leading IT business web sites.

      Get the Free Newsletter!

      Subscribe to Daily Tech Insider for top news, trends & analysis

      Get the Free Newsletter!

      Subscribe to Daily Tech Insider for top news, trends & analysis

      MOST POPULAR ARTICLES

      Artificial Intelligence

      9 Best AI 3D Generators You Need...

      Sam Rinko - June 25, 2024 0
      AI 3D Generators are powerful tools for many different industries. Discover the best AI 3D Generators, and learn which is best for your specific use case.
      Read more
      Cloud

      RingCentral Expands Its Collaboration Platform

      Zeus Kerravala - November 22, 2023 0
      RingCentral adds AI-enabled contact center and hybrid event products to its suite of collaboration services.
      Read more
      Artificial Intelligence

      8 Best AI Data Analytics Software &...

      Aminu Abdullahi - January 18, 2024 0
      Learn the top AI data analytics software to use. Compare AI data analytics solutions & features to make the best choice for your business.
      Read more
      Latest News

      Zeus Kerravala on Networking: Multicloud, 5G, and...

      James Maguire - December 16, 2022 0
      I spoke with Zeus Kerravala, industry analyst at ZK Research, about the rapid changes in enterprise networking, as tech advances and digital transformation prompt...
      Read more
      Video

      Datadog President Amit Agarwal on Trends in...

      James Maguire - November 11, 2022 0
      I spoke with Amit Agarwal, President of Datadog, about infrastructure observability, from current trends to key challenges to the future of this rapidly growing...
      Read more
      Logo

      eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site’s focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

      Facebook
      Linkedin
      RSS
      Twitter
      Youtube

      Advertisers

      Advertise with TechnologyAdvice on eWeek and our other IT-focused platforms.

      Advertise with Us

      Menu

      • About eWeek
      • Subscribe to our Newsletter
      • Latest News

      Our Brands

      • Privacy Policy
      • Terms
      • About
      • Contact
      • Advertise
      • Sitemap
      • California – Do Not Sell My Information

      Property of TechnologyAdvice.
      © 2024 TechnologyAdvice. All Rights Reserved

      Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.