At a glance.
- The pitfalls of SAS tokens.
- US software company discloses MOVEit-related breach exposing health data.
- Pizza Hut Australia discloses data breach.
The pitfalls of SAS tokens.
A coordinated vulnerability disclosure issued by Microsoft and cloud security specialists Wiz.io highlights the risks of oversharing of data privileges when it comes to shared access signature (SAS) tokens. The report focuses on a June 2023 data leak stemming from an “overly permissive” SAS token. As Computer Weekly explains, the token was inadvertently shared by an employee who referenced an Azure Blob store in a public GitHub repository while working on an open source artificial intelligence learning model. The Wiz researchers found that the token could be used to access the entire storage account, which amounted to 38TB of data including sensitive employee information.
As the research explains, SAS tokens come with inherent insecurities that allow the user to easily manipulate access levels and expiry times, and the nature of these tokens makes it difficult for administrators to revoke privileges once they’ve been granted. Wiz.io’s Hillai Ben-Sasson and Ronny Greenberg explain, “Due to the lack of security and governance over account SAS tokens, they should be considered as sensitive as the account key itself. Therefore, it is highly recommended to avoid using account SAS for external sharing. Token creation mistakes can easily go unnoticed and expose sensitive data.” While Wiz and Microsoft caught the issue before it was exploited, the researchers published the report in an effort to keep others from making the same mistake. “We are sharing … learnings and best practices … to inform our customers and help them avoid similar incidents in the future,” the report reads.
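To make the report's warning concrete, here is an added example (not code from Wiz.io or Microsoft) of a small Python checker that reads the query parameters of an Azure SAS URL and flags the properties the researchers single out: account-level scope, list and write permissions, an expiry far in the future, and no source-IP restriction. The storage-account name, paths and `sig` values below are constructed placeholders; the parameter names (`ss`, `srt`, `sr`, `sp`, `se`, `sip`, `spr`, `sig`) are the documented Azure Storage SAS query names. The expiry limit of seven days is an assumed local policy, not an Azure default.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlencode, urlsplit

# Azure Storage SAS query-parameter names used below (documented names):
#   ss  services        (b blob, q queue, t table, f file)   -- account SAS only
#   srt resource types  (s service, c container, o object)   -- account SAS only
#   sr  signed resource (b blob, c container, ...)           -- service SAS only
#   sp  permissions     (r read, w write, d delete, l list, c create, a add, u update, p process)
#   se  expiry (ISO 8601 UTC)   sip allowed IP range (optional)   spr protocol   sig signature
WRITE_LIKE_PERMS = set("wdcaup")  # anything that can alter or remove data


def parse_sas(url: str) -> dict[str, str]:
    """Split a SAS URL into its query parameters (first value of each)."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def redact_sig(url: str) -> str:
    """Blank the signature so the URL can be logged without remaining a usable credential."""
    parts = urlsplit(url)
    q = parse_qs(parts.query)
    if "sig" in q:
        q["sig"] = ["REDACTED"]
    return parts._replace(query=urlencode(q, doseq=True)).geturl()


def assess_sas(url: str, now: datetime, max_lifetime: timedelta = timedelta(days=7)) -> list[str]:
    """Return findings that make this token broader than a least-privilege share; [] means nothing flagged.

    `max_lifetime` is an assumed local policy (how long an externally shared token may live)."""
    p = parse_sas(url)
    findings: list[str] = []

    # An account SAS carries 'ss'/'srt' and is scoped to the whole storage account.
    if "ss" in p or "srt" in p:
        findings.append("account SAS: scope is the whole storage account, not one container or blob")
        if "c" in p.get("srt", "") and "l" in p.get("sp", ""):
            findings.append("can enumerate containers and blobs across the account (srt has 'c', sp has 'l')")

    perms = set(p.get("sp", ""))
    if perms & WRITE_LIKE_PERMS:
        granted = "".join(sorted(perms & WRITE_LIKE_PERMS))
        findings.append(f"write-like permissions granted: {granted}")

    se = p.get("se")
    if not se:
        findings.append("no expiry (se) in the token")
    else:
        expiry = datetime.fromisoformat(se.replace("Z", "+00:00"))
        if expiry - now > max_lifetime:
            findings.append(f"expiry {se} is {(expiry - now).days} days out (limit {max_lifetime.days})")

    if "sip" not in p:
        findings.append("no source IP restriction (sip)")
    if p.get("spr") != "https":
        findings.append("token not restricted to HTTPS (spr)")
    return findings


# Fixed "now" so the results are reproducible.
NOW = datetime(2023, 6, 22, tzinfo=timezone.utc)

# Constructed sample URLs: the account name and signatures are placeholders, not real credentials.
OVERLY_PERMISSIVE = (
    "https://exampleacct.blob.core.windows.net/?sv=2021-06-08&ss=bfqt&srt=sco"
    "&sp=rwdlacup&se=2051-10-06T04:35:00Z&spr=https&sig=PLACEHOLDER"
)
LEAST_PRIVILEGE = (
    "https://exampleacct.blob.core.windows.net/models/weights.bin?sv=2021-06-08&sr=b"
    "&sp=r&se=2023-06-23T00:00:00Z&sip=203.0.113.0-203.0.113.255&spr=https&sig=PLACEHOLDER"
)

if __name__ == "__main__":
    for label, url in (("overly permissive", OVERLY_PERMISSIVE), ("least privilege", LEAST_PRIVILEGE)):
        print(f"{label}: {redact_sig(url)}")
        for finding in assess_sas(url, NOW) or ["nothing flagged"]:
            print("  -", finding)
```

A check like this belongs wherever SAS URLs are generated or reviewed (a pre-commit hook, a secret scanner's post-processing, or a periodic review of tokens found in repositories); note that `redact_sig` is there because any log or ticket that reproduces the `sig` parameter is itself a copy of the credential.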
US software company discloses MOVEit breach exposing health data.
The MOVEit-related data breaches keep rolling in. This one centers around Nuance Communications, Inc., a business intelligence software company based in the US state of Massachusetts. According to a notice of data breach Nuance filed with the Attorney General of Texas, hackers took advantage of the bug discovered in the popular MOVEit file transfer app to access Nuance customer data including names, medical information, and health insurance details. Nuance uses MOVEit to exchange files related to clinical documentation services provided to various health systems, and the data breach notice lists upwards of a dozen impacted health systems including Atrium Health, Duke University Health System, Novant Health, and WakeMed. JDSupra reports that Nuance began notifying impacted individuals on September 18.
Pizza Hut Australia discloses data breach.
Pizza Hut's Australian operations have experienced a data breach in which the personal information of almost 200,000 customers was taken by unauthorized parties. ABC News says the incident is being attributed to the Shiny Hunters. Pizza Hut, which says only Australian customers were affected, said in their disclosure, "At this stage, we have confirmed that the data impacted relates to customer record details held on our customer database which includes information such as a customer's name, delivery address and instructions, email address and contact number." No paycard information or government identification data are thought to be at risk.
Darren James, senior product manager at Specops Software, an Outpost24 company, wrote that hashing is not necessarily a panacea. “This is a major concern for registered Australian customers of Pizza Hut. Even though the passwords were hashed, if the hashing algorithm is known or can be guessed then these password hashes can either be brute forced or used against a rainbow table (a precomputed list of hashes and plain text passwords) which can be used to reveal the underlying password," James said. "As these hashes are offline, there is no limit to the number of attempts or time the threat actors have to crack this data; even with readily available hardware, billions of hashes per second can be processed. As we all know, we have many passwords to remember in our digital world and it is common practice for people to re-use passwords across multiple websites for both personal and business use. I would suggest that it is imperative that any Pizza Hut Australia customer change their passwords across all the systems immediately, especially if they know they have used it elsewhere or even a variant of it. Try to create a long, strong passphrase, for example three memorable random words, and ideally use a password manager to keep track of them.”
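James's point that "hashed" is not the same as "safe" turns on two properties of the hash: whether it is salted per user and how slow it is to compute. The added example below (not from Specops or Pizza Hut; nothing is known about the scheme Pizza Hut used) contrasts a bare SHA-256 of the password, where every user with the same password gets the same hash and one precomputed table serves all of them, with a per-user salted PBKDF2-HMAC-SHA256 record, where identical passwords produce different records and each guess costs hundreds of thousands of hash operations. The record format (`pbkdf2_sha256$rounds$salt$key`) is an assumed storage convention for this example.

```python
import hashlib
import hmac
import os

# Iteration count for PBKDF2-HMAC-SHA256; chosen to make each guess expensive.
PBKDF2_ROUNDS = 600_000


def fast_unsalted_hash(password: str) -> str:
    """The weak scheme: one SHA-256 over the password, no salt.

    Two users with the same password get the same hash, so a single precomputed
    (rainbow) table of hash -> password covers every account at once."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def make_record(password: str, rounds: int = PBKDF2_ROUNDS) -> str:
    """The stronger scheme: random 16-byte salt plus a slow key derivation.

    The stored record carries the salt and round count so it can be verified later;
    the format 'pbkdf2_sha256$rounds$salt$key' is an assumed convention for this example."""
    salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return f"pbkdf2_sha256${rounds}${salt.hex()}${key.hex()}"


def verify_record(password: str, record: str) -> bool:
    """Re-derive the key from the stored salt and compare in constant time."""
    scheme, rounds, salt_hex, key_hex = record.split("$")
    if scheme != "pbkdf2_sha256":
        raise ValueError(f"unsupported scheme: {scheme}")
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(key.hex(), key_hex)


def reused_password_visible(scheme, password: str) -> bool:
    """True if hashing the same password for two users yields identical stored values,
    i.e. an offline attacker can see which accounts share a password without cracking any."""
    return scheme(password) == scheme(password)


def hash_rate_ratio(password: str, rounds: int = PBKDF2_ROUNDS) -> int:
    """Approximate how many SHA-256 operations one PBKDF2 derivation costs with this setting.
    Each PBKDF2 round is an HMAC over SHA-256, which itself is two SHA-256 compressions."""
    return 2 * rounds


if __name__ == "__main__":
    pw = "Correct-Horse-Battery"  # constructed sample password
    print("unsalted SHA-256, reuse visible:", reused_password_visible(fast_unsalted_hash, pw))   # True
    print("salted PBKDF2, reuse visible:   ", reused_password_visible(make_record, pw))          # False
    rec = make_record(pw)
    print("verify correct password:", verify_record(pw, rec))
    print("verify wrong password:  ", verify_record(pw + "!", rec))
    print("SHA-256 operations per guess vs. plain hash:", hash_rate_ratio(pw))
```

The `hash_rate_ratio` figure is why the slow scheme matters for James's "billions of hashes per second" point: the attacker's throughput on the salted, iterated records is divided by roughly that factor, and the per-user salt removes the precomputed-table shortcut entirely. Neither change helps a user who reuses the same password elsewhere, which is why the advice to change it everywhere still stands.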
Chris Hauk, consumer privacy champion, Pixel Privacy, also warns against complacency with respect to the possibility that encrypted paycard information may turn out to be accessible to the criminals. “This breach is concerning, due to the inclusion of credit card information, although it is encrypted. Affected customers should immediately monitor their credit card or debit card accounts that were used for purchases from Pizza Hut, and customers should contact their bank or credit card issuer for a new card with a new number. Customers should also stay alert for possible phishing attempts, as bad guys look to glean more information from the breach.”
And, finally, Paul Bischoff, privacy advocate with Comparitech, also advises customers to take precautions with respect to their credit card data. “Although the stolen passwords and credit card info were encrypted, Pizza Hut customers should still take precautions. Change your password, and if you use the same password on any other accounts, change those too. Using the same password on multiple accounts opens the door to credential stuffing attacks, in which attackers attempt to use the same login information stolen from one place in many other places. Keep an eye on your credit card statements, and don't ignore small charges; thieves often charge small amounts to test whether a stolen card is still valid.”