This Month in Cyber Security: January 2023

Another month has passed, and we’ve seen some alarming updates to kick off the year. Check out our January roundup for your monthly dose of cyber security updates!

In January, Riot Games were hit by a cyber attack, Mailchimp are in the news once again, a major instant messaging service was fined €5.5 million for a recurring data violation, and security researchers discovered one of the biggest ad frauds the industry has seen. Meanwhile, rising living costs are expected to fuel a tsunami of cyber attacks on UK businesses.

Keep reading to deep dive into our January roundup for your monthly dose of cyber security updates!

Riot Games Hit by Cyber Attack

Video game developer Riot Games hit the headlines after the source code for League of Legends and Teamfight Tactics was stolen in a recent cyber attack.

Riot disclosed the breach as a social engineering attack and revealed that the company has received a ransom email from the attackers, which it has refused to pay.

Riot Games has assured players that an update will be provided after a full investigation, and that no player data or personal information was compromised. The stolen source code may lead to new cheats; however, Riot has promised to deploy the necessary fixes as quickly as possible.

Mailchimp Falls Victim to Cyber Attack

This month, intruders accessed 133 customer accounts after a successful social engineering attack against newsletter and email marketing giant Mailchimp.

On the 11th of January, Mailchimp’s security team detected an unauthorised actor accessing customer-facing tools used for customer support and account administration. The attackers gained access to the 133 Mailchimp customer accounts using employee credentials, although Mailchimp has reassured users that no customer data was compromised beyond these accounts.

This is the second time in recent months that Mailchimp has hit the news: employees previously fell for a phishing scam in August 2022, a breach identical to the one that took place this month.

Ad Scam Affects Over 11 Million Devices

Security researchers have discovered a vast ad fraud operation, known as VASTFLUX, after the detection of unusual web traffic patterns related to a popular mobile app.

Described as one of the biggest ad frauds ever discovered, the attack impacted 11 million phones and spoofed more than 1,700 applications from 120 publishers. At its peak, the ad fraud scheme made 12 billion requests for ads per day, primarily on iOS devices.

The group behind the attack attempted to buy advertising slots within popular apps, then inserted malicious code to ‘stealthily’ stack multiple video ads on top of each other. On affected devices, up to 25 ads were displayed on top of each other, and the attackers received an additional payment for each stacked ad.

Twitter Data Dump

Twitter has been in and out of the news in recent months, and this time the social giant has fallen victim to yet another major data leak. The latest data dump includes user account names, handles, email addresses, and account creation dates. While the data doesn’t include phone numbers, passwords, or addresses, cyber security experts are warning that the leak still poses a risk to exposed account owners, with the potential for social engineering attacks and doxing.

Public figures included in the 63GB database leak include Donald Trump Jr., Sundar Pichai, SpaceX, CBS Media, and the World Health Organisation (WHO). The database was previously listed for sale at $200,000. However, this data is now free and available for anyone to download.

Twitter claims that there is no evidence to suggest the leak was the result of attackers exploiting a bug in its systems; however, this has not been proven.

WhatsApp Fined €5.5 Million

Ireland's Data Protection Commission (DPC) has imposed a €5.5 million fine on WhatsApp following breaches over the last five years.

WhatsApp, an instant messaging service used by 2 billion people every month, was accused of violating data protection laws after failing to explicitly state the legal basis or precise justifications for its data processing. The Meta-owned platform currently intends to appeal the ruling.

In addition to the €5.5 million fine, WhatsApp has been ordered to bring operations into compliance within six months.

Cost of Living to Fuel Tsunami of Attacks

The rising cost of living has already sent shockwaves through businesses worldwide, and UK businesses have felt immense pressure with inflation hitting a 40-year high. The cost-of-living crisis is also expected to fuel a surge in cyber attacks on UK businesses, with experts warning that cutting security budgets will end in disaster.

Naturally, some businesses are looking to cut costs. However, cutting corners on cyber security can be costly, as it is an integral part of operations. This is of particular concern in the United Kingdom, where ongoing industrial disputes have seen workers in various industries take strike action.

Cyber criminals have been quick to exploit individuals and businesses alike, so businesses are advised to spend around 3-4% of their annual revenue on cyber security defences.

Our Thoughts

Companies are still not doing enough to protect themselves from phishing attacks, and the recurrence of Mailchimp’s breaches demonstrates that steps were not taken following the first breach.

Human error is one of the most prominent security threats organisations face; therefore, training your employees and introducing cyber security measures should be a key component of your cyber security strategy. Investing in a team of cyber security professionals is crucial to protecting your business.

Explore TryHackMe business training to offer customised staff training and reduce the risk of human error to your cyber security.