Monday, 19 December 2016

LinkedIn training arm suffers data breach

An online training company owned by LinkedIn (which is itself being acquired by Microsoft) has suffered a security incident in which a user database was accessed by unauthorised parties.

The "cryptographically salted and hashed" passwords of some 55,000 accounts were reportedly accessed in the incident; the company is resetting those passwords.

A further 9.5 million users of the skill-learning site are being warned in an advisory email that other information has been accessed - including contact information and details of viewed courses - although their password data is said not to have been exposed.

In an advisory email, the company is informing those users of the incident:

We recently became aware that an unauthorized third party breached a database that included some of your learning data, such as contact information and courses viewed. We are informing you of this issue out of an abundance of caution.

Please know that we have no evidence that this data included your password. And while we have no evidence that your specific account was accessed or that any data has been made publicly available, we wanted to notify you as a precautionary measure.

If you have questions, we encourage you to contact us through our Support Center.

The team

The wording of the email is a little odd, and makes me wonder whether this was a traditional "hack" or more a case of a security researcher stumbling across a user database on a server that shouldn't have been publicly accessible, or finding a vulnerability that allowed them to access user information.

Disappointingly, I was unable to find any reference to the data breach on the website. I always think breached sites should post an online notice so users can confirm the incident, rather than blindly trust an email received in their inbox.

Cited by Graham Cluley 

300,000 PayAsUGym user details compromised in hack attack

The company, which sells passes for gyms around the UK, acknowledged on Thursday that 300,000 email addresses and passwords of its members had been accessed.

The website said it did not hold financial or credit card details of its users on its servers.

Customers have been advised to change their passwords, and the company has also migrated to new servers.

PayAsUGym alerted its members to the security breach in an email on Friday which said "one of the company's IT servers was accessed by an unauthorised person".

It went on: "Although we do not hold any financial or credit card information, the unauthorised person could have accessed the e-mail address and password of our customers.

"Passwords are encrypted when saved in the database, nevertheless I would encourage you to change your password."

Several customers' email addresses and passwords appear to have been published online.

PayAsUGym said once it was alerted, it "closed down" the breach and contacted the police.

It has also started using new servers after speaking with cybersecurity professionals.

The website uses a "tokenised system" for customer payments which, it says, means card details are stored at the payment gateway - not on its servers.

"This is the highest level of security process for dealing with payments," it said.

PayAsUGym added: "We take the security of customer information very seriously. Unfortunately cyber attacks are becoming more frequent which is why, as a policy, we do not (and will never) hold financial or credit card details and we insist that all passwords are encrypted when stored."

Cited at BBC news