(In) Secure Digest: IS specialist changing team, biometrics theft by aggrieved contractors and electronic signature platform hack

We have compiled a monthly roundup of high-profile IS incidents that were reported in May. The latest issue includes details about vengeful employees and contractors, leaks at the world's largest companies and unpatched vulnerabilities.

I DIDN'T SIGN UP FOR THIS!

What happened: Dropbox Sign e-signature platform fell victim to a cyberattack.

How it happened: unknown attackers compromised a Dropbox Sign service account and used it to gain access to the platform's internal automated system configuration tool.

In this way the hackers managed to steal customer data, including full names, email addresses, passwords (in hashed form), API keys and OAuth authentication tokens.

In response to the incident, the company's experts began mitigating its consequences: they reset users' passwords, notified clients of the leak and terminated all sessions. In addition, API keys and OAuth tokens were rotated.

It should be noted that with such a data set, malicious actors could have gained access to customers' documents. However, Dropbox representatives claimed there was no confirmation of that.

THE BEST DEFENCE IS AN OFFENCE

What happened: an IS specialist blackmailed his former employer with stolen data.

How it happened: from May 2022 to June 2023, Vincent Cannady worked as a pentester for an international IT company, but was fired for poor performance. After the dismissal, Vincent was supposed to return all corporate devices and data, and receive two weeks' salary as compensation.

However, he considered the compensation amount insufficient. So he used his corporate laptop to download confidential corporate information, including lists of potential vulnerabilities, to his personal cloud storage, and later used that data to blackmail his former employer.

Cannady initially demanded a sum equal to five years of his salary, but later the ransom increased to $1.5 million. In his threats, the former pentester stated that if he did not receive the desired amount as compensation for stress, he would divulge the confidential data.

Cannady's former employer didn't pay the ransom and filed a lawsuit against the former employee. The attacker was eventually charged with extortion under the Hobbs Act, which carries a maximum penalty of 20 years of imprisonment.

STRUCK A NERVE

What happened: data on 49 million Dell customers was leaked into the public domain.

How it happened: the world's largest manufacturer of computing equipment confirmed the leak and began sending notifications to the victims. Company officials stated that the portal containing information about customers and their purchases had been hacked.

The leaked data included information about equipment and orders as well as personal details: product descriptions, serial numbers, order dates, support calls, warranty information, names and physical addresses.

Company officials reported they were working with law enforcement and a third-party IS contractor.

Notably, an attacker under the pseudonym Menelik had previously tried to sell a database with similar information on a hacker forum. According to the hacker's claim, he stole data from Dell about purchases made between 2017 and 2024.

Shortly after posting, the publication disappeared from public access. This may indicate that the hacker had found a buyer.

NOT SO GOOD NEWS...

What happened: data on users and employees of two major foreign media outlets leaked.

How it happened: On the 3rd of May, unknown attackers defaced the websites of The Post Millennial and Human Events, large social and political media outlets owned by Human Events Media Group.

A compromising statement, allegedly written on behalf of the editor-in-chief of the portals, was posted on the defaced pages. The hackers also added links to the data stolen from users and media employees. The data set contained the following information: full names, email addresses, passwords, usernames, phone numbers, physical and IP addresses.

The authenticity of the data was not confirmed, but due to its volume (data on approximately 26 million people was leaked), the data set quickly appeared on a hacker forum and in the Have I Been Pwned service.

Representatives of the affected companies haven't commented on the incident.

IF THEY DON'T PAY YOU, STEAL BIOMETRICS

What happened: former contractors stole the data of an unscrupulous employer.

How it happened: in early May, the website Have I Been Outaboxed appeared online. Its creators claimed to be former developers for the IT company Outabox, which hadn't paid them for their work.

In order to draw attention to the problem, the anonymous group stole over 1 million records (including biometrics, driving licence scans, personal signatures, etc.) and created the aforementioned Have I Been Outaboxed. They claimed it wasn't difficult because the company didn't protect the data, keeping it in an ordinary unprotected spreadsheet.

The site existed for a short time and allowed visitors to find out whether their data was in the stolen Outabox database by entering their name on the website. It's worth noting that the database held personal data captured by smart cameras that the company operated, covering people who had visited bars and clubs in New South Wales.

Company representatives said they "are aware of a malicious website carrying a number of false statements designed to harm our business and defame our senior staff". Australian law enforcement was also aware of the site and quickly announced the arrest of a 46-year-old man allegedly behind the leak. He was charged with blackmail, although the site was purely whistleblowing and no ransom demands were published in the public domain.

BETWEEN YOU AND ME ONLY?

What happened: a telemedicine company will pay $7.8 million for the inappropriate transfer of personal data.

How it happened: the US Federal Trade Commission (FTC) conducted an investigation into BetterHelp, an online service that provides telemedicine services: online therapy and psychological counseling. The investigation revealed that the service collected users' data without their consent. The illicitly gathered data set included email addresses, IP addresses and answers to a preliminary medical questionnaire.

This information was shared with Facebook, Snapchat, Criteo and Pinterest for contextual advertising.

A trial was held in this regard; as a result, BetterHelp agreed to pay compensation to the affected parties. The company will soon begin sending out letters to nearly 800,000 users and will pay them $7.8 million in total.

PATCH OF STRIFE

What happened: the Helsinki Department of Education was hacked.

How it happened: an unknown attacker gained access to the education department's network drive after exploiting a vulnerability in a remote access server. Representatives of the local government noted that a patch fixing the vulnerability was available but had not been downloaded.

The compromised drive contained tens of millions of files, including personal data and other sensitive data, such as usernames, email addresses, personal IDs, physical addresses, salaries, children's education information and statuses, social security requests, medical certificates, etc.

Representatives of the local government expressed their concerns regarding the incident and claimed that the required steps to address it had been taken. They also stated that the "data breach affects over 80,000 students and their guardians".
IS tip of the month: don't wait for an unscrupulous contractor or an employee planning a resignation to leak your customers' biometrics! Analyze user activity in real time with the help of a DCAP solution and prevent leaks with DLP. You can request a 30-day free trial of the solutions.


SearchInform is a 100% private company that develops risk management products being one of the industry leaders. More than 4,000 companies across 20+ countries are SearchInform clients. The development team has been creating search technologies for unstructured data since 1995 and started developing information security solutions in 2004. Today, the team has products and services for comprehensive protection against insider threats at all levels of corporate information systems.
