Contributors

Jeremiah Grossman
(WhiteHat Security)

Ofer Shezaf
(Breach Security) [Project Leader]

The Web Hacking Incidents Database
Last update: 17 February 2008

List of Incidents for a Classification

Please note that classifications are a new feature and not all entries in WHID are already classified, so when you get a certain number of entries for a classification, WHID might have more records matching that classification that we did not classify yet. We hope to complete the classification process soon.



List of incidents for which Outcome is Leakage of Information
44 incidents listed
WHID 2005-65: LexisNexis Data Breach
Reported: 17 February 2008
Occurred: 09 March 2005

Classifications:

  • Attack Method: Insufficient Anti-automation
  • Country: USA
  • Outcome: Leakage of Information
  • Vertical: Information Services

The LexisNexis data breach is not new, but we have recently decided to start tracking abuse of insufficient anti-automation measures and are adding historical incidents.

In this incident a group of people opened accounts at data broker LexisNexis and used automated tools to extract a large amount of personal information provided by the service.

As usual in such cases, there is a question of whether the attack was a criminal activity, a violation of the license agreement of the information provider, or plainly legal. In this regard it is interesting to note that the group arrested in the incident was also responsible for the hacking of Paris Hilton's Vodafone account, which was clearly an unlawful act.

Back in 2005 this data breach was one of the first such incidents, generated a lot of media interest, and led to more regulation regarding information aggregators. Interestingly, the excuse given by the company was that there was no security failure in the web site, but that the procedures were lacking. We accepted this story at the time, but today we believe that such automation and scraping attacks are among the most dangerous attacks.

WHID 2008-10: Chinese hacker steals user information on 18 MILLION online shoppers at Auction.co.kr
Reported: 12 February 2008
Occurred: 10 February 2008

Classifications:

  • Attack Method: Cross Site Request Forgery (CSRF)
  • Country: Korea
  • Origin: China
  • Outcome: Downtime
  • Outcome: Leakage of Information
  • Vertical: Retail

A Korean e-commerce site was hacked and a staggering number of records, 18 million, were stolen. In the US this would be front-page news. We don't know if it was front-page news in Korea, but it did not get to the international media.

The attack description is vague but can be best described as session hijacking.

This incident is a great example of the lack of sufficient international coverage at WHID. Help us by sending us non-English incidents! After all, it is not only English speakers who get hacked; rather, it is we, the WHID maintainers, who speak only this language.

WHID 2007-84: Soccer league's online shoppers get kicked by security breach
Reported: 10 February 2008
Occurred: 01 August 2007

Classifications:

  • Attack Method: SQL Injection
  • Country: USA
  • Outcome: Leakage of Information
  • Vertical: Sports

It is already February, and we are still adding 2007 incidents. If you wonder why, it is because organizations such as MLS are only now finding out that they were hacked last year! Sometime between January and August of 2007, names, addresses, credit and debit card data, and passwords of an unknown number of people, including 169 New Hampshire residents, were stolen from the site.

Why New Hampshire? Because the company has to report to the authorities there about the incidents, but only specify the number of individuals from this state affected. Why only New Hampshire? Since regulations and bills requiring disclosures exist in many states, one would expect that the company would have to provide such a testimonial in many states. This incident is another good example of the size of the hidden part of the iceberg.

WHID 2008-09: Hacking Stage 6
Reported: 10 February 2008
Occurred: 09 February 2008

Classifications:

  • Attack Method: Unknown
  • Country: USA
  • Outcome: Leakage of Information
  • Vertical: Entertainment

Sensitive information about people who created an account on the site leaked and was published through IRC.

WHID 2008-08: Hacker steals Davidson Cos. clients' data
Reported: 04 February 2008
Occurred: 04 February 2008

Classifications:

  • Attack Method: Unknown
  • Country: USA
  • Outcome: Leakage of Information
  • Vertical: Finance

A computer hacker broke into the database of D.A. Davidson, a local Montana financial services firm, and stole its entire customer database: 226,000 records including names and social security numbers. The attack method is not known, but it seems very much like a web hack.

WHID 2007-83: More Social Security numbers leaked at Montana State University
Reported: 28 January 2008
Occurred: 07 November 2007

Classifications:

  • Attack Method: Administration Error
  • Country: USA
  • Outcome: Leakage of Information
  • Vertical: Education

Again a Microsoft Excel file was left on a University's web site for anyone to view.

WHID 2008-05: Drive-by Pharming in the Wild
Reported: 28 January 2008
Occurred: 21 January 2008

Classifications:

  • Attack Method: Known Vulnerability
  • Attack Method: Drive by Pharming
  • Attack Method: Cross Site Request Forgery (CSRF)
  • Country: Mexico
  • Location: Client
  • Outcome: Leakage of Information
  • Outcome: Monetary Loss
  • Software: DSL Router
  • Vertical: Finance

Symantec reported an active exploit of CSRF against residential ADSL routers in Mexico (WHID 2008-05). An e-mail with a malicious IMG tag was sent to victims. By accessing the image in the mail, the user initiated a router command to change the DNS entry of a leading Mexican bank, making any subsequent access by a user to the bank go through the attacker's server.

WHID 2008-01: Information stolen from geeks.com
Reported: 08 January 2008
Occurred: 05 January 2008

Classifications:

  • Attack Method: Unknown
  • Country: USA
  • Outcome: Leakage of Information
  • Vertical: Retail

Very detailed records of geeks.com customers were stolen from the site. The records included name, address, telephone number, e-mail address, credit card number, expiration date, and most notoriously, card verification number (CVV).

The interesting part is that the site had a Hacker Safe seal. The seal was revoked twice last year due to vulnerabilities, but restored after they were patched. It seems that this time the hack preceded the scan or the scan missed the vulnerability. So much for application scanning and vulnerability assessment...

And don't take it lightly as a geeks site. Geeks.com is a $150M/year business.

WHID 2007-75: PlusNet blames itself for webmail spamfest
Reported: 01 January 2008
Occurred: 04 May 2007

Classifications:

  • Attack Method: Misconfiguration
  • Country: UK
  • Outcome: Planting of Malware
  • Outcome: Leakage of Information
  • Vertical: Service Providers

Misconfiguration of a webmail system at a British hosting provider led to leakage of the entire user database, including all e-mails. The e-mail addresses were actively used for sending spam. Additionally, the exploit was used to plant malware on some of the customers' web sites.

This incident is unique since PlusNet has published a very interesting and revealing report about the incident that sheds a lot of light on the real-world state of application security. A must read.

WHID 2007-74: Web host breach may have exposed passwords for 6,000 clients
Reported: 01 January 2008
Occurred: 17 September 2007

Classifications:

  • Attack Method: Known Vulnerability
  • Country: USA
  • Outcome: Leakage of Information
  • Software: Cerberus Helpdesk
  • Vertical: Service Providers

A known vulnerability in the helpdesk software used by hosting provider Layered Technologies resulted in leakage of information, including names, addresses, phone numbers and email addresses of up to 6,000 of the company's clients.

WHID 2007-71: Hacker uses Social Security numbers from Ohio court site
Reported: 22 December 2007
Occurred: 22 December 2007

Classifications:

  • Attack Method: Credential/Session Prediction
  • Country: USA
  • Outcome: Monetary Loss
  • Outcome: Leakage of Information
  • Outcome: Identity Theft
  • Vertical: Security & Law Enforcement

The Secret Service has arrested at least 6 people in an investigation that involves information theft at an Ohio court web site, which is actively used for identity theft. At least one known identity theft case resulted in a $40,000 loss to the victim.

The sensitive information was stolen by manipulating predictable identifier parameters. The stolen information belongs to at least 270 people and includes the name, address, age and other information that could be used to obtain credit cards and open bank accounts.

WHID 2007-63: Credit card data theft at Kartenhaus, a Ticketmaster German subsidiary
Reported: 19 December 2007
Occurred: 30 September 2007

Classifications:

  • Attack Method: Unknown
  • Country: Germany
  • Outcome: Leakage of Information
  • Vertical: Retail

An unidentified group stole credit card numbers and billing addresses from the Hamburg, Germany ticket sales office Kartenhaus, a subsidiary of Ticketmaster. Some 66,000 customers who purchased tickets with a credit card from the Kartenhaus.de web site between October 24, 2006 and September 30, 2007 were affected.

WHID 2007-64: Information about Duke's Students and Applicants Stolen
Reported: 19 December 2007
Occurred: 01 December 2007

Classifications:

  • Attack Method: Unknown
  • Country: USA
  • Outcome: Leakage of Information
  • Vertical: Education

The personal data of nearly 1,400 prospective Duke Law School students may have been stolen by a hacker from two separate databases, one including the prospective students' data and another filled with requests for information about the school.

WHID 2007-57: New Zealand's Government Web Sites Attacked And Information Stolen
Reported: 07 November 2007
Occurred: 11 September 2007

Classifications:

  • Attack Method: Unknown
  • Country: New Zealand
  • Outcome: Information Warfare
  • Outcome: Leakage of Information
  • Vertical: Government

An attack on New Zealand government web sites required New Zealand Prime Minister Helen Clark to comment and assure the public that no confidential information was stolen. However, official sources in New Zealand confirm that attacks were carried out by unnamed, but known, foreign governments on New Zealand government web sites and resulted in the theft of information.

WHID 2007-54: Mistake Left Constables Open To ID theft
Reported: 07 November 2007
Occurred: 17 September 2007

Classifications:

  • Attack Method: Unintentional Information Disclosure
  • Country: UK
  • Outcome: Leakage of Information
  • Vertical: Security & Law Enforcement

An Excel spreadsheet containing sensitive information regarding police officers in York, England was published online. The information included Social Security numbers of 46 officers and the home addresses of 74 officers. As a result, the identities of 3 officers were stolen.

While the information was pulled offline after a short period of time, it remained in the cache of several major search engines.

WHID 2007-58: Internet Retailer Publisher Victim of Customer File Hack
Reported: 07 November 2007
Occurred: 18 September 2007

Classifications:

  • Attack Method: Unknown
  • Country: USA
  • Outcome: Leakage of Information
  • Vertical: Media

Vertical Web Media, publisher of Internet Retailer magazine, suffered a security breach and credit card information of readers was stolen. The irony is that Internet Retailer magazine covers the risks of e-commerce.

While the actual technique used is not known, signs are that it was a web hack, as it was done by a distributed network of bots all over the world and the information stolen belonged to customers who paid online.

The information stolen includes names, addresses, e-mail addresses, phone numbers, credit card account numbers and card expiration dates. The number of records stolen is unknown.

WHID 2007-51: 570 Scarborough & Tweed customers' personal information accessed by SQL injection
Reported: 04 November 2007
Occurred: 30 September 2007

Classifications:

  • Attack Method: SQL Injection
  • Country: USA
  • Outcome: Leakage of Information
  • Vertical: Retail

The web servers of Scarborough & Tweed, a company that sells corporate gifts online, were compromised and information about 570 customers may have been accessed using an SQL injection attack. The information includes customers' names, addresses, telephone numbers, account numbers, and credit card numbers.

WHID 2007-50: Art.com says hacker accessed names, credit cards
Reported: 29 October 2007
Occurred: 28 October 2007

Classifications:

  • Attack Method: Unknown
  • Country: Global
  • Outcome: Leakage of Information
  • Vertical: Retail

A hacker gained access to names and encrypted credit card numbers of Art.com. While the reason is not known, since the information is known to belong to online shoppers who made transactions from July to September, we assume it was a web site breach.

WHID 2007-48: MSU investigating hacking incident
Reported: 17 October 2007
Occurred: 09 October 2007

Classifications:

  • Attack Method: Unknown
  • Country: USA
  • Outcome: Leakage of Information
  • Vertical: Education

Information including the birth dates and social security numbers of 1400 students who enrolled online at Montana State University has been stolen by hackers. While no technical explanation is provided, the fact that only students who enrolled online were affected points to a web site breach.

WHID 2007-47: Commerce Bank, a US regional bank, hacked
Reported: 12 October 2007
Occurred: 10 October 2007

Classifications:

  • Attack Method: SQL Injection
  • Country: USA
  • Outcome: Leakage of Information
  • Vertical: Finance

3,000 records were exposed and 20 actually stolen at Commerce Bank, a small bank in Central USA. While the vulnerability exploited is not clear, SQL injection was mentioned. Therefore the record is uncertain and based on further information, it might be withdrawn.

WHID 2007-46: School Web site breached? Personal info of Pembroke workers, volunteers accessible for months
Reported: 11 October 2007
Occurred: 02 October 2007

Classifications:

  • Attack Method: Unintentional Information Disclosure
  • Country: USA
  • Outcome: Leakage of Information
  • Vertical: Education

Personal information on anyone who worked or volunteered for the Pembroke schools in the last four years was accessible via the Internet because of a weakness in the district's computer system. The information, including names, birth dates and Social Security numbers, was available from May until Oct. 2, when school officials learned of the problem.

WHID 2007-35: Data lapse involved 51,000 at a hospital
Reported: 30 July 2007
Occurred: 25 July 2007

Classifications:

  • Attack Method: Insufficient Authentication
  • Country: USA
  • Outcome: Leakage of Information
  • Vertical: Health

In a classic case of lack of proper separation between the production and development sites, an application under production with lack of proper authentication and authorization was installed on a hospital's public web site, enabling anyone to query a database of 51,000 names, addresses and social security numbers.

WHID 2007-34: Fox News leaks secret files
Reported: 25 July 2007
Occurred: 23 July 2007

Classifications:

  • Attack Method: Unintentional Information Disclosure
  • Country: USA
  • Outcome: Leakage of Information
  • Vertical: Media

Fox News left non-public files in a directory accessible to everyone on their web server.

WHID 2007-31: Hackers Make Off With Personal Info On Applicants At UC Davis
Reported: 01 July 2007
Occurred: 15 June 2007

Classifications:

  • Attack Method: Unknown
  • Outcome: Leakage of Information

Somebody snitched names, social security numbers and birth dates of approximately 1500 students at the vet school of UC Davis. Indication is that the web application used by the students was at fault. The school's web site described the incident as a result of "the computer attacker being able to manipulate a university computing application to accept unauthorized commands". A disgruntled cow?

WHID 2007-27: Files From Google On the Streets
Reported: 12 June 2007
Occurred: 30 May 2007

Classifications:

  • Attack Method: Unintentional Information Disclosure
  • Country: USA
  • Outcome: Leakage of Information
  • Vertical: Internet

Google left some files at the wrong place at the wrong time. These files include, surprisingly, database connection strings, including a user name and a password. Hardly news, but this time it is Google.

WHID 2007-23: Office of Nation's Top Spy Inadvertently Reveals Key to Classified National Intel Budget
Reported: 12 June 2007
Occurred: 03 June 2007

Classifications:

  • Attack Method: Unintentional Information Disclosure
  • Country: USA
  • Outcome: Leakage of Information
  • Vertical: Security & Law Enforcement

A spreadsheet left on the web site of the US office of national intelligence includes secret information on the total budget of US intelligence. Interestingly, not all the required information appears in the document, but combined with other pieces of information made available previously, the total number can be calculated.

This is a very interesting example of the sensitivity of partial data or small pieces of information and not just the big secrets.

WHID 2007-24: Hackers access personal info on faculty members at Univ. of Virginia
Reported: 12 June 2007
Occurred: 19 April 2007

Classifications:

  • Attack Method: Unknown
  • Country: USA
  • Outcome: Leakage of Information
  • Vertical: Education

An undisclosed vulnerability in a web application at the University of Virginia allowed hackers to access names, social security numbers and birth dates of faculty members from May 2005 until April of 2007. Approximately 5700 records were stolen in 54 distinct break-ins.

WHID 2007-25: University of Iowa Molecular and Cellular Biology Program Security Incident
Reported: 12 June 2007
Occurred: 19 May 2007

Classifications:

  • Attack Method: Unknown
  • Country: USA
  • Outcome: Leakage of Information
  • Vertical: Education

Approximately 1100 students' and faculty members' personal information records, which include social security numbers, were exposed by a vulnerable web application at the Molecular and Cellular Biology program at the University of Iowa. The report suggests that the application was actually compromised.

WHID 2007-20: Pirate Bay breach leaks database
Reported: 14 May 2007
Occurred: 10 May 2007

Classifications:

  • Attack Method: SQL Injection
  • Country: Sweden
  • Outcome: Leakage of Information
  • Vertical: Internet

Pirate Bay is a BitTorrent information exchange blog site. Hackers used an SQL Injection vulnerability in the web site to steal 1.6 million user names and passwords of the site. At least the passwords were hashed, which means that the hacker would need cracking software and only the lame passwords will be found. This incident highlights the Web authentication problem. Just think how many of those users use the same username and password on many other sites.

WHID 2007-19: Hacker accessed data at University of Missouri
Reported: 09 May 2007
Occurred: 08 May 2007

Classifications:

  • Attack Method: Unintentional Information Disclosure
  • Country: USA
  • Outcome: Leakage of Information
  • Vertical: Education

A report within the help desk system used to track the status of open service calls created a file that was accessible to everyone. A hacker abused the problem to get information regarding 22,000 current and former students.

WHID 2007-17: Big Brother's big bother
Reported: 26 April 2007
Occurred: 23 April 2007

Classifications:

  • Attack Method: Credential/Session Prediction
  • Country: Australia
  • Outcome: Leakage of Information
  • Vertical: Media

The site of "Big Brother", a reality show in Australia, issued duplicate session IDs to different users since the session ID pool was exhausted. Naturally, the 2nd person to get the same session ID got to see all the details of the 1st one!

WHID 2007-16: USDA admits data breach, thousands of social security numbers revealed
Reported: 23 April 2007
Occurred: 23 April 2007

Classifications:

  • Attack Method: Unintentional Information Disclosure
  • Country: USA
  • Outcome: Leakage of Information
  • Vertical: Government

Details about 63,000 loans granted to farmers by the USDA (the US Department of Agriculture) were posted online by mistake.

WHID 2007-13: Hackers hit Georgia Tech and steal personal info
Reported: 02 April 2007
Occurred: 21 February 2007

Classifications:

  • Attack Method: Unknown
  • Country: USA
  • Outcome: Leakage of Information
  • Vertical: Education

The personal information of about 3,000 current and former Georgia Tech employees may have been compromised. The information included names, addresses, Social Security numbers and other sensitive information, including about 400 state purchasing card numbers.

WHID 2007-07: Westerly Hospital data breach affects 2,000
Reported: 29 March 2007
Occurred: 02 March 2007

Classifications:

  • Attack Method: Unintentional Information Disclosure
  • Country: USA
  • Outcome: Leakage of Information
  • Vertical: Health

Personal information about 2,000 patients was mistakenly published on the hospital's web site. The leakage was discovered only when a patient found her information when "Googling" herself.

The information included personal data such as social security numbers, birth dates, address, phone number, insurance numbers and in some cases the reason for the visit.

WHID 2007-06: Hackers swipe seed company's customers' data
Reported: 29 March 2007
Occurred: 18 February 2007

Classifications:

  • Attack Method: Unknown
  • Country: USA
  • Outcome: Identity Theft
  • Outcome: Monetary Loss
  • Outcome: Leakage of Information
  • Vertical: Retail

11,500 credit card numbers have been stolen from the web site of Johnny's Selected Seeds, a small ($13M in revenue per annum) online vendor of seeds in Maine. 20 of these are known to have been abused. As usual, the hack was discovered because of fraudulent use of stolen credit cards rather than by the security measures used to protect the web site.

The direct cost of the breach, informing customers, researching the incident and upgrading the protection of the web site cost the company tens of thousands of dollars.

WHID 2007-09: Former Fruit of the Loom workers' identities compromised
Reported: 29 March 2007
Occurred: 23 February 2007

Classifications:

  • Attack Method: Unknown
  • Country: USA
  • Outcome: Leakage of Information
  • Vertical: Retail

Names and social security numbers of former employees of Fruit of the Loom were available for download from the company's web site.

WHID 2007-04: College glitch avails student information to public
Reported: 27 March 2007
Occurred: 10 March 2007

Classifications:

  • Attack Method: Unintentional Information Disclosure
  • Country: USA
  • Outcome: Leakage of Information
  • Vertical: Education

A student at a community college in Sacramento who was "Googling" himself last month found his name, among 2000 others, in a file accidentally left online by school staff and picked up by the Google crawler.

WHID 2007-01: Credit Card Information stolen from Indiana's Web Site
Reported: 26 March 2007
Occurred: 03 January 2007

Classifications:

  • Attack Method: Unknown
  • Country: USA
  • Outcome: Leakage of Information
  • Vertical: Government

On January 3, a hacker broke into Indiana's government web site and made off with personal information for 71,000 health care aides who obtained certifications from the state, as well as 5,600 credit card numbers from people who had paid the state through the IN.gov web site.

While officials in Indiana tried to write it off as a harmless prank played by a teenager, the U.S. Department of Justice has also been investigating the case, and they believe the same hacker is responsible for attempts on other state government web sites.

WHID 2007-03: UI put staff data on Web
Reported: 26 March 2007
Occurred: 10 March 2007

Classifications:

  • Attack Method: Unintentional Information Disclosure
  • Country: USA
  • Outcome: Leakage of Information
  • Vertical: Education

Personal information for about 2,700 University of Idaho employees was inadvertently posted at the school's Web site for 19 days in February, though officials say it was not easy to access and there's no reason yet to believe it was misused.

WHID 2000-5: Eve.com exposes customers order information
Reported:
Occurred: 13 September 2000

Classifications:

  • Attack Method: Credential/Session Prediction
  • Outcome: Leakage of Information

Other customers' orders could be viewed by changing a sequential number within a URL parameter.

WHID 2000-2: IKEA exposes customer information on catalog site
Reported:
Occurred: 06 September 2000

Classifications:

  • Attack Method: Improper Error Handling
  • Attack Method: Insecure Direct Object Reference
  • Country: ?
  • Outcome: Leakage of Information
  • Vertical: Retail

Error message revealed a database file location, which could be downloaded.

WHID 2003-5: Car shoppers' credit details exposed in bulk
Reported:
Occurred: 25 September 2003

Classifications:

  • Attack Method: Predictable Resource Location
  • Outcome: Leakage of Information

User-submitted information was being stored in a publicly available location. The URL was found in the source code of a publicly available web page.

WHID 2005-3: Misconfiguration issues in paid wireless access and billing applications
Reported:
Occurred: 01 February 2005

Classifications:

  • Attack Method: Directory Indexing
  • Attack Method: Insufficient Authentication
  • Outcome: Leakage of Information

Multiple misconfiguration problems such as browsable directories, physical path disclosure and default or weak passwords.

WHID 2000-3: Gaffe at Amazon leaves email addresses exposed
Reported:
Occurred: 06 September 2000

Classifications:

  • Attack Method: Abuse of Functionality
  • Country: USA
  • Outcome: Leakage of Information

E-mail addresses of other customers were displayed by mistake; no hacking was required.

This work is licensed under the Creative Commons Attribution License. To view a copy of this license, visit http://creativecommons.org/licenses/by/2.5/ or send a letter to Creative Commons, 559 Nathan Abbott Way, Stanford, California 94305, USA.

 
© Copyright 2005, Web Application Security Consortium. All rights reserved.