Photo: Vladimir Ivanovo (VŽ).
The programmers who posted data from the car-sharing service CityBee in an online forum say the company's security measures were poor and that it had made everything it had public.
A member of the RaidForums online forum, nicknamed “000,” posted information from CityBee on Monday about customers who signed up before February 2018.
“First of all, I want to apologize if you or someone you know has been affected by this incident. At first, I didn’t understand that CityBee is such a big company,” he writes.
“So the security of CityBee is worrying. We have already seen other companies hacked in the same way, whether they are open S3 cubes or Azure Blobs, the point is that companies have not learned,” add the programmers.
He also made his contacts public after posting. He was contacted by the BNS news agency through the Telegram application.
“It just came to our attention then. If I had spent more time on it, I probably would have been able to get the latest information as well,” says the person who posted the CityBee customer data.
According to him, CityBee’s data protection is extremely poor, as almost anyone who discovers the security vulnerability and has some knowledge of IT could access it.
“CityBee used the Azure Blob data warehouse service provided by Microsoft. Microsoft allows these repositories to be secured with additional authentication, but CityBee has chosen not to do so for some reason,” he said.
“Researchers and programmers use so-called DNS records, which are like a phone book that branches out to other domains associated with the main domain. I searched the Citybee CNAME type DNS records to find an interface to the Azure repository,” says “000”.
In other words, the copy of the database was publicly available; all that was required was to guess the name of the folder it was stored in.
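A defender-side check for the misconfiguration described above, as an added example that is not part of the original article or CityBee's code: it audits a storage inventory for containers that allow anonymous access and flags those holding database backups. The inventory is constructed sample data, and its shape (merged `az storage account list` and `az storage container list` output with a `blobs` list per container) and the backup suffix list are assumptions.

```python
import json

# Constructed inventory, shaped like merged `az storage account list` and
# `az storage container list` output; every name below is made up.
INVENTORY = json.loads("""[
 {"name": "examplecorpprod", "allowBlobPublicAccess": true, "containers": [
   {"name": "backups", "properties": {"publicAccess": "container"},
    "blobs": ["db-full.bak", "readme.txt"]},
   {"name": "assets", "properties": {"publicAccess": "blob"},
    "blobs": ["logo.png"]},
   {"name": "internal", "properties": {"publicAccess": null},
    "blobs": ["users.sql"]}]},
 {"name": "examplecorpdev", "allowBlobPublicAccess": false, "containers": [
   {"name": "dumps", "properties": {"publicAccess": "container"},
    "blobs": ["dev.bacpac"]}]}
]""")

BACKUP_SUFFIXES = (".bak", ".bacpac", ".sql", ".sql.gz", ".dump")


def audit(inventory):
    """Return sorted (severity, account, container, reason) findings."""
    findings = []
    for account in inventory:
        # Assumption: a missing account flag is treated as "allowed",
        # the conservative reading for an audit.
        allowed = account.get("allowBlobPublicAccess") is not False
        for container in account.get("containers", []):
            level = (container.get("properties") or {}).get("publicAccess")
            level = (level or "none").lower()
            if level == "none":
                continue  # requires authentication, nothing to report
            where = (account["name"], container["name"])
            if not allowed:
                # The account-level setting overrides the container ACL.
                findings.append(("low", *where, "stale public ACL, blocked at account level"))
                continue
            dumps = [b for b in container.get("blobs", [])
                     if b.lower().endswith(BACKUP_SUFFIXES)]
            if dumps:
                findings.append(("high", *where, f"anonymous read of backup files: {', '.join(dumps)}"))
            elif level == "container":
                findings.append(("medium", *where, "anonymous listing and read"))
            else:
                findings.append(("medium", *where, "anonymous read by blob URL"))
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit(INVENTORY):
        print(*finding, sep=" | ")
```

Setting the account-level flag to disallow public blob access removes the exposure regardless of individual container ACLs, which is why the second account is reported only as low severity.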
Discovered by accident
He adds that he found CityBee by chance and is more interested in data from US companies. The hacker who posted the CityBee data says he didn’t expect the story to resonate.
“At first I thought it was just another data breach that would get me a couple of credits. However, in the morning I saw the issue “explode”, I watched the news in Lithuania and saw the damage,” he says.
It is said that “000” worked together with other forum participants – “Goofy TaeTae” and “ISUPK”.
110,000 people
The three-year-old CityBee user data was published online Monday night. The company says the data of about 110,000 customers has been leaked.
The data published by the hackers includes customers' email addresses, phone numbers, personal codes and encrypted passwords.
The Lithuanian Criminal Police Office launched an investigation into the theft of data.
Illegal interception and use of electronic data is punishable by a fine or imprisonment of up to four years.
CityBee chief Kristijonas Kaikaris said at a press conference Tuesday that programmers did not steal consumer payment data because the company does not collect or store this data.
CityBee encourages its customers who have registered in the company system before February 22, 2018 to change their passwords in both the CityBee system and other systems if the same or similar password has been used.
CityBee operates in Lithuania, Latvia, Estonia and Poland. The car fleet managed by the company consists of more than 2,000 vehicles, and the company has more than 750,000 registered customers.