"They all involve customer information that can be used for spamming/phishing campaigns, and in Gawker's case the password hashes make it easy for attackers to compromise other online accounts," says Chris Wysopal, CTO of Veracode. "All of this will at least be a nuisance to the customers of these organizations, and in some cases it may result in further compromises. These types of data breaches don't typically hurt the companies breached, but cause collateral damage to their customers."
Wysopal says it's always a risk to enter your name, email address, and password into another website. "You are raising the risk that you will be attacked back with this data," he says.
All three attacks, although different, underscored the fallout for the victim customers whose email addresses and other information were grabbed by attackers. This information ultimately has been, or will be, used to spam, phish, or socially engineer them for other more lucrative information, security experts say.
McDonald's breach reportedly may be related to a major breach at email marketing provider Silverpop Systems, which reportedly counts McDonald's as a customer and is a subcontractor to Arc Worldwide, also a McDonald's partner. (This is a developing story Dark Reading will continue to follow.)
The fast-food chain has declined to name the database firm associated with its breach.
Gawker was the target of a public, malicious attack this week by a group known as "Gnosis," which appears to have gone after the media blogging company for taunting the 4chan hacker channel and Anonymous. Gnosis published its notes on the hack here, but the bottom line is that it exposed 1.5 million user accounts on Gawker.com, a breach that spread to Twitter as well for those users who used the same credentials for both their Gawker and Twitter accounts.
Gnosis reportedly was trying in part to teach Gawker a security lesson. It also exposed Gawker's source code as well as internal correspondence and other confidential information.
"Gawker was using DES, an old encryption standard, and they were using an older, 3-year-old version of Linux. That's embarrassing," says Chris Drake, founder and CEO of FireHost, a secure Web hosting firm that has Kevin Mitnick among its clients.
Drake says Gawker left the door open a while back and had "early warnings" of its vulnerability to attack.
The attackers obtained access to Gawker's MySQL database and, because the passwords were hashed with the DES-based crypt scheme, which uses only the first eight characters of a password, were able to recover the first eight characters of the passwords.
"The data breach compromising 1.5 million accounts at Gawker.com parallels the VA data breach of 2006. Before that breach, companies were complacent about encrypting data stored on laptops and portable hard drives," said Garret Grajek, founder and CTO at SecureAuth, in a statement. "An apology to 1.5 million commenters for the first major cloud data breach is unacceptable."
Some of the problem, of course, was in the types of passwords created by the victims: Out of a sample of around 188,000 passwords studied by Daniel Peck, a research scientist with Barracuda Labs, 3,057 passwords were "12345," 1,055 were "password," and the rest of the list included "12345678," "lifehack," "qwerty," and "abc123."
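The defensive side of the two password points above (DES-crypt truncation and the weak passwords in the Barracuda sample), as an added example that is not code from the article or from any company named in it: it identifies legacy DES-crypt hashes in a user table by format, shows which part of a password such a hash actually checks, rejects blocklisted or short passwords at registration, and transparently rehashes a legacy entry to PBKDF2 when the user next logs in. The user-table layout, the PBKDF2 record format, and the caller-supplied legacy_verify callback are assumptions.

```python
import hashlib
import hmac
import os
import re

# crypt(3) DES output is 13 chars: 2-char salt + 11-char hash, alphabet [./0-9A-Za-z].
DES_CRYPT_RE = re.compile(r"^[./0-9A-Za-z]{13}$")
DES_CRYPT_MAX = 8  # DES crypt silently ignores every byte after the eighth
PBKDF2_ROUNDS = 200_000
# Constructed blocklist seeded with the passwords the Barracuda sample found.
WEAK_PASSWORDS = {"12345", "password", "12345678", "lifehack", "qwerty", "abc123"}

def classify_hash(stored: str) -> str:
    """Label a stored hash by scheme so legacy entries can be found and counted."""
    if DES_CRYPT_RE.match(stored):
        return "des-crypt"
    return "pbkdf2-sha256" if stored.startswith("pbkdf2-sha256$") else "unknown"

def effective_secret(password: str, scheme: str) -> str:
    """The part of a password the scheme actually checks."""
    return password[:DES_CRYPT_MAX] if scheme == "des-crypt" else password

def pbkdf2_hash(password: str, salt: bytes = None) -> str:
    # Assumed record layout: scheme$rounds$salt-hex$derived-key-hex
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return f"pbkdf2-sha256${PBKDF2_ROUNDS}${salt.hex()}${dk.hex()}"

def pbkdf2_verify(password: str, stored: str) -> bool:
    _, rounds, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(dk.hex(), dk_hex)

def check_new_password(password: str) -> list:
    """Reasons to reject a candidate password at registration or reset."""
    problems = ["on blocklist"] if password.lower() in WEAK_PASSWORDS else []
    if len(password) < 12:
        problems.append("shorter than 12 characters")
    return problems

def login_and_upgrade(user_table: dict, user: str, password: str, legacy_verify) -> bool:
    """Verify with the stored scheme; on success, rehash a des-crypt entry to PBKDF2.
    legacy_verify(password, stored) -> bool is caller-supplied (e.g. platform crypt(3))."""
    stored = user_table[user]
    scheme = classify_hash(stored)
    ok = (pbkdf2_verify(password, stored) if scheme == "pbkdf2-sha256"
          else scheme == "des-crypt" and legacy_verify(password, stored))
    if ok and scheme == "des-crypt":
        user_table[user] = pbkdf2_hash(password)  # transparent upgrade at login
    return ok
```

Running a scheme count over a real table with classify_hash tells an operator how many accounts are still exposed to the eight-character limit before any breach forces the question.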
McDonald's and Walgreens, meanwhile, were hit with a more common type of breach that exposed their customers' information, namely email addresses. McDonald's contractor Arc Worldwide, which handles marketing and other promotions for the fast-food giant, alerted McDonald's that some of its customer information associated with some McDonald's websites and promotions had been hacked.
The breach came via the systems of a third-party email database management firm used by Arc: "Arc retained the services of an email database management firm whose computer systems were improperly accessed by a third party," McDonald's said in a statement. "We are also working with Arc and their database management firm to understand how the security was bypassed."
A McDonald's spokesperson declined to provide any details on the breach, but the company says the information accessed was not credit card or financial information, nor Social Security numbers. However, the database containing McDonald's customer emails also included birthday information and phone numbers.
"McDonald's does not collect this type of information on-line or through email. Rather, the limited information includes what was required to confirm the customer's age, methods to contact the customer, and other general preference information," the statement said.
Walgreens contacted its customers as well during the past few days after discovering customer emails had been siphoned from its database. The information exposed was email addresses only, a Walgreens spokesperson said. Some of its customers have received spam messages attempting to lure them to another website and to enter personal information, said the spokesperson, who declined to reveal additional details on the hack. "We are adding some additional steps before a customer's email list can be accessed, as well as monitoring for suspicious activity."
But an underlying problem was the outsourced element of McDonald's customer data. "In McDonald's case, they outsourced the management of their customer data to a service provider who, in turn, outsourced it to another provider. It is unlikely that McDonald's did their security due diligence for the first provider, let alone the second," Veracode's Wysopal says. "It is important that businesses make sure their service providers have at least as good security protections around customer data as they would have and disallow further outsourcing unless the secondary outsourcer is vetted to the same degree."
Despite the seemingly innocuous nature of the customer data pilfered from Gawker, McDonald's, and Walgreens, any of this information can be used to socially engineer more valuable information from the victimized customers.
"Hacking email addresses for targeted lists like Walgreens and McDonald's just continues to happen," FireHost's Drake says. The emails can be sold to spammers, and information such as a customer's birthdate can be used to lure them into trusting that a message is from McDonald's or another reputable source. "Then you know enough about a person to make them think they can trust you" and use a "Happy Birthday" wish to lure them to another link and wage a cross-site request forgery or other attack, he says.