Identity Fraud in Focus quarterly report
In our roundup of data breaches, security incidents, and scams, we take a closer look at some of the biggest headlines you need to know.
A security incident affecting 35.8 million Comcast customers was reported to Maine's attorney general's office in late 2023. A vulnerability in software from Citrix, whose products are used by many companies, compromised the company's security systems. Xfinity, which is owned by Comcast and uses Citrix software, was affected by the same vulnerability, which allowed hackers to access customer data, including the last four digits of Social Security numbers, birth dates, and secret questions and answers. Comcast quickly released a statement apologizing for the incident and promising to take steps to protect customer data in the future.
In mid-2022, the file transfer software company MOVEit suffered a significant cybersecurity incident. Attackers exploited a vulnerability in MOVEit's software to gain unauthorized access to sensitive files and information, leading to additional data breaches for some companies that used this third-party software.
Since MOVEit was used by U.S. government agencies to ship sensitive data, including Social Security numbers, medical records, and billing information, the FBI issued a cybersecurity advisory in early June.
Officials in several states, including Louisiana, Oregon, Maryland, Colorado, Minnesota, Illinois, and California, urged residents to take steps to protect themselves. This cyberattack also raised concerns about the overall security of critical data transfer systems and prompted organizations to reevaluate their cybersecurity measures.
GoDaddy, a leading web hosting and domain registration company, says it suffered a cyberattack in December 2022 that was likely related to a series of security incidents dating back to 2020.
As part of a recent filing with the Securities and Exchange Commission, GoDaddy revealed that an unauthorized third party installed malware on the company’s shared hosting environment late last year; a statement on the company's website confirmed the incident. As a result, some customer websites were redirected to malicious sites.
In the SEC filing, the company goes on to say that this recent attack is only one part of a multi-year security breach committed by a "sophisticated threat actor group." GoDaddy recalled security incidents that happened in March 2020 and November 2021, in which a number of GoDaddy customer accounts were reportedly compromised. For some impacted users, exposed information included email addresses and passwords.
GoDaddy says it has evidence that these incidents are linked, and it is working with law enforcement to continue investigating the root cause and block further hacking attempts.
T-Mobile, one of three major wireless carriers in the U.S., recently announced that a bad actor stole data from approximately 37 million customer accounts.
In a regulatory filing to the U.S. Securities and Exchange Commission, the mobile giant confirmed that the bad actor obtained basic customer information — such as names, billing addresses, emails, and phone numbers. T-Mobile says that passwords, Social Security numbers, and other financial account information were not compromised in the breach, which started on or around November 25, 2022.
T-Mobile is in the process of informing its impacted customers and confirmed that it is committed to strengthening its cybersecurity programs.
PayPal has sent a security notice to account holders that have been affected by a recent cyberattack. The notice states that attackers gained unauthorized access to almost 35,000 PayPal accounts between December 6 and 8, 2022, using a credential stuffing attack.
In credential stuffing, bad actors take usernames and passwords leaked in past data breaches and try them against accounts on other services, counting on people having reused the same password. One way to protect yourself from this type of attack is to set strong and unique passwords for every account you hold.
PayPal says that the attackers potentially gained access to personal customer data, including names, addresses, Social Security numbers, and tax identification numbers, but has seen no evidence of unauthorized transactions.
LastPass, a password manager that secures the login credentials and personal information of millions of people, has experienced its second data breach of 2022.
In an article published in late December, LastPass CEO Karim Toubba recalled a security incident that occurred in August 2022, when an unauthorized party gained access to parts of the LastPass development environment. At that point, LastPass says that the third-party breach showed no evidence that customer data was stolen.
However, three months later, LastPass reported that the same unauthorized party from August used the data they acquired (such as source code and other technical information) to access "certain elements" of customers' information, including account information, billing addresses, email addresses, telephone numbers, and the IP addresses they used to last access LastPass.
LastPass has added enhanced security measures to prevent this from happening in the future and says law enforcement and other regulatory authorities have been notified about this latest incident. Meanwhile, LastPass urges all of its customers to ensure their passwords are strong and steer clear of phishing attacks that may arise as a result of this breach.
A 2021 data breach at Twitter continues to cause problems for the social media platform and some of its users. In August of 2022, Twitter confirmed that it had experienced a data breach that left user details exposed. The data was originally stolen in 2021, when hackers were able to take advantage of a software vulnerability.
The flaw was reportedly fixed in January 2022, but according to some reports, 5.4 million user records — including sensitive details such as phone numbers — were posted for sale on hacker forums in July 2022.
In December 2022, Twitter confirmed that the same batch of user records was leaked once again online. While Twitter claims that no passwords were exposed, it encourages everyone who uses Twitter to enable two-factor authentication to protect their accounts from unauthorized logins.
In the past, Twitter has said it would contact users impacted by the breach.
If your information has been exposed, our resources can help. For guidance on what to do next, see our article on what to do after your data has been breached.
On March 18, HubSpot, a customer relationship management (CRM) platform that offers marketing and sales products, experienced a cyberattack. The company is still investigating the incident, but initial evidence suggests that attackers were targeting HubSpot clients in the cryptocurrency industry.
According to a statement from HubSpot, hackers used a compromised employee account to access and export contact data from nearly 30 HubSpot portals. Cryptocurrency services companies Swan Bitcoin and BlockFi have indicated that they were among the HubSpot clients who were compromised.
Unfortunately, third-party hacks are becoming a thorny problem in many industries. If a third-party company collects your information without your knowledge, and then experiences a security incident involving your data, you may be unaware that your information has been exposed. But, if you're an Allstate Identity Protection member, you have access to comprehensive monitoring features and fast alerts. If you haven’t already, log in to your account today to activate features, such as dark web monitoring. From there, we’ll let you know if we find your information where it doesn’t belong. And if identity theft does occur, we're available 24/7 to help you with recovery.
In March, global identity and access management company Okta announced it had suffered a data breach in January 2022. Hackers gained access to the company's internal network via Sitel Group, a subcontractor providing customer support. The reveal came in response to hackers publicly posting screenshots of Okta’s internal systems. Okta provides software that helps companies secure user authentication for apps, websites, and devices.
Customer service contractor Sitel Group has conducted an investigation of the incident with an external security firm and shared the findings with Okta. Okta released a statement saying the situation has been contained, though as many as 366 of its clients may have had data exposed. Both Sitel Group and Okta have stated there is no longer a security risk. It remains unclear what or how much data was revealed in the hack or which of Okta's more than 15,000 clients may have been affected.
With many data breaches, the scope of the exposure may never be publicly known. Fortunately, if you're an Allstate Identity Protection member, you can rely on features like our Dark Web Monitoring, which alerts you when we detect your sensitive information — like driver’s license numbers and email addresses — where it doesn't belong. Plus, if identity theft occurs, members can rest easy because we're available 24/7 to help you with recovery.
On December 13, global payroll software provider UKG (Ultimate Kronos Group) disclosed a ransomware attack impacting Kronos Private Cloud, which houses a range of applications for tracking employee work hours and attendance, as well as managing payroll.
The attack has caused outages as UKG has been forced to pause some services, leaving clients across a wide range of industries unable to access payroll systems. Some companies who rely on the software are creating backup plans, such as issuing paper checks.
In a statement, UKG said that the company is working with cybersecurity experts to resolve the attack, and that it has notified authorities. However, the company expects outages to continue for at least the next several weeks.
In an FAQ about the security incident, UKG says it is “working diligently to determine whether customer data has been compromised.”
If you’re an Allstate Identity Protection member, know that our Customer Care team is available 24/7 to help with recovery if anything should come up with your identity.
Retailer Neiman Marcus Group recently alerted 4.6M of its customers to a breach that occurred in May 2020. Many customers' online accounts may have been exposed, including contact details, credit card information, gift card numbers, usernames, and passwords.
According to the company's public statement, "approximately 3.1 million payment and virtual gift cards were affected, more than 85% of which are expired or invalid." Neiman Marcus says its subsidiaries Bergdorf Goodman and Horchow have not been affected by the breach.
The company is presently working with law enforcement and a cybersecurity firm to resolve the incident. In the meantime, Neiman Marcus encourages customers to alert their payment card issuer to any unauthorized purchases, request and review a copy of their credit report, and update any of their credentials that may be reused across other sites.
If you're an Allstate Identity Protection member, consider adding important information like your credit card numbers to our dark web monitoring tool. If we find your data where it doesn't belong, we'll alert you as soon as it's detected. If you think you may be a victim, you can rest easy knowing our customer care team is on standby to help you fully resolve any potential identity theft.
On September 13, global tech company Apple introduced an emergency software update to fix a vulnerability impacting 1.65B of the company's products worldwide. Apple's security team quickly developed the fix after being notified by security researchers that a flaw in the company's mobile and desktop products could allow invasive spyware to easily infect users' devices.
The spyware, allegedly developed by a foreign espionage agency, uses a "zero-click" infection method, allowing it to invisibly infect a target's device and gain total access — without the user having to click a suspicious link or fall victim to a phishing attempt.
Apple has urged users to install the latest software updates containing a fix for the vulnerability: iOS 14.8, macOS 11.6, and watchOS 7.6.2.
T-Mobile recently announced a data breach affecting 47M of its current, former, and prospective customers. The records, posted for sale on a dark web forum, included personal data like customer names, dates of birth, Social Security numbers, and driver’s license numbers.
T-Mobile stated that “no phone numbers, account numbers, PINs, passwords, or financial information were compromised” in the leak. The company reported that 850K current customer names, phone numbers, and account PINs may have been exposed.
If your data is involved in a breach, we fully remediate any identity-theft related issues our members might face. For more information on what to do if you believe you were affected by a breach, read our article on What to Do After Your Data Is Breached.
Business and employment networking platform LinkedIn recently experienced a scraping incident that exposed 700M people — 92% of its total users. On June 22, 2021, a hacker advertised a database of LinkedIn user records for sale on the dark web, containing phone numbers, physical addresses, geolocation data, and inferred salaries.
The hacker appears to have exploited the official LinkedIn application programming interface to access and download records. While there are no passwords included in the data, the exposed information could be used to boost phishing attempts, sharpen social engineering attacks, commit identity theft, or even access other sites where users may have accounts.
In a statement, LinkedIn says it is still investigating the incident and, while user data was obtained from its servers and other sources, "no private LinkedIn member data was exposed."
The sensitive personal data of more than 533 million Facebook users was recently posted on a cybercriminal forum. The cache of information was initially leaked back in 2019. Unfortunately, despite the company reportedly resolving the security flaw when it was first discovered, the breached data is still circulating on the dark web. The information initially sold for tens of thousands of dollars, but has continued to spread, selling for lower and lower prices. The most recent share was offered for free.
More than 32 million records were exposed during the breach, including phone numbers, birth dates, and individuals' biographical details. Overall, this ongoing exposure is affecting Facebook users in 106 countries. “Bad actors will certainly use the information for social engineering, scamming, hacking and marketing,” tweeted Alon Gal, of Israeli cybercrime intelligence company Hudson Rock, who flagged the recent release of the Facebook data.
Social engineering is when cybercriminals get access to someone's personal information by gaining their trust. Scammers use details obtained in a breach to convince a target to reveal even more sensitive information that can be used for identity theft and other types of fraud.
It's important to remember that even past breaches could still affect you today. Old data can resurface as it's passed along in dark web cybercriminal networks and could then be used for many types of fraud. Keeping a close eye on your personal information is a critical step you can take to help protect yourself.
According to a recent report by tech market analyst firm Canalys, even though companies are spending more and more to protect themselves — investment in cybersecurity efforts grew 10 percent in 2020 to $53 billion — the amount of sensitive personal data exposed in data breaches continues to climb.
Ransomware attacks have become more targeted, allowing for cybercriminals to gain access to much more data than in the past. In fact, more records were exposed in 2020 than in the previous 15 years combined. Research shows companies are still under-investing in cybersecurity and haven't made security a top priority when adapting their business processes to the pandemic.
“Cybersecurity must be front and center of digital plans, otherwise there will be a mass extinction of organizations, which will threaten the post-COVID-19 economic recovery,” said Canalys Chief Analyst Matthew Ball in a statement. “A lapse in focus on cybersecurity is already having major repercussions, resulting in the escalation of the current data breach crisis and acceleration of ransomware attacks.”
Hackers continue to take advantage of security vulnerabilities putting businesses and ultimately, individuals, at risk.
IT management company SolarWinds recently experienced a cyberattack, leading to data breaches at several federal agencies, including the Department of Energy and the Department of Homeland Security. The hack is under investigation by U.S. officials, and it's suspected that Russian-linked hackers are behind the breach.
SolarWinds has indicated that as many as 18,000 of its customers may have been running software containing the vulnerability that allowed the attack. With a client list comprising more than 300,000 customers globally — including Fortune 500 companies and educational institutions — many other organizations outside of the government sector may have been compromised.
On November 8, 2020, news and entertainment platform Mashable announced they were a victim of a security incident that exposed some users’ data. The organization learned of the breach when a hacker posted a copy of a Mashable database online.
The security incident stemmed from a feature that allowed users to sign in using a social media profile. According to Mashable, the compromised data included users’ names, email addresses, genders, IP addresses, and the month and date of their births.
Canadian eCommerce platform Shopify confirmed an internal breach that occurred between August 15 and September 15, 2020, when two of its employees allegedly stole customer data from nearly 200 merchants.
The two employees were subsequently fired, and Shopify reports it has contacted the FBI. Stolen customer data included names, postal addresses, order details, and the last four digits of customers' payment card numbers, but the company says no other financial data was compromised.
Shopify has not indicated the total number of customer records that were stolen, but stated they have discovered no evidence that the stolen data was ever used. Shortly after the breach was discovered, Shopify notified the merchants affected by the breach.
A security researcher discovered gaming hardware vendor Razer leaked more than 100,000 customers' personal data by leaving a database exposed. The database was not only unprotected, it was also indexed in public search engines.
Razer has acknowledged the leak and says that no passwords or credit card numbers were among the exposed information. However, the database did include customer email addresses, physical addresses, and phone numbers, along with information about the items customers purchased.
Data breaches that do not include passwords or credit card information may seem less alarming, but it's important to take them seriously. Even without access to a credit card number or a password, cybercriminals could use other stolen personal information to increase the precision of targeted phishing attacks or engage in synthetic identity fraud.
Credit reporting agency Experian has experienced another data breach. While Experian has not revealed how many victims were affected, the non-profit South African Banking Risk Information Centre (SABRIC) has indicated that as many as 24 million South African customers and nearly 800,000 businesses have had their data compromised.
Experian claims the exposed records contained data that was already publicly available and did not include consumer credit or financial information. The credit agency noted that the individual responsible for the breach has had their "hardware" confiscated and any stolen information has been secured and deleted.
Several major companies, as well as a number of high profile political and technology figures, like Elon Musk, were recently targeted in a widespread hacking operation that some experts are calling the biggest Twitter hack to date.
The hack appears to be part of a cryptocurrency scam devised to steal money from Twitter users. Cybercriminals hacked into high-profile verified accounts and posted fraudulent messages promising financial gain if users "invest" in Bitcoin by sending it to the scammers' accounts.
Before the scam was detected, the hackers stole more than $100,000 in Bitcoin through hundreds of transactions. Twitter and the FBI are currently investigating the hacking.
It can be difficult to confirm the identity of someone you may be communicating with on social media. Even verified public accounts could be hacked. Stay alert on social media and be careful responding to any requests for money or personal details, even from "official" or verified accounts.
In January 2020, the math learning app Mathway was breached. A cybercriminal stole 25 million Mathway user email addresses and passwords, most of them likely belonging to children. The user records were posted for sale on a dark web marketplace for $4,000 in cryptocurrency and have subsequently appeared on other dark web sites. Mathway acknowledged the breach in a recent statement and promises to notify all impacted users.
With the increase in use of online learning apps and websites, it's important to protect children's personal data which may be more vulnerable to exposure.
On June 23, 2020, Twitter confirmed some business customers had their personal details exposed. An official spokesperson would not confirm the total number of customers involved, but she did state that Twitter notified victims. The personal data compromised includes names, phone numbers, and even the last 4 digits of the credit card on record.
At the time of publishing, nearly 40 million people have filed for unemployment benefits due to the impact of COVID-19 — and many Americans are now learning they’re the victims of unemployment-related identity theft. This places not only victims at risk but their former employers as well. Based on how unemployment benefits are funded, fraudulent claims significantly increase the employer’s unemployment tax.
While fraud is spiking across the nation, some states have been hit harder than others. This is especially true for Washington, where officials have experienced “hundreds of millions of dollars” in unemployment-related losses. By contrast, the Employment Security Department reports that it lost just $1.4 million in the prior month.
See our tips for avoiding COVID-related tax and stimulus fraud.
Cybercriminals are taking full advantage of the COVID-19 pandemic and economic crisis. The Federal Trade Commission reports it received four times as many identity fraud complaints in early April as it received in the previous three months combined. Experian recently discovered a new cache of stolen personal data, exposing 3 million people to potential fraud. And Google reports it intercepted 18 million COVID-19 scam emails in just one week.
With many people losing their jobs and facing precarious financial situations, it's more important than ever to protect your personal information and preserve your access to critical government economic support.
Cybersecurity agency Cyble discovered cybercriminals selling over 500,000 stolen Zoom credentials for very low prices — even giving away some for free — on hacker forums. The stolen information included Zoom user passwords, personal meeting room URLs, and meeting host ID numbers.
Experts believe the hackers gained access to these accounts because they were created with re-used passwords. Password re-use can put your security at risk. It's important to create a new, unique password for each of your online accounts.
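The PayPal incident earlier on this page and the stolen Zoom credentials above rest on the same mechanism: leaked username and password pairs replayed against other services. As an added example (not code from the original article, and not from PayPal, Zoom or any other company named here), the Python below shows what that activity looks like in a login log and how a defender can surface it. The log format, IP addresses, usernames and thresholds are all constructed for illustration.

```python
"""Spot credential-stuffing patterns in authentication logs.

Added example, not code from the original article or from any company it
mentions. The log format, usernames and IP addresses are constructed, and the
thresholds are illustrative starting points rather than anyone's published
guidance.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: 203.0.113.7 tries many different accounts with a low
# success rate (a stuffing run that "hits" one reused password), while two
# ordinary users log in normally, one after mistyping her own password twice.
SAMPLE_LOG = """\
2022-12-06T10:00:01Z ip=198.51.100.20 user=alice result=success
2022-12-06T10:00:05Z ip=203.0.113.7 user=bob result=fail
2022-12-06T10:00:06Z ip=203.0.113.7 user=carol result=fail
2022-12-06T10:00:07Z ip=203.0.113.7 user=dave result=fail
2022-12-06T10:00:08Z ip=203.0.113.7 user=erin result=success
2022-12-06T10:00:09Z ip=203.0.113.7 user=frank result=fail
2022-12-06T10:00:10Z ip=203.0.113.7 user=grace result=fail
2022-12-06T10:00:11Z ip=203.0.113.7 user=heidi result=fail
2022-12-06T10:00:12Z ip=203.0.113.7 user=ivan result=fail
2022-12-06T10:01:30Z ip=198.51.100.21 user=judy result=fail
2022-12-06T10:01:35Z ip=198.51.100.21 user=judy result=fail
2022-12-06T10:01:40Z ip=198.51.100.21 user=judy result=success
"""


def parse_line(line):
    """Turn one '<timestamp> ip=.. user=.. result=..' line into a dict."""
    ts_text, *fields = line.split()
    record = dict(field.split("=", 1) for field in fields)
    record["ts"] = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ")
    return record


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def stuffing_sources(events, min_attempts=5, min_distinct_users=4,
                     max_success_rate=0.25):
    """Per-source signal: many attempts spread over many usernames, mostly failing.

    A real user mistyping a password fails repeatedly on ONE username, so the
    distinct-username count is what separates them from a stuffing run. Each
    flagged source also reports the accounts it logged into successfully; those
    are the accounts whose password was evidently reused from an earlier breach
    and that should be reset and notified.
    """
    per_ip = defaultdict(lambda: {"attempts": 0, "successes": 0,
                                  "users": set(), "hits": set()})
    for e in events:
        stats = per_ip[e["ip"]]
        stats["attempts"] += 1
        stats["users"].add(e["user"])
        if e["result"] == "success":
            stats["successes"] += 1
            stats["hits"].add(e["user"])
    flagged = {}
    for ip, stats in per_ip.items():
        success_rate = stats["successes"] / stats["attempts"]
        if (stats["attempts"] >= min_attempts
                and len(stats["users"]) >= min_distinct_users
                and success_rate <= max_success_rate):
            flagged[ip] = {"attempts": stats["attempts"],
                           "distinct_users": len(stats["users"]),
                           "compromised": sorted(stats["hits"])}
    return flagged


def failure_burst(events, window=timedelta(seconds=60), min_distinct_users=6):
    """Site-wide signal for stuffing spread across many source IPs: the number of
    DISTINCT usernames seeing a failed login inside any sliding window. Per-IP
    thresholds miss a botnet that sends only one or two attempts per address."""
    failures = sorted((e["ts"], e["user"]) for e in events if e["result"] == "fail")
    peak = 0
    for i, (start, _) in enumerate(failures):
        users = {user for ts, user in failures[i:] if ts < start + window}
        peak = max(peak, len(users))
    return {"peak_distinct_users": peak, "flagged": peak >= min_distinct_users}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("stuffing sources:", stuffing_sources(evs))
    print("failure burst:", failure_burst(evs))
```

On the constructed log, the per-source check flags 203.0.113.7 (eight attempts against eight different accounts, one success) and names erin as the account to reset, while judy's three attempts on her own account pass untouched; the window check reports seven distinct accounts failing within a minute, which is the signal that survives when the same run is spread across many addresses. The accounts a stuffing run succeeds against are exactly those whose owners reused a password, which is why the page's advice of a unique password per account removes the attack's payoff.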
The Centers for Disease Control (CDC) and the World Health Organization (WHO) are both warning the public about new phishing attempts. The emails urge recipients to click links promising the latest Coronavirus news and reports. They can appear convincing, with some including the organizations' logos. In reality, the emails are designed to steal a victim’s information, download harmful files onto their computer, or — in some instances — both.
It’s important to remember the CDC and WHO will never email, call, or text you about the Coronavirus or to request a donation.
On February 19, 2020, MGM Resorts confirmed a data breach that exposed 10.6 million guests' personal information. The compromised data, which was reportedly uploaded to a hacker forum the same week, includes guests' first and last names, addresses, phone numbers, and dates of birth. MGM reports that no financial information or passwords were exposed.
Once the breach was discovered — during the summer of 2019 — the company says it began working with two cybersecurity forensic firms to internally investigate, review, and remediate the incident. They then notified guests potentially impacted by the incident and took steps to strengthen their network security.
As of yet, it’s unclear who was behind the MGM Resorts hack.
Back in 2017, Equifax experienced one of the largest data breaches in recorded history. Nearly 150 million Americans had their personal information, like home addresses and Social Security numbers, exposed.
For years, many details of the breach remained unclear, including answers to the most obvious questions: who did it and why? That changed on February 10, 2020, when the Department of Justice indicted four members of the Chinese military for their role in the Equifax hack. The hackers’ efforts appear to be part of China’s well-documented effort to obtain as much information on U.S. citizens and businesses as possible.
On February 11, 2020, China denied playing a role in the Equifax breach.
On January 22, 2019, Microsoft announced a security incident that exposed around 250 million customer service records and support logs. Microsoft says personally identifiable information (PII) was redacted prior to the incident. However, there are a few exceptions — like when data entries contained a non-standard format (e.g. an email address containing spaces).
Still, security experts fear criminals might use victims’ case details from the customer service records and support logs to more successfully perpetrate fraud. For tips on identifying and avoiding Microsoft technical support scams, you can view this article.
On December 14, the personal details of 247 million Facebook users were discovered in a public database. The sensitive data included users’ names, phone numbers, and user IDs — which cybercriminals can decode to reveal a victim’s username and other sensitive profile information.
According to the researchers who discovered the database, the data was accessible for nearly two weeks before Facebook restricted access. They believe it was enough time for hackers to upload its content to at least one dark web forum.
A Facebook spokesperson says the company is actively researching the breach, though the data was likely harvested prior to changes the company made to better protect user information.
This marks the latest in a long line of Facebook incidents involving user data, including the Cambridge Analytica breach, a Facebook API loophole that exposed the personal details of more than 50 million Americans, and the alleged logging of some users’ texts and calls.
Earlier this year, the state of Louisiana was forced to make two emergency declarations due to widespread cyberattacks causing outages that disabled many government agencies and services. Now, there's been a third incident.
Last week, New Orleans' emergency alert Twitter account, "NOLA ready," warned that there had been "suspicious activity" on city networks. The city has activated its Emergency Operations Center and is working with the FBI, Secret Service, and National Guard to investigate. It's unclear how widespread this attack is or which local agencies and services have been affected, but additional tweets from the "NOLA ready" account confirm that emergency services and emergency communications have not been affected.
Ransomware attacks on local governments also continue to occur, with evidence of previous attacks this year in Atlanta, Baltimore, Tallahassee, and other major cities. These ransomware attacks often involve cybercriminals using tools to lock computer networks, affect city services, and demand a ransom from state or local governments.
Earlier this month, a contractor for a major cell phone provider reportedly exposed hundreds of thousands of customers' cell phone bills from multiple cell phone carriers.
Over 261,300 documents, dated as far back as 2015, were held online in cloud storage without password protection, making the contents accessible to anyone online. The bills were stored as part of a promotion to encourage users to switch to a new cell phone service.
The exposed information included account holders’:
Bank statements
Usernames
Passwords
Cell phone account PINs
If you’re an Allstate Identity Protection member, call us anytime you need assistance restoring your identity or if you have questions about fraud, using the number on your account dashboard.
If you're not a member and you need guidance on what to do next if you’ve been affected, read our article on what to do after your data has been breached.
If you're considering one of our services, want more information, or need assistance, please reach out. We’re here to help.