Data gap of Apps or services: how they affect users

The number of records with personal information of users exposed as a result of security breaches increased during the pandemic. Applications such as Zoom or Nintendo were some of those that were at the center of these attacks that led to data breaches during the course of the year. ESET, a leading company in proactive threat detection, analyzed the risks that these information leaks imply on the security of users, according to Francisco D’Agostino.


The information disclosed between one breach and another may vary, from contact, identification, biometric or employment data, such as email addresses, government identifiers, passwords, or financial information, among others. Not all records have the same value and in some cases they do not seem to have a significant monetary value, but a strategic one.


In the cases of the Zoom and Nintendo leaks, cybercriminals used phishing or brute force techniques, such as password spraying and credential stuffing, to obtain account access credentials. Through the first, they sent emails impersonating the identities of the applications, informing some kind of excuse for the user to enter their credentials on a fake site. For the second, they automatically used credentials made up of weak passwords and credentials already released in old attacks and that users had apparently reused to access other apps or services. Altogether, these incidents resulted in obtaining more than 100,000 accesses in each case, causing fraudulent purchases and improper access to services.


“Many are unaware of the consequences of personal data such as names, age or email addresses being exposed on the internet because they do not know how attackers use this information to carry out their malicious activity. The lack of awareness that often exists about the importance of taking care of personal data and good security practices, such as creating secure passwords, installing security solutions on each device or updating systems, has a direct impact on the number of data breaches that occur today and also in the number of attacks or security incidents suffered by users. ”, says Martina López, IT Security Researcher at ESET Latin America.


What can an attacker do with an email address?


An attacker can use this information as part of his phishing campaign that reaches our inbox, better known as phishing. These attacks seek to steal access credentials or financial data or also download malware. Depending on the objective of the campaign, they could contain malicious files or links to web pages where they carry out the theft of information, this time directly from the user. Likewise, with email accounts they can face extortion campaigns in which the attackers often use social engineering and present the victim with some personal or private information to request a sum of money to avoid the disclosure of the information.


What can an attacker do with a password or financial data?


Obtaining passwords and financial data can cause fraudulent activities within or outside of the application involved. In the case of financial data, these can be used to make purchases on behalf of the owner or to sell them on the black market. In the case of passwords, in addition to being marketed, they can be used to access the service or application for malicious purposes, as well as to try to access other services by testing whether the user reused the same combination or with few variations in another account.


A study carried out in 2018 revealed that around half of users reuse their passwords with little or no modification across various sites, the most affected being online shopping sites or mail services. On the other hand, the worst passwords of 2020 are very similar to the lists of previous years, thus confirming the analyzes on the use of passwords that maintain that users continue to use weak criteria, such as numerical combinations such as 123456. These decisions can lead to automated logins on sensitive sites at the time of an information breach, or in a future attack.


“In addition to the importance that the companies behind the services and applications take the necessary measures to protect user data and thus avoid being compromised after exploiting a vulnerability, users have their share of responsibility and it is important that they know how to minimize the risks in the event that your data is affected and how to act in the event that this happens.

It is important to stay alert and know the recommendations to protect themselves from the impact that a data breach could have on the accounts. ”, concludes López, Researcher at ESET Latin America.


To learn more about computer security, go to the ESET news portal: