At a glance.

  • Hacker makes stealing Roblox data look like child’s play.
  • Alibaba questioned for Shanghai National Police data breach.
  • Flight booking site suffers data breach.

Hacker makes stealing Roblox data look like child’s play.

Vice’s Motherboard reports that popular gaming platform Roblox has apparently experienced a data breach. A hacker has published what he claims are internal company documents stolen from a Roblox employee. Roblox stated, “These stolen documents were illegally obtained as part of an extortion scheme that we refused to cooperate with. We acted quickly upon learning of the incident, engaged independent experts to complement our information security team and have tuned our systems to seek to detect and prevent similar attempts.” It’s estimated that Roblox, which lets creators develop their own games and monetize them, is played by half of all the children in the US. Based on images released by the threat actor, the 4GB of stolen documents appear to include data on some of the platform’s most popular games, including email addresses, identification documents, and spreadsheets connected to Roblox creators. PCGamesN adds that Roblox says the hacker used “highly personalized scare tactics” to obtain the documents, indicating a possible employee phishing scheme. If so, this is not the first time that Roblox employees have been targeted, as in 2020 an attacker bribed an employee in order to gain access to user data.

A number of industry experts commented on the incident. Paul Farrington, chief product officer at Glasswall, sees a challenge of risk estimation:

“This latest incident reminds organisations that without a proper understanding of online privacy risks, they can be left defenceless against hackers. Interestingly, according to the Verizon 2022 Data Breach Investigations Report, phishing attacks were behind 20% of data breaches.

“The solution to fending off cyberattacks like this at both an individual and company level is twofold: training and technology. Training will arm employees to be alert to risks and follow best practices. This can be as simple as using strong passwords and multi-factor authentication, not opening links and/or attachments from unfamiliar sources, and using anti-virus software. In the case of Roblox, adversaries successfully used social engineering and phishing to access internal systems and leak documents for extortion leverage. 

“On the technology side, taking a proactive, zero trust (never trust/always verify) approach when it comes to security can not only protect the companies that implement them but their customers as well. Having these measures in place will not only assist with preventing attacks, but it’s also more cost effective and efficient than using employees as an organisation’s first line of defence. By combining training and technology, individual, company, and client data privacy is significantly more achievable for organisations around the globe.”

Neil Jones, director of cybersecurity evangelism at Egnyte, notes that attackers are getting ahead of disclosure, the better to pressure their targets:

“The alleged cyberattack on gaming platform Roblox reminds us that organizations’ IT security programs are only as strong as their weakest links. Here, we see how advanced social engineering and spear-phishing tactics can lead to exfiltration of sensitive documents and ultimately impact a brand’s reputation. Such focused tactics are much more likely to generate exfiltration payments to cyberattackers because organizational insiders logically have easier access to sensitive data than outsiders do. In addition to general cybersecurity awareness training, anti-phishing education and restricting access to company data based on a user’s “Business Need to Know” are powerful deterrents. Finally, this incident reminds us that cyberattackers are increasingly making claims of attacks—even before all of the details have emerged publicly—to proactively generate payouts from organizations. You need to have a plan in place for that inevitability.”

Amit Shaked, CEO of Laminar, sees an important role for situational awareness with respect to data:

“Visibility into where companies’ data resides — and where it goes — is critical, both on internal networks and in the cloud. In today’s multi-vendor, multi-cloud world, this has become more challenging than ever before. Perimeter defenses will fail at some point — as demonstrated by this Roblox social engineering attack that led to internal document leaks and extortion. 

 “Business leaders must assume adversaries will one day break through. To combat this, data security solutions need to be completely integrated with the cloud in order to identify potential risks and understand their data’s journey. Using the dual approach of visibility and protection, data security teams can know for certain which data stores are valuable targets and ensure proper controls, which allows for quicker discovery of any data leakage.” 

Jeannie Warner, director of product marketing at Exabeam, warns that phishing remains a common method of attack:

“Many network attack vectors start with a link to a phishing URL. A carefully crafted email containing the malicious link is sent to an unsuspecting employee. As soon as it’s clicked, malware is loaded and the cycle of information loss and damage begins. Any company that houses sensitive data should aim to nip this problem early on by identifying and alerting these malicious links.

“There are many public and commercial data providers that offer block- or allow-listing services, or databases for potential phishing domain/URL lookup. However, like any signature-based approach, newly-crafted phishing domains and URLs cannot always be identified this way. New machine learning approaches can flag a suspicious phishing URL previously unknown to malicious list data providers and should be considered by frequently targeted industries, like gaming. Gaming platforms should also have security information and event management (SIEM) with user and entity behavior analytics (UEBA) solutions in place on their networks to ingest all alerts and events, create baseline activity to detect anomalous behavior, and prioritize incident response to help.”

And Arti Raman, CEO and Founder of Titaniam, points out that the attackers’ approach in this case was entirely traditional:

“In this recent extortion attack on Roblox, traditional phishing tactics were used to access company systems and leak internal documents. While cybersecurity training for employees and perimeter defenses can help prevent successful social engineering attacks, to truly minimize the risk of potential extortion and minimize the theft of sensitive documents, a data security platform, specifically data-in-use encryption, also referred to as encryption-in-use, is recommended.

“In the last eighteen months, companies have been misled into believing that investing in backup and recovery solutions is the answer to their ransomware woes. Attack and extortion data are proving this to be false over 68% of the time. If companies want to stand up to data-related extortion then data-in-use encryption is the technology of choice for unmatched immunity. Should adversaries gain access to data, by any means, data-in-use encryption keeps the sensitive data encrypted and protected even when it is being actively utilized. This helps neutralize all possible data-related leverage and limits the need for breach disclosure.”

Alibaba questioned for Shanghai National Police data breach.

As we previously noted, in late June a hacker attempted to sell a database containing the info on a staggering one billion Chinese residents he claimed to have stolen from the Shanghai National Police. Researchers concluded that the database was hosted on a cloud platform run by Alibaba Group Holding, and the Wall Street Journal reports that Shanghai authorities have asked to speak with members of the multinational e-commerce company’s cloud division as part of the ongoing investigation into the alleged breach. Experts say the hacker was able to access the database because a dashboard had been left unprotected on the internet for over a year. The cause of the breach has not yet been determined, but cybersecurity experts say the tech used to store the data on Alibaba’s cloud was outdated by several years and was lacking basic security features, an issue connected to over a dozen other databases hosted by the company.  

Flight booking site suffers data breach.

Cleartrip, a popular Indian flight booking platform, has disclosed a data breach that exposed customer and vendor data. It’s unclear how many users were compromised, but Cleartrip told the Record by Recorded Future that a third-party forensic team has been enlisted and an investigation is underway. According to a company spokesperson, “The investigation so far has indicated that limited information like name, email id and phone number are suspected to have been impacted.” Customers were sent a notification email yesterday stating that a “security anomaly” gave hackers “unauthorized access to a part of Cleartrip’s internal systems.” Though Cleartrip has not stated when the breach occurred, the hacker has posted images of the stolen files on a private forum, and file names indicate some of the data was collected as recently as May of this year.