WhatsApp sues Indian Government over new Internet rules

WhatsApp fired a legal salvo against the Indian government to block new regulations that would require messaging apps to trace the “first originator” of messages shared on the platform, thus effectively breaking encryption protections.

A WhatsApp spokesperson said that requiring messaging apps to ‘trace’ chats would break end-to-end encryption and fundamentally undermine people’s right to privacy.

India is WhatsApp’s biggest market by users having 450 million active users.

 
The Facebook-owned messaging service has filed a lawsuit in the Delhi High Court, seeking to bar new internet rules that come into force effective May 26. 
The new rule called the Intermediary Guidelines and Digital Media Ethics Code require significant social media intermediaries — platforms with 5 million registered users in India and above — to remove non-consensual sexually explicit content within 24 hours, and appoint a resident grievance officer for acknowledging and addressing complaints from users and victims.

WhatsApp currently uses end-to-end encryption for its messaging service, which encrypts messages in such a way that no one apart from the sender and receiver are able to read the messages sent between them.

The Indian government has proposed that WhatsApp assign an alphanumeric hash to every message sent through its platform or tag them with the originator’s information to enable traceability without weakening encryption. But both the solutions have been condemned by WhatsApp and cryptographic experts, who say the methods would undermine the platform’s end-to-end encryption.

The company also claims that traceability is not so effective as it’s highly susceptible to abuse, noting that users could be labelled as “originators” simply for sharing an article or a downloaded image that could then be repurposed by other users on the platform in an entirely different circumstance.

In response to WhatsApp’s legal challenge to new digital rules on grounds of violation of user privacy, India’s IT Minister Ravi Shankar Prasad stated that the government of India is committed to ensuring the right of privacy to all its citizens but at the same time, it is also the responsibility of the government to maintain law and order and ensure national security.
It also laid the responsibility on WhatsApp’s doorsteps to find a technical solution that ensures the “Right of Privacy to all its citizens as well as have the means and the information necessary to ensure public order and maintain national security,” whether through encryption or otherwise.

Mercari suffers major data breach

 

E-commerce giant Mercari suffers major data breach

17,085 records related to the transfer of sales proceeds to customer accounts that occurred between August 5, 2014, and January 20, 2014. The exposed data includes bank code, branch code, account number, the account holder (kana) and the transfer amount.

• 7,966 records on business partners of “Mercari” and “Merpay,” including names, date of birth, affiliation, e-mail address, etc. exposed for a few.

•  2,615 records on some employees including those working for a Mercari subsidiary. Names of some employees current as of April 2021, company email address, employee ID, telephone number, date of birth, etc. Details of past employees, some contractors, and employees of external companies who interacted with Mercari

• 217 customer service support cases registered between November 2015 and January 2018. Exposed data includes customer name, address, e-mail address, telephone number, and inquiry content.

• 6 records related to an event that occurred in May 2013.

E-commerce platform Mercari has disclosed a major data breach incident that occurred due to exposure from the Codecov supply-chain attack.

Mercari is a Japanese public company and an online marketplace that has recently expanded its operations to the United States and the United Kingdom.

The Mercari app has been downloaded by more than 100 million users worldwide as of 2017, and the company is the first in Japan to reach unicorn status.

The popular code coverage tool Codecov was a victim of a supply-chain attack that lasted for two months. During this two-month period, the attackers have modified the legitimate Codecov Bash Uploader tool to exfiltrate environment variables (containing sensitive information such as keys, tokens, and credentials) from Codecov customers’ CI/CD environments.

Codecov attackers managed to breach hundreds of customer networks by using the credentials gathered from the tampered Bash Uploader.

Now, the e-commerce giant Mercari has disclosed major impact of the Codecov supply-chain attack on its customer data.

The company has confirmed that tens of thousands of customer records, including financial information, were exposed to external actors due to the Codecov breach.

Based on the investigation conducted, Mercari states that the compromised records include:

Mercari became aware of the impact from the Codecov breach shortly after Codecov’s initial disclosure made in mid-April.

On April 23rd, GitHub also notified Mercari of suspicious activity related to the incident seen on Mercari’s repositories.

When Mercari determined that a malicious third party had acquired and misused their authentication credentials, the company immediately deactivated the compromised credentials and secrets and continued investigating the full impact of the breach.

On April 27, Mercari discovered that some of its customer information and source code had been illicitly accessed by unauthorized external parties.

Mercari has now concluded its investigation and has published the disclosure today.

Those users whose information has been compromised were notified by the company and they also notified relevant authorities, including the Personal Information Protection Commission, Japan, of this data breach.

The company apologised for the inconvenience caused and stated that they will continue to implement further security enhancement measures and investigate this matter while utilizing the knowledge of external security experts, and will promptly report any new information that should be announced.

Bigbasket data leaked

 

20 million BigBasket user records leaked online

Around 20 million BigBasket user records containing personal information and hashed passwords were leaked on a popular hacking forum.

BigBasket is a popular Indian online grocery delivery service by which people can shop online for food and deliver it to their homes.

ShinyHunters, a famous seller of data breaches posted a database for free on a hacker forum that he claims to have stolen from BigBasket.

In November 2020, BigBasket confirmed that they had suffered a data breach after ShinyHunter had previously tried to sell the stolen data in private sales.

Similar to older breaches privately sold by ShinyHunters, the threat actor has now released the whole database for free, which reportedly contains more than 20 million user records.

The database includes BigBasket customer information, including email addresses, SHA1 hashed passwords, addresses, phone numbers, and other assorted information.

The passwords are hashed using the SHA1 algorithm, and forum members have claimed to crack 2 million of the listed passwords already. Another member claims that 700k of the customers used the password ‘password’ for their accounts.

All BigBasket users are highly recommended to immediately change their passwords on BigBasket and at any other sites using the same password.

Air India data leaked

 

Air India data leaked affects 4.5 million customers

Air India disclosed a data breach when the personal information of around 4.5 million of its customers was leaked following the hack of Passenger Service System provider SITA in February 2021.

The Indian national carrier informed passengers in a breach notification that its data processor, SITA, was the victim of a cyberattack in the last week of February. This incident affected around 4,500,000 data subjects in the world.

The breach impacted the data of passengers registered between August 2011 and February 2021.

The data includes details such as name, date of birth, contact information, passport information, ticket information, Star Alliance, and Air India frequent flyer data. However, after investigating the security incident, it was found that no credit card information or password data was accessed during the breach.

As a precaution, Air India urges its passengers to change their credentials to block potential breach attempts and ensure their data security.

Many other air carriers besides Air India informed passengers that some of their data were accessed due to the breach of SITA’s Passenger Service System (PSS), which handles transactions from ticket reservations to boarding.

SITA also confirmed the breach saying that it reached out to affected PSS customers and all related organizations in early March.

DATA LEAKED!!! Domino's India

 

Domino’s India discloses data breach after hackers sell data online

Domino’s India has disclosed a data breach where a threat actor hacked their systems and sold their stolen data on a hacking forum.

In April 2021, a threat actor posted on a hacking forum claiming to be selling 13 TB of stolen data, including details for 18 crores (180 million) orders and 1 million credit cards, from Domino’s India.

The data was put up for sale for approximately 10 BTC, or $380,000 and samples of the database structure for the allegedly stolen data was also shared in the forum.
This month, the same threat actors launched a Tor dark web search engine for the users to enter their phone numbers or email addresses to check if their information is exposed in the database.

However, one should keep in mind that the same threat actor runs this service. So, any data entered by the users could be used for further malicious activity, such as phishing and smishing attacks.

Domino’s India users have tested the search engine and confirmed that their orders and other personal information from their account were included in it.

Finally, after over a month, Domino’s India has disclosed the data breach. Jubilant Networks, the master franchise owner for Domino’s Pizza in India sent a short email to its customers stating that they were hacked on March 24th, 2021.
They said that the threat actor’s claims of having stolen 1 million credit cards are not true as they do not store any financial details of users on their site.
From the database tables and information shared by users who used the search engine, the data include customers’ mobile numbers, names, email addresses, and GPS coordinates.

When combined, hackers can use this information to perform further attacks, such as phishing scams and SMS messaging scams, to steal further sensitive data from those exposed in this breach.

All Domino’s India customers are requested to be cautious about emails and texts pretending to be from Domino’s and not to provide any information, such as credit cards and passwords unless they are specifically accessing the https://www.dominos.co.in/ website.