We have previously published reports on several data breaches that exposed personal data. One of those cases involved a MongoDB database containing a large amount of scraped LinkedIn data, which we first identified as open to public access on October 5th.
As of today, the number of records tied to that breach has grown, because more data of the same kind has since appeared online.
In total, we can confirm there are now 66,147,856 unique records exposed in what seems to be different “chapters” of the same huge collection of data which include:
The three-part database was hosted on different IPs, and the MongoDB instance was exposed because it had been deployed without authentication.
We could not identify the owner of the MongoDB-hosted database, since the dataset structure contained no recognizable patterns pointing to a source. The data has, however, now been uploaded to Have I Been Pwned, so you can check whether your profile has been scraped.
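The exposure described above comes down to one server-side setting. The following mongod.conf fragment, added here as an illustration and not taken from the affected deployment, shows the weak configuration beside the corrected one. The file paths and port are placeholders; the keys (`security.authorization`, `net.bindIp`, `net.port`) are the standard MongoDB configuration options.

```yaml
# --- Weak configuration (illustrative, not the affected server's file) ---
# No `security` section: every client that can reach the port can read
# and write every database without credentials.
# Binding to 0.0.0.0 puts the listener on every interface, including the
# public one, so "no authentication" becomes "open to the internet".
net:
  port: 27017
  bindIp: 0.0.0.0
storage:
  dbPath: /var/lib/mongodb   # placeholder path

# --- Corrected configuration ---
# authorization: enabled makes mongod reject any operation from a client
# that has not authenticated as a user with a role granting that operation.
# bindIp limits the listener to loopback (add a private-network address if
# the application tier is on another host); reaching the database from
# outside then requires a VPN, SSH tunnel, or a firewall rule you chose.
security:
  authorization: enabled
net:
  port: 27017
  bindIp: 127.0.0.1
storage:
  dbPath: /var/lib/mongodb   # placeholder path
```

Enabling `authorization` is only effective once at least one administrative user exists; create it through the mongo shell (`db.createUser(...)` on the `admin` database) before restarting with the corrected file, otherwise there is no account to log in with. A quick self-check after the restart is to connect from the host without credentials and confirm that `show dbs` is refused rather than listing collections.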
The data did not contain highly sensitive fields such as credit card details or passwords, but it did contain a lot of private information: an individual's professional background, name, phone number, email address, postal address, and even their IP address.
Read more: https://wp.hacken.io/research/industry-news-and-insights/how-sensitive-is-your-non-sensitive-data
To cut a long story short, scraping data without first obtaining the individual's written consent, or in disregard of a site's Terms of Service, is illegal. It is not quite that simple, though: the answer can vary from case to case depending on how the extracted data will be used. It is also important to consider how the information was obtained, i.e. manually or by using software tools. Since the data displayed on websites is meant for public consumption, copying that information to a file on your personal computer is legal. However, if the information is then used in any way that goes against the interests of its owner, that use is clearly illegal.
Data scraping is an easy way to steal confidential data from web pages that have not taken the necessary steps to ensure sensitive data protection. There are things all of us can do to ensure our private information won’t be stolen by cybercriminals or scammers. Here are some of them:
As soon as the term 'personal data' comes up, the GDPR (General Data Protection Regulation) applies. In force since 25th May 2018, the law provides data protection and privacy for all individuals within the European Union and the European Economic Area, and covers their personal data when it is exported outside these areas. It means that gathering, processing, selling or buying the private information of citizens from those areas is illegal without their prior written consent. The GDPR can also apply to a business operating in the USA if it uses the private information of European Union citizens.
Non-compliance and exposure of GDPR-covered personal data (name, address, phone number, email address, IP address, job title, cookies, etc.) can lead to significant fines of up to 20 million euros.
In conclusion, many aspects of our lives are now connected through the internet including social networks, cloud services, bank accounts, emails, online shops, etc. This means that a lot of your confidential information is potentially at risk. You may consider data such as email addresses, phone numbers or IP addresses to be less important and of lower risk than credit card details but when you think objectively about what your emails contain, the reality is that we often keep all our info in one place.
When you scan through your emails you will often find that they actually contain a lot of sensitive personal data: contacts, tax forms, invoices, photos, password reset messages for every one of your accounts, or even credit card PINs. We are often unaware that a malicious actor can gain access to all of that data, and take advantage of it, just by hacking an email account. Cybercriminals can use that private information to steal your identity and make financial transactions in your name, including taking out loans and opening bank accounts. Access to your calendar, planner or travel itinerary gives them inside knowledge of when your house might be empty, so they can break in or do something even worse.
Don't let the idea that this only happens to celebrities or important CEOs mislead you; the reality is that one in four email accounts gets hacked. With all that said, do you still think that your non-sensitive data is that non-sensitive?