Puma Investigates Data Leak Allegations Involving More Than 2,30,000 Customers - 1

Puma Investigates Data Leak Allegations Involving More Than 2,30,000 Customers

  • Written by Ari Denial Cybersecurity & Tech Writer

A hacker forum allegedly contained the private data of over 230k Puma customers in Chile.

In January 2023, a hacker listed an 84MB dataset allegedly belonging to Puma for sale. According to Cybernews, “the leaked database included customers’ names and contact information, such as emails, telephone numbers, and billing and shipping addresses. It also contained details about their purchases – order numbers, payment methods, total monies paid, shipping costs, and discounts.”

According to the cybercriminals behind the dataset listing, it comes from Puma’s Chilean e-commerce website, but Cybernews was unable to verify this independently as of 3 February 2023.

Threat actors can launch targeted phishing attacks using Puma’s alleged data leak. Using the information found in this dump, they could send texts and emails pretending to be from Puma, and use valid order numbers and names. Additionally, they may be able to use this information in conjunction with partial credit card information that has been leaked previously to make purchases with the victim’s card, said a Cybernews researcher, Aras Nazarovas.

As a result of a ransomware attack on Kronos, one of Puma’s Human Resource management providers, Puma suffered a data breach in 2022. Kronos was breached by ransomware in December 2021, disrupting payroll processing and staff management.

As per Cybernews, Hackers gained access to employees’ personal data, including social security numbers, as a result of the massive attack. In the US, employees were left without salaries for weeks afterward.

Research by Cybernews shows that e-commerce websites are easy targets for cybercriminals, which is why leaks like these happen frequently. Increasingly, threat actors are trying to exploit such sites, so developers should ensure that security measures are implemented.

News Heading - 2

Oyetalk, the Android Voice Chat App With 5M Downloads Leaked Private User Conversations

  • Written by Ari Denial Cybersecurity & Tech Writer

OyeTalk, a popular app for voice chats, left user chats unencrypted and stored them on an unprotected database without a password.

With over five million downloads on the Google Play Store and a 4.1 out of 5-star rating from 21,000 reviews, OyeTalk is a popular voice-chat app. The platform enables users to engage in discussion rooms on diverse topics and host podcasts. The app is promoted on the website as one of the fastest-growing audio talent-hosting applications, which can be downloaded in over 100 countries.

Unprotected access to Firebase, Google’s mobile application development platform that provides cloud-hosted database services, caused data leakage. Over 500MB of data, including unencrypted user chats, usernames, and cell phone International Mobile Equipment (IMEI) numbers, was exposed.

Furthermore, it was reported that sensitive hardcoded data, such as Google API (application programming interface), was present on the client side of the app. This is considered unsafe because it can be easily accessed through reverse engineering.

Before the most recent data leak, the OyeTalk app had already experienced prior security breaches. According to an investigation, an unidentified party previously identified and flagged the app’s database as susceptible to data leaks. This discovery was likely made without malicious intent. The database also had specific fingerprints, referred to as “Proof of Compromise (PoC),” which are typically used to indicate open Firebases.

According to CN, “hardcoding sensitive data into the client side of an Android app is unsafe, as in most cases it can be easily accessed through reverse engineering. In the past, this sloppy security practice has been successfully exploited by threat actors in other apps, resulting in data loss or complete takeover of user data stored on open Firebases or other storage systems.”

Although the app developers were notified of the data leak, they neglected to restrict public access to the database. However, since the extent of the leak was significant, Google’s security measures intervened and terminated the instance. A notification was issued indicating that the dataset was too voluminous to download in a single attempt.