Last month, two high-profile data breaches occurred for different reasons, showing how companies have fallen behind in making sure every attack vector is covered.
Stack Overflow, one of the biggest developer-centric sites in the world, reported last month that it had suffered a data breach on May 11th. With over 250 million users, the site is now in the public eye for the wrong reasons.
The other high-profile case was Canva, an Australian image creation site with over 10 million active users, which reported that the data of around 139 million users had been accessed.
What Happened In Stack Overflow’s Breach
The breach first came to light in a security update published by the site on May 15th, when Mary Ferguson, VP of Engineering at Stack Overflow, released a blog post informing users of the incident. She described it as an ‘attack’ in which malicious parties gained access to Stack Overflow’s production environment.
The production environment is where the live systems that serve end users run: the applications, their frontend and backend components, and the supporting infrastructure. Unauthorized access there matters far more than access to a development or test tier.
A later blog post revealed that the intrusion began on May 5th, when a build containing a bug was pushed to the site’s development tier. The bug allowed the attacker to log in to the development tier and escalate their privileges.
Between May 5th and 11th the attacker mostly explored the environment. On May 11th they reached the production environment and granted themselves privileged access; this was identified and their access was revoked before further damage was done.
Stack Overflow clarified that the data of its Teams, Business and Enterprise products was not compromised. The data that could have been exposed was limited to IP addresses, names or email addresses for a small number of users; 184 public-network users were affected, and they have been notified.
In light of the breach, the team terminated the unauthorized access, conducted an audit, fixed the bug that enabled the intrusion, and hired a third-party forensics firm to look for further issues.
The Story Behind Canva’s Breach
The breach at Australian tech unicorn Canva occurred later in the month, with the attack detected on May 24th. It was carried out by an individual or group who has collected the data of 932 million users from over 40 companies.
Once the breach was detected, Canva locked the site down and the hacker was interrupted mid-attack. The attacker then tweeted about the breach, and Canva scrambled to provide information about it.
The data of 139 million users was exposed: usernames, real names, email addresses, countries and user-supplied details about their location.
Hashed passwords were also taken for users who log in with a username and password. For users who sign in via Google, the OAuth tokens used for login were reported compromised. Partial credit card and payment information was accessed as well, which Canva confirmed could not be used to make payments.
The attacker, known as GnosticPlayers, has now leaked the details of over 1 billion users once the Canva data is counted. In a statement to a prominent hacker news site, they said, “I download everything up to May 17. They detected my breach and closed their database server.”
Canva also described the safeguards that limited the damage. All passwords were hashed, the OAuth tokens for Google login were encrypted with AES-128, and the keys were stored in a separate location from the compromised data.
To help users protect themselves, Canva partnered with 1Password to offer one free year of the service to Canva users, and published a blog post explaining what users can do to defend against follow-on phishing attacks.
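As an added illustration, not Canva’s code or a description of its systems, the following hypothetical Ruby sketch shows what the protections described above look like in practice: a per-user salted, slow password hash (PBKDF2-HMAC-SHA256 here, chosen for illustration since the page does not name the algorithm), OAuth tokens encrypted with AES-128 in GCM mode, and the token key held in a separate object standing in for a key store that lives outside the user database. The account, password and token values are constructed for the demo.

```ruby
require 'openssl'
require 'securerandom'

# Constructed illustration of the protections described above: salted, slow
# password hashes, OAuth tokens encrypted with AES-128, and the token key kept
# apart from the user records.  Hypothetical code, not Canva's.

PBKDF2_ITERATIONS = 100_000 # work factor for the password hash
HASH_LEN = 32               # bytes of derived hash
TOKEN_KEY_LEN = 16          # 128-bit key for AES-128-GCM

# Models a key store that is NOT part of the user database (in production a
# KMS or secrets manager on a separate system).  A dump of the user table
# therefore yields ciphertext without the key needed to open it.
class KeyVault
  attr_reader :token_key

  def initialize
    @token_key = SecureRandom.random_bytes(TOKEN_KEY_LEN)
  end
end

# Per-user random salt: identical passwords produce different hashes, and a
# precomputed table cannot be reused across accounts.
def hash_password(password, salt = SecureRandom.random_bytes(16))
  digest = OpenSSL::PKCS5.pbkdf2_hmac(password, salt, PBKDF2_ITERATIONS,
                                      HASH_LEN, 'sha256')
  { salt: salt, hash: digest }
end

# Byte-wise comparison that does not exit early on the first mismatch.
def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

def verify_password(password, stored)
  candidate = hash_password(password, stored[:salt])[:hash]
  constant_time_equal?(candidate, stored[:hash])
end

# AES-128-GCM gives confidentiality plus an authentication tag, so a tampered
# or wrongly keyed ciphertext is rejected instead of decrypting to garbage.
def encrypt_token(token, key)
  cipher = OpenSSL::Cipher.new('aes-128-gcm').encrypt
  cipher.key = key
  iv = cipher.random_iv # fresh 12-byte nonce for every encryption
  cipher.auth_data = ''
  ciphertext = cipher.update(token) + cipher.final
  { iv: iv, ciphertext: ciphertext, tag: cipher.auth_tag }
end

def decrypt_token(blob, key)
  cipher = OpenSSL::Cipher.new('aes-128-gcm').decrypt
  cipher.key = key
  cipher.iv = blob[:iv]
  cipher.auth_tag = blob[:tag]
  cipher.auth_data = ''
  cipher.update(blob[:ciphertext]) + cipher.final
rescue OpenSSL::Cipher::CipherError
  nil # tag check failed: wrong key or altered ciphertext
end

# What ends up in the user table, i.e. what a database dump would expose.
def build_user_record(email, password, oauth_token, vault)
  pw = hash_password(password)
  tok = encrypt_token(oauth_token, vault.token_key)
  { email: email, pw_salt: pw[:salt], pw_hash: pw[:hash],
    token_iv: tok[:iv], token_ct: tok[:ciphertext], token_tag: tok[:tag] }
end

# Can the plaintext token be recovered from a dumped record with this key?
def token_readable_from_dump?(record, key)
  blob = { iv: record[:token_iv], ciphertext: record[:token_ct],
           tag: record[:token_tag] }
  !decrypt_token(blob, key).nil?
end

if __FILE__ == $0
  # Constructed sample account; the token is a made-up string.
  vault = KeyVault.new
  rec = build_user_record('alice@example.com', 'correct horse battery',
                          'ya29.made-up-token', vault)
  puts "password ok:        #{verify_password('correct horse battery',
                                              salt: rec[:pw_salt], hash: rec[:pw_hash])}"
  puts "token with key:     #{token_readable_from_dump?(rec, vault.token_key)}"
  puts "token without key:  #{token_readable_from_dump?(rec, SecureRandom.random_bytes(16))}"
end
```

The point of the separate `KeyVault` is the one Canva made: a dump of the user table alone yields salted hashes that have to be cracked one account at a time and token ciphertext that cannot be opened without a key that was never in the table.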
Last Word
The way both sites acted after the breaches showed that they were prepared for such attacks. Security measures and industry best practices, such as salting passwords and keeping keys separate from the data they protect, were instrumental in limiting the damage.
In Canva’s case, even though a large amount of user data was lost, the company actively informed affected users and gave them steps to protect themselves from further attacks, which is valuable for anyone not well-versed in cyber-security practices. All in all, these incidents may indicate how future breaches could be handled to limit the damage.