Some 5.8 million customer records stolen from Singapore-based hotel company RedDoorz have been found for sale on the dark web after the company was hacked in September.
RedDoorz, formally named Commeasure Pte. Ltd., which offers hotels across Southeast Asia, disclosed the hack Sept. 28. It said at the time only that it was aware that one of its information technology databases suffered a breach and that “no sensitive data pertaining to financial information such as customer credit cards or passwords was compromised to the best of our knowledge.”
The claim from RedDoorz is notable for what it left out. It’s correct that no financial data or unhashed passwords were stolen, but plenty of other information was. According to Bleeping Computer, the database offered for sale on the dark web includes RedDoorz members’ email, bcrypt-hashed passwords, full name, gender, link to profile photo, phone number, secondary phone number, date of birth and occupation.
“The RedDoorz data breach is particularly nasty as the hackers have gained access and stolen the ‘holy grail’ of information — all the essentials to perform some pretty nasty and targeted identity fraud on its customers,” Dan Panesar, director of U.K. and Ireland for security information and event management firm Securonix Inc., told SiliconANGLE. “Furthermore, if customers have used their work address for example to register with the site again this poses threats to any organization from a targeted spear phishing attack to plant malware in an attempt to gain unauthorized access to the employer’s network.”
Chris Clements, vice president of solutions architecture at cybersecurity software company Cerberus Cyber Sentinel Corp., said that the good news is that RedDoorz appears to have used a secure hashing algorithm, bcrypt, to secure user passwords in the stolen database. “Secure hashing algorithms like bcrypt make it much harder for attackers to crack user passwords but they aren’t a silver bullet,” he said. “Although it makes cracking passwords much slower, simple and short passwords can still be cracked relatively quickly.”
The details of how the data was stolen from RedDoorz have never been disclosed, and the hack itself is currently under investigation by both the Singapore Police and Singapore’s Personal Data Protection Commission.
“The attackers have apparently stolen RedDoorz complete database which suggests that the most likely attack methods were insecure configuration or storage of the database, or a web attack such as SQL injection,” Clements added. “Insecure configuration or storage can often happen if developers who aren’t familiar with security best practices inadvertently expose databases, especially in cloud services.”
If it was a case of misconfigured cloud storage, RedDoorz is certainly not the first company to expose its data to all and sundry, since there are reports weekly of such cases. Prestige Software S.L., a Spanish company that specializes in hotel bookings, was reported to have exposed more than 10 million hotel reservations Nov. 9.