Hackers Breach Security: Unleash Raw Genotype Data and Health Reports

Discover the potential consequences of the recent 23andMe data breach, where hackers stole raw genotype data and health reports. Learn how this information can be misused and steps to protect your privacy.


Have you ever wondered about your ancestry or genetic traits? Genetic testing providers like 23andMe offer this kind of service, but unfortunately, cybersecurity risks are always lurking. Recently, 23andMe confirmed that hackers managed to steal health reports and raw genotype data of customers in a credential stuffing attack that went unnoticed for five months, from April 29 to September 27.

The attackers were able to gain access to customers’ accounts by using credentials stolen in other data breaches or on previously compromised online platforms. What’s even more concerning is that some of the stolen data was posted on the BreachForums hacking forum and the unofficial 23andMe subreddit site. This leaked information includes data for 1 million Ashkenazi Jews and 4.1 million people living in the United Kingdom.
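Credential stuffing leaves a recognizable trace in login records: one source tries many different accounts and mostly fails. The following detection sketch is an added example, not 23andMe's tooling or code from the original article; the log format, addresses, account names and thresholds are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not real data): timestamp, source IP, account, result.
SAMPLE_LOG = """\
2023-05-01T10:00:00 198.51.100.7 u01@example.com FAIL
2023-05-01T10:00:20 198.51.100.7 u02@example.com FAIL
2023-05-01T10:00:41 198.51.100.7 u03@example.com OK
2023-05-01T10:01:02 198.51.100.7 u04@example.com FAIL
2023-05-01T10:01:30 198.51.100.7 u05@example.com FAIL
2023-05-01T10:02:05 198.51.100.7 u06@example.com FAIL
2023-05-01T10:00:10 203.0.113.9 carol@example.com FAIL
2023-05-01T10:00:25 203.0.113.9 carol@example.com FAIL
2023-05-01T10:00:50 203.0.113.9 carol@example.com OK
2023-05-01T10:03:00 192.0.2.44 dave@example.com OK
"""

def parse_log(text):
    """Return a time-sorted list of (timestamp, ip, account, succeeded)."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than guess at their meaning
        ts, ip, account, result = parts
        events.append((datetime.fromisoformat(ts), ip, account.lower(), result == "OK"))
    return sorted(events)

def detect_stuffing(events, window=timedelta(minutes=10),
                    min_accounts=5, max_success_ratio=0.25):
    """Flag IPs that try many distinct accounts within one window and mostly fail.

    Returns {ip: [accounts that logged in successfully from that IP]}, i.e. the
    accounts that need a forced password reset and session revocation.
    """
    recent = defaultdict(deque)        # ip -> attempts inside the sliding window
    successes_by_ip = defaultdict(set)
    flagged = set()
    for ts, ip, account, ok in events:
        q = recent[ip]
        q.append((ts, account, ok))
        if ok:
            successes_by_ip[ip].add(account)
        while ts - q[0][0] > window:   # drop attempts older than the window
            q.popleft()
        accounts = {a for _, a, _ in q}
        ok_count = sum(1 for _, _, s in q if s)
        if len(accounts) >= min_accounts and ok_count / len(q) <= max_success_ratio:
            flagged.add(ip)
    return {ip: sorted(successes_by_ip[ip]) for ip in sorted(flagged)}

if __name__ == "__main__":
    print(detect_stuffing(parse_log(SAMPLE_LOG)))
```

A user who mistypes a password a few times (203.0.113.9 in the sample) is not flagged because only one account is involved. Per-IP windows miss attempts spread thinly across many addresses over months, which is why mandatory two-factor authentication remains the stronger control.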

What information was accessed?

According to 23andMe, the threat actor downloaded or accessed customers’ uninterpreted raw genotype data and may have accessed other sensitive information in their accounts, such as certain health reports derived from the processing of genetic information, including health-predisposition reports, wellness reports, and carrier status reports. If an account contained such information, the threat actor may have also accessed self-reported health condition information and information in the account settings.

For customers who have used 23andMe’s DNA Relatives feature, it is possible that the attackers also scraped their DNA Relatives and Family Tree profile information. This could include ancestry reports, matching DNA segments, self-reported location, ancestor birth locations and family names, profile pictures, birth years, and any other details included in the “Introduce yourself” section of their profiles.

It’s important to note that 23andMe reported that the hackers downloaded the data of 6.9 million people out of 14 million customers after breaching around 14,000 user accounts. Of this figure, 5.5 million individuals had their data scraped through the DNA Relatives feature and 1.4 million via the Family Tree feature.

What has 23andMe done in response?

Shortly after detecting the attack, 23andMe started requiring all customers to reset their passwords. Since November 6, all new and existing customers must use two-factor authentication when logging into their accounts to block future credential-stuffing attempts. This incident has also led to multiple lawsuits being filed against 23andMe, prompting the company to update its Terms of Use with provisions that make it harder for customers to join class action lawsuits against the company.

What can you do to protect yourself?

While 23andMe has taken steps to address the issue, it’s crucial for you to remain vigilant about your own online security. Always use strong, unique passwords for each of your accounts, and consider using a password manager to help you manage them. Enable two-factor authentication whenever possible, and stay informed about potential data breaches so you can take action to protect your information.

As cybersecurity experts, we understand how important it is to protect your personal information from cyber threats. If you’re concerned about your online security or need help navigating the complex world of cybersecurity, don’t hesitate to reach out to us. We’re here to help you stay safe and informed in the digital age. And remember, always keep coming back to learn more about the latest developments in cybersecurity.


Temu Refutes Violation as Hacker Boasts Stealing 87 Million Data Records: A Shocking Revelation

Indonesian e-commerce giant Tokopedia (TEMU) denies a data breach after a hacker claims to have stolen 87 million records. Cybersecurity researchers remain skeptical, as TEMU has a history of downplaying incidents. Stay vigilant and monitor your accounts for suspicious activity.


Imagine waking up one day and finding out that your personal data has been stolen and put up for sale by hackers. That’s the kind of nightmare scenario that customers of a popular e-commerce platform, Temu, recently faced when a threat actor claimed to have breached their database and stolen 87 million records of customer information.

Did the hacker really breach Temu?

Temu, a Chinese e-commerce platform known for its low-cost clothing, home goods, electronics, and accessories, has gained popularity in the United States and Europe for its deep discounts and promotional strategies. Despite facing scrutiny over data privacy, product quality, and shipping times, the platform had never found itself at the center of a major data breach incident – until now, that is.

Recently, a threat actor going by the name “smokinthashit” claimed to have stolen a database containing 87 million records from Temu and attempted to sell it to other cybercriminals. The alleged stolen data included usernames and IDs, IP addresses, full names, dates of birth, gender, shipping addresses, phone numbers, and hashed passwords.

Temu denies the breach

When we reached out to Temu for a statement, they categorically denied that the published data belonged to them and said they would press charges against those spreading this misinformation. According to Temu, their security team conducted a comprehensive investigation into the alleged data breach and found that the claims were false and that the data being circulated didn’t match their transaction records.

Temu also emphasized that the security and privacy of their users are of utmost importance and that they follow industry-leading practices for data protection and cybersecurity. The platform highlighted its MASA certification, independent validations, its HackerOne bug bounty program, and compliance with the PCI DSS payment security standard.

The threat actor insists the breach is real

When we contacted the threat actor about the breach, they continued to insist that they had indeed breached Temu. They even claimed to have ongoing access to the company’s email and internal panels, as well as knowledge of vulnerabilities in their code. However, the threat actor didn’t share any proof to support these claims, and we couldn’t determine whether they were valid or not.

Regardless of the authenticity of the data breach claims, they can still damage a company’s reputation and sow distrust among customers. With that in mind, if you’re a Temu user, it’s a good idea to enable two-factor authentication on your account, change your password to something new and unique, and stay alert for potential phishing attempts.

We reached out to Temu again about the threat actor’s further claims, but no response was immediately available.


Update 9/19: The threat actor has been banned on BreachForums for misrepresenting and attempting to sell data that was already publicly available. CheckPoint Research, investigating the claim, informed us that some of the information the threat actor posted appears to originate from a data breach at foreup.com, dating back to mid-2021.

In conclusion, it’s essential to stay vigilant and take every precaution to protect your personal data. Cybersecurity threats are constantly evolving, and companies must invest in robust security measures to keep their customers’ information safe. And as users, we should take every step to safeguard our data and ensure that we’re not falling victim to any potential breaches. If you want to learn more or need help securing your data, don’t hesitate to contact us and keep coming back for more information on cybersecurity.


AT&T Shells Out $13 Million in FCC Settlement for Shocking 2023 Data Breach

AT&T has paid a $1.3 million settlement to the Federal Communications Commission (FCC) following a 2023 data breach that exposed customers’ personal information. The breach resulted from unauthorized access to user accounts by AT&T’s third-party vendor, which sold customer information to third-party call centers.


The Federal Communications Commission (FCC) has reached a $13 million settlement with AT&T to resolve a probe into whether the telecom giant failed to protect customer data after a vendor’s cloud environment was breached three years ago.

The FCC’s investigation also examined AT&T’s supply chain integrity and whether the telecom giant engaged in poor privacy and cybersecurity practices.

The massive data breach investigated by the FCC occurred in January 2023, when threat actors accessed customer data of roughly 9 million AT&T wireless accounts stored by a vendor contracted to generate personalized video content, including billing and marketing videos.

“Customer Proprietary Network Information from some wireless accounts was exposed, such as the number of lines on an account or wireless rate plan,” AT&T told us at the time.

“The information did not contain credit card information, Social Security Number, account passwords or other sensitive personal information. We are notifying affected customers.”

The CPNI data exposed in the January 2023 breach included customer first names, wireless account numbers, phone numbers, and email addresses.

Even though the vendor was required to destroy or return the data after the contract ended—years before the breach—it failed to do so. AT&T was found to have inadequately monitored the vendor’s compliance with their contractual obligations.

AT&T agrees to boost customer data protection

To settle the investigation, AT&T has also agreed to strengthen its data governance practices to protect its consumers’ sensitive data against similar vendor data breaches in the future.

The consent decree requires AT&T to implement a comprehensive Information Security Program that includes broad customer data protection, improve its data inventory processes to track data shared with vendors, ensure that vendors follow retention and disposal rules for customer information (to limit the amount of customer data vulnerable to data breaches), and conduct annual compliance audits to assess AT&T’s compliance with these requirements.

“The Communications Act makes clear that carriers have a duty to protect the privacy and security of consumer data, and that responsibility takes on new meaning for digital age data breaches,” said FCC Chairwoman Jessica Rosenworcel.

“Carriers must take additional precautions given their access to sensitive information, and we will remain vigilant in ensuring that’s the case no matter which provider a customer chooses.”

Enforcement Bureau Chief Loyaan A. Egal also underscored the significance of the case, noting that “Communications service providers have an obligation to reduce the attack surface and entry points that threat actors seek to exploit in order to access sensitive customer data.”

“Protecting our customers’ data remains one of our top priorities. A vendor we previously used experienced a security incident last year that exposed data pertaining to some of our wireless customers,” an AT&T spokesperson told us after publishing time.

“Though our systems were not compromised in this incident, we’re making enhancements to how we manage customer information internally, as well as implementing new requirements on our vendors’ data management practices.

“Consistent with FCC requirements, we began notifying customers of this incident in March 2023. The data included information like the number of lines on an account. It did not contain credit card information, Social Security Numbers, account passwords or other sensitive personal information.”

In July 2024, AT&T warned of another massive data breach after threat actors stole the call logs for roughly 109 million customers (nearly all of its mobile customers) from an online database on the company’s Snowflake account between April 14 and April 25, 2024.

The exposed data contained phone numbers, call durations, communications metadata, and number of calls or texts. However, AT&T said the attackers couldn’t access the content of the calls or texts, customer names, or any other personal information like Social Security numbers or dates of birth.

In April, the company also notified 51 million former and current customers of a data breach linked to a massive amount of AT&T customer data leaked in March on the Breached hacking forum and previously offered for sale for $1 million in 2021.

Update September 17, 14:54 EDT: Added AT&T statement.

A Call to Arms for Data Security Enthusiasts

As we continue to witness breaches and vulnerabilities, it becomes increasingly essential for individuals and businesses to prioritize cybersecurity. We invite you to join us in our mission to empower users with the knowledge and tools they need to protect their data and privacy. Don’t hesitate to get in touch with us, and keep coming back to learn more about the ever-evolving landscape of cybersecurity.


23andMe to Shell Out $30 Million in Astonishing Genetics Data Breach Settlement

23andMe has agreed to pay $30 million to settle a lawsuit over a 2020 data breach that exposed customers’ genetic information. Learn more about the settlement and how it will impact the biotechnology company’s future data security measures.


Imagine receiving a package in the mail containing a small tube that holds the key to uncovering your ancestry, traits, and health predispositions. You trust the company to keep your most sensitive information, your DNA, safe and secure. But what happens when that trust is broken? In 2023, 23andMe, a leading DNA testing company, faced this very issue when a massive data breach exposed the personal information of 6.4 million customers.

Fast forward to today, and 23andMe has agreed to pay a whopping $30 million to settle a lawsuit resulting from the breach. The proposed class action settlement is currently awaiting judicial approval and includes cash payments for affected customers. While the company believes the settlement is fair, they also deny any wrongdoing and maintain that they properly protected their customers’ personal information.

Addressing Security Weaknesses

In addition to the financial settlement, 23andMe has agreed to strengthen its security protocols, such as adding protections against credential-stuffing attacks and requiring mandatory two-factor authentication for all users. The company also plans to conduct annual cybersecurity audits and create a comprehensive data breach incident response plan.

Furthermore, 23andMe will no longer retain personal data for inactive or deactivated accounts and will provide an updated Information Security Program to employees during annual training sessions. While these actions may help rebuild trust, it’s important for us to recognize that data breaches can happen to anyone – even trusted companies like 23andMe.

Understanding the Data Breach

So, how did the breach occur? In October 2023, 23andMe discovered unauthorized access to customer profiles resulting from compromised accounts. Hackers exploited credentials stolen from other breaches to access 23andMe accounts. In response, the company implemented measures to block similar incidents, such as requiring customers to reset passwords and enabling two-factor authentication by default.

However, the damage was already done. Starting in October, threat actors leaked data profiles belonging to 4.1 million individuals in the United Kingdom and 1 million Ashkenazi Jews on the unofficial 23andMe subreddit and hacking forums. In total, data for 6.9 million customers, including information on 6.4 million U.S. residents, was downloaded in the breach.

Moreover, the company confirmed that attackers stole health reports and raw genotype data during a five-month credential-stuffing attack that took place from April to September. As a result, multiple class-action lawsuits were filed against 23andMe, leading to the recent settlement.

A Call to Action for Cybersecurity Awareness

As we reflect on the 23andMe data breach, it’s crucial to recognize that we all play a role in safeguarding our personal information. By staying informed about cybersecurity best practices and understanding the risks involved in sharing sensitive data, we can better protect ourselves from potential threats.

At IT Services, we’re committed to helping you stay informed and secure. Keep coming back to learn more about cybersecurity, and don’t hesitate to contact us with any questions or concerns. Together, we can build a safer digital world for all.


Copyright © 2023 IT Services Network.