Breach Roundup: Real Estate Firm Exposes Celebrity Data
Also: Yakult Australia Admits to Experiencing 'Cybersecurity Incident'
Every week, Information Security Media Group rounds up cybersecurity incidents and breaches worldwide. This week, a breach at Real Estate Wealth Network exposed 1.5 billion records, Corewell Health patients were hit by a second breach, data of 1.3 million LoanCare mortgage customers was exposed, Yakult Australia admitted to experiencing a "cybersecurity incident" that exposed 95 gigabytes of data, a pro-Palestinian group leaked an Israeli customer database, and the stealth backdoor Android/Xamalicious is actively infecting devices.
Real Estate Wealth Network Data Breach
An unsecured database linked to the Real Estate Wealth Network exposed 1.5 billion records including property details, financial data and even internal user logs, according to the security researcher who found the vulnerability.
Researcher Jeremiah Fowler of security services firm Security Discovery said in a report that the database, belonging to the New York-based Real Estate Wealth Network, was swiftly secured after Fowler's responsible disclosure notice.
While celebrities' data including addresses and purchase details could be accessed, the full extent of the exposure's duration remains unclear.
"The exposure of celebrities' home addresses online could pose potential risks such as threats to their safety or an invasion of their privacy. Famous people and politicians could face potential stalking or harassment by fans or even individuals with malicious intent," Fowler said.
Second Data Breach Affects 1 Million Corewell Health Patients
An unidentified threat actor compromised the data of over 1 million Corewell Health patients in Michigan in another data breach. HealthEC, a vendor serving Corewell's Southeast Michigan properties, disclosed that certain systems had been accessed by an unauthorized user.
Corewell suffered its second data breach in recent months. Last month, the health system disclosed a breach involving Welltok Inc., a contracted software company providing communication services. The breach affected 1 million people.
The unknown actor accessed and copied specific files between July 14 and July 23. The information in those files included names, addresses, birthdates, Social Security numbers, taxpayer identification numbers, medical record numbers, and medical information such as diagnoses, mental or physical condition, prescription information, and provider names and locations.
Other compromised customer health insurance-related information included beneficiary number, subscriber number, Medicaid/Medicare identification, plus billing and claims information.
HealthEC said it had notified clients such as Corewell Health and collaborated with them to inform potentially affected individuals. The firm said business partners affected by this event include HonorHealth and the State of Tennessee's Division of TennCare.
LoanCare Notifies 1.3M Customers of Incident
Mortgage loan subservicer LoanCare LLC said it is notifying over 1.3 million homeowners about a potential data compromise during a cyberattack on parent company Fidelity National Financial.
The breach, discovered Nov. 19, exposed personal details, including names, addresses, Social Security numbers and mortgage loan numbers. While LoanCare said it has not seen any fraudulent use of the data so far, it offered 24 months of free identity monitoring through Kroll.
"The investigation has determined that an unauthorized third party exfiltrated data from certain FNF systems. As part of the review of the potentially impacted data, LoanCare identified that some of your personal information may have been among that data," the notification letter said.
In a data breach notification letter, LoanCare said that FNF had initiated an investigation with third-party experts, informed specific law enforcement and governmental authorities, and implemented measures to assess and contain the breach. FNF contained the incident by Nov. 26 and restored operations by Dec. 6.
Yakult Australia Admits to 'Cybersecurity Incident'
Yakult, the producer of a well-known probiotic milk drink, said it is investigating a "cyber incident" affecting its IT systems in Australia and New Zealand, according to an official release on its website.
The hack in mid-December resulted in the theft of approximately 95GB of data, which was subsequently leaked on the dark web. It remains unclear how much of the data was posted online or the specific nature of the compromised information.
David Whatley, the director of Yakult Australia, told 9news.com.au on Christmas Day that he had discovered the threat actor had published at least some of the claimed data on its dark web forum.
Whatley did not provide specific details about the stolen data but said the incident is under investigation. "We are collaborating with our cybersecurity experts to ascertain the extent of the incident and identify the accessed data," he said.
BleepingComputer said it has analyzed leaked data dumped by the DragonForce hacker group onto its leak site and has found that the data contains various business documents, spreadsheets and credit applications submitted to Yakult Australia as well as employee records and copies of identity documents such as passports.
Pro-Palestinian Group Leaks Israel Firm Database
The pro-Palestinian group Cyber Toufan said that it has exfiltrated the customer and distributor database of Maytronics in Israel and released a sample of this data.
The group said Maytronics is an Israeli company that's a global leader in the swimming pool industry. The company offers a variety of robotic pool cleaners, pool safety products and mineral-based water treatment technologies. It operates five subsidiaries worldwide and has global partners in 65 countries across five continents and over 100 distributors.
"We are leaking a part of the database of the company. It contains their customers and distributors and their details. We are reminding you. We will keep striking your industrial interests, as you continue killing our children," the group posted on its official Telegram channel.
At the time of this writing, the official website for Maytronics remained inaccessible.
Stealth Backdoor "Android/Xamalicious" Actively Infecting Devices
Researchers at the McAfee Mobile Research Team disclosed Android/Xamalicious, an Android backdoor built on Xamarin, the Microsoft-developed open-source framework for creating mobile and desktop applications.
In the wild since mid-2020, the malware uses social engineering to persuade users to grant it accessibility privileges. After communicating with its command-and-control server, it downloads a second-stage payload that gives the operators full control of the device for fraudulent activities such as ad-clicking and unauthorized app installations.
A connection to the ad-fraud app Cash Magnet suggests a financial motive. The Xamarin framework enables stealth, using APK file packing and obfuscation techniques. Though Google Play has removed identified apps, the threat persists, potentially compromising over 327,000 devices globally.
The use of non-Java code frameworks such as Xamarin poses a challenge for security tooling, allowing malware authors to conceal their activities and avoid detection.
Researchers advise users to be cautious with apps that request accessibility services they have no evident need for, since the second-stage payload obtains its control of the device through those granted permissions.