Mobile Telecomm, Retailer, and Online Dating Company Leads January Data Breaches

• Bonobos suffered a data breach when the hacking group, ShinyHunters, downloaded and posted a database on a free hacker forum, compromising close to three million accounts.  
• ShinyHunters also stole a database from online dating website MeetMindful.com, compromising 1.4 million accounts and exposing 2.28 million user’s information. Data in the database included IP addresses, encrypted account passwords and Facebook information. 
• A U.S. Cellular data breach occurred after hackers were able to scam employees to gain access to one retail store’s computer, affecting 276 people.  
• For more information about January data breaches, consumers and businesses should visit the Identity Theft Resource Center’s (ITRC) data breach tracking tool, notified.   
• If you believe you are a victim of identity theft from a data breach, contact the ITRC toll-free at 888.400.5530 or through live-chat on the company website. 

Notable January Data Breaches in 2021 

Of all the data breaches the Identity Theft Resource Center (ITRC) tracked in January, three stood out: Bonobos, MeetMindful.com and U.S. Cellular. All three data events are notable for unique reasons. One compromised close to three million accounts; another includes a compromised dating website, leading to the attacker leaking millions of user’s data; the third event happened when criminals successfully targeted a handful of retail store employees, leading to malware being added to the company’s point-of-sale system.  

Bonobos Breach

The E-commerce apparel company, Bonobos recently suffered a data compromise after Black-hat hacker group, ShinyHunters, downloaded a cloud backup of a database and then posted the full database to a free hacker forum, compromising 2.8 million accounts.

According to bleepingcomputer.com, the 70 GB database consisted of addresses and phone numbers for seven million shipping addresses, account information for 1.8 million registered customers and 3.5 million partial credit card records. The article says that one threat actor claims to have already cracked the passwords for 158,000 accounts. The hacker turned the cracked passwords into a ‘combolist’ used in credential stuffing attacks to log in using the stolen credentials at other sites.

Bonobos is emailing data breach notification letters to people who may have been affected. 

MeetMindful.com 

Online dating company, MeetMindful, had more than 1.4 million user accounts compromised and 2.28 million user details exposed after the same hacker group, ShinyHunters, struck the dating site by leaking a 1.2 GB file on a publicly accessible hacking forum.

According to ZDNet, some of the most sensitive information in the file includes names, email addresses, locations, IP addresses, encrypted account passwords and Facebook information. Not all of the leaked accounts have full details included in them. However, for many of the MeetMindful users, the provided data can be used to trace their dating profiles back to their real-world identities.

U.S. Cellular 

Mobile wireless carrier, U.S. Cellular, recently suffered a data breach after hackers gained access to protected systems by installing malware on a computer at a U.S. Cellular retail store. According to Forbes, hackers targeted multiple U.S. Cellular retail store employees who had access to the company’s customer relationship management (CRM) software.

The Office of the Vermont Attorney General reports that hackers may have gained access to a wireless customer account and wireless phone number. Employees were successfully scammed by unauthorized individuals and downloaded software onto a store computer. Since the employees were already logged into the CRM, the downloaded software allowed the unauthorized individual to remotely access the store computer and enter the CRM system under the employee’s credentials.

The U.S. Cellular data breach affected 276 people and exposed names, addresses, PIN codes and mobile phone numbers, as well as information about wireless services, including service plan, usage and billing statements known as Customer Proprietary Network Information (CPNI). 

What to Do If These Breaches Impact You 

Anyone who receives a data breach notification letter should follow the advice offered by the company. The ITRC recommends immediately changing your password by switching to a 12+-character passphrase, changing the passwords of other accounts with the same password as the breached account, considering using a password manager, and keeping an eye out for phishing attempts claiming to be from the breached company.

If you receive a suspicious email, especially if it asks to click on a link, download a file, or verify your login & password, ignore it. Victims of the U.S. Cellular data breach should contact U.S. Cellular to establish a new PIN, reset their password, and contact U.S. Cellular at 888.944.9400 with any questions or concerns

notified  

For more information about January data breaches, or other data breaches, consumers and businesses should visit the ITRC’s data breach tracking tool, notified, free to consumers.

Organizations that need comprehensive breach information for business planning or due diligence can access as many as 90 data points through one of the three paid notified subscriptions. Subscriptions help ensure the ITRC’s identity crime services stay free.  

Contact the ITRC 

If you believe you are the victim of an identity crime or your identity has been compromised in a data breach, you can speak with an ITRC expert advisor at no-cost by phone (888.400.5530) or live-chat. Just go to www.idtheftcer.org to get started.

Also, victims of a data breach can download the free ID Theft Help app to access resources, a case log and much more.