A quick glance at the most notable mobile data breaches of 2021 is a good indicator of what awaits in the year ahead. Let's take a look at the most significant mobile data breaches that made headlines last year.
A bug in Slack's "Shared Invite Link" feature was present from April 17, 2017, until it was fixed on July 17, 2022. When a user created or revoked a shared invite link, Slack transmitted a hashed version of that user's password to other members of the workspace. The hash was not displayed in any Slack client; picking it up required actively monitoring the encrypted network traffic coming from Slack's servers.
Slack's response was prompt: it reset the passwords of the affected users, fixed the bug, and continued investigating whether the bug had exposed anything further. A salted hash is not the password itself, but a leaked hash can be attacked offline by guessing, which is why resetting the affected passwords was the right call.
Slack's public statement on the matter, published on its website, reads as follows:
"We have no reason to believe that anyone was able to obtain plaintext passwords because of this issue. However, for the sake of caution, we have reset the affected users' Slack passwords. They will need to set a new Slack password before they can log in again."
The Amazon Ring Neighbors app lets users share neighborhood watch information. When someone raises a safety alert in the app, every user within a set radius of the location is notified of the potential threat.
According to TechCrunch, the problem was that the precise locations of users who had posted in the app were exposed. Posts appear anonymous in the app, but the poster's home address details, including latitude and longitude, were retrievable from Ring's servers, so anyone who queried the servers directly rather than through the app could recover them. Despite the seriousness of the flaw, no incidents have been tied to the exposure.
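The Ring flaw is the classic case of an API returning a full server-side record and trusting the client to hide the sensitive fields. The following is an added example, not Ring's code, contrasting that pattern with a response serializer that allowlists public fields and publishes only a coarsened location. The post record, field names and the 0.01-degree grid (roughly 1 km) are assumptions constructed for the example.

```python
# Added illustration (not Ring's code). A post record as it might be stored
# server-side. The data is constructed sample data, not a real record.
POST_RECORD = {
    "post_id": 12345,
    "title": "Suspicious vehicle on the block",
    "body": "Dark sedan circling since 8 pm.",
    "created_at": "2021-01-14T20:15:00Z",
    # Fields below identify the poster and must never leave the server.
    "user_id": 987,
    "home_address": "1 Example Street",
    "latitude": 37.4219983,
    "longitude": -122.0840000,
}

# Explicit allowlist of what a public, anonymous post is allowed to carry.
PUBLIC_FIELDS = ("post_id", "title", "body", "created_at")

# Fields whose presence in any public response is a leak.
SENSITIVE_FIELDS = ("user_id", "home_address", "latitude", "longitude")


def serialize_vulnerable(record: dict) -> dict:
    """Return the stored record unchanged.

    The mobile client simply does not display user_id, home_address or the
    coordinates, so the app looks anonymous. Anyone calling the API directly
    sees every field.
    """
    return dict(record)


def coarsen(coord: float, grid: float = 0.01) -> float:
    """Snap a coordinate to a grid so it conveys an area, not a home.

    0.01 degrees is about 1.1 km of latitude; the grid size is an assumption
    for this example and would be chosen per product requirement.
    """
    return round(round(coord / grid) * grid, 4)


def serialize_public(record: dict, grid: float = 0.01) -> dict:
    """Build the response from an allowlist and add only a coarsened location."""
    out = {key: record[key] for key in PUBLIC_FIELDS if key in record}
    out["approx_latitude"] = coarsen(record["latitude"], grid)
    out["approx_longitude"] = coarsen(record["longitude"], grid)
    return out


def leaks_precise_location(response: dict) -> bool:
    """Check a response the way a reviewer or an API test would."""
    return any(key in response for key in SENSITIVE_FIELDS)


if __name__ == "__main__":
    print("vulnerable leaks:", leaks_precise_location(serialize_vulnerable(POST_RECORD)))
    print("hardened leaks:  ", leaks_precise_location(serialize_public(POST_RECORD)))
    print(serialize_public(POST_RECORD))
```

The point of `leaks_precise_location` is that the check belongs in the API's own tests, not in the client: a client that hides a field is a presentation choice, while a server that never emits it is a security control.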
Another mobile data breach occurred in March 2021 and concerned the ParkMobile app. ParkMobile, a cashless parking app used across the United States, exposed the personal information of 21 million users. The breach was reported by an online security columnist, who found the personal data being offered for sale on a Russian-language crime forum.
The company stated that, although the attackers obtained encrypted passwords, they did not obtain the keys needed to decrypt them. It also stated that no parking history or credit card information was compromised. The distinction matters: a reversibly encrypted password is only as safe as its key, whereas a properly salted and hashed password has no key to steal and can only be recovered by guessing.
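Both the Slack and the ParkMobile passages turn on what a leaked password hash actually gives an attacker. The following is an added example, not Slack's or ParkMobile's code, showing per-user salted hashing with a memory-hard KDF (scrypt from the Python standard library), constant-time verification, and an offline guessing attack run against a constructed wordlist. It demonstrates why a leaked salted hash does not reveal the password outright, and why weak passwords still fall to offline guessing, which is the reason a reset is still warranted. The scrypt parameters and the wordlist are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
from typing import Iterable, Optional, Tuple

# Added illustration (not Slack's or ParkMobile's code). scrypt cost parameters
# are assumptions for a fast example; production settings should be tuned higher.
SCRYPT_N = 2 ** 14
SCRYPT_R = 8
SCRYPT_P = 1
SALT_BYTES = 16
DIGEST_BYTES = 32


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random salt is drawn when none is supplied.

    There is no key here: nothing the server stores lets anyone reverse the
    digest, which is the property the ParkMobile statement was reaching for.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.scrypt(
        password.encode("utf-8"), salt=salt,
        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DIGEST_BYTES,
    )
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def same_password_different_digests(password: str) -> bool:
    """Two users with the same password get unrelated digests because their
    salts differ, so one leaked digest cannot be matched against other users
    or against a precomputed table."""
    salt_a, digest_a = hash_password(password)
    salt_b, digest_b = hash_password(password)
    return salt_a != salt_b and digest_a != digest_b


def offline_guess(salt: bytes, digest: bytes, wordlist: Iterable[str]) -> Optional[str]:
    """What an attacker holding a leaked (salt, digest) pair can do: try guesses.

    Returns the recovered password or None. The KDF's cost slows this down; it
    does not stop it for passwords that appear in the attacker's wordlist.
    """
    for guess in wordlist:
        if verify_password(guess, salt, digest):
            return guess
    return None


if __name__ == "__main__":
    # Constructed wordlist standing in for a real cracking dictionary.
    wordlist = ["password", "123456", "qwerty", "letmein"]
    weak_salt, weak_digest = hash_password("letmein")
    strong_salt, strong_digest = hash_password("correct horse battery staple")
    print("weak password recovered:  ", offline_guess(weak_salt, weak_digest, wordlist))
    print("strong password recovered:", offline_guess(strong_salt, strong_digest, wordlist))
```

The takeaway for an incident like Slack's is that "hashed" is a real mitigation but not a guarantee: the leaked value protects users whose passwords are not guessable, and a forced reset protects the rest.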
Apple also makes the list. A zero-day flaw affecting every iPhone, iPad, Mac and Apple Watch in use was the most far-reaching mobile security incident of 2021. The flaw, a zero-click iMessage exploit, was used to install NSO Group's Pegasus spyware, giving NSO's government customers access to the target's device, including the owner's photos, messages, personal data and location.
Ivan Krstić, Apple's head of security engineering and architecture, said in a statement reported by TechCrunch:
“After identifying the vulnerability used by this exploit for iMessage, Apple rapidly developed and deployed a fix in iOS 14.8 to protect our users. Such attacks cost millions of dollars to develop, often have a short shelf life, and target specific individuals. While that means they are not a threat to the overwhelming majority of our users, we continue to work tirelessly to defend all our customers, and we are constantly adding new protections for their devices and data.”
SHAREit, one of the most popular apps on Google Play in 2019 with over 1 billion downloads, also made our list. It earned its reputation as one of the best file-sharing apps through its support for a wide variety of devices and platforms: Android, iOS, macOS and Windows.
In February 2021 it was revealed that the app contained flaws that let attackers mount attacks on its users, including remote code execution, meaning an attacker could run code of their choosing on the victim's device without physical access to it. SHAREit's developers did not share further details on the incident, presumably to avoid drawing attention to it. According to Bloomberg, the steps the company took were to notify users to update the application and to publish a brief statement on a patch release addressing the reported vulnerabilities.
Next on our list of significant mobile data breaches is Klarna. In 2021 a peculiar application flaw, in which users were logged in to other people's accounts at random, raised a lot of eyebrows. Keep in mind that Klarna is a payment application, so it holds sensitive personal and card information. As users began sharing their experiences online, the Swedish payment giant quickly took the app offline.
It later emerged that the bug was not an external attack but a human error inside the company. Klarna's official statement on its website addresses the incident:
“It is important to note that the access to data has been entirely random and not showing any data containing card or bank details (obfuscated data). Even though GDPR would classify the information visible as ‘non-sensitive’, for Klarna all data is important. We are taking this incident very seriously and we will work tirelessly to regain the affected consumers’ trust.”
Mobile applications are an increasingly attractive target. Flaws that are simple to exploit, combined with loose regulation of mobile application security practices, make them low-hanging fruit.
Most of these incidents are the direct result of poor security practices, and many of them could have been avoided with testing and better secure coding practices. Code hardening and runtime application self-protection (RASP) are proving reliable in securing mobile applications and, most importantly, their users' data.
Read more on mobile app security in our recent blog posts.
If you're curious, feel free to contact us with zero obligation. Our ASEE team will be happy to hear from you.