Real-Case Analysis #21: Data of Hey You Allegedly for Sale

Elisabeth Do
June 26, 2024

On June 25, 2024, a hacker known as Billy100 claimed to have acquired and put up for sale a database reportedly belonging to Hey You, an Australian food ordering service.


Highlights

The data is reportedly split into two sets:

  1. The first set contains 101,703 lines of data, including names and phone numbers.
  2. The second set has 100,765 lines, containing usernames, emails, passwords, and addresses.

Overview of the Alleged Data Breach

The alleged data breach impacting Hey You, an Australian meal ordering app, involved unauthorized access to and exfiltration of user and partner information. The breach reportedly impacts over 100,000 Hey You customers and partners, and sensitive personal information is being sold on a well-known hacking forum.

While the exact initial attack vector is not specified in the available material, the breach appears to have involved unauthorized access to Hey You's customer database. Given the nature of the exposed data, the attackers may have exploited weaknesses in Hey You's online application or acquired access via compromised credentials. The passwords in the released data are supposedly hashed using SHA-1, which is deemed obsolete and potentially vulnerable to cracking attempts.

The timeline of the attack is not fully detailed in the provided information. However, we can outline the known events:

  • Unknown Date: The actual breach occurred, with attackers gaining access to Hey You's customer database.
  • June 25, 2024: A hacker known as Billy100 posted the allegedly stolen data for sale on a popular hacking forum.
  • June 26, 2024: The breach was reported by Cyber Daily, and Hey You had not yet publicly responded to the allegations.

The alleged perpetrator of this data breach is identified as a hacker using the alias "Billy100". While the hacker's exact identity is unknown, some details regarding their recent activity have been revealed:

  • Billy100 has been actively posting databases for sale almost daily since June 17, 2024.
  • The hacker (or possibly a data broker) has previously sold data belonging to various organizations, including the Panamanian government, Satu Data Indonesia, and India's eMigrate emigration system.

The primary goal for this alleged breach appears to be financial gain. Billy100 intends to benefit from illegal access to Hey You's client information by selling the stolen data on a hacking forum. This is consistent with the larger trend of cybercriminals monetizing stolen data via underground marketplaces.

It is worth mentioning that Hey You had not publicly acknowledged the authenticity of the breach or the data being offered for sale at the time of reporting. As the situation develops, more details about the nature of the attack, its timeframe, and the entire scope of the data breach may become available.

Impact Analysis

Here's an analysis of the potential consequences:

User Privacy and Security Risks

The claimed breach apparently contains sensitive user information such as names, phone numbers, email addresses, and hashed passwords. If this information gets into the wrong hands, it could lead to:

  • Identity Theft: Criminals could use the personal information to impersonate users.
  • Phishing Attacks: With access to email addresses, hackers might target users with convincing scam attempts.
  • Account Takeovers: If the hashed passwords are cracked, users' Hey You accounts could be compromised.

Financial Implications for Hey You

While the exact financial impact has yet to be determined, the corporation could face:

  • Potential Fines: If found in violation of data protection regulations.
  • Legal Costs: Defending against possible lawsuits from affected users.
  • Cybersecurity Investments: Upgrading systems to prevent future breaches.
  • Customer Compensation: Possible reimbursements or free services to affected users.

Reputational Damage

The breach could have a substantial impact on Hey You's reputation, potentially leading to:

  • Loss of User Trust: Customers may be hesitant to continue using the app.
  • Decreased User Base: Some users might delete their accounts or switch to competitors.
  • Negative Media Coverage: Prolonged negative publicity could impact the company's image.

Operational Disruptions

Hey You may need to devote significant resources to resolving the breach, possibly causing:

  • Diversion of staff and resources to incident response.
  • Temporary service interruptions for security upgrades.
  • Delays in planned feature releases or expansions.

Long-term Business Impacts

The breach may have long-term implications for Hey You's business, including:

  • Increased cybersecurity insurance premiums.
  • Potential loss of partnerships with restaurants and cafes.
  • Challenges in attracting new users and expanding to new markets.

Regulatory Scrutiny

The incident may attract regulatory scrutiny, potentially resulting in:

  • Investigations into Hey You's data protection practices.
  • Mandated security improvements and audits.
  • Stricter compliance requirements moving forward.

Lessons Learned

Following the reported data breach, here are the lessons learned:

Robust Data Protection Measures

The breach highlights the need to put adequate data protection procedures in place. This involves using strong cryptographic techniques for sensitive data like passwords. In this situation, the passwords were hashed with the SHA-1 hash function, which is considered outdated and prone to attack. Businesses should use more secure password-hashing algorithms, such as bcrypt or Argon2.
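
An added example, not code from Hey You or from the original article: one way to move a table of unsalted SHA-1 password digests to a slow, salted hash without waiting for every user to log in. It uses scrypt from Python's standard library as a stand-in for bcrypt or Argon2 so that it runs without third-party packages; the record layout, scheme names and cost parameters are assumptions.

```python
import hashlib, hmac, os

# Assumed scrypt cost parameters for this example; tune to your hardware.
N, R, P, DKLEN = 2**14, 8, 1, 32

def kdf(secret: bytes, salt: bytes) -> str:
    return hashlib.scrypt(secret, salt=salt, n=N, r=R, p=P, dklen=DKLEN).hex()

def legacy_record(password: str) -> dict:
    """Constructed stand-in for a row stored as an unsalted SHA-1 hex digest."""
    return {"scheme": "sha1", "salt": "",
            "hash": hashlib.sha1(password.encode()).hexdigest()}

def wrap_legacy(rec: dict) -> dict:
    """Bulk step, no password needed: store scrypt(sha1_hex, salt) in place
    of the bare digest, so no fast hash remains at rest."""
    salt = os.urandom(16)
    return {"scheme": "scrypt-sha1", "salt": salt.hex(),
            "hash": kdf(rec["hash"].encode(), salt)}

def new_record(password: str) -> dict:
    salt = os.urandom(16)
    return {"scheme": "scrypt", "salt": salt.hex(),
            "hash": kdf(password.encode(), salt)}

def verify_and_upgrade(password: str, rec: dict):
    """Return (ok, record). A successful login against an older scheme
    returns a record rehashed directly from the password."""
    pw, salt = password.encode(), bytes.fromhex(rec["salt"])
    if rec["scheme"] == "sha1":
        candidate = hashlib.sha1(pw).hexdigest()
    elif rec["scheme"] == "scrypt-sha1":
        candidate = kdf(hashlib.sha1(pw).hexdigest().encode(), salt)
    elif rec["scheme"] == "scrypt":
        candidate = kdf(pw, salt)
    else:
        return False, rec
    # Constant-time comparison of the hex digests.
    if not hmac.compare_digest(candidate, rec["hash"]):
        return False, rec
    return True, (rec if rec["scheme"] == "scrypt" else new_record(password))

if __name__ == "__main__":
    row = wrap_legacy(legacy_record("correct horse"))   # constructed sample
    ok, row = verify_and_upgrade("correct horse", row)
    print(ok, row["scheme"])
```

The caller is expected to persist the returned record whenever its scheme differs from the stored one.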

Regular Security Audits

Regular security audits can help detect and remediate vulnerabilities before they are exploited. These audits should include penetration testing, code reviews, and compliance checks to ensure that security measures are up to date.

Incident Response Plan

Having a clear incident response plan is critical. This plan should specify what actions will be taken in the event of a data breach, such as notification tactics, containment methods, and recovery processes. Quick and open communication with affected users can help lessen the damage and retain trust.

User Education

Educating users on recommended practices for data security, such as establishing strong, unique passwords and enabling two-factor authentication, can help to lessen the risk of data breaches. Users should be reminded to update their passwords frequently and to be aware of phishing attacks.

Third-Party Risk Management

The breach also emphasizes the importance of comprehensive third-party risk management. Businesses should verify that their partners and vendors follow strict security protocols, as breaches can occur via third-party systems.