WCCO reports:
On Monday, Star Tribune subscribers were notified of a possible security breach in its website log-in database.
The paper says it only stored usernames and passwords there.
Read more on CBS Minnesota.
This is in response to claims by ShinyHunters, who have listed what they claim is data from 1 million subscribers for sale. The hackers posted a sample with more than 60 alleged users’ email addresses and passwords.
Reporting on itself yesterday morning, the Star Tribune reported:
The hackers didn’t access subscribers’ credit card or other forms of financial information, and Star Tribune leadership is still working to confirm whether a hack took place, said Steve Yaeger, vice president and chief marketing officer for the newspaper.
“We haven’t been able to verify that it happened, but we’re acting though it has,” Yaeger said. “The information that the hackers alleged to have accessed is simply used by our subscribers to log on to startribune.com and read the news.”
On Monday, the Star Tribune sent an e-mail to subscribers alerting them of the alleged hack.
DataBreaches.net was able to confirm that email addresses in the sample data provided are working email addresses, but did not attempt to confirm anything about the passwords, which were not in clear text.
As of this morning, the listing for the data on a dark web marketplace does not indicate that any sales of the data have been made, but ShinyHunters mentioned to this site yesterday that most of the sales are not through the market, leaving the possibility that the data are being shared or sold elsewhere. The Star Tribune data are listed for $1100.00
In other ShinyHunters-related news, Tokopedia has appointed an independent cybersecurity company to investigate data theft affecting allegedly 91 million customers of the massive e-commerce site. ShinyHunters attracted significant attention to the breach by leaking 15 million users’ information on a popular clear web forum where individuals post databases that can be acquired with forum tokens.
ShinyHunters is currently offering what they claim is the entire 91 million set for sale on the same dark web market where the Star Tribune data are listed, but they ask $5,000.00 for the Tokopedia data. Inspection of a sample by ZDNet had revealed that the data fields included full names, emails, phone numbers, hashed passwords, dates of birth, and Tokopedia profile-related details (account creation date, last login, email activation codes, password reset codes, location details, messenger IDs, hobbies, education, about-me fields, and lots more).
As of yesterday morning, there were five sales of the data reported, but not all sales may have been through the market.
In addition to the two listings noted above, ShinyHunters also offers data from 9 other entities.