Open Exchange Rates, a public API, has sent a notification of data breach to its customers, announcing that hackers had access to their systems and data for a month.

According to the notification, provided by Sylvia van Os, a Linux and Open Source engineer/consultant, the company says the security breach occurred at one of their third-party IT providers and that it appears that a secure access key for their Amazon Web Services (AWS) infrastructure was compromised. "Using these compromised credentials, an unauthorized third party was able to gain access" to their network, including a database containing user data, says the company. 

On Monday, March 2, 2020, Open Exchange Rates received reports that requests to their API were taking longer than usual to receive a response, resulting in timeouts for a number of users. 

Upon investigating, they determined that this was the result of a network misconfiguration. While attempting to correct the issue, they identified that changes has been made to their AWS environment by an unauthorized user account. 

The company notes that they immediately shut off access to this user and worked to restore full operation to their platform. After the incident was contained, they began working to establish the cause and extent of the unauthorized access, alongside specialized IT security consultants. 

They determined the user appeared to have initially gained access on February 9, 2020 and could have gained access to a database in which they store user data. In addition, they found evidence indicating the information contained within the database was most likely extracted from their network. 

Information which may have been extracted includes:

  • Name and email address
  • Encrypted/hashed password used to access account connected with the platform
  • IP addresses 
  • App IDs (32-character strings used to make requests to service) 
  • Personal and/or business name and address (if provided )
  • Country of residence (if provided)
  • Website address (if provided)

Jack Mannino, CEO at nVisium, tells Security Magazine that“From the details provided, it appears as though an attacker was able to compromise an externally exposed service and successfully moved laterally within their cloud architecture to gain unauthorized access to sensitive data. Many environments fail to perform internal network segmentation, secrets management, and least-privilege IAM access, which can aid attackers in elevating their privileges across systems.”

Heather Paunet, Vice President of Product Management at Untangle, tells Security Magazine that there are some key takeaways for IT personnel from this breach. They are to pay attention to the following:

Employee Passwords

  • Every employee safeguards their passwords.
  • IT should ensure that passwords are changed according to a policy, such as every 30, 60 or 90 days.
  • IT should ensure that passwords adhere to complexity rules; requiring letters, numbers and other characters.

Employee Access

  • Just as it’s important to have an onboarding process for users that join the company, it’s just as important that there is an offboarding process for users leaving the company.  All accounts should be deactivated when someone leaves, any laptops should be wiped clean as credentials may be cached in them and confidential data may be available, and of course building access for employing reporting to a physical location should be removed.

Network Protection

  • It’s important to set up separate guest networks for any visitors so that they don’t gain access to corporate materials
  • Setting up such features such as Captive Portal, and authentication for accessing the corporate network will ensure that only authorized users are allowed to access company systems and data.

Employee Education

  • Often phishing emails can persuade employees to give out their credentials or other private information. Teaching employees how to recognize these types of messages will shut down this route of people with malicious intents from gaining access to corporate systems.

Shahrokh Shahidzadeh, CEO at Acceptto, says, "We are currently stuck in this quagmire of resetting our passwords, hoping that we can buy our way to overtime, and some magic will take place before our next breach is discovered. Well, that is not going to happen unless you own your own tomorrow, eh?"

"The good news is that cybersecurity is becoming a principal business initiative," says Shahidzadeh. "There are a number of enterprises where the CFOs are actively sponsoring their CISOs and CIOs in the hunt to kill passwords, all in the light of that inevitable breach that can result in a brand receiving a black eye that can, and most likely will, be financially devastating."

"Now, what to replace binary-authentication with, is the craft, here. Note that not all passwordless solutions are equal," Shahidzadeh adds. "If you are in the hunt for replacing binary authentication, you better not go with nonperforming solutions that can be quickly exploited in a few short months nor simply pick the solution that everyone else is using, yet still getting breached." For example, notes Shahidzadeh, replacing your passwords with passphrases or even a combination of passwords with weak, "off the shelf 2FA/MFA, including biometrics, is just asking for trouble. Instead, think about the opportunities to adopt a real next-gen authentication that is continuous (including capabilities to detect anomalies post-authorization) and leverages and drives the paradigm shift. Keep in mind that authentication is not a single event with a start and an end, or a simple “yes” or “no” process. It is a continuum."

Ashlie Blanca, Senior Consultant at the Crypsis Group, notes that breaches are an increasing phenomenon, "and unfortunately, with the scope and scale of many past breaches, most people have been affected by at least one incident." 

That said, adds Blanca, "it’s important for anyone affected to take steps quickly. In data breaches such as these where data may have been exposed for quite some time, taking needed steps quickly is necessary to minimize the chances of negative repercussions. This includes limiting future exposure of your personal data by protecting your credentials: change your passwords and implement multi-factor authentication."

She notes it is never recommended to use the same password for multiple different accounts, yet, people often do. "Going forward, users should adhere to the best practices of ensuring varied, complex passwords across their many accounts and maintaining a schedule of changing them as frequently as they can support," says Blanca. "Keep in mind that these events happen and will continue to happen, as they are unfortunately part of the norm in the age of information sharing and a definite risk we take as consumers and participants. Minimizing this risk, though, should be in our line of sight when doing our part to protect the information we do share and being constantly aware of the ongoing sophistication and determination of hackers.”