Collateral Damage In McDonald's, Walgreens, Gawker Hacks

Published: 22/11/2024   Category: security




This week's wave of attack revelations aims at customer information databases



If last week was the week of the distributed denial-of-service attack (DDoS), this week was the week of the customer information hack, with Gawker Media, McDonald's, and Walgreens all suffering high-profile breaches that put their patrons at risk.
"They all involve customer information that can be used for spamming/phishing campaigns, and in Gawker's case the password hashes make it easy for attackers to compromise other online accounts," says Chris Wysopal, CTO of Veracode. "All of this will at least be a nuisance to the customers of these organizations, and in some cases it may result in further compromises. These types of data breaches don't typically hurt the companies breached, but cause collateral damage to their customers."
Wysopal says it's always a risk to enter your name, email address, and password into another website. "You are raising the risk that you will be attacked back with this data," he says.
All three attacks, although different, underscored the fallout for the victim customers whose email addresses and other information were grabbed by attackers. This information ultimately has been, or will be, used to spam, phish, or socially engineer them for other more lucrative information, security experts say.
McDonald's breach reportedly might be related to that of a major breach at email marketing provider Silverpop Systems, which reportedly has McDonald's as a customer and is a subcontractor to Arc Worldwide, also a McDonald's partner.
(This is a developing story that Dark Reading will continue to follow.)
The fast-food chain has declined to name the database firm associated with its breach.
Gawker was the target of a publicly malicious attack this week by a group known as Gnosis, which appears to have gone after the media blogging company for taunting the 4chan hacker channel and Anonymous. Gnosis published its notes on the hack, but the bottom line is it exposed 1.5 million user accounts on Gawker.com, a breach that spread to Twitter as well for those users who used the same credentials for both their Gawker and Twitter accounts.
Gnosis reportedly was trying in part to teach Gawker a security lesson. It also exposed Gawker's source code as well as internal correspondence and other confidential information.
"Gawker was using DES, an old encryption standard, and they were using an older, 3-year-old version of Linux. That's embarrassing," says Chris Drake, founder and CEO of FireHost, a secure Web hosting firm that has Kevin Mitnick among its clients.
Drake says Gawker left the door open a while back and had early warnings of its vulnerability to attack.
The attackers obtained access to Gawker's MySQL database and, because the passwords were encrypted in DES, were able to glean the first eight characters in the passwords.
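Why only the first eight characters matter, and how a defender can find such hashes in their own user table, shown as an added example that is not from the original article or from Gawker's code. It models the key derivation of traditional DES-based crypt(3) (low 7 bits of the first 8 bytes) and flags stored values in that 13-character format; the function names and sample rows are constructed for illustration.

```python
import re

# Traditional DES crypt(3) output: 2-char salt + 11-char digest, no "$" prefix.
DES_CRYPT_RE = re.compile(r"^[./0-9A-Za-z]{13}$")

# Modular-crypt prefixes that identify newer schemes.
MODULAR_PREFIXES = {
    "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
    "$5$": "sha256-crypt", "$6$": "sha512-crypt",
}


def des_crypt_key(password: str) -> bytes:
    """Key material traditional crypt(3) feeds to DES.

    Only the first 8 bytes are read, and only the low 7 bits of each,
    giving 56 key bits. Everything after byte 8 is ignored.
    """
    raw = password.encode("utf-8")[:8].ljust(8, b"\0")
    return bytes((b & 0x7F) << 1 for b in raw)


def classify(stored: str) -> str:
    """Name the hashing scheme of a stored password value by its format."""
    for prefix, name in MODULAR_PREFIXES.items():
        if stored.startswith(prefix):
            return name
    return "des-crypt" if DES_CRYPT_RE.match(stored) else "unknown"


def accounts_needing_rehash(rows):
    """Return usernames whose stored value is a legacy DES crypt hash."""
    return [user for user, stored in rows if classify(stored) == "des-crypt"]


# Constructed sample rows (placeholder digests, not real hashes).
SAMPLE_ROWS = [
    ("alice", "saEXAMPLEhash"),
    ("bob", "$2b$12$" + "x" * 53),
    ("carol", "$6$examplesalt$" + "y" * 86),
]

if __name__ == "__main__":
    same = des_crypt_key("password") == des_crypt_key("password-plus-long-suffix")
    print("long suffix ignored:", same)
    print("force rehash at next login:", accounts_needing_rehash(SAMPLE_ROWS))
```

Accounts flagged this way cannot be converted offline; the stored value has to be replaced with a modern hash the next time the user authenticates or resets the password.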
"The data breach compromising 1.5 million accounts at Gawker.com parallels the VA data breach of 2006. Before that breach, companies were complacent about encrypting data stored on laptops and portable hard drives," said Garret Grajek, founder and CTO at SecureAuth, in a statement. "An apology to 1.5 million commenters for the first major cloud data breach is unacceptable."
Some of the problem, of course, was in the types of passwords created by the victims: Out of a sample of around 188,000 passwords studied by Daniel Peck, a research scientist with Barracuda Labs, 3,057 passwords were "12345", 1,055 were "password", and the rest of the list included "12345678", "lifehack", "qwerty", and "abc123".
McDonald's and Walgreens, meanwhile, were hit with a more common type of breach that exposed their customers' information, namely email addresses. McDonald's contractor Arc Worldwide, which handles marketing and other promotions for the fast-food giant, alerted McDonald's that some of its customer information associated with some McDonald's websites and promotions had been hacked.
The breach came via the systems of a third-party email database management firm used by Arc: "Arc retained the services of an email database management firm whose computer systems were improperly accessed by a third party," McDonald's said in a statement. "We are also working with Arc and their database management firm to understand how the security was bypassed."
A McDonald's spokesperson declined to provide any details on the breach, but the company says the information accessed was neither credit card nor financial information, nor Social Security numbers. However, the database containing McDonald's customer emails also included birthday information and phone numbers.
"McDonald's does not collect this type of information on-line or through email. Rather, the limited information includes what was required to confirm the customer's age, methods to contact the customer, and other general preference information," the statement said.
Walgreens contacted its customers as well during the past few days after discovering customer emails had been siphoned from its database. The information exposed was email addresses only, a Walgreens spokesperson said. Some of its customers have received spam messages attempting to lure them to another website and to enter personal information, said the spokesperson, who declined to reveal additional details on the hack. "We are adding some additional steps before a customer's email list can be accessed, as well as monitoring for suspicious activity."
But an underlying problem was the outsourced element of McDonald's customer data. "In McDonald's case, they outsourced the management of their customer data to a service provider who, in turn, outsourced it to another provider. It is unlikely that McDonald's did their security due diligence for the first provider, let alone the second," Veracode's Wysopal says. "It is important that businesses make sure their service providers have at least as good security protections around customer data that they would have and disallow further outsourcing unless the secondary outsourcer is vetted to the same degree."
Despite the seemingly innocuous nature of the customer data pilfered from Gawker, McDonald's, and Walgreens, any of this information can be used to socially engineer more valuable information from the victimized customers.
"Hacking email addresses for targeted lists like Walgreens and McDonald's just continues to happen," FireHost's Drake says. The emails can be sold to spammers, and information such as a customer's birthdate can be used to lure them to trust a message is from McDonald's or another reputable source. "Then you know enough about a person to make them think they can trust you and use a Happy Birthday wish to lure them to another link and wage a cross-site request forgery or other attack," he says.