Tuesday, July 23, 2024
RSS

Shadow silent on data breach as hacked data appears genuine

In a recent data breach at French cloud gaming provider Shadow, stolen data appears to be genuine and may be more extensive than originally reported. The breach, which occurred through an advanced social engineering attack on one of Shadow’s employees, has compromised sensitive customer information such as full names, email addresses, billing addresses, and credit card details. A hacker claiming responsibility for the breach has reportedly accessed the data of over 530,000 Shadow customers and is now offering it for sale. Despite this significant security breach, Shadow has remained silent on the matter, leaving customers concerned about the company’s response and whether proper measures are being taken to address the issue.

Shadow silent on data breach as hacked data appears genuine

This image is property of techcrunch.com.

Table of Contents

Data breach at Shadow

A recent data breach at French cloud gaming provider Shadow has raised significant concerns about the security and privacy of customer data. Initial reports indicate that the breach may be worse than originally implied, with extensive personal information and API keys being compromised. It is essential for customers to be aware of the details of the breach and the potential impact on their privacy and security.

Initial report suggests breach worse than implied

According to a sample of the stolen data seen by TechCrunch, the data breach at Shadow may be more severe than initially suggested. In an email sent to affected customers, Shadow CEO Eric Sèle stated that a hacker carried out an advanced social engineering attack that allowed unauthorized access to customers’ private information. The stolen data includes full names, email addresses, dates of birth, billing addresses, and credit card expiry dates. The breach has raised concerns about the extent to which customer data has been compromised.

Hacker claims responsibility and offers data for sale

The hacker responsible for the data breach has claimed responsibility and is offering the stolen data for sale. They allege that Shadow deliberately ignored their attempts to inform the company of the breach. TechCrunch has verified a portion of the stolen records and confirmed that the hacker has access to the data of over 530,000 Shadow customers. This revelation highlights the significance of the breach and the potential ramifications for affected customers.

TechCrunch verifies stolen records

TechCrunch obtained a sample of the stolen data, comprising 10,000 unique records, from the hacker responsible for the data breach. To validate the authenticity of the data, TechCrunch matched unique staff-related email addresses found in the dataset with the company’s sign-up form, which returns an error if an email address is already registered. They discovered that several Shadow staff accounts were registered using company email addresses containing long strings of letters and numbers unique to Shadow. This verification confirms the accuracy of the stolen data and the severity of the breach.

Data includes customer billing addresses and API keys

The stolen data includes sensitive customer information, such as billing addresses and API keys. It is unclear whether customers have access to these API keys, which could potentially lead to further breaches and unauthorized access to customer accounts. Additionally, the dataset contains non-personal information related to customer accounts, including subscription status and whether accounts have been blacklisted. This wide range of compromised data raises significant concerns about customer privacy and the security of their personal information.

Shadow breached at the end of September

The data breach at Shadow occurred at the end of September, according to the most recent record in the stolen data. While Shadow sent an email notification to affected customers, it has not yet been published publicly on their website or shared on the company’s social media channels. The lack of transparency regarding the breach and its timing is worrisome and leaves affected customers questioning the effectiveness of Shadow’s security measures.

Shadow’s response

The response from Shadow to the data breach has been mixed, with the CEO sending an email to affected customers while the spokesperson remains silent on the matter. It is uncertain whether Shadow informed the data protection regulator, CNIL, as required by European law. The company’s lack of transparency and accountability in addressing the breach raises concerns about their commitment to protecting customer data.

Shadow CEO’s email to affected customers

In an email sent to customers affected by the data breach, Shadow CEO Eric Sèle acknowledged the breach and provided some details about the incident. He stated that an employee fell victim to an advanced social engineering attack, resulting in unauthorized access to customers’ private data. However, the CEO’s email did not disclose the full extent of the breach, leaving affected customers questioning the level of compromise and potential risks to their personal information.

Shadow spokesperson’s silence on the matter

Despite the CEO’s email to affected customers, the Shadow spokesperson, Thomas Beaufils, has remained silent on the data breach. When approached for comment by TechCrunch, Beaufils did not respond, leaving customers and the public unaware of the company’s official stance on the breach and its efforts to address the situation. This lack of communication raises concerns about Shadow’s commitment to transparency and customer trust.

Unknown if Shadow informed data protection regulator

It is currently unknown whether Shadow informed France’s data protection regulator, CNIL, about the data breach, as required by European law. CNIL plays a crucial role in ensuring compliance with data protection regulations and investigating breaches. Shadow’s failure to disclose information regarding their communication with CNIL further raises questions about their adherence to data protection laws and their commitment to customer privacy.

Valve’s mandate for two-factor authentication

In a separate development, gaming company Valve has implemented mandatory two-factor authentication checks for developers following recent compromises of game developers’ accounts. While it is unclear if this is directly related to the Shadow data breach, it highlights the importance of strong security measures in safeguarding personal data. TechCrunch has reached out to Valve for a response, awaiting clarification on any potential connection to the Shadow breach.

Shadow silent on data breach as hacked data appears genuine

This image is property of images.unsplash.com.

Details of the data breach

Understanding the details of the data breach is crucial to comprehend the extent of the compromise and the potential impact on customer privacy and security.

Type of attack: advanced social engineering

The data breach at Shadow was the result of an advanced social engineering attack. Social engineering involves manipulating individuals to gain unauthorized access to secure information or systems. In this case, a hacker exploited an employee’s vulnerability to deceive them into granting access to customers’ private data. The sophisticated nature of the attack emphasizes the importance of ongoing security awareness training and measures to prevent such incidents.

Data exposed: full names, email addresses, dates of birth, billing addresses, credit card expiry dates

The stolen data includes a range of sensitive customer information, comprising full names, email addresses, dates of birth, billing addresses, and credit card expiry dates. This comprehensive set of personal data raises significant concerns about the potential for identity theft, fraud, and other malicious activities. Affected customers must remain vigilant and take necessary precautions to protect their information and prevent any unauthorized use.

Number of affected customers: over 530,000

The scale of the data breach is extensive, with over 530,000 Shadow customers affected. This substantial number highlights the widespread impact of the breach and the urgent need for Shadow to address the situation effectively. Customers must be proactive in monitoring their accounts, reviewing their personal information, and reporting any suspicious activity to prevent further harm.

Data for sale on hacking forum

The hacker responsible for the breach has posted the stolen data for sale on a popular hacking forum. This further emphasizes the seriousness of the breach and the potential market for compromised customer information. Shadow customers should be cautious of any attempts at identity theft or fraud that may arise from the availability of their personal information.

Claims of being deliberately ignored by Shadow

The hacker responsible for the data breach has claimed that they were deliberately ignored by Shadow when attempting to disclose the breach. This allegation raises concerns about Shadow’s responsiveness to potential threats and their commitment to promptly addressing security issues. Customers need assurance that their data is being protected and that any vulnerabilities or breaches will be addressed immediately.

Verification of stolen data

TechCrunch has verified a portion of the stolen data to confirm its authenticity and the severity of the breach. The validation process offers valuable insights into the compromised information and the potential risks to affected customers.

TechCrunch obtained a sample of the stolen data

TechCrunch acquired a sample of the stolen data containing 10,000 unique records. This sample allowed them to analyze the data and confirm its legitimacy, providing a basis for their reporting. It is important to note that the verified portion represents only a small fraction of the total stolen data, further highlighting the need for customers to remain vigilant.

Sample contained 10,000 unique records

The sample of the stolen data obtained by TechCrunch consisted of 10,000 unique records. This subset of the stolen data is significant and provides a glimpse into the scope of the breach. Each record represents an individual customer whose personal information has been compromised, underscoring the severity of the situation.

Matching email addresses with the website’s sign-up form

TechCrunch cross-referenced the stolen data with Shadow’s website sign-up form to validate the accuracy of the records. By checking if the email addresses in the stolen data were already registered on the website, TechCrunch confirmed the legitimacy of the data. This verification process provides reassurance that the stolen information is genuine and raises concerns about the security measures in place at Shadow.

Shadow staff accounts registered using company email addresses

In the process of verifying the stolen data, TechCrunch discovered that several Shadow staff accounts were registered using company email addresses. This finding suggests that internal accounts were compromised, allowing the hackers access to a variety of sensitive information. The use of company email addresses by staff to register accounts further highlights potential vulnerabilities within the organization’s security systems.

Billing addresses correspond with private home addresses

Another significant finding during the verification process was that many of the customer billing addresses in the stolen data corresponded with private home addresses. This connection exposes affected customers to potential privacy risks and emphasizes the need for robust security measures to protect personal information. It also raises concerns about the potential for physical harm or targeted attacks on individuals whose information has been compromised.

Shadow silent on data breach as hacked data appears genuine

This image is property of images.unsplash.com.

Concerns regarding customer data

The data breach at Shadow raises several concerns regarding the security and privacy of customer data. These concerns encompass both personal and non-personal information related to customer accounts.

Access to customer API keys

The stolen data includes private API keys that correspond with customer accounts. While it remains unclear whether customers have access to these API keys, their compromise could have significant consequences for account security. Unauthorized access to API keys may enable further breaches and the potential for additional unauthorized access to customer accounts or personal information. Shadow must address this issue promptly and provide clarity on the extent to which customer accounts and data have been compromised.

Uncertainty regarding customer access to the keys

As of now, it is uncertain whether customers have access to the API keys that are included in the stolen data. The lack of clarity surrounding customer access to these keys raises concerns about the potential for unauthorized parties to exploit them. Shadow must provide immediate clarification to customers regarding their access to these keys and take necessary steps to mitigate any risks associated with their compromise.

Non-personal information related to customer accounts

In addition to personal data, the stolen data includes non-personal information related to customer accounts. This information comprises subscription status and whether accounts have been blacklisted. While this data may not directly impact customer privacy, it raises concerns about the potential misuse of non-sensitive account information. Shadow should address these concerns and provide reassurance to affected customers regarding the security of their account information.

Subscription status and blacklisted accounts

The stolen data includes information about customers’ subscription status and whether their accounts have been blacklisted. This raises concerns about the privacy and security of customer accounts. Customers need assurance that their subscription status will remain confidential and that their accounts will be protected from unauthorized access or malicious activity. Shadow must take immediate action to address any vulnerabilities that may have led to the compromise of this information.

Potential impact on customer privacy and security

The extensive compromise of customer data raises concerns about the potential impact on customer privacy and security. With personal information, billing addresses, and API keys exposed, affected customers may face significant risks, including identity theft, fraudulent activity, and unauthorized access to their accounts. Shadow must acknowledge the severity of the breach and provide affected customers with robust support and resources to enhance their security and protect their privacy.

Timeline of the breach

Understanding the timeline of the data breach is crucial to grasp the sequence of events and assess the response of Shadow and other involved parties.

Breached on or shortly after September 28

Based on the most recent record in the stolen data, it appears that Shadow was breached on or shortly after September 28. This timeframe provides important context for the incident and allows affected customers to assess any potential impact on their personal information and accounts. The breach occurring over a month ago raises concerns about the delay in notifying customers and the potential for further unauthorized access during that time.

Email notification to affected customers not yet published publicly

Shadow has sent an email notification to affected customers regarding the data breach. However, this notification has not been published publicly on the company’s website or shared on their social media channels. The lack of public disclosure by Shadow raises questions about the company’s transparency and the extent to which they are holding themselves accountable for the breach. Customers must have access to clear and timely information regarding the breach and the steps being taken to address it.

Unclear if Shadow informed data protection regulator

There is currently no information regarding whether Shadow informed France’s data protection regulator, CNIL, of the data breach, as required by European law. The involvement of regulatory authorities in data breaches is crucial to ensure compliance and protect affected individuals. Shadow’s failure to disclose their communication with CNIL further raises concerns about their commitment to data protection regulations and their willingness to address breaches promptly and responsibly.

Shadow silent on data breach as hacked data appears genuine

This image is property of images.unsplash.com.

Silence from Shadow

Shadow’s response to the data breach has been marked by silence from their spokesperson and a lack of response to TechCrunch’s findings. This silence raises concerns about Shadow’s commitment to transparency, accountability, and customer trust.

Shadow spokesperson not commenting

Despite the severity of the data breach, Shadow’s spokesperson, Thomas Beaufils, has remained silent on the matter. When contacted by TechCrunch, Beaufils did not provide a comment, leaving customers and the public in the dark regarding the company’s official stance on the breach. This lack of communication hinders customer confidence in Shadow’s ability and willingness to address security issues promptly and effectively.

Lack of response to TechCrunch’s findings

TechCrunch’s investigative reporting and verification of the stolen data are crucial in understanding the extent of the breach and informing affected customers. However, Shadow’s lack of response to TechCrunch’s findings raises concerns about the company’s engagement with the press and their willingness to address the breach publicly. Open and transparent communication is essential in such situations to ensure customers are informed and feel supported.

Questions about compliance with data protection laws

Shadow’s silence on the matter raises questions about their compliance with data protection laws and regulations. Without clear and transparent communication, customers and regulatory authorities are left in the dark regarding Shadow’s adherence to their obligations and the steps they are taking to protect customer data. Shadow must address these concerns promptly to regain the trust of affected customers and demonstrate their commitment to data protection and customer privacy.

Data protection regulations

Compliance with data protection regulations is essential to ensure the security and privacy of customer data. The Shadow data breach raises concerns about whether the company fulfilled its obligations under these regulations.

Unknown if Shadow informed France’s CNIL

It is currently unknown whether Shadow informed France’s data protection regulator, CNIL, about the data breach as required by European law. CNIL plays a vital role in overseeing compliance with data protection regulations and responding to breaches. Shadow’s failure to disclose any communication with CNIL raises concerns about their adherence to data protection laws and their commitment to providing customers with a secure and trustworthy service.

Requirement for companies to notify regulatory authorities

Companies that experience a data breach are required by law to notify the relevant data protection regulator. This notification allows regulatory authorities to assess the severity of the breach, investigate any potential infringements, and ensure that affected individuals are provided with the necessary support and information. If Shadow failed to inform CNIL, it would be a significant breach of their obligations and may lead to further scrutiny and potential penalties.

Implications of non-compliance

Non-compliance with data protection regulations has severe implications for companies. Failure to fulfill reporting obligations and adequately protect customer data can result in monetary fines, reputational damage, and legal consequences. It is crucial for Shadow to address any potential compliance issues promptly, rectify any shortcomings in their security measures, and demonstrate their commitment to data protection and customer privacy.

Shadow silent on data breach as hacked data appears genuine

Valve’s mandate for two-factor authentication

Valve, a prominent gaming company, recently mandated two-factor authentication checks for developers following compromises of game developers’ accounts. While it is unclear if this is directly related to the Shadow data breach, it underscores the importance of robust security measures in safeguarding personal data.

Recent compromises of game developers’ accounts

Multiple game developers’ accounts have been compromised in recent attacks, leading Valve to implement two-factor authentication checks for developers. These compromises highlight the prevalence and sophistication of security threats in the gaming industry. While the direct connection to the Shadow data breach is uncertain, it serves as a reminder of the need for heightened security measures in protecting personal data in online platforms.

Connection to the Shadow breach unclear

While Valve’s mandate for two-factor authentication may be a response to recent compromises in the gaming industry, its specific connection to the Shadow data breach remains unclear. Valve’s response to TechCrunch’s inquiries will provide further insights into any potential links between the two incidents. Nevertheless, the mandate highlights the broader importance of strong security measures in protecting customer data.

Waiting for Valve’s response to TechCrunch’s inquiries

TechCrunch has reached out to Valve for clarification on any potential connection between the Shadow breach and the recent compromises of game developers’ accounts. Valve’s response will shed light on their motivations for implementing two-factor authentication and whether it directly relates to the Shadow data breach. This response is crucial in understanding the broader implications of the breach and the steps being taken to address security vulnerabilities.

Conclusion

The data breach at Shadow raises significant concerns about the security and privacy of customer data. The initial report suggests that the breach may be more severe than originally implied, with extensive personal information and API keys compromised. Shadow’s response to the breach, marked by silence and a lack of transparency, further compounds these concerns.

The verification of stolen data by TechCrunch confirms the accuracy and severity of the breach, underscoring the urgent need for Shadow to address the situation promptly and effectively. The uncertain timeline of the breach and potential non-compliance with data protection regulations raise questions about Shadow’s commitment to customer trust and regulatory obligations.

The lack of response from Shadow’s spokesperson and silence regarding TechCrunch’s findings only amplify concerns about the company’s accountability and transparency. Shadow must take immediate steps to rectify this and provide clear and timely communication to affected customers.

The Shadow data breach highlights the importance of data protection and cybersecurity. Customers must remain vigilant, monitor their accounts for any suspicious activity, and take necessary precautions to protect their personal information. The implications of the breach extend beyond immediate concerns, emphasizing the broader need for robust security measures and regulatory compliance to safeguard customer data.

Source: https://techcrunch.com/2023/10/13/shadow-data-breach-hacked/