Cybersecurity Roundup: Dropbox Data Breach and REvil Hacker Sentenced

Here are the week’s most significant cybersecurity news stories.

Dropbox Confirms Breach of User Data and Secret Keys

Cloud service Dropbox reported a breach of its Dropbox Sign eSignature platform’s production systems, allowing attackers access to its customer database. The incident occurred on April 24.

Compromised data includes email addresses, usernames, and general account settings. In some cases, phone numbers, hashed passwords, and certain authentication data, including API keys, OAuth tokens, and MFA information, were exposed.

An internal investigation found no evidence of unauthorized access to customer documents or agreements, nor to other Dropbox services.

The company enforced a password reset for all users, terminated their Dropbox Sign sessions, and restricted the use of API keys until clients replaced them. Security recommendations were issued for affected users.

REvil Affiliate Sentenced to Nearly 14 Years in Prison

A US court found guilty 24-year-old Ukrainian citizen Yaroslav Vasinskyi of conducting over 2,500 attacks using Sodinokibi/REvil ransomware, causing $700 million in damages. 

In cases where ransoms were not paid, Vasinskyi, known as Rabotnik, and his accomplices would leak victim data. Authorities report that the cybercriminals used cryptocurrency exchanges and mixers to conceal illicit proceeds.

Vasinskyi was arrested in Poland in November 2021 and added to the US sanctions list. Authorities confiscated 39.8 BTC ($6.1 million at the time). The hacker later pleaded guilty to 11 charges.

He was sentenced to 13 years and seven months in prison and ordered to pay over $16 million in restitution. 

Meanwhile, in Finland, 26-year-old Julius Aleksanteri Kivimäki received a six-year sentence for hacking the private psychotherapy center Vastaamo in Helsinki back in 2018. 

According to local media, the hacker stole sensitive data from about 33,000 patients. He was found guilty of 9,200 cases of disseminating private information, 22,000 attempts at extortion, and 20 instances of blackmail. 

Additionally, Kivimäki faces over 5,000 compensation claims.

UK Bans Default Weak Passwords

On April 29, the UK enforced the PSTI Act, tightening security measures for consumer smart devices, including mobile phones, tablets, entertainment gadgets, home surveillance systems, and household appliances.

One key requirement is that devices must not be shipped with factory-set passwords that are easily guessable.

The law also mandates manufacturers to provide a contact for reporting security issues and to inform about the minimum update period for the device.

Companies violating the law face fines of up to £10 million ($12.5 million) or 4% of their annual global turnover, whichever is greater.

Europol Shuts Down 12 Fraudulent Call Centers

In Operation Pandora, German law enforcement, supported by hundreds of colleagues from other countries, halted the operations of 12 call centers involved in phone fraud in Albania, Bosnia and Herzegovina, Kosovo, and Lebanon. 

The call scripts ranged from romance and investment scams to impersonating police calls.

During numerous raids, police identified 39 suspects and arrested 21 individuals.

Evidence seized included data carriers, documents, cash, and other assets worth approximately €1 million.

monobank Targeted by Powerful DDoS Attacks

On May 1 and 2, Ukrainian monobank was hit by powerful DDoS attacks, as reported by bank co-founder Oleg Gorokhovsky.

“They are persistent, no doubt. They really want to take down monobank. But it’s hard. Better take down some online casino,” he wrote.

Clients experienced issues with the mobile app, which either failed to load or froze during transactions.

monobank’s support service urged users to refrain from making payments until the technical issue was resolved.

Telegram, YouTube, and Twitch Ignore RKN Requests to Remove Information

Messenger Telegram failed to remove over 120,000 unlawful materials following demands from Roskomnadzor, reports TASS citing the agency’s press service. 

Similar requests from RKN have so far been ignored by YouTube (60,700 materials) and the platform Twitch (505). 

Under Russian law, hosting or internet resource owners must remove unlawful content within 24 hours of receiving a Roskomnadzor request. Failure to comply can result in fines of up to 20% of annual revenue.

Also on ForkLog:

• A trader lost $68 million due to address spoofing fraud.
• Nigerian fintech companies began blocking clients over cryptocurrencies.
• Tether and Chainalysis to develop a solution for monitoring the secondary market.
• A suspect in ZKasino fraud was arrested in the Netherlands.
• Wasabi Wallet developer to disable CoinJoin anonymization service.
• Elliptic trained AI to detect money laundering through bitcoin.
• Media: Jack Dorsey’s Square and Cash App under scrutiny for suspicious crypto transactions.
• A suspect in STRK airdrop theft was detained in China.
• Pike Finance lost nearly $2 million in two attacks.
• Beribit clients reported fraud by the bitcoin exchange.
• CertiK reported record low cryptocurrency losses in April.
• Report: How Lazarus Group laundered $200 million from 25 crypto attacks.
• The Shiba Inu community warned of scammers and fake tokens.
• Lazarus Group created a fake investor to target the DeFi sector.
• The Optimism team resolved two critical vulnerabilities in the testnet.

Weekend Reading Suggestions

In the educational section “Cryptorium,” we explore how different blockchain protocols solve the Byzantine Generals Problem.