Heroes & Villains, the Aston Villa fanzine

Heroes & Villains => Heroes Discussion => Topic started by: amfy on May 21, 2024, 10:33:58 PM

Title: Villa possibly hacked?
Post by: amfy on May 21, 2024, 10:33:58 PM
This has come to me via a Villa friend who isn’t on these boards.
I don’t know if people might want to think about changing passwords & stuff?
Not sure what to make of it tbh.

https://cybernews.com/security/aston-villa-fc-security-gaps-expose-fans/

Merge?
Title: Re: Villa possibly hacked?
Post by: purpletrousers on May 21, 2024, 10:36:13 PM
https://cybernews.com/security/aston-villa-fc-security-gaps-expose-fans/


I’ll try and neaten this post up [won't let me put it as a quote, I give up / feel free to merge/delete], but just got this from Amfy, I think via a CDWeebully associate.

Aston Villa’s gates have security gaps: fans exposed
Aston Villa FC

Aston Villa Football Club (AVFC) left a publicly leaking Amazon Web Services (AWS) S3 bucket containing the personally identifiable information of 135,770 individuals. The affected fans are vulnerable to spear phishing, social engineering attacks, and identity theft attempts.

On March 13th, 2024, the Cybernews research team discovered a publicly accessible AWS S3 bucket (cloud storage service). The storage likely belongs to Aston Villa Football Club, as it contained 135,770 member records among 5842 exposed CSV files used for storing data.

The exposed personal information contains the following:

Full names
Dates of Birth
Home addresses
Phone numbers
Email addresses
Membership details
Purchase details (date, method of payment, type of membership purchased)

Cybersecurity researchers warn that “the exposure of personally identifiable information presents a series of severe information security implications and risks to the club’s fans.”

The leaking bucket was labeled “prod” in its name, which suggests it could be used to store and manage data used in AVFC’s operational and production environments.

After responsible disclosure, the bucket is no longer public. Cybernews has reached out to AVFC for additional comments, but we have yet to receive a response.

Therefore, it’s unclear what caused the leak or whether other third parties have compromised the bucket.

Founded in 1874, Aston Villa Football Club is a professional football club based in Aston, Birmingham, England. Villa competes in the Premier League, the highest level of the English football league system, and has recently qualified for next season’s Champions League, Europe’s elite competition.

The AVFC official website has 1.1 million monthly visitors, according to Similarweb.

Many risks ahead

For cybercriminals, the data is a treasure trove that may be used for many financially motivated attacks.

The more data crooks can leverage, the more sophisticated social engineering attacks they can orchestrate.

“Attackers could engage in manipulative tactics aimed at persuading unsuspecting individuals to divulge further sensitive information or undertake actions that compromise their security. This may involve impersonating trusted entities to elicit additional personal or financial information,” researchers warn.

Villa fans should beware that the availability of exposed email addresses and phone numbers can be used for spear phishing campaigns specifically designed for each exposed individual.

Cybercriminals may craft deceptive emails, text messages, or calls purporting to originate from legitimate sources. Such scams often seem genuine, and victims unintentionally fall for them. Avoid clicking on dangerous links, downloading attachments, divulging login information, and follow other good cyber hygiene practices.

“Personal safety and security are seriously threatened when the residential address is made public. Doxxing incidents violate a person’s privacy. The consequences are not limited to cyberspace and could involve other illegal activities that are made easier by knowing exactly where the person lives, such as theft, burglary, or physical incursion,” our research team warns.

Encryption adds an additional security layer

For AVFC, the Cybernews research team recommends retrospectively monitoring access logs to assess whether unauthorized actors have accessed the exposed bucket. Of course, the first step is always to secure the S3 bucket to prevent any further unauthorized access.

Even when storage gets compromised, the encryption of sensitive data would protect it from being accessed by unauthorized parties.

“AWS's server-side encryption tools, such as KMS or AWS S3-managed keys, should be used to encrypt sensitive data and modify the bucket’s access settings,” our researchers recommend.

The owner should notify the Data Protection Authorities (ICO) if the bucket has been compromised.
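The Cybernews recommendation quoted above, to go back through the bucket's access logs and work out whether anyone outside the club read the data, can be done mechanically. The script below is an added example for this thread, not code from Cybernews, the club or its service provider: it parses lines in the S3 server access log format and summarises successful anonymous requests (S3 logs the requester as "-" for those) by source address. The log lines, bucket name, key names, addresses and request ids in it are constructed for the demo and are not from the real incident.

```python
"""Summarise anonymous reads from S3 server access logs (added example, not AVFC's code)."""
import re
from collections import Counter, defaultdict

# One token per field: a [bracketed timestamp], a "quoted string", or a bare word.
_TOKEN = re.compile(r'\[[^\]]*\]|"[^"]*"|\S+')

# Leading positional fields of the S3 server access log format.
_FIELDS = ("bucket_owner", "bucket", "time", "remote_ip", "requester",
           "request_id", "operation", "key", "request_uri", "http_status",
           "error_code", "bytes_sent")


def parse_line(line):
    """Return the leading fields of one S3 server access log line as a dict."""
    tokens = _TOKEN.findall(line)
    if len(tokens) < len(_FIELDS):
        raise ValueError("truncated log line: %r" % line)
    rec = dict(zip(_FIELDS, tokens))
    rec["time"] = rec["time"].strip("[]")
    rec["request_uri"] = rec["request_uri"].strip('"')
    # bytes_sent is "-" when nothing was returned (errors, HEAD requests).
    rec["bytes_sent"] = int(rec["bytes_sent"]) if rec["bytes_sent"].isdigit() else 0
    return rec


def review_anonymous_access(lines):
    """Group successful unauthenticated requests by source address.

    REST.GET.OBJECT is a download; REST.GET.BUCKET is a listing of the keys,
    which is what someone who has found an open bucket does before pulling
    everything in it.  Authenticated and refused requests are skipped.
    """
    downloads = defaultdict(list)  # remote_ip -> keys fetched anonymously
    listings = Counter()           # remote_ip -> anonymous ListBucket calls
    bytes_out = Counter()          # remote_ip -> bytes served to that address
    for line in lines:
        rec = parse_line(line)
        if rec["requester"] != "-" or not rec["http_status"].startswith("2"):
            continue
        if rec["operation"] == "REST.GET.OBJECT":
            downloads[rec["remote_ip"]].append(rec["key"])
        elif rec["operation"] == "REST.GET.BUCKET":
            listings[rec["remote_ip"]] += 1
        bytes_out[rec["remote_ip"]] += rec["bytes_sent"]
    return {"downloads": dict(downloads), "listings": dict(listings),
            "bytes_out": dict(bytes_out)}


# Constructed sample log lines: bucket, keys, addresses and ids are all made up.
SAMPLE_LOG = [
    # anonymous listing of the bucket
    'OWNER example-prod-bucket [13/Mar/2024:09:12:01 +0000] 198.51.100.7 - REQ1 '
    'REST.GET.BUCKET - "GET /example-prod-bucket?list-type=2 HTTP/1.1" 200 - 4096 - '
    '12 - "-" "aws-cli/2.15"',
    # two anonymous downloads from the same address
    'OWNER example-prod-bucket [13/Mar/2024:09:12:40 +0000] 198.51.100.7 - REQ2 '
    'REST.GET.OBJECT members/2024-03.csv "GET /example-prod-bucket/members/2024-03.csv '
    'HTTP/1.1" 200 - 917344 917344 85 40 "-" "aws-cli/2.15"',
    'OWNER example-prod-bucket [13/Mar/2024:09:13:02 +0000] 198.51.100.7 - REQ3 '
    'REST.GET.OBJECT members/2024-02.csv "GET /example-prod-bucket/members/2024-02.csv '
    'HTTP/1.1" 200 - 880120 880120 80 38 "-" "aws-cli/2.15"',
    # the application's own authenticated read (IAM role as requester)
    'OWNER example-prod-bucket [13/Mar/2024:10:01:17 +0000] 203.0.113.9 '
    'arn:aws:iam::111122223333:role/example-app REQ4 REST.GET.OBJECT members/2024-03.csv '
    '"GET /example-prod-bucket/members/2024-03.csv HTTP/1.1" 200 - 917344 917344 60 30 '
    '"-" "Boto3/1.34"',
    # an anonymous attempt after the bucket was closed: refused, nothing sent
    'OWNER example-prod-bucket [14/Mar/2024:02:45:09 +0000] 192.0.2.44 - REQ5 '
    'REST.GET.OBJECT members/2024-03.csv "GET /example-prod-bucket/members/2024-03.csv '
    'HTTP/1.1" 403 AccessDenied - 917344 5 - "-" "python-requests/2.31"',
]

if __name__ == "__main__":
    for ip, keys in review_anonymous_access(SAMPLE_LOG)["downloads"].items():
        print(ip, "fetched", len(keys), "object(s) anonymously:", ", ".join(keys))
```

On the sample, only 198.51.100.7 shows up: one listing and two CSV downloads, 1,801,560 bytes in total, which is the sort of record the club would need for the ICO question of whether the data was actually accessed. Server access logging has to have been switched on before the exposure for this to show anything; if it was not, CloudTrail data events for the bucket are the other place to look.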
Title: Re: Villa possibly hacked?
Post by: Somniloquism on May 21, 2024, 10:42:05 PM
That is the trouble with AWS and Azure now. In the old days the data would be on a server with built in access restrictions, but with the cloud based containers and app services, the storage can be left open by the app team to make it easier for applications to talk to it, forgetting that anyone else who stumbles on the IP address could as well.

Could be a big fine though from the ICO if true, especially if the data was accessed as well. Up to £17.5 mil or 4% of turnover.
Title: Re: Villa possibly hacked?
Post by: purpletrousers on May 21, 2024, 10:44:09 PM
Don’t tell me it’ll hit our FFP as well!!!
Title: Re: Villa possibly hacked?
Post by: Bad English on May 21, 2024, 10:52:06 PM
Mind the gaps!
Title: Re: Villa possibly hacked?
Post by: Rudy Can't Fail on May 21, 2024, 11:05:52 PM
Strange that fans haven't heard anything about this from the club especially as they would have known at least over two months ago. Hopefully it's not a case of too many chiefs and not enough indians. (https://www.avfc.co.uk/news/2023/september/19/villa-announce-appointments-to-senior-leadership-team/)
Title: Re: Villa possibly hacked?
Post by: Legion on May 21, 2024, 11:11:38 PM
Merged.
Title: Re: Villa possibly hacked?
Post by: ChicagoLion on May 21, 2024, 11:12:36 PM
The club could be in serious trouble if they have left people exposed and have failed to notify potential cyber fraud victims
Title: Re: Villa possibly hacked?
Post by: pauliewalnuts on May 21, 2024, 11:13:07 PM
That is the trouble with AWS and Azure now. In the old days the data would be on a server with built in access restrictions, but with the cloud based containers and app services, the storage can be left open by the app team to make it easier for applications to talk to it, forgetting that anyone else who stumbles on the IP address could as well.

Could be a big fine though from the ICO if true, especially if the data was accessed as well. Up to £17.5 mil or 4% of turnover.

Not sure I agree with that (well actually, I’m totally sure I don’t agree with it): bad security is bad security whether it’s in the cloud or a traditional standalone data centre, and web services have to talk to it regardless; there’s nothing intrinsically unsafe about data being in the cloud.

It’s still in a data centre.

Knowing what the IP address is also makes no difference - the content running in your browser hits a web service somewhere to be able to do anything. It being on AWS or Azure rather than an independent data centre makes zero difference.

In fact, I’d argue cloud providers probably provide better baked in security in their infrastructure than your average business running its own servers in a dark room at the back of their office somewhere.
Title: Re: Villa possibly hacked?
Post by: Dogtanian on May 21, 2024, 11:47:27 PM
Hmmm.
Title: Re: Villa possibly hacked?
Post by: Weedy on May 22, 2024, 12:31:08 AM
Check here to see if any of your details are 'out there' :-

https://haveibeenpwned.com/
Title: Re: Villa possibly hacked?
Post by: Chico Hamilton III on May 22, 2024, 08:03:14 AM
Good job I changed all my online passwords last week from “Athens2024” to “Munich2025”.
Title: Re: Villa possibly hacked?
Post by: Olneythelonely on May 22, 2024, 08:04:17 AM
Check here to see if any of your details are 'out there' :-

https://haveibeenpwned.com/

That’s what a hacker would ask us to do.
Title: Re: Villa possibly hacked?
Post by: Dogtanian on May 22, 2024, 08:43:40 AM
Has anybody contacted the club?
Title: Re: Villa possibly hacked?
Post by: astonvilla82 on May 22, 2024, 09:40:29 AM
Check here to see if any of your details are 'out there' :-

https://haveibeenpwned.com/

That’s what a hacker would ask us to do.
Nearly fell for it just now.
Title: Re: Villa possibly hacked?
Post by: rjp on May 22, 2024, 10:10:36 AM
FFS.  Policies and procedures should be in place to make sure that having this open to the public can never happen, even with non-production data.  I would be sacked on the spot if I did this in my job.  Encrypting the data is also simple and should be mandatory for personally identifiable information.  This is basic, schoolboy level, info sec practice.  If the logs show a breach they have to report it to the ICO by law.  I don't think we do any of these IT functions in house anymore, pretty sure we contracted it out years ago.
Title: Re: Villa possibly hacked?
Post by: purpletrousers on May 22, 2024, 11:15:35 AM
Check here to see if any of your details are 'out there' :-

https://haveibeenpwned.com/

That’s what a hacker would ask us to do.
nearly fell for it just now


Feel free to do your own  checks but I’ve used it before (with startling results) and did again. 

I’ve seen some reviews which argue they could make the way email addresses are submitted a bit more secure, and it’s not the only such service, but generally there seems to be a sense it’s a useful tool. I’d be happy if those clearly more ITK could give a more confident assessment. One review pointed out that if you are taking the time to check whether you are exposed, you should be taking the time to use different passwords on every app/website.
Title: Re: Villa possibly hacked?
Post by: olaftab on May 22, 2024, 11:48:23 AM
Good job I changed all my online passwords last week from “Athens2024” to “Munich2025”.
You sound like a really switched on bloke, I will follow in your footsteps and do the same. Munich2025 it is. (nods head and walks away feeling rightly smug)
Title: Re: Villa possibly hacked?
Post by: Bad English on May 22, 2024, 12:26:37 PM
I have gone for a new, longer password with a mixture of upper and lower case, a number, and a special character. This will take centuries to crack
SCORRRRRRrRRRRRRRRRRRRRRRRRRRCHI0OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO!
Title: Re: Villa possibly hacked?
Post by: sid1964 on May 22, 2024, 12:44:19 PM
If you do your shopping at Morrisons supermarket this has also been hacked.
Title: Re: Villa possibly hacked?
Post by: Drummond on May 22, 2024, 01:11:04 PM
I have gone for a new, longer password with a mixture of upper and lower case, a number, and a special character. This will take centuries to crack
SCORRRRRRrRRRRRRRRRRRRRRRRRRRCHI0OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO!

"I'm sorry, you cannot have the same password as another user; this password was used earlier today. Please speak to your internet provider if you require any further information."
Title: Re: Villa possibly hacked?
Post by: purpletrousers on May 23, 2024, 12:14:07 PM
https://www.avfc.co.uk/news/2024/may/22/club-statement/

Yesterday 22/5

Quote
Aston Villa is aware of recent news reports of a publicly accessible AWS S3 bucket which reportedly contains fan data.

First and foremost, Aston Villa takes the privacy and security of its fans’ personal data extremely seriously and is carrying out a full and robust investigation into these reports, led by its Data Protection Officer and supported by the Club’s incident response team.

The Club believes that the reports relate to a vulnerability on one of its service provider’s systems and is working closely with the service provider, who are implementing their own in-depth inquiry.

Aston Villa will continue to communicate any updates from the ongoing investigation in due course but would like to reassure supporters that the Club is seeking a swift and thorough resolution to the matter.
Title: Re: Villa possibly hacked?
Post by: Somniloquism on May 24, 2024, 02:47:34 PM
Not sure I agree with that (well actually, I’m totally sure I don’t agree with it): bad security is bad security whether it’s in the cloud or a traditional standalone data centre, and web services have to talk to it regardless; there’s nothing intrinsically unsafe about data being in the cloud.

It’s still in a data centre.

Knowing what the IP address is also makes no difference - the content running in your browser hits a web service somewhere to be able to do anything. It being on AWS or Azure rather than an independent data centre makes zero difference.

In fact, I’d argue cloud providers probably provide better baked in security in their infrastructure than your average business running its own servers in a dark room at the back of their office somewhere.

It is not the cloud providers' specific security I was getting at, just that in the old days when apps were server based and "onsite", the infra teams would/should have set up DMZs which allowed controlled access to the website, and even more controlled access to the data stores behind it. Not unhackable but at least the control was there.

Nowadays with it all being PaaS driven, and "easier" to create for Developers without infrastructure being in place, you get them firing up storage accounts (Azure) or buckets (AWS) which default to being accessible from anywhere. They can be locked down for private network access or only available from some public addresses (like the webapps), but it relies on the developer knowing how to do this (and encrypting it on read/write etc for added security). And sometimes they forget, or find it too problematic when working with scaling out solutions where the IP addresses accessing can change at a whim.

But anyway, purpletrousers' post from the club has me even more concerned. The release seems to be that this was something they didn't know about until the link originally posted by Amfy, yet it was first discovered and reported to the club by the website in March. That will really be a big no-no from the ICO, which needs to be informed of significant breaches of data within 72 hours of the club being alerted. An internal failure of alerting the club's DPO is not an excuse there as it is up to the organisation to train staff on DPA practices. (And whoever the service provider is also probably needs dropping as well).
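Somniloquism's point above, that a bucket is only as locked down as the developer who created it remembered to make it, and the Cybernews recommendation quoted earlier in the thread (server-side encryption plus tighter bucket access settings), both come down to a handful of settings that can be checked. The script below is an added example, not code from the thread, the club or its service provider: it evaluates a bucket's Block Public Access settings, its default encryption rule and its bucket policy, working on the dict shapes the boto3 S3 client returns, so the same checks run offline on the two constructed configurations at the bottom or against a live bucket through fetch_live_config (which assumes boto3 is installed and AWS credentials with the relevant s3:Get* permissions). The bucket name, KMS key alias and VPC endpoint id are made up.

```python
"""Posture check for an S3 bucket: Block Public Access, default encryption, bucket policy.

Added example, not AVFC's or its provider's code.  Works on configuration in the
shapes the boto3 S3 client returns, so it runs offline on saved or constructed
configuration as well as against a live account (see fetch_live_config)."""
import json

# A statement with one of these principals grants access to anyone.
PUBLIC_PRINCIPALS = ("*", {"AWS": "*"})
# Condition keys that pin an anonymous grant to a private network, known addresses
# or your own organisation; a subset of the keys AWS itself treats as non-public.
RESTRICTING_KEYS = {"aws:SourceVpce", "aws:SourceVpc", "aws:SourceIp", "aws:PrincipalOrgID"}
PAB_SETTINGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def public_access_block_findings(pab):
    """Flag each of the four Block Public Access settings that is not enabled."""
    cfg = pab.get("PublicAccessBlockConfiguration", {})
    return ["%s is not enabled" % k for k in PAB_SETTINGS if not cfg.get(k)]


def encryption_findings(enc):
    """Flag a bucket with no default server-side encryption rule (SSE-S3 or SSE-KMS)."""
    rules = enc.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    algorithms = {r.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm")
                  for r in rules}
    if algorithms & {"AES256", "aws:kms", "aws:kms:dsse"}:
        return []
    return ["no default server-side encryption configured"]


def policy_findings(policy):
    """Flag Allow statements open to any principal without a network or org restriction."""
    findings = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow" or st.get("Principal") not in PUBLIC_PRINCIPALS:
            continue
        cond_keys = {key for operator in st.get("Condition", {}).values() for key in operator}
        if cond_keys & RESTRICTING_KEYS:
            continue  # anonymous, but only reachable from the VPC endpoint / listed addresses
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        findings.append("public %s on %s" % (", ".join(actions), st.get("Resource")))
    return findings


def assess(name, pab, enc, policy):
    """Combine the three checks; an empty findings list means nothing obviously open."""
    findings = (public_access_block_findings(pab) + encryption_findings(enc)
                + policy_findings(policy))
    return {"bucket": name, "exposed": bool(findings), "findings": findings}


def fetch_live_config(name):
    """Pull the three settings for a real bucket with boto3 (credentials required)."""
    import boto3
    from botocore.exceptions import ClientError
    s3 = boto3.client("s3")
    responses = []
    for call in (s3.get_public_access_block, s3.get_bucket_encryption, s3.get_bucket_policy):
        try:
            responses.append(call(Bucket=name))
        except ClientError:
            responses.append({})  # setting absent: the checks treat that as a finding
    pab, enc, pol = responses
    return pab, enc, (json.loads(pol["Policy"]) if pol else {})


# Constructed configurations for the demo; neither is any real club's or vendor's bucket.
LEAKY = dict(
    name="example-prod-members",
    pab={"PublicAccessBlockConfiguration": {k: False for k in PAB_SETTINGS}},
    enc={},  # no default encryption rule at all
    policy={"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": "arn:aws:s3:::example-prod-members/*"}]},
)
HARDENED = dict(
    name="example-prod-members",
    pab={"PublicAccessBlockConfiguration": {k: True for k in PAB_SETTINGS}},
    enc={"ServerSideEncryptionConfiguration": {"Rules": [{
        "ApplyServerSideEncryptionByDefault": {
            "SSEAlgorithm": "aws:kms", "KMSMasterKeyID": "alias/example-members-key"}}]}},
    policy={"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-prod-members/*",
        "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789example"}}}]},
)

if __name__ == "__main__":
    for cfg in (LEAKY, HARDENED):
        print(json.dumps(assess(**cfg), indent=2))
```

The hardened configuration keeps an anonymous Principal "*" grant but conditions it on aws:SourceVpce, which is the "private network access only" case Somniloquism describes; the same grant without that condition is reported as public, and with BlockPublicPolicy enabled S3 would refuse to attach it in the first place. One caveat: AWS has enabled Block Public Access and SSE-S3 by default on newly created buckets since 2023, so checks like these earn their keep on older buckets and on ones where someone relaxed the defaults to get an application talking.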
Title: Re: Villa possibly hacked?
Post by: usav on May 24, 2024, 03:19:11 PM
Not sure I agree with that (well actually, I’m totally sure I don’t agree with it): bad security is bad security whether it’s in the cloud or a traditional standalone data centre, and web services have to talk to it regardless; there’s nothing intrinsically unsafe about data being in the cloud.

It’s still in a data centre.

Knowing what the IP address is also makes no difference - the content running in your browser hits a web service somewhere to be able to do anything. It being on AWS or Azure rather than an independent data centre makes zero difference.

In fact, I’d argue cloud providers probably provide better baked in security in their infrastructure than your average business running its own servers in a dark room at the back of their office somewhere.

It is not the cloud providers' specific security I was getting at, just that in the old days when apps were server based and "onsite", the infra teams would/should have set up DMZs which allowed controlled access to the website, and even more controlled access to the data stores behind it. Not unhackable but at least the control was there.


We can have a geek-off in another part of the forum if you want, but I'm with Paulie here.  On-site vs cloud makes no difference.  Those same "infra teams" you called out should still be doing that same work, just in the cloud now or both if hybrid.  If companies are cutting corners on that and assuming the cloud provider will do it all for them, then that is on them.
Title: Re: Villa possibly hacked?
Post by: Dogtanian on May 24, 2024, 03:34:27 PM
Not sure I agree with that (well actually, I’m totally sure I don’t agree with it): bad security is bad security whether it’s in the cloud or a traditional standalone data centre, and web services have to talk to it regardless; there’s nothing intrinsically unsafe about data being in the cloud.

It’s still in a data centre.

Knowing what the IP address is also makes no difference - the content running in your browser hits a web service somewhere to be able to do anything. It being on AWS or Azure rather than an independent data centre makes zero difference.

In fact, I’d argue cloud providers probably provide better baked in security in their infrastructure than your average business running its own servers in a dark room at the back of their office somewhere.

It is not the cloud providers' specific security I was getting at, just that in the old days when apps were server based and "onsite", the infra teams would/should have set up DMZs which allowed controlled access to the website, and even more controlled access to the data stores behind it. Not unhackable but at least the control was there.


We can have a geek-off in another part of the forum if you want, but I'm with Paulie here.  On-site vs cloud makes no difference.  Those same "infra teams" you called out should still be doing that same work, just in the cloud now or both if hybrid.  If companies are cutting corners on that and assuming the cloud provider will do it all for them, then that is on them.

The amount of times a software company has told me they have ISO 27001 certification and it turns out they mean that the hosting company they use has 27001 is ridiculous.

That's the problem, people think solutions are secure because they ought to be, but companies don't have the information security knowledge in place to make sure their suppliers actually are secure.
Title: Re: Villa possibly hacked?
Post by: Weedy on May 24, 2024, 07:03:31 PM
Check here to see if any of your details are 'out there' :-

https://haveibeenpwned.com/

That’s what a hacker would ask us to do.
nearly fell for it just now


Feel free to do your own  checks but I’ve used it before (with startling results) and did again. 

I’ve seen some reviews which argue they could make the way email addresses are submitted a bit more secure, and it’s not the only such service, but generally there seems to be a sense it’s a useful tool. I’d be happy if those clearly more ITK could give a more confident assessment. One review pointed out that if you are taking the time to check whether you are exposed, you should be taking the time to use different passwords on every app/website.

The site is safe - I first used it when LinkedIn had a data breach in 2016.
The email address I used for that site was one of those exposed and so I changed my password.
I periodically check my main email addresses to make sure.

This is what you get if your email address hasn't been compromised:

(https://i.ibb.co/MM3q0YS/not-pwned.png) (https://ibb.co/MM3q0YS)

and if it has - this is the email address I used for LinkedIn - as you can see it was then passed around; fortunately, since I'd changed the password, the only problem I get now is spam sent to that address.

(https://i.ibb.co/3cftcWS/pwned.png) (https://ibb.co/3cftcWS)


If in doubt - change your password.
Title: Re: Villa possibly hacked?
Post by: Olneythelonely on May 24, 2024, 10:23:49 PM
That’s what a hacker would ask us to do
Title: Re: Villa possibly hacked?
Post by: purpletrousers on May 24, 2024, 10:42:34 PM
Check here to see if any of your details are 'out there' :-

https://haveibeenpwned.com/

That’s what a hacker would ask us to do.

I hadn’t realised there was a touch of the ‘Who is Dan Bardell?’ to this.


Thanks for the above Weedy. Would rather someone more expert advised others :)
Title: Re: Villa possibly hacked?
Post by: Chris Harte on May 29, 2024, 10:20:29 AM
The original article about this on the OS has been updated. The club has been informed by the service provider that no password or payment data has been compromised.
Title: Re: Villa possibly hacked?
Post by: LeeB on May 29, 2024, 10:23:14 AM
The original article about this on the OS has been updated. The club has been informed by the service provider that no password or payment data has been compromised.

That's what a hacker would want us to believe.
Title: Re: Villa possibly hacked?
Post by: Whiney MacWhineface on May 29, 2024, 11:19:03 AM
The advice on passwords is that you should use different ones for each site you use. Makes sense, but a few major hacks down the line Google is cheerily informing you that 132 of your passwords are no longer safe. That's an awful lot of changing.
Title: Re: Villa possibly hacked?
Post by: Somniloquism on May 29, 2024, 11:38:06 AM
The original article about this on the OS has been updated. The club has been informed by the service provider that no password or payment data has been compromised.

Still concerned that the club/third party was informed about the potential leak opportunity in March and acted on it, but are now acting like the first time they were aware of it was when the news broke 2 months later. The article doesn't mention who they disclosed the bucket to, but someone in one of the organisations has certainly dropped the ball on acting properly as defined by the DPA.