WordPress, Apache Struts Attract the Most Bug Exploits

An analysis found these web frameworks to be the most-targeted by cybercriminals in 2019.

WordPress and Apache Struts vulnerabilities were the most-targeted by cybercriminals in web and application frameworks in 2019 – while input-validation bugs edged out cross-site scripting (XSS) as the most-weaponized weakness type.

That’s according to the RiskSense Spotlight Report, which analyzed 1,622 vulnerabilities from 2010 through November of 2019. Web frameworks streamline the development and deployment of applications and websites. Instead of requiring developers to code every line of PHP, HTML, etc., a framework can provide them with ready-made building blocks for many common tasks.

“Even if best application development practices are used, framework vulnerabilities can expose organizations to security breaches. Meanwhile, upgrading frameworks can be risky because changes can affect the behavior, appearance or inherent security of applications,” said Srinivas Mukkamala, CEO of RiskSense, in a media statement. “As a result, framework vulnerabilities represent one of the most important, yet poorly understood and often neglected elements of an organization’s attack surface.”

The firm found that WordPress and Apache Struts alone accounted for a combined 57 percent of exploited framework bugs during the year. Their respective underlying languages, PHP for WordPress and Java for Struts, were also the most weaponized languages in the study.

Also, while WordPress faced a number of different types of bugs over the course of the year, XSS was the most common problem according to the analysis; input validation meanwhile was the biggest risk for the Apache Struts framework.

Their prevalence in WordPress aside, XSS flaws overall have fallen in volume in recent years: XSS was the most common vulnerability over the 10-year study period, but it dropped to fifth when analyzed for just the last five years. Meanwhile, input validation accounted for 24 percent of all weaponized vulnerabilities over the past five years, mostly affecting Apache Struts, WordPress and Drupal.

The analysis also found that while the total volume of cybersecurity vulnerabilities in frameworks went down last year, the actual weaponization rate of those bugs went up. That rate jumped to 8.6 percent in 2019, which is more than double the National Vulnerability Database average of 3.9 percent for the same period.

In total, 27.7 percent of WordPress vulnerabilities were weaponized. Apache Struts had the third most-weaponized vulnerabilities and had one of the highest overall weaponization rates across all frameworks, the report found; and, 38.6 percent of all Struts vulnerabilities were weaponized.

“Only Laravel had a higher weaponization rate, but that was based on only four total vulnerabilities,” the report noted.

“It’s no surprise that Apache Struts is one of the most weaponized application frameworks out there,” Mehul Revankar, director of product management at SaltStack, told Threatpost. “It’s a key dependency for many modern web applications, and it’s not easily known whether it’s in use or not by an application.”

An Apache Struts exploit was behind the infamous 2017 Equifax breach, which affected 147 million people.

Some specific types of bugs also saw a higher rate of weaponization. For instance, SQL injection, code injections and various command injections are sought-after by cyberattackers and saw weaponization rates of more than half in the study, despite being quite rare. Broken down, the top three weaknesses by weaponization rate were command injection (60 percent weaponized), OS command injection (50 percent weaponized) and code injection (39 percent weaponized).

And, JavaScript and Python frameworks showed the lowest weaponization of vulnerabilities overall. For instance, the JavaScript-based Node.js had a notably higher number of vulnerabilities than other JavaScript frameworks last year, with 56 vulnerabilities – but only one has been weaponized to date, according to the research. Likewise, Django had 66 vulnerabilities, with only one weaponized.

“Web application vulnerabilities have been an increasingly ripe attack vector over the past decade,” said Jack Mannino, CEO at nVisium, speaking to Threatpost. “WordPress and Apache Struts implementations in particular have been notoriously plagued with out of date plugins and library versions. As these systems remain unpatched and not updated for long intervals, their likelihood for exposure is high. Off-the-shelf exploits against these technologies have been prevalent in attacker tooling and will continue to be.”

Adobe Discloses Dozens of Critical Photoshop, Acrobat Reader Flaws

An out-of-band Adobe security update addressed critical flaws in Photoshop, Acrobat Reader and other products.

Adobe has released out-of-band updates addressing critical vulnerabilities in its Photoshop and Acrobat Reader products, which if exploited could allow arbitrary code-execution.

Overall, Adobe on Wednesday patched flaws tied to 41 CVEs across its products, 29 of which were critical in severity. The fixes were released outside of Adobe’s regularly scheduled update day, which was earlier in March (during which, in fact, Adobe had no patches).

In this most recent group, Adobe Photoshop had the most vulnerabilities fixed, with 22 CVEs addressed overall, 16 of which were critical: “Adobe has released updates for Photoshop for Windows and macOS. These updates resolve multiple critical and important vulnerabilities,” according to Adobe’s advisory. “Successful exploitation could lead to arbitrary code-execution in the context of the current user.”

Critical arbitrary execution vulnerabilities include heap corruption (CVE-2020-3783), memory corruptions (CVE-2020-3784, CVE-2020-3785, CVE-2020-3786, CVE-2020-3787, CVE-2020-3788, CVE-2020-3789, CVE-2020-3790), out of bounds writes (CVE-2020-3773, CVE-2020-3779) and buffer errors (CVE-2020-3770, CVE-2020-3772, CVE-2020-3774, CVE-2020-3775, CVE-2020-3776, CVE-2020-3780).

Affected are Photoshop CC 2019 (versions 20.0.8 and earlier) and Photoshop 2020 (21.1 and earlier) for Windows and macOS. Users can update to Photoshop CC 2019 versions 20.0.9 and Photoshop 2020 21.1.1.

Adobe also addressed 13 vulnerabilities in Acrobat and Reader, including nine critical flaws. Critical flaws include an out-of-bounds write (CVE-2020-3795), a stack-based buffer overflow (CVE-2020-3799), use-after-free bugs (CVE-2020-3792, CVE-2020-3793, CVE-2020-3801, CVE-2020-3802, CVE-2020-3805), a buffer overflow (CVE-2020-3807) and a memory corruption (CVE-2020-3797). All of these critical flaws enable arbitrary code execution in the context of the current user, according to Adobe.

Below are the affected versions of Acrobat and Reader; Adobe urges users to update to the fixed versions (2020.006.20042 for Acrobat and Reader DC, 2017.011.30166 for Acrobat and Reader 2017, and 2015.006.30518 for Acrobat and Reader 2015).

[Table: affected versions of Adobe Acrobat and Reader]

Other vulnerabilities include two critical flaws in Adobe ColdFusion, including a remote file read (CVE-2020-3761) from the ColdFusion install directory; and a critical file inclusion flaw (CVE-2020-3794) enabling arbitrary code execution of files located in the webroot or subdirectory.

Two critical flaws were also rooted out in Adobe Bridge that could enable arbitrary code execution, including an out-of-bounds write flaw (CVE-2020-9551) and a heap-based buffer overflow (CVE-2020-9552). And, Adobe also patched important-severity flaws in its Adobe Genuine Integrity Service and Adobe Experience Manager.

While Adobe had no regularly scheduled updates earlier in March, it did stomp out flaws tied to 42 CVEs in its regularly scheduled February updates, with 35 of those flaws being critical in severity. That well trumped Adobe’s January security update, which addressed just nine vulnerabilities overall, including ones in Adobe Illustrator CC and Adobe Experience Manager.

Convincing Google Impersonation Opens Door to MiTM, Phishing

Using homographic characters is an easy way to execute a convincing fake site.

An attack that uses homographic characters to impersonate domain names and launch convincing but malicious websites takes minutes and a bare modicum of skill — while reaping high rates of success in luring victims, according to an independent researcher.

Researcher Avi Lumelsky set out to see how easy it would be to set up a phishing page that used homographics to impersonate legitimate sites. As he explained in a posting this week, “homographic characters look like ASCII letters, but their encoding is different, in a way that is usually not noticeable for the human eye.”

As an example, this URL uses a homographic character as its first character: “ɢoogle.news.” Compared with the legitimate “google.news” in a typical font, there’s a barely discernible difference.

Lumelsky noted that a few years ago someone bought the homographic-including “ɢoogle.com” to use it for phishing purposes.

“I wondered to myself: There are new top-level-domains every year. Did the world learn from the ɢoogle.com acquisition? How hard is it to create a good Google phishing website from scratch?”

Setting out to find out, the researcher turned to the main domain registrars – GoDaddy, Namecheap and even Google Domains – to first see if he could snag appropriate URLs. He found the process to be so simple that a basic search resulted in a dozen suggestions for available domain names, including ɢoogle.company; ɢoogle.email; ɢoogle.tv; ɢoogle.life and even ɢoogletranslate.com, all for what Lumelsky said was a “great” price. He purchased a handful of them, using an obviously fake identity that included “Not Google :)” as the company name.

After that, he was able to set up a virtual private server in the cloud to host the domains; and he also requested a LetsEncrypt certificate to “safeguard” traffic to and from the sites – and get around security red flags from browsers. Chrome for instance showed the domains as “Secure” (with a lock icon) thanks to the certificate.

“Now, one can use https:// links to gain trust, while providing malicious content,” Lumelsky said.

The next step was routing the sites’ domain name server (DNS) traffic to the cloud server. DNS translates human-readable website names to machine addresses, which enables most internet interactions between sites, plugins and the like. He also set up an nginx proxy, masking the true destination of any request to the site’s DNS server. And to seal the deception, he also used Google’s JavaScript code from the legitimate site as the code for his own.

“The great thing about using a proxy is that my domain’s links previews, in every single platform, fetches Google Translate’s exact description while pointing to my link,” the researcher explained. “[Also,] Google’s JS runs normally from my domain.”

In all, Lumelsky said that it was a simple affair to set up a very convincing fake domain – it took minutes, with no coding, he explained. Further, “on mobile phones, the ‘ɢ’ in my domain looks like an actual ‘G,’” he said.

From there he completed his trial with some social-engineering forays that he said were successful in luring visitors to the sites “with very little effort.” He also posted links to the sites in security threads on Reddit and elsewhere to see if security-minded targets would notice the discrepancy in the domain name. That too was successful, he added.

“Eventually, without much work, I ended up with hundreds of unique visitors (excluding the bots and security scanners or the platforms in which I posted),” he explained. “It looks and acts just like any google single-page application.”

The next step in the proof-of-concept was to weaponize the domains. Aside from the obvious route of creating a phishing functionality, it’s also possible to execute a man-in-the-middle attack, the researcher explained.

“I am making the SSL handshake with the user,” he said. “The original Google application is served, it functions as expected, but I am exposed to the user’s traffic with the domain. Therefore, I can change the body of Google’s response.”

This man-in-the-middle (MiTM) attack technique can be used in a few different ways, he said. For instance, with a little effort, it’s possible to extract login credentials or tokens.

“Google uses the domain accounts.google.com for authentication,” Lumelsky explained. “I can, for example, override all the <a> tags in the HTML. Instead of pointing them to a subdomain in google.com (e.g. accounts.google.com) we can point them to a custom phishing login page, within ɢoogletranslate.com domain. We can steal the user’s login credentials to Google by overriding the links within the page, and pointing them to [the maliciously registered domain] accounts.ɢoogletranslate.com (The sign-in button’s HTML tag’s href attribute).”

Further, an attacker could inject a malicious <script> tag into the hijacked HTTP body and execute code on a client browser connecting to the fake website.

“A majority of the user agents that visited the links were old browsers that haven’t been updated for a long time,” the researcher concluded. “Many of the Chrome, Firefox and Safari user agents from my access logs are devices which are vulnerable to one-day attacks (including sandbox escape).”

To protect themselves, web users should always be suspicious of unusual-looking letters inside domains in links; and admins should implement rules within their security protocols that flag homographic hosts.
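One way an admin could implement such a flagging rule, as an added example that is not the researcher’s or the article’s own code: each hostname label is folded to the ASCII letters a reader would perceive and compared against a protected-brand allowlist. The allowlist and the small confusables table are constructed for illustration, and the small-capital rule is derived from the Unicode character name (U+0262 is LATIN LETTER SMALL CAPITAL G).

```python
import unicodedata

# Constructed allowlist: brand labels a lookalike hostname must not imitate.
PROTECTED_LABELS = {"google", "googletranslate"}

# Constructed, deliberately small confusables table (not the full Unicode
# confusables.txt): a few non-Latin letters that render like ASCII ones.
CONFUSABLES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0455": "s",  # CYRILLIC SMALL LETTER DZE
    "\u0456": "i",  # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
}


def fold_char(ch):
    """Map one character to the ASCII letter it visually imitates, or itself."""
    if ord(ch) < 128:
        return ch.lower()
    if ch in CONFUSABLES:
        return CONFUSABLES[ch]
    # Small capitals such as U+0262 ("LATIN LETTER SMALL CAPITAL G") are not
    # decomposed by NFKD, so take the base letter from the character name.
    name = unicodedata.name(ch, "")
    tail = name.rsplit(" ", 1)[-1]
    if "SMALL CAPITAL " in name and len(tail) == 1:
        return tail.lower()
    # Strip diacritics: 'ü' -> 'u', 'ġ' -> 'g'. The base characters returned
    # by NFKD are themselves fully decomposed, so folding them terminates.
    base = "".join(c for c in unicodedata.normalize("NFKD", ch)
                   if not unicodedata.combining(c))
    if base and base != ch:
        return "".join(fold_char(c) for c in base)
    return ch


def skeleton(hostname):
    """Visual skeleton of a hostname: every character folded to what the eye reads."""
    return "".join(fold_char(ch) for ch in hostname)


def to_punycode(hostname):
    """ASCII (Punycode) form, i.e. what actually appears in DNS and proxy logs."""
    return hostname.encode("idna").decode("ascii")


def classify(hostname):
    """Return (verdict, detail) for a hostname seen in a link or a log line.

    'allow'  - plain ASCII hostname, nothing to fold.
    'block'  - contains non-ASCII characters and a label that, once folded,
               equals a protected brand label (a homographic lookalike).
    'review' - internationalized hostname that imitates no protected label.
    """
    if hostname.isascii():
        return "allow", "ascii hostname"
    for label in skeleton(hostname).split("."):
        if label in PROTECTED_LABELS:
            return "block", "label folds to protected %r; punycode %s" % (
                label, to_punycode(hostname))
    return "review", "non-ascii hostname; punycode %s" % to_punycode(hostname)


if __name__ == "__main__":
    # Constructed samples: the article's lookalike domains beside legitimate ones.
    for host in ["\u0262oogle.news", "accounts.\u0262oogletranslate.com",
                 "google.news", "m\u00fcnchen.de"]:
        print(host, "->", classify(host))
```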

Lumelsky also filed a bug report with Google, identifying all of the places in the kill chain where this attack method could be thwarted. This includes not allowing “ɢoogle” top-level domains to be sold; or, if they are, to at least not allow them to be auto-suggested as they were by the Google Domains registrar. Another weak point is the fact that Google’s JavaScript did not check that window.location was a legitimate Google domain before allowing the script to be loaded.

The discussions are ongoing, but Google’s response, the researcher said, was: “Thank you for the considerable material, the thought behind it, as well as the actual money used to secure those domain names in creating this report. Homographic attacks are always interesting in their social-engineering application, but more challenging is deploying an attack that will trick not only the user, but also the infrastructure.”

Threatpost reached out to Google for further comment.

The attack method isn’t limited to Google, of course, and there are other weaknesses that it exploits. For instance, Lumelsky pointed out that people should not be able to request an SSL certificate from LetsEncrypt for homographic domains.

“Until there is a solution out there, every big company or service will have to secure their domains and assets, by spending lots of money on similar domain names,” he said. “The steps to reproduce this kind of attack are pretty simple for anyone with basic Linux and networking knowledge.”

Working from Home: COVID-19’s Constellation of Security Challenges

Organizations are sending employees and students home to work and learn — but implementing the plan opens the door to more attacks, IT headaches and brand-new security challenges.

As the threat of coronavirus continues to spread, businesses are sending employees home to work remotely, and students are moving to online classes. But with the social distancing comes a new threat – a cyber-related one.

As organizations rush to shift their businesses and classes online, cybercriminals are ramping up their tactics to take advantage of those who may have inadequate or naive security postures as a result. Given the challenges in securing work- and learn-from-home environments, the attack surface represents an attractive opportunity for threat actors.

“Working from home or online education programs are not new. However, a large, immediate migration of people from enterprise and university networks that are closely monitored and secured, to largely unmonitored and often unsecure home Wi-Fi networks, creates a very large target of opportunity for cybercriminals,” Chris Hazelton, director of security solutions at Lookout, told Threatpost. “These users are outside the reach of perimeter-based security tools, and will likely have higher exposure to phishing and network attacks.”

Attacks Ramp Up

Researchers say that the first rash of efforts aimed at remote students and workers is likely to play on their fears and concerns about what sent them home to begin with – the coronavirus itself.

The concern is more than theoretical. Already, attackers have been leveraging coronavirus-themed cyberattacks as panic around the global pandemic continues – including various malware attacks involving Emotet and other threats. An APT for instance was recently spotted spreading a custom and unique remote-access trojan (RAT) that takes screenshots, downloads files and more, in a COVID-19-themed campaign. And, the World Health Organization (WHO) has issued warnings about scammers pretending to be the organization. That activity is expected to expand along with the expanded attack surface, researchers said.

“In general, attackers are looking for a vulnerability to deliver their attack,” Chris Rothe, chief product officer and co-founder of Red Canary, told Threatpost. “In this case, people’s fear over the virus is the vulnerability attackers will look to capitalize on. If an individual is concerned or stressed about the virus they are less likely to remember their security training and will be more likely to, for example, click a link in a phishing email or give their credentials to a malicious web site.”

This forgetfulness when it comes to security can be especially true for those who are not used to working or learning at home: “People working from home get easily distracted, especially if they are normally used to working in the office, and they will mix work with personal email and web browsing,” Colin Bastable, CEO of security awareness training company Lucy Security, said in an email interview. “This increases the risks that they can introduce to their employers and colleagues, by clicking on malware links. So now is a great time to warn people to be ultra-cautious, hover over links and take your time.”

Organizations may be distracted as well, leading to increased risk. For instance, Otterbein University in Columbus, Ohio, was hit with a ransomware attack in the past week, just as it was making preparations to switch to online classes. The situation forced the school to extend its spring break for another week as it dealt with the problem, since it was rendered incapable of delivering online education as planned.

University officials told the local ABC station that it’s unclear what the attack’s infection vector was; and that they’re not sure when things will return to normal – both potential indicators of cybersecurity unpreparedness and IT resources stretched thin.

Top Challenges in Remote Working

A lack of IT resources can bite many organizations as they move to enable remote strategies. When workers and students are sent outside the normal perimeter, managing device sprawl, and patching and securing hundreds of thousands of endpoints, becomes a much bigger challenge.

“As a security team you lose control of the environment in which the user is working,” Red Canary’s Rothe said. “Have they secured their home Wi-Fi? If they’re using a personal computer, what mechanisms do you have to ensure that device isn’t compromised? Essentially, your network perimeter now includes all of your employees’ homes. Some security programs are ready for this, some aren’t.”

In terms of those that aren’t ready, it’s important to remember that there’s a wide swath of companies that don’t normally enable telecommuting, warned Sumir Karayi, CEO and founder of 1E.

“Government, legal, insurance, banking and healthcare are all great examples of industries that are not prepared for this massive influx of remote workers,” Karayi told Threatpost. “Many companies and organizations in these industries are working on legacy systems and are using software that is not patched. Not only does this mean remote work is a security concern, but it makes working a negative, unproductive experience for the employee.”

The challenges are particularly notable for those working in regulated industries, he added, and those that use proprietary or specific software – such as stock traders or airline reservationists.

“Regulated industries pose a significant challenge because they use systems, devices or people not yet approved for remote work,” he said. “Many companies must have secure environments and devices to meet regulations; it is not possible to secure and certify remote work because of security concerns and unauthorized people gaining access. Proprietary or specific software is usually also legacy software. It’s hard to patch and maintain, and rarely able to be accessed remotely.”

Also complicating the picture: Many organizations, including many schools, have proprietary, on-premise software that will require special configurations in order to be made accessible remotely.

“In a world of growing SaaS and cloud adoption this can be very seamless, but if your systems are all on an internal network the challenge is providing users a secure way to access those systems via a VPN or other networking solution,” Rothe noted.

And, adding insult to injury, workers in regulated industries are often stuck with endpoints that have cumbersome security protocols – which ironically can add to the attack surface.

“When they need help from IT, IT often does not have the right tools, so they have to try and take over the machine, which wastes a lot of time and is a security risk,” Karayi noted.

There’s also of course the specter of an increased threat from the mobile sphere. “Students and workers remaining at home, or possibly stranded in remote locations, are going to be heavily dependent on their mobile devices,” Lookout’s Hazelton said. “Mobile attacks are particularly effective because they often trigger immediate responses from recipients – instant communication platforms like SMS, iMessage, WhatsApp, WeChat and others.”

Best Practices for Remote Working and Learning

Fortunately, companies and schools can plan for distance learning and working in order to meet some of these challenges.

“The first step employers should take right now is to conduct a remote-work tabletop exercise with their key executives and line of business leaders,” said Rick Holland, CISO and vice president of strategy at Digital Shadows, speaking to Threatpost. “You need to inventory your business applications and identify the mission-critical ones. For SaaS applications, follow up with your providers and inquire about their business continuity plans. For on-premises applications that require VPN connectivity, test and validate that VPN connectivity for higher utilization than usual.”

Making risk-assessments of remote workers’ computing setups is essential as well, he added. Questions to ask include how they will connect to the company’s systems, and from which devices.

“The staff could connect from company-issued laptops or options like Citrix or Amazon Workspaces that enable staff to work from any device,” Holland said. “It might also be necessary to roll out new VoIP and increase web conferencing services licenses.”

It’s also important to consider the issue of on-premises software, including costs. “You cannot replace legacy on-premises applications overnight, so increasing VPN capacity to accommodate more staff working remotely could be expensive,” Holland said. “One of the unintended consequences of COVID-19 will likely be increased zero trust adoption that further embraces cloud services, eliminates VPNs, and enables employees to work from anywhere.”

And finally, given the social-engineering aspect of most attacks, user education is more important than ever.

“So yes, make sure your employees and students are up-to-speed with the latest info on the coronavirus and that they know how to protect themselves and their families from the virus itself, as well as all the fraud artists following in its wake,” said Eric Howes, principal lab researcher at KnowBe4.

DoppelPaymer Ransomware Used to Steal Data from Supplier to SpaceX, Tesla

Cyber attack at Visser Precision, which builds custom parts for the aerospace and automotive industries, reveals sensitive company data.

A company that provides custom parts to aerospace giants Lockheed Martin, SpaceX and Boeing, has been the target of an attack by an emerging type of ransomware that can both encrypt files and exfiltrate data.

Colorado-based Visser Precision said it was targeted by a “cyber incident” that involved the attacker accessing and stealing company data after a security researcher found some of the company’s stolen files leaked online.

Visser makes what are called “precision” parts for several industries, including automotive and aeronautics, with some high-profile customers that typically impose strict security requirements due to the sensitive and competitive nature of their work.

Brett Callow, a threat analyst at anti-malware security firm Emsisoft, discovered the documents, a series of nondisclosure agreements Visser has with companies including SpaceX, Tesla, Honeywell, General Dynamics and others, on a hacker website and began alerting news outlets, according to published reports in Forbes and TechCrunch.

Attackers also tweeted in an account using the name “DoppelPaymer” that more files were on the way, alerting researchers that attackers likely used the DoppelPaymer ransomware in the attack, according to reports.

DoppelPaymer is an emerging type of ransomware that not only locks companies out of their own computer systems by encrypting files—the hallmark of typical ransomware—but also can exfiltrate company data and use it as collateral.

A February report by BleepingComputer noted that DoppelPaymer had shifted its tactics to include not just stealing a victim’s data, but also threatening targets to publish or sell their data if the victim did not pay the ransom.

This new show of sophistication in ransomware makes the tough decision of whether to pay the hackers’ ransom even more difficult for companies, which typically are advised not to pay in such a scenario, said one security expert.

“The evolution of ransomware from simply keeping data unusable, to that plus threatening to release it, is insidious in its premise,” Mike Jordan, vice president of research, Shared Assessments, said in an email to Threatpost. “Deciding whether to pay a ransomware extortionist always involves a financial calculus where you determine whether paying is cheaper than recovering the data on your own.”

The new methods that malware like DoppelPaymer and Maze employ are raising the stakes for victims of ransomware and increasing the potential for financial loss if sensitive or classified data is revealed by threat actors, he said.

“If data is regulated, such as personal information, fines get introduced,” Jordan said. “And when the victim is a third party supplier of other companies, the potential loss of revenue from customers that lose faith in their ability to manage cybersecurity threats is also a particularly expensive variable.”

Indeed, some of the companies that appear on the list of revealed documents, such as Lockheed Martin, Boeing, Honeywell and General Dynamics, also have defense contracts with the federal government, which means they also deal in highly classified information. The threat of the release of this type of data definitely raises the stakes for Visser when considering whether to pay attackers, experts noted.

Targeting customer contracts also was a clever tactic by the attackers, as it has the potential to cause long-term damage not only to Visser but the customers affected, Jordan observed.

“Revealing confidentiality agreements threatens the possibility of revealing the contracts behind those agreements,” he said. “Revealing pricing puts the victim at a disadvantage to its competitors now and in the future, as they are still bound to those agreements, whereas competitors could undercut them. Additionally, revealing contracts put victims at risk of breaking confidentiality agreements, allowing customers to lawfully break favorable agreements.”

Of the companies affected in the Visser attack, only officials at Lockheed Martin so far have publicly acknowledged that they are aware of the situation, according to reports.

Walgreens Mobile App Leaks Prescription Data

A security error in the Walgreens mobile app may have leaked customers’ full names, prescriptions and shipping addresses.

Popular pharmacy chain Walgreens is warning that a bug in its official mobile app may have exposed sensitive data, including customers’ full names and information on prescriptions for medications they are taking.

The security issue stemmed from an “error” in the personal secure messaging feature of Walgreens’ mobile app. The mobile messaging feature is a service for registered customers to receive SMS alerts for prescription refill notifications, deals and coupons. While Walgreens did not detail the technical glitch, it said that the internal application error enabled certain personal messages, stored in a database, to be viewed by other customers who were using the mobile app.

“As part of our investigation, Walgreens determined that certain messages containing limited health-related information were involved in this incident for a small percentage of impacted customers,” according to a Walgreens data security incident customer notification, filed with the Office of the Attorney General and published Friday. “We believe that you were part of the impacted customer group and that one or more personal messages containing your limited health-related information may have been viewed by another customer on the Walgreens mobile app between January 9, 2020 and January 15, 2020.”

That potentially exposed data includes first and last names of customers, their prescription numbers and drug names, store numbers that customers picked up prescriptions from, and shipping addresses. Walgreens said that financial information and Social Security numbers were not impacted.

After the issue was discovered on Jan. 15, “Walgreens promptly took steps to disable the message viewing feature within the Walgreens mobile app to prevent further disclosure until a permanent correction was implemented to resolve the issue,” according to the notice. “Walgreens will conduct additional testing as appropriate for future changes to verify the change will not impact the privacy of customer data.”

Fausto Oliveira, principal security architect at Acceptto, said the incident looks like a typical example of a lack of proper testing.

“If the error conditions in the app had been properly tested, this type of issue should have been caught by the quality assurance department and never seen in production,” he told Threatpost. “It is unfortunate that often in the rush to go to market, shortcuts are taken and due-diligence testing is skipped in favor of meeting a release date. It also raises questions as to why wasn’t this information encrypted so that even if it was written to a database it would be unreadable and also how come individuals had access to a copy of the database? A proper design would have ensured that any records accessible on the mobile device would be encrypted using per user keys and that the device would only have access to the information that was relevant to the specific user.”

Walgreens recommended that customers monitor their prescriptions and medical records. The company did not say how many customers were impacted, or how many actually accessed the exposed information (Threatpost has reached out for further comment). But the potential number of people impacted is vast based on Walgreens’ customer base. The company interacts with approximately 8 million customers in its stores and online each day, and filled 1.2 billion prescriptions on a 30-day adjusted basis in fiscal 2019, according to its website. And, the Walgreens mobile app on the Google Play app marketplace has more than 10 million downloads.

The fact that prescriptions were leaked “is worrying,” said Oliveira, since it discloses health conditions that may be used for malicious attacks like blackmailing. A bad actor who got his hands on this data, for instance, could threaten to make employers aware of victims’ conditions that they may not want to reveal.

“I think the offer from Walgreens to place the customers in several credit-card monitoring companies is ineffective and does not help at all to address the concerns,” he told Threatpost. “If the information has been leaked, it is out there and credit-card monitoring companies cannot do anything to prevent the information from spreading. This is a situation where preventing this type of event from happening in the first place is the only cure.”

It’s not the first time that Walgreens has dealt with a security issue. In 2013, the company was hit with a $1.4 million penalty for a data breach after a pharmacist in a Walgreens store in Indianapolis inappropriately viewed and shared a woman’s prescription history.