Eduzz, the online course platform, confirmed on Monday (1st) that “it was the victim of a criminal cybersecurity activity”. Since last week, a hacker has been selling data that would have come from the company: he promises to offer almost 12.5 million CPFs and CNPJs with full name, email, encrypted password and cell phone number. In addition, there is a list of customers with partial card numbers.
What’s in the leak?
THE Tecnoblog found that the hacker is currently selling the database for $ 20,000 – before it was $ 50,000, according to the Estadão – with 12,476,181 CPFs and CNPJs that would have come from Eduzz and related companies (Nutror, Alumy, Blinket and Jobzz). We confirm that all of these services use the same single login.
As usual, the seller provided a free sample to ensure that the data is legitimate. THE Tecnoblog had access to the file and contacted some of the affected people: three of them confirm that they are Eduzz customers, while two others believe they have never used Eduzz’s services before.
This is what is in the sample and what can involve 12.5 million accounts:
- full name (or company name)
- CPF or CNPJ
- phone number with area code
- email address
- encrypted password
In addition, the hacker provides a second list with financial data, but does not confirm having card numbers belonging to the above 12.5 million accounts. The total may be less, if part of the customers has chosen another form of payment. This table includes:
- partial card number, in the format 1234 56XX XXXX 7890
- card banner (Visa, Mastercard)
- cardholder name
- gateway that processes the payment (Pagar.me, Adyen)
Leaked card data is “useless”, says Eduzz
Last night, around 7:30 pm, Eduzz sent an email to people who were affected by the leak, warning about the security incident. “The information that was supposedly copied is related to a limited portion of the database and contains personal information such as name, CPF, address and telephone numbers”, states the message.
The company also says that it did not suffer from a credit card leak because these data “are in the possession of our payment partners, who were not the target of the attack”. However, she herself confirms in the email that she stores “parts of the credit card”. This would be necessary for identification with the means of payment.
These parts of the credit card, according to Eduzz, follow the standard 1234 56XX XXXX 7890. This is the same format that appears in the sample released by the hacker; the file does not include full card numbers.
Eduzz claims that these data are “useless” because they are not enough to make payments, since some digits are missing; and because it does not store the CVV, a three-digit code that is not part of the leak.
However, there are social engineering scams that use the last four digits of the card to gain the victim’s trust – a criminal posing as a bank employee, for example.
Are encrypted passwords secure?
According to the Tecnoblog, Eduzz asked some users to change their password. It is worth noting that the passwords in the leak are encrypted: for each customer, there is a sequence of 40 letters and numbers. This is a standard security measure: a cryptographic algorithm is used so that, in the event of a leak, it is not so easy to break into customers’ accounts.
However, the hacker claims that Eduzz uses the SHA1 algorithm, which has been considered “completely insecure” since 2017, when a major flaw was discovered that allows it to decrypt the content with relatively little effort.
The company does not confirm whether it actually uses SHA1, but we found a July 2020 tweet in which it emailed the password, in plain text, to a customer:
The Eduzz announcement
“Eduzz, through an internal and external audit of contracted security, is analyzing all the information and following the standards established by the LGPD (General Data Protection Law)”, says a statement on the official website.
THE Tecnoblog contacted Eduzz, but has not received a response so far. The e-mail sent by the company follows below in full.
Valuing the ethics, responsibility and transparency that permeate all of our relationships, Eduzz announces that it was the victim of a criminal cybersecurity activity orchestrated by groups that act in this type of crime.
By the investigation so far, the information that was supposedly copied is related to a limited portion of the database and contains personal information such as name, CPF, address and telephone numbers.
Due to the dissemination of misleading news, it is worth clarifying that it is not possible that credit card information, subject to payment processing, could have been the object of the alleged attack. The credit card data transacted by Eduzz, are held by our payment partners, who were not the target of the attack.
Eduzz is responsible for storing parts of the credit card that are used only for identification (9999 99XX XXXX 9999) with the payment methods and when requested by the cardholder. In addition to this data being useless for processing any payments, we reinforce that any transaction is only validated using the CVV code, which is the exclusive property of the cardholder and is not even stored in our databases.
Eduzz strongly rejects this action and is conducting an investigation together with consultants specialized in information security and working with internal and external teams to minimize any impacts of this improper and criminal access to data.
For us, protecting the information of our customers, employees and the company itself is paramount.
We will communicate to people who may be affected by this improper and criminal access to data. We take the opportunity to reinforce to all users the following actions and good practices:
- Watch out for fake emails. Make sure the source of these messages;
- Watch out for confirmation code requests in messaging apps;
- If you receive an unsolicited phone call or from a company with which you do not have a relationship, do not provide information. Even for known companies, be sure of the origin of the call and be wary of requests for new information or confirmations received by SMS (Whatsapp Scam).
- Choose reliable sites: just like you do in physical stores, make purchases in virtual and trustworthy stores;
- Check if the website is secure: before placing an order, check that the website has a lock icon in the browser’s address bar;
- Do not save passwords: they are restricted and for personal use. Therefore, avoid saving your passwords on the computer;
- Change your passwords periodically and don’t repeat them on different services: spending too much time with a single password is a common mistake;
- Do not install suspicious software: when in doubt, do not install. Programs of dubious origin may be infected;
- Attention to downloads: just like software, other downloads can also lead to problems;
- Beware of suspicious links: keep your attention high before clicking on something;
- Update your antivirus: it is your defense against internet malware;
- Watch out for fake emails and attachments: watch out for corrupted or suspicious emails in your inbox;
Any questions or clarifications, we are available through the email: firstname.lastname@example.org