Bumble, Panera Bread, Crunchbase, Match hit by cyberattacks
Sign up now: Get ST's newsletters delivered to your inbox
Cybersecurity experts have recently warned about a social engineering campaign targeting American companies.
PHOTO: LIANHE ZAOBAO
SAN FRANCISCO – A wave of cyberattacks has hit Bumble, Panera Bread, Match Group and Crunchbase, as cybersecurity experts warn about a new round of social engineering attacks targeting US companies.
Bumble, parent company of dating apps Bumble, Badoo and BFF, contacted law enforcement after one of its contractor’s accounts “was recently compromised in a phishing incident”, a spokesman said.
The hacker made “a brief unauthorised access to a small portion of our network”, the spokesman said, adding that the company believes the access had ended. The hackers did not get into the company’s member database, member accounts, the Bumble application, direct messages or profiles, he said.
Similarly, Panera Bread said it alerted law enforcement after identifying a cybersecurity incident and took steps to address it. A hacker accessed a software application Panera was using to store data.
“The data involved is contact information,” a spokesman said, without elaborating.
Match also confirmed on Jan 28 that it suffered a cybersecurity incident affecting a “limited amount of user data”, and that it was in the process of notifying customers.
A spokesman said there was no indication that user log-in credentials, financial information or private communications were accessed.
A Crunchbase spokesman said documents on its corporate network were affected, but the company contained the incident.
Match’s system was breached on Jan 16, but Bloomberg News could not determine when the incidents occurred.
Cybersecurity experts recently warned about a social engineering campaign targeting American companies, which has been attributed to a group that refers to itself as ShinyHunters. The group has claimed responsibility for the attacks on Bumble, Panera Bread, Match and Crunchbase, although Bloomberg could not independently verify the claims.
Mandiant, a cybersecurity company owned by Alphabet’s Google, warned last week of the ShinyHunters campaign, saying the group used novel “vishing” techniques to compromise single sign-on credentials from victim organisations and remotely access their systems.
After getting into a computer system, the hackers pivot to software-as-a-service environments to steal sensitive data, Mr Charles Carmakal, chief technology officer at Mandiant, said in a written statement.
A hacker entity that identifies itself as ShinyHunters has approached some of the victims demanding an extortion payment, he added. BLOOMBERG
