Cylance clarifies data breach details, except where the data came from

Customers, partners, operations remain uncompromised, BlackBerry says


BlackBerry-owned cybersecurity shop Cylance says the data allegedly belonging to it and being sold on a crime forum doesn't endanger customers, yet it won't say where the information was stored originally.

Cylance says only that the data relates to company marketing between 2015 and 2018, before BlackBerry bought it, and that it came from an undisclosed "third-party platform."

A BlackBerry spokesperson told The Register: "We are aware of a post on the 'X' platform reporting that a database for sale on the 'Dark Web' contains Cylance customer, partner, and employee names and email addresses along with marketing data.

"While our investigation is ongoing, BlackBerry Cylance systems and products remain secure and are being closely monitored by our security operations team as part of our ongoing commitment to the security of our customers' data. Based on our investigation to date, we do not believe that BlackBerry data and systems related to our customers, products, and operations have been compromised."

The spokesperson added that there is currently no indication that any current Cylance customers are affected, and that the company believes the same holds for sensitive information.

The Reg knows that the claims of cybercriminals can never be trusted. Even if the data being auctioned off is genuine, that doesn't mean all the other little selling points are to be believed as well.

Just this week we saw one of ransomware's rising stars, RansomHub, have their lofty claim of having stolen data on 500,000 Christie's clients debunked by a regulatory filing pegging the number at less than 10 percent of that. Long-term Reg readers will be all too familiar with these kinds of stories from over the years – they're everywhere.

With that all being said, we can dig into what's potentially on offer here. The alias selling Cylance's data is called "Sp1d3r" and they claim 34 million customer and employee emails are included in the data dump, exposing personal information and other internal documents.

It's supposedly being sold for $750,000, and Sp1d3r also has data up for sale allegedly belonging to Advance Auto Parts and QuoteWizard, both of which are rumored to be linked to the ongoing breaches of Snowflake customers. Cylance, however, has confirmed to us that it is not a Snowflake customer.

Mandiant's incident response team released a report yesterday on the Snowflake victims, saying it believes the number of compromised organizations stands at 165. That figure should be fairly reliable, given that Mandiant was one of the teams hired by Snowflake itself to investigate the incident.

Mandiant supported Snowflake's early hypothesis that its own systems were not to blame for the breaches – they remain locked down and unaffected. None of the customers being preyed on appeared to have enabled MFA.

The credentials used in account compromises were also valid and appear to have been aggregated from various infostealers dating back to 2020, suggesting that some victims weren't rotating their creds for years.
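Mandiant's two findings, password logins with no second factor and credentials left unrotated for years, translate into a simple account audit a Snowflake administrator could run over exported login and user records. The Python below is an added example, not code from The Register, Mandiant or Snowflake; the records are constructed, the field names are assumed to mirror the LOGIN_HISTORY and USERS views in Snowflake's ACCOUNT_USAGE schema (SECOND_AUTHENTICATION_FACTOR, PASSWORD_LAST_SET_TIME), and the one-year rotation threshold is an assumed policy value.

```python
from datetime import datetime, timezone

# Constructed sample records, not real Snowflake data. The field names are
# assumed to mirror SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY and USERS columns.
LOGIN_HISTORY = [
    {"user_name": "ALICE", "event_timestamp": "2024-06-01T09:12:00Z",
     "first_authentication_factor": "PASSWORD",
     "second_authentication_factor": "DUO_PUSH", "is_success": "YES"},
    {"user_name": "BOB", "event_timestamp": "2024-06-02T22:40:00Z",
     "first_authentication_factor": "PASSWORD",
     "second_authentication_factor": None, "is_success": "YES"},
    {"user_name": "BOB", "event_timestamp": "2024-06-02T22:38:00Z",
     "first_authentication_factor": "PASSWORD",
     "second_authentication_factor": None, "is_success": "NO"},
    # SSO login: any MFA is enforced at the identity provider, so not flagged.
    {"user_name": "CAROL", "event_timestamp": "2024-06-03T08:05:00Z",
     "first_authentication_factor": "SAML2_ASSERTION",
     "second_authentication_factor": None, "is_success": "YES"},
    # Key-pair login for a service account: no password involved, not flagged.
    {"user_name": "SVC_ETL", "event_timestamp": "2024-06-03T01:00:00Z",
     "first_authentication_factor": "RSA_KEYPAIR",
     "second_authentication_factor": None, "is_success": "YES"},
]

USERS = [
    {"name": "ALICE", "password_last_set_time": "2024-03-15T10:00:00Z"},
    {"name": "BOB", "password_last_set_time": "2020-02-10T10:00:00Z"},
    {"name": "CAROL", "password_last_set_time": None},    # SSO-only account
    {"name": "SVC_ETL", "password_last_set_time": None},  # key-pair-only account
]

# Fixed "now" so the report is reproducible; a real run would use datetime.now(timezone.utc).
NOW = datetime(2024, 6, 10, 12, 0, tzinfo=timezone.utc)


def _parse_ts(value):
    """Parse an ISO-8601 UTC timestamp; the 'Z' suffix is mapped for older Pythons."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def password_only_logins(rows):
    """Names of users who logged in successfully with a password and no second factor."""
    flagged = {
        r["user_name"] for r in rows
        if r["is_success"] == "YES"
        and r["first_authentication_factor"] == "PASSWORD"
        and not r["second_authentication_factor"]
    }
    return sorted(flagged)


def stale_passwords(users, now=NOW, max_age_days=365):
    """(name, age_in_days) for users whose local password is older than the assumed policy."""
    stale = []
    for u in users:
        if not u["password_last_set_time"]:
            continue  # no local password to rotate
        age = (now - _parse_ts(u["password_last_set_time"])).days
        if age > max_age_days:
            stale.append((u["name"], age))
    return stale


def audit(rows=LOGIN_HISTORY, users=USERS, now=NOW):
    """Combine both checks into one report keyed by user name."""
    report = {}
    for name in password_only_logins(rows):
        report.setdefault(name, []).append("password login without second factor")
    for name, age in stale_passwords(users, now):
        report.setdefault(name, []).append(f"password unchanged for {age} days")
    return report


if __name__ == "__main__":
    for name, findings in audit().items():
        print(name, "->", "; ".join(findings))
```

Only BOB is reported: a successful password-only login and a password last set in 2020, which is exactly the profile of an account whose credential could have been sitting in an infostealer log for years. The SSO and key-pair accounts are deliberately left out of the first check, since their second factor, if any, lives outside this data.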

Mandiant pinned the activity to a group it tracks as UNC5537, which may have some ties to Scattered Spider, but there isn't enough evidence to say so with any great certainty, we're told. ®
