PC streaming service Shadow discloses security breach
By Jay Peters, a news editor who writes about technology, video games, and virtual worlds. He’s submitted several accepted emoji proposals to the Unicode Consortium.
Shadow, which offers services that let you stream a Windows PC, has disclosed a security breach that led an attacker taking some private customer data. The company is sending emails to customers notifying them that a bad actor was able to extract their first and last name, email address, date of birth, billing address, and credit card expiration date.
Shadow’s CEO confirmed the breach in a statement to The Verge. “We were recently the victim of a highly sophisticated social engineering attack which led to the exfiltration of the database of one of our service providers, resulting in the unauthorized exposure of certain customer data,” Eric Sele says. “We have since then taken immediate steps to secure our systems, including reinforcing the security protocols we apply with all our service providers. Most importantly, no passwords or financial data have been compromised.”
Here’s what happened, according to the email sent to customers (which you can see on Reddit):
At the end of September, we were the victim of a social engineering attack targeting one of our employees. This highly sophisticated attack began on the Discord platform with the downloading of malware under cover of a game on the Steam platform, proposed by an acquaintance of our employee, himself a victim of the same attack.
Our security team took immediate action. Despite our actions, the attacker was able to exploit one of the stolen cookies to connect to the management interface of one of our SaaS providers. Thanks to this cookie, now deactivated, the attacker was able to extract, via our SaaS
Read more on theverge.com
