The Tokyo 2020 International Communications Team has termed false a report which stated that the Tokyo Olympics ticket portal leaked the user IDs and passwords of several fans, which were then posted on the dark web.
On Wednesday, Kyodo News, citing a government official, reported that user IDs and passwords stored in the Tokyo Olympics ticket portal were accessed by hackers who then posted the data on a dark web forum. The official told Kyodo News that the breach could enable malicious actors to obtain the names, addresses, and bank account details of ticket-bookers. The hackers, according to Kyodo News’ source, used the RedLine malware and other info-stealers to steal the data records.
The government official added that the Tokyo Olympics organising body is presently investigating the data breach. The Tokyo 2020 International Communications Team, however, refuted the report altogether. In a statement to ZDNet, a spokesperson from the team said, “We are aware of the incident and, after checking the facts, we can confirm that this was not a leak from Tokyo 2020’s system.
“While we have been liaising with the government and other relevant organisations on a regular basis, we have already taken measures in the form of password resets to limit any damage for the very limited number of IDs detected in this case based on the information supplied by the government,” he added.
Based on the official’s statement, it is now clear that certain user IDs and passwords were exposed to malicious actors and may have been misused, but the breach did not involve the compromise of a system operated by the organisers of Tokyo 2020.
“Any data breach is a big problem for the impacted organisation. Not only is their reputation at stake, but they also need to find out what happened, who is impacted, and notify them so that further issues can be avoided,” says Boris Cipot, a senior security engineer at Synopsys Software Integrity Group.
“It is known that login data, such as user ID and passwords, has been leaked. Although this data may not be considered critical by itself, it can be problematic if the attackers use this data to access users’ accounts. In this case, the exposed data extends to user names, passwords, financial data, etc.
“These types of credentials are often used for scamming the user to hand out further data, either with targeted or general phishing attacks. As there are officials amongst the ticket holders, there is the possibility of a targeted attack.
“It would be advisable for Olympic Games ticket holders to change their passwords across all other platforms they use, especially if they have reused the same password for multiple accounts. Another recommendation would be to avoid clicking links in emails, filling out forms, or opening attachments, especially from unknown or untrusted sources,” he added.