Cyber breaches abound in 2019
https://techcrunch.com/2018/12/26/cyber-breaches-abound-in-2019/
News of high-profile cyber breaches has been uncharacteristically subdued in recent quarters.
Is this a harbinger of a worse hacking landscape in 2019?
The answer is unequivocally yes. No question, cyber breaches have been a gigantic thorn in the global economy for years. But expect them to be even more rampant in this new year 2019 as chronically improving malware will be deployed more aggressively on more fronts. Also data-driven businesses simultaneously move into the “target zone” of cyber attacks.
On the cybersecurity side, a growing number of experts believe that multi-factor authentication will become the standard for all online businesses.
Here are links to some articles that can hopefully help you to handle your cyber security better:
Cybersecurity 101: Why you need to use a password manager
https://techcrunch.com/2018/12/25/cybersecurity-101-guide-password-manager/
Cybersecurity 101: Five simple security guides for protecting your privacy
https://techcrunch.com/2018/12/26/cybersecurity-101-security-guides-protect-privacy/
622 Comments
Tomi Engdahl says:
https://www.infosecurity-magazine.com/news/data-breach-at-bank-of-america/
Tomi Engdahl says:
Seller floods hacker forum with data stolen from 14 companies
https://www.bleepingcomputer.com/news/security/seller-floods-hacker-forum-with-data-stolen-from-14-companies/
A data breach broker is selling databases containing user records for
14 different companies he claimed were breached by hackers in 2020.
Tomi Engdahl says:
Facebook says 5,000 app developers got user data after cutoff date
https://www.zdnet.com/article/facebook-says-5000-app-developers-got-user-data-after-cutoff-date/
Social media giant Facebook disclosed on Wednesday a new user privacy
incident. The company said that it continued sharing user data with
approximately 5,000 developers even after their application’s access
expired.
Tomi Engdahl says:
MAZE RANSOMWARE OPERATORS ALLEGEDLY TARGETED NATIONAL HIGHWAYS
AUTHORITY OF INDIA (NHAI) DATA LEAK!!
https://cybleinc.com/2020/07/02/maze-ransomware-operators-allegedly-targeted-national-highways-authority-of-india-nhai-data-leak/
Update as on 07/02/2020: As part of our regular darkweb monitoring,
our researchers came across the data leak of National Highways
Authority of India (NHAI) been published by the Maze ransomware
operators.
Tomi Engdahl says:
Data Breach: Millions of Dating App Records, Messages, and User
Profiles Exposed in Data Leak
https://www.wizcase.com/blog/dating-breaches-research/
WizCases security team has recently uncovered breaches in 5 different
dating site and app databases. These leaks have compromised user data,
including sensitive and confidential information like real names,
billing addresses, email addresses, phone numbers, private messages,
and more. The total number of leaked entries is in the millions. Every
server was easily accessible via the internet and . not password
protected.
Tomi Engdahl says:
Report: Popular Gambling App Exposed Millions of Users in Massive Data
Leak
https://www.vpnmentor.com/blog/report-clubillion-leak/
The breach originated in a technical database built on an
Elasticsearch engine and was recording the daily activities of
millions of Clubillion players around the world.
Tomi Engdahl says:
VPN firm that claims zero logs policy leaks 20 million user logs
https://www.hackread.com/vpn-firm-zero-logs-policy-leaks-20-million-user-logs/
The VPN company in the discussion is a Hong Kong-based UFO VPN owned by Dreamfii HK Limited.
the database of a Hong Kong-based VPN provider called UFO VPN was exposed with more than 20 million users logs.
Discovered by researchers from Comparitech on July 1st, 2020; the exposure occurred due to the database hosted on an Elasticsearch cluster being left without any password.
Worth 894 GB, the data allegedly included plaintext passwords, IP addresses, timestamps of user connections, session tokens, information of the device, and OS being used along with geographical information in the form of tags.
This, as Comparitech has rightly pointed out, goes against the service provider’s privacy policy and the promises of a zero log policy it has communicated to its users:
UFO VPN does not collect, monitor, or log any traffic or use of its Virtual Private Network service, under any circumstances, on any platform.
For the future, hence, it remains to see if the firm improves its security practices and how many users jump ship. Users of the provider are suggested to immediately change their account passwords as they may be at risk.
Tomi Engdahl says:
Seven ‘no log’ VPN providers accused of leaking – yup, you guessed it – 1.2TB of user logs onto the internet >
Seven ‘no log’ VPN providers accused of leaking – yup, you guessed it – 1.2TB of user logs onto the internet
https://www.theregister.com/2020/07/17/ufo_vpn_database/
Maybe it was the old Lionel Hutz play: ‘No-logging VPN? I meant, no! Logging VPN!’
A string of “zero logging” VPN providers have some explaining to do after more than a terabyte of user logs were found on their servers unprotected and facing the public internet.
This data, we are told, included in at least some cases clear-text passwords, personal information, and lists of websites visited, all for anyone to stumble upon.
It all came to light this week after Comparitech’s Bob Diachenko spotted 894GB of records in an unsecured Elasticsearch cluster that belonged to UFO VPN.
Tomi Engdahl says:
VNSPN = Virtual Not So Private Network
Tomi Engdahl says:
‘Unforgivable’: The privacy breach that exposed sensitive details of WA’s virus fight
https://www.brisbanetimes.com.au/national/western-australia/unforgivable-the-privacy-breach-that-exposed-sensitive-details-of-wa-s-virus-fight-20200720-p55dsm.html
Sensitive medical details of scores of West Australians have been compromised in one of the state’s biggest privacy breaches, where thousands of state government communications were published on a public website.
They include details of people in quarantine, including phone numbers and addresses, and how their cases are being managed.
the breach also impacted St John Ambulance, the Department of Fire and Emergency Services and the Department of Justice.
“The breach of confidential data is associated with the use of a third-party pager service,”
“This is an extraordinary and unacceptable breach of privacy and questions the integrity of the coronavirus response in WA,”
A massive data breach in Western Australia has exposed the confidential records of patients and hospital staff online.
“The fact that this is even happening, and presumably there’s been a vulnerability since the get-go of the pandemic, speaks to the design of the response,”
Technology expert Trevor Long said he was stunned to see highly sensitive medical details “flying around” on an unsecured network.
“It’s almost outrageous to think that in this modern age these open and public systems would be used to disseminate this sort of information,” he said.
Tomi Engdahl says:
More than 20 million VPN users warned of massive data breach
https://www.9news.com.au/national/vpn-data-breach-more-than-20-million-users-warned-of-massive-privacy-breach-exclusive/379ac4ca-15d0-4c98-b03c-016f20da6572
It’s estimated around one billion online records have been exposed in a massive data breach, potentially affecting more than 20 million users of free Virtual Private Network (VPN) apps.
In a report provided to 9News, the researchers say the server was “completely open and accessible, exposing private user data for everyone to see”.
Report: No-Log VPNs Exposed Users’ Logs and Personal Details for All to See
https://www.vpnmentor.com/blog/report-free-vpns-leak/
A group of free VPN (virtual private network) apps left their server completely open and accessible, exposing private user data for anyone to see.
Each of these VPNs claims that their services are “no-log” VPNs, which means that they don’t record any user activity on their respective apps. However, we found multiple instances of internet activity logs on their shared server. This was in addition to the PII data, which included email addresses, clear text passwords, IP addresses, home addresses, phone models, device ID, and other technical details.
The VPNs affected are UFO VPN, FAST VPN, Free VPN, Super VPN, Flash VPN, Secure VPN, and Rabbit VPN – all of which appear to be connected by a common app developer and white-labeled for other companies.
Tomi Engdahl says:
Nice to know your ancestry but not nice to have your ancestry data exposed.
Software firm leaks 25GB worth of subscription & Ancestry.com user data
https://www.hackread.com/software-firm-leaks-ancestry-com-user-data/
The data was leaked due to a misconfiguration on an ElasticSearch server.
Researchers at cybersecurity firm WizCase discovered a misconfigured cloud server that exposed exclusive customers data of a US-based tech firm that manages the famous Family Tree Maker software, also called FTM.
approximately 60,000 MacKiev users are reportedly affected
The leaked data included sensitive user details
Remember, cybercriminals hunt for vulnerable systems and exposed databases and demand ransom after taking over them. Earlier this month, 47% (about 22,900) of MongoDB databases were hacked and being used by hackers to demand ransom from their owners.
Tomi Engdahl says:
UFO VPN was caught saving and leaking user logs despite complaining strictly no-log policy.
https://www.hackread.com/hackers-destroy-ufo-vpn-database-meow-attack/
Tomi Engdahl says:
17 million CouchSurfing users’ data for sale on data sharing forum
https://cloudsek.com/threatintelligence/17-million-couchsurfing-users-data-for-sale-on-data-sharing-forum/
CloudSEK’s flagship digital risk monitoring platform XVigil discovered a post, on a surface web database marketplace, advertising the information of 16.99 million unique CouchSurfing users.
Tomi Engdahl says:
New breach: Digital banking app “Dave” was breached last month with 7.5M rows (3M email addresses) exposed and publicly shared. Also impacted were physical addresses, encrypted SSNs and bcrypt password hashes. 77% were already in @haveibeenpwned. More: https://t.co/D7fsMkEHyC
Tomi Engdahl says:
Disney, Microsoft, Nintendo and 50 more hit by massive source code leak
https://www.tomsguide.com/news/companies-source-code-leak
More than 50 high-profile companies have had their software source code made freely available online, partly as the result of incorrectly configured infrastructure.
Software source code belonging to household names such as Adobe, Microsoft, Lenovo, Qualcomm, AMD, Motorola, GE Appliances, Nintendo, Disney, Daimler, Roblox and many other companies was collected and placed in an online repository
https://www.bleepingcomputer.com/news/security/source-code-from-dozens-of-companies-leaked-online/
Tomi Engdahl says:
Imagine having SQLi in 2020. Imagine leaking a shitload of GitHub and GitLab OAuth tokens from everyone who installed your dumb developer productivity tracker app.
Hackers stole GitHub and GitLab OAuth tokens from Git analytics firm Waydev
https://www.zdnet.com/article/hackers-stole-github-and-gitlab-oauth-tokens-from-git-analytics-firm-waydev/
OAuth tokens have been abused for intrusions at least two other companies, Dave.com and Flood.io.
Waydev, an analytics platform used by software companies, has disclosed a security breach earlier this month.
The company says that hackers broke into its platform and stole GitHub and GitLab OAuth tokens from its internal database.
HACKERS PIVOTED FROM WAYDEV TO OTHER COMPANIES
Waydev CEO and co-founder Alex Circei told ZDNet today in a phone call that hackers used a blind SQL injection vulnerability to gain access to its database, from where they stole GitHub and GitLab OAuth tokens.
The hackers then used some of these tokens to pivot to other companies’ codebases and gain access to their source code projects.
GITHUB’S SECURITY TEAM DISCOVERED THE BREACH
Circei says that based on current evidence, the hackers appear to have gained access only to a small subset of its customer codebases.
At the time of writing, two companies have reported security breaches this month and blamed the incident on Waydev — loan app Dave.com and software testing service Flood.io.
Waydev said it also notified US authorities about the security breach.
“Due to GitHub’s privacy policy, they will inform the affected users personally,” Waydev said. “If you were affected by the attackers please contact us at [email protected] in order to connect you with the authorities.”
Tomi Engdahl says:
Alcohol delivery service Drizly confirms data breach
https://techcrunch.com/2020/07/28/drizly-data-breach/?tpcc=ECFB2020
In an email to customers obtained by TechCrunch, the company said that a hacker “obtained” some customer data. The hacker took customer email addresses, date-of-birth, hashed passwords, and in some cases delivery address, the email read.
Drizly did not say when the hack occurred or how many accounts were affected
The company said that no financial data was taken in the breach. But a listing on a dark web marketplace from a well-known seller of stolen data claims otherwise.
Tomi Engdahl says:
Reply-All storm flares as email announcing privacy policy puts 500 addresses in the ‘To’ field, not ‘BCC’
Newsletter-as-a-service outfit Substack does the usual apologising
https://www.theregister.com/2020/07/29/substack_privacy_fail/
Some advice from The Register: when announcing a new privacy policy don’t do so with emails that reveal 500 addresses in the “To” field of the message.
There may be some upside for Substack in the fact that many of the email addresses it exposed belong to people who have senior roles in major corporations, the Trump administration, governments and even a few media outlets that might on their best days be more prestigious than The Register. But while the company can say it has attracted quality readers, it has also ticked them off.
Tomi Engdahl says:
Meanwhile #Ledger has suffered a data breach in which around 1 million email address and other sensitive data has been stolen.
https://www.hackread.com/crypto-wallet-ledger-data-breach-hackers-steal-data/
Tomi Engdahl says:
The treasure trove of information isn’t without controversy
An unprecedented Nintendo leak turns into a moral dilemma for archivists
https://www.theverge.com/2020/7/30/21347074/nintendo-gigaleak-controversy-history-preservation-archives
The treasure trove of information isn’t without controversy
For the past week, Nintendo fans have resembled digital archaeologists. Following a massive leak of source code and other internal documents — appropriately dubbed the gigaleak — previously unknown details from the company’s biggest games have steadily trickled out. Those poring over the code have uncovered a new Animal Crossing villager, early prototypes for games like Pokémon Diamond, cut characters from Star Fox, a very weird Yoshi, and strange titles like a hockey RPG. Perhaps the biggest discovery has been a Luigi character model from Super Mario 64.
From a historical and preservationist perspective, the leak is an incredible find. It’s a rare look into the process and discarded ideas of one of the most influential — and secretive — companies in video games. But for those preservationists digging through the data, that excitement is tainted by a moral dilemma. The origins of the code leak are still largely unknown, but it’s likely that it was obtained illegally. That presents a pertinent question: does the source of the leak tarnish all that historians can learn from it?
Tomi Engdahl says:
people are just too dumb to use e-mail correctly
Shouldn’t have gone with the cheapest contractor?
Glitch leads to leak of more than 170 Hillsborough students’ personal data
https://www.tampabay.com/news/education/2020/07/31/glitch-leads-to-leak-of-more-than-170-hillsborough-students-personal-data/
Dozens of parents who applied for their child to attend the district’s virtual school received slew of emails with links to other students’ application forms.
TAMPA — A coding error resulted in the leak of personal data of 173 Hillsborough County students who have applied to the district’s virtual school, officials acknowledged Friday.
The leak has alarmed parents who saw that their own child’s application was among those sent to dozens of other email addresses. It has led to calls for the district to pay for identity theft protection for affected students.
The emails allowed him to click on a link and view any of the students’ applications. It was not until an hour later that the links were disabled.
“My biggest concern would be that personal information of our son was at least momentarily available for anyone to get,” Wagner said. “If that’s the case, I want to make sure he has some form of identity protection in place so his information and our information remains secure.
School district spokeswoman Tanya Arja said the glitch was a human coding error made by an outside contractor.
“We take this incident very seriously,” Arja said. “As soon as we were notified of the inadvertent disclosure, we disabled the link.
Tomi Engdahl says:
British Dental Association members targeted by hackers
https://www.bbc.com/news/technology-53652254
Dentists’ bank account numbers and correspondence with a trade body are feared to have been stolen by hackers.
The British Dental Association has told its members that it is still not sure exactly what was accessed in a breach on 30 July.
A spokeswoman told the BBC it was possible that information about patients was exposed, but was vague about the potential context.
The BDA’s website has been offline since the attack.
The BDA does not hold full patient records.
“Owing to the sophistication of these criminals, we cannot, as yet, confirm the full extent of information that has been accessed,” he added in the email memo.
Tomi Engdahl says:
https://www.hackread.com/intel-leaks-hacker-posts-intel-source-code-files-online/
Tomi Engdahl says:
Just not even surprised anymore… [https://www.bleepingcomputer.com/news/security/sans-infosec-training-org-suffers-data-breach-after-phishing-attack/](https://www.bleepingcomputer.com/news/security/sans-infosec-training-org-suffers-data-breach-after-phishing-attack/)
Tomi Engdahl says:
10 billion records exposed in unsecured databases, study says
https://www.welivesecurity.com/2020/07/30/10-billion-records-exposed-unsecured-databases/
Researchers have found close to 10.5 billion pieces of consumer data
that has been left sitting in almost 10,000 unsecured internet-facing
databases hosted across 20 countries. The data is said to include
email addresses, passwords, and phone numbers. The study was conducted
by NordPass between June 2019 and June 2020 in cooperation with an
unnamed white hat hacker, who scanned the web for Elasticsearch and
MongoDB libraries in search of misconfigured databases.
Tomi Engdahl says:
Leaky AWS S3 buckets are so common, they’re being found by the
thousands now with lots of buried secrets
https://www.theregister.com/2020/08/03/leaky_s3_buckets/
Misconfigured AWS S3 storage buckets exposing massive amounts of data
to the internet are like an unexploded bomb just waiting to go off,
say experts. The team at Truffle Security said its automated search
tools were able to stumble across some 4,000 open Amazon-hosted S3
buckets that included data companies would not want public things
like login credentials, security keys, and API keys.
Tomi Engdahl says:
Ransomware gang publishes tens of GBs of internal data from LG and
Xerox
https://www.zdnet.com/article/ransomware-gang-publishes-tens-of-gbs-of-internal-data-from-lg-and-xerox/
The operators of the Maze ransomware have published today tens of GB
of internal data from the networks of enterprise business giants LG
and Xerox following two failed extortion attempts. The hackers leaked
50.2 GB they claim to have stolen from LG’s internal network, and 25.8
GB of Xerox data. While LG issued a generic statement to ZDNet in
June, neither company wanted to talk about the incident in great depth
today.
Tomi Engdahl says:
Hacker leaks passwords for 900+ enterprise VPN servers
https://www.zdnet.com/article/hacker-leaks-passwords-for-900-enterprise-vpn-servers/
A hacker has published today a list of plaintext usernames and
passwords, along with IP addresses for more than 900 Pulse Secure VPN
enterprise servers. ZDNet, which obtained a copy of this list with the
help of threat intelligence firm KELA, verified its authenticity with
multiple sources in the cyber-security community.
Tomi Engdahl says:
Canon hit by Maze Ransomware attack, 10TB data allegedly stolen
https://www.bleepingcomputer.com/news/security/canon-hit-by-maze-ransomware-attack-10tb-data-allegedly-stolen/
Canon has suffered a ransomware attack that impacts numerous services,
including Canon’s email, Microsoft Teams, USA website, and other
internal applications. BleepingComputer has been tracking a suspicious
outage on Canon’s image.canon cloud photo and video storage service
resulting in the loss of data for users of their free 10GB storage
feature. The image.canon site suffered an outage on July 30th, 2020,
and over six days, the site would show status updates until it went
back in service yesterday, August 4th.. Also:
https://www.forbes.com/sites/daveywinder/2020/08/05/has-canon-suffered-a-ransomware-attack-10tb-of-data-alleged-stolen-report/
Tomi Engdahl says:
Intel investigating breach after 20GB of internal documents leak
online
https://www.zdnet.com/article/intel-investigating-breach-after-20gb-of-internal-documents-leak-online/
US chipmaker Intel is investigating a security breach after earlier
today 20 GB of internal documents, with some marked “confidential” or
“restricted secret,” were uploaded online on file-sharing site MEGA.
The data was published by Till Kottmann, a Swiss software engineer,
who said he received the files from an anonymous hacker who claimed to
have breached Intel earlier this year.. Also:
https://www.theregister.com/2020/08/06/intel_source_code_leak/
Tomi Engdahl says:
Intel NDA blueprints 20GB of source code, schematics, specs, docs
spill onto web from partners-only vault
https://www.theregister.com/2020/08/06/intel_nda_source_code_leak/
Updated Switzerland-based IT consultant Tillie Kottmann on Thursday
published a trove of confidential Intel technical material, code, and
documents related to various processors and chipsets. “They were given
to me by an anonymous source who breached them earlier this year, more
details about this will be published soon, ” Kottmann wrote on
Twitter, suggesting someone had broken into Intel’s systems and
siphoned off the material. More leaks of secret Intel documents are
promised.. Read also:
https://threatpost.com/hackers-dump-20gb-of-intels-confidential-data-online/158178/.
As well as:
https://arstechnica.com/information-technology/2020/08/intel-is-investigating-the-leak-of-20gb-of-its-source-code-and-private-data/
Tomi Engdahl says:
Chinese Hackers Have Pillaged Taiwan’s Semiconductor Industry
https://www.wired.com/story/chinese-hackers-taiwan-semiconductor-industry-skeleton-key/
A campaign called Operation Skeleton Key has stolen source code,
software development kits, chip designs, and more. Read also:
https://www.zdnet.com/article/black-hat-hackers-are-now-using-cobalt-strike-and-skeleton-keys-to-target-semiconductor-firms/
Tomi Engdahl says:
Blackbaud data breach: What you should know
https://www.welivesecurity.com/2020/08/06/blackbaud-data-breach-what-you-should-know/
Blackbaud, a cloud software company, disclosed that they had been the
victim of an attempted ransomware attack. Between their cybersecurity
team, a forensics expert and law enforcement it was successfully
thwarted. Unfortunately, the perpetrator, before being locked out,
copied a subset of data which they then offered to delete for an
undisclosed sum of money. Blackbaud paid the ransom-to-delete and
received confirmation the data had been destroyed. They claim to have
taken this action because “protecting our customers’ data is our top
priority”. Read also: https://www.blackbaud.com/securityincident
Tomi Engdahl says:
An August 10 posting on a cybercrime forum says it is giving away stolen databases, containing a total of 240,000 records from the Utah Gun Exchange, for free. The same hacker is also offering two other smaller stolen databases, one from a hunting site and another from a “kratom” herb site, again with no payment required.
Gun Owners Beware—Hacker Offers 240,000 Stolen Records On Crime Forum: Report
https://www.forbes.com/sites/daveywinder/2020/08/15/gun-owners-beware-hacker-offers-240000-stolen-records-on-dark-web-report-utah-gun-exchange-amazon-cloud/
A Bleeping Computer report has warned that users of a popular gun exchange site may have had their email addresses, usernames and passwords stolen.
An August 10 posting on a cybercrime forum says it is giving away stolen databases, containing a total of 240,000 records from the Utah Gun Exchange, for free. The same hacker is also offering two other smaller stolen databases, one from a hunting site and another from a “kratom” herb site, again with no payment required.
Tomi Engdahl says:
Hackers Stole 1 Terabyte Of Data From Billion-Dollar U.S. Liquor Maker
https://www.forbes.com/sites/leemathews/2020/08/17/brown-forman-hacked-1tb-data-stolen/
The REvil ransomware gang has struck again. This time the victim is
Brown-Forman, the 150-year-old Kentucky-based company behind such
brands as Jack Daniels, Finlandia vodka and Korbel champagne.. see
also
https://www.bleepingcomputer.com/news/security/us-spirits-and-wine-giant-hit-by-cyberattack-1tb-of-data-stolen/
Tomi Engdahl says:
AI Company Leaks Over 2.5 Million Medical Records
https://it.slashdot.org/story/20/08/18/2115229/ai-company-leaks-over-25-million-medical-records?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot%2Fto+%28%28Title%29Slashdot+%28rdf%29%29
Report: AI Company Leaks Over 2.5M Medical Records
https://www.pcmag.com/news/report-ai-company-leaks-over-25m-medical-records
The leaked data relates to car accidents and includes names, insurance records, medical diagnosis notes, and payment records.
Tomi Engdahl says:
UK class action style claim filed over Marriott data breach
https://tcrn.ch/323NPYZ
A class action style suit has been filed in the UK against hotel group Marriott International over a massive data breach that exposed the information of some 500 million guests around the world, including around 30 million residents of the European Union, between July 2014 and September 2018.
Tomi Engdahl says:
LiveAuctioneers data breach: Millions of cracked passwords for sale, say researchers
https://portswigger.net/daily-swig/liveauctioneers-data-breach-millions-of-cracked-passwords-for-sale-say-researchers
LiveAuctioneers, an online antiques marketplace, has revealed that it suffered a data breach that security researchers have claimed includes the personal data and cracked passwords of millions of users.
In a security alert published on Saturday (July 11), LiveAuctioneers said that “encrypted passwords” had been stolen along with names, email addresses, mailing addresses, and phone numbers.
Tomi Engdahl says:
Free photos, graphics site Freepik discloses data breach impacting
8.3m users
https://www.zdnet.com/article/free-photos-graphics-site-freepik-discloses-data-breach-impacting-8-3m-users/
Freepik, a website dedicated to providing access to high-quality free
photos and design graphics, has disclosed today a major security
breach. The company made it official after users started grumbling on
social media this week about receiving shady-looking breach
notification emails in their inboxes.. Also:
https://www.bleepingcomputer.com/news/security/freepik-data-breach-hackers-stole-83m-records-via-sql-injection/
Tomi Engdahl says:
Hackers Leak Alleged Internal Files of Chinese Social Media Monitoring
Firms
https://www.vice.com/en_us/article/dyzewz/hackers-leak-alleged-internal-files-of-chinese-social-media-monitoring-firms
A group of hackers says they have obtained internal files from three
Chinese social media monitoring companies. After leaking some of the
documents, the group was banned by Twitter under its hacked files
policy, however, Motherboard has been unable to confirm the
authenticity of the documents.
Tomi Engdahl says:
350 million decrypted email addresses left exposed on an unsecured
server
https://securityaffairs.co/wordpress/107604/data-breach/email-addresses-data-leak.html
Experts found an unsecured data bucket containing seven gigabytes
worth of unencrypted files that include 350, 000, 000 strings of
unique email addresses. The timeline of uploads might indicate that
these emails have been either stolen or acquired on the black market
back in October 2018, and then gradually decrypted by the owner of the
bucket. The unsecured bucket was located in the US and hosted on an
Amazon S3 server that has been exposed for what seems to be at least
an 18-month period.
Tomi Engdahl says:
Data breach exposes tens of thousands of NSW driver’s licences online
https://www.abc.net.au/news/2020-09-01/nsw-drivers-licence-data-breach-under-investigation/12611918
Tomi Engdahl says:
and amazon is perfectly safe, secure, and protects peoples privacy…..
https://www.abc.net.au/news/2020-09-01/nsw-drivers-licence-data-breach-under-investigation/12611918
Tomi Engdahl says:
US cell carrier Assist Wireless exposed thousands of customer IDs
https://techcrunch.com/2020/09/02/assist-wireless-customer-data-exposed/?tpcc=ECFB2020
Tomi Engdahl says:
Warner Music Group finds hackers compromised its online stores
https://www.bleepingcomputer.com/news/security/warner-music-group-finds-hackers-compromised-its-online-stores/
Warner Music Group (WMG), the third-largest global music recording
company, has disclosed a data breach affecting customers’ personal and
financial information after several of its US-based e-commerce stores
were hacked in April 2020 in what looks like a Magecart attack.
Tomi Engdahl says:
A United Airlines website bug may have exposed about 100,000 customers’ ticket data, a new report claims
https://www.businessinsider.com/united-airlines-website-bug-refund-data-2020-9
A security flaw on United Airlines’ website allowed users to see other traveler’s ticket information, according to a report from TechCrunch.
The flaw, on the page that lets users check the status of refunds, was found by an IT researcher who estimates that 100,000 users’ records were visible.
United said that no sensitive user information was accessed improperly.
United Airlines’ website bug exposed traveler ticket data
http://social.techcrunch.com/2020/09/10/united-website-bug-tickets/
A bug in United Airlines’ website let anyone access the ticket information for travelers who requested a refund.
The airline’s website lets users check their refund status by entering their ticket number and last name. But the website wasn’t validating the last name, making it possible to access other travelers’ refund information by changing the ticket number.
Tomi Engdahl says:
Razer Gaming Fans Caught Up in Data Leak
https://threatpost.com/razer-gaming-fans-data-leak/159147/
A cloud misconfiguration at the gaming-gear merchant potentially
exposed 100,000 customers to phishing and fraud.
Tomi Engdahl says:
Leaky server exposes users of dating site network
https://www.zdnet.com/article/leaky-server-exposes-users-of-dating-site-network/
Personal details of hundreds of thousands of dating site users were
temporarily exposed online earlier this month.
Tomi Engdahl says:
A bug in Joe Biden’s campaign app gave anyone access to millions of voter files
The bug is now fixed.
https://techcrunch.com/2020/09/14/biden-app-voter-files/?tpcc=ECFB2020