Cyber breaches abound in 2019

Cyber breaches abound in 2019
https://techcrunch.com/2018/12/26/cyber-breaches-abound-in-2019/

News of high-profile cyber breaches has been uncharacteristically subdued in recent quarters.

Is this a harbinger of a worse hacking landscape in 2019?

The answer is unequivocally yes. No question, cyber breaches have been a gigantic thorn in the global economy for years. But expect them to be even more rampant in this new year 2019 as chronically improving malware will be deployed more aggressively on more fronts. Also  data-driven businesses simultaneously move into the “target zone” of cyber attacks.

On the cybersecurity side, a growing number of experts believe that multi-factor authentication will become the standard for all online businesses.

Here are links to some articles that can hopefully help you to handle your cyber security better:

Cybersecurity 101: Why you need to use a password manager
https://techcrunch.com/2018/12/25/cybersecurity-101-guide-password-manager/

Cybersecurity 101: Five simple security guides for protecting your privacy
https://techcrunch.com/2018/12/26/cybersecurity-101-security-guides-protect-privacy/

622 Comments

  1. Tomi Engdahl says:

    Seller floods hacker forum with data stolen from 14 companies
    https://www.bleepingcomputer.com/news/security/seller-floods-hacker-forum-with-data-stolen-from-14-companies/
    A data breach broker is selling databases containing user records for
    14 different companies he claimed were breached by hackers in 2020.

    Reply
  2. Tomi Engdahl says:

    Facebook says 5,000 app developers got user data after cutoff date
    https://www.zdnet.com/article/facebook-says-5000-app-developers-got-user-data-after-cutoff-date/
    Social media giant Facebook disclosed on Wednesday a new user privacy
    incident. The company said that it continued sharing user data with
    approximately 5,000 developers even after their application’s access
    expired.

    Reply
  3. Tomi Engdahl says:

    MAZE RANSOMWARE OPERATORS ALLEGEDLY TARGETED NATIONAL HIGHWAYS
    AUTHORITY OF INDIA (NHAI) DATA LEAK!!
    https://cybleinc.com/2020/07/02/maze-ransomware-operators-allegedly-targeted-national-highways-authority-of-india-nhai-data-leak/
    Update as on 07/02/2020: As part of our regular darkweb monitoring,
    our researchers came across the data leak of National Highways
    Authority of India (NHAI) been published by the Maze ransomware
    operators.

    Reply
  4. Tomi Engdahl says:

    Data Breach: Millions of Dating App Records, Messages, and User
    Profiles Exposed in Data Leak
    https://www.wizcase.com/blog/dating-breaches-research/
    WizCases security team has recently uncovered breaches in 5 different
    dating site and app databases. These leaks have compromised user data,
    including sensitive and confidential information like real names,
    billing addresses, email addresses, phone numbers, private messages,
    and more. The total number of leaked entries is in the millions. Every
    server was easily accessible via the internet and . not password
    protected.

    Reply
  5. Tomi Engdahl says:

    Report: Popular Gambling App Exposed Millions of Users in Massive Data
    Leak
    https://www.vpnmentor.com/blog/report-clubillion-leak/
    The breach originated in a technical database built on an
    Elasticsearch engine and was recording the daily activities of
    millions of Clubillion players around the world.

    Reply
  6. Tomi Engdahl says:

    VPN firm that claims zero logs policy leaks 20 million user logs
    https://www.hackread.com/vpn-firm-zero-logs-policy-leaks-20-million-user-logs/

    The VPN company in the discussion is a Hong Kong-based UFO VPN owned by Dreamfii HK Limited.

    the database of a Hong Kong-based VPN provider called UFO VPN was exposed with more than 20 million users logs.

    Discovered by researchers from Comparitech on July 1st, 2020; the exposure occurred due to the database hosted on an Elasticsearch cluster being left without any password.

    Worth 894 GB, the data allegedly included plaintext passwords, IP addresses, timestamps of user connections, session tokens, information of the device, and OS being used along with geographical information in the form of tags.

    This, as Comparitech has rightly pointed out, goes against the service provider’s privacy policy and the promises of a zero log policy it has communicated to its users:

    UFO VPN does not collect, monitor, or log any traffic or use of its Virtual Private Network service, under any circumstances, on any platform.

    For the future, hence, it remains to see if the firm improves its security practices and how many users jump ship. Users of the provider are suggested to immediately change their account passwords as they may be at risk.

    Reply
  7. Tomi Engdahl says:

    Seven ‘no log’ VPN providers accused of leaking – yup, you guessed it – 1.2TB of user logs onto the internet >

    Seven ‘no log’ VPN providers accused of leaking – yup, you guessed it – 1.2TB of user logs onto the internet
    https://www.theregister.com/2020/07/17/ufo_vpn_database/

    Maybe it was the old Lionel Hutz play: ‘No-logging VPN? I meant, no! Logging VPN!’

    A string of “zero logging” VPN providers have some explaining to do after more than a terabyte of user logs were found on their servers unprotected and facing the public internet.

    This data, we are told, included in at least some cases clear-text passwords, personal information, and lists of websites visited, all for anyone to stumble upon.

    It all came to light this week after Comparitech’s Bob Diachenko spotted 894GB of records in an unsecured Elasticsearch cluster that belonged to UFO VPN.

    Reply
  8. Tomi Engdahl says:

    VNSPN = Virtual Not So Private Network

    Reply
  9. Tomi Engdahl says:

    ‘Unforgivable’: The privacy breach that exposed sensitive details of WA’s virus fight
    https://www.brisbanetimes.com.au/national/western-australia/unforgivable-the-privacy-breach-that-exposed-sensitive-details-of-wa-s-virus-fight-20200720-p55dsm.html

    Sensitive medical details of scores of West Australians have been compromised in one of the state’s biggest privacy breaches, where thousands of state government communications were published on a public website.

    They include details of people in quarantine, including phone numbers and addresses, and how their cases are being managed.

    the breach also impacted St John Ambulance, the Department of Fire and Emergency Services and the Department of Justice.

    “The breach of confidential data is associated with the use of a third-party pager service,”

    “This is an extraordinary and unacceptable breach of privacy and questions the integrity of the coronavirus response in WA,”

    A massive data breach in Western Australia has exposed the confidential records of patients and hospital staff online.

    “The fact that this is even happening, and presumably there’s been a vulnerability since the get-go of the pandemic, speaks to the design of the response,”

    Technology expert Trevor Long said he was stunned to see highly sensitive medical details “flying around” on an unsecured network.

    “It’s almost outrageous to think that in this modern age these open and public systems would be used to disseminate this sort of information,” he said.

    Reply
  10. Tomi Engdahl says:

    More than 20 million VPN users warned of massive data breach
    https://www.9news.com.au/national/vpn-data-breach-more-than-20-million-users-warned-of-massive-privacy-breach-exclusive/379ac4ca-15d0-4c98-b03c-016f20da6572

    It’s estimated around one billion online records have been exposed in a massive data breach, potentially affecting more than 20 million users of free Virtual Private Network (VPN) apps.

    In a report provided to 9News, the researchers say the server was “completely open and accessible, exposing private user data for everyone to see”.

    Report: No-Log VPNs Exposed Users’ Logs and Personal Details for All to See
    https://www.vpnmentor.com/blog/report-free-vpns-leak/

    A group of free VPN (virtual private network) apps left their server completely open and accessible, exposing private user data for anyone to see.

    Each of these VPNs claims that their services are “no-log” VPNs, which means that they don’t record any user activity on their respective apps. However, we found multiple instances of internet activity logs on their shared server. This was in addition to the PII data, which included email addresses, clear text passwords, IP addresses, home addresses, phone models, device ID, and other technical details.

    The VPNs affected are UFO VPN, FAST VPN, Free VPN, Super VPN, Flash VPN, Secure VPN, and Rabbit VPN – all of which appear to be connected by a common app developer and white-labeled for other companies.

    Reply
  11. Tomi Engdahl says:

    Nice to know your ancestry but not nice to have your ancestry data exposed.

    Software firm leaks 25GB worth of subscription & Ancestry.com user data
    https://www.hackread.com/software-firm-leaks-ancestry-com-user-data/

    The data was leaked due to a misconfiguration on an ElasticSearch server.

    Researchers at cybersecurity firm WizCase discovered a misconfigured cloud server that exposed exclusive customers data of a US-based tech firm that manages the famous Family Tree Maker software, also called FTM.

    approximately 60,000 MacKiev users are reportedly affected

    The leaked data included sensitive user details

    Remember, cybercriminals hunt for vulnerable systems and exposed databases and demand ransom after taking over them. Earlier this month, 47% (about 22,900) of MongoDB databases were hacked and being used by hackers to demand ransom from their owners.

    Reply
  12. Tomi Engdahl says:

    UFO VPN was caught saving and leaking user logs despite complaining strictly no-log policy.
    https://www.hackread.com/hackers-destroy-ufo-vpn-database-meow-attack/

    Reply
  13. Tomi Engdahl says:

    17 million CouchSurfing users’ data for sale on data sharing forum
    https://cloudsek.com/threatintelligence/17-million-couchsurfing-users-data-for-sale-on-data-sharing-forum/

    CloudSEK’s flagship digital risk monitoring platform XVigil discovered a post, on a surface web database marketplace, advertising the information of 16.99 million unique CouchSurfing users.

    Reply
  14. Tomi Engdahl says:

    New breach: Digital banking app “Dave” was breached last month with 7.5M rows (3M email addresses) exposed and publicly shared. Also impacted were physical addresses, encrypted SSNs and bcrypt password hashes. 77% were already in @haveibeenpwned. More: https://t.co/D7fsMkEHyC

    Reply
  15. Tomi Engdahl says:

    Disney, Microsoft, Nintendo and 50 more hit by massive source code leak
    https://www.tomsguide.com/news/companies-source-code-leak

    More than 50 high-profile companies have had their software source code made freely available online, partly as the result of incorrectly configured infrastructure.

    Software source code belonging to household names such as Adobe, Microsoft, Lenovo, Qualcomm, AMD, Motorola, GE Appliances, Nintendo, Disney, Daimler, Roblox and many other companies was collected and placed in an online repository

    https://www.bleepingcomputer.com/news/security/source-code-from-dozens-of-companies-leaked-online/

    Reply
  16. Tomi Engdahl says:

    Imagine having SQLi in 2020. Imagine leaking a shitload of GitHub and GitLab OAuth tokens from everyone who installed your dumb developer productivity tracker app.

    Hackers stole GitHub and GitLab OAuth tokens from Git analytics firm Waydev
    https://www.zdnet.com/article/hackers-stole-github-and-gitlab-oauth-tokens-from-git-analytics-firm-waydev/

    OAuth tokens have been abused for intrusions at least two other companies, Dave.com and Flood.io.

    Waydev, an analytics platform used by software companies, has disclosed a security breach earlier this month.

    The company says that hackers broke into its platform and stole GitHub and GitLab OAuth tokens from its internal database.

    HACKERS PIVOTED FROM WAYDEV TO OTHER COMPANIES

    Waydev CEO and co-founder Alex Circei told ZDNet today in a phone call that hackers used a blind SQL injection vulnerability to gain access to its database, from where they stole GitHub and GitLab OAuth tokens.

    The hackers then used some of these tokens to pivot to other companies’ codebases and gain access to their source code projects.

    GITHUB’S SECURITY TEAM DISCOVERED THE BREACH

    Circei says that based on current evidence, the hackers appear to have gained access only to a small subset of its customer codebases.

    At the time of writing, two companies have reported security breaches this month and blamed the incident on Waydev — loan app Dave.com and software testing service Flood.io.

    Waydev said it also notified US authorities about the security breach.

    “Due to GitHub’s privacy policy, they will inform the affected users personally,” Waydev said. “If you were affected by the attackers please contact us at [email protected] in order to connect you with the authorities.”

    Reply
  17. Tomi Engdahl says:

    Alcohol delivery service Drizly confirms data breach
    https://techcrunch.com/2020/07/28/drizly-data-breach/?tpcc=ECFB2020

    In an email to customers obtained by TechCrunch, the company said that a hacker “obtained” some customer data. The hacker took customer email addresses, date-of-birth, hashed passwords, and in some cases delivery address, the email read.

    Drizly did not say when the hack occurred or how many accounts were affected

    The company said that no financial data was taken in the breach. But a listing on a dark web marketplace from a well-known seller of stolen data claims otherwise.

    Reply
  18. Tomi Engdahl says:

    Reply-All storm flares as email announcing privacy policy puts 500 addresses in the ‘To’ field, not ‘BCC’
    Newsletter-as-a-service outfit Substack does the usual apologising
    https://www.theregister.com/2020/07/29/substack_privacy_fail/

    Some advice from The Register: when announcing a new privacy policy don’t do so with emails that reveal 500 addresses in the “To” field of the message.

    There may be some upside for Substack in the fact that many of the email addresses it exposed belong to people who have senior roles in major corporations, the Trump administration, governments and even a few media outlets that might on their best days be more prestigious than The Register. But while the company can say it has attracted quality readers, it has also ticked them off.

    Reply
  19. Tomi Engdahl says:

    Meanwhile #Ledger has suffered a data breach in which around 1 million email address and other sensitive data has been stolen.

    https://www.hackread.com/crypto-wallet-ledger-data-breach-hackers-steal-data/

    Reply
  20. Tomi Engdahl says:

    The treasure trove of information isn’t without controversy

    An unprecedented Nintendo leak turns into a moral dilemma for archivists
    https://www.theverge.com/2020/7/30/21347074/nintendo-gigaleak-controversy-history-preservation-archives

    The treasure trove of information isn’t without controversy

    For the past week, Nintendo fans have resembled digital archaeologists. Following a massive leak of source code and other internal documents — appropriately dubbed the gigaleak — previously unknown details from the company’s biggest games have steadily trickled out. Those poring over the code have uncovered a new Animal Crossing villager, early prototypes for games like Pokémon Diamond, cut characters from Star Fox, a very weird Yoshi, and strange titles like a hockey RPG. Perhaps the biggest discovery has been a Luigi character model from Super Mario 64.

    From a historical and preservationist perspective, the leak is an incredible find. It’s a rare look into the process and discarded ideas of one of the most influential — and secretive — companies in video games. But for those preservationists digging through the data, that excitement is tainted by a moral dilemma. The origins of the code leak are still largely unknown, but it’s likely that it was obtained illegally. That presents a pertinent question: does the source of the leak tarnish all that historians can learn from it?

    Reply
  21. Tomi Engdahl says:

    people are just too dumb to use e-mail correctly

    Shouldn’t have gone with the cheapest contractor?

    Glitch leads to leak of more than 170 Hillsborough students’ personal data
    https://www.tampabay.com/news/education/2020/07/31/glitch-leads-to-leak-of-more-than-170-hillsborough-students-personal-data/

    Dozens of parents who applied for their child to attend the district’s virtual school received slew of emails with links to other students’ application forms.

    TAMPA — A coding error resulted in the leak of personal data of 173 Hillsborough County students who have applied to the district’s virtual school, officials acknowledged Friday.

    The leak has alarmed parents who saw that their own child’s application was among those sent to dozens of other email addresses. It has led to calls for the district to pay for identity theft protection for affected students.

    The emails allowed him to click on a link and view any of the students’ applications. It was not until an hour later that the links were disabled.

    “My biggest concern would be that personal information of our son was at least momentarily available for anyone to get,” Wagner said. “If that’s the case, I want to make sure he has some form of identity protection in place so his information and our information remains secure.

    School district spokeswoman Tanya Arja said the glitch was a human coding error made by an outside contractor.

    “We take this incident very seriously,” Arja said. “As soon as we were notified of the inadvertent disclosure, we disabled the link.

    Reply
  22. Tomi Engdahl says:

    British Dental Association members targeted by hackers
    https://www.bbc.com/news/technology-53652254

    Dentists’ bank account numbers and correspondence with a trade body are feared to have been stolen by hackers.

    The British Dental Association has told its members that it is still not sure exactly what was accessed in a breach on 30 July.

    A spokeswoman told the BBC it was possible that information about patients was exposed, but was vague about the potential context.

    The BDA’s website has been offline since the attack.

    The BDA does not hold full patient records.

    “Owing to the sophistication of these criminals, we cannot, as yet, confirm the full extent of information that has been accessed,” he added in the email memo.

    Reply
  23. Tomi Engdahl says:

    Just not even surprised anymore… [https://www.bleepingcomputer.com/news/security/sans-infosec-training-org-suffers-data-breach-after-phishing-attack/](https://www.bleepingcomputer.com/news/security/sans-infosec-training-org-suffers-data-breach-after-phishing-attack/)

    Reply
  24. Tomi Engdahl says:

    10 billion records exposed in unsecured databases, study says
    https://www.welivesecurity.com/2020/07/30/10-billion-records-exposed-unsecured-databases/
    Researchers have found close to 10.5 billion pieces of consumer data
    that has been left sitting in almost 10,000 unsecured internet-facing
    databases hosted across 20 countries. The data is said to include
    email addresses, passwords, and phone numbers. The study was conducted
    by NordPass between June 2019 and June 2020 in cooperation with an
    unnamed white hat hacker, who scanned the web for Elasticsearch and
    MongoDB libraries in search of misconfigured databases.

    Reply
  25. Tomi Engdahl says:

    Leaky AWS S3 buckets are so common, they’re being found by the
    thousands now with lots of buried secrets
    https://www.theregister.com/2020/08/03/leaky_s3_buckets/
    Misconfigured AWS S3 storage buckets exposing massive amounts of data
    to the internet are like an unexploded bomb just waiting to go off,
    say experts. The team at Truffle Security said its automated search
    tools were able to stumble across some 4,000 open Amazon-hosted S3
    buckets that included data companies would not want public things
    like login credentials, security keys, and API keys.

    Reply
  26. Tomi Engdahl says:

    Ransomware gang publishes tens of GBs of internal data from LG and
    Xerox
    https://www.zdnet.com/article/ransomware-gang-publishes-tens-of-gbs-of-internal-data-from-lg-and-xerox/
    The operators of the Maze ransomware have published today tens of GB
    of internal data from the networks of enterprise business giants LG
    and Xerox following two failed extortion attempts. The hackers leaked
    50.2 GB they claim to have stolen from LG’s internal network, and 25.8
    GB of Xerox data. While LG issued a generic statement to ZDNet in
    June, neither company wanted to talk about the incident in great depth
    today.

    Reply
  27. Tomi Engdahl says:

    Hacker leaks passwords for 900+ enterprise VPN servers
    https://www.zdnet.com/article/hacker-leaks-passwords-for-900-enterprise-vpn-servers/
    A hacker has published today a list of plaintext usernames and
    passwords, along with IP addresses for more than 900 Pulse Secure VPN
    enterprise servers. ZDNet, which obtained a copy of this list with the
    help of threat intelligence firm KELA, verified its authenticity with
    multiple sources in the cyber-security community.

    Reply
  28. Tomi Engdahl says:

    Canon hit by Maze Ransomware attack, 10TB data allegedly stolen
    https://www.bleepingcomputer.com/news/security/canon-hit-by-maze-ransomware-attack-10tb-data-allegedly-stolen/
    Canon has suffered a ransomware attack that impacts numerous services,
    including Canon’s email, Microsoft Teams, USA website, and other
    internal applications. BleepingComputer has been tracking a suspicious
    outage on Canon’s image.canon cloud photo and video storage service
    resulting in the loss of data for users of their free 10GB storage
    feature. The image.canon site suffered an outage on July 30th, 2020,
    and over six days, the site would show status updates until it went
    back in service yesterday, August 4th.. Also:
    https://www.forbes.com/sites/daveywinder/2020/08/05/has-canon-suffered-a-ransomware-attack-10tb-of-data-alleged-stolen-report/

    Reply
  29. Tomi Engdahl says:

    Intel investigating breach after 20GB of internal documents leak
    online
    https://www.zdnet.com/article/intel-investigating-breach-after-20gb-of-internal-documents-leak-online/
    US chipmaker Intel is investigating a security breach after earlier
    today 20 GB of internal documents, with some marked “confidential” or
    “restricted secret,” were uploaded online on file-sharing site MEGA.
    The data was published by Till Kottmann, a Swiss software engineer,
    who said he received the files from an anonymous hacker who claimed to
    have breached Intel earlier this year.. Also:
    https://www.theregister.com/2020/08/06/intel_source_code_leak/

    Reply
  30. Tomi Engdahl says:

    Intel NDA blueprints 20GB of source code, schematics, specs, docs
    spill onto web from partners-only vault
    https://www.theregister.com/2020/08/06/intel_nda_source_code_leak/
    Updated Switzerland-based IT consultant Tillie Kottmann on Thursday
    published a trove of confidential Intel technical material, code, and
    documents related to various processors and chipsets. “They were given
    to me by an anonymous source who breached them earlier this year, more
    details about this will be published soon, ” Kottmann wrote on
    Twitter, suggesting someone had broken into Intel’s systems and
    siphoned off the material. More leaks of secret Intel documents are
    promised.. Read also:
    https://threatpost.com/hackers-dump-20gb-of-intels-confidential-data-online/158178/.
    As well as:
    https://arstechnica.com/information-technology/2020/08/intel-is-investigating-the-leak-of-20gb-of-its-source-code-and-private-data/

    Reply
  31. Tomi Engdahl says:

    Chinese Hackers Have Pillaged Taiwan’s Semiconductor Industry
    https://www.wired.com/story/chinese-hackers-taiwan-semiconductor-industry-skeleton-key/
    A campaign called Operation Skeleton Key has stolen source code,
    software development kits, chip designs, and more. Read also:
    https://www.zdnet.com/article/black-hat-hackers-are-now-using-cobalt-strike-and-skeleton-keys-to-target-semiconductor-firms/

    Reply
  32. Tomi Engdahl says:

    Blackbaud data breach: What you should know
    https://www.welivesecurity.com/2020/08/06/blackbaud-data-breach-what-you-should-know/
    Blackbaud, a cloud software company, disclosed that they had been the
    victim of an attempted ransomware attack. Between their cybersecurity
    team, a forensics expert and law enforcement it was successfully
    thwarted. Unfortunately, the perpetrator, before being locked out,
    copied a subset of data which they then offered to delete for an
    undisclosed sum of money. Blackbaud paid the ransom-to-delete and
    received confirmation the data had been destroyed. They claim to have
    taken this action because “protecting our customers’ data is our top
    priority”. Read also: https://www.blackbaud.com/securityincident

    Reply
  33. Tomi Engdahl says:

    An August 10 posting on a cybercrime forum says it is giving away stolen databases, containing a total of 240,000 records from the Utah Gun Exchange, for free. The same hacker is also offering two other smaller stolen databases, one from a hunting site and another from a “kratom” herb site, again with no payment required.

    Gun Owners Beware—Hacker Offers 240,000 Stolen Records On Crime Forum: Report
    https://www.forbes.com/sites/daveywinder/2020/08/15/gun-owners-beware-hacker-offers-240000-stolen-records-on-dark-web-report-utah-gun-exchange-amazon-cloud/

    A Bleeping Computer report has warned that users of a popular gun exchange site may have had their email addresses, usernames and passwords stolen.

    An August 10 posting on a cybercrime forum says it is giving away stolen databases, containing a total of 240,000 records from the Utah Gun Exchange, for free. The same hacker is also offering two other smaller stolen databases, one from a hunting site and another from a “kratom” herb site, again with no payment required.

    Reply
  34. Tomi Engdahl says:

    Hackers Stole 1 Terabyte Of Data From Billion-Dollar U.S. Liquor Maker
    https://www.forbes.com/sites/leemathews/2020/08/17/brown-forman-hacked-1tb-data-stolen/
    The REvil ransomware gang has struck again. This time the victim is
    Brown-Forman, the 150-year-old Kentucky-based company behind such
    brands as Jack Daniels, Finlandia vodka and Korbel champagne.. see
    also
    https://www.bleepingcomputer.com/news/security/us-spirits-and-wine-giant-hit-by-cyberattack-1tb-of-data-stolen/

    Reply
  35. Tomi Engdahl says:

    AI Company Leaks Over 2.5 Million Medical Records
    https://it.slashdot.org/story/20/08/18/2115229/ai-company-leaks-over-25-million-medical-records?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot%2Fto+%28%28Title%29Slashdot+%28rdf%29%29

    Report: AI Company Leaks Over 2.5M Medical Records
    https://www.pcmag.com/news/report-ai-company-leaks-over-25m-medical-records

    The leaked data relates to car accidents and includes names, insurance records, medical diagnosis notes, and payment records.

    Reply
  36. Tomi Engdahl says:

    UK class action style claim filed over Marriott data breach
    https://tcrn.ch/323NPYZ

    A class action style suit has been filed in the UK against hotel group Marriott International over a massive data breach that exposed the information of some 500 million guests around the world, including around 30 million residents of the European Union, between July 2014 and September 2018.

    Reply
  37. Tomi Engdahl says:

    LiveAuctioneers data breach: Millions of cracked passwords for sale, say researchers
    https://portswigger.net/daily-swig/liveauctioneers-data-breach-millions-of-cracked-passwords-for-sale-say-researchers

    LiveAuctioneers, an online antiques marketplace, has revealed that it suffered a data breach that security researchers have claimed includes the personal data and cracked passwords of millions of users.

    In a security alert published on Saturday (July 11), LiveAuctioneers said that “encrypted passwords” had been stolen along with names, email addresses, mailing addresses, and phone numbers.

    Reply
  38. Tomi Engdahl says:

    Free photos, graphics site Freepik discloses data breach impacting
    8.3m users
    https://www.zdnet.com/article/free-photos-graphics-site-freepik-discloses-data-breach-impacting-8-3m-users/
    Freepik, a website dedicated to providing access to high-quality free
    photos and design graphics, has disclosed today a major security
    breach. The company made it official after users started grumbling on
    social media this week about receiving shady-looking breach
    notification emails in their inboxes.. Also:
    https://www.bleepingcomputer.com/news/security/freepik-data-breach-hackers-stole-83m-records-via-sql-injection/

    Reply
  39. Tomi Engdahl says:

    Hackers Leak Alleged Internal Files of Chinese Social Media Monitoring
    Firms
    https://www.vice.com/en_us/article/dyzewz/hackers-leak-alleged-internal-files-of-chinese-social-media-monitoring-firms
    A group of hackers says they have obtained internal files from three
    Chinese social media monitoring companies. After leaking some of the
    documents, the group was banned by Twitter under its hacked files
    policy, however, Motherboard has been unable to confirm the
    authenticity of the documents.

    Reply
  40. Tomi Engdahl says:

    350 million decrypted email addresses left exposed on an unsecured
    server
    https://securityaffairs.co/wordpress/107604/data-breach/email-addresses-data-leak.html
    Experts found an unsecured data bucket containing seven gigabytes
    worth of unencrypted files that include 350, 000, 000 strings of
    unique email addresses. The timeline of uploads might indicate that
    these emails have been either stolen or acquired on the black market
    back in October 2018, and then gradually decrypted by the owner of the
    bucket. The unsecured bucket was located in the US and hosted on an
    Amazon S3 server that has been exposed for what seems to be at least
    an 18-month period.

    Reply
  41. Tomi Engdahl says:

    Warner Music Group finds hackers compromised its online stores
    https://www.bleepingcomputer.com/news/security/warner-music-group-finds-hackers-compromised-its-online-stores/
    Warner Music Group (WMG), the third-largest global music recording
    company, has disclosed a data breach affecting customers’ personal and
    financial information after several of its US-based e-commerce stores
    were hacked in April 2020 in what looks like a Magecart attack.

    Reply
  42. Tomi Engdahl says:

    A United Airlines website bug may have exposed about 100,000 customers’ ticket data, a new report claims
    https://www.businessinsider.com/united-airlines-website-bug-refund-data-2020-9

    A security flaw on United Airlines’ website allowed users to see other traveler’s ticket information, according to a report from TechCrunch.

    The flaw, on the page that lets users check the status of refunds, was found by an IT researcher who estimates that 100,000 users’ records were visible.

    United said that no sensitive user information was accessed improperly.

    United Airlines’ website bug exposed traveler ticket data
    http://social.techcrunch.com/2020/09/10/united-website-bug-tickets/

    A bug in United Airlines’ website let anyone access the ticket information for travelers who requested a refund.

    The airline’s website lets users check their refund status by entering their ticket number and last name. But the website wasn’t validating the last name, making it possible to access other travelers’ refund information by changing the ticket number.

    Reply
  43. Tomi Engdahl says:

    Razer Gaming Fans Caught Up in Data Leak
    https://threatpost.com/razer-gaming-fans-data-leak/159147/
    A cloud misconfiguration at the gaming-gear merchant potentially
    exposed 100,000 customers to phishing and fraud.

    Reply
  44. Tomi Engdahl says:

    Leaky server exposes users of dating site network
    https://www.zdnet.com/article/leaky-server-exposes-users-of-dating-site-network/
    Personal details of hundreds of thousands of dating site users were
    temporarily exposed online earlier this month.

    Reply
  45. Tomi Engdahl says:

    A bug in Joe Biden’s campaign app gave anyone access to millions of voter files
    The bug is now fixed.

    https://techcrunch.com/2020/09/14/biden-app-voter-files/?tpcc=ECFB2020

    Reply

Leave a Comment

Your email address will not be published. Required fields are marked *

*

*