Cyber breaches abound in 2019
https://techcrunch.com/2018/12/26/cyber-breaches-abound-in-2019/
News of high-profile cyber breaches has been uncharacteristically subdued in recent quarters.
Is this a harbinger of a worse hacking landscape in 2019?
The answer is unequivocally yes. Cyber breaches have been a gigantic thorn in the side of the global economy for years, but expect them to be even more rampant in 2019: steadily improving malware will be deployed more aggressively on more fronts, while data-driven businesses move further into the target zone of cyber attacks.
On the cybersecurity side, a growing number of experts believe that multi-factor authentication will become the standard for all online businesses.
Here are links to some articles that will hopefully help you handle your cyber security better:
Cybersecurity 101: Why you need to use a password manager
https://techcrunch.com/2018/12/25/cybersecurity-101-guide-password-manager/
Cybersecurity 101: Five simple security guides for protecting your privacy
https://techcrunch.com/2018/12/26/cybersecurity-101-security-guides-protect-privacy/
622 Comments
Tomi Engdahl says:
China database lists ‘breedready’ status of 1.8 million women
https://www.theguardian.com/world/2019/mar/11/china-database-lists-breedready-status-of-18-million-women
Dutch researcher finds cache of information including phone numbers, addresses and ages
Tomi Engdahl says:
Facebook’s Data Deals Are Under Criminal Investigation
https://www.nytimes.com/2019/03/13/technology/facebook-data-deals-investigation.html#click=https://t.co/q4p5Ubs8FE
Federal prosecutors are conducting a criminal investigation into data deals Facebook struck with some of the world’s largest technology companies, intensifying scrutiny of the social media giant’s business practices as it seeks to rebound from a year of scandal and setbacks.
Facebook was already facing scrutiny by the Federal Trade Commission and the Securities and Exchange Commission. And the Justice Department’s securities fraud unit began investigating it after reports that Cambridge Analytica, a political consulting firm, had improperly obtained the Facebook data of 87 million people and used it to build tools that helped President Trump’s election campaign.
Tomi Engdahl says:
Colin Lecher / The Verge:
ACLU releases documents showing ICE lets over 9,200 employees access a controversial license plate database with little oversight — The ACLU published the emails today — Immigration and Customs Enforcement allows thousands of employees to access a controversial license plate database …
Thousands of ICE employees can access license plate reader data, emails show
The ACLU published the emails today
https://www.theverge.com/2019/3/13/18262141/ice-license-plate-reader-database-aclu-emails
Tomi Engdahl says:
Adam Vaughan / New Scientist:
FamilyTreeDNA will let users block law enforcement from accessing data after report found the company gave the FBI access; EU users are automatically opted out — One of the biggest home DNA-testing companies seems to have bowed to a backlash over its decision to allow the FBI access to its database …
Home DNA-testing firm will let users block FBI access to their data
https://www.newscientist.com/article/2196433-home-dna-testing-firm-will-let-users-block-fbi-access-to-their-data/
Tomi Engdahl says:
Report – Gearbest Hack: Hundreds of Thousands Affected Daily by Huge Data Breach
https://www.vpnmentor.com/blog/gearbest-hack/
VPNMentor’s research team discovered a major security breach in Gearbest.
With hundreds of thousands of sales every day, Gearbest is a highly successful Chinese e-commerce company.
vpnMentor can exclusively reveal that Gearbest’s database is completely unsecured – as are those belonging to its sister companies.
Our hackers could access different parts of Gearbest’s database, including:
Orders database
Data includes products purchased; shipping address and postcode; customer name; email address; phone number
Payments and invoices database
Data includes order number; payment type; payment information; email address; name; IP address
Members database
Data includes name; address; date of birth; phone number; email address; IP address; national ID and passport information; account passwords
We accessed these databases in March 2019, and discovered 1.5+ million records.
Tomi Engdahl says:
Report – Dalil Data Breach: 5+ Million Users’ Data Exposed by Unsecured App
https://www.vpnmentor.com/blog/dalil-data-breach/
Dalil is the biggest phone directory in Saudi Arabia.
With more than 5 million downloads, Dalil is the 13th most popular communications app in the Kingdom. For context, this is where Viber and Telegram rank in the US. 96% of its users are in Saudi Arabia; the remainder are in Egypt and other Arab countries.
Dalil’s Database is Unsecured
However suspicious some permissions may seem, they are not the root cause of Dalil’s security issues.
All the user data gathered by the app is stored in an unsecured and unmonitored MongoDB database. It’s reachable without authentication, giving hackers password-free access to millions of people’s data.
As well as the application log, this database includes both harvested and voluntarily-submitted personal information.
Tomi Engdahl says:
Gearbest security lapse exposed millions of shopping orders
https://techcrunch.com/2019/03/14/gearbest-orders-exposed/
Tomi Engdahl says:
Ad Network Sizmek Probes Account Breach
https://krebsonsecurity.com/2019/03/ad-network-sizmek-probes-account-breach/
Online advertising firm Sizmek Inc. [NASDAQ: SZMK] says it is investigating a security incident in which a hacker was reselling access to a user account with the ability to modify ads and analytics for a number of big-name advertisers.
In a recent posting to a Russian-language cybercrime forum, an individual who’s been known to sell access to hacked online accounts kicked off an auction for “the admin panel of a big American ad platform.”
Tomi Engdahl says:
Zack Whittaker / TechCrunch:
Researchers find unsecured database of Chinese online shopping giant Gearbest exposing 1.5M+ records, including customer data, orders, and payments
Gearbest security lapse exposed millions of shopping orders
https://techcrunch.com/2019/03/14/gearbest-orders-exposed/
Tomi Engdahl says:
Ransomware Attack on Vendor Affects 600,000
Healthcare Billing Services Vendor Notifying Individuals of Potential Data Exposure
https://www.inforisktoday.com/ransomware-attack-on-vendor-affects-600000-a-12164
A ransomware attack last fall on a company that provides billing and other business services to health plans and hospitals resulted in a breach affecting more than 600,000 individuals, according to Michigan state officials.
The incident highlights the difficulty some organizations have in determining whether to report ransomware attacks as breaches to comply with the HIPAA Breach Notification Rule.
More than 600,000 Michigan residents may have had their information compromised in the breach at Detroit-based Wolverine Solutions Group, according to a statement from Michigan Attorney General Dana Nessel and Anita Fox, director of the state’s department of insurance and financial services.
Tomi Engdahl says:
Zack Whittaker / TechCrunch:
Medical records management software provider Meditab had an unsecured fax server, leaking thousands of faxes, with info like doctor’s notes on patients, daily
A huge trove of medical records and prescriptions found exposed
Thousands of health records and doctor’s notes were exposed daily
https://techcrunch.com/2019/03/17/medical-health-data-leak/
A health tech company was leaking thousands of doctor’s notes, medical records, and prescriptions daily after a security lapse left a server without a password.
The little-known software company, California-based Meditab, bills itself as one of the leading electronic medical records software makers for hospitals, doctor’s offices, and pharmacies. The company, among other things, processes electronic faxes for healthcare providers, still a primary method for sharing patient files to other providers and pharmacies.
But that fax server wasn’t properly secured, according to the security company that discovered the data.
Tomi Engdahl says:
Fourth Major Credential Spill in a Month Hits DreamMarket
https://threatpost.com/fourth-credential-spill-dreammarket/142901/
Gnosticplayers has released about 26 million records from what he said are breaches of six new companies.
The hacker behind more than 840 million account records appearing for sale on the Dark Web in February (in dumps collectively known as Collections 1-3) is back with 26.42 million more records from six companies.
The adversary, who goes by the handle Gnosticplayers, is asking just 1.2431 Bitcoin (roughly $4,940), according to ZDNet, which spotted the records for sale on DreamMarket over the weekend.
Tomi Engdahl says:
HERE’S WHAT IT’S LIKE TO ACCIDENTALLY EXPOSE THE DATA OF 230M PEOPLE
https://www.wired.com/story/exactis-data-leak-fallout/
STEVE HARDIGREE HADN’T even gotten to the office yet and his day was already a waking nightmare.
As he Googled his company’s name that morning last June, Hardigree found a growing list of headlines pointing to the 10-person marketing firm he’d founded three years earlier, Exactis, as the source of a leak of the personal records of nearly everyone in the United States.
Using the scanning tool Shodan, Troia identified a misconfigured Amazon ElasticSearch server that contained the database, and then downloaded it. There he found 230 million personal records and another 110 million related to businesses—more than two terabytes of information in total.
MARKETING FIRM EXACTIS LEAKED A PERSONAL INFO DATABASE WITH 340 MILLION RECORDS
https://www.wired.com/story/exactis-database-leak-340-million-records/
YOU’VE PROBABLY NEVER heard of the marketing and data aggregation firm Exactis. But it may well have heard of you. And now there’s also a good chance that whatever information the company has about you, it recently leaked onto the public internet, available to any hacker who simply knew where to look.
Earlier this month, security researcher Vinny Troia discovered that Exactis, a data broker based in Palm Coast, Florida, had exposed a database that contained close to 340 million individual records on a publicly accessible server. The haul comprises close to 2 terabytes of data that appears to include personal information on hundreds of millions of American adults, as well as millions of businesses.
Tomi Engdahl says:
E-Commerce Company Gearbest Leaked User Information
https://www.securityweek.com/e-commerce-company-gearbest-leaked-user-information
Chinese e-commerce company Gearbest has failed to properly secure some of its databases, thus leaking users’ personally identifiable information (PII), VPNMentor’s researchers have discovered. Gearbest has downplayed the impact of the incident, which it has blamed on an error made by a member of its security team.
Highly successful, Gearbest sells electronics and appliances, clothing, accessories, and homeware. Owned by Chinese conglomerate Globalegrow, the company ships to most countries around the world and operates several internationally successful sites.
Tomi Engdahl says:
Round 4 — Hacker Puts 26 Million New Accounts Up For Sale On Dark Web
https://thehackernews.com/2019/03/data-breach-security.html
A hacker who was selling details of nearly 890 million online accounts stolen from 32 popular websites in three separate rounds has now put up a fourth batch of millions of records originating from 6 other sites for sale on the dark web.
Tomi Engdahl says:
257K Legal Documents Leaked By Unprotected Elasticsearch Server
https://www.bleepingcomputer.com/news/security/257k-legal-documents-leaked-by-unprotected-elasticsearch-server/
An unprotected 4.7 GB Elasticsearch cluster found on a US-based Amazon AWS server exposed 257,287 sensitive legal documents that came with a “not designated for publication” label.
Security researcher Bob Diachenko who discovered the passwordless Elasticsearch server told BleepingComputer that he “analyzed 250-sampled extract, docs are compiled based on ‘type’ (which is ‘opinion’). Cases are from the 2002-2010 era, from all over the United States.”
The exposed database of legal documents was uncovered as part of a greater scale initiative designed to discover misconfigured NoSQL databases (i.e., MongoDB, CouchDB, Elasticsearch) and report the findings to the organizations responsible to secure them.
Tomi Engdahl says:
Education and Science Giant Elsevier Left Users’ Passwords Exposed Online
Due to a misconfigured server, a researcher found a constant stream of Elsevier users’ passwords.
https://motherboard.vice.com/en_us/article/vbw8b9/elsevier-user-passwords-exposed-online
Elsevier, the company behind scientific journals such as The Lancet, left a server open to the public internet, exposing user email addresses and passwords. The impacted users include people from universities and educational institutions from across the world.
It’s not entirely clear how long the server was exposed or how many accounts were impacted, but it provided a rolling list of passwords as well as password reset links when a user requested to change their login credentials.
“Most users are .edu [educational institute] accounts, either students or teachers,” Mossab Hussein, chief security officer at cybersecurity company SpiderSilk who found the issue, told Motherboard in an online chat. “They could be using the same password for their emails, iCloud, etc.”
Elsevier is controversial, after acquiring a number of platforms that distributed academic material for free. Profit-driven Elsevier’s legal threats against other sites that openly host millions of scientific papers have forced them to go into the digital underground, and distribute their material with the protection of the Tor anonymity network. Some universities have boycotted Elsevier.
Tomi Engdahl says:
Kaiser Health News:
Report: US has spent $36B digitizing health records, which has risked patient safety with thousands of reports of deaths and injuries tied to software glitches
Death By 1,000 Clicks: Where Electronic Health Records Went Wrong
https://khn.org/news/death-by-a-thousand-clicks/
The U.S. government claimed that turning American medical charts into electronic records would make health care better, safer, and cheaper. Ten years and $36 billion later, the system is an unholy mess. Inside a digital revolution that took a bad turn.
Tomi Engdahl says:
Consumers May Lose Sleep Over These Two New Magecart Breaches
https://www.riskiq.com/blog/labs/magecart-mypillow-amerisleep/
We’ve now seen Magecart conduct numerous high-profile digital credit card-skimming attacks against major international companies to win unprecedented attention. Alongside British Airways, these attacks affected other brand names like Ticketmaster and Newegg.
In this blog, we’ll document two Magecart-related breaches against bedding retailers MyPillow and Amerisleep. One has been resolved but was never disclosed,
Tomi Engdahl says:
Facebook Stored Passwords of Hundreds of Millions Users in Plain Text
https://www.securityweek.com/facebook-stored-passwords-hundreds-millions-users-plain-text
Facebook today admitted to having stored the passwords of hundreds of millions of its users in plain text, including the passwords of Facebook Lite, Facebook, and Instagram users.
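The comment above describes passwords reaching internal storage and logs in plain text. As an added example (not Facebook's code and not from any article linked on this page), the Python block below shows the two controls that prevent that class of exposure: a salted, iterated hash so the stored record never contains the password, and a log scrubber so request bodies do not carry credentials into log pipelines. The function names, the record format and the iteration count are this example's own choices.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Added example; parameters and record layout are illustrative, not any vendor's.
ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor (OWASP's 2023 guidance)
SALT_BYTES = 16

# Request/form field names whose values must never reach a log line.
SENSITIVE_FIELDS = {"password", "passwd", "new_password", "old_password",
                    "password_confirmation"}


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm, work factor, salt, digest.

    The password itself is not recoverable from the record; a fresh random
    salt per user means equal passwords give different records.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (ITERATIONS, salt.hex(), digest.hex())


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the record's own salt and work factor and
    compare in constant time (hmac.compare_digest), so timing does not leak
    how many leading bytes matched."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unknown password record format")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def redact_for_log(fields: Dict[str, str]) -> Dict[str, str]:
    """Scrub credential fields before a request body is written to any log.

    Plaintext passwords in logs is exactly how they end up readable by
    thousands of employees; apply this at the logging boundary, not ad hoc.
    """
    return {k: ("[REDACTED]" if k.lower() in SENSITIVE_FIELDS else v)
            for k, v in fields.items()}


if __name__ == "__main__":
    # Constructed sample login request, not real data.
    login = {"email": "alice@example.invalid", "password": "correct horse battery staple"}
    record = hash_password(login["password"])
    print("stored record:", record)
    print("verify ok:", verify_password(login["password"], record))
    print("verify bad:", verify_password("wrong password", record))
    print("logged as:", redact_for_log(login))
```

The record is stored in place of the password; the only way to check a login is to recompute the digest, which is what makes a leaked database far less useful than a leaked plaintext table.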
Tomi Engdahl says:
Lorenzo Franceschi-Bicchierai / Motherboard:
A consumer spyware vendor has left a server with 95K+ images and 25K+ audio recordings exposed, and has not fixed the leak yet, despite being warned weeks ago
This Spyware Data Leak Is So Bad We Can’t Even Tell You About It
https://motherboard.vice.com/en_us/article/j573k3/spyware-data-leak-pictures-audio-recordings
A consumer spyware vendor left a lot of incredibly sensitive and private data, including intimate pictures and private call recordings, for all to see on a server freely accessible over the internet. And it still hasn’t taken the data down.
A company that sells consumer-grade software that lets customers spy on other people’s calls, messages, and anything they do on their cell phones left more than 95,000 images and more than 25,000 audio recordings on a database exposed and publicly accessible to anyone on the internet. The exposed server contains two folders with everything from intimate pictures to recordings of phone calls, given that the app markets itself mostly to parents.
This breach is just the latest in a seemingly endless series of exposures or leaks of incredibly sensitive data collected by companies that promise to provide services for parents to keep children safe, monitor employees, or spy on spouses. In the last two years, there have been 12 stalkerware companies that have either been breached or left data exposed online: Retina-X (twice), FlexiSpy, Mobistealth, Spy Master Pro, SpyHuman, Spyfone, TheTruthSpy, Family Orbit, mSpy, Copy9, and Xnore.
Tomi Engdahl says:
Over 20,000 Facebook employees had access to 600 million user passwords
https://www.engadget.com/2019/03/21/facebook-user-passwords-plain-text/?sr_source=Facebook&fbclid=IwAR2yAnc826Zaz_ECjms2WFK27tm7wtXb_gFCIIJZSf4t0vNKEyDQSDd0vqI&guccounter=1
It will notify hundreds of millions of users after discovering credentials were stored in plain text.
Tomi Engdahl says:
A family tracking app was leaking real-time location data
https://techcrunch.com/2019/03/23/family-tracking-location-leak/
A popular family tracking app was leaking the real-time locations of more than 238,000 users for weeks after the developer left a server exposed without a password.
The app, Family Locator, built by Australia-based software house React Apps, allows families to track each other in real-time.
The backend MongoDB database was left unprotected and accessible by anyone who knew where to look.
Based on a review of the database, each account record contained a user’s name, email address, profile photo and their plaintext passwords. Each account also kept a record of their own and other family members’ real-time locations precise to just a few feet. Any user who had a geofence set up also had those coordinates stored in the database, along with what the user called them — such as “home” or “work.”
None of the data was encrypted.
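The Dalil comment earlier on this page and the Family Locator comment above describe the same failure: a MongoDB instance listening on a public interface with authorization disabled. As an added example (not code from either vendor or from any article linked here), the Python block below audits a mongod.conf for exactly that combination. It parses only the two-level `section:` / `  key: value` subset that mongod.conf uses, and the two sample configurations are constructed for the example.

```python
import re
from typing import Dict, List

# Addresses on which a listener is reachable only from the host itself.
LOOPBACK = {"127.0.0.1", "localhost", "::1"}

# Constructed sample: the shape of a pre-3.6-era deployment left open to the internet.
EXPOSED_CONF = """\
# mongod.conf (constructed sample)
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0
# no security section: authorization is disabled by default
"""

# Constructed sample: loopback only, access control enabled.
HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1,::1
security:
  authorization: enabled
"""


def parse_mongod_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the two-level YAML subset mongod.conf uses. Not a general YAML parser."""
    conf: Dict[str, Dict[str, str]] = {}
    section = ""
    for raw in text.splitlines():
        line = re.sub(r"(^|\s)#.*$", "", raw).rstrip()  # drop comments
        if not line.strip():
            continue
        key, _, value = line.strip().partition(":")
        if not raw.startswith((" ", "\t")):
            section = key.strip()              # top level: "net:", "security:" ...
            conf.setdefault(section, {})
        else:
            conf.setdefault(section, {})[key.strip()] = value.strip().strip("'\"")
    return conf


def audit_mongod_conf(text: str) -> List[str]:
    """Return human-readable findings; an empty list means no exposure was found."""
    conf = parse_mongod_conf(text)
    net = conf.get("net", {})
    sec = conf.get("security", {})
    findings: List[str] = []

    auth_enabled = sec.get("authorization", "disabled").lower() == "enabled"
    if not auth_enabled:
        findings.append("security.authorization is not 'enabled' (the default): "
                        "any client that reaches the port can read and write every database")

    reachable = False
    if net.get("bindIpAll", "false").lower() == "true":
        findings.append("net.bindIpAll is true: mongod listens on every interface")
        reachable = True
    elif "bindIp" not in net:
        findings.append("net.bindIp is unset: confirm the version, mongod before 3.6 "
                        "listened on all interfaces by default")
        reachable = True
    else:
        exposed = {a.strip() for a in net["bindIp"].split(",")} - LOOPBACK
        if exposed:
            findings.append("net.bindIp includes non-loopback address(es): "
                            + ", ".join(sorted(exposed)))
            reachable = True

    if reachable and not auth_enabled:
        findings.append("CRITICAL: network-reachable and unauthenticated, the combination "
                        "behind the Dalil and Family Locator exposures")
    return findings


if __name__ == "__main__":
    for name, conf in (("exposed", EXPOSED_CONF), ("hardened", HARDENED_CONF)):
        print(name + ":")
        for finding in audit_mongod_conf(conf) or ["no findings"]:
            print("  -", finding)
```

A bind address on a non-loopback interface is acceptable on its own only with authorization enabled and a network policy in front of the port; the audit reports the two settings separately and escalates only when both are wrong, which is the state every one of the MongoDB exposures on this page was found in.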
Tomi Engdahl says:
https://www.wired.com/story/fema-leaked-the-data-2-million-disaster-survivors/?utm_source=twitter&utm_medium=social&utm_social-type=owned&utm_campaign=wired&mbid=social_twitter&utm_brand=wired
Tomi Engdahl says:
Washington Post:
DHS watchdog report says FEMA exposed personal info of ~2.3M US disaster survivors, including some personal addresses and banking info, to a federal contractor
FEMA ‘major privacy incident’ reveals data from 2.5 million disaster survivors
https://www.washingtonpost.com/national/health-science/fema-data-breach-hits-25-million-disaster-survivors/2019/03/22/3e2c6232-4cec-11e9-93d0-64dbcf38ba41_story.html?utm_term=.9c278e0ea024
The Federal Emergency Management Agency shared personal addresses and banking information of more than 2 million U.S. disaster survivors in what the agency acknowledged Friday was a “major privacy incident.”
The data mishap, discovered recently and the subject of a report by the Department of Homeland Security’s Office of Inspector General, occurred when the agency shared sensitive, personally identifiable information of disaster survivors who used FEMA’S Transitional Sheltering Assistance program, according to officials at FEMA. Those affected included the victims of California wildfires in 2017 and Hurricanes Harvey, Irma and Maria, the report said.
In a statement, Lizzie Litzow, FEMA’s press secretary, said, “FEMA provided more information than was necessary” while transferring disaster survivor information to a contractor.
Tomi Engdahl says:
Industry Reactions to Norsk Hydro Breach: Feedback Friday
https://www.securityweek.com/industry-reactions-norsk-hydro-breach-feedback-friday
Norwegian aluminum giant Norsk Hydro has been hit by a serious ransomware attack that caused disruptions at some of its plants and forced the company to turn to manual processes to fulfill customer orders.
The attack appears to have involved file-encrypting ransomware known as LockerGoga. However, Norsk Hydro claims it has good backups in place that should help it restore compromised files without having to pay the ransom.
Cybersecurity expert Kevin Beaumont (blog post on his thoughts and analysis of the attack):
“Hydro started the best incident representation response plan I’ve ever seen — they had a temporary website up, they told the press, they told their staff, they apparently didn’t hide any details — they even had daily webcasts with the most senior staff talking through what was happening, and answering questions.
In contrast to some other incidents, their stock price actually went up — despite a difficult trading period for the past 2 years involving some major business setbacks, they have actually gained in value.
Ray Walsh, digital privacy expert, BestVPN.com:
“The surge in the price of aluminum since the cyber attack on the Norwegian producer Norsk Hydro is a stark reminder of the possible ramifications of targeted cyber attacks. Anytime that a large firm has a strong direct influence on the production of a material, it is possible that a large attack of this nature could disrupt distribution levels and therefore affect prices.
Malcolm Taylor, Director Cyber Advisory, ITC Secure:
“Supply chain risk through cyberattack has come to the fore recently. Not, I believe, because it’s become a greater issue or because of attacks like this which are highlighting it, but simply because there is a growing understanding of the inter-connected nature of modern commercial activity and just in time production, and crucially how empowered that is by technology. It may also be a factor, though I think sadly a smaller one, that as firms mature their cyber security, they have the wherewithal, in terms of understanding, time and budget, to begin to get to grips with the problem of their suppliers, which has made the issue gain prominence.
Tyler Moffitt, Security Analyst, Webroot:
“LockerGoga is a new ransomware variant that appears to be targeting European companies. So far, the notable victims have been Altran in France on Jan. 25 and Norsk Hydro in Norway in the past 24 hours. The encryption process used by LockerGoga is slow because it creates a new process each time it encrypts a new file and also exhibits no detection evasion techniques, showing a lack of sophistication. LockerGoga was signed using a valid Digital Certificate which has since been revoked.”
Dean Weber, CTO, Mocana:
“The Norsk Hydro attack goes to show that the reliance of operational technology (OT) systems on information technology (IT) platforms means that any attack is likely to impact both in industrial environments. By targeting and disabling IT systems, adversaries are able to cause a variety of subsequent issues affecting OT input/output, storage, data recorders, ICS/SCADA platforms and more. Why is the impact so widespread? Professionals are forced to disconnect IT systems for either protection purposes or for remediation activities.
Tomi Engdahl says:
Watchdog: FEMA Wrongly Released Personal Data of Victims
https://www.securityweek.com/watchdog-fema-wrongly-released-personal-data-victims
The Federal Emergency Management Agency wrongly released to a contractor the personal information of 2.3 million survivors of devastating 2017 hurricanes and wildfires, potentially exposing the victims to identity fraud and theft, a government watchdog reported Friday.
Tomi Engdahl says:
Glitch Exposes the Passwords of Roughly Half Billion Facebook and Instagram Users
https://www.pandasecurity.com/mediacenter/social-media/glitch-facebook-instagram/
Facebook exposed millions of user passwords to employees
https://www.welivesecurity.com/2019/03/22/facebook-exposed-millions-passwords-employees/
The social network says that the passwords were never exposed externally and that it found no abuse of the glitch
Tomi Engdahl says:
Facebook stored millions of passwords in plain text
By Sead Fadilpašić, 2019-03-22T12:30:09Z
https://www.itproportal.com/news/facebook-stored-millions-of-passwords-in-plain-text/
Facebook employees have had access to the database, but apparently have not abused it.
Tomi Engdahl says:
Nokia phones may have breached user data
And may have sent it to the Chinese.
https://www.itproportal.com/news/nokia-phones-may-have-breached-user-data/
Reports are coming in that a certain Nokia phone model may have leaked personal information to a Chinese server, and Finnish authorities are moving in to investigate.
The news was confirmed by Reuters recently, which confirmed that Finland’s data protection ombudsman would investigate the matter.
Ombudsman Reijo Aarnio told Reuters he’d look into any potential breaches that involved “personal information and if there has been a legal justification for this.”
According to local media, the device in question is the Nokia 7 Plus. The company that makes these phones, HMD Global, said that an “unspecified number” of these devices sent data to a Chinese server.
Nokia, the company, didn’t want to comment.
NRK’s revelations continue: in addition to the Nokia 2 and 7 Plus models, two other models also carry an app that forwards data to China
https://yle.fi/uutiset/3-10701507
According to a private individual, the Nokia 2 phone model had been forwarding data to a Chinese server for at least nine months. NRK also tested two other Nokia phones and found in them almost the same app as in the 7 Plus model.
Tomi Engdahl says:
Family tracking app leaked real-time location data for weeks
It would have let intruders spy on a child’s whereabouts.
https://www.engadget.com/2019/03/24/family-tracking-app-leaked-real-time-location-data/
Family tracking apps can be very helpful if you’re worried about your kids or spouse, but they can be nightmarish if that data falls into the wrong hands. Security researcher Sanyam Jain has revealed to TechCrunch that React Apps’ Family Locator left real-time location data (plus other sensitive personal info) for over 238,000 people exposed for weeks in an insecure database. It showed positions within a few feet, and even showed the names for the geofenced areas used to provide alerts. You could tell if parents left home or a child arrived at school, for instance.
Tomi Engdahl says:
Two Finnish services breached – over 300,000 users urged to change their password
https://www.is.fi/digitoday/tietoturva/art-2000006044515.html
The Taloyhtio.Info and Tallier.Info services have been the target of a data breach. The intruders, who got into the servers of Nebula, owned by telecom operator Telia, may have obtained users’ email addresses, names and passwords.
Tomi Engdahl says:
https://www.tivi.fi/Kaikki_uutiset/suomalaispalveluun-tehtiin-tietomurto-yli-300-000-kayttajaa-suositellaan-vaihtamaan-salasanansa-6761887
The Taloyhtio.info service, which makes life easier for residents of housing companies, has suffered a data breach. The details are still mostly unclear, but all users are advised to change their password.
Tomi Engdahl says:
Over 100,000 GitHub repos have leaked API or cryptographic keys
Thousands of new API or cryptographic keys leak via GitHub projects every day.
https://www.zdnet.com/article/over-100000-github-repos-have-leaked-api-or-cryptographic-keys/
A scan of billions of files from 13 percent of all GitHub public repositories over a period of six months has revealed that over 100,000 repos have leaked API tokens and cryptographic keys, with thousands of new repositories leaking new secrets on a daily basis.
Tomi Engdahl says:
2 Million Emails of 350K+ Clients Possibly Exposed in Oregon DHS Data Breach
https://www.bleepingcomputer.com/news/security/2-million-emails-of-350k-clients-possibly-exposed-in-oregon-dhs-data-breach/
The Oregon Department of Human Services (DHS) announced that roughly 2 million emails with Protected Health Information (PHI) from more than 350,000 customers have been potentially exposed after 9 employee mailboxes were compromised in a spear phishing attack.
According to the Oregon DHS, its Enterprise Security Office Cyber Security team was the one which determined that the email boxes were breached on January 28, 2019.
Tomi Engdahl says:
Unnamed stalkerware company has left gigabytes of sensitive personal info unprotected on the web and can’t be reached to fix it
https://boingboing.net/2019/03/22/jfc-srsly-jfc.html
Security researcher Cian Heasley discovered an unprotected online storage folder accessible via the web that contains all the data that stalkers and snoops took from their victims’ devices via a commercial program that steals photos and recordings from their devices.
Included in the leak are 3.7GB of MP3 recordings (25,000 in total) of personal phone calls and 16GB of images (95,000 in total), including very sensitive and personal images.
Both Heasley and Motherboard have repeatedly contacted the stalkerware company to alert them to the breach, but they have not received a response, despite multiple attempts. Out of an abundance of caution, Motherboard has not named the company while its customers’ victims’ data is exposed.
Tomi Engdahl says:
Mar 19
Facebook Stored Hundreds of Millions of User Passwords in Plain Text for Years
https://krebsonsecurity.com/2019/03/facebook-stored-hundreds-of-millions-of-user-passwords-in-plain-text-for-years/
Tomi Engdahl says:
http://www.etn.fi/index.php/13-news/9269-datavuoto-on-nokialle-iso-imagotappio
Tomi Engdahl says:
Asus was warned of hacking risks months ago, thanks to leaky passwords
https://techcrunch.com/2019/03/27/asus-hacking-risk/
A security researcher warned Asus two months ago that employees were improperly publishing passwords in their GitHub repositories that could be used to access the company’s corporate network.
“Companies have no clue what their programmers do with their code on GitHub,” said the researcher.
Granted, this isn’t an issue limited to Asus. Other companies have been put at risk by exposed and leaked credentials or hardcoded secret keys. Last week, academics found more than 100,000 public repos storing cryptographic keys and other secrets.
Tomi Engdahl says:
How Bad Can It Git? Characterizing Secret Leakage in Public GitHub Repositories
https://www.ndss-symposium.org/ndss-paper/how-bad-can-it-git-characterizing-secret-leakage-in-public-github-repositories/
Tomi Engdahl says:
Zack Whittaker / TechCrunch:
Rela, a popular Chinese lesbian dating app, exposed data on 5M users, including dates of birth, height and weight, and sexual preferences, since June 2018
Rela, a Chinese lesbian dating app, exposed 5 million user profiles
https://techcrunch.com/2019/03/27/rela-data-exposed/
Rela (热拉), a popular dating app for gay and queer women, has exposed millions of user profiles and private data because a server wasn’t protected with a password.
Victor Gevers, a security researcher at the GDI Foundation, found the exposed database this week, he told TechCrunch, containing more than 5.3 million app users.
It’s believed the database had been exposed since June 2018.
“The privacy of five-plus million LGBTQ+ people face a lot of social challenges in China because there are no laws protecting them from discrimination,” said Gevers. “This data leak that has been open for years makes it even more damaging for the people involved who were exposed.”
Tomi Engdahl says:
How Bad Can It Git? Characterizing Secret Leakage in Public GitHub Repositories
https://www.ndss-symposium.org/ndss-paper/how-bad-can-it-git-characterizing-secret-leakage-in-public-github-repositories/
GitHub and similar platforms have made public collaborative development of software commonplace. However, a problem arises when this public code must manage authentication secrets, such as API keys or cryptographic secrets. These secrets must be kept private for security, yet common development practices like adding these secrets to code make accidental leakage frequent.
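The Asus comment and this paper both come down to the same defect: credentials and keys committed alongside code. As an added example that is not from the thread, the paper, or any project named here, a minimal secret scanner of the kind a team would run as a pre-commit hook; the regexes, the entropy threshold and the sample file are constructed assumptions.

```python
import math
import re

# Signature patterns for common secret types (assumed set, not from the paper).
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "hardcoded_password": re.compile(r"(?i)\b(?:password|passwd|pwd)\s*[=:]\s*['\"]([^'\"]{6,})['\"]"),
}
# Generic API tokens have no fixed prefix; catch long quoted strings by entropy.
TOKEN_RE = re.compile(r"['\"]([A-Za-z0-9+/_\-]{20,})['\"]")
ENTROPY_THRESHOLD = 4.0  # bits per character; tuning assumption

def shannon_entropy(s):
    """Shannon entropy in bits per character of the string s."""
    freq = {}
    for ch in s:
        freq[ch] = freq.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in freq.values())

def scan_text(text):
    """Return (line_number, finding_type) for every suspicious line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        matched = [name for name, rx in PATTERNS.items() if rx.search(line)]
        for name in matched:
            findings.append((lineno, name))
        if matched:
            continue  # do not double-report a line already flagged by signature
        for m in TOKEN_RE.finditer(line):
            if shannon_entropy(m.group(1)) >= ENTROPY_THRESHOLD:
                findings.append((lineno, "high_entropy_string"))
    return findings

# Constructed sample config; none of these values are real credentials.
SAMPLE = """\
# constructed sample config, not real credentials
DB_HOST = "db.internal.example"
AWS_ACCESS_KEY_ID = "AKIAEXAMPLEEXAMPLE12"
password = "hunter2"
api_token = "q7Zp3xK9mL2vN8rT4wY6bH1cJ5dF0gSE"
-----BEGIN RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    for lineno, kind in scan_text(SAMPLE):
        print(f"line {lineno}: {kind}")
```

A hook that refuses the commit when `scan_text` returns anything stops most of the accidental leakage the paper measures; the entropy rule also produces false positives on hashes and base64 blobs, so an allow-list is usually needed.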
Tomi Engdahl says:
Nearly a Billion People’s Private Data Leaked in ‘BIGGEST BREACH’
https://sputniknews.com/amp/business/201903291073670978-biggest-breach-private-data-leaked/?__twitter_impression=true
The breach was spotted accidentally when a security expert logged into an “email validation” firm’s website, and, having passed the verification stage, woke up to the fact that he had gained access to unknown people’s personal details.
Security researchers have discovered that the email addresses of roughly 982 million people have been leaked.
While it is not yet known whether the breached data was accessed by any criminals, there is one positive thing about the whole matter: no passwords or credit card details were leaked on the database.
800+ Million Emails Leaked Online by Email Verification Service
https://www.linkedin.com/pulse/800-million-emails-leaked-online-email-verification-bob-diachenko
On February 25th, 2019, I discovered a non-password protected 150GB-sized MongoDB instance. This is perhaps the biggest and most comprehensive email database I have ever reported. Upon verification I was shocked at the massive number of emails that were publicly accessible for anyone with an internet connection.
Tomi Engdahl says:
https://haveibeenpwned.com/PwnedWebsites#VerificationsIO
Verifications.io
In February 2019, the email address validation service verifications.io suffered a data breach. Discovered by Bob Diachenko and Vinny Troia, the breach was due to the data being stored in a MongoDB instance left publicly facing without a password and resulted in 763 million unique email addresses being exposed. Many records within the data also included additional personal attributes.
Tomi Engdahl says:
Brian Krebs / Krebs on Security:
Earl of Sandwich and Planet Hollywood restaurant franchise owner admits a breach of its PoS systems where 2M+ credit and debit card details may have been stolen
A Month After 2 Million Customer Cards Sold Online, Buca di Beppo Parent Admits Breach
https://krebsonsecurity.com/2019/03/a-month-after-2-million-customer-cards-sold-online-buca-di-beppo-parent-admits-breach/
On Feb. 21, 2019, KrebsOnSecurity contacted Italian restaurant chain Buca di Beppo after discovering strong evidence that two million credit and debit card numbers belonging to the company’s customers were being sold in the cybercrime underground. Today, Buca’s parent firm announced it had remediated a 10-month breach of its payment systems.
Tomi Engdahl says:
Millions of Toyota Customers in Japan Hit by Data Breach
https://www.securityweek.com/millions-toyota-customers-japan-hit-data-breach
Personal information belonging to millions of Toyota customers in Japan may have been compromised as a result of a breach suffered by a Toyota Motor Corporation (TMC) sales subsidiary and its affiliates.
Tomi Engdahl says:
Bezos Investigation Finds the Saudis Obtained His Private Data
The National Enquirer’s lawyer tried to get me to say there was no hacking.
https://www.thedailybeast.com/jeff-bezos-investigation-finds-the-saudis-obtained-his-private-information?ref=home