Jump to content

Search the Community

Showing results for tags 'data leak'.

  • Search By Tags

    Type tags separated by commas.
  • Search By Author

Content Type


Forums

  • Site Related
    • News & Updates
    • Site / Forum Feedback
    • Member Introduction
  • News
    • General News
    • FileSharing News
    • Mobile News
    • Software News
    • Security & Privacy News
    • Technology News
  • Downloads
    • nsane.down
  • General Discussions & Support
    • Filesharing Chat
    • Security & Privacy Center
    • Software Chat
    • Mobile Mania
    • Technology Talk
    • Entertainment Exchange
    • Guides & Tutorials
  • Off-Topic Chat
    • The Chat Bar
    • Jokes & Funny Stuff
    • Polling Station

Categories

  • Drivers
  • Filesharing
    • BitTorrent
    • eDonkey & Direct Connect (DC)
    • NewsReaders (Usenet)
    • Other P2P Clients & Tools
  • Internet
    • Download Managers & FTP Clients
    • Messengers
    • Web Browsers
    • Other Internet Tools
  • Multimedia
    • Codecs & Converters
    • Image Viewers & Editors
    • Media Players
    • Other Multimedia Software
  • Security
    • Anti-Malware
    • Firewalls
    • Other Security Tools
  • System
    • Benchmarking & System Info
    • Customization
    • Defrag Tools
    • Disc & Registry Cleaners
    • Management Suites
    • Other System Tools
  • Other Apps
    • Burning & Imaging
    • Document Viewers & Editors
    • File Managers & Archivers
    • Miscellaneous Applications
  • Linux Distributions

Categories

  • General News
  • File Sharing News
  • Mobile News
  • Software News
  • Security & Privacy News
  • Technology News

Find results in...

Find results that contain...


Date Created

  • Start

    End


Last Updated

  • Start

    End


Filter by number of...

Found 23 results

  1. Threat actors are using stolen NVIDIA code signing certificates to sign malware to appear trustworthy and allow malicious drivers to be loaded in Windows. This week, NVIDIA confirmed that they suffered a cyberattack that allowed threat actors to steal employee credentials and proprietary data. The extortion group, known as Lapsus$, states that they stole 1TB of data during the attack and began leaking the data online after NVIDIA refused to negotiate with them. Lapsus$ messages about the NVIDIA attack The leak includes two stolen code-signing certificates used by NVIDIA developers to sign their drivers and executables. A code-signing certificate allows developers to digitally sign executables and drivers so that Windows and end-users can verify the file's owner and whether they have been tampered with by a third party. To increase security in Windows, Microsoft also requires kernel-mode drivers to be code signed before the operating system will load them. NVIDIA certificates used to sign malware After Lapsus$ leaked NVIDIA's code-signing certificates, security researchers quickly found that the certificates were being used to sign malware and other tools used by threat actors. According to samples uploaded to the VirusTotal malware scanning service, the stolen certificates were used to sign various malware and hacking tools, such as Cobalt Strike beacons, Mimikatz, backdoors, and remote access trojans. For example, one threat actor used the certificate to sign a Quasar remote access trojan [VirusTotal], while someone else used the certificate to sign a Windows driver [VirusTotal]. Quasar RAT signed by NVIDIA certificate Security researchers Kevin Beaumont and Will Dormann shared that the stolen certificates utilize the following serial numbers: 43BB437D609866286DD839E1D00309F5 14781bc862e8dc503a559346f5dcc518 Some of the files were likely uploaded to VirusTotal by security researchers but others appear to be used by threat actors for malware campaigns [1, 2]. While both stolen NVIDIA certificates are expired, Windows will still allow a driver signed with the certificates to be loaded in the operating system. Therefore, using these stolen certificates, threat actors gain the advantage of making their programs look like legitimate NVIDIA programs and allowing malicious drivers to be loaded by Windows. Signed Quasar RAT sample To prevent known vulnerable drivers from being loaded in Windows, David Weston, director of enterprise and OS security at Microsoft, tweeted that admins can configure Windows Defender Application Control policies to control what NVIDIA drivers can be loaded. However, using WDAC is not an easy task, especially for non-IT Windows users. Due to the potential for abuse, it is hoped that the stolen certificates will be added to Microsoft's certificate revocation list in the future to prevent malicious drivers from loading in Windows. However, doing so will cause legitimate NVIDIA drivers to be blocked as well, so we will likely not see this happening soon. Malware now using stolen NVIDIA code signing certificates
  2. Have I Been Pwned says the hackers cracked Nvidia employees’ emails Nvidia never denied that it got hacked. The GPU giant just didn’t say all that much about what happened, either. But now — as we wait to see whether the hackers make good on their threat to dump hundreds of gigabytes of proprietary Nvidia data on the web, including details about future graphics chips, by an unspecified Friday deadline — the compromised email alert website Have I Been Pwned suggests that the scope of the hack includes a staggering 71,000 employee emails and hashes that may have allowed the hackers to crack their passwords (via TechCrunch). It’s not clear how Have I Been Pwned obtained this info, and Nvidia won’t say. Nvidia would not confirm or deny to The Verge whether 71,000 employee credentials have been compromised, and it would not say whether it plans to comply with any of the hackers’ demands. It is worth noting that Nvidia has far fewer than 71,000 employees — its last annual report lists 18,975 employees across 29 countries, though it’s possible the compromised email addresses include prior employees and aliases for groups of employees. (Companies that rely heavily on email often have a lot of mailing lists.) The Telegraph’s initial report suggested that the company’s internal systems, including email, had been “completely compromised,” and a leak of 71,000 employee credentials would line up with that. Here is all that Nvidia is actually saying today, via spokesperson Hector Marinez: On February 23, 2022, NVIDIA became aware of a cybersecurity incident which impacted IT resources. Shortly after discovering the incident, we further hardened our network, engaged cybersecurity incident response experts, and notified law enforcement. We have no evidence of ransomware being deployed on the NVIDIA environment or that this is related to the Russia-Ukraine conflict. However, we are aware that the threat actor took employee credentials and some NVIDIA proprietary information from our systems and has begun leaking it online. Our team is working to analyze that information. We do not anticipate any disruption to our business or our ability to serve our customers as a result of the incident. Security is a continuous process that we take very seriously at NVIDIA – and we invest in the protection and quality of our code and products daily. That’s what we’d heard previously, and Nvidia’s cybersecurity incident response page hasn’t been updated since March 1st, either. The LAPSUS$ hacking group, which has taken credit for the breach, had an unusually populist demand: it stated that it wants Nvidia to open source its GPU drivers forever and remove its Ethereum cryptocurrency mining nerf from all Nvidia 30-series GPUs (such as newer models of the RTX 3080) rather than directly asking for cash. But they clearly want cash, too. The hackers have also publicly stated that they’ll sell a bypass for the crypto nerf for $1 million, and this morning, they briefly posted a message suggesting that today’s leak would be delayed while they discussed terms with a would-be buyer of Nvidia’s source code. If Nvidia does pay up, something that’s not unheard of in these data ransom situations, I wouldn’t necessarily expect to hear about it anytime soon. It won’t necessarily be in either party’s best interests to say so. But if Nvidia doesn’t pay or comply and LAPSUS$ does have the data it claims, things might be about to get interesting. As Nvidia hacker deadline looms, 71,000 employee accounts have reportedly been exposed
  3. The Lapsus$ data extortion group leaked today a huge collection of confidential data they claim to be from Samsung Electronics, the South Korean giant consumer electronics company. The leak comes less than a week after Lapsus$ released a 20GB document archive from 1TB of data stolen from Nvidia GPU designer. Gang teases Samsung data leak In a note posted earlier today, the extortion gang teased about releasing Samsung data with a snapshot of C/C++ directives in Samsung software. Shortly after teasing their followers, Lapsus$ published a description of the upcoming leak, saying that it contains “confidential Samsung source code” originating from a breach. source code for every Trusted Applet (TA) installed in Samsung’s TrustZone environment used for sensitive operations (e.g. hardware cryptography, binary encryption, access control) algorithms for all biometric unlock operations bootloader source code for all recent Samsung devices confidential source code from Qualcomm source code for Samsung’s activation servers full source code for technology used for authorizing and authenticating Samsung accounts, including APIs and services If the details above are accurate, Samsung has suffered a major data breach that could cause huge damage to the company. Lapsus$ split the leaked data in three compressed files that add to almost 190GB and made them available in a torrent that appears to be highly popular, with more than 400 peers sharing the content. The extortion group also said that it would deploy more servers to increase the download speed. Included in the torrent is also a brief description for the content available in each of the three archives: Part 1 contains a dump of source code and related data about Security/Defense/Knox/Bootloader/TrustedApps and various other items Part 2 contains a dump of source code and related data about device security and encryption Part 3 contains various repositories from Samsung Github: mobile defense engineering, Samsung account backend, Samsung pass backend/frontend, and SES (Bixby, Smartthings, store) It is unclear if Lapsus$ contacted Samsung for a ransom, as they claimed in the case of Nvidia. BleepingComputer has contacted Samsung for a statement about the Lapsus$ data leak and will update the article when the company replies. This is developing story Hackers leak 190GB of alleged Samsung data, source code
  4. ‘Chqbook.com’ Data Leak Exposes 2 Million Credit Score Reports The data from the suspected and officially denied ‘Chqbook’ breach is now freely shared online. The details included in the dataset are very sensitive, with names, credit card details, and Aadhaar numbers being present. The shared pack also has an “Easter Egg,” which is METRO Cash & Carry client details. ‘Chqbook.com,’ an India-based online banking service that offers credit card, loan, and insurance management services for small businesses and merchants, has suffered a data breach. The incident has severely exposed 2.5 million Indians, who had their bank balance, PAN number, passport number, Aadhaar number, credit score, credit card outstanding, voter ID, email address, date of birth, and even their card PIN leaked. The discovery of the dataset that has appeared online now comes from researcher Rajshekhar Rajaharia, who tipped us off and shared the details. Source: Rajshekhar Rajaharia With the help of KELA, the cyber-intelligence experts, we were able to find the first evidence of the particular dataset appearing on the dark web for sale on December 25, 2020. ‘Chqbook’ initially denied having suffered a data breach, but the dataset is now freely shared on hacker forums, so the game of rebuttal cannot be played anymore. Still, there have been no official announcements yet, but we guess that these shouldn’t take much longer to appear now. Source: KELA Apart from the aforementioned details, the dataset also includes METRO Cash & Carry data, as Chqbook.com partnered with the retail giant back in July 2018. METRO has been in India since 2003, operating twenty-five wholesale distribution centers across the country. The company hasn’t made a statement about the security incident either, but Rajaharia has confirmed that the data leak affects them directly. Credits: Rajshekhar Rajaharia In general, the leaked data opens up the potential for phishing, scamming, and even impersonation and banking fraud. Be very vigilant with how you treat incoming communications of the entire spectrum. Since phone numbers, email addresses, and physical addresses have been exposed, crooks have all channels wide open. Finally, pay close attention to your bank account and credit card statements and immediately report any transactions that you don’t recognize to the issuer. Ideally, you should ask for a card invalidation and replacement now. Unfortunately, the ID and passport are not as straight-forward to replace, and the Aadhaar number isn’t resettable in India, so you’ll have to live with the fact that those have leaked. Source: ‘Chqbook.com’ Data Leak Exposes 2 Million Credit Score Reports
  5. GitHub Arctic Vault likely has leaked MedData patient records GitHub Arctic Code Vault has likely captured sensitive patient medical records from multiple healthcare facilities in a data leak attributed to MedData. The private data was leaked on GitHub repositories last year whose contributors carry the "Arctic Code Vault" badge. This means, these repositories could now be a part of a huge open-source repo collection bound to last a 1,000 years. Although in the gray area of international copyright law and regulations pertaining to protection of patients' personally identifiable information (PII), the archived data might be a bit of a daunting task for anyone to extract and remove. Leaked patient medical data to sit for 1,000 years in the Vault Last year, GitHub came out with an archival initiative titled Arctic Code Vault that focused on preserving the vast majority of open-source artifacts published on the website, by porting these onto physical media that could stand the test of time. To preserve the open-source community's contributions over the last few decades, billions of lines of code from GitHub repositories, current as of February 2nd, 2020, were printed on a hardened film designed to last for a thousand years. These rolls of films were then shipped off to the GitHub Arctic Code Vault, situated in a remote coal mine, deep under an Arctic mountain in Svalbard, Norway, which is relatively close to the North Pole. But, given its popularity and vast adoption rate, GitHub has been used in all kinds of situations: from developers storing legitimate software code, to attackers abusing GitHub for hosting malware like Gitpaste-12, to repositories that were later found to be leaking passwords and API keys that shouldn't have made their way on GitHub to begin with. Should these artifacts also get their place in the history? In an ironic twist of fate, a Dutch researcher Jelle Ursem, in collaboration with Dissent Doe of DataBreaches.net, discovered this could be the case with patient medical records associated with the MedData data leak. This week, multiple medical facilities including Memorial Hermann, University of Chicago, Aspirus, OSF Healthcare, King’s Daughters and SCL Health have come forward, issuing privacy incident and HIPAA breach notices related to the MedData PII leak. According to these notices, confidential patient records kept by MedData, a national provider of healthcare revenue cycle management solutions, were uploaded by one of their former employees to GitHub during or before September 2019. Although the files were removed by GitHub on December 17th, 2020, considering the Arctic Vault archive was finalized on February 2nd, 2020, the data very likely made its way into the historic collection: Contributor(s) of GitHub repository with patient data have the Arctic Code Vault Contributor badge Source: Databreaches.net In August 2020, Ursem and Doe had jointly published details on the nine healthcare data leaks on GitHub that impacted medical records of 150,000 to 200,000 patients. The researchers shortly identified another data leak from on GitHub which they traced to MedData. They then informed MedData of this leak on December 10, 2020. But it wasn't until now that impacted patients have been notified by the company: "Impacted covered entities whose patient's data was affected were notified on February 8, 2021. Letters were mailed to impacted individuals and applicable regulatory agencies on March 31, 2021," states MedData in an incident notice, which continues: From our investigation, it appears that impacted information may have included individuals’ names, in combination with one or more of the following data elements: physical address, date of birth, Social Security number, diagnosis, condition, claim information, date of service, subscriber ID (subscriber IDs may be Social Security numbers), medical procedure codes, provider name, and health insurance policy number. MedData asks GitHub to remove data from vault Last year, when Ursem had informed MedData of this data leak, and the possibility that this data had slipped into GitHub's Arctic Vault, MedData further contacted GitHub asking for logs of the vault, and to discuss removal of such data from the vault, say the researchers. "We do not know what transpired after that, although there had been some muttering that MedData might sue GitHub to get the logs," say Ursem and Doe in a report published April 1st, which the researchers wished was an April Fools' Day joke. Ursem had asked GitHub in 2020, what would happen if a repository containing PII or other sensitive data had made its way into the Arctic Code Vault. He wondered, if GitHub could just go in and extract a single repository or would someone's medical data now be a part of the 1,000-year strong collection? The researcher told BleepingComputer: "GitHub indeed didn't get back to me, possibly for legal reasons. I don't even think anyone had remotely considered this might happen." "This is actually the first occurrence of something that I noticed may have ended up in the vault, but there's no telling how much more data that's not supposed to be there is in there, because there is no public way to verify this unfortunately." "Imagine if a current day researcher stumbled upon an archive from a thousand years ago today that detailed people's medical issues from an era, described so thoroughly." "They would have a field day," Ursem told BleepingComputer in an email interview. Although realistically, nobody might go through the trouble of getting to the grand Vault to retrieve leaked materials now purged from GitHub, it does open up a question for what course of action exists for GitHub and companies when incidents such as this recent MedData leak take place. Regulations around the world such as HIPAA, UK Data Protection Act, and GDPR strictly dictate how healthcare records and patient PII data are supposed to be handled, and the steps that need to be taken in the event of a data breach. Last year, GitHub removed the YouTube-DL source code following a report of DMCA (copyright) violation, only to reinstate it later. But, this code being fairly old very likely got archived in the Arctic Code Vault, according to the criteria specified by GitHub on what repositories get archived. The Arctic Code Vault FAQ also states that repositories deleted from GitHub, may not be deleted from all warm storage partners: "Keeping a historic view is an important part of each archive. If you have a concern about your repository continuing to be a part of the archive, please contact the archives." "For the GitHub Arctic Code Vault, we are unable to remove data that has already been stored." But, according to GitHub, archives have a special status under GDPR, giving them some safe harbor: "Warm storage contains more thorough information, but archives have a special legal status under GDPR which protects them. GitHub’s Legal Team has approved the Archive Program," states the FAQ section. This indicates copyrighted works or otherwise legally objectionable material, although removed from GitHub, could continue to sit in the remote Vault for a millennium. "We hope that GitHub cooperated with MedData, but we raise the issue here because we will bet you that many developers and firms have never even considered what might happen that could go so very wrong," the researchers concluded in their latest report. Update 7:46 AM ET: Changed the headline and parts of the article to make it clear it is likely patient records from the MetData leak have been archived in the Vault. Source: GitHub Arctic Vault likely has leaked MedData patient records
  6. Verizon has been leaking customers’ personal information for days (at least) A bug in a customer chat feature shows transcripts of other people's chats. Enlarge / A Verizon FiOS truck in Manhattan on September 15, 2017. Getty Images | Smith Collection | Gado 28 with 26 posters participating Verizon is struggling to fix a glitch that has been leaking customers’ addresses, phone numbers, account numbers, and other personal information through a chat system that helps prospective subscribers figure out if Fios services are available in their location. The personal details appear when people click on a link to chat with a Verizon representative. When the chat window opens, it contains transcripts of conversations that other customers, either prospective or current, have had. The transcripts include full names, addresses, phone numbers, account numbers (in the event they already have an account), and various other information. Some of the transcripts viewed by Ars date back to June. A separate Window included customers' addresses, although it wasn't clear who those addresses belonged to. “Hi—I’m looking to get the teacher discount for Fios,” one person wrote on November 29. Below are redacted screenshots of some of what has been available. First image of article image gallery. Please visit the source link to see all images. Ars learned of the leak on Monday afternoon and alerted Verizon representatives immediately. The plan was to report the leak only after it had been fixed. As this post went live, the leak was still occurring, although the number of exposed chats had lessened. Ars decided to report the leak to alert people who may use the service that this data is being exposed. It’s not clear when Verizon began leaking the data. With some of the chats dating back to June, it’s possible that the leak has been occurring for months. In a statement issued Thursday morning, Verizon said: We're looking into an issue involving our online chat system that assists individuals who are checking on the availability of Fios services. We believe a small number of users may have seen a name, phone number, and/or a home or building address from an unrelated individual who had previously used this chat system to enter that information. Since the issue was brought to our attention, we've identified and isolated the problem and are working to have it resolved as quickly as possible. It’s not the first time Verizon has spilled customer information. In 2016, a database of more than 1.5 million Verizon Enterprise Solutions customers was put up for sale on an online crime forum. Verizon said at the time that a “security flaw in its site [had] permitted hackers to steal customer contact information,” according to KrebsOnSecurity, which broke the news. Verizon was also one of four US cellphone carriers caught selling customers’ real-time locations to services that catered to law enforcement. One of the services made subscriber locations available to anyone who took the time to exploit an easily spotted bug in a free trial feature. For the time being, it makes sense to avoid using Verizon’s Fios availability chat feature. This post will be updated once Verizon says the glitch has been fully fixed. Verizon has been leaking customers’ personal information for days (at least) (To view the article's image gallery, please visit the above link)
  7. Blood Testing Lab Data Leaked After Apparent Ransomware Attack, Patient Information Posted Apex Laboratory, a Farmingdale, New York-based blood testing facility, is notifying patients about the leak of their information, including test results. The security incident - which appears to have involved ransomware - happened in July. Apex reports that certain systems and files within its network initially were no longer accessible or were encrypted. A forensics firm helped to restore network access, according to a notification recently posted on Apex's website. And while the initial investigation did not reveal that data was missing or compromised, Apex found on Dec. 15 that hackers had started posting patient information online, Apex says. "Upon learning of the data that was taken, Apex, along with the assistance of forensic specialists, conducted a review of the files to determine what information was impacted and ensured that the data was removed from the hacker's blog," according to the Apex data breach notification. "It is believed that this information may have been acquired from Apex's systems between July 21, 2020 and July 25, 2020." The additional investigation revealed that the compromised data includes patient names, dates of birth, test results and for some individuals, Social Security numbers as well as phone numbers, according to the breach notice. Apex did not specify the amount of data compromised, but the company says it's not aware of misuse of the information for identity theft or other malicious activity. "Apex is continuing to investigate this incident," Apex notes. "As part of our ongoing commitment to the security of information, we notified law enforcement and are reviewing and enhancing existing policies and procedures to reduce the likelihood of a similar future event." Ransomware Responsible? The security blog DataBreaches.net reports that the DoppelPaymer ransomware gang carried out the attack and has posted about 10,000 files on its darknet leak site. The FBI warned in December of increased activity by the operators behind DoppelPaymer (see: FBI Warns of DoppelPaymer Ransomware Attack Surge). Saryu Nayyar, CEO at security firm Gurucul, says that the apparent ransomware attack against Apex systems follows a familiar pattern of the dual-extortion racket: The attackers get in and disrupt systems. The victim manages to recover their encrypted files and return to operation, but the gang then releases some confidential information stolen during the attack. "The disturbing part is the delay between the initial breach in July 2020 and the notification coming months later in December," Nayyar says. "The stolen data would be quite useful for attackers looking to stage spear-phishing or targeted social engineering attacks or to simply leverage the stolen data to conduct identity theft. The fact that their initial investigation revealed no evidence of confidential patient data theft, with the attackers revealing the fact that they had acquired confidential data, is of additional concern." Privacy attorney David Holtzman, principal of the consulting firm HITprivacy, says the delay between the initial detection of the incident and the notification that Apex posted on Dec. 31 would likely draw the attention of healthcare regulators. "The HIPAA Security Rule requires covered entities and business associates to implement technical safeguards for monitoring access and alerting organizations to inappropriate activity and identifying potential threats in the network," Holtzman says. "It took over six months for Apex to learn that the hacker had scanned the system for valuable data and had extracted sensitive patient information about individuals, all of which had gone undetected. I would expect that the failure to discover that patient had been disclosed without authorization will be a focus of regulators investigating this breach." Healthcare Security James McQuiggan, a security awareness advocate at security firm KnowBe4, expects that in 2021, the trend of ransomware gangs exfiltrating data from victims will continue until more organizations improve their data security. "These activities are why organizations must have a multilevel security model to protect, monitor and respond promptly to any attacks. These tactics include technical controls and security awareness training, as many ransomware attacks are successful due to phishing," McQuiggan says. Hacking incidents, including ransomware and phishing attacks, as well as security incidents involving vendors dominated the federal tally of major health data breaches in 2020, according to the Department of Health and Human Service's HIPAA Breach Reporting Tool website (see: Analysis: 2020 Health Data Breach Trends). A report released this week by Check Point Software Technologies found that ransomware and other cyberattacks on healthcare entities globally have increased by about 45% in the last two months (see: Ransomware Attacks in Healthcare Surging). Source: Blood Testing Lab Data Leaked
  8. Millions of Social Profiles Leaked by Chinese Data-Scrapers A cloud misconfig by SocialArks exposed 318 million records gleaned from Facebook, Instagram and LinkedIn. More than 400GB of public and private profile data for 214 million social-media users from around the world has been exposed to the internet – including details for celebrities and social-media influencers in the U.S. and elsewhere. The leak stems from a misconfigured ElasticSearch database owned by Chinese social-media management company SocialArks, which contained personally identifiable information (PII) from users of Facebook, Instagram, LinkedIn and other platforms, according to researchers at Safety Detectives. The server was found to be publicly exposed without password protection or encryption during routine IP-address checks on potentially unsecured databases, researchers said. It contained more than 318 million records in total. SocialArks’ data-management platform is used for programmatic advertising and marketing. It bills itself as a “cross-border social-media management company dedicated to solving the current problems of brand building, marketing, marketing, social customer management in China’s foreign trade industry.” The data included reams of North American users’ information. Source: Security Detectives. The affected server, hosted by Tencent, was segmented into indices in order to store data obtained from each social-media source, which allowed researchers to look into the data further. “Our research team was able to determine that the entirety of the leaked data was ‘scraped’ from social-media platforms, which is both unethical and a violation of Facebook’s, Instagram’s and LinkedIn’s terms of service,” researchers said, in a Monday blog post. The scraped profiles included 11,651,162 Instagram user profiles; 66,117,839 LinkedIn user profiles; 81,551,567 Facebook user profiles; and 55,300,000 Facebook profiles that were deleted within a few hours after the open server was discovered. The public profile data included biographies, profile pictures, follower totals, location settings, contact details such as email addresses and phone numbers, number of followers, number of comments, frequently used hashtags, company names, employment position and more. “Social media data scraped for marketing purposes will inevitably include sensitive information,” Jack Mannino, CEO at nVisium, told Threatpost. “For every privacy-conscious person using social media, there is an exponentially greater number of people publicly sharing intimate details about their private lives. To protect yourself, restrict public access to your profile and media assets, be sensible about what you post online, and be careful what permissions you grant to applications that may abuse, misuse or steal your information.” However, in addition to the collating of publicly available data, the database also included, inexplicably, private data for social-media users. “SocialArks’ database stored personal data for Instagram and LinkedIn users such as private phone numbers and email addresses for users that did not divulge such information publicly on their accounts,” researchers said. “How SocialArks could possibly have access to such data in the first place remains unknown…It remains unclear how the company managed to obtain private data from multiple secure sources…Moreover, the company’s server had insufficient security and was left completely unsecured.” Threatpost has reached out to SocialArks for more information. The database was secured by SocialArks the same day that Security Detectives alerted the company to the issue. SocialArks suffered a similar data breach in August, which affected 66 million LinkedIn users, 11.6 million Instagram accounts and 81.5 million Facebook accounts – about 150 million in all. The information exposed also consisted of scraped, publicly available data such as full names, country of residence, place of work, position, subscriber data and contact information, as well as direct links to profiles. Having a central repository for such information opens the door to high-volume, automated social-engineering attacks, experts warned. “Most data scraping is completely innocuous and carried out by web developers, business intelligence analysts, honest businesses such as travel booker sites, as well as being done for market research purposes online,” the researchers said. “However, even if such data is obtained legally – if it is stored without adequate cybersecurity, large leaks affecting millions of people can occur. When private information including phone numbers, email addresses and birth information is extracted and/or leaked, criminals are empowered to commit heinous acts including identity theft and financial fraud.” Dirk Schrader, global vice president at New Net Technologies, said that the fact the scraping took place at all – public or private information – is in itself of interest. “Public profiles have been scraped before and the giants in that space usually try to block mass scraping attempts as the intention behind is to get access to their ‘oil,'” he told Threatpost. “Why it hasn’t worked in this case would be an interesting fact to know. As a likely affected LinkedIn user, my choices are limited. Either I accept that scraping will happen, or I can reduce my profile which limits my ability to make business connections to a certain extent. How much information a user provides is their choice. Scraping itself, especially when the data collected is so badly secured, increases the likelihood to be targeted with specific attacks and unwanted emails.” Source: Millions of Social Profiles Leaked by Chinese Data-Scrapers
  9. Hacker reveals massive Parler data leak: ALL users’ messages, location info and even driver’s licenses may have been exposed © Getty Images / spyarm; © AFP / Olivier DOULIERY Recently shutdown social media app Parler is at the center of a yet another controversy, after allegations surfaced that the totality of its users' personal data was leaked in the wake of the network going offline. Parler, a social network popular with conservative audiences, was removed from the internet on Monday, after Amazon kicked the site off its hosting service, citing"a steady increase in this violent content" in the wake of Wednesday's riot at the US Capitol. The decision to pull support came after Apple and Google blocked the social network from their online marketplaces over the weekend. Shortly before Amazon's move, a self-described hacker from Austria, going by 'Donk Enby' on Twitter, claimed to have gained access to all of the "unprocessed, raw" video files uploaded to Parler "with all associated metadata." The hacker even included a link to the file library in order to prove that the data leak was real. These are the original, unprocessed, raw files as uploaded to Parler with all associated metadata. — crash override (@donk_enby) January 10, 2021 The development agitated the social network's audience, especially since it occurred around the same time as Parler's shutdown. News of the apparent leak quickly spread online, leaving some to wonder how the hacker could have snagged the entirety of one of the network's file libraries. A Reddit user named 'BlueMountainDace' claimed to have the answer, and they posted it in the group 'ParlerWatch,' which appears to have been created to monitor some of the perceived extreme views of the platform's users. According to 'BlueMountainDace', it was not just the videos, but the entirety of Parler's users' data that was exposed. In their viral post, the Redditor asserted that one of Parler's hosting platforms, Twilio, accidentally exposed the app's security authentications via a press release. This in turn could have allowed any person to create a blank administrator account and access all of Parler's private content, which, besides message history and geo data, might have included users' driver's license photos, which were used to create a verified account. Currently it is unclear which press release by Twilio might have led to the Parler data being exposed. Remember how people were dunking on Parler for being built on WordPress? Well, through a plug-in exploit, literally all the user data (including photos of verified state id cards) has been retrieved by hackers and is being posted online. Lmao ♾️https://t.co/w1yexoUOxqpic.twitter.com/h2Mf7Fn1Sc — Classic Bird Respecter (@BirdRespecter) January 11, 2021 According to tech writer Matthew Sheffield, the breach was possible due to Parler's long-criticized lax security standards. Specifically, Sheffield blames the potential leak on the app "never actually deleting anything its users posted," while keeping the data accessible to administrator users. Parler never actually deleted anything its users posted. And, stupidly, they also kept it accessible to admin users.This meant that anyone with admin access could still download it. — Matthew Sheffield (@mattsheffield) January 11, 2021 However, Sheffield notes that it will likely "take a little while" for such amounts of data to be processed in order for it to end up in an accessible "WikiLeaks-style data dump." It's going to take a little while for this data to end up at a permanent central repository but once it's done, it'll be a Wikileaks style data dump of Parler users, where they were, what they posted, what they tied to delete. Lots of #MAGATerrorist types are gonna get doxed. — Matthew Sheffield (@mattsheffield) January 11, 2021 Parler and Twilio have yet to comment on the allegations. Source: Hacker reveals massive Parler data leak: ALL users’ messages, location info and even driver’s licenses may have been exposed
  10. Experian challenged over massive data leak in Brazil Consumer rights body criticizes explanations from the credit bureau in relation to the data exposure of over 220 million citizens. After receiving feedback from Experian over a massive data leak in Brazil, São Paulo state consumer rights foundation Procon described the company's explanations as "insufficient" and said it is likely that the incident was initiated in a corporate environment. Procon notified the credit information multinational following the emergence of a leak that exposed the personal data of more than 220 million citizens and companies, which is being offered for sale in the dark web. Security firm PSafe discovered the incident, which exposed all manner of personal details, including information from Mosaic, a consumer segmentation model used by Serasa, Experian's Brazilian subsidiary. Following the emergence of the leak in January, Procon notified the credit bureau, and asked the company for a confirmation of the incident, and an explanation of the reasons that caused the leak, the steps taken to contain it, how it will repair the damage to consumers impacted and the measures taken to prevent it from happening again. "No hypothesis has been ruled out, and at the moment we consider it is more likely that the leak came from inside companies rather than hackers," said Procon's executive director Fernando Capez, adding that Experian's feedback prompts more questions than answers. The explanations from the company will be analyzed by the board of the consumer rights body, and a fine may be applicable if any wrongdoing becomes evident. According to Procon, Experian informed that all its activities that involve personal data comply with the Brazilian data protection regulations, and that processing of such data can legally serve several purposes. That part of the answer was insufficient, the consumer rights body said, since "there is no legal basis for the treatment and use of data in an indiscriminate manner" and that includes data of deceased individuals, also exposed in the leak. In addition, Procon noted that Serasa Experian did not specify the technical and organizational measures adopted to implement its data protection policy. Moreover, the company reinforced what it had said in a statement released last week in its response to the notification, that there is no evidence that credit data has been illegally obtained from its Brazilian subsidiary. The company also argued that there is no evidence that its technology systems had been compromised. In relation to Serasa Experian's risk mitigation policy that may occur in such circumstances, Procon said the company only stated that a "comprehensive information security program" is currently in place. Regarding damage repair to consumers, Serasa Experian stated that its website has instructions on what to do in case of fraud. Procon's stance is that this is a preventive measure rather than a reparative action. Contacted by ZDNet, Serasa Experian did not answer to requests for comment on Procon's response to its feedback. The agency's demands for answers follow calls from the Brazilian Institute for Consumer Protection (IDEC) for urgent measures to investigate and punish those responsible for exposing the population's data, as well as improved citizen information and transparency. Source: Experian challenged over massive data leak in Brazil
  11. MIllions of VPN users have personal details stolen Databases of three top Android VPN tools were left exposed with default authentication information (Image credit: Shutterstock) The user databases of three popular Android VPN services have reportedly been hacked, with millions of user records now put up for sale online. Databases purportedly from SuperVPN, GeckoVPN, and ChatVPN, together containing a total of twenty one million user records, apparently include sensitive details such as the user’s authentication credentials, according to new research from CyberNews. If the leaked databases are genuine, what’s even more worrying about the leak is the amount of information that these services log about their users, despite claiming not to do so in their respective privacy policies. Besides the authentication information, the databases also include email addresses, payment-related data along with the expiration date of the premium accounts. Reportedly, the threat actor is also offering to sort the data by country for potential buyers. Pervasive data logging The team of researchers at CyberNews saw snippets from the databases and reveal that the leak also contains information about the user’s devices, and argue that with the right know-how these can be exploited to launch man-in-the-middle (MITM) attacks on the unsuspecting users. “We reached out to SuperVPN, GeckoVPN, and ChatVPN and asked the providers if they could confirm that the leak was genuine but we have received no responses at the time of writing this report,” the site said. If one takes the word of the hacker on face value, the databases were publicly accessible and the companies didn’t even follow the basic security procedure of disabling the default database credentials. The news is bound to have serious industry-wide repercussions especially considering the fact that the targeted providers are some of the most popular VPN vendors. Via: CyberNews MIllions of VPN users have personal details stolen
  12. “Mentally ill demon hackers” blamed for massive Gab data leak Far-right service allegedly breached via SQL injection vulnerability More than 40 million posts, messages, profiles, and hashed passwords compromised Gab, the Twitter-like social networking service known for its far-right userbase, has reportedly been hacked – putting more than 40 million public and private posts, messages, as well as user profiles and hashed passwords, at risk of exposure. The 70 GB leak of data fell into the hands of activist group Distributed Denial of Secrets (also known as DDoSecrets) – which was banned from Twitter last year after it published sensitive data stolen from US law enforcement agencies. However, DDoSecrets says it did not exfiltrate the data itself but received it via a hacker called “JaXpArO.” DDoSecrets claims that the compromised data – which it has dubbed “GabLeaks” – is “an important sociological resource. In 2021, it’s also a record of the culture and the exact statements surrounding not only an increase in extremist views and actions, but an attempted coup.” Recognising the sensitive nature of the contents of private messages (some of which contains personal identifiable information) and the presence of passwords, DDoSecrets says the data is “currently only being offered to journalists and researchers.” The first media outlet to gain access to the data was Wired, to whom DDoSecrets cofounder Emma Best described the haul as “another gold mine of research for people looking at militias, neo-Nazis, the far right, QAnon and everything surrounding January 6.” As you would imagine, Gab is not terribly happy with the news. In a blog post, Gab CEO Andrew Torba acknowledged that there had been a SQL injection security vulnerability on the Gab website, which they claimed to have patched last month. However, Torba initially downplayed the seriousness of the alleged data breach at Gab, preferring to shoot the messenger instead: “Today we received an inquiry from reporters about an alleged data breach. We have searched high and low for chatter on the breach on the Internet and can find nothing. We can only presume the reporters, who write for a publication that has written many hit pieces on Gab in the past, are in direct contact with the hacker and are essentially assisting the hacker in his efforts to smear our business and hurt you, our users.” Later, Torba shared that the hashed passwords for his and Donald Trump’s accounts had been compromised, describing those who attacked the site as “mentally ill tranny demon hackers”: If a vulnerability existed that would allow one hacker to exfiltrate sensitive data from a site like Gab, then that same vulnerability could have been exploited by others. JaXpArO and DDoSecrets may or may not have plans to exploit the compromised data maliciously, but it’s not possible to say with any certainty that anyone else who might have exploited the security hole will feel the same way. With Gab acting as something of a haven for neo-Nazis, white supremacists, and QAnon conspiracy theorists expelled from other social networking sites, there is a very real possibility that they might continue to be a target for hackers in the future. Source: “Mentally ill demon hackers” blamed for massive Gab data leak
  13. Office Depot Configuration Error Exposes One Million Records A misconfigured Elasticsearch server belonging to a popular office supplies store chain was found leaking nearly one million records including customers’ personal information, it has emerged. The non-password protected database was discovered by a Website Planet team led by Jeremiah Fowler on March 3. They quickly traced it back to Office Depot Europe, which operates across the region with bricks-and-mortar stores and online under the Office Depot and Viking brands. Among the 974,000 unencrypted records found in the database were customer names, phone numbers, home and office addresses, @members.ebay addresses, marketplace logs, order histories and hashed passwords. Fowler warned that such data could have been used by cyber-criminals to perform convincing phishing attacks. “Let’s hypothetically say a criminal calls the customer and they validate the recent order. Next the criminal says something is wrong with your billing information, can you please provide me with the credit card number used for your purchase?” he explained. “The customer would have no reason to doubt this because the caller can validate real details that only the retailer would know. This is how a social engineering attack works and it is one of the most common forms of fraud used today.” Although Office Depot Europe secured the database within hours of notification, thanking the researchers for bringing it to their attention, Fowler claimed it may have been exposed for up to 10 days. This would have put it at risk not only from data-hunting fraudsters but automated ransomware scripts and other tools which scour the internet for misconfigured databases like this. Alongside the customer information was data on middleware, IP addresses, ports, pathways and storage systems used by the organization which Fowler said could have been exploited to target the Office Depot corporate network. Source: Office Depot Configuration Error Exposes One Million Records
  14. Engineer reports data leak to Apperta, hears from the police A security engineer and ex-contributor to an open systems non-profit organization recently reported a data leak to the organization. In return, he first got thanked for his responsible reporting, but later heard from their lawyers and the police. Apperta Foundation is a UK-based non-profit, supported by NHS England and NHS Digital, that promotes open systems and standards in the digital health and social care space. GitHub repository exposed passwords, keys, database This week, a British cloud security engineer Rob Dyke spoke out on how an instance of ethically reporting a data leak landed him in legal trouble. Earlier this month, Dyke had discovered an exposed GitHub repository exposing passwords, API keys, and sensitive financial records which belonged to Apperta Foundation. On discovering this GitHub repository which, the engineer says, was public since at least 2019, the engineer privately reported it to Apperta, and got thanked by them. On March 9th, however, he received legal correspondence from Apperta's lawyers, leading him to hire his own solicitors to represent him. Furthermore, an email followed yesterday from a Northumbria Police cyber investigator in relation to a report of "Computer Misuse." Security engineer Rob Dyke receives an email from Northumbria Police Source: Twitter In a phone interview with BleepingComputer, Dyke told us that having worked with Apperta in the past [1, 2, 3] and as someone currently working in the IT sector, he's very familiar with both Apperta's established mechanism and the industry practices when it comes to responsibly reporting security vulnerabilities to vendors. When he came across the data leak, Dyke had immediately reported it to Apperta. To have a record of what he had reported, however, the researcher encrypted the data he had come across and securely stored it aside for 90 days, as a part of the coordinated disclosure process. "I knew how I was supposed to report it to them. So I reported it to them, via their established procedure," the engineer told BleepingComputer further adding that he had received a reply from Apperta with the representative thanking him, and stating they'll get the issue sorted. "And I didn't really think any more about it," Dyke continued. A little over a week later, a letter arrived from Apperta's lawyers stating that they considered Dyke's actions as "unlawful" and demanded a written undertaking that any data the engineer had come across was deleted. This left the engineer surprised especially considering that Apperta team members knew him from his past contributions. In emails seen by BleepingComputer, Dyke further clarified to Apperta's lawyers that the information he came across was being leaked on GitHub publicly for over two years, rather than proprietary data obtained as a part of unlawful hacking activity. The details gathered by the engineer as a part of the responsible disclosure was done so from openly accessible public URLs published by Apperta on the internet. Dyke further issued a written affirmation that he will destroy any copy of the repository obtained from the public web service (GitHub) and provide a certificate of destruction. Yesterday, another letter arrived from the Northumbria Police station inquiring more details about what the police refers to a report of "Computer Misuse (Act)." The engineer told BleepingComputer he believes the police investigation is linked to the Apperta incident, given that Northumbria Police oversees the jurisdiction where Apperta's offices are located. "I don't think this is the way to go about it for an organization that's promoting openness, and, all of the things that go with that; transparency, accountability, and responsibility." "Since I've found this leak, and helped them out, this is simply not the way to go about it. I gave [them] assurance that the data will be deleted, and it has been deleted," Dyke further explained to BleepingComputer. UK Computer Misuse Act scares away 80% of infosec professionals This is not the first time an information security engineer has allegedly stepped into the legal gray area of UK's Computer Misuse Act (CMA). The Register has repeatedly [1, 2, 3] tracked developments on Computer Misuse Act and why time and time again both British infosec. firms and academics have urged that aspects of the dated law be reformed. A study conducted by the CyberUp campaign stated that 80% of security professionals were scared of falling foul of Computer Misuse Act during course of their routine professional activities. The provisions of the UK Computer Misuse Act of 1990 are vast and extensive and may even consider simply coming across a data leak as an "offence." Even work activities of UK-based threat intelligence providers probing foreign systems may be considered illegal under the Act. BleepingComputer reached out to Apperta Foundation multiple times and Northumbria Police well in advance for comment, but we have not heard back. Source: Engineer reports data leak to Apperta, hears from the police
  15. Password resets are being forced following a leak of account credentials. The Poloniex cryptocurrency exchange has enforced a password reset for account holders following a data leak across social media. A very common form of scam is known as phishing, in which fraudsters will send fraudulent emails while disguising themselves as legitimate companies. These messages are often crafted to lure would-be victims into visiting malicious domains, and in order to prompt them to do so, scammers may claim there has been suspicious activity detected in an account -- and therefore the recipient needs to visit the website and change their password. Once submitted, these credentials can then be used by fraudsters to hijack accounts, potentially steal data, and in the case of cryptocurrency exchanges, siphon away virtual funds. In light of this trend, cryptocurrency holders need to verify password reset emails as legitimate before proceeding -- and an email blasted to Poloniex users last week was recently confirmed as authentic over Twitter. A Twitter user under the handle @charlysatoshi posted a screenshot of an email they received, purporting to be from Poloniex, warning of the "scam" message. The email said that a list of leaked email addresses and passwords had been discovered on the microblogging platform, spreading with the claim that the credentials could be used to access Poloniex accounts. "While almost all of the email addresses listed do not belong to Poloniex accounts, we are forcing a password reset on any email addresses that do have an account with us, including yours," the email reads. While the user originally believed the message was a phishing attempt, the cryptocurrency exchange's support team responded on December 30, saying, "This is a real email! Please reset your password for account security." It is not certain at this time how far the data leak extends, or whether the forced password reset only involves email addresses on the list. The source of the security incident and how this information was obtained is also unclear. On the same day, the cryptocurrency exchange also published a guide for setting up two-factor authentication (2FA) on accounts, which can provide an additional layer of security through a mobile device should basic username and password combinations become compromised. The data leak brings to mind November's incident involving BitMEX, a cryptocurrency trading post. An email was sent en masse to users informing them of upcoming changes to indices weighting, but due to human error, the email addresses of other users were included in the "To" field. While the failure to properly mask recipients may not seem like a massive issue, when combined with the fact that many of us reuse passwords and the availability of data dumps online, this may have exposed users to the risk of compromise. BitMEX has also recommended that users secure their accounts with 2FA. The BitMEX Twitter account was also accessed by an external individual, but the company says this second problem was "unrelated." ZDNet has reached out to Poloniex with additional queries and will update if we hear back. Source
  16. Communications and Multimedia Minister Gobind Singh Deo said a clear message needs to be delivered on the importance of securing user data in the digital space. Gobind added that as his ministry is looking into tightening and strengthening the current Personal Data Protection Act 2010 (PDPA), he is aware of concerns about the number of data breach incidents reported in Malaysia so far. "This matter definitely has my attention and I'm putting major focus on it. My ministry is in the process of tightening the law so we can give out a clear signal that data security needs to be guaranteed," he said during an interview at the Maxis Business Spark Summit in Kuala Lumpur today. Gobind believes that if there are any issues related to a data breach, stern action needs to be taken. "We have to show that we are serious about preventing data breaches and we have to be strict about enforcing the law." According to Gobind, data security and protection should be guaranteed for Malaysians as the country moves toward the digital era. "If we want to ask more Malaysians to be a part of digital technology such as e-commerce and so on, we have to encourage them to use the Internet to expand their business. We also have to give them guarantee that their data will be safe. We are paying attention to that." In October, a series of data breach incidents involving a public university and two different ministries has been reported in the media. Gobind declined to comment further on any specific cases as he is still awaiting a full report on the matter. "The matter is still under investigation. I don't want to comment until I have all the facts," Gobind said, adding that he will make an announcement on PDPA amendments later. Source: Gobind: Ministry needs to send out clear signal on the importance of data safety (via The Star Online)
  17. Thursday, 17 Oct 2019 | 1:15 PM MYT By Angelin Yeoh The Petrol Subsidy Programme microsite, which went live on Oct 15, is for users to find out if they are eligible for petrol subsidy, as announced in Budget 2020. The Domestic Trade and Consumer Affairs Ministry (KPDNHEP) has suspended the newly-launched Petrol Subsidy Programme microsite after a tech portal reported that it exposed users’ bank account details. KPDNHEP head of corporate communication, Yunus Tasim, said the ministry is aware and investigating the issue. "Once we got the news, we decided to put the website on hold because we don't want to risk anything. We don't want users to be sceptical about our system,” he said. He added that once the issue is rectified, the ministry will restore the system. Lowyat had reported that once a person’s MyKad number is entered in the portal, it will reveal the last four digits of the user’s bank account number. However, when it looked into the source code, the full account number was visible. Yunus said the ministry will be in touch with Lowyat for more information. “We would like to thank all the users for their patience and feedback given to us," he said. Cybersecurity company LGMS director Fong Choong Fook said the security flaw is mostly likely due to the ministry rushing to launch the microsite. The Petrol Subsidy Programme microsite, which went live on Oct 15, is for users to find out if they are eligible for petrol subsidy, as announced in Budget 2020. “The bigger concern now is if someone can use the website as a tool to phish out information, just imagine what that person can do with the details,” Fong said. “They could impersonate a bank officer and call a victim for extortion. A lot of exploitation can be done here." Dr Aswami Fadillah Mohd Ariffin, president of Protem Digital Forensics Research Society (DFRS), said web-based development should go through security auditing at the staging level before production to avoid any security issues when the site goes online. He said that the website developer must ensure secure coding and infrastructure design are followed before giving the go ahead for the launch. Once the ministry rectifies the issue and rechecks again, it can give users access to the website, he added. Fong said the issue can be rectified with a "quick fix on the coding side". Source: KPDNHEP suspends Petrol Subsidy Programme microsite which exposed users’ bank account details (via TheStar Online)
  18. Many Malaysians may have noticed an uptick of marketing and scam calls in recent years where the caller even have your personal details such as MyKad number. This came as no surprise when the personal data of most mobile phone users were leaked from the very system contracted by the Malaysian Communications and Multimedia Commission (MCMC) to protect such users in 2017. The government has since ended its contract with the contractor, Nuemera (M) Sdn Bhd, and criminal investigations on the matter were handed over to the Attorney-General's Chambers. This was confirmed in a written reply from the Communications and Multimedia Ministry to Lembah Pantai MP Fahmi Fadzil (above) today. Fahmi had asked how was it possible that Nuemera, which was contracted to manage MCMC's Public Cellular Blocking Service (PCBS), could fail to protect the personal data of 46.2 million mobile phone accounts leading to the leak and what actions have been taken against the company. The PCBS, launched in February 2014, was an initiative by the MCMC to provide a service that allowed stolen phones to be blocked from making calls, texting or accessing the Internet - even if the sim card is changed. For this purpose, the Malaysian Central Equipment Identity Register (MCEIR) was created, which is a database of International Mobile Equipment Identity (IMEI) number, a unique serial that can identify every mobile phone in the country. All major telcos in the country had surrendered the IMEI number as well as other personal data, such as names, mobile phone number, home address and MyKad number for the system. The written reply was scarce on details of how the leak happened but said action has been taken against Nuemera following an investigation by the MCMC, Personal Data Protection Department (JPDP) and police. "Following the investigation, on Jan 26, 2018, MCMC had suspended Nuemera's appointment as it was found that the company breached basic provisions in the contract between MCMC and Nuemera. "On May 21, 2018, MCMC issued a notice to Nuemera informing of MCMC's decision not to renew the PCBS agreement for another five years as provided as an option in the contract agreement," it said. On the criminal investigation front, the ministry said JPDP had investigated the matter under Section 9 of the Personal Data Protection Act 2010. Section 9 states that "A data user shall, when processing personal data, take practical steps to protect the personal data from any loss, misuse, modification, unauthorised or accidental access or disclosure, alteration or destruction...". The ministry said the matter was also investigated under Section 130 of the same act which concerns the unlawful collection of personal data as well as Section 4 of the Computer Crimes 1997 which concerns unauthorised access with intent to commit or facilitate the commission of a further offence. "The investigation papers have been completed and was sent to the Attorney-General's Chambers for action," it said. In November 2017, Malaysiakini reviewed the leaked data and found evidence that it was linked to the PCBS under the MCMC which outsources it to Nuemera. Source: Putrajaya ends contract with firm over one of country's largest data leak (via Malaysiakini)
  19. Indian supply-chain giant Bizongo exposed 643GB of sensitive data Bizongo did not respond to the researchers when contacted about the data leak. Bizongo, an online packaging marketplace has suffered a data leak in which the company left highly sensitive customer information unsecured and potentially exposed to hackers and other malicious individuals. The reason behind the incident is the company’s misconfigured AWS S3 data bucket. The data leak was discovered by researchers at Website Planet security as of late December 2020, but the details of it have also been shared now. According to researchers, they immediately contacted Bizongo regarding the incident but received no response. What and how much data was exposed? However, on 8th January 2021, the team checked the bucket again and the breach was found to be closed. During this time period, approximately 2,532,610 files were exposed, equating to 643GB of data. It is worth noting that Bizongo exposed its AWS S3 data bucket to the public allowing anyone to access the treasure trove of data without any password or even the simplest form of security authentication. According to Website Planet’s report, the exposed bucket included PII and payment data of Bizongo’s Bizongo. These included the following: Full names Phone numbers Billing addresses Delivery Addresses Shipping and tracking numbers Billing details with clients’ financial details Sample files in the data leak Image: Website Planet How big exactly is Bizongo? Bizongo is an online packaging marketplace with a vast network of over 400 clients spanning a multitude of industries and has delivered more than 860 million packages to date. Considering the size of the breach, there could be over a thousand businesses affected, along with hundreds of thousands of people who would be at risk of identity theft and fraud, scams, business espionage, and theft. India and cybersecurity India is home to large corporations and top cybersecurity professionals however like any other country companies seem to go easy on their online security. For instance, in the last few months, Upstox, MobiKwik, Airtel, IIMJobs, Dunzo, Indiabulls, and Bharat Interface for Money (BHIM) are among the list of top firms to suffer data breaches. It is time for companies to take their online security seriously, hire cybersecurity companies or professionals to conduct in-depth scans of their network and vulnerability assessment. This will help them identify and close any loophole that can expose their data or exploited by threat actors to steal sensitive information. Source: Indian supply-chain giant Bizongo exposed 643GB of sensitive data
  20. Threat Actor Leaks Personal Records of 250 Million American Households on Hacking Forum A threat actor named Pompompurin has posted a treasure trove of 250 million personal records belonging to US residents. The database containing 263 GB of personally identifiable information (PII) and household-related data was leaked on a popular hacking forum last week. According to an analysis done by Hackread.com, the records contain 1255 CSV sub-files, each with 200,000 listings that include: Full names, phone numbers, and email addresses Date of birth, marital status, and gender House cost, home rent, home built year ZIP codes, home addresses, and Geolocation Credit capacity and political affiliation Salary, income details, and number of owned vehicles Number of children in the household Number of owned pets For the moment, the owner or origin of the database remains unclear. “This was dumped by me,” the threat actor said in his post description. “Took a few days to export data fully, so enjoy. Feel free to ask any questions about the data. There are 59 million unique emails in this. All data on people living in the US.” He also makes sure to specify that “there are no passwords in this leak.” Check if your personal info has been stolen or made public on the internet with Bitdefender’s Digital Identity Protection tool. Digital and physical security risks for victims Given the sheer number of leaked information on individuals and their households, malicious actors can exploit the data in many ways. By combining the info, cybercriminals can deploy compelling social engineering attacks that may lead to account takeover, identify theft and fraud. In addition to these digital threats, criminals can single out specific victims based on their income details, the number of owned vehicles and home address. Victims should closely monitor their online interactions and inboxes. They need to be fully aware that cybercriminals and scammers can target them via any social media platform or use phone numbers to make unsolicited calls or send malicious or fraudulent links via text. Source: Threat Actor Leaks Personal Records of 250 Million American Households on Hacking Forum
  21. Robocall Legal Advocate Leaks Customer Data A California company that helps telemarketing firms avoid getting sued for violating a federal law that seeks to curb robocalls has leaked the phone numbers, email addresses and passwords of all its customers, as well as the mobile phone numbers and other data on people who have hired lawyers to go after telemarketers. The Blacklist Alliance provides technologies and services to marketing firms concerned about lawsuits under the Telephone Consumer Protection Act (TCPA), a 1991 law that restricts the making of telemarketing calls through the use of automatic telephone dialing systems and artificial or prerecorded voice messages. The TCPA prohibits contact with consumers — even via text messages — unless the company has “prior express consent” to contact the consumer. With statutory damages of $500 to $1,500 per call, the TCPA has prompted a flood of lawsuits over the years. From the telemarketer’s perspective, the TCPA can present something of a legal minefield in certain situations, such as when a phone number belonging to someone who’d previously given consent gets reassigned to another subscriber. Enter The Blacklist Alliance, which promises to help marketers avoid TCPA legal snares set by “professional plaintiffs and class action attorneys seeking to cash in on the TCPA.” According to the Blacklist, one of the “dirty tricks” used by TCPA “frequent filers” includes “phone flipping,” or registering multiple prepaid cell phone numbers to receive calls intended for the person to whom a number was previously registered. Lawyers representing TCPA claimants typically redact their clients’ personal information from legal filings to protect them from retaliation and to keep their contact information private. The Blacklist Alliance researches TCPA cases to uncover the phone numbers of plaintiffs and sells this data in the form of list-scrubbing services to telemarketers. “TCPA predators operate like malware,” The Blacklist explains on its website. “Our Litigation Firewall isolates the infection and protects you from harm. Scrub against active plaintiffs, pre litigation complainers, active attorneys, attorney associates, and more. Use our robust API to seamlessly scrub these high-risk numbers from your outbound campaigns and inbound calls, or adjust your suppression settings to fit your individual requirements and appetite for risk.” Unfortunately for the Blacklist paying customers and for people represented by attorneys filing TCPA lawsuits, the Blacklist’s own Web site until late last week leaked reams of data to anyone with a Web browser. Thousands of documents, emails, spreadsheets, images and the names tied to countless mobile phone numbers all could be viewed or downloaded without authentication from the domain theblacklist.click. The directory also included all 388 Blacklist customer API keys, as well as each customer’s phone number, employer, username and password (scrambled with the relatively weak MD5 password hashing algorithm). The leaked Blacklist customer database points to various companies you might expect to see using automated calling systems to generate business, including real estate and life insurance providers, credit repair companies and a long list of online advertising firms and individual digital marketing specialists. The very first account in the leaked Blacklist user database corresponds to its CEO Seth Heyman, an attorney in southern California. Mr. Heyman did not respond to multiple requests for comment, although The Blacklist stopped leaking its database not long after that contact request. Two other accounts marked as administrators were among the third and sixth registered users in the database; those correspond to two individuals at Riip Digital, a California-based email marketing concern that serves a diverse range of clients in the lead generation business, from debt relief and timeshare companies, to real estate firms and CBD vendors. Riip Digital did not respond to requests for comment. But According to Spamhaus, an anti-spam group relied upon by many Internet service providers (ISPs) to block unsolicited junk email, the company has a storied history of so-called “snowshoe spamming,” which involves junk email purveyors who try to avoid spam filters and blacklists by spreading their spam-sending systems across a broad swath of domains and Internet addresses. The irony of this data leak is that marketers who constantly scrape the Web for consumer contact data may not realize the source of the information, and end up feeding it into automated systems that peddle dubious wares and services via automated phone calls and text messages. To the extent this data is used to generate sales leads that are then sold to others, such a leak could end up causing more legal problems for The Blacklist’s customers. The Blacklist and their clients talk a lot about technologies that they say separate automated telephonic communications from dime-a-dozen robocalls, such as software that delivers recorded statements that are manually selected by a live agent. But for your average person, this is likely a distinction without a difference. Robocalls are permitted for political candidates, but beyond that if the recording is a sales message and you haven’t given your written permission to get calls from the company on the other end, the call is illegal. According to the Federal Trade Commission (FTC), companies are using auto-dialers to send out thousands of phone calls every minute for an incredibly low cost. In fiscal year 2019, the FTC received 3.78 million complaints about robocalls. Readers may be able to avoid some marketing calls by registering their mobile number with the Do Not Call registry, but the list appears to do little to deter all automated calls — particularly scam calls that spoof their real number. If and when you do receive robocalls, consider reporting them to the FTC. Some wireless providers now offer additional services and features to help block automated calls. For example, AT&T offers wireless customers its free Call Protect app, which screens incoming calls and flags those that are likely spam calls. See the FCC’s robocall resource page for links to resources at your mobile provider. In addition, there are a number of third-party mobile apps designed to block spammy calls, such as Nomorobo and TrueCaller. Obviously, not all telemarketing is spammy or scammy. I have friends and relatives who’ve worked at non-profits that rely a great deal on fundraising over the phone. Nevertheless, readers who are fed up with telemarketing calls may find some catharsis in the Jolly Roger Telephone Company, which offers subscribers a choice of automated bots that keep telemarketers engaged for several minutes. The service lets subscribers choose which callers should get the bot treatment, and then records the result. For my part, the volume of automated calls hitting my mobile number got so bad that I recently enabled a setting on my smart phone to simply send to voicemail all calls from numbers that aren’t already in my contacts list. This may not be a solution for everyone, but since then I haven’t received a single spammy jingle. Robocall Legal Advocate Leaks Customer Data
  22. More than 20GB of Intel source code and proprietary data dumped online "Exconfidential Lake" leak includes docs Intel provided under NDA as recently as May. Enlarge Tillie Kottman 71 with 59 posters participating, including story author Intel is investigating the purported leak of more than 20 gigabytes of its proprietary data and source code that a security researcher said came from a data breach earlier this year. The data—which at the time this post went live was publicly available on BitTorrent feeds—contains data Intel makes available to partners and customers under NDA, a company spokeswoman said. Speaking on background, she said Intel officials don’t believe the data came from a network breach. She also said the company is still trying to determine how current the material is and that, so far, there is no signs the data includes any customer or personal information. “We are investigating this situation,” company officials said in a statement. “The information appears to come from the Intel Resource and Design Center, which hosts information for use by our customers, partners and other external parties who have registered for access. We believe an individual with access downloaded and shared this data.” Exconfidential Lake The data was published by Tillie Kottmann, a Swiss software engineer who offered barebones details on Twitter. Kottmann has dubbed the leak “exconfidential Lake,” with Lake being a reference to the Intel insider name for its 10 nanometer chip platform. They said they obtained the data from a source who breached Intel earlier this year and that today's installment would be followed by others in the future. “Most of the things here have NOT been published ANYWHERE before and are classified as confidential, under NDA or Intel Restricted Secret,” Kottmann wrote. They said some of the contents included: Intel ME Bringup guides + (flash) tooling + samples for various platforms Kabylake (Purley Platform) BIOS Reference Code and Sample Code + Initialization code (some of it as exported git repos with full history) Intel CEFDK (Consumer Electronics Firmware Development Kit (Bootloader stuff)) SOURCES Silicon / FSP source code packages for various platforms Various Intel Development and Debugging Tools Simics Simulation for Rocket Lake S and potentially other platforms Various roadmaps and other documents Binaries for Camera drivers Intel made for SpaceX Schematics, Docs, Tools + Firmware for the unreleased Tiger Lake platform (very horrible) Kabylake FDK training videos Intel Trace Hub + decoder files for various Intel ME versions Elkhart Lake Silicon Reference and Platform Sample Code Some Verilog stuff for various Xeon Platforms, unsure what it is exactly. Debug BIOS/TXE builds for various Platforms Bootguard SDK (encrypted zip) Intel Snowridge / Snowfish Process Simulator ADK Various schematics Intel Marketing Material Templates (InDesign) Lots of other things Material as recent as May A quick review of the leaked material shows that it consists of confidential materials that Intel customers need to design motherboards, BIOS, or other things that work with CPUs and other chips Intel makes. Although we’re still analyzing the contents, we’re seeing design and test documents, source code, and presentations ranging from as early to Q4 2018 to just a couple of months ago. Most of these documents and source code packages apply to Intel CPU platforms, like Kaby Lake or the upcoming Tiger Lake, although there is a smattering of other documents relating to other products, such as a sensor package Intel developed for SpaceX. There is also a folder dedicated to the Intel Management Engine, but its contents, too, aren’t anything Intel integrators don’t already know. They’re test code and recommendations for when and how often to run those automated tests while designing systems that include an Intel CPU with the Intel ME. One of the dump’s newer bits included “Whitley/Cedar Island Platform Message of the Week,” dated May 5. Cedar Island is the motherboard architecture that lies beneath both Cooper Lake and Ice Lake Xeon CPUs. Some of those chips were released earlier this year, while some have yet to become generally available. Whitley is the dual-socket architecture for both Cooper Lake (14nm) and Ice Lake (10nm) Xeons. Cedar Island is for Cooper Lake only The contents include plenty of diagrams and graphics like the one below: Enlarge Some contents provide a cryptic reference to voltage failures in some Ice Lake samples. It’s not clear if the failures apply to actual hardware delivered to customers or if they’re happening on reference boards Intel provided to OEMs for use in designing their own boards. How done it? While Intel said it doesn’t believe the documents were obtained through a network breach, a screenshot of the conversation Kottmann had with the source provided an alternate explanation. The source said that the documents were hosted on an unsecured server hosted on Akamai’s content delivery network. The source claimed to have identified the server using the nmap port-scanning tool and from there, used a python script to guess default passwords. Here’s the conversation: source: They have a server hosted online by Akami CDN that wasn't properly secure. After an internet wide nmap scan I found my target port open and went through a list of 370 possible servers based on details that nmap provided with an NSE script. source: I used a python script I made to probe different aspects of the server including username defaults and unsecure file/folder access. source: The folders were just lying open if you could guess the name of one. Then when you were in the folder you could go back to root and just click into the other folders that you didn't know the name of. deletescape: holy shit that's incredibly funny source: Best of all, due to another misconfiguration, I could masqurade as any of their employees or make my own user. deletescape: LOL source: Another funny thing is that on the zip files you may find password protected. Most of them use the password Intel123 or a lowercase intel123 source: Security at it's finest. Kottmann said they didn’t know the source well but based on the apparent authenticity of the material, there's no reason to doubt the source's account of how it was obtained. The Intel spokeswoman didn’t immediately provide a response to the claim. Many onlookers have expressed alarm that the source code has comments containing the word “backdoor.” Kottmann told Ars that the word appeared two times in the source code associated with Intel’s Purely Refresh chipset for Xeon CPUs. So far, there are no known analyses of the source code that have found any covert methods for bypassing authentication, encryption, or other security protections. Besides, the term backdoor in coding can sometimes refer to debugging functions or have other benign meanings. People are also lampooning the use of the passwords Intel123 and intel123. These are no doubt weak passwords, but it’s unlikely their purpose was to secure the contents of the archive files from unauthorized people. More than 20GB of Intel source code and proprietary data dumped online
  23. Private data gone public: Razer leaks 100,000+ gamers’ personal info No need to breach any systems when the vendor gives the data away for free. Enlarge / This redacted sample record from the leaked Elasticsearch data shows someone's June 24 purchase of a $2,600 gaming laptop. Volodymyr Dianchenko 89 with 68 posters participating, including story author In August, security researcher Volodymyr Diachenko discovered a misconfigured Elasticsearch cluster, owned by gaming hardware vendor Razer, exposing customers' PII (Personal Identifiable Information). The cluster contained records of customer orders and included information such as item purchased, customer email, customer (physical) address, phone number, and so forth—basically, everything you'd expect to see from a credit card transaction, although not the credit card numbers themselves. The Elasticseach cluster was not only exposed to the public, it was indexed by public search engines. Diachenko reported the misconfigured cluster—which contained roughly 100,000 users' data—to Razer immediately, but the report bounced from support rep to support rep for over three weeks before being fixed. Razer offered the following public statement concerning the leak: We were made aware by Mr. Volodymyr of a server misconfiguration that potentially exposed order details, customer and shipping information. No other sensitive data such as credit card numbers or passwords was exposed. The server misconfiguration has been fixed on 9 Sept, prior to the lapse being made public. We would like to thank you, sincerely apologize for the lapse and have taken all necessary steps to fix the issue as well as conduct a thorough review of our IT security and systems. We remain committed to ensure the digital safety and security of all our customers. We also reached out to Razer for comment. Shortly after this article published, a Razer representative confirmed the already published statement, and added that concerned customers may send questions to [email protected] Razer and the cloud Enlarge / This screenshot of Synapse 3's interface shows a user configuring the RGB backlighting on all of their Razer gear. Razer One of the things Razer is well-known for—aside from their hardware itself—is requiring a cloud login for just about anything related to that hardware. The company offers a unified configuration program, Synapse, which uses one interface to control all of a user's Razer gear. Until last year, Synapse would not function—and users could not configure their Razer gear, for example change mouse resolution or keyboard backlighting—without logging in to a cloud account. Current versions of Synapse allow locally stored profiles for off-Internet use and what the company refers to as "Guest mode" to bypass the cloud login. Many gamers are annoyed by the insistence on a cloud account for hardware configuration that doesn't seem to really be enhanced by its presence. Their pique is understandable, because the pervasive cloud functionality comes with cloud vulnerabilities. Over the last year, Razer awarded a single HackerOne user, s3cr3tsdn, 28 separate bounties. We applaud Razer for offering and paying bug bounties, of course, but it's difficult to forget that those vulnerabilities wouldn't have been there (and globally exploitable), if Razer hadn't tied their device functionality so thoroughly to the cloud in the first place. Why leaks like this matter It's easy to respond dismissively to data leaks like this. The information exposed by Razer's misconfigured Elastisearch cluster is private—but unlike similar data exposed in the Ashley Madison breach five years ago, the purchases involved are probably not going to end anyone's marriage. There are no passwords in the transaction data leaked, either. But leaks like this do matter. Attackers can and do use data like that leaked here to heighten the effectiveness of phishing scams. Armed with accurate details of customers' recent orders and physical and email addresses, attackers have a good shot at impersonating Razer employees and social engineering those customers into giving up passwords and/or credit card details. In addition to the usual email phishing scenario—a message that looks like official communication from Razer, along with a link to a fake login page—attackers might cherry-pick the leaked database for high-value transactions and call those customers by phone. "Hello, $your_name, I'm calling from Razer. You ordered a Razer Blade 15 Base Edition at $2,599.99 on $order_date..." is an effective lead-in to fraudulently getting the customer's actual credit card number on the same call. Leaks and breaches aren't going away Enlarge / We do not advise betting that an entire day will go by without public report of a data breach. Identity Theft Resource Center According to the Identity Theft Resource Center, publicly reported data breaches and leaks are down thirty-three percent so far, year over year. (IDTRC somewhat misleadingly classifies leaks like Razer's as breaches "caused by human or system error.") This sounds like good news—until you realize that still means several breaches per day, every day. While the number of breaches is down this year—most likely, according to IDTRC, due to security hyper-vigilance by companies suddenly faced with remote work needs at unprecedented scale—the number of scams are not. Attackers reuse breached or leaked data for semi-targeted phishing and credential stuffing attacks for years after the actual compromise. Minimizing your threat profile As a consumer, there is unfortunately little you can do about companies losing control of your data once they have it. Instead, you should focus on minimizing how much of your data companies have in the first place— for example, no one company should have a password that can be used with your name or email address to log in to an account at another company. You might also strongly consider whether you really need to create new, cloud-based accounts containing personally identifiable information in the first place. Finally, be aware of how phishing and social engineering attacks work and how to guard against them. Avoid clicking links in email, particularly links that demand that you log in. Be aware of where those links go—most email clients, whether programs or Web-based, will allow you to see where a URL goes by hovering over it without clicking. Similarly, keep an eye on the address bar in your browser—a login page to MyFictitiousBank, however legitimate-seeming, is bad news if the URL in the address bar is DougsDogWashing.biz. Private data gone public: Razer leaks 100,000+ gamers’ personal info
×
×
  • Create New...