Weekly Summary

SPOTLIGHT, VULNERABILITY CHAT & PRIVACY HEADLINES
Property Breach Exposure Monitoring

AI-powered property tech breach impacts US bank customers.

09 September 2024
BREACHAWARE HQ

A total of 27 breaches were found and analysed resulting in 36,605,520 leaked accounts containing a total of 32 different data types. The breaches found publicly and freely available included MindJolt, MyKukun, Factual, Passions Network and Dominos - Belgium. Sign in to view the full BreachAware Breach Index which includes, where available, reference articles relating to each breach.

SPOTLIGHT

A well-known AI-powered property technology platform for homeowners and real estate investors recently suffered a data breach. The leaked data appeared on a well-known Russian hacking forum. Founded in 2014, the company has grown significantly, attracting millions of customers worldwide. However, a notorious threat actor exploited their database and dumped it online. A large portion of the affected customers were from a prominent American bank, and the exposed data included full names, physical addresses, and more.

In another case, a security researcher is in trouble following a ransomware attack on the city of Columbus, Ohio, by the Russian ransomware group Rhysida. Shortly after the breach, the mayor issued a statement claiming that no sensitive data had been exposed, and what the hackers stole was either encrypted or corrupted.

It seemed all was well, until a security researcher visited the gang's leak site, downloaded the data, and quickly discovered that the information was neither encrypted nor corrupted. Instead, it contained highly sensitive details, including the names and Social Security numbers of domestic crime victims, suspects, and subpoenaed officers. The breach exposed information on 215,372 defendants. The researcher contacted the local media to reveal the true extent of the exposure.

Now the city is facing a class-action lawsuit and, to complicate matters further, is attempting to prosecute the researcher for uncovering its attempt to downplay the hack. The city has hired a lawyer and accuses the researcher of breaking the law by downloading the data and alerting the public to the severity of the breach. This unfolding story is both troubling and bizarre, and we will keep you updated as it develops.

Meanwhile, Transport for London (TfL) is also facing challenges after a recent cyberattack. TfL has limited access to some live travel information services, though they assure the public that there has been no impact on transport services and no evidence of compromised customer data. We will continue to monitor the situation for further updates.

VULNERABILITY CHAT

Cisco has alerted customers to critical vulnerabilities in its Smart Licensing Utility product and is urging them to apply software updates to safeguard against potential attacks. The two vulnerabilities, while independent of each other, could allow an unauthenticated, remote attacker to collect sensitive information or manage the Smart Licensing Utility services on a system during operation. Since there are no available workarounds for these issues, customers must install the updates provided by Cisco to prevent exploitation.

Progress Software has released an emergency patch for a vulnerability affecting its LoadMaster and LoadMaster Multi-Tenant (MT) Hypervisor products. This vulnerability enables attackers to remotely execute commands on the device. LoadMaster, an application delivery controller (ADC) and load balancing solution, is used by large organisations to optimise application performance, manage network traffic, and ensure high service availability.

A side-channel attack called "Eucleak" has been discovered, which allows the cloning of YubiKey security keys due to a vulnerability in a third-party cryptographic library. NinjaLab, a company specialising in cryptographic security, demonstrated the attack. In response, Yubico, the developer of YubiKey, has issued a security advisory addressing the issue.

Veeam Software, a prominent provider of backup, recovery, and data management solutions, has identified and resolved several critical and high-severity vulnerabilities across multiple products. Users are strongly advised to update to the latest versions to mitigate these security risks.

Apache has patched a critical vulnerability in its open-source OFBiz (Open For Business) software, which could allow attackers to execute arbitrary code on vulnerable Linux and Windows servers. OFBiz is a suite of customer relationship management (CRM) and enterprise resource planning (ERP) applications, also used as a Java-based web framework for web application development.

3 Common Vulnerabilities and Exposures (CVE) entries were added to the Cybersecurity & Infrastructure Security Agency's (CISA) Known Exploited Vulnerabilities Catalog last week, including one for DrayTek VigorConnect. See the full catalog here: https://www.cisa.gov/known-exploited-vulnerabilities-catalog

NIST's National Vulnerability Database (NVD), the U.S. government repository of standards-based vulnerability management data represented using the Security Content Automation Protocol (SCAP), published 522 vulnerabilities last week, bringing the 2024 total to 27,002. For more information visit https://nvd.nist.gov/vuln/search/

INFORMATION PRIVACY HEADLINES

Chinese police have reportedly detained five current and former AstraZeneca employees as part of an investigation into possible data privacy breaches and the importation of unlicensed medications. The investigation, led by police in Shenzhen, is also examining whether AstraZeneca's methods of collecting patient data violated China’s privacy laws.

The Dutch Data Protection Authority (DPA) has fined Clearview AI €30.5 million for illegally creating a database containing over 30 billion photos. Clearview AI, a US-based company providing facial recognition services to law enforcement and intelligence agencies, collected these photos without consent, violating the General Data Protection Regulation (GDPR), according to the DPA.

Court proceedings initiated by the Irish Data Protection Commission (DPC) against social media platform X have concluded. As of Wednesday, 4 September, the company has agreed to permanently stop processing certain personal data collected in the EU for training artificial intelligence (AI).

Meanwhile, Meta has begun notifying users in Brazil about how their personal data is being used to train generative AI, following a request from the country’s data protection authority. Starting on Tuesday, 3 September, Meta users in Brazil have received notifications via email and on Facebook and Instagram. Meta has also given users the option to decline the use of their personal data for AI training, as stated in a company announcement.


DATA CATEGORIES DISCOVERED

Socio-Demographic Data, Contact Data, Technical Data, Communications Data, Financial Data, Transactional Data, Locational Data, Usage Data, Documentary Data, Social Relationships Data.
