Weekly Summary

SPOTLIGHT, VULNERABILITY CHAT & PRIVACY HEADLINES

Blockchain detective speeds up arrest of two crypto thieves.

23 September 2024
BREACHAWARE HQ

A total of 35 breaches were found and analysed resulting in 7,110,820 leaked accounts containing a total of 29 different data types. The breaches found publicly and freely available included Sport 2000, Legendas.TV [2], Cash To You, Parking Pay and Brand New Tube [3].

SPOTLIGHT

ZachXBT, the renowned blockchain detective and scam hunter, has once again delivered results. Two months ago, an individual had $243 million worth of Bitcoin stolen. A few days ago, law enforcement arrested the two individuals responsible for the theft. XV Underground summarised ZachXBT's contribution, stating, "He gave law enforcement everything they needed on a silver platter. He got them busted in less than 2 months."

We previously wrote about ZachXBT nearly a year ago when successful crypto thieves, flaunting their wealth with champagne and escorts, had his name displayed on elite music club screens in Canada. The messages read “F**k ZachXBT” and “ZachXBT is watching.” ZachXBT has now released a PDF detailing the case, showcasing some of the OSINT (open-source intelligence) work he gathered. The thieves' poor operational security (OPSEC) was astonishing, considering they had just stolen $243 million. One of the culprits brazenly displayed their lifestyle all over social media, even renting a club where his nickname was projected on the screens. Their mistakes were numerous, including mixing stolen money with clean funds. One of the criminals accidentally deposited funds from a wallet connected to his identity into the dirty wallet, directly linking him to the crime.

Last Tuesday, the world’s largest industrial machinery and equipment company suffered a major data breach. The stolen data was swiftly posted on a Russian-speaking dark web cybercrime forum. The group responsible, ZeroSevenGroup, provided screenshots as proof of the authenticity of the breach, which exposed 80 GB of sensitive information, including projects, employee details, customer data, and financial records. In their post, they issued a chilling message to the company: “We told you ‘redacted$’ that we never joke; we've been on your network for a long time. You have to bear the consequences.”

In yet another week of law enforcement victories, an “encrypted” messaging app designed for criminals has been seized, and its creators arrested. The app, called Ghost, was created by an Australian man and marketed to criminals as “unhackable.” Law enforcement agencies from nine different countries collaborated to take down the app, which had servers in Iceland and France. So far, 51 suspects have been arrested. The app used three types of encryption methods and was allegedly used to facilitate serious crimes, including drug trafficking and money laundering.

VULNERABILITY CHAT

Huntress, a U.S. cybersecurity firm, has identified an "emerging threat" affecting users of Foundation Software. John Hammond, Principal Security Researcher at Huntress, explained: "The affected companies were using default credentials at the time of the intrusion. These are usernames and passwords that come with the software and are meant to be changed upon installation."

A high-severity vulnerability has been discovered in the FreeBSD hypervisor, bhyve, allowing malicious software running in a guest virtual machine (VM) to potentially execute arbitrary code on the host system. Users are advised to upgrade to a supported FreeBSD stable or release/security branch dated after the correction to address this issue.

Ivanti has disclosed that a critical security flaw in its Cloud Service Appliance (CSA) is being actively exploited. The "Path Traversal" vulnerability in Ivanti CSA versions before 4.6 Patch 519 allows remote, unauthenticated attackers to access restricted functionality. Ivanti has confirmed it is aware of a limited number of customers who have been exploited through this vulnerability, which was disclosed as CVE-2024-8190.

Google has released version 129 of Chrome, fixing nine security vulnerabilities. Users are urged to update as soon as possible. Google highlighted six of the vulnerabilities, with one classified as high-severity. The update brings the Chrome version to 129.0.6668.58 or 129.0.6668.59 for Windows and Mac users, and 129.0.6668.58 for Linux users.

Broadcom has resolved two VMware vCenter Server vulnerabilities that could allow remote code execution or privilege escalation. Both were discovered during a Chinese competition focused on identifying zero-day vulnerabilities.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have issued a "Secure by Design" alert, urging senior executives and business leaders to address and eliminate cross-site scripting (XSS) vulnerabilities in their products. The alert emphasises following the three principles outlined in the joint guidance available at https://www.cisa.gov/resources-tools/resources/secure-by-design

11 Common Vulnerabilities and Exposures (CVEs) were added to the Cybersecurity and Infrastructure Security Agency's (CISA) 'Known Exploited Vulnerabilities Catalog' last week, including Adobe (Flash Player). See the full catalog here: https://www.cisa.gov/known-exploited-vulnerabilities-catalog

NIST's National Vulnerability Database (NVD), the U.S. government repository of standards-based vulnerability management data represented using the Security Content Automation Protocol (SCAP), published 635 vulnerabilities last week, bringing the 2024 total to 28,352. For more information visit https://nvd.nist.gov/vuln/search/

INFORMATION PRIVACY HEADLINES

The U.K. Information Commissioner's Office (ICO) has confirmed that LinkedIn has suspended the processing of users' data in the country to train its artificial intelligence (AI) models. This action follows LinkedIn’s admission that it had used users' data to train its AI without explicit consent, as outlined in a privacy policy update that took effect on September 18, 2024.

Apple has released iOS 18, addressing 32 security vulnerabilities across various components of its operating system. Some of these vulnerabilities were particularly concerning due to their potential impact on user privacy and security.

A group of companies, including Meta and Spotify, criticised the European Union on Thursday for its “fragmented and inconsistent” approach to data privacy and artificial intelligence (AI) regulation. The signatories called for "harmonised, consistent, quick, and clear decisions" from EU data privacy regulators to allow European data to be used in AI training for the benefit of European citizens.

The U.S. Federal Trade Commission (FTC) has criticised the data protection practices of social media platforms and video streaming services. In an 84-page report published on September 11, along with 31 pages of appendices, the FTC warned that these platforms’ data collection methods pose serious privacy and security risks, especially to children, labelling the practices as "vast surveillance."


DATA CATEGORIES DISCOVERED

Communications Data, Contact Data, Socio-Demographic Data, Technical Data, Documentary Data, Financial Data, Special Category, Transactional Data, Locational Data, Usage Data, Social Relationships Data.
