Weekly Summary

SPOTLIGHT, VULNERABILITY CHAT & PRIVACY HEADLINES

Company backed by Facebook co-founder suffers large data breach.

10 June 2024
BREACHAWARE HQ

A total of 30 breaches were found and analysed resulting in 7,203,587 leaked accounts containing a total of 29 different data types. The breaches found publicly and freely available included 51, Zadig and Voltaire, Stealer Log 0465, T Bank and Danto. Sign in to view the full BreachAware Breach Index which includes, where available, reference articles relating to each breach.

SPOTLIGHT

A well-known technology news company based in Asia, backed by the co-founder of Facebook, has suffered a significant data breach. A known threat actor in the community exploited several flaws in the company's API, leading to the breach a few days ago. Although user passwords were not exposed, unique email addresses and full names were among the data types compromised. The breached data appeared on the infamous Breach Forums, which have resumed operations after the FBI's recent intervention.

Last week, we covered Microsoft's controversial new feature, Recall, which has drawn substantial criticism from privacy experts. Recall takes screenshots of everything noteworthy a user experiences on Windows 11. In response to the backlash, Microsoft has released updates to address these concerns, summarised by VX Underground:
- Users can now choose whether or not to activate Recall during installation.
- Recall is no longer active by default. "Windows Hello" enrolment is now required to enable Recall.
- A "proof-of-presence" is required to view and search Recall data.

Additional layers of protection have been implemented:
- Data is decrypted in real time using Windows Hello Enhanced Sign-in Security (ESS).
- Data is only decrypted after the user authenticates.
- The search index is fully encrypted.

Despite these updates, questions remain about whether these measures are sufficient to address privacy concerns.

In a surprising turn of events, an unknown threat actor has bricked over 600,000 routers issued by Windstream, an American internet service provider. The incident affected several different router models. Although it occurred in October, it has only now come to light. Bricking refers to a device becoming completely inoperative due to a software issue. The security research team at Lumen discovered that the bricking was caused by a bad firmware update. All the compromised routers had been infected by the Chalubo botnet, malware designed to use routers in DDoS attacks; in this case the firmware update ultimately rendered them useless.

VULNERABILITY CHAT

SolarWinds has announced patches for multiple high-severity vulnerabilities in its Serv-U and SolarWinds Platform, including a bug reported by a penetration tester working with NATO. The patches also address two security defects in the web console, a race condition vulnerability, and a stored cross-site scripting (XSS) flaw that requires high privileges and user interaction for successful exploitation.

Two proof-of-concept exploits for a remote command execution bug in Apache HugeGraph have been made public. Apache HugeGraph, used in Java 8 and Java 11 environments, allows developers to build applications based on graph databases. In late April, the Apache Software Foundation disclosed a critical vulnerability affecting HugeGraph-Server versions from 1.0.0 up to, but not including, the 1.3.0 release.

Prompt injection vulnerabilities have been discovered in EmailGPT, an API service and Google Chrome extension that assists users in writing email messages in Gmail using OpenAI’s GPT models. The Synopsys Cybersecurity Research Center (CyRC) reported that the vulnerability allows malicious users to inject harmful prompts and take over the service logic. Attackers can force the AI service to leak hard-coded system prompts or execute unwanted prompts, potentially exposing sensitive information.

Threat actors are exploiting a critical Progress Telerik Report Server vulnerability that allows attackers to execute malicious code on targeted systems. Exploitation attempts began just two days after Sina Kheirkhah posted a proof of concept for the exploit chain on GitHub. The Shadowserver Foundation, a cybersecurity nonprofit organisation, observed exploitation attempts starting on June 5. As of June 6, exploitation primarily affected users in the U.S. and U.K.

Google has started rolling out the June 2024 monthly security updates for Android, addressing 37 vulnerabilities, including multiple high-severity elevation of privilege bugs. Google noted in its advisory that "the most severe of these issues is a high security vulnerability in the System component that could lead to local escalation of privilege with no additional execution privileges needed."

One Common Vulnerabilities and Exposures (CVE) entry was added to the Cybersecurity & Infrastructure Security Agency's (CISA) 'Known Exploited Vulnerabilities Catalog' last week, affecting Oracle WebLogic Server. See the full catalog here: https://www.cisa.gov/known-exploited-vulnerabilities-catalog

NIST's National Vulnerability Database (NVD), the U.S. government repository of standards-based vulnerability management data represented using the Security Content Automation Protocol (SCAP), published 741 vulnerabilities last week, bringing the 2024 total to 18,171. For more information visit https://nvd.nist.gov/vuln/search/

INFORMATION PRIVACY HEADLINES

Over the past few days, Meta has informed millions of Europeans that its privacy policy is changing once again. Meta argues that it has a legitimate interest that overrides the fundamental right to data protection and privacy of European users. Once their data is in the system, users seem to have no option to remove it ("right to be forgotten"). NOYB has now filed complaints in 11 European countries, asking the authorities to launch an urgency procedure to stop this change immediately before it comes into force on June 26, 2024.

Microsoft has been accused of likely tracking the data of hundreds of thousands of European schoolchildren through its education software deployed in schools across the continent, according to advocacy group NOYB. The two complaints to the Austrian privacy watchdog focus on Microsoft’s 365 Education suite for students, which includes Word, Excel, Microsoft Teams, PowerPoint, and Outlook.

Google Ads has emailed advertisers in the United States about upcoming compliance changes in response to privacy law provisions coming into effect in Florida, Texas, Oregon, Montana, and Colorado. The Colorado Privacy Act (CPA) will begin enforcing its Universal Opt-Out Mechanism (UOOM) provisions, which require businesses to comply with consumers' opt-out requests.

The Spanish data watchdog announced that Worldcoin has legally agreed not to resume its activity in Spain until the end of the year. The Spanish Agency for Data Protection (AEPD) stated that Tools for Humanity Corporation, the company behind the human identity and financial network Worldcoin, will not collect or process data until the end of 2024 or until the final resolution of an ongoing investigation. Currently, the data protection authority of Bavaria, Germany, the Bayerische Landesamt für Datenschutzaufsicht (BayLDA), is investigating the organisation regarding its treatment of personal user data.


DATA CATEGORIES DISCOVERED

Socio-Demographic Data, Contact Data, Technical Data, Locational Data, Financial Data, Usage Data, Documentary Data, Social Relationships Data, Communications Data, Transactional Data, Special Category.
