Debt and credit information exposed in recent Bank breach.
07 October 2024
A total of 21 breaches were found and analysed, resulting in 30,573,656 leaked accounts containing a total of 30 different data types. The breaches found publicly and freely available included Tianya Club, Stealer log 0487, Stealer Log 0488, Stealer log 0486 and GetCarrier. Sign in to view the full BreachAware Breach Index, which includes, where available, reference articles relating to each breach.
SPOTLIGHT
A Nigerian bank may have recently experienced a data breach, though there has been no official disclosure yet. One of our team members discovered the leaked data a few days ago on a dubious section of the Dark Net. Given the sensitive nature of the information in the exposed files, we believe the bank should inform its customers. The breach contains a variety of data types, including particularly concerning debt and credit information, alongside full names and addresses.
In another development, a Russian bulletproof hosting provider appears to have been compromised. Bulletproof hosting providers are notorious for hosting anything without adhering to abuse complaints from authorities or individuals, typically operating in regions outside the control of entities like Five Eyes or Europol. Even if they are within such jurisdictions, they often obscure the locations of their servers.
A few months ago, VX Underground, a well-known malware analysis group, was contacted by an individual claiming access to the backend of this hosting provider. Last week, the same individual reached out again, offering further proof of continued access, including screenshots. They claim to have successfully exfiltrated all customer information from the provider. However, it's worth noting that much of this customer information may be falsified, as those who use bulletproof hosting services typically have something to hide.
Meanwhile, Meta has faced continued scrutiny regarding how it stored user data back in 2019. The Irish Data Protection Commission first reported in April 2019 that Facebook had discovered that hundreds of millions of user passwords from Facebook, Facebook Lite, and Instagram were stored in plaintext on its internal servers. This issue has culminated in Meta being fined €91 million for storing user passwords without encryption—a costly end to a major oversight.
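The Meta case above is about how credentials were stored, so as an added illustration (not Meta's code or anything from this newsletter) here is the pattern a credential store should follow instead of plaintext: a salted, memory-hard hash (scrypt from the Python standard library) with a self-describing record format, a constant-time verify, and a small audit routine that flags rows which are not in that format. The record layout `scrypt$N$r$p$salt$digest`, the cost parameters and the sample store are assumptions made for this example.

```python
import base64
import hashlib
import hmac
import os

# scrypt cost parameters. Assumed values for this example: 16 MiB of memory
# per hash, which keeps offline guessing expensive without stalling logins.
SCRYPT_N = 2 ** 14
SCRYPT_R = 8
SCRYPT_P = 1
DKLEN = 32


def hash_password(password: str) -> str:
    """Return a self-describing record: algorithm, cost parameters, random salt, digest.

    Nothing in the record lets a reader recover the password; a leaked table
    of these records must be brute-forced one row at a time.
    """
    salt = os.urandom(16)  # per-user random salt defeats precomputed tables
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return "$".join([
        "scrypt", str(SCRYPT_N), str(SCRYPT_R), str(SCRYPT_P),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the parameters stored in the record and compare in constant time."""
    try:
        alg, n, r, p, salt_b64, digest_b64 = record.split("$")
        n, r, p = int(n), int(r), int(p)
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
    except ValueError:
        return False  # malformed record: treat as no match rather than crash
    if alg != "scrypt":
        return False
    candidate = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                               n=n, r=r, p=p, dklen=len(expected))
    # compare_digest avoids leaking where the first mismatching byte is
    return hmac.compare_digest(candidate, expected)


def find_unhashed(store: dict) -> list:
    """Return usernames whose stored value is not a well-formed scrypt record.

    Running a check like this over a credential table (or over log sinks that
    should never contain secrets) is how plaintext storage gets caught early.
    """
    bad = []
    for user, value in store.items():
        parts = value.split("$")
        if len(parts) != 6 or parts[0] != "scrypt":
            bad.append(user)
    return sorted(bad)


# Constructed sample store: one row stored the 2019-style way (plaintext)
# and one stored correctly.
SAMPLE_STORE = {
    "alice": "hunter2",  # plaintext: anyone who can read the table has the password
    "bob": hash_password("correct horse battery staple"),
}

if __name__ == "__main__":
    print(find_unhashed(SAMPLE_STORE))
    print(verify_password("correct horse battery staple", SAMPLE_STORE["bob"]))
```

The audit function is deliberately format-based rather than content-based: a value that is not a recognised hash record is wrong regardless of what it contains, which makes the check cheap enough to run in CI against fixtures and against any table that is supposed to hold only hashes.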
VULNERABILITY CHAT
Apple has released updates to address two security issues. One of the issues allowed VoiceOver, an assistive technology, to read aloud saved passwords. Apple resolved this vulnerability with improved validation.
Forescout Research has identified 14 new vulnerabilities across 24 models of DrayTek’s Vigor routers, affecting around 785,000 devices globally. These vulnerabilities pose a significant risk to Wi-Fi network security.
Zimbra urges administrators to update their systems to patch a security vulnerability fixed in September. The company recommends checking the Zimbra Security Center and setting up RSS feeds for future alerts.
A security vulnerability known as CosmicSting has impacted 5% of all Adobe Commerce and Magento stores. Dutch firm Sansec reports that these stores are being compromised at a rate of three to five per hour, marking this as the most severe issue in two years.
A high-severity flaw has been found in the LiteSpeed Cache plugin for WordPress, which allows the execution of arbitrary JavaScript code. This issue has been fixed in version 6.5.1 following a disclosure by Patchstack researcher TaiYou.
Two Common Vulnerabilities and Exposures (CVE) entries were added to the Cybersecurity & Infrastructure Security Agency's (CISA) Known Exploited Vulnerabilities Catalog last week, including one affecting Ivanti Endpoint Manager (EPM). See the full catalog here: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
NIST's National Vulnerability Database (NVD), the U.S. government repository of standards-based vulnerability management data represented using the Security Content Automation Protocol (SCAP), published 674 vulnerabilities last week, bringing the 2024 total to 28,819. For more information visit https://nvd.nist.gov/vuln/search/
INFORMATION PRIVACY HEADLINES
SimpleX, a privacy-focused messaging app, has been gaining traction, especially after securing over $1 million in funding with support from Jack Dorsey. Unlike Telegram, SimpleX does not require user authentication via phone numbers or emails, which significantly enhances privacy protection.
The Court of Justice of the European Union ruled that Meta cannot use public data related to a user's sexual orientation for targeted advertising. This ruling came after Max Schrems filed a complaint about Meta’s practices under the EU’s strict data privacy laws.
Despite the rise in ransomware data breaches in the UK, the Information Commissioner’s Office (ICO) has drastically reduced the number of investigations. Last year, fewer than 7% of incidents reported to the ICO were investigated, with only 5% of cases reviewed in the first half of this year.
Two third-party contractors from India stole frequent-flyer points and possibly accessed customers' passport details in a cyber theft involving Qantas's ground-handling services.
Ireland's Data Protection Commissioner has launched a probe into Ryanair's use of facial recognition technology, investigating whether it breaches EU privacy regulations when verifying customers who book through third-party websites.
The Korea Communications Commission (KCC) plans to investigate TikTok for possible violations of the Information and Communications Network Act, raising concerns about the app’s compliance with South Korea’s privacy regulations.
Breach Exposure Monitoring | Dark Web Monitoring + Surface Web Monitoring
Scan Any Domain for Free https://breachaware.com/scan
DATA CATEGORIES DISCOVERED
Technical Data, Contact Data, Socio-Demographic Data, Communications Data, Locational Data, Special Category, Social Relationships Data, Transactional Data, Financial Data, Documentary Data, Usage Data.