"Fast and honest" legal funding company has suffered a data breach.

10 July 2023
BREACHAWARE HQ
Loan Breach Exposure Monitoring

A total of 41 breach events were found and analysed, resulting in 128,269,951 exposed accounts containing a total of 26 different types of personal data. The breaches found publicly and freely available included Canva [2], Truth Finder, Boat Owners Database - USA, Coin Gecko and Gelbeseiten. Sign in to view the full library of breach events which includes, where available, reference articles relating to each breach.

Categories of Personal Data Discovered

Contact Data, Financial Data, Socio-Demographic Data, Technical Data, Special Category, Behavioural Data, Usage Data, Documentary Data, Locational Data.

Data Breach Analysis

Canva, a major graphic design platform, was compromised for a second time. As a platform with millions of creative professionals and business users, breaches here can expose usernames, emails, and hashed passwords, threatening both personal and professional accounts, particularly where password reuse occurs.

TruthFinder, a people-search engine that aggregates vast amounts of personal data, adds another layer of risk. Breaches of such services can reveal highly detailed records, names, locations, contact information, and possibly sensitive demographic or background data, making them a valuable target for identity fraud, stalking, or targeted scams.

The Boat Owners Database - USA appears to involve personal records related to marine vessel registrations. The nature of such a dataset suggests an overlap with higher-income individuals or businesses, making exposed details potentially lucrative for phishing or fraud schemes aimed at asset owners.

CoinGecko, a well-known cryptocurrency market tracker, serves users deeply embedded in the digital asset space. A breach here could expose crypto enthusiasts to targeted scams or social engineering attempts, especially if login or contact information is repurposed in impersonation attempts across other crypto platforms.

Finally, Gelbeseiten, Germany’s equivalent of the Yellow Pages, represents a more traditional directory service. While seemingly less sensitive, such datasets can still be abused for spam campaigns or mapping relationships between individuals and businesses.

Spotlight

A legal funding company based in the US that promises fast, honest funding with no surprises has unfortunately been targeted by threat actors and suffered a data breach. The company has been running for the past 8 years and has some amazing reviews along the bottom of the page. Either they are really good or these gushing reviews are more like something you find in a field full of cows. A large number of datasets were among the data, including property information about each individual.

There’s a leaked database that's consistent with people who have traded on a Forex trading platform (foreign exchange market). Either there’s a third party out there collecting information on who has recently deposited or someone has created this manually by consolidating multiple databases together. Either way, I would want to know if I was in there. Among several datasets, the unique email addresses were in the millions, making this a nice, tasty download for a threat actor on a Friday.

The Bank of India suffered a data breach when a cyber gang broke into their secure systems and stole a range of data. They then dumped it on an up-and-coming underground forum; either they only exfiltrated a small amount of the data or they chose to share a small amount for now. That's because the breach itself is very small in terms of actual credentials, but as a wise man once said, a breach is a breach! Pictures of employees along with employee data, such as physical addresses and full names, are just a small portion of what was found while analysing the data.

Sticking with South Asia, an Indian delivery company that specialises in parcel delivery from overseas has been breached. When signing up with the company, you are assigned your own international address, for instance, in the US, to which you can deliver US products (via Amazon, etc.) and then the company will ship them back to India. This type of breach could easily cause supply chain issues for individuals importing US goods into India. The usual data types apply, as well as over ten thousand unique email addresses.

Vulnerability Chat

Mastodon, the decentralised social network with over 14 million users across 20,000 instances, has released a security update to fix critical vulnerabilities that could expose millions of users to potential attacks. The flaw centres on the media attachments feature and allows files to be created and overwritten in any location the software could access on the instance.

Medtronic has released an update for a vulnerability that could be exploited to steal, delete or modify cardiac device data or to gain network access. Meanwhile, Cisco has advised customers to disable ACI multi-site encryption while a fix is found for the Nexus 900 series switch vulnerability.

Whilst no active exploitation has been discovered yet, attackers could leverage the new StackRot vulnerability in the Linux kernel to facilitate privilege escalation on targeted hosts. Linux versions 6.1 to 6.4 are affected, and the issue has been addressed in versions 6.1.37 and 6.4.1, released this month.

Information Privacy Headlines

It seems the popularity of Meta's Threads has been halted in the EU, where privacy concerns have put its release on pause (supposedly Threads hasn't been actively blocked by Ireland's Data Protection Commission (DPC) yet). If you didn't know, like with Facebook and Messenger, you can't reverse a Threads account without also deleting Instagram.

The Swedish Authority for Privacy Protection (IMY) has issued fines against two companies using Google's analytics tool and issued warnings to other companies, due to the risks posed by US government surveillance.
