File hosting service that allegedly allowed CSAM and loli porn knocked offline.
16 December 2024
A total of 24 breaches were found and analysed resulting in 5,663,215 leaked accounts containing a total of 33 different data types. The breaches found publicly and freely available included Metro Cash & Carry, Blue Ocean Gaming, Golem Network, Stealer Log 0500 and Grey Star Jewellery. Sign in to view the full BreachAware Breach Index which includes, where available, reference articles relating to each breach.
SPOTLIGHT
The admin of a well-known file hosting service, frequently used in dubious corners of the internet, has been doxxed. The doxxing was triggered by the accidental exposure of a personal email address linked to the service's GitHub. While this admin had been doxxed previously, the current breach has revealed far more personal details. Known for harbouring harmful content under the guise of anonymity, the admin is accused of allowing large amounts of CSAM and loli porn to be hosted on the platform, refusing to take it down. The site also gained infamy for hosting significant data breaches, including the U.S. citizen database and 800 GB of content from the Breach Forums content delivery network.
The site went offline a few weeks ago, either due to federal intervention or internal collapse. Some threat actors have since attempted to raise funds for the admin, claiming they were unaware of the CSAM content. Adding to the chaos, the service’s Telegram channel was recently hijacked, with the attacker publicly branding the admin a "pedo."
Sections of the dark web community—often referred to as “Com” by the media—are in turmoil. Infighting and escalating drama have created a climate of instability. Younger users on forums (redacted) have been aggressively doxxing each other, much to the delight of law enforcement, which is benefitting from the community’s self-destruction.
Meanwhile, the U.S. District Court of Hammond, Indiana, is processing charges against Guan Tianfeng, a China-based threat actor accused of running a sophisticated cybercrime operation. Guan allegedly exploited a zero-day vulnerability in Sophos software to compromise thousands of systems and conduct covert surveillance. He is believed to have operated a front company, Sichuan Silence Information Technology Co. Ltd., which reportedly has ties to the Chinese Communist Party.
Additionally, a major Israeli hotel booking platform, widely regarded as the oldest and largest in its industry, has suffered a significant data breach. This attack is part of an ongoing wave targeting Israeli sites and services since October 8, 2023. With over 20 datasets leaked, the breach offers a wealth of material for open-source intelligence. Data breaches across multiple platforms are occurring at an alarming pace, contributing to a broader cybersecurity crisis.
VULNERABILITY CHAT
Cleo has issued a security advisory addressing an unrestricted file upload and download vulnerability in its software. The company warned that exploitation of the flaw could lead to remote code execution and urged customers to upgrade to the patched version. Max Rogers, from Huntress' threat operations centre, flagged ongoing exploitation in a post on X, noting that some affected systems appeared to be “patched.”
A security flaw has been disclosed in OpenWrt's Attended Sysupgrade (ASU) feature, which could have been abused to distribute malicious firmware packages. RyotaK, who provided a technical analysis of the issue, noted that the vulnerability has existed for some time, though it remains unclear if it was ever exploited in the wild.
Details have also emerged about a security vulnerability in Apple's iOS and macOS that could bypass the Transparency, Consent, and Control (TCC) framework. If exploited, the flaw would allow unauthorised access to sensitive information. Jamf Threat Labs, which discovered the vulnerability, warned that a rogue app installed on a system could leverage this bypass to access sensitive data without the user's knowledge.
Ivanti has alerted customers to a maximum-severity authentication bypass vulnerability in its Cloud Services Appliance (CSA) solution. The company has also patched several medium, high, and critical vulnerabilities across its product suite, including Desktop and Server Management (DSM), Connect Secure and Policy Secure, Sentry, and Patch SDK. However, Ivanti stated in its security advisory that there is no evidence of these vulnerabilities being exploited in the wild.
Meanwhile, cybersecurity experts from JPMorgan Chase have criticised the Common Vulnerability Scoring System (CVSS), arguing that the severity of some vulnerabilities is being underestimated. According to their analysis, around 10% of vulnerabilities may be underrated, with insufficient weight given to privacy concerns when calculating CVSS scores. This, they argue, risks misleading the cybersecurity community about the true impact of certain vulnerabilities.
Two Common Vulnerabilities and Exposures (CVEs) were added to the Cybersecurity & Infrastructure Security Agency's (CISA) 'Known Exploited Vulnerabilities Catalog' last week, including Cleo (Multiple Products). See the full catalog here: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
NIST's National Vulnerability Database (NVD), the U.S. government repository of standards-based vulnerability management data represented using the Security Content Automation Protocol (SCAP), published 1,259 vulnerabilities last week, bringing the 2024 total to 38,618. For more information visit https://nvd.nist.gov/vuln/search/
INFORMATION PRIVACY HEADLINES
A class action lawsuit appeal filed by law firm Mishcon de Reya against Google and DeepMind has been dismissed. The lawsuit alleged that the two companies misused UK patients’ medical records during their collaboration with London’s Royal Free Hospital.
The Information Commissioner's Office (ICO) plans to release new guidance in spring 2025 following a report by consumer group Which?. The report revealed that some air fryers, smart TVs, and smartwatches have been collecting personal data from their owners.
BeReal, the selfie-sharing app recently acquired by French mobile games publisher Voodoo, is facing allegations of violating European data protection regulations. A privacy complaint filed by Noyb accuses the app of using manipulative "dark patterns" to pressure users into consenting to ad tracking, a potential breach of the General Data Protection Regulation (GDPR).
The U.S. Patent Office has published Apple’s patent application titled Temporal Reasoning. The patent outlines a system for generating life events to create a comprehensive mapping of users’ routine and extraordinary activities. This technology aims to enable personalised applications and services in areas such as behaviour analysis, health management, and targeted advertising.
El Salvador’s newly approved cybersecurity and data protection laws have raised concerns from Human Rights Watch. The organisation claims the laws contain provisions that threaten media freedom and privacy rights. Additionally, the Organisation of American States’ special rapporteur for freedom of expression has warned that El Salvador’s “right to be forgotten” laws could undermine freedom of expression.
The Office of the Australian Information Commissioner (OAIC) has released a guide to assessing privacy risks associated with facial recognition technology (FRT) in commercial settings. The guidance distinguishes between facial verification and facial identification and emphasises key principles to ensure compliance with the Privacy Act and the Australian Privacy Principles (APP) when using sensitive information.
DATA CATEGORIES DISCOVERED
Contact Data, Technical Data, Locational Data, Financial Data, Usage Data, Documentary Data, Communications Data, Socio-Demographic Data, Social Relationships Data, Transactional Data.