Weekly Summary

SPOTLIGHT, VULNERABILITY CHAT & PRIVACY HEADLINES
Supplement Breach Exposure Monitoring

Health supplement maker failed to alert their three million customers of the breach.

19 August 2024
BREACHAWARE HQ

A total of 31 breaches were found and analysed resulting in 8,514,163 leaked accounts containing a total of 24 different data types. The breaches found publicly and freely available included Piping Rock, Locally, Havenly, Bodog and Ragazzo Delivery. Sign in to view the full BreachAware Breach Index which includes, where available, reference articles relating to each breach.

SPOTLIGHT

A large American health supplement manufacturer, which also operates an online store, experienced a data breach several months ago. The threat actor responsible for exfiltrating the data claimed that "the management suddenly just stopped in the middle of negotiations," leaving them no choice but to sell the data on the dark web. Despite this, the company failed to notify its three million customers of the breach. Customer reviews suggest that many realised their data had been compromised after receiving phishing emails disguised to look like they were from the company. The company’s reputation has suffered greatly due to its lack of transparency. When questioned, the supplement manufacturer could not confirm whether the breach was legitimate.

In the biggest prisoner exchange between the U.S. and Russia since the Cold War, the U.S. swapped eight prisoners in exchange for 16. Among the eight were two notorious cybercriminals. One of them, Roman Seleznev, was arrested and sentenced in 2017 to 27 years in prison. Seleznev had built a lucrative career by hacking into retail payment systems, infecting them with malware, and collecting vast amounts of credit card data. He then sold the stolen data on carding marketplaces he operated. Seleznev was arrested in 2015 while on holiday in the Maldives, a country that doesn’t typically allow U.S. extradition.

The second cybercriminal, Vladislav Klyushin, was sentenced to nine years in prison just last year for his role in an insider trading scheme. Klyushin hacked into accounting firms used by large corporations to access confidential earnings reports, which he then used to make stock trades before the companies released their earnings. By the time he was sentenced, Klyushin had amassed a net worth of $34 million. He also ran a cybersecurity pen-testing company that worked with the Russian government.

VULNERABILITY CHAT

Security firm iVerify has published a blog detailing its report on a vulnerability affecting a significant percentage of Pixel phones shipped since 2017. This vulnerability makes the devices "susceptible to man-in-the-middle (MITM) attacks," potentially allowing cybercriminals to inject malicious code and spyware.

Microsoft has disclosed 90 flaws in its products, with six already being exploited and four others publicly known. Among these is a severe zero-click, wormable remote code execution vulnerability in Windows that can be exploited using IPv6 packets without any need for authentication. This vulnerability is particularly concerning, receiving a 9.8 out of 10 on the CVSS severity scale.

SolarWinds has issued patches to fix a critical security vulnerability in its Web Help Desk software. This vulnerability, identified as a Java deserialisation remote code execution flaw, could allow attackers to execute arbitrary commands on the host machine. SolarWinds provided this information in a recent advisory.

Adobe has released patches for at least 72 security vulnerabilities across multiple products. These vulnerabilities put Windows and macOS users at risk of code execution, memory leaks, and denial-of-service attacks.

A newly discovered attack vector in GitHub Actions artefacts, named ArtiPACKED, could be exploited to take over repositories and gain access to organisations' cloud environments. Palo Alto Networks Unit 42 researcher Yaron Avital reported that a combination of misconfigurations and security flaws can cause artefacts to leak tokens, including those for third-party cloud services and GitHub, making them accessible to anyone with read access to the repository.
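As an added example (not code from the page, from Unit 42 or from GitHub), a defensive check a repository owner can run over a downloaded artefact zip to confirm it does not carry a GitHub token, either as plain text in a build log or inside the base64 `AUTHORIZATION: basic` extraheader that actions/checkout persists in `.git/config`. The token prefixes and the 36-character length are assumptions about classic GitHub token formats, and the sample artefact is constructed.

```python
import base64
import binascii
import io
import re
import zipfile

# Classic GitHub token prefixes: personal, OAuth, user-to-server, server-to-server, refresh.
# Assumption: a classic token is the prefix followed by 36 alphanumeric characters.
GITHUB_TOKEN_RE = re.compile(r"\b(?:ghp|gho|ghu|ghs|ghr)_[A-Za-z0-9]{36}\b")
# actions/checkout persists the job token as a base64 "basic" extraheader in .git/config,
# so a checked-out tree that is uploaded as an artefact carries the credential with it.
EXTRAHEADER_RE = re.compile(r"AUTHORIZATION:\s*basic\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def redact(secret: str) -> str:
    """Keep only the prefix so a finding never re-leaks the credential it reports."""
    return secret[:8] + "..."


def scan_artifact(zip_bytes: bytes) -> list[dict]:
    """Return one finding per credential found inside a GitHub Actions artefact zip."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            text = zf.read(info).decode("utf-8", errors="ignore")
            for m in GITHUB_TOKEN_RE.finditer(text):
                findings.append({"file": info.filename, "kind": "github_token",
                                 "token": redact(m.group(0))})
            for m in EXTRAHEADER_RE.finditer(text):
                try:  # header value decodes to "x-access-token:<token>"
                    decoded = base64.b64decode(m.group(1)).decode("utf-8", "ignore")
                except binascii.Error:
                    continue
                hit = GITHUB_TOKEN_RE.search(decoded)
                if hit:
                    findings.append({"file": info.filename, "kind": "git_extraheader",
                                     "token": redact(hit.group(0))})
    return findings


def build_sample_artifact() -> bytes:
    """Constructed artefact: a build log with a stray token plus a .git/config left by checkout."""
    token = "ghs_" + "A" * 36  # constructed placeholder, not a real token
    basic = base64.b64encode(f"x-access-token:{token}".encode()).decode()
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("build.log", f"upload using {token}\n")
        zf.writestr("repo/.git/config",
                    f'[http "https://github.com/"]\n\textraheader = AUTHORIZATION: basic {basic}\n')
        zf.writestr("clean.txt", "nothing sensitive here\n")
    return buf.getvalue()
```

Running `scan_artifact(build_sample_artifact())` reports two findings, one per leaking file, with the token value redacted.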

Meanwhile, GitHub has launched Copilot Autofix, an AI-powered tool designed to identify and remediate software vulnerabilities. During beta testing, GitHub reported that Copilot Autofix reduced the median time to fix vulnerabilities from 90 minutes with manual fixes to just 28 minutes using this AI tool.

Seven Common Vulnerabilities and Exposures (CVEs) were added to the Cybersecurity & Infrastructure Security Agency's (CISA) Known Exploited Vulnerabilities Catalog last week, including one affecting Microsoft Project. See the full catalog here: https://www.cisa.gov/known-exploited-vulnerabilities-catalog

NIST's National Vulnerability Database (NVD), the U.S. government repository of standards-based vulnerability management data represented using the Security Content Automation Protocol (SCAP), published 896 vulnerabilities last week, bringing the 2024 total to 25,310. For more information visit https://nvd.nist.gov/vuln/search/

INFORMATION PRIVACY HEADLINES

The City of Muncie is notifying hundreds of employees about a data breach that exposed their personal information, including W2 documents. In a letter dated August 8, Mayor Dan Ridenour informed city workers of a "data privacy incident" that occurred on July 12. According to the letter, "We discovered that certain W2 documents had been inadvertently emailed to an unintended recipient due to a sophisticated social engineering scheme. As a result, your W2 information may have been subject to unauthorised access."

Carriers indemnifying Illinois biometric information privacy lawsuits may see reduced settlement amounts following a recent change in state law. On August 2, Governor J.B. Pritzker signed Senate Bill 2979 into law, which took effect immediately. Previously, under the Biometric Information Privacy Act (BIPA), each violation was considered separately, allowing plaintiffs to seek damages for every instance their personal information was disclosed. However, the new legislation changes this approach, limiting plaintiffs to a single recovery for multiple violations by the same entity, treating each instance as part of a single violation, according to a report from AM Best.

State attorneys general from New York, Connecticut, and New Jersey have issued a $4.5 million penalty to Enzo Biochem, Inc. following a 2023 ransomware attack that exposed vulnerabilities in its health data security. According to the AG offices, Enzo, a provider of diagnostic testing, failed to adequately protect patient information, making it susceptible to the attack. Alleged deficiencies in Enzo’s data security included the use of shared employee login credentials, a lack of multi-factor authentication (MFA), failure to encrypt sensitive patient information, insufficient monitoring of user activity on its network, and the absence of risk management analyses and security testing.

In Germany, researchers achieved a significant milestone in quantum communication, marking a major step toward a secure quantum internet. The experiment was led by Professor Fei Ding from Leibniz University of Hannover, Professor Stefan Kück from the Physikalisch-Technische Bundesanstalt (PTB), and Professor Peter Michler from the University of Stuttgart, along with their team of researchers. At the heart of the experiment are semiconductor quantum dots (QDs), often referred to as "artificial atoms." These tiny structures hold great promise in the quantum realm, particularly in quantum information technologies. The researchers successfully achieved positive secret key rates (SKRs) over distances of up to 144 kilometres, corresponding to a 28.11 dB loss in a controlled laboratory setting.


DATA CATEGORIES DISCOVERED

Technical Data, Socio-Demographic Data, Contact Data, Financial Data, Special Category, Locational Data, Transactional Data, Social Relationships Data.
