Insurance company being sued for violating privacy of 45 million Americans.
20 January 2025
A total of 36 breaches were found and analysed, resulting in 9,251,596 leaked accounts containing a total of 37 different data types. The breaches found publicly and freely available included Guardian Industries, Ptt HGS, PPL Electric Utilities, Emias and Excellanto. Sign in to view the full BreachAware Breach Index, which includes, where available, reference articles relating to each breach.
SPOTLIGHT
Allstate, the American car insurance giant, and Arity, a U.S.-based tech company specialising in mobility data solutions, have found themselves at the centre of controversy. Texas Attorney General Ken Paxton is suing the two companies for allegedly spying on 45 million Americans through three popular apps: Life360, Routely, and GasBuddy.
Life360 is a family location-sharing app, GasBuddy helps users find the cheapest fuel prices, and Routely tracks driving habits to provide feedback—a virtual backseat driver, if you will. According to the lawsuit, Allstate paid Arity millions of dollars to embed tracking code in these apps, collecting data from users’ phones every 15 seconds. This data reportedly included precise geolocation, accelerometer, and gyroscopic information.
The purpose of this data collection? To create detailed driving profiles and ostensibly optimise users’ insurance policies. However, the tracking code lacked the ability to distinguish between drivers and passengers, leading to potential inaccuracies. Imagine an Uber passenger’s premium being impacted by a renegade driver breaking traffic laws—that’s the kind of issue this technology reportedly caused.
The allegations don’t stop there. After collecting this data, Allstate allegedly resold it to other insurers. According to Attorney General Paxton, this conduct violated the Texas Data Privacy and Security Act (TDPSA), which mandates clear notice and informed consent before collecting or selling sensitive data like precise geolocation.
“Allstate never provided notice or obtained Texans’ consent to collect or sell their sensitive data,” Paxton said in a statement.
VULNERABILITY CHAT
Security researchers have identified a side-channel vulnerability in YubiKey two-factor authentication tokens, potentially enabling attackers to clone the devices. Yubico has rated the vulnerability's severity as "moderate," citing its challenging exploitation due to the dual-layered security model of something users possess and know. However, the unmodifiable firmware of YubiKey devices means all YubiKey 5 versions prior to 5.7 will remain permanently vulnerable.
Truffle Security researchers have uncovered a flaw in Google’s OAuth "Sign in with Google" feature. The vulnerability exposes sensitive information when linked to abandoned domains, potentially leaving businesses that have ceased operations susceptible to data breaches.
Google security researchers have disclosed critical vulnerabilities in the Ubuntu rsync package, affecting both server and client components. Left unpatched, these flaws can lead to remote code execution. Furthermore, vulnerabilities in the client enable malicious servers to access files, create unsafe symlinks, and potentially overwrite files.
SynACKTIV researchers have released a proof-of-concept (PoC) for a vulnerability in Microsoft Configuration Manager (ConfigMgr). The exploit allows attackers to execute arbitrary SQL queries on the ConfigMgr database with sysadmin privileges, further enabling remote code execution (RCE) by activating the `xp_cmdshell` procedure.
ESET researchers have discovered a vulnerability that bypasses UEFI Secure Boot, impacting most UEFI-based systems. This flaw stems from using a custom PE loader instead of the standard UEFI functions. Consequently, any UEFI binary, including unsigned files, can be loaded during system start, regardless of the Secure Boot state.
HPE Aruba Network products, including AOS Controllers, Gateways, and Mobility Conductor, have been found vulnerable to multiple issues. These flaws affect various ArubaOS versions, enabling attackers to execute arbitrary code and commands remotely.
7 Common Vulnerabilities and Exposures (CVEs) were added to the Cybersecurity & Infrastructure Security Agency's (CISA) 'Known Exploited Vulnerabilities Catalog' last week, including Aviatrix (Controllers). See the full catalog here: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
NIST's National Vulnerability Database (NVD), the U.S. government repository of standards-based vulnerability management data represented using the Security Content Automation Protocol (SCAP), published 1,283 vulnerabilities last week, making the 2025 total 2,708. For more information visit https://nvd.nist.gov/vuln/search/
INFORMATION PRIVACY HEADLINES
Noyb, a privacy-focused advocacy group, has filed a complaint against six Chinese companies, alleging they unlawfully transferred EU user data to China. Named in the complaint are TikTok, Shein, Xiaomi, AliExpress, Temu, and Tencent's WeChat. Noyb states that while some companies admitted to sending data to China, others disclosed transfers to unspecified "third countries," likely China.
As RedNote gains traction among Americans seeking alternatives to TikTok, cybersecurity expert Adrianus Warmenhoven from NordVPN has raised concerns: “RedNote might seem like a quick fix for TikTok fans ahead of its potential US ban, but it comes with serious cybersecurity and privacy risks."
The European Parliament's Committee on Civil Liberties, Justice and Home Affairs (LIBE) has endorsed Bruno Gencarelli as the European Data Protection Supervisor (EDPS) for a five-year term. Gencarelli will oversee the EU institutions’ compliance with data protection regulations, playing a pivotal role in shaping privacy standards across the region.
Cognosphere, the distributor of Genshin Impact, has responded to allegations by the FTC that it violated children’s privacy laws and misled users about the costs of rare loot box prizes. While disputing the claims as "inaccurate," the company has agreed to a $20 million settlement, affirming its "commitment to transparency for our players."
General Motors has agreed to a settlement with the US Federal Trade Commission (FTC), barring it for five years from sharing sensitive geolocation and driving behaviour data with consumer reporting agencies. This follows allegations that GM’s OnStar and discontinued Smart Driver programs collected and sold such data without explicit user consent.
In one of his final acts as President, Joe Biden has signed an executive order aimed at enhancing national cybersecurity. The order encourages federal grant agencies to support state development of mobile driver’s licenses (mDLs), stipulating that the credentials must prevent surveillance or tracking of user interactions.
DATA CATEGORIES DISCOVERED
Contact Data, Socio-Demographic Data, Technical Data, National Identifiers, Social Relationships Data, Financial Data, Transactional Data, Locational Data, Usage Data, Communications Data, Special Category, Documentary Data.