Weekly Summary

SPOTLIGHT, VULNERABILITY CHAT & PRIVACY HEADLINES

9,841,487 leaked accounts discovered by the BreachAware® Research Team last week.

01 April 2024

A total of 35 breaches were found and analysed, resulting in 9,841,487 leaked accounts containing a total of 24 different data types. The breaches found publicly and freely available included Stealer Log 0442, Kral Bros Garage, Stealer Log 0444, Stealer Log 0446 and DataCamp. Sign in to view the full BreachAware Breach Index which includes, where available, reference articles relating to each breach.

SPOTLIGHT

The Biden Administration's initiative, the U.S. Cyber Trust Mark, aimed at enhancing the security of common IoT devices, has reached its final ruling and is set to come into effect. This policy, proposed by the Federal Communications Commission, seeks to provide consumers with more information when purchasing IoT devices, excluding smartphones, computers, and internet-enabled medical equipment. While this move is welcomed by the industry, concerns persist about the prevalence of insecure IoT devices in the market.

Kali Linux, a popular operating system among cybersecurity professionals, issued a concerning statement on Twitter regarding a backdoor discovered in the xz package versions 5.6.0 to 5.6.1. Users who updated their Kali installations between March 26th and March 29th are urged to apply the latest updates immediately.

A US company specialising in coding education and AI training faced a security breach, affecting 2,500 companies and potentially compromising sensitive data. The company serves as a platform for individuals and businesses to enhance their coding skills and partners with well-known organisations.

VULNERABILITY CHAT

The State of WordPress Security whitepaper by Patchstack has highlighted an increase in high and critical severity vulnerabilities, with cross-site scripting (XSS) being the most common. Additionally, security researchers uncovered a vulnerability in Saflok hotel guest room door locks, allowing hackers to create master keycards using RFID read-write devices.

Four Common Vulnerabilities and Exposures (CVEs) were added to the Cybersecurity and Infrastructure Security Agency's (CISA) 'Known Exploited Vulnerabilities Catalog' last week, including Nice (Linear eMerge E3-Series) and Ivanti (Endpoint Manager Cloud Service Appliance (EPM CSA)). See the full catalog here: https://www.cisa.gov/known-exploited-vulnerabilities-catalog

NIST's National Vulnerability Database (NVD), the U.S. government repository of standards-based vulnerability management data represented using the Security Content Automation Protocol (SCAP), published 994 vulnerabilities last week, making the 2024 total 8,722. For more information visit https://nvd.nist.gov/vuln/search/

INFORMATION PRIVACY HEADLINES

Temu, a Chinese e-commerce giant, is offering cash incentives to users who sign up and share their personal data for promotional purposes. Users must agree to let Temu use and publish their "photo, name, likeness, voice, opinions, statements, biographical information, and/or hometown and state for promotional or advertising purposes in any media worldwide". The company also stresses that users will not be notified in advance of their data being used.

An investigation has found that the European Union breached data protection rules through its use of Microsoft 365. “The Commission did not sufficiently specify what types of personal data are to be collected and for which explicit and specified purposes when using Microsoft 365,” the data supervisor, Wojciech Wiewiorowski, wrote.

DATA CATEGORIES DISCOVERED

Technical Data, Contact Data, Financial Data, Transactional Data, Socio-Demographic Data, National Identifiers, Locational Data, Usage Data, Documentary Data, Social Relationships Data.
