A total of 20 breaches were found and analysed resulting in 5,576,986 leaked accounts containing a total of 20 different data types. The breaches found publicly and freely available included JPoint, Rina Orc, Blogigo, Tolgel88 and Stealer Log 0412. Sign in to view the full BreachAware Breach Index which includes, where available, reference articles relating to each breach.

SPOTLIGHT

A prominent luxury clothing company based in Hong Kong fell victim to a massive data breach. Despite being only four years old, the company gained popularity through extensive advertising on social media platforms like TikTok. Threat actors exploited a bug in the company's API, leading to the exposure of individuals' personal information, including typical data found on shopping sites.

A widely sought-after business-to-business (B2B) lead database, previously breached a couple of years ago, has resurfaced online. This database, used by over 18,000 companies across 63 countries and headquartered in the USA, contains over 18 million unique email addresses and various data types, including physical attributes. The data, once touted as a unique selling proposition (USP), is now freely available on multiple platforms.

The global internet police encountered embarrassment as a small number of employee names, email addresses, and a portal login were leaked on a popular cybercrime forum. The source of the portal login breach is unknown, but unauthorised access was confirmed. The leaked information pertained to users based in Argentina.

In Georgia, authorities are grappling with the accidental release of a 30-year-old murder suspect. The incident follows reported cyberattacks that disrupted normal communications and affected county phones, courts, and tax systems. The release of the murder suspect raises questions about the potential impact of the cyber attack on the county's systems.

VULNERABILITY CHAT

Security researchers demonstrated a software supply-chain attack that could have allowed them to backdoor the codebase of Bazel, an open-source tool developed by Google for automating software building and testing. The attack exploited vulnerabilities in a custom GitHub Action used by the project in its workflows, emphasising the potential security risks inherited from third-party dependencies.

Snyk discovered a vulnerability in all versions of runc <=1.1.11, used by containerisation technologies like Docker and Kubernetes. Exploitation of this vulnerability could result in container escape to the underlying host OS. Snyk recommends immediate action following the runc advisory to mitigate this security risk.

2 Common Vulnerabilities and Exposure (CVEs) were added to the CyberSecurity & Infrastructure Security Agency's (CISA) 'Known Exploited Vulnerabilities Catalog' last week including Ivanti (Connect Secure, Policy Secure, and Neurons). See the full catalog here: https://www.cisa.gov/known-exploited-vulnerabilities-catalog

INFORMATION PRIVACY HEADLINES

The UK government is proposing amendments to the Investigatory Powers Act (IPA) 2016, drawing concern from Apple. In a statement, Apple expressed deep concern that the proposed amendments could jeopardise users' privacy and security. The existing Act, known as a "snoopers charter," has faced criticism, and Apple has previously opposed proposals to broaden its scope.

Publishers are expressing dissatisfaction with Google's handling of the impending death of third-party cookies in Chrome. The Privacy Sandbox, Google's alternative, has left publishers feeling excluded from the conversation. The focus is particularly on the Protected Audiences API, crucial for retargeting without relying on cookies.