Weekly Summary

SPOTLIGHT, VULNERABILITY CHAT & PRIVACY HEADLINES

6,573,110 leaked accounts discovered by the BreachAware® Research Team last week.

06 May 2024

A total of 19 breaches were found and analysed resulting in 6,573,110 leaked accounts containing a total of 22 different data types. The breaches found publicly and freely available included Rendez-Vous, Stealer Log 0454, boAt Lifestyle, Expandia and Intergroup Gold. Sign in to view the full BreachAware Breach Index which includes, where available, reference articles relating to each breach.

SPOTLIGHT

A major cyber attack has targeted a prominent French clothing retailer, resulting in the release of their entire user database online for free. Established over a decade ago by influential figures in the fashion industry, the company originated in Toulouse, France, and has since gained widespread popularity. However, recent events have exposed millions of unique email addresses and various data types through an online database.

Meanwhile, a reputable audio consumer electronics supplier based in the USA, operating since the mid-90s, faced a significant security breach when a large SQL file from their website's backend surfaced on a dark web forum. Despite being a smaller independent supplier, the company's compromised data has begun circulating on dubious platforms.

In response to growing cybersecurity concerns, the United Kingdom has enacted new legislation aimed at the widespread use of weak default passwords. The law requires manufacturers of internet-connected consumer devices, including mobile phones and IoT products, to stop shipping with universal default passwords such as "admin" or "123456"; every device must instead meet minimum security standards to improve consumer protection. The legislation acknowledges the large number of consumers, particularly those without technical expertise, who unknowingly run IoT devices with factory-default credentials throughout their homes. The government's initiative is a positive step towards removing an easily avoidable security risk.

Additionally, cyber security researchers have exposed a malware campaign, dubbed GuptiMiner, that hijacked the update mechanism of an Indian antivirus product to deliver malicious code to its users. Under the cover of a legitimate antivirus update, GuptiMiner infiltrates corporate networks by distributing backdoors and also installs crypto-mining software on victims' computers. Once installed, it goes on to scan the compromised systems for crypto wallets and stored private keys.

VULNERABILITY CHAT

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have jointly issued a new security alert urging software developers to prioritise eliminating path traversal vulnerabilities from their products. Path traversal, also known as directory traversal or directory climbing, lets a threat actor read or write files outside the directory the application intended to expose, typically by supplying sequences such as "../" (or encoded forms of them) in a file name or path parameter, and thereby reach sensitive files such as configuration, credentials or source code.

This vulnerability typically arises in web applications or systems that build file paths from user input without canonicalising the result and checking that it still lies inside the intended directory. Despite being a well-documented weakness (CWE-22) with effective mitigations available for more than two decades, path traversal remains a persistent class of defect in shipped software.

Microsoft recently uncovered a pattern of path traversal vulnerabilities in multiple popular Android applications. The affected apps accept files from other apps and trust the file name the sending app supplies, so a malicious application can embed "../" sequences in that name and overwrite files in the vulnerable application's private data directory. Depending on which file is overwritten, the consequences include arbitrary code execution (for example by replacing a native library the app loads) and token theft (by redirecting the app's stored credentials to attacker-readable storage). Arbitrary code execution gives the threat actor full control over the application's behaviour, while token theft gives access to user accounts and sensitive data.
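The two paragraphs above describe the same defect from the read side (a web handler serving a file named by the client) and the write side (an Android app saving a file under a name chosen by another app). The example below is added here to make the mitigation concrete; it is not code from CISA, Microsoft or any of the vendors mentioned. It shows a deliberately vulnerable file-serving routine beside a hardened version that percent-decodes the input, rejects NUL bytes and absolute paths, canonicalises with realpath (so both ".." segments and symlinks are resolved) and then checks the result component-wise against the document root. All file and directory names are constructed for the demo, and the fixture assumes a POSIX filesystem that supports symlinks.

```python
"""Path traversal (CWE-22): vulnerable file serving beside a hardened version.

Added illustration; not the code of any product mentioned on this page.
"""
import os
import tempfile
import urllib.parse


def serve_file_vulnerable(base_dir: str, user_path: str) -> bytes:
    """Concatenate client input straight into the path. Directory climbing
    with "../", symlinks and absolute paths all pass unchallenged."""
    with open(os.path.join(base_dir, user_path), "rb") as f:
        return f.read()


def resolve_safely(base_dir: str, user_path: str):
    """Return the canonical path for user_path if it stays inside base_dir,
    otherwise None.

    Order matters: decode first so "..%2F" is seen as "../", then refuse
    NUL bytes (they truncate paths in C file APIs) and absolute paths
    (os.path.join silently discards base_dir for those), then canonicalise
    and compare path components rather than raw string prefixes.
    """
    decoded = urllib.parse.unquote(user_path)
    if "\x00" in decoded or os.path.isabs(decoded):
        return None
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, decoded))
    try:
        inside = os.path.commonpath([base, candidate]) == base
    except ValueError:  # different drives on Windows: cannot be inside
        inside = False
    return candidate if inside else None


def serve_file_hardened(base_dir: str, user_path: str) -> bytes:
    path = resolve_safely(base_dir, user_path)
    if path is None:
        raise PermissionError(f"path escapes document root: {user_path!r}")
    with open(path, "rb") as f:
        return f.read()


def build_fixture() -> str:
    """Constructed test tree: <root>/public/hello.txt is the only file meant
    to be served; <root>/secret.txt sits outside the web root, and
    <root>/public/link.txt is a symlink pointing at the secret."""
    root = tempfile.mkdtemp()
    public = os.path.join(root, "public")
    os.mkdir(public)
    with open(os.path.join(public, "hello.txt"), "w") as f:
        f.write("hello")
    with open(os.path.join(root, "secret.txt"), "w") as f:
        f.write("SECRET")
    os.symlink(os.path.join(root, "secret.txt"), os.path.join(public, "link.txt"))
    return public


def run_demo() -> dict:
    """Feed the same constructed payloads to both handlers and collect
    (vulnerable_result, hardened_result) per payload."""
    public = build_fixture()
    payloads = ["hello.txt", "../secret.txt", "..%2Fsecret.txt", "link.txt"]
    results = {}
    for p in payloads:
        try:
            vuln = serve_file_vulnerable(public, p).decode()
        except OSError:
            vuln = "<error>"
        try:
            hard = serve_file_hardened(public, p).decode()
        except PermissionError:
            hard = "<blocked>"
        except OSError:
            hard = "<error>"
        results[p] = (vuln, hard)
    return results


if __name__ == "__main__":
    for payload, (vuln, hard) in run_demo().items():
        print(f"{payload!r:20} vulnerable={vuln!r:10} hardened={hard!r}")
```

The "link.txt" case is the one a naive string-prefix check misses: the requested name contains no ".." at all, yet the file it opens lives outside the root, which is why the check is done on the realpath-resolved result. On the Android write side the same routine applies unchanged: pass the app's private directory as base_dir and the filename supplied by the sending app as user_path, and refuse the write when it returns None.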

Furthermore, Oversecured, a company specialising in mobile app security scanning, has identified more than two dozen vulnerabilities in Android apps from smartphone manufacturer Xiaomi and Google's Android Open Source Project (AOSP) over the past few years.

2 Common Vulnerabilities and Exposures (CVEs) were added to the Cybersecurity and Infrastructure Security Agency's (CISA) Known Exploited Vulnerabilities Catalog last week, including one affecting GitLab CE/EE. See the full catalog here: https://www.cisa.gov/known-exploited-vulnerabilities-catalog

NIST's National Vulnerability Database (NVD), the U.S. government repository of standards-based vulnerability management data represented using the Security Content Automation Protocol (SCAP), published 1,731 vulnerabilities last week, bringing the 2024 total to 13,959. For more information visit https://nvd.nist.gov/vuln/search/

INFORMATION PRIVACY HEADLINES

According to DataGrail's 2024 Privacy Trends Report, Data Subject Requests (DSRs), which are formal requests made by individuals to access, delete, or opt out of the sale or sharing of their personal data held by a company, saw a significant increase of 32% from 2022 to 2023. As a result, businesses are now allocating 36% more resources to meet this surge in requests. The manual processing of DSRs is estimated to have cost businesses over $881,000 per year per million requests in 2023, compared to $648,000 in 2022.

Meanwhile, the Australian privacy commissioner has issued a warning highlighting the vulnerability of third-party suppliers in safeguarding customer privacy. This caution follows a recent data breach where the personal details of Australian users were compromised due to a leak of supplier data held by clubs in New South Wales (NSW) and the Australian Capital Territory (ACT). Over 1 million individuals had their information, including names, addresses, and driver's license details, exposed after data collected by IT provider Outabox was leaked online. Outabox's clientele included numerous clubs in NSW, including the well-known hospitality company Merivale.

DATA CATEGORIES DISCOVERED

Contact Data, Technical Data, Socio-Demographic Data, Transactional Data, Financial Data, Communications Data, Locational Data, Usage Data, Documentary Data.
