Weekly Summary

SPOTLIGHT, VULNERABILITY CHAT & PRIVACY HEADLINES

128,269,951 leaked accounts discovered by the BreachAware® Research Team last week.

10 July 2023

A total of 41 breaches were found and analysed, resulting in 128,269,951 leaked accounts containing a total of 26 different data types. The breaches found publicly and freely available included Canva [2], Truth Finder, Boat Owners Database - USA, Coin Gecko and Gelbeseiten. Sign in to view the full BreachAware Breach Index, which includes, where available, reference articles relating to each breach.

SPOTLIGHT

A legal funding company based in the US that promises fast, honest funding with no surprises has unfortunately been targeted by threat actors and suffered a data breach. The company has been running for the past 8 years and has some amazing reviews along the bottom of the page. Either they are really good or these gushing reviews are more like something you find in a field full of cows. A large number of datasets were among the data, including property information about each individual.

There’s a leaked database that's consistent with people who have traded on a Forex trading platform (foreign exchange market). Either there’s a third party out there collecting information on who has recently deposited or someone has created this manually by consolidating multiple databases together. Either way, I would want to know if I was in there. Among several datasets, the unique email addresses were in the millions, making this a nice, tasty download for a threat actor on a Friday.

The Bank of India suffered a data breach when a cyber gang broke into their secure systems and stole a range of data. They then dumped it on an up-and-coming underground forum; either they only exfiltrated a small amount of the data or they chose to share a small amount for now. That's because the breach itself is very small in terms of actual credentials, but as a wise man once said, a breach is a breach! Pictures of employees along with employee data, such as physical addresses and full names, are just a small portion of what was found while analysing the data.

Sticking with South Asia, an Indian delivery company that specialises in parcel delivery from overseas has been breached. When signing up with the company, you are assigned your own international address, for instance, in the US, to which you can deliver US products (via Amazon, etc.) and then the company will ship them back to India. This type of breach could easily cause supply chain issues for individuals importing US goods into India. The usual data types apply, as well as over ten thousand unique email addresses.

VULNERABILITY CHAT

Mastodon, the decentralised social network with over 14 million users across 20,000 instances, has released a security update to fix critical vulnerabilities that could expose millions of users to potential attacks. The flaw centres on the media attachments feature, which could be used to create and overwrite files in any location the software could access on the instance.

Medtronic has released an update for a vulnerability that could be exploited to steal, delete or modify cardiac device data or to gain network access. Meanwhile, Cisco has advised that customers should disable ACI multi-site encryption while a fix is found for the Nexus 900 series switch vulnerability.

Whilst no active exploitation has been discovered yet, attackers could leverage the new StackRot vulnerability in the Linux kernel to facilitate privilege escalation on targeted hosts. Linux kernel versions 6.1 to 6.4 are affected; the flaw has been addressed in versions 6.1.37 and 6.4.1, released this month.

INFORMATION PRIVACY HEADLINES

It seems the popularity of Meta's Threads has been halted in the EU, where privacy concerns have put its release on pause (supposedly Threads hasn't been actively blocked by Ireland's Data Protection Commission (DPC) yet). If you didn't know, like with Facebook and Messenger, you can't reverse a Threads account without also deleting Instagram.

The Swedish Authority for Privacy Protection (IMY) issued fines against two companies using Google's analytics tool and issued warnings to other companies, due to the risks posed by US government surveillance.

DATA CATEGORIES DISCOVERED

Contact Data, Financial Data, Socio-Demographic Data, Technical Data, Special Category, Behavioural Data, Usage Data, Documentary Data, Locational Data.
