A total of 36 breaches were found and analysed resulting in 8,839,927 leaked accounts containing a total of 24 different data types. The breaches found publicly and freely available included Alpha Bank, Kredit Plus, Stealer Log 0406, The ACE Card Club and RCZ Bike Shop. Sign in to view the full BreachAware Breach Index which includes, where available, reference articles relating to each breach.

SPOTLIGHT

McDonald’s GitHub repository suffered a breach at the hands of a threat actor known as "The McFlurry Bandit" late last week. The compromised data, posted on a cybercrime forum, exposed McDonald’s Single Sign-On (SSO) service, a critical component utilised by the company for secure authentication.

In another noteworthy development, a member of the notorious cybercrime group Shiny Hunters has been sentenced to three years in prison and ordered to repay five million dollars in damages. Moroccan authorities apprehended the individual after the FBI issued an arrest request in May 2022. The French citizen, a former computer science student, managed to secure a reduced sentence through a plea deal for electronic fraud and aggravated identity theft, avoiding a potential 116-year prison term. Shiny Hunters, responsible for compromising over 60 companies, including Tokopedia, Chatbooks, and the Brazilian partner of Mastercard, has been linked to the theft of 1 million user credentials from the US newspaper StarTribune. The hacker was arrested at the age of 19.

PomPompurin, the former administrator of Breach Forums, was arrested again after violating bond conditions. Released on a $300,000 bond with stringent conditions, including the use of FBI monitoring software on any computer he accesses, PomPompurin allegedly breached these terms by using a computer without the required monitoring. Facing potential imprisonment for up to 30 years, the details of how the FBI discovered the violation remain undisclosed.

VULNERABILITY CHAT

GitLab, a DevOps software package facilitating software development, security, and operations, has released updates to address vulnerabilities, including one stemming from a bug in the email verification process. This vulnerability could be exploited to take over accounts without necessitating user interaction.

Researchers from Gotham Security discovered and reported a high-security vulnerability in ConnectWise Control (formerly ScreenConnect), a self-hosted remote desktop software application. This vulnerability exposes endpoints to potential attacks.

9 Common Vulnerabilities and Exposure (CVEs) were added to the CyberSecurity & Infrastructure Security Agency's (CISA) 'Known Exploited Vulnerabilities Catalog' last week including Joomla!(Joomla!), Apple (Multiple Products) and Microsoft (SharePoint Server). See the full catalog here: https://www.cisa.gov/known-exploited-vulnerabilities-catalog

INFORMATION PRIVACY HEADLINES

Carta, a California-based technology company specialising in capitalisation table management and valuation software, is shutting down part of its business amidst allegations of staff using confidential information to solicit investors in startups, selling their stakes in the secondary market without consent.

Baroness Randerson of the UK's House of Lords addressed concerns about the storage of journey data from automated taxis in relation to the new Automated Vehicles Bill. She emphasised the necessity of Amendment 36, involving the Information Commissioner's Office (ICO) in establishing rules and standards for data handling in this evolving landscape.