A total of 23 breaches were found and analysed resulting in 1,710,241 leaked accounts containing a total of 23 different data types. The breaches found publicly and freely available included Zarina, Ministero della Giustizia, Reg Me, Stealer - RedLine 0336 and University of La Guajira. Sign in to view the full BreachAware Breach Index which includes, where available, reference articles relating to each breach.

SPOTLIGHT

An industry leader in summer camps focussed on teaching and encouraging kids to get into STEM (science, technology, engineering, and mathematics), experienced a data breach early this year and has seen the data reappearing in circulation for free. The company in question, which started out in 1999 with their very own tech camp for kids and teens, has grown from a very small couple of hundred students per year to now over fifty thousand students a year participating online and in person.

The STEM camp is most certainly aimed at middle class families, however the company still remains quiet on the breached data - even though over 400K unique email addresses complete with plain text passwords make up a section of the database. A range of other data types were also exposed within the data. This breach will have threat actors chomping at the bit because almost every individual is likely to be a high value target.

Startling footage posted by a threat actor group named the “Cyber Av3ngersags," who appeared on a hacking channel several days ago, showing CCTV images inside one of Israel's water infrastructure plants. The short clip shows a couple of different angles of the water refinery, with text appearing on the bottom of the screen: “The worst is yet to come.” The group claims to have access to all sites in Israel and is a stark reminder of the importance of security when infrastructure like this is susceptible to attack.

While we’re on the subject of the Middle East, another group, this time affiliated with Israel, has released images of its attack on an Iranian steel company. The images show a busy factory floor with large machinery in use, whilst the second image situated in the same place, shows the machinery on fire. It’s extremely unsettling that a factory thousands of miles away from a command and control centre can be hijacked and perilously set on fire.

1,710,241 leaked accounts were analysed by the BreachAware® Research Team last week.

VULNERABILITY CHAT

For October, Microsoft has reportedly addressed 103 flaws (13 critical and 90 important severity) for its Patch Tuesday update. Microsoft has also announced that Visual Basic Script is being deprecated, adding "in future releases of Windows, VBScript will be available as a feature on demand before its removal from the operating system."

Following viral reports alleging a Signal zero day vulnerability, Signal (the encrypted messaging service) have released a Public Service Announcement on X stating "we have no evidence that suggests this vulnerability is real nor has any additional info been shared via our official reporting channels."

5 Common Vulnerabilities and Exposures (CVEs) were added to the CyberSecurity & Infrastructure Security Agency's (CISA) 'Known Exploited Vulnerabilities Catalog' last week including WordPad and Skype for Business (Microsoft), IOS and IOS XE (Cisco) and Acrobat and Reader (Adobe).

See the full catalog here: https://www.cisa.gov/known-exploited-vulnerabilities-catalog

INFORMATION PRIVACY HEADLINES

Sony Pictures Entertainment has agreed to settle a class action lawsuit for $16 million. The suit accused its Crunchyroll (anime and manga streaming) service of illegally violating users privacy by disclosing subscribers personally identifiable information to Meta's Facebook among others without consent.

Yandex, the search engine and web portal (Russian multinational technology company) is in discussions with the Dutch Data Protection Agency to prove its taxi app Yango, is not breaking European data transfer regulations nor does it threaten any fundamental rights or liberties of European users.