A total of 20 breaches were found and analysed resulting in 3,005,349 leaked accounts containing a total of 26 different data types. The breaches found publicly and freely available included Dymocks, Dolly, XM, VN Game Forum and Clara Hair. Sign in to view the full BreachAware Breach Index which includes, where available, reference articles relating to each breach.

SPOTLIGHT

A French programming and web development website has recently suffered a data breach. Threat actors gained access to the database and managed to dump a small amount of the user base online. Data types, including hashed BCrypt passwords and more were exposed. The blog covers security techniques such as 2FA, encryption, and hashing. Even though the site hasn’t disclosed that they have been breached, at least their password hashing is up to scratch.

This next breach is probably one of the oldest companies we have covered here at BreachAware. The bookshop, which opened its doors in 1879 in Sydney, Australia, has announced it suffered a data breach a couple of weeks ago. The data is already in circulation for free on various underground forums and channels. The bookshop, which has expanded since 1879, now sells a range of goods such as stationery, games, and puzzles, as well as the usual trinkets found on such sites, such as bags and mugs.

The owner of a dark web forum that was scammed a couple of months ago has been doxed! The Dox happened several days ago on a rival forum. It was fairly large, exposing information such as the threat actor's full name, physical address, and Bulgarian social security number. When we talk about data types such as these on the weekly insight, it's always bad news when members of the public have such datasets exposed online. However, when a threat actor has essentially mugged off a bunch of other threat actors, These data types are definitely going to be used against them, and without a doubt, harassment will follow.

The dark web forum encouraged users to purchase a premium service, and after sufficient funds were accumulated, he was scammed. Information included in the dox also covered previous sites he had run and apparently he had been running dark web markets and exit scamming them since 2014, quite a career. The exit scammer should take his safety seriously if, in the past, he interrupted or stole money from an organised crime gang using a market place he provided things to that could be interesting for him.

VULNERABILITY CHAT

Popular browsers from Google, Mozilla, Microsoft and Brave have issued critical security patches following vulnerability classified as severe by NIST. The vulnerability could allow a threat actor to gain access to or run malicious code on the target computer.

Akamai has discovered a high severity vulnerability in Kubernetes (an open-source container orchestration system for automating software deployment, scaling, and management). A threat actor with 'apply' privileges could inject code to be executed on Windows machines within the Kubernetes cluster with system privileges.

N-Able's (IT Management Solutions Company) Take Control Agent has been patched following the disclosure of a high security flaw that could be exploited by a local unprivileged threat actor to gain system privileges.

A GitHub vulnerability could allow a threat actor to exploit a race condition within GitHub's repository creation and username renaming operations. The flaw could have exposed thousands of repositories at risk of repojacking attacks.

INFORMATION PRIVACY HEADLINES

Ireland's Data Protection Regulator (DPC) has fined TikTok 345 million Euro's after it found TikTok had not been transparent enough with children about its privacy settings, and raised questions about how their data was processed.

Phillips Latombe, a French MEP has gained support from Germany for his two lawsuits filed with the EU Court of Justice, seeking to overturn the most recent edition of the transatlantic data protection agreement between the European Union and the US. The EU has struck down two previous agreements, Safe Harbour and Privacy Shield, for failing to guarantee EU data protections standards in the US.