A total of 24 breaches were found and analysed resulting in 5,543,572 leaked accounts containing a total of 15 different data types. The breaches found publicly and freely available included Pleer, Foam Store, Clash of Olympus, Ramailo and Jivo. Sign in to view the full BreachAware Breach Index which includes, where available, reference articles relating to each breach.

SPOTLIGHT

In a recent security incident, a luxury pet boarding website based in the United States fell victim to a data breach. Renowned for providing upscale day care and stress-free pet boarding services, the company has earned the distinction of being the premier doggy daycare provider in Louisiana. Regrettably, a substantial SQL database from the company has surfaced on a cybercrime forum. The compromised data encompasses details about the pets involved, including their genetics. Let's hope none of these innocent animals are subject to identity theft, we're sure there are some furries out there who are capable of this.

In another intriguing development, following the seizure of a well-known ransomware gang's dark web site, victim data has emerged. The gang's administrator engaged in a conversation on a Russian hacking forum with a successful competitor in the illicit realm of ransomware. Amidst exchanging pleasantries, the administrators delved into the prospect of forming a ransomware cartel. The rationale behind this initiative is a collective defence against global law enforcement agencies, with one administrator emphasising the need for unity to counter the collaborative efforts of international authorities. This notion of ransomware gangs contemplating unionisation presents a unique and somewhat unexpected perspective on the dynamics within the cybercriminal underworld.

VULNERABILITY CHAT

A security researcher uncovered a new exploit on Twitter that, despite not meeting the criteria for Twitter's bug bounty program, raised significant concerns. The researcher, after being brushed off by Twitter's bug bounty team, publicly disclosed that the exploit allowed for the execution of a payload, potentially facilitating an account takeover for any Twitter account. The incident underscored challenges in the coordination between security researchers and platform operators, with Twitter fixing the bug but withholding credit to the researcher.

MongoDB Atlas issued a warning to users after confirming unauthorised access to systems. United Healthcare reported data exposure resulting from a third-party supplier, Welltok, being affected by a software vulnerability. Additionally, Comcast's xfinity experienced customer data exposure following the exploitation of a known vulnerability previously confirmed by Citrix.

2 Common Vulnerabilities and Exposure (CVEs) were added to the CyberSecurity & Infrastructure Security Agency's (CISA) 'Known Exploited Vulnerabilities Catalog' last week: VioStor NVR OS Command Injection Vulnerability (QNAP) & AE1021, AE1021PE OS Command Injection Vulnerability (FXC). See the full catalog here: https://www.cisa.gov/known-exploited-vulnerabilities-catalog

INFORMATION PRIVACY HEADLINES

A nuanced analysis by Jingyuan Shi of Regulation Asia delves into the confusion surrounding the terminology of China's Personal Information Protection Law (PIPL), particularly concerning data exported outside of China. The analysis raises concerns about PIPL's potential limitations on domestic economic growth in its current form.

Meanwhile, the House Committee on Energy and Commerce in the United States has issued a letter to Shein, seeking more information about its relationship with China and its data privacy protections as the company approaches a US IPO. Similar letters have been dispatched to Temu, TikTok, and Alibaba.