A total of 30 breaches were found and analysed resulting in 2,590,682 leaked accounts containing a total of 22 different data types. The breaches found publicly and freely available included Vita Express, Top Say, JD Group, Astron Game Club and Day Without Turnstiles. Sign in to view the full BreachAware Breach Index which includes, where available, reference articles relating to each breach.

SPOTLIGHT

Data from an insurance company that you’ve probably never heard of has hit the web. After analysing the data, it seems to be slightly incomplete, but incomplete doesn't mean small - millions of unique email addresses are exposed, along with a staggering array of data types including financial investments, family structure and education levels. The full data breach is being offered for sale, however the free copy floating around the darker parts of the internet will be ideal for script kids and security researchers.

A leading platform for trusted crypto products and security information has recently been hit with a data breach. The site was founded in 2017 in New York by crypto enthusiasts, early mining adopters and investors. The company talks about their "crypto security obsession" with some big client names stuck on the bottom of the page. Users of the site should be on the lookout for targeted phishing campaigns because, more than likely, if a person is exposed in the data, they’ve purchased a crypto hardware wallet for an investor, meaning they’ve got cash assets to steal.

A new hacking forum that has hit the underground community has been hacked by a rival forum. The forum was up for several days until users logged in and saw a fake seizure notice with the name of the official forum plastered at the top of the page. The admin managed to sort out the issue and the forum is now back on track. However, an SQL file has been dumped online and is now being shared on the actual forum, yes the one that was hacked!

VULNERABILITY CHAT

Admins running hidden services (websites that run on the Tor network) have some worrying news. Recently, a number of threat actors have been posting the real IP addresses of hidden services online. The whole point of Tor network is meant to anonymise users and websites. But either a bug or bad configuration is leading to these IP leaks. For example BBC has a site on Tor which probably wouldn’t make too much of a difference but what will are sites such as dark web market places and government departments who are trying to hide who they are.

A free VPN service with no sign-up or registration required has been acting strangely. To be honest, anyone using a free VPN should have their head examined. Why is it free? Whose servers is your traffic being routed through? After installing the VPN on a mobile device, whether Android or Apple, it sends specific requests to sites the user has never visited, about every ten seconds. It seems that this VPN is using its users as a botnet. The operators could be selling DDoS as a service on the dark web?

INFORMATION PRIVACY HEADLINES

Austrian privacy advocacy group NOYB has claimed TeleSign, through its former Belgium parent BICS, secretly collected data from mobile users around the world. Telesign are accused of processing the personal information using automated tools and in the US, without the owners knowledge, to generate 'reputation scores.' TeleSign customers include TikTok, Salesforce, Microsoft and AWS.

A formal complaint previously made by Privacy International and NOYB against French advertising technology giant Criteo has had its fine revised to £35 million (reduced). The complaint revolves around how Criteo used various tracking and data processing techniques for behavioural retargeting - with the complainants asserting Criteo has no legal basis for this tracking.