Weekly Summary

SPOTLIGHT, VULNERABILITY CHAT & PRIVACY HEADLINES

309,638 leaked accounts discovered by the BreachAware® Research Team last week.

28 August 2023

A total of 6 breaches were found and analysed, resulting in 309,638 leaked accounts containing a total of 14 different data types. The breaches found publicly and freely available included EPL Diamond, DICO DF Furniture, Gezonderwinkelen, Zeosys Co., Ltd and Cars World. Sign in to view the full BreachAware Breach Index which includes, where available, reference articles relating to each breach.

SPOTLIGHT

The world's most popular language learning app, which is available on iOS and Android, has suffered a huge data loss affecting its entire user base. The scrape happened back in January this year when a threat actor took advantage of a vulnerable API, resulting in 2.6 million users having their data exposed. The app was founded in 2011 and offers over 40 different language courses. People caught up in the breach should be on the lookout for phishing emails. A user on a thread where the data was posted has already said that he or she will be messaging everyone in the data to "confuse and annoy people."

Another failed BreachForums clone has had its database and backend files dumped. The forum, which lasted only a few days before being shut down with fewer than 50 users, was one of the first attempts to grab power in the space that BreachForums filled.

The Tor (The Onion Router) service has been under attack via a serious denial of service (DoS) campaign that has gone on for the past year or more. The Tor Project has released details of its new attempt to block the attacks, called proof-of-work defence for onion services. They say it will "prioritise verified network traffic as a deterrent against denial of service attacks." Users of the network will notice nothing and the defence mechanism will "remain dormant" until an onion service is under stress. Then it will kick in and prompt incoming connections to perform various complex operations to determine the legitimacy of the connection attempt. If the complex operations are successful, the connection will be prioritised; the more operations the client demonstrates it has successfully completed, the more legitimate the connection is considered.

It uses a client puzzle protocol (CPP), which is a computer algorithm that will run in the background in the browser and should keep the user's experience seamless. Websites could take longer to load, but it is not a captcha the user will have to solve. That will be welcome news to anyone trying to obtain a more private online experience: captchas are important against DoS attacks but can still be very frustrating.

VULNERABILITY CHAT

The Lazarus Group are thought to be exploiting the ManageEngine vulnerability to deploy QuiteRAT (Remote Access Trojan) in an attempt to target infrastructure and healthcare institutions in Europe and the US.

A vulnerability in the WinRAR utility could be exploited to achieve remote code execution on Windows systems. Successful exploitation requires user interaction: the target must be lured into visiting a malicious page or opening a booby-trapped archive file.

The DeFi (Decentralised Finance) protocol 'Balancer' has been exploited to the tune of $900K following its disclosure of a vulnerability affecting its boosted liquidity pools. Balancer said in a statement "mitigation procedures have drastically reduced risks, but are unable to pause affected pools."

INFORMATION PRIVACY HEADLINES

Norway's data regulator has told a court Meta is breaking European data privacy laws in Norway. Meta has been fined approximately $95K per day since August 14th for breaching users' privacy by harvesting user data and using it to target advertising to them. Meta is seeking a temporary injunction against the order, which imposes the daily fine for 3 months.

The Brazilian Data Protection Authority (ANPD) has issued its first fine against a small organisation operating in the telemarketing sector. This follows the activity of offering data of thousands of citizens of São Paulo to political candidates for the mass transmission of political campaigns in 2020.

DATA CATEGORIES DISCOVERED

Contact Data, Technical Data, Financial Data, Socio-Demographic Data, Special Category.
