Weekly Summary

SPOTLIGHT, VULNERABILITY CHAT & PRIVACY HEADLINES

62,500,213 leaked accounts discovered by the BreachAware® Research Team last week.

29 January 2024

A total of 29 breaches were found and analysed, resulting in 62,500,213 leaked accounts containing a total of 23 different data types. The breaches found publicly and freely available included Naz.API, Elephant Insurance Services, Klarna [2] (URL Redirected), Stealer Log 0410 and Vecer. Sign in to view the full BreachAware Breach Index which includes, where available, reference articles relating to each breach.

SPOTLIGHT

In July, a prominent American car insurance company, recognised by Forbes as the best car insurance company of 2023, fell victim to a significant data breach. Established in 2009 as an offshoot of the UK's Admiral Group, the company operates across several major states in the United States. The dumped online database, stemming from the breach, contains a diverse array of data types typical of information held by an insurance company.

Trezor, a leading cryptocurrency hardware wallet provider, issued a warning to users about a well-crafted phishing email targeting its customers. The deceptive email, appearing as an official communication, claims that users must urgently upgrade their hardware wallets to avoid potential loss of funds. The email directs recipients to a fake domain named "suite-app-trezor," where they are prompted to enter their 12 or 24-word recovery seed.

The Naz.api collection of stealer logs has garnered attention in the media due to its substantial impact. This collection encompasses around 1 billion credentials, including email addresses, plaintext passwords, and associated site URLs for logins. Initially believed to be a fake posting on a file hosting site, the real version surfaced online last week, leading to heightened activity among threat actors, researchers, and potentially law enforcement agencies downloading and analyzing the data.

Threat actors, researchers, and most likely law enforcement have been frantically downloading the data. The data is spread across three hundred files and is 103 GB in size. Realistically, the majority of these stealer logs have been floating around the internet for a while; however, they are now very easy for individuals to download and comb through. Malware is designed to steal a wide range of data types when it infects a host, and the log it outputs to the threat actors running the malware contains a range of hardware and device information, as well as the usual data types one would expect.

VULNERABILITY CHAT

In February 2023, the UK government initiated efforts to strengthen the software supply chain and prevent high-impact incidents targeting the country's infrastructure. A set of voluntary rules is now under consideration, urging software vendors to responsibly disclose vulnerabilities in their systems. This move comes amid criticism of the government's handling of legacy infrastructure.

Apple addressed multiple vulnerabilities across its ecosystem through a series of patches. Notably, a critical zero-day vulnerability was discovered in the open-source WebKit browser engine, the foundation of the Safari web browser. The comprehensive patch covers various Apple devices, including iPhones, iPads, Macs, and Apple TVs.

Three Common Vulnerabilities and Exposures (CVEs) were added to the Cybersecurity and Infrastructure Security Agency's (CISA) 'Known Exploited Vulnerabilities Catalog' last week, including Apple (Multiple Products) and Atlassian (Confluence Data Center and Server). See the full catalog here: https://www.cisa.gov/known-exploited-vulnerabilities-catalog

INFORMATION PRIVACY HEADLINES

The Bank of England and HM Treasury have responded to the consultation on a digital pound (central bank digital currency or CBDC) initiated in February 2023. While no final decision has been made on implementing a digital pound, the response affirms that, if introduced, primary legislation would ensure users' privacy and control. Users would have the freedom to spend their digital pounds without the Bank and the Government accessing any personal data.

DATA CATEGORIES DISCOVERED

Contact Data, Financial Data, Technical Data, Socio-Demographic Data, Usage Data, Documentary Data, Communications Data, Social Relationships Data, Locational Data.
