Weekly Summary

SPOTLIGHT, VULNERABILITY CHAT & PRIVACY HEADLINES
5,982,905 leaked accounts discovered by the BreachAware® Research Team last week.

29 May 2023

A total of 37 breaches were found and analysed, resulting in 5,982,905 leaked accounts containing a total of 21 different data types. The breaches found publicly and freely available included Escapada Rural, Oxfam - Australia, Stealer - Mixed Logs 0304, Stealer - Mixed Logs 0239 and Institute of Chartered Accountants, India. Sign in to view the full BreachAware Breach Index which includes, where available, reference articles relating to each breach.

SPOTLIGHT

A 'public' records search service that allows users to privately peruse records of individuals has had its 2019 breached data shared publicly (free) for the first time. Searches return sensitive personal information, including special category data, for example criminal records. The records are limited to people in the United States of America. The company is based in San Diego and has terrible reviews on Trustpilot; one comment left by a user said it was a "great resource for stalkers!" and others reported that the data was wrong or very vague. However, that hasn't stopped over 11 million 'stalkers' from signing up to their website, and they are now at risk.

A rural Spanish travel getaway company has recently suffered a data breach. The company has been running since 2007 and has the largest rural accommodation search engine throughout Spain and Portugal. It is located in Barcelona and has a monthly average user base of almost 1.5 million. Such a lovely, sleek website, along with their common vulnerabilities, made them a prime target for threat actors.

The Mayor in the state of Georgia seems to be playing an interesting game. What appears to be a ransomware attack on his city has left government services almost ground to a halt. The Mayor denies that they were being ransomed for $50 million by a well-known ransomware gang, even though the data is being leaked online.

VULNERABILITY CHAT

A zero-day exploit was posted online for $500K, which could allow anyone to compromise a qTox account by sending a friend request. qTox is widely used by privacy advocates; however, a large number of ransomware gangs and unsavoury types on the internet use it. A comment from the LockBit Ransomware Group administrative staff said, "Now how am I going to make new friends? Don't message me on qTox; I only have old friends." The other person has to accept the friend request. This is definitely sending the heebie-jeebies up threat actors worldwide.

Two researchers have found a technique, dubbed BrutePrint, that gives attackers the ability to potentially bypass smartphone authentication by achieving unlimited authentication attempts on Android and 10 additional attempts on iOS. The researchers said this technique enables a "hardware approach to do man-in-the-middle attacks for fingerprint image hijacking."

INFORMATION PRIVACY HEADLINES

Google outlined plans (July, 2022) to automatically delete select location data from visits to places such as abortion clinics, domestic violence shelters and other sensitive locations. According to the Washington Post, however, Google is still storing exact information for these types of facilities. This has prompted 10 US Senators to pen a letter to Google asking for answers about its location data and privacy practices.

Secure messaging apps may become a thing of the past in the UK if the proposed 250+ page Online Safety Bill is passed without an amicable resolution between end-to-end secure messaging providers like WhatsApp and Signal and the UK government. The coalition of providers say "the bill provides no explicit protection for encryption", and that without such protection it could empower Ofcom to try to force proactive scanning of private messages, nullifying encryption and compromising the privacy of all users.

DATA CATEGORIES DISCOVERED

Contact Data, Technical Data, Special Category, Socio-Demographic Data, Usage Data, Documentary Data, Financial Data.