Weekly Summary

SPOTLIGHT, VULNERABILITY CHAT & PRIVACY HEADLINES
Combined Breach Exposure Monitoring

Threat actor merges 3.3 billion unique email addresses from public data breaches.

30 September 2024
BREACHAWARE HQ

A total of 29 breaches were found and analysed, resulting in 3,822,233 leaked accounts containing a total of 34 different data types. The breaches found publicly and freely available included Central Tickets, Anonymous Spanish Data Archive, 2 Invoice, Tiendup and YPOK. Sign in to view the full BreachAware Breach Index, which includes, where available, reference articles relating to each breach.

SPOTLIGHT

A well-known threat actor has taken some time to merge a large number of public data breaches from a popular hacking forum into a single file. This 75 GB file contains 3.3 billion unique email addresses. However, it’s essentially a massive spam list, as the data includes only email addresses.

Recently, a team member discovered an interesting database dump. The threat actor responsible for the breach explained that they were not ready to disclose the name of the company the data was stolen from, but stated that the data is very fresh. The database contains 1.8 million rows of information, including names, phone numbers, and document ID numbers. It’s unusual for a threat actor to avoid taking credit for a successful breach, raising questions about whether the data is as valuable as claimed or if they want to avoid attracting law enforcement attention.

A large British ticket-selling and seat-filling company has also been breached. The stolen data is now widely available across various hacking platforms and channels. The company, which has been operational since 2017, offers over 100 seat-filling shows each week, helping poorly advertised shows sell discounted tickets. It also collaborates with charities like "NHS Charities Together." The breach exposed 2.3 million unique email addresses, along with typical personal information such as names.

In another case, a new cybercrime forum that launched a few months ago suffered a data breach soon after opening, leading to its abandonment. The forum then relaunched under the name of a former hacking site. Recently, one of the admins was involved in an internal scam, and ownership of the forum has changed hands again. The situation has led to chaos and finger-pointing within the small hacker community, with more developments likely to come. We’ll keep you updated on this unfolding drama.

VULNERABILITY CHAT

A group of independent security researchers has discovered a flaw in Kia’s web portal that allowed them to reassign control of the internet-connected features of most modern Kia vehicles. This flaw affected dozens of Kia models, representing millions of cars on the road. By exploiting the vulnerability, the researchers built a custom app that let them take over a car’s features—from tracking its location to unlocking doors, honking the horn, or even starting the ignition—by simply scanning the car's license plate and issuing commands from their own phone or computer.

In other news, a new Chrome security warning has been issued for 3 billion users across Windows, Mac, Linux, and Android platforms. Four high-severity vulnerabilities have been confirmed, although iOS Chrome users appear to be unaffected. While the iOS browser was updated, no security alerts are currently in place for that platform.

A series of four critical flaws has been uncovered in the Common Unix Printing System (CUPS), which is widely used across most GNU/Linux distributions, including Debian, Red Hat, and SUSE, as well as macOS and Google Chrome/Chromium. The vulnerabilities were discovered by researcher Simone Margaritelli, also known as evilsocket. These issues are a significant concern for security professionals because of their potential scope and the widespread use of CUPS.

The CERT Coordination Center (CERT/CC) at Carnegie Mellon University has issued a warning about a stack-based overflow vulnerability in the Microchip Advanced Software Framework (ASF). The flaw, linked to the tinydhcp server implementation, could allow remote code execution through the Microchip software.

NVIDIA’s Container Toolkit and GPU Operator were found to have a critical Time-of-Check Time-of-Use (TOCTOU) vulnerability, which allowed threat actors access to the underlying host’s file system. This flaw was discovered and reported by cybersecurity researchers at Wiz.

Six critical vulnerabilities have been identified in WhatsUp Gold, a popular network monitoring tool, that could grant attackers unauthorised access to networks. Users running versions below 24.0.1 are advised to update immediately to safeguard their systems.

Bitsight TRACE researchers, along with the Cybersecurity and Infrastructure Security Agency (CISA), have disclosed 10 vulnerabilities affecting five vendors. These flaws, if exploited, could provide hackers with full administrative access to tank management systems used in large fuel storage facilities.

Lastly, a critical vulnerability has been found in VLC Media Player, enabling attackers to execute malicious code on users’ computers. This flaw could allow a third party to crash VLC or run arbitrary code with the same privileges as the user, posing a serious threat to security.

1 Common Vulnerabilities and Exposures (CVE) entry was added to the Cybersecurity & Infrastructure Security Agency's (CISA) 'Known Exploited Vulnerabilities Catalog' last week, for Ivanti (Virtual Traffic Manager). See the full catalog here: https://www.cisa.gov/known-exploited-vulnerabilities-catalog

NIST's National Vulnerability Database (NVD), the U.S. government repository of standards-based vulnerability management data represented using the Security Content Automation Protocol (SCAP), published 467 vulnerabilities last week, bringing the 2024 total to 28,919. For more information visit https://nvd.nist.gov/vuln/search/

INFORMATION PRIVACY HEADLINES

Meta has been fined €91 million by the Irish Data Protection Authority for failing to protect users' passwords. The fine was announced on September 27, following an investigation launched in April 2019 when Meta reported that it had inadvertently stored some social media users' passwords in plaintext—unencrypted—on its internal systems.

In a separate case, a federal judge has narrowed a lawsuit accusing Apple of violating the privacy of iPhone, iPad, and Apple Watch users. The lawsuit alleges that Apple collected personal data through its proprietary apps, such as the App Store, Apple Music, and Apple TV, without user consent. The case is one of many targeting tech companies like Apple, Google, and Meta for unauthorised data collection.

The European data privacy advocacy group, None of Your Business (noyb), has filed a complaint against Mozilla, the maker of the Firefox browser. The complaint accuses Mozilla of quietly altering its privacy features to track users’ web activities without their consent.

Colorado has become the first U.S. state to regulate neurotechnology by amending its Colorado Privacy Act to safeguard biological and neural data. This groundbreaking legislation addresses privacy, security, and ethical concerns related to brain-computer interfaces and other emerging neurotechnology.

Germany is proposing revisions to its Federal Data Protection Act (BDSG) that would allow automated credit scoring, which is widely practiced in the EU but currently faces legal uncertainty. Under the General Data Protection Regulation (GDPR), fully automated decisions that significantly impact a data subject are banned, but automated credit scoring is still common. In December, the EU’s Court of Justice ruled that automatically generating credit reports could be considered an illegal automated decision under certain conditions.

Meanwhile, the Vietnamese government has released the first draft of a new Law on Personal Data Protection (PDPL). Set to take effect on January 1, 2026, this draft law marks a significant step forward in Vietnam’s efforts to establish a strong framework for personal data protection.

Check out all the BreachAware analysis here: https://breachaware.com/research


DATA CATEGORIES DISCOVERED

Contact Data, Transactional Data, Technical Data, Communications Data, Socio-Demographic Data, Financial Data, Social Relationships Data, Locational Data, Usage Data, Documentary Data, National Identifiers, Special Category.
