The US government expressed concerns about Facebook’s recently revealed data-sharing relationships with Chinese companies, including Huawei, Lenovo, Oppo and TCL. To read more: https://techcrunch.com/2018/06/05/facebook-huawei-data-sharing-congress/
MyHeritage
A security researcher found a file on a server outside the company containing email addresses and hashed passwords for more than 92 million users of an Israel-based genealogy and DNA-testing company. MyHeritage is urging all its clients to change their passwords. To read more: https://krebsonsecurity.com/2018/06/researcher-finds-credentials-for-92-million-users-of-dna-testing-firm-myheritage/
Drupalgeddon 2.0
More than 115,000 sites are still vulnerable to this Drupal bug, even though a patch was released three months ago. To read more: https://threatpost.com/drupalgeddon-2-0-still-haunting-115k-sites/132518/
Trello
Researchers found that a large number of government agencies, marketing firms, healthcare organizations and IT-support companies are publishing private credentials on public Trello boards. To read more: https://krebsonsecurity.com/2018/06/further-down-the-trello-rabbit-hole/
PageUp
This human-resources firm revealed that it had found unusual activity on its IT infrastructure, and said that client data “may have” been compromised. To read more: https://www.zdnet.com/article/malware-hits-hr-software-firm-pageup-with-possible-data-compromise/
Transamerica
This US insurance and investment company said that its systems were breached between March 2017 and January 2018. The attacker stole names, addresses, Social Security numbers, dates of birth, financial account information and employment details of people holding Transamerica retirement-solution accounts. To read more: https://www.theregister.co.uk/2018/06/05/transamerica_retirement_plan_hack/
Bitfinex
This large cryptocurrency exchange was knocked offline Tuesday morning by a DDoS attack. To read more: http://www.businessinsider.com/bitfinex-hit-by-cyber-attack-2018-6
WARDroid
Researchers at Texas A&M University created a framework that crawls mobile applications to uncover inconsistencies between the HTTP requests an app is built to send and the requests its backend web API will actually accept. An analysis of 10,000 mobile apps found that many are open to web-API hijacking. To read more: https://threatpost.com/wardroid-uncovers-mobile-threats-to-millions-of-users-worldwide/132525/
Zip Slip
Snyk, a security firm, uncovered a critical flaw, dubbed Zip Slip, in the archive file-extraction libraries used by thousands of open-source projects. It is a directory-traversal bug: an archive entry whose name contains a path such as ../../ is written outside the intended extraction directory, so a crafted archive can overwrite arbitrary files (scripts, binaries, configuration) and from there lead to remote command execution. To read more: https://www.zdnet.com/article/open-source-security-zip-slip-critical-flaw-hits-thousands-of-projects-update-now/
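Zip Slip in code, as an added example that is not part of the original article or of Snyk's write-up: a constructed in-memory archive carrying a ../../ entry, the naive extraction loop that writes it outside the target directory, and a hardened extractor that resolves every entry's path and rejects the whole archive before writing a single byte. The entry names, the scratch directory and the run_demo helper are assumptions made for the demo.

```python
"""Zip Slip: vulnerable vs. hardened archive extraction (added example).

Not code from the original article or from any named project. The archive
contents and directory layout below are constructed for the demonstration.
"""
import io
import os
import tempfile
import zipfile


class ZipSlipError(ValueError):
    """Raised when an archive entry would be written outside the target dir."""


def build_zip(entries: dict) -> bytes:
    """Build an in-memory zip from {entry_name: content_bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)  # writestr keeps '../' in names verbatim
    return buf.getvalue()


# Constructed sample archive: one harmless entry, one traversal entry.
MALICIOUS_ENTRIES = {
    "README.txt": b"harmless\n",
    "../../evil.sh": b"#!/bin/sh\necho pwned\n",
}


def naive_extract(zip_bytes: bytes, dest: str) -> list:
    """The vulnerable pattern: join the entry name onto dest and write.
    Nothing stops '../' (or an absolute name) from leaving dest."""
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            # an absolute entry name would even replace dest entirely here
            target = os.path.join(dest, info.filename)
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(zf.read(info))
            written.append(os.path.realpath(target))
    return written


def entry_is_safe(dest: str, name: str) -> bool:
    """True only if dest/name, after resolving '..' and symlinks, stays
    inside dest. commonpath (rather than startswith) also rejects the
    sibling-directory trick: '/srv/out' vs '/srv/out-old'."""
    root = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(root, name))
    return os.path.commonpath([root, target]) == root


def safe_extract(zip_bytes: bytes, dest: str) -> list:
    """Hardened extractor: validate every entry before writing anything,
    so a hostile archive leaves no partial output behind."""
    root = os.path.realpath(dest)
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        infos = zf.infolist()
        bad = [i.filename for i in infos if not entry_is_safe(root, i.filename)]
        if bad:
            raise ZipSlipError(f"entries escape {root}: {bad}")
        for info in infos:
            target = os.path.join(root, info.filename)
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(zf.read(info))
            written.append(target)
    return written


def run_demo() -> dict:
    """Extract the constructed archive both ways under a scratch directory
    (hypothetical layout, created in a tempdir) and report what happened."""
    scratch = tempfile.mkdtemp(prefix="zipslip-")
    archive = build_zip(MALICIOUS_ENTRIES)
    dest = os.path.join(scratch, "uploads", "job42")  # two levels deep
    os.makedirs(dest)
    naive_extract(archive, dest)
    # '../../evil.sh' relative to scratch/uploads/job42 lands at scratch/evil.sh
    escaped = os.path.exists(os.path.join(scratch, "evil.sh"))

    dest2 = os.path.join(scratch, "uploads", "job43")
    os.makedirs(dest2)
    try:
        safe_extract(archive, dest2)
        rejected = False
    except ZipSlipError:
        rejected = True
    wrote_nothing = os.listdir(dest2) == []  # validation ran before any write
    benign = safe_extract(build_zip({"docs/a.txt": b"a", "b.txt": b"b"}), dest2)
    return {"naive_escaped": escaped, "safe_rejected": rejected,
            "safe_wrote_nothing": wrote_nothing, "benign_count": len(benign)}


if __name__ == "__main__":
    print(run_demo())
```

The same check applies to tar extraction and to any library that builds the output path from an attacker-controlled entry name; resolving with realpath before comparing also catches entries that traverse through a symlink already present under the destination.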
BlueBorne
Nine months after researchers warned of the Bluetooth remote-code-execution bugs collectively known as BlueBorne, Lenovo has finally made a patch available for its Tab and Yoga tablets. The vulnerability could enable an attacker in Bluetooth range to take over devices and spread malware. To read more: https://threatpost.com/lenovo-finally-patches-ancient-blueborne-bugs-in-tab-and-yoga-tablets/132703/
Adobe Flash
A zero-day vulnerability was recently exploited in the wild in targeted attacks against Windows users in the Middle East. The vulnerability was a stack-based buffer-overflow bug in Flash Player that could enable arbitrary code execution. To read more: https://threatpost.com/zero-day-flash-exploit-targeting-middle-east/132659/
Frontier
A bug in the account-password reset function of this large US cable and internet provider enabled anyone to take over user accounts. To read more: https://www.zdnet.com/article/password-reset-flaw-at-frontier-allowed-account-takeovers/
Spiral Toys CloudPets
Major retailers are removing CloudPets internet-enabled soft toys from their shelves because of severe security and privacy issues that Spiral Toys has failed to fix a year after they were revealed, and long after the firm claimed to have resolved the problems. To read more: https://www.bitdefender.com/box/blog/family/creepy-cloudpets-pulled-stores-security-fears/