Knuddels
The German government imposed its first General Data Protection
Regulation (GDPR) fine on an in-region flirting and chat service
known as Knuddels. A cyberattack on the company had exposed more
than 1.8 million usernames and passwords, along with 808,000 email
addresses. To read more: https://threatpost.com/knuddels-flirt-app-slapped-with-hefty-fine-after-data-breach/139384/
Phishing
New research shows that about half of all phishing scams are hosted
on websites that have a “padlocked” URL that starts with
“https://”. This is up 25% from just a year ago and still climbing.
To read more: https://krebsonsecurity.com/2018/11/half-of-all-phishing-sites-now-have-the-padlock/
Dell
Dell announced a cybersecurity incident and is encouraging its
users to change their passwords. On November 9th, “unauthorized
activity was detected on Dell’s network that attempted to extract
customer information.” To read more: https://www.dell.com/customerupdate
Android apps
Eight Android apps were accused of taking part in an ad-fraud
scheme that stole millions of dollars from advertisers. The apps
misused user permissions to track downloads and then exploited the
data to hijack app-install bounties. The apps have been downloaded
about two billion times on the Google Play Store. To read more:
https://thehackernews.com/2018/11/android-click-ad-fraud.html
Dunkin' Donuts
Dunkin' Donuts was exploited through a credential-stuffing attack
that compromised customers’ personal information. The company
believes that the hacker accessed usernames and passwords from
security breaches at other companies, and then used them to break
into its system. To read more: https://threatpost.com/hackers-breach-dunkin-donuts-accounts-in-credential-stuffing-attack/139472/
Marriott International
Marriott disclosed a four-year data breach that exposed the
personal and financial information of half a billion customers who
made reservations at any of its Starwood properties. The hackers
accessed a database containing guest information tied to
reservations at the properties. To read more: https://krebsonsecurity.com/2018/11/marriott-data-on-500-million-guests-stolen-in-4-year-breach/
LinkedIn
Regulators in Europe have accused LinkedIn of violating GDPR rules
by misusing 18 million email addresses. The investigation
originated from a 2017 complaint regarding LinkedIn’s
information-collecting practices of people who are not members of
its work-focused social network. To read more: https://techcrunch.com/2018/11/24/linkedin-ireland-data-protection/
Atrium Health
Atrium Health has revealed a data breach that exposed the
information of 2.65 million patients. Between September 22nd and
29th, a hacker was able to gain access to databases containing
records such as names, home addresses and dates of birth. To read
more: https://www.zdnet.com/article/atrium-health-data-breach-exposed-2-65-million-patient-records/
Urban
A massage app known as Urban accidentally left a database
containing 309,000 customer profiles exposed on the web without a
password. The exposed information included data on clients who were
accused of sexual misconduct. To read more: https://nypost.com/2018/11/28/massage-app-data-breach-reveals-which-clients-asked-for-sexual-favors/
ScamClub
A cyber-criminal group known as ScamClub hijacked more than 300
million browser sessions in a 48-hour period to redirect users to
gift-card scams. To read more: https://www.zdnet.com/article/us-ios-users-targeted-by-massive-malvertising-campaign/
Routers
More than 45,000 internet routers were compromised by a campaign
using the EternalBlue exploit. The new attack exploits routers with
“vulnerable implementations of Universal Plug and Play to force
connected devices to open ports 139 and 445”. Due to the flaw,
almost two million devices connected to the routers are reachable
via the ports. To read more: https://arstechnica.com/information-technology/2018/11/mass-router-hack-exposes-millions-of-devices-to-potent-nsa-exploit/
BitPay
A hacker injected malicious code into a popular JavaScript library
in order to steal Bitcoin and Bitcoin Cash stored inside the
“Copay” wallet apps of BitPay, a Bitcoin payment service.
Researchers found that the malicious code lies dormant until it is
used inside the source code of Copay to steal users’ wallet
information. To read more: https://www.zdnet.com/article/hacker-backdoors-popular-javascript-library-to-steal-bitcoin-funds/
Apple
Dropbox unveiled three critical vulnerabilities it found in Apple’s
macOS after an internal penetration test of its systems. If
exploited, the bugs could enable a remote attacker to execute
malicious code on a computer. To read more: https://thehackernews.com/2018/11/apple-macos-zeroday.html
Microsoft and Sennheiser
Microsoft warned users that HeadSetup and HeadSetup Pro, two apps
made by Sennheiser, a German audio company, accidentally installed
two root certificates on users’ computers and then leaked the
private keys. The software is used to set up and manage softphones,
which make calls via the internet. To read more: https://www.zdnet.com/article/microsoft-warns-about-two-apps-that-installed-root-certificates-then-leaked-the-private-keys/