Polyverse Weekly Breach Report

A snapshot of last week’s reported cybersecurity breaches and vulnerabilities

Worst Data Breaches of 2018
Were you wondering which breaches were the worst of 2018? Fortune magazine compiled a list of last year’s most significant breaches and vulnerabilities, ranked by the number of people who were affected. To read more: http://fortune.com/2019/01/04/worst-data-breaches-of-2018/

Weather Forecast — World Weather Accurate Radar
A weather app built by a Chinese company is collecting massive amounts of data and attempting to subscribe some users to paid services without their permission. The app collects data on users’ geographic locations, email addresses and unique International Mobile Equipment Identity numbers on a server in China. To read more: https://www.wsj.com/articles/popular-weather-app-collects-too-much-user-data-security-experts-say-11546428914

Twinning App
A photo-matching app called Twinning experienced a data leak that exposed photos for its entire user base. The photos can be publicly accessed via a storage bucket hosted on AWS. Popsugar, the app creator, has since made the bucket private. To read more: https://www.dailymail.co.uk/sciencetech/article-6543031/Popsugar-app-matches-selfies-celebrities-exposed-personal-photos-report-claims.html

Singapore Airlines
A software glitch caused a data breach that impacted 285 frequent flyer members of Singapore Airlines. The bug compromised various personal details including passport and flight information. To read more: https://www.zdnet.com/article/singapore-airlines-data-breach-affects-284-accounts-exposes-travel-details/

Dataresolution.net
Cloud-hosting provider dataresolution.net is trying to bring its systems back online after suffering a ransomware attack on Christmas Eve. The attackers exploited a compromised login account and infected servers with Ryuk ransomware. To read more: https://krebsonsecurity.com/2019/01/cloud-hosting-provider-dataresolution-net-battling-christmas-eve-ransomware-attack/

Chromecasts & smart TVs
A hacker duo claims to have hijacked exposed Chromecasts, smart TVs and Google Home devices. This is the second hack that was executed to urge users to subscribe to PewDiePie’s YouTube channel. To read more: https://www.zdnet.com/article/hacker-hijacks-thousands-of-chromecasts-and-smart-tvs-to-play-pewdiepie-ad/

German Politicians
A group of hackers leaked on Twitter highly sensitive personal information for more than 100 German politicians, including Chancellor Angela Merkel. The data includes phone numbers, email addresses, private chats, bills and more. To read more: https://thehackernews.com/2019/01/germany-politicians-hacked.html

Town of Salem
A hacker stole the personal details of 7.6 million users of the online game “Town of Salem.” Someone sent a copy of the stolen data to DeHashed, a service similar to Have I Been Pwned. The compromised servers were finally secured this week. To read more: https://www.zdnet.com/article/town-of-salem-game-suffers-data-breach-exposing-7-6-million-user-details/

Marriott
Marriott has announced that its guest-reservation system was hacked and that the personal information of almost 500 million guests was potentially exposed. The hack affects the Starwood reservation database, which the hackers apparently first gained access to in 2014. To read more: https://www.cnn.com/2018/11/30/tech/marriott-hotels-hacked/index.html

Luas
Hackers are holding Luas, a tram system in Dublin, Ireland, hostage with a potential leak of private data should the company fail to pay a Bitcoin ransom. The firm’s website was compromised, and a malicious message was posted on the homepage. The site is still offline. To read more: https://www.zdnet.com/article/dublins-luas-tram-system-threatened-with-private-data-leak/

Spectre and Meltdown
Intel is still working to clean up the problems caused by the Spectre and Meltdown vulnerabilities that were disclosed a year ago. To read more: https://www.wired.com/story/intel-meltdown-spectre-storm/

Blur
The company behind the Blur password manager revealed that it had experienced a data breach impacting almost 2.4 million users. To read more: https://www.zdnet.com/article/data-of-2-4-million-blur-password-manager-users-left-exposed-online/

Reported Vulnerabilities

Sednit APT
Researchers found the first-ever successful instance of a rootkit targeting the Windows Unified Extensible Firmware Interface. The rootkit is called LoJax, which is a modified version of Absolute Software’s LoJack recovery software. To read more: https://threatpost.com/uefi-rootkit-sednit/140420/

Adobe
Adobe has issued patches for two critical vulnerabilities outside its usual security-update cycle. The vulnerabilities allow privilege escalation and arbitrary code execution, and affect both macOS and Windows. To read more: https://thehackernews.com/2019/01/adobe-reader-vulnerabilities.html

Apple phishing
A new phishing scam spoofs the legitimate Apple support page and phone number. What is most concerning is that if the recipient of the scam call is an iPhone user, the fake call gets indexed in the phone’s recent calls list as a call from the legitimate Apple Support line. To read more: https://krebsonsecurity.com/2019/01/apple-phone-phishing-scams-getting-better/

Android
Google patched a privacy vulnerability in the Chrome web browser for Android that could enable remote attackers to identify unpatched devices and exploit other vulnerabilities. A security researcher initially reported the issue to Google three years ago. To read more: https://thehackernews.com/2019/01/google-chrome-android-privacy.html

Golduck malware
Security researchers found more than a dozen iPhone apps communicating with a Golduck malware server. The malware has been around for over a year but was previously specific to Android. To read more: https://techcrunch.com/2019/01/05/dozen-iphone-apps-linked-to-golduck-malware

ReCAPTCHA
Researchers have managed to fool Google’s reCAPTCHA with a 90% success rate. To read more: https://motherboard.vice.com/en_us/article/pa55z8/researchers-fool-recaptcha-with-googles-own-speech-to-text-service
