Polyverse Weekly Breach Report

breach_report

A snapshot look at the breaches and reported vulnerabilities of last week

Initial coin offerings

Hackers have stolen $400 million in cryptocurrencies by targeting initial coin offerings (ICOs). According to research by Ernst & Young, more than 10% of all funds changing hands during ICOs are lost or stolen. To read more: http://www.zdnet.com/article/hackers-steal-almost-400-million-from-cryptocurrency-icos/

UK law firms

Researchers discovered file dumps on the Dark Web containing 1.2 million email addresses and credentials from top UK law firms. The information discovered represents an average of 2,000 compromised credentials per company. To read more: http://www.zdnet.com/article/uk-top-500-legal-firms-credentials-leaked-on-the-dark-web/

Intel

Intel has halted patching for Spectre and Meltdown vulnerabilities in the Broadwell and Haswell microprocessors because of reboot issues. To read more: https://threatpost.com/intel-halts-spectre-meltdown-patching-for-broadwell-and-haswell-systems/129615/

Bell Canada

The telecom company is alerting customers after hackers illegally accessed the personal information of up to 100,000 customers. The breach happened eight months after 1.9 million of the company’s customer emails were stolen by hackers. To read more: http://www.cbc.ca/news/business/bell-canada-data-breach-1.4500156

ATM jackpotting

The United States Secret Service began warning banks that jackpotting attacks are now targeting cash machines in the US. To carry out the attack, thieves must gain physical access to an ATM and then use malware to control it. Such attacks have been a major pain point in Europe and Asia, but this is the first time they have been spotted in the US. To read more: https://krebsonsecurity.com/2018/01/first-jackpotting-attacks-hit-u-s-atms/

Reported Vulnerabilities

Tinder

Security flaws in Tinder could enable hackers to see images downloaded by users and whether they swiped left or right. The vulnerability is based on the use of an HTTP connection and a predictable HTTPS response size. To read more: http://www.zdnet.com/article/snoopers-could-eavesdrop-on-tinder-photos-and-swipes-says-security-company/

Sonic the Hedgehog

A security company discovered that three Sonic the Hedgehog Android games were leaking user-location and device information. The leaks could impact up to 600 million users. To read more: http://www.zdnet.com/article/sega-investigating-claims-android-sonic-games-are-leaking-data/

Wearsafe and Revolar

Flaws in personal-protection devices made by the two firms could render the devices useless. To read more: http://www.zdnet.com/article/security-flaws-found-in-popular-personal-panic-buttons/

Electron

A critical vulnerability is affecting Electron desktop apps that use custom protocol handlers. The vulnerability CVE-2018–1000006 is present in apps that register themselves as the default handler for a protocol. To read more: http://www.zdnet.com/article/electron-critical-vulnerability-strikes-app-developers/

Libcurl

The command-line tool and library for transferring data with URLs can leak authentication data. The bug has been present since 1999. To read more: https://www.theregister.co.uk/2018/01/25/curl_carried_auth_leak_bug_practically_forever/

Lenovo ThinkPad

ThinkPad owners should update their machines after its Fingerprint Manger Pro software was found to contain security vulnerabilities. The main flaw is a hardcoded password in the fingerprint scanner software for Windows. To read more: https://www.theregister.co.uk/2018/01/26/lenovo_thinkpad_fingerprint_manager_vulnerability/

Want to learn more?

Sign up below and receive weekly breach reports directly in your inbox.

The registered trademark Linux® is used pursuant to a sublicense from the Linux Foundation, the exclusive licensee of Linus Torvalds, owner of the mark on a world­wide basis.