Polyverse Weekly Breach Report


A snapshot look at the breaches and reported vulnerabilities of last week

Facebook

The US government expressed concerns about Facebook’s recently revealed data-sharing relationships with Chinese companies, including Huawei, Lenovo, Oppo and TCL. To read more: https://techcrunch.com/2018/06/05/facebook-huawei-data-sharing-congress/

MyHeritage

A security researcher found a file on the internet containing passwords for more than 92 million users of an Israel-based genealogy and DNA-testing company. MyHeritage is urging all its clients to change their passwords. To read more: https://krebsonsecurity.com/2018/06/researcher-finds-credentials-for-92-million-users-of-dna-testing-firm-myheritage/

Drupalgeddon 2.0

More than 115,000 sites are still vulnerable to this Drupal bug, even though a patch was released three months ago. To read more: https://threatpost.com/drupalgeddon-2-0-still-haunting-115k-sites/132518/

Trello

Researchers found that a large number of government agencies, marketing firms, healthcare organizations and IT-support companies are publishing private credentials on public Trello boards. To read more: https://krebsonsecurity.com/2018/06/further-down-the-trello-rabbit-hole/

PageUp

This human-resources firm revealed that it had found unusual activity on its IT infrastructure, and said that client data “may have” been compromised. To read more: https://www.zdnet.com/article/malware-hits-hr-software-firm-pageup-with-possible-data-compromise/

Transamerica

This US insurance and investment company said that its systems were breached between March 2017 and January 2018. The hacker stole names, addresses, Social Security numbers, dates of birth, financial account information and employment details of people holding Transamerica retirement-solution accounts. To read more: https://www.theregister.co.uk/2018/06/05/transamerica_retirement_plan_hack/

Bitfinex

This large cryptocurrency exchange was knocked offline Tuesday morning by a DDoS attack. To read more: http://www.businessinsider.com/bitfinex-hit-by-cyber-attack-2018-6

Reported Vulnerabilities

WARDroid

Researchers at Texas A&M University created a framework that crawls applications to uncover inconsistencies in the types of HTTP requests they will accept. An analysis of 10,000 mobile apps found that many are open to web-API hijacking. To read more: https://threatpost.com/wardroid-uncovers-mobile-threats-to-millions-of-users-worldwide/132525/

Zip Slip

Snyk, a security firm, uncovered a critical flaw, dubbed Zip Slip, in the archive file-extraction libraries used by thousands of open-source web-application projects. A crafted archive entry lets attackers write outside the intended extraction directory, as far as the root directory, and from there enable remote command execution. To read more: https://www.zdnet.com/article/open-source-security-zip-slip-critical-flaw-hits-thousands-of-projects-update-now/
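As an added illustration (not from the original report or from Snyk's advisory), the check an extractor needs to block Zip Slip: every entry name is resolved against the destination directory and rejected if it would land outside it. The sample archive below is constructed inline for demonstration.

```python
import io
import os
import zipfile


def resolves_inside(dest_dir, member_name):
    """True if extracting member_name under dest_dir cannot leave dest_dir.

    Zip Slip relies on entry names such as '../../evil.sh' or an absolute
    path. Both are caught by resolving the candidate path and checking that
    dest_dir is still its prefix. Backslashes are normalised first because
    some extractors honour them as separators on Windows.
    """
    normalised = member_name.replace("\\", "/")
    if os.path.isabs(normalised):
        return False
    base = os.path.realpath(dest_dir)
    candidate = os.path.realpath(os.path.join(base, normalised))
    return os.path.commonpath([base, candidate]) == base


def find_traversal_entries(archive_bytes, dest_dir="extract"):
    """Return the names of every entry that would escape dest_dir."""
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        return [n for n in zf.namelist() if not resolves_inside(dest_dir, n)]


def safe_extract(archive_bytes, dest_dir):
    """Validate every entry before extracting; refuse the whole archive otherwise."""
    bad = find_traversal_entries(archive_bytes, dest_dir)
    if bad:
        raise ValueError(f"refusing archive with traversal entries: {bad}")
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        zf.extractall(dest_dir)
        return zf.namelist()


def build_sample_archive():
    """Constructed test archive: one benign entry and one Zip Slip-style entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "harmless\n")
        zf.writestr("../../evil.sh", "placeholder\n")
    return buf.getvalue()


if __name__ == "__main__":
    print(find_traversal_entries(build_sample_archive()))  # ['../../evil.sh']
```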

BlueBorne

Nine months after researchers warned of the remote code execution bug BlueBorne, Lenovo has finally made a patch available. The vulnerability could enable an attacker to take over devices and spread malware. To read more: https://threatpost.com/lenovo-finally-patches-ancient-blueborne-bugs-in-tab-and-yoga-tablets/132703/

Adobe Flash

A zero-day vulnerability was recently exploited in the wild in targeted attacks against Windows users in the Middle East. The vulnerability was a stack-based buffer-overflow bug in Flash that could enable arbitrary code execution. To read more: https://threatpost.com/zero-day-flash-exploit-targeting-middle-east/132659/

Frontier

A bug in the account-password reset function of this large US cable and internet provider enabled anyone to take over user accounts. To read more: https://www.zdnet.com/article/password-reset-flaw-at-frontier-allowed-account-takeovers/

Spiral Toys CloudPets

Major retailers are removing CloudPets internet-enabled soft toys from their shelves because of severe security and privacy issues that Spiral Toys has failed to fix a year after they were revealed — and long after the firm claimed to have resolved the problems. To read more: https://www.bitdefender.com/box/blog/family/creepy-cloudpets-pulled-stores-security-fears/
