Polyverse Weekly Breach Report

A snapshot of last week’s reported breaches and vulnerabilities

Knuddels
The German government imposed its first General Data Protection Regulation (GDPR) fine on an in-region flirting and chat service known as Knuddels. A cyberattack on the company had exposed more than 1.8 million usernames and passwords, along with 808,000 email addresses. To read more: https://threatpost.com/knuddels-flirt-app-slapped-with-hefty-fine-after-data-breach/139384/

Phishing
New research shows that about half of all phishing scams are hosted on websites that have a “padlocked” URL that starts with “https://”. This is up 25% from just a year ago and still climbing. To read more: https://krebsonsecurity.com/2018/11/half-of-all-phishing-sites-now-have-the-padlock/

Dell
Dell announced a cybersecurity incident and is encouraging its users to change their passwords. On November 9th, “unauthorized activity was detected on Dell’s network that attempted to extract customer information.” To read more: https://www.dell.com/customerupdate

Android apps
Eight Android apps were accused of taking part in an ad-fraud scheme that stole millions of dollars from advertisers. The apps misused user permissions to track downloads and then exploited the data to hijack app-install bounties. The apps have been downloaded about two billion times on the Google Play Store. To read more: https://thehackernews.com/2018/11/android-click-ad-fraud.html

Dunkin Donuts
Dunkin Donuts was exploited through a credential-stuffing attack that compromised customers’ personal information. The company believes that the hacker accessed usernames and passwords from security breaches at other companies, and then used them to break into its system. To read more: https://threatpost.com/hackers-breach-dunkin-donuts-accounts-in-credential-stuffing-attack/139472/

Marriott International
Marriott disclosed a four-year data breach that exposed the personal and financial information of half a billion customers who made reservations at any of its Starwood properties. The hackers accessed a database containing guest information tied to reservations at the properties. To read more: https://krebsonsecurity.com/2018/11/marriott-data-on-500-million-guests-stolen-in-4-year-breach/

LinkedIn
Regulators in Europe have accused LinkedIn of violating GDPR rules by misusing 18 million email addresses. The investigation originated from a 2017 complaint about how LinkedIn collects information on people who are not members of its work-focused social network. To read more: https://techcrunch.com/2018/11/24/linkedin-ireland-data-protection/

Atrium Health
Atrium Health has revealed a data breach that exposed the information of 2.65 million patients. Between September 22nd and 29th a hacker was able to gain access to databases containing records such as names, home addresses and dates of birth. To read more: https://www.zdnet.com/article/atrium-health-data-breach-exposed-2-65-million-patient-records/

Urban
A massage app known as Urban accidentally left a database containing 309,000 customer profiles exposed on the web without a password. The exposed information included data on clients who were accused of sexual misconduct. To read more: https://nypost.com/2018/11/28/massage-app-data-breach-reveals-which-clients-asked-for-sexual-favors/

ScamClub
A cyber-criminal group known as ScamClub hijacked more than 300 million browser sessions in a 48-hour period to redirect users to gift-card scams. To read more: https://www.zdnet.com/article/us-ios-users-targeted-by-massive-malvertising-campaign/

Routers
More than 45,000 internet routers were compromised by a campaign using the EternalBlue exploit. The new attack exploits routers with “vulnerable implementations of Universal Plug and Play to force connected devices to open ports 139 and 445”. Due to the flaw, almost two million devices connected to the routers are reachable via the ports. To read more: https://arstechnica.com/information-technology/2018/11/mass-router-hack-exposes-millions-of-devices-to-potent-nsa-exploit/

Reported Vulnerabilities

BitPay
A hacker injected malicious code into a popular JavaScript library in order to steal Bitcoin and Bitcoin Cash stored inside the “Copay” wallet apps of BitPay, a Bitcoin payment service. Researchers found that the malicious code lies dormant until it is used inside the source code of Copay to steal users’ wallet information. To read more: https://www.zdnet.com/article/hacker-backdoors-popular-javascript-library-to-steal-bitcoin-funds/

Apple
Dropbox unveiled three critical vulnerabilities it found in Apple’s macOS after an internal penetration test of its systems. If exploited, the bugs could enable a remote attacker to execute malicious code on a computer. To read more: https://thehackernews.com/2018/11/apple-macos-zeroday.html

Microsoft and Sennheiser
Microsoft warned users that HeadSetup and HeadSetup Pro, two apps made by Sennheiser, a German audio company, accidentally installed two root certificates on users’ computers and then leaked the private keys. The software is used to set up and manage softphones, which make calls via the internet. To read more: https://www.zdnet.com/article/microsoft-warns-about-two-apps-that-installed-root-certificates-then-leaked-the-private-keys/
