Polyverse Weekly Breach Report

A snapshot look at the breaches and reported vulnerabilities of last week

Timehop

Timehop disclosed a security breach that compromised the personal data of 21 million users, which is almost the entire user base. The startup’s service plugs into users’ social media accounts and resurfaces posts and photos they may have forgotten about. To read more: https://techcrunch.com/2018/07/09/timehop-discloses-july-4-data-breach-affecting-21-million/?utm_medium=TCnewsletter

Monzo

A digital-only bank called Monzo generated news for its role in spotting the Ticketmaster breach. However, the company has since fallen victim to a data breach of its own, after an attacker lifted customer details from a Typeform survey. Around 20,000 customers were affected. To read more: https://www.finextra.com/newsarticle/32336/from-data-security-darling-to-cyber-fall-guy-monzo-experiences-a-breach-of-its-own/retail

Humana

Humana is notifying an undisclosed number of members that their health information might have been compromised after the discovery of a spoofing attack on two of its websites. Humana discovered the attack after detecting a large number of failed logins from foreign IP addresses attempting to access Humana.com and Go365.com. To read more: https://www.beckershospitalreview.com/payer-issues/humana-suffers-spoofing-cyberattack-on-2-of-its-websites.html

Gmail

Google published a response to a story from The Wall Street Journal that detailed how common it is for third-party app developers to have the ability to read and analyze the contents of a user's Gmail messages. Google re-outlined the measures users and businesses can take to protect their privacy and security and reiterated its commitment to both. While the WSJ story did not find any wrongdoing, it shines a light on the data security practices of large companies. To read more: https://www.theverge.com/2018/7/3/17533108/google-gmail-privacy-read-email-messages-response

Polar

A popular fitness app that tracks the activity data of its users has inadvertently revealed the locations of personnel working at military bases and intelligence sites. Polar Flow allows anyone to access a user's fitness activities going back several years. This is not the first time a fitness app has revealed the locations of personnel at sensitive locations; the previous app to expose the same kind of information was Strava. To read more: https://www.zdnet.com/article/fitness-app-polar-exposed-locations-of-spies-and-military-personnel/

Reported Vulnerabilities

Huawei

Huawei shipped patches for various enterprise and broadcast products in order to fix a cryptography bug. The flaw could allow a person-in-the-middle to decrypt a session and recover its content. To read more: https://www.theregister.co.uk/2018/07/04/huawei_enterprise_comms_kit_has_tls_crypto_bug/

Stylish extension

Google and Mozilla have removed the popular Stylish extension from their catalogues because of complaints that the program collects data about users' website visits. To read more: https://www.zdnet.com/article/use-this-popular-chrome-firefox-add-on-google-mozilla-just-banished-it/

Smoke Loader

Smoke Loader, malware that can be used to distribute Trojans, ransomware and cryptocurrency-mining software, has recently been updated with a new technique. It now uses an injection technique known as PROPagate, which abuses the SetWindowSubclass function to modify the properties of windows running in the same session. To read more: https://www.zdnet.com/article/this-password-stealing-malware-just-added-a-new-way-to-infect-your-pc/

ADB (Advanced Digital Broadcast)

Two years after being reported, a set of critical vulnerabilities in ADB equipment has now received patches. The vulnerabilities affect a range of firmware versions; however, the risk of compromise depends on the ISP the equipment is connected through. To read more: https://www.zdnet.com/article/critical-year-old-adb-router-modem-vulnerabilities-finally-fixed/

ExxonMobil

ExxonMobil recently mailed letters to its rewards card members stating that the points program was being updated and replaced. Unfortunately, the letter included a confusing toll-free number and a parked website that tried to push web browser extensions onto visitors who went to the URL. To read more: https://krebsonsecurity.com/2018/07/exxonmobil-bungles-rewards-card-debut/

HPE iLO4

Exploit code was published for a severe vulnerability that affects HPE Integrated Lights-Out (iLO) 4 servers. The iLO cards allow sysadmins to install firmware remotely, reset servers, access a remote console and more. To read more: https://www.bleepingcomputer.com/news/security/you-can-bypass-authentication-on-hpe-ilo4-servers-with-29-a-characters/
