Breaches and leaks

It's been a busy week :-/

  • Voxox: SMS provider, had a database with tens of millions of text messages publicly accessible, with a handy Elasticsearch/Kibana interface for easy search. New text messages streamed in in real time, including juicy stuff like 2FA codes.
  • US Postal Service: an API used for tracking information had no proper access control, letting anyone search postal details of over 60 million users.
  • Vision Direct: a contact lens vendor, had full credit card details of 16.300 customers stolen, including CVV codes. They were read from the checkout page through a malicious script.
  • High Tail Hall: adult video game website, had personal data of over 400.000 subscribers stolen.
  • Instagram: passwords were leaked in plain text when you used the "download your data" tool.
  • Make-A-Wish Foundation: a cryptojacking script was installed on their website, which was still vulnerable to the Drupalgeddon2 exploit.
  • Hospital in Texas: had a ransomware infection impacting 40.000 individuals, although they don't think any data was actually leaked. Data was restored from backups.
Dieter Van der Stock