Some breaches deserve their own dedicated item, this is one of them.
The hotel group, known for Sheraton, Le Méridien and others, found out that attackers had had access to its database since 2014, impacting the personal data of a whopping 500 million guests. And apparently they're fudging up the aftermath too, with easily spoofable notification domains and other PR failures.
Another get-your-own-item winner! An attacker had access to 100 million names, emails, hashed passwords, direct messages and more.
Other breaches and leaks
The rest goes into a list. Hey, we can't all be special.
- Sotheby's: the auction house reported that one of its e-commerce portals was infected with a Magecart credit-card-stealing script. While only recently discovered, the script had been on the site since at least March 2017.
- 1-800-Flowers: the Canadian version of the flower shop reported that credit card data was breached from as early as August 2014 until September of this year. It's unclear how many customers are impacted.
- eBay Japan: no personal data leak, thankfully. But a researcher found that they had exposed their Git repository, and was able to download the entire code base, including database passwords, logs, and more.
- Bethesda: the game maker had "an issue" with their support system. Multiple users were able to see support tickets from other players, including sensitive information like name, address and purchase information.
- National Republican Congressional Committee (NRCC): attackers had access to the e-mail accounts of four senior aides for several months.
The vulnerability allows anyone to get admin privileges on the Kubernetes nodes. It's easy to exploit and requires no user interaction. If you run k8s, make sure to install the patch.
Fantastic post that dives deeper into last week's news of how the event-stream library was modified to target the Copay Bitcoin wallet. It's pretty scary to see how well the attack was executed, and how hard it is to detect.
It looks like Microsoft will halt efforts on Edge and its EdgeHTML browser engine and instead will launch a new Chromium-based browser under the codename Anaheim.
The malicious apps asked to scan your fingerprint, and then quickly popped up a payment request while your finger was still on the Touch ID button. They have since been removed from the App Store.
A sextortion ring was being operated from South Carolina prisons, specifically targeting U.S. military service members. A total of 442 people were catfished, extorting more than $500,000.
Someone went to the Shodan search engine, found 800,000 vulnerable printers, and made a chunk of them print out a PewDiePie-related message. Just as unsettling: he claims to have done it, start to finish, in half an hour.
I'll let the article explain this facepalm moment.
Fun article about a large hacker group in Dallas, Texas. Apparently the demand for cybersecurity experts is even bigger there than in Silicon Valley.
Once in a while I'll do a cross-promotion with another newsletter. It's great to cross-pollinate our subscriber bases :-) If you're into Swift development, definitely check them out!