Breaches and leaks

It's official. I now spend more time on this one segment than on the rest of the newsletter. Plenty of security work left to do, people.

  • Gator smartwatches for kids: they exposed real-time location information on 35.000 children. One could trivially get admin privileges in their backend, showing you all other accounts.
  • Singapore's Ministry of Health: a database with information on 14.000 HIV patients was leaked, by someone who had apparently stolen that data himself.
  • Ascension: this financial analytics firm had an unsecured Elasticsearch instance with over 24 million documents related to people's loans and mortgages.
  • B&Q: this DIY retail store had an exposed Elasticsearch database with the information of 70.000 identified or suspected shoplifters.
  • Airbus: had a security breach involving employee data. There's not a lot of further detail about the breach though.
  • Discover cards: customers of the Discover credit cards are getting replacements because of a possible data breach. No details are available, except that they say the breach didn't originate with them.
  • LocalBitcoins: peer-to-peer crypto exchange portal. Several users got their credentials phished, including 2FA codes.
  • Dailymotion: no real breach it seems, but they detected a credential stuffing attack (where attackers try to brute-force using passwords gained in other breaches). They stopped the attack and initiated password resets.
  • Not really a leak, but leak-related: someone found that an "[email protected]" backdoor account exists in many of the publicly leaked databases. Russia requires access to financial systems; I guess this is that? I hope they don't re-use passwords.
Dieter Van der Stock