Leaks and breaches
There were a few, so I'm grouping them here:
- 150 million MyFitnessPal accounts have been compromised. Most passwords were hashed with bcrypt, but unfortunately some with SHA-1. The company does get kudos for a quick and clear disclosure process: link
- Panera Bread, a food chain with over 2000 stores, gets less kudos for having all their customer names, physical addresses and four digits of their credit cards exposed on their website for eight months before fixing it: link
- The US retail stores Saks and Lord & Taylor reported that 5 million credit card records where stolen: link
Similar to Google's 18.104.22.168 and IBM's Quad-9. But with the explicit promise of privacy, audited by KPMG. Kudos to Cloudflare, it's a really cool project.
You'll want to update fast. It's a remote code execution vulnerability in the Smart Install system, getting a severity rating (CVSS) of 9.8/10. It seems to boil down to: if you have a Cisco device that is listening on port 4786, you're a target. At least 250.000 vulnerable devices are already found to be publicly accessible.
The built-in QR code scanner can make it seem like you're about to open one page, but actually take you to another, because of incorrect URL parsing. Apple hasn't provided a fix yet.
There's a campaign underway to brute-force Magento stores, with at least 1000 stores already compromised. If you run one, make sure to check up on it.
Or how lucrative a single targeted phishing attack can be. The attackers claimed they represented Feyenoord and asked for release of funds related to a player transfer.
The program will run through the month of April, and targets the Defense Travel Systems responsible for all travel-related logistics in the DoD.
Apple released updates across their products, fixing a number of security issues. For example: fixing a problem where a thief could disable your Find My iPhone feature without needing an iCloud password. They also include privacy-related features explaining what data is collected and why.
Interesting concept: fingerprinting documents with invisible characters so you can identify data leaks. There's also a Chrome extension that detects when this happens.
I usually try and shield you guys from 'stats articles', i.e. "x% of companies has had a ransomware attack", because they're not very actionable nor very educational. But this is a pretty impressive roundup of various statistics that's easy to read. So have at it :-)
When you have indeed been pwned, 1Password will be shown as a recommendation on what to do next. Troy explains his reasoning for the partnership very well in the article. Pro's and cons are discussed on Hackernews here.