News
Minimal mode
Unfortunately I couldn't spend as much time on this issue as usual, because my wife and daughter fell ill this week. It's all hands on deck here, family comes first :-)
I included the most interesting links, but with less filtering and summarizing than usual. I hope you still get value out of it!
Breaches and leaks
- British Airways: personal and payment information of 380.000 customers was stolen. Likely executed by the Magecart group, through a malicious JavaScript include. More details here.
- Feedify: customer engagement service. It seems that the JavaScript they ask their customers to include was infected with credit-card-stealing code, again by the Magecart group.
- Veeam: data management and disaster recovery firm (ow, the irony). Exposed more than 440 million names and e-mails of a marketing database.
- FOIA.gov: US government site that deals with data transparency requests. After a site upgrade it started showing sensitive personal data, like social security numbers, that were previously masked.
- mSpy: another spyware maker, leaking millions of call logs, screenshots, location information and what have you.
- Schneider Electric: shipped malware-infected USB drives with some of its products.
- NPower: energy company, sent personal and payment information of 5.000 customers to the wrong people.
Updates
- Microsoft had its Patch Tuesday, fixing 61 vulnerabilities, 17 of which are critical remote-code execution bugs.
- Cisco released a host of fixes for critical vulnerabilities.
- Adobe pushed security updates for Flash and ColdFusion.
- Mozilla patched nine security issues in Firefox 62, including one arbitrary code execution bug.
Sponsorships
Bypassing web application firewalls
WAFs are a good security measure, but the security of your web applications should not depend solely on them, because they can be bypassed. Watch this demo on Paul's Security Weekly, during which a researcher from Netsparker explains and demonstrates how modern web application firewalls can be defeated.
1Password for Teams and Business
Simple and secure password management for you and your team. I use it myself every day and wouldn't want to miss it.