Ticketcounter leaks data for millions of people, didn’t delete sensitive data and was outed

Data of visitors to Diergaarde Blijdorp, Apenheul, Dierenpark Amersfoort and dozens of other theme parks are on the street. Ticket seller Ticketcounter is also extorted for 3 tons. An employee accidentally posted data online where they didn’t have to. As a result, the data could be found there for months (from 5 August 2020 to Read more about Ticketcounter leaks data for millions of people, didn’t delete sensitive data and was outed[…]

1Password has none, KeePass has none… So why are there seven embedded trackers in the LastPass Android app?

A security researcher has recommended against using the LastPass password manager Android app after noting seven embedded trackers. The software’s maker says users can opt out if they want. […] The Exodus report on LastPass shows seven trackers in the Android app, including four from Google for the purpose of analytics and crash reporting, as Read more about 1Password has none, KeePass has none… So why are there seven embedded trackers in the LastPass Android app?[…]

Half a million stolen French medical records, lab results, feeble excuses

[…] Here in France, we’ve just experienced the country’s biggest ever data breach of customer records, involving some half a million medical patients. Worse, the data wasn’t even sold or held to ransom by dark web criminals: it was just given away so that anyone could download it. Up to 60 fields of personal data Read more about Half a million stolen French medical records, lab results, feeble excuses[…]

Why You Should Switch From LastPass to Bitward’s Password Manager

Whether you’re looking to make a change in your password management just because, or you’re a LastPass user annoyed with the service’s recent changes to its free tier, switching to the much-loved (and free) Bitwarden service is a good choice. Bitwarden is now the best free password manager for most people—since it works across all Read more about Why You Should Switch From LastPass to Bitward’s Password Manager[…]

France has been suffering A Very ‘Solar Winds’-Like Cyberattack since 2017

As the U.S. continues to chart the damage from the sweeping “SolarWinds” hack, France has announced that it too has suffered a large supply chain cyberattack. The news comes via a recently released technical report published by the Agence Nationale de la sécurité des systèmes d’information—or simply ANSSI—the French government’s chief cybersecurity agency. Like the Read more about France has been suffering A Very ‘Solar Winds’-Like Cyberattack since 2017[…]

Apple new M1 chip specific Malware Has Arrived

Now that Apple has officially begun the transition to Apple Silicon, so has malware. Security researcher Patrick Wardle published a blog detailing that he’d found a malicious program dubbed GoSearch22, a Safari browser extension that’s been reworked for Apple’s M1 processor. (The extension is a variant of the Pirrit adware family, which is notorious on Read more about Apple new M1 chip specific Malware Has Arrived[…]

Brazil’s Health Ministry’s Website Data Leak Exposed 243 Million Medical Records for More Than 6 Months

Personal information of more than 243 million Brazilians was exposed for more than six months thanks to weakly encoded credentials stored in the source code of the Brazilian Ministry of Health’s website. The data leak exposed both living and deceased Brazilians’ medical records to possible unauthorized access. The incident was the second reported by Brazilian Read more about Brazil’s Health Ministry’s Website Data Leak Exposed 243 Million Medical Records for More Than 6 Months[…]

Researchers Say Favicons Can Track You Across the Web

German software designer Jonas Strehle has published a proof of concept on GitHub that he says demonstrates a method in which the favicon’s cache can be used to store a unique identifier for a user that is readable “in the browser’s incognito mode and is not cleared by flushing the cache, closing the browser or Read more about Researchers Say Favicons Can Track You Across the Web[…]

Firefox 85 removes support for Flash and adds protection against supercookies

Mozilla has released Firefox 85 ending support for Adobe Flash Player plugin and has brought in ways to block supercookies to enhance a user’s privacy. Mozilla, in a blog post, noted that supercookies are store user identifiers, and are much more difficult to delete and block. It further noted that the changes it is making Read more about Firefox 85 removes support for Flash and adds protection against supercookies[…]

Decade-old bug in Linux world’s sudo can be abused by any logged-in user to gain root privileges

Security researchers from Qualys have identified a critical heap buffer overflow vulnerability in sudo that can be exploited by rogue users to take over the host system. Sudo is an open-source command-line utility widely used on Linux and other Unix-flavored operating systems. It is designed to give selected, trusted users administrative control when needed. The Read more about Decade-old bug in Linux world’s sudo can be abused by any logged-in user to gain root privileges[…]

Dutch COVID-19 patient and testing data sold on the criminal underground

Dutch police have arrested two individuals on Friday for allegedly selling data from the Dutch health ministry’s COVID-19 systems on the criminal underground. The arrests came after an investigation by RTL Nieuws reporter Daniel Verlaan who discovered ads for Dutch citizen data online, advertised on instant messaging apps like Telegram, Snapchat, and Wickr. The ads consisted of Read more about Dutch COVID-19 patient and testing data sold on the criminal underground[…]

DNSPOOQ breaks dnsmasq allowing for cache poisoning, remote code execution and more

The JSOF research labs are reporting 7 vulnerabilities found in dnsmasq, an open-source DNS forwarding software in common use. Dnsmasq is very popular, and we have identified approximately 40 vendors whom we believe use dnsmasq in their products, as well as major Linux distributions. The DNS protocol has a history of vulnerabilities dating back to Read more about DNSPOOQ breaks dnsmasq allowing for cache poisoning, remote code execution and more[…]

WhatsApp Private Groups + user phone numbers Were Accessible Again to Anyone Searching on Google – a yearly event now

WhatsApp groups are showing up on Google search yet again. As a result, anyone could discover and join a private WhatsApp group by simply searching on Google. This was first discovered in 2019, and was apparently fixed last year after becoming public. Another old issue, which also appeared to have been fixed but seems to Read more about WhatsApp Private Groups + user phone numbers Were Accessible Again to Anyone Searching on Google – a yearly event now[…]

Socialarcs 400GB of scraped data exposing 200+ million Facebook, Instagram and LinkedIn users. Again.

High-flying and rapidly growing Chinese social media management company Socialarks has suffered a huge data leak leading to the exposure of over 400GB of personal data including several high-profile celebrities and social media influencers. The company’s unsecured ElasticSearch database contained personally identifiable information (PII) from at least 214 million social media users from around the Read more about Socialarcs 400GB of scraped data exposing 200+ million Facebook, Instagram and LinkedIn users. Again.[…]

Amazon Ring Neighbors App Left User Data Exposed, incl addresses, lat + long

Ring, the Amazon-owned friend to nosy police departments everywhere, has suffered another embarrassing security stumble. The surveillance company’s Neighbors app—which was launched in 2018 as a kind of “neighborhood watch” feature—apparently left users exact geographical data and home address information exposed to the internet. Neighbors is Ring’s online forum where users can share public safety Read more about Amazon Ring Neighbors App Left User Data Exposed, incl addresses, lat + long[…]

Zyxel products have a hardcoded root user you can access from internet

TL;DR: If you have a Zyxel USG, ATP, VPN, ZyWALL or USG FLEX you should update to the latest firmware version today. You can find the full list of affected devices here and the Zyxel advisory here. Zyxel is a popular brand for firewalls that are marketed towards small and medium businesses. Their Unified Security Read more about Zyxel products have a hardcoded root user you can access from internet[…]

Spotify resets passwords after a security bug exposed users’ private account information – for 6 months

Spotify said it has reset an undisclosed number of user passwords after blaming a software vulnerability in its systems for exposing private account information to its business partners. In a data breach notification filed with the California attorney general’s office, the music streaming giant said the data exposed “may have included email address, your preferred Read more about Spotify resets passwords after a security bug exposed users’ private account information – for 6 months[…]

Data of 243 million Brazilians exposed online via govt website source code

The personal information of more than 243 million Brazilians, including alive and deceased, has been exposed online after web developers left the password for a crucial government database inside the source code of an official Brazilian Ministry of Health’s website for at least six months. The security snafu was discovered by reporters from Brazilian newspaper Estadao, Read more about Data of 243 million Brazilians exposed online via govt website source code[…]

Bumble Left Daters’ Location Data Up For Grabs For Over Six Months

Bumble, the dating app behemoth that’s allegedly headed to a major IPO as soon as next year, apparently took over half a year to deal with major security flaws that left sensitive information its millions of users vulnerable. That’s according to new research posted over the weekend by cybersecurity firm Independent Security Evaluators (ISE) detailing Read more about Bumble Left Daters’ Location Data Up For Grabs For Over Six Months[…]

Microsoft: Russian, North Korean Hackers Attacked Covid-19 Labs

Microsoft researchers have found evidence that Russian and North Korean hackers have systematically attacked covid-19 labs and vaccine makers in an effort to steal data and initiate ransomware attacks. “Among the targets, the majority are vaccine makers that have Covid-19 vaccines in various stages of clinical trials, clinical research organization involved in trials, and one Read more about Microsoft: Russian, North Korean Hackers Attacked Covid-19 Labs[…]

Microsoft warns against SMS, voice calls for multi-factor authentication: Try something that can’t be SIM swapped

In a blog post, Alex Weinert, director of identity security at Microsoft, says people should definitely use MFA. He claims that accounts using any type of MFA get compromised at a rate that’s less than 0.1 per cent of the general population. At the same time, he argues people should avoid relying on SMS messages Read more about Microsoft warns against SMS, voice calls for multi-factor authentication: Try something that can’t be SIM swapped[…]

Swiss spies knew about Crypto AG compromise – and kept it from govt overseers for nearly 30 years

Swiss politicians only found out last year that cipher machine company Crypto AG was (quite literally) owned by the US and Germany during the Cold War, a striking report from its parliament has revealed. The company, which supplied high-grade encryption machines to governments and corporations around the world, was in fact owned by the US Read more about Swiss spies knew about Crypto AG compromise – and kept it from govt overseers for nearly 30 years[…]

EU Takes Another Small Step Towards Trying To Ban Encryption; New Paper Argues Tech Can Backdoor Encryption Safely. It can’t.

In September, we noted that officials in the EU were continuing an effort to try to ban end-to-end encryption. Of course, that’s not how they put it. They say they just want “lawful access” to encrypted content, not recognizing that any such backdoor effectively obliterates the protections of end-to-end encryption. A new “Draft Council Resolution Read more about EU Takes Another Small Step Towards Trying To Ban Encryption; New Paper Argues Tech Can Backdoor Encryption Safely. It can’t.[…]