Flipboard hacked and open for 9 months – fortunately passwords properly salted and encrypted so not much damage

In a series of emails seen by ZDNet that the company sent out to impacted users, Flipboard said hackers gained access to databases the company was using to store customer information. Most passwords are secure Flipboard said these databases stored information such as Flipboard usernames, hashed and uniquely salted passwords, and in some cases, emails Read more about Flipboard hacked and open for 9 months – fortunately passwords properly salted and encrypted so not much damage[…]

Mysterious Chinese Dating Apps Targeting US Customers Expose 42.5 Million Records Online

On May 25th I discovered a non password protected Elastic database that was clearly associated with dating apps based on the names of the folders. The IP address is located on a US server and a majority of the users appear to be Americans based on their user IP and geolocations. I also noticed Chinese Read more about Mysterious Chinese Dating Apps Targeting US Customers Expose 42.5 Million Records Online[…]

First American Financial Corp. Leaked 885 Million Title Insurance Records

The Web site for Fortune 500 real estate title insurance giant First American Financial Corp. [NYSE:FAF] leaked hundreds of millions of documents related to mortgage deals going back to 2003, until notified this week by KrebsOnSecurity. The digitized records — including bank account numbers and statements, mortgage and tax records, Social Security numbers, wire transaction Read more about First American Financial Corp. Leaked 885 Million Title Insurance Records[…]

G Suite passwords stored unhashed creds since 2005, and other passwords in plain text for 14 days for troubleshooting

Google admitted Tuesday its paid-for G Suite of cloudy apps aimed at businesses stored some user passwords in plaintext albeit in an encrypted form. Administrators of accounts affected by the security blunder were warned via email that, in certain circumstances, passwords had not been hashed. Hashing is a standard industry practice that protects credentials by Read more about G Suite passwords stored unhashed creds since 2005, and other passwords in plain text for 14 days for troubleshooting[…]

Android and iOS devices impacted by new sensor calibration attack – it’s easy to follow your device everywhere online

A new device fingerprinting technique can track Android and iOS devices across the Internet by using factory-set sensor calibration details that any app or website can obtain without special permissions. This new technique — called a calibration fingerprinting attack, or SensorID — works by using calibration details from gyroscope and magnetometer sensors on iOS; and Read more about Android and iOS devices impacted by new sensor calibration attack – it’s easy to follow your device everywhere online[…]

Over 25,000 Linksys Smart Wi-Fi routers kept info on who connected to them and are now leaking this

Using data provided by BinaryEdge, our scans have found 25,617 Linksys Smart Wi-Fi routers are currently leaking sensitive information to the public internet, including: MAC address of every device that’s ever connected to it (full historical record, not just active devices) Device name (such as “TROY-PC” or “Mat’s MacBook Pro”) Operating system (such as “Windows Read more about Over 25,000 Linksys Smart Wi-Fi routers kept info on who connected to them and are now leaking this[…]

Millions of Instagram influencers had their private contact data scraped and exposed on AWS

A massive database containing contact information of millions of Instagram influencers, celebrities and brand accounts has been found online. The database, hosted by Amazon Web Services, was left exposed and without a password allowing anyone to look inside. At the time of writing, the database had over 49 million records — but was growing by Read more about Millions of Instagram influencers had their private contact data scraped and exposed on AWS[…]

Adobe: If You Use Old Apps, You May Be Violating Third-Party Copyrights, highlighting the problem that you don’t own anything in the Cloud

Last week, Adobe said that older versions of Creative Cloud apps—including Photoshop and Lightroom—would no longer be available to subscribers. This week, some users are getting messages from Adobe warning they could be at “risk of potential claims of infringement by third parties” should they continue to use outdated versions of their apps. The new Read more about Adobe: If You Use Old Apps, You May Be Violating Third-Party Copyrights, highlighting the problem that you don’t own anything in the Cloud[…]

It’s 2019 and a WhatsApp call can hack a phone: Zero-day exploit infects mobes with spyware

A security flaw in WhatsApp can be, and has been, exploited to inject spyware into victims’ smartphones: all a snoop needs to do is make a booby-trapped voice call to a target’s number, and they’re in. The victim doesn’t need to do a thing other than leave their phone on. The Facebook-owned software suffers from Read more about It’s 2019 and a WhatsApp call can hack a phone: Zero-day exploit infects mobes with spyware[…]

New Intel firmware boot verification bypass enables low-level persistent backdoors

Researchers have found a new way to defeat the boot verification process for some Intel-based systems, but the technique can also impact other platforms and can be used to compromise machines in a stealthy and persistent way. Researchers Peter Bosch and Trammell Hudson presented a time-of-check, time-of-use (TOCTOU) attack against the Boot Guard feature of Read more about New Intel firmware boot verification bypass enables low-level persistent backdoors[…]

Over 275 Million Indian Personal Records Exposed by Unsecured MongoDB Database

A huge MongoDB database exposing 275,265,298 records of Indian citizens containing detailed personally identifiable information (PII) was left unprotected on the Internet for more than two weeks. Security Discovery researcher Bob Diachenko discovered the publicly accessible MongoDB database hosted on Amazon AWS using Shodan, and as historical data provided by the platform showed, the huge cache Read more about Over 275 Million Indian Personal Records Exposed by Unsecured MongoDB Database[…]

Hacker Finds He Can Remotely Kill Car Engines, take location and personal data After Breaking Into Fleet GPS Tracking Apps, because default account password is 123456

The hacker, who goes by the name L&M, told Motherboard he hacked into more than 7,000 iTrack accounts and more than 20,000 ProTrack accounts, two apps that companies use to monitor and manage fleets of vehicles through GPS tracking devices. The hacker was able to track vehicles in a handful of countries around the world, Read more about Hacker Finds He Can Remotely Kill Car Engines, take location and personal data After Breaking Into Fleet GPS Tracking Apps, because default account password is 123456[…]

Unsecured MS cloud database removed after exposing details on 80 million US households

the addresses and demographic details of more than 80 million US households were exposed on an unsecured database stored on the cloud, independent security researchers have found. The details included names, ages and genders as well as income levels and marital status. The researchers, led by Noam Rotem and Ran Locar, were unable to identify Read more about Unsecured MS cloud database removed after exposing details on 80 million US households[…]

Sinister secret backdoor found in networking gear perfect for government espionage: The Chinese are – oh no, wait, it’s Cisco again

Right on cue, Cisco on Wednesday patched a security vulnerability in some of its network switches that can be exploited by miscreants to commandeer the IT equipment and spy on people. This comes immediately after panic this week over a hidden Telnet-based diagnostic interface was found in Huawei gateways. Although that vulnerability was real, irritating, Read more about Sinister secret backdoor found in networking gear perfect for government espionage: The Chinese are – oh no, wait, it’s Cisco again[…]

Dell laptops and computers vulnerable to remote hijacks via Dell admin tool

A vulnerability in the Dell SupportAssist utility exposes Dell laptops and personal computers to a remote attack that can allow hackers to execute code with admin privileges on devices using an older version of this tool and take over users’ systems. Dell has released a patch for this security flaw on April 23; however, many Read more about Dell laptops and computers vulnerable to remote hijacks via Dell admin tool[…]

‘Millions’ of Instagram Passwords Were Exposed to Facebook Employees In Plaintext

On Thursday, at just about the same time as the most highly anticipated government document of the decade was released in Washington D.C., Facebook updated a month-old blog post to note that actually a security incident impacted “millions” of Instagram users and not “tens of thousands” as they said at first. Last month, Facebook announced Read more about ‘Millions’ of Instagram Passwords Were Exposed to Facebook Employees In Plaintext[…]

Microsoft admits: Yes, miscreants leafed through some Hotmail, MSN, Outlook inboxes after support rep pwned

Microsoft says miscreants accessed some of its customers’ webmail inboxes and account data after a support rep’s administrative account was hijacked. The Redmond software giant has sent Hotmail, MSN, and Outlook cloud users notifications that the unnamed customer support rep’s account was compromised by hackers who would have subsequently gained “limited access” to certain parts Read more about Microsoft admits: Yes, miscreants leafed through some Hotmail, MSN, Outlook inboxes after support rep pwned[…]

Internet Explorer exploit is trouble even if you never use the browser

Finally stopped using Internet Explorer? Good! But, now it’s time to completely delete it from your computer, too. Security researcher John Page has discovered a new security flaw that allows hackers to steal Windows users’ data thanks to Internet Explorer. The craziest part: Windows users don’t ever even have to open the now-obsolete web browser Read more about Internet Explorer exploit is trouble even if you never use the browser[…]

Two out of three hotels accidentally leak guests’ personal data to third parties

Two out of three hotel websites inadvertently leak guests’ booking details and personal data to third-party sites, including advertisers and analytics companies, according to research released by Symantec Corp on Wednesday. The study, which looked at more than 1,500 hotel websites in 54 countries that ranged from two-star to five-star properties, comes several months after Read more about Two out of three hotels accidentally leak guests’ personal data to third parties[…]

Serious flaws found in WPA3’s wifi Handshake

because WPA2 is more than 14 years old, the Wi-Fi Alliance recently announced the new and more secure WPA3 protocol. One of the main advantages of WPA3 is that, thanks to its underlying Dragonfly handshake, it’s near impossible to crack the password of a network. Unfortunately, we found that even with WPA3, an attacker within Read more about Serious flaws found in WPA3’s wifi Handshake[…]

540 Million Facebook User Records Exposed Online, Plus Passwords, Comments, and More

Researchers at the cybersecurity firm UpGuard on Wednesday said they had discovered the existence of two datasets together containing the personal data of hundreds of millions of Facebook users. Both were left publicly accessible. In a blog post, UpGuard connected one of the leaky databases to a Mexico-based media company called Cultura Colectiva. The data Read more about 540 Million Facebook User Records Exposed Online, Plus Passwords, Comments, and More[…]

A patchy Apache a-patchin: HTTP server gets fix for worrying root access hole

Apache HTTP Server has been given a patch to address a potentially serious elevation of privilege vulnerability. Designated CVE-2019-0211, the flaw allows a “worker” process to change its privileges when the host server resets itself, potentially allowing anyone with a local account to run commands with root clearance, essentially giving them complete control over the Read more about A patchy Apache a-patchin: HTTP server gets fix for worrying root access hole[…]

Hackers Hijacked ASUS Software Updates to Install Backdoors on half a million Computers

Researchers at cybersecurity firm Kaspersky Lab say that ASUS, one of the world’s largest computer makers, was used to unwittingly install a malicious backdoor on thousands of its customers’ computers last year after attackers compromised a server for the company’s live software update tool. The malicious file was signed with legitimate ASUS digital certificates to Read more about Hackers Hijacked ASUS Software Updates to Install Backdoors on half a million Computers[…]

FEMA Breach Exposes Personal Data and Banking Information of 2.3 Million Disaster Survivors

The Federal Emergency Management Agency may have put the personally identifying information of millions of disaster survivors at risk of fraud and identity theft, according to a recent report from the Department of Homeland Security’s Office of Inspector General. The March 15 report said that during an audit of FEMA’s Transitional Sheltering Assistance program, it Read more about FEMA Breach Exposes Personal Data and Banking Information of 2.3 Million Disaster Survivors[…]

Nokia phones caught spewing device IDs to China, software blunder blamed

An undisclosed number of Nokia 7 Plus smartphones have been caught sending their identification numbers to a domain owned by a Chinese telecom firm. The handsets spaffed the data in clear text over the internet to a server behind the domain vnet.cn, which appears to be owned by China Telecom. The HTTP POST requests from Read more about Nokia phones caught spewing device IDs to China, software blunder blamed[…]