Breach


Dec. 10, 2018

Google+ bug exposes non-public profile data for 52 million users

Two months after disclosing an error that exposed the private profile data of almost 500,000 Google+ users, Google on Monday revealed a new leak that affects more than 52 million people. The programming interface bug allowed developers to access names, ages, email addresses, occupations, and a wealth of other personal details even when they were set to be nonpublic. The bug was introduced in a release that went live at an undisclosed date in November and was fixed a week later, Google officials said in a blog post.

Sep. 30, 2018

Facebook says nearly 50m users compromised in huge security breach

Nearly 50m Facebook accounts were compromised by an attack that gave hackers the ability to take over users’ accounts, Facebook revealed on Friday. The breach was discovered by Facebook engineers on Tuesday 25 September, the company said, and patched on Thursday. Users whose accounts were affected will be notified by Facebook.

Those users will be logged out of their accounts and required to log back in. The security breach is believed to be the largest in Facebook’s history and is particularly severe because the attackers stole “access tokens”, a kind of security key that allows users to stay logged into Facebook over multiple browsing sessions without entering their password every time. Possessing a token allows an attacker to take full control of the victim’s account, including logging into third-party applications that use Facebook Login.

Sep. 29, 2018

Facebook caught automatically blocking AP and Guardian stories about their massive data breach

This morning, news broke that a massive data breach has exposed the personal information of 50 million Facebook users to hackers. A company blog reports that nearly 90 million users were forced to log out of their accounts as a security precaution and provided little detail on what personal information attackers were able to access. Shortly after, reports began to circulate on Twitter that Facebook was blocking a Guardian story about the breach from being posted on its platform. Within minutes, additional reports began to circulate that an Associated Press story about the breach was being blocked as well. Internet users and journalists struggled to make sense of why Facebook was censoring this massive news story for over an hour until reports once again surfaced on Twitter suggesting that the block had been resolved. While it appears as though Facebook’s effort to block the story was an anti-SPAM glitch, it’s hard to imagine how this day could have gone much worse for Facebook.

Sep. 27, 2018

Uber to pay $148 million for 2016 data breach and cover-up

The breach, revealed last year, granted hackers access to the personal information of 57 million riders and drivers. Uber paid the hackers $100,000 to delete the data and keep the breach quiet, rather than report the incident. Uber has agreed to pay $148 million in connection with a 2016 data breach and subsequent cover-up, according to the California Attorney General’s office.

Sep. 20, 2018

Another Victim of the Magecart Assault Emerges: Newegg

While the dust is settling on the British Airways compromise, the Magecart actor behind it has not stopped their work, hitting yet another large merchant: Newegg. Last week we published details on the British Airways compromise immediately after the company made its first advisory public linking the breach of customer credit card information to Magecart. We were able to disclose these details based on our years of tracking the activities and infrastructure of the umbrella of Magecart groups performing digital credit card skimming campaigns.

Jul. 13, 2018

Timehop security breach

The following is intended to provide technical details for those with interest in the specifics of the information security incident Timehop has experienced. It is also to be transparent about what has happened, and correct some earlier inaccuracies. There are still some highly specific details we are withholding about an incident that remains the subject of ongoing investigations.

Source: timehop.com

Jun. 29, 2018

Ticketmaster breached for months, personal data stolen by hackers

Ticketmaster has warned customers that their personal information may have been compromised, after malicious code was discovered running on its website. Up to 40,000 UK customers who purchased, or attempted to purchase, tickets between February and June 23, 2018 are thought to be affected. In addition, international customers who purchased, or attempted to purchase, tickets between September 2017 and June 23, 2018 may also be at risk.

Jun. 29, 2018

A new data breach may have exposed personal information of almost every American adult

A little-known Florida company may have exposed the personal data of nearly every American adult, according to a new report. Wired reported Wednesday that Exactis, a Palm Coast, Fla.-based marketing and data-aggregation company, had exposed a database containing almost 2 terabytes of data, containing nearly 340 million individual records, on a public server. That included records of 230 million consumers and 110 million businesses.

Jun. 29, 2018

Adidas Announces Data Breach

The company says it became aware of the breach on Tuesday, June 26, when it learned that an unauthorized party was claiming to have acquired the details of Adidas customers. The company said it’s still investigating the breach with law enforcement and security firms. The sportswear company did not include a tally of affected customers, but some news outlets like CBS, the Wall Street Journal, and Bloomberg reported, citing inside sources, that ‘a few millions’ of Adidas customers might be impacted.

Jun. 14, 2018

UK’s Dixons Carphone admits huge data breach

Dixons Carphone has admitted a huge data breach involving 5.9 million payment cards and 1.2 million personal data records. It is investigating the hacking attempt, which began in July last year. Dixons Carphone said it had no evidence that any of the cards had been used fraudulently following the breach.

There was ‘an attempt to compromise’ 5.8 million credit and debit cards but only 105,000 cards without chip-and-pin protection had been leaked, it said. The hackers had tried to gain access to one of the processing systems of Currys PC World and Dixons Travel stores, the firm said. Dixons Carphone shares were down more than 3% in early afternoon trading.

Jun. 6, 2018

MyHeritage Genealogy Site Announces Mega Breach Affecting 92 Million Accounts

Family genealogy and DNA testing site MyHeritage announced on Monday a security breach during which an attacker made off with account details for over 92 million MyHeritage users. The incident came to light after a security researcher found an archive on a third-party server containing the personal details of 92,283,889 MyHeritage users. The archive contained only emails and hashed passwords, but not payment card details or DNA test results.

Jun. 2, 2018

Hacker Defaces Ticketfly’s Website, Steals Customer Database

A hacker briefly took over Ticketfly’s website, defacing it with a picture of the V for Vendetta character and a claim of responsibility. The hacker also sent Motherboard files of what they say is employee and customer information taken from Ticketfly’s database. Ticketfly, which is owned by Eventbrite, took down the site and posted a message saying that the company had been “the target of a cyber incident.”

May. 29, 2018

Two Canadian banks say accounts compromised: CIBC 40,000 and BMO 50,000

Two Canadian banks warned Monday they have been targeted by hackers, and that the personal information of tens of thousands of customers may have been stolen — something that appeared to be confirmed in a letter to the media from someone who said they were demanding a $1-million ransom from the banks. CIBC-owned Simplii Financial was the first to warn on Monday morning that hackers had accessed the personal and account information of more than 40,000 of the bank’s customers. The bank said it received a tip over the weekend that hackers had obtained the data, and after a preliminary investigation decided to go public on Monday.

May. 14, 2018

Rail Europe had a three-month long credit card breach

If you booked train tickets for a European getaway in the past few months, you might want to check your bank statements. Rail Europe, a site used by Americans to buy train tickets in Europe, has revealed a three-month data breach of credit cards and debit cards. The announcement came in a letter filed with the California attorney general, in which the company said hackers put credit card-skimming malware on its website between late-November 2017 and mid-February 2018.

May. 14, 2018

Card Breach Announced at Chili’s Restaurant Chain

Malware has harvested payment card details from some Chili’s restaurants, Brinker International, the company behind the restaurant chain announced on Friday. Brinker says it detected the malware on Friday, May 11, the same day it made the announcement. The company said it is still investigating the incident together with law enforcement and third-party forensic experts.

Based on the current details it was able to gather, the company said the malware appears to have infected some of its payment systems from where it gathered credit or debit card numbers and cardholder names. The company did not publish a list of Chili’s restaurants on whose network it found the malware but said the evidence suggests the malware was only active between March and April 2018. Brinker also didn’t provide an approximate number of affected customers but promised to publish more details as the investigation goes forward.

May. 8, 2018

Equifax reveals full horror of its data breach

Equifax has published yet more detail on the data lost in its now-infamous 2017 data breach. The company says 146.6 million names, 146.6 million dates of birth, 145.5 million social security numbers, 99 million pieces of address information and 209,000 payment cards (number and expiry date) were breached; there were also 38,000 US drivers’ licenses and 3,200 passport details.

Source: co.uk

Apr. 22, 2018

FTC Puts Uber on a Short Leash for Security Breaches

Last week, Uber and the FTC finally settled on a revised consent agreement that now covers both the 2014 and 2016 breaches. The new agreement includes even more comprehensive security and privacy risk assessments, covering the security of Uber’s software development environment and use of the bug bounty.

Source: ieee.org

Apr. 12, 2018

Breach at UK’s Great Western Railway: Commuters told to reset passwords

Great Western Rail is urging all customers to change their passwords after identifying a successful attack to access GWR.com accounts over the last week.

Source: co.uk

Apr. 10, 2018

Sodexo Filmology data breach – Users need to cancel their credit cards

Sodexo food services and facilities management company notified a number of customers that it was the victim of a targeted attack on its cinema vouchers platform Sodexo Filmology.

Source: securityaffairs.co

Apr. 6, 2018

Sears Holdings, Delta and others leak credit cards in “multibreach”

Last week, on March 28, Delta was notified by [24]7.ai, a company that provides online chat services for Delta and many other companies, that [24]7.ai had been involved in a cyber incident. It is our understanding that the incident occurred at [24]7.ai from Sept. 26 to Oct. 12, 2017, and that during this time certain customer payment information for [24]7.ai clients, including Delta, may have been accessed – but no other customer personal information, such as passport, government ID, security or SkyMiles information was impacted.