Table of Contents

  1. Breaches
    1. Kreditplus - 768,890 breached accounts
    2. TrueFire - 599,667 breached accounts
    3. 199 websites breached, Cyble’s data breach alerts as of August 3, 2020 – 4.1 million accounts at risk
    4. Havenly discloses data breach after 1.3M accounts leaked online
    5. 집꾸미기 - 1,298,651 breached accounts
    6. Confirmed: Garmin received decryptor for WastedLocker ransomware
    7. Ransomware attack on MSP failed, but attackers exfiltrated some data
    8. Sheldon ISD notifies current and former staff and students of network breach
    9. Morgan Stanley Hit with Class Lawsuit Over Alleged Data Breaches
  2. Crime
    1. Malware writer pleads guilty to helping $568 million cybercrime ring
  3. Privacy
    1. The Panopticon Is Already Here
    2. Google victory in German top court over right to be forgotten
    3. New Ontario law requiring personal info for dining in prompts privacy concerns
    4. Data isn't just being collected from your phone, it's being used to score you
    5. Why a Data Breach at a Genealogy Site Has Privacy Experts Worried
    6. Singapore to make travelers wear electronic tags to enforce quarantine
  4. Vulnerabilities
    1. New ‘Unpatchable’ Exploit Found in Apple’s Secure Enclave Chip
  5. Misc
    1. US Travel firm $4.5m ransom negotiation open chat
    2. Phishing campaigns, from first to last victim, take 21h on average

Breaches

Kreditplus - 768,890 breached accounts

In June 2020, the Indonesian credit service Kreditplus suffered a data breach which exposed 896k records containing 769k unique email addresses. The breach exposed extensive personal information including names, family makeup, information on spouses, income and expenses, religions and employment information.

TrueFire - 599,667 breached accounts

In February 2020, the guitar tuition website TrueFire suffered a data breach which impacted 600k members. The breach exposed extensive personal information including names, email and physical addresses, account balances and unsalted MD5 password hashes.

199 websites breached, Cyble’s data breach alerts as of August 3, 2020 – 4.1 million accounts at risk

Cyble has detected 199 data breaches on various websites and companies. Due to these data breaches, supposedly 4.1 million user accounts are at risk.

Havenly discloses data breach after 1.3M accounts leaked online

Havenly, a US-based interior design web site, has disclosed a data breach after a hacker posted a database containing 1.3 million user records for free on a hacker forum. Havenly is an online interior design and home decoration site where users can get help designing a room in their house from certified designers. Last week, BleepingComputer reported that the ShinyHunters hacking group had leaked the databases for 18 companies on a hacker forum for free. These databases contained a combined total of 386 million user records. One of the leaked databases contained 1.3 million user records for Havenly.com.

집꾸미기 - 1,298,651 breached accounts

In March 2020, the Korean interior decoration website 집꾸미기 (Decorating the House) suffered a data breach which impacted almost 1.3 million members. Served via the URL ggumim.co.kr, the exposed data included email addresses, names, usernames and phone numbers, all of which was subsequently shared extensively throughout online hacking communities.

Confirmed: Garmin received decryptor for WastedLocker ransomware

BleepingComputer can confirm that Garmin has received the decryption key to recover their files encrypted in the WastedLocker Ransomware attack. On July 23rd, 2020, Garmin suffered a worldwide outage where customers could not access their connected services, including Garmin Connect, flyGarmin, Strava, and inReach solutions. BleepingComputer was the first to confirm that they suffered a cyberattack by the WastedLocker Ransomware operators after employees shared photos of encrypted workstations, and we found a sample of the ransomware utilized in the attack.

Ransomware attack on MSP failed, but attackers exfiltrated some data

Canadian managed service provider Pivot Technology Solutions was the victim of a ransomware attack in June. The good news is that the ransomware did not encrypt their systems. The bad news is that the attack resulted in some data of U.S. employees and consultants being exfiltrated. The firm issued a statement earlier in July that noted that their quick response and defenses had prevented the ransomware from doing much more damage.

Sheldon ISD notifies current and former staff and students of network breach

Sheldon ISD in Houston, Texas posted a notification on July 24 concerning a cyberattack. The impacted information differs for current and former students and across individuals, but generally included information such as: a student's name; year in school; school name; teacher name; sex; race; test scores; and English language proficiency. The documents did not contain Social Security Numbers or any other similarly sensitive personal information for current or former students.

Morgan Stanley Hit with Class Lawsuit Over Alleged Data Breaches

Former and current Morgan Stanley customers have filed a putative class-action lawsuit alleging negligence and invasion of privacy over the firm's failure to properly scrub decommissioned hardware of personal information such as social security numbers, account numbers and other personal data. Morgan Stanley earlier this month began notifying brokers and customers that some client information remained on hardware from two data centers that were closed in 2016.

Crime

Malware writer pleads guilty to helping $568 million cybercrime ring

Another key member of the massive Infraud cybercrime ring is likely heading to prison. Software writer Valerian Chiochiu has pleaded guilty to RICO conspiracy for helping Infraud Organization develop and use FastPOS malware that helped the group steal massive amounts of data. Infraud is now believed to have stolen enough identities, payment cards and other sensitive data to produce $568 million in losses. As for Chiochiu's creation, the FastPOS malware was first discovered by Trend Micro in 2016. In a PDF report released at the time, Trend Micro said the malware had three main components: (1) a memory scraper that collected payment card data from the computer's RAM; (2) a keylogger for recording user keystrokes; and (3) a self-updating mechanism.

Privacy

The Panopticon Is Already Here

Xi Jinping is using artificial intelligence to enhance his government's totalitarian control - and he's exporting this technology to regimes around the globe.

Google victory in German top court over right to be forgotten

A German court has sided with Google and rejected requests to wipe entries from search results. The cases hinged on whether the right to be forgotten outweighed the public's right to know.

New Ontario law requiring personal info for dining in prompts privacy concerns

Patrons in Ontario looking to dine out at restaurants, bars and even boat tours will soon need to provide their names and contact information under a new law intended to improve COVID-19 contact tracing, raising some concerns with a privacy expert. The regulations come into effect next Friday and require everyone remain seated unless they're picking up food or going to the washroom. Their names and contact information will also have to be kept on file for 30 days.

Data isn't just being collected from your phone, it's being used to score you

Operating in the shadows of the online marketplace, specialized tech companies you've likely never heard of are tapping vast troves of our personal data to generate secret "surveillance scores" - digital mug shots of millions of Americans - that supposedly predict our future behavior. The firms sell their scoring services to major businesses across the U.S. economy. CoreLogic and TransUnion say that scores they peddle to landlords can predict whether a potential tenant will pay the rent on time, be able to "absorb rent increases," or break a lease. Large employers use HireVue, a firm that generates an "employability" score about candidates by analyzing "tens of thousands of factors," including a person's facial expressions and voice intonations. Other employers use Cornerstone's score, which considers where a job prospect lives and which web browser they use to judge how successful they will be at a job.

Why a Data Breach at a Genealogy Site Has Privacy Experts Worried

Heather Murphy reports that a data security incident involving GEDmatch has people worried. GEDmatch already had privacy advocates worried because of the data it has shared with law enforcement.

Singapore to make travelers wear electronic tags to enforce quarantine

Singapore will make some incoming travelers wear an electronic monitoring device to ensure that they comply with coronavirus quarantines as the city-state gradually reopens its borders, authorities said Monday. From August 11, the devices will be given to incoming travelers, including citizens and residents, from a select group of countries who will be allowed to isolate at home rather than at a state-appointed facility. Similar measures using electronic wristbands to track people's movements during quarantine have been used in Hong Kong and South Korea.

Vulnerabilities

New ‘Unpatchable’ Exploit Found in Apple’s Secure Enclave Chip

One of the major security enhancements Apple has brought to its devices over the years is the Secure Enclave chip, which encrypts and protects all sensitive data stored on the devices. Last month, however, hackers claimed they found a permanent vulnerability in the Secure Enclave, which could put data from iPhone, iPad, and even Mac users at risk. Now, Chinese hackers from the Pangu Team have reportedly found an "unpatchable" exploit on Apple's Secure Enclave chip that could lead to breaking the encryption of private security keys. An unpatchable exploit means that the vulnerability was found in the hardware and not the software, so there's probably nothing Apple can do to fix it on devices that have already been shipped. We still don't have further details on what exactly hackers can do with this specific vulnerability, but having full access to the Secure Enclave could also mean having access to passwords, credit cards, and much more. The only thing we know so far is that this vulnerability in Secure Enclave affects all Apple chips between the A7 and A11 Bionic, similar to the checkm8 exploit that allows jailbreak for almost all iOS devices up to iPhone X.

Misc

US Travel firm $4.5m ransom negotiation open chat

An interesting thing happened on the internet this week. A U.S. travel management firm was hit with Ragnar Locker ransomware. The company agreed to pay and handed over $4.5 million in bitcoin. But the online chat room where the ransom negotiations took place was left online, giving a rare and incredibly interesting insight into how these things actually go down.

Phishing campaigns, from first to last victim, take 21h on average

A mixed team of security researchers from Google, PayPal, Samsung, and Arizona State University has spent an entire year analyzing the phishing landscape and how users interact with phishing pages. In a mammoth project that involved analyzing 22,553,707 user visits to 404,628 phishing pages, the research team has been able to gather some of the deepest insights into how phishing campaigns work. "We find that the average phishing attack spans 21 hours between the first and last victim visit, and that the detection of each attack by anti-phishing entities occurs on average nine hours after the first victim visit," the research team wrote in a report they are scheduled to present at the USENIX security conference this month. "Once detected, a further seven hours elapse prior to peak mitigation by browser-based warnings."