
Here's The Ultimate Guide to Virtual Credit Card in Safeguarding Online Privacy

 

Virtual credit cards are digital versions of physical credit cards. They generate a unique card number that you can use instead of your physical card number, which prevents the merchant from storing your real card details and keeps your financial data safer. 

With security breaches in the news, using a virtual card adds an extra degree of security. Several major credit card issuers provide virtual cards, although there are several outliers. Virtual credit cards provide more than just security. A virtual credit card allows you to utilise a newly created account before the physical card arrives, allowing you to collect rewards right away or make progress towards a welcome bonus. 

Are virtual cards safer than physical cards? 

Virtual cards provide an additional layer of security over physical cards by safeguarding your real credit card information. This makes them safer than physical cards in various aspects: 

  • Virtual credit cards might have spending caps and be restricted to specific merchants. They can also be configured for single use, deactivating automatically after the very first transaction. These restrictions provide extra fraud protection compared to a standard credit card.
  • Unlike conventional credit cards, virtual cards cannot be stolen or misplaced. If you carry a physical credit card and it is stolen, you may be exposed to fraud. Virtual cards are stored in your digital wallet, keeping you protected from that risk.
  • Virtual credit cards must adhere to the Payment Card Industry Data Security Standard (PCI DSS), which includes standards and guidelines aimed at safeguarding credit and debit transactions and preventing the exploitation of cardholder data. 

Benefits and drawbacks 

Virtual credit cards have many benefits, but there are a few drawbacks. Here are some of the advantages and disadvantages of virtual cards.

Pros: 

Enhanced security: Using virtual cards for online transactions safeguards your actual credit card information and adds an extra layer of security over physical credit cards.

Flexibility: Without changing your actual credit card, you can choose which vendors you want to use the card with, set expiration dates, and create specific spending limits.

Convenience: Virtual credit cards are generated instantly and can be used immediately for online purchases and contactless payments.

Cons:

Not always usable in-store: Not every retailer accepts contactless methods like Apple Pay or Google Pay. Virtual cards are ideal for online shopping, but you may be constrained when paying in person.

Refunds could be difficult: Every retailer has different policies, and some will only issue refunds to the original payment method. If you used a virtual card number that is no longer active, this can be a problem; you may instead receive a cheque, a gift card or store credit.

Unsuitable for reservations: It may be difficult to match your payment method at check-in if you use a virtual card to make a hotel reservation. Since hotels usually require a physical card at check-in, using a virtual card may require further verification, such as contacting your bank.

Community Health Centre Data Breach Impacts Over 1 Million Patients

 

Over a million people have been notified of a recent data breach by Community Health Centre, a nonprofit healthcare organisation based in Middletown, Connecticut. On January 2, 2025, unauthorised activity was detected in its computer systems, and external cybersecurity specialists were hired to help with the investigation and establish the nature and scale of the unauthorised activity. 

The investigation revealed that an online criminal gained access to its computer systems and stole data from the network. The Community Health Centre did not confirm whether a ransom demand was made; however, it did state that no data was deleted from its network and no files were encrypted, therefore the incident had no effect on its daily operations.

In the statement to the Attorney General of Maine, Community Health Centre explained that "there is no current threat to our systems, and we believe we stopped the criminal hacker's access within hours." The breach initially occurred on October 14, 2024, according to the breach notice from the Maine Attorney General.

The file review is now concluded, and the Community Health Centre has confirmed that the following data may have been compromised: names, addresses, phone numbers, email addresses, dates of birth, diagnoses, test results, treatment information, health insurance information, and Social Security numbers.

Up to 1,060,936 people have been impacted, including paediatric patients, their parents, and guardians. Some of the affected individuals have passed away, and notifications are being sent to their next of kin. While the majority of affected patients are likely from Connecticut, the California Attorney General has also been notified of the data leak. 

With over 1 million records, this is the most significant healthcare data breach revealed this year. Employees at Moses-Weitzman Health System were also impacted.

According to Community Health Centre, software has been put in place to monitor its systems for suspicious activity, and security has been reinforced. Community Health Centre has provided the impacted individuals with free identity theft protection services for a period of 24 months, even though there are currently no signs that any of the stolen data has been misused.

Three Ways To Prevent Insider Threat Driven Data Leaks

 

The United States is poised to undergo a period of highly disruptive transformation. The incoming administration has promised to make significant changes, including forming a new body, the Department of Governmental Efficiency (DOGE), with the aim of substantially reducing the size of the government. 

Many people in our hugely polarised society are unhappy with the upcoming changes. Some will even refuse to "go down without a fight" and attempt to sabotage the shift or the new administration's prospects for success. How? One popular disruption method is to leak bits and pieces of insider information in order to distract, provoke opposition, and ultimately stall the changes.

While insider leaks can occur at any organisation and at any moment, a controversial move can be a major driver for such threats. We don't need to look far back for examples of this. After Donald Trump was elected to his first term, someone explicitly got a job as an IRS contractor so that he could leak the tax returns of key leaders, including President Trump. There was also information disclosed concerning a Trump cabinet pick. 

It's possible that this behaviour will worsen significantly. Agencies and organisations can take proactive measures to prepare for this. 

Launch an insider threat program: Nearly 80% of organisations have noticed an increase in insider threat activity since 2019, and just 30% believe they have the ability to deal with the situation. While external threats are frequently addressed, according to IBM's Cost of a Data Breach report, breaches by people within an organisation were the most costly, averaging just shy of $5 million.

Having a formal security strategy in place can safeguard sensitive data, maintain operational integrity, and ensure that your organization's communication links remain open and secure. Start by assessing your risk, establishing guidelines for data sharing and management, and installing technologies to monitor user activity, detect irregularities, and notify security teams of potential risks. 

Individualize information: Organisations can also explore using steganographic technologies to personalise the information they send to their employees. Forensic watermarking technology allows sensitive information to be shared in such a way that each employee receives a completely unique copy, with differences undetectable to the human eye. With this technology in place, employees are more likely to think twice before passing on a secret presentation on future strategy. If a leak still occurs, the organisation can easily identify the source.

Avoid sharing files: The world must shift away from using files to share personal information. At first glance, it may appear impossible, yet changing the way organisations share information might help them preserve their most valuable information. File sharing is more than a risk factor; it is also a threat vector, as files are the source of the majority of data exfiltration risks. As a result, deleting them would naturally eliminate the threat. What are the alternatives? Using SaaS applications in which no one can download anything. This strategy also helps to safeguard against external attacks.

Cloudflare CDN Vulnerability Exposes User Locations on Signal, Discord

 

A threat analyst identified a vulnerability in Cloudflare's content delivery network (CDN) which could expose someone's whereabouts just by sending them an image via platforms such as Signal and Discord. While the attack's geolocation capability is too coarse for street-level tracking, it can provide enough information to determine a person's general region and track their movements. 

Daniel's discovery is especially alarming for individuals who are particularly concerned about their privacy, such as journalists, activists, dissidents, and even cybercriminals. The same flaw, however, can help investigators by giving them further details about the state or nation where a suspect might be. 

Covert zero-click monitoring

Daniel, a security researcher, found three months ago that Cloudflare speeds up load times by caching media resources at the data centre closest to the user. 

"3 months ago, I discovered a unique 0-click deanonymization attack that allows an attacker to grab the location of any target within a 250 mile radius," explained Daniel. "With a vulnerable app installed on a target's phone (or as a background application on their laptop), an attacker can send a malicious payload and deanonymize you within seconds, and you wouldn't even know." 

To carry out the information-disclosure attack, the researcher would send the target a message containing a unique image, such as a screenshot or a profile avatar, which is stored on Cloudflare's CDN. 

Subsequently, he exploited a flaw in Cloudflare Workers to force queries through specific data centres via a new tool called Cloudflare Teleport. This arbitrary routing is typically prohibited by Cloudflare's default security limitations, which require that each request be routed from the nearest data centre. 

By enumerating cached replies from multiple Cloudflare data centres for the sent image, the researcher was able to map users' geographical locations based on the CDN returning the closest airport code to their data centre.

Furthermore, since many apps, like Signal and Discord, automatically download images for push notifications, an attacker can monitor a target without requiring user engagement, resulting in a zero-click attack. Tracking accuracy extends from 50 to 300 miles, depending on the location and the number of Cloudflare data centers nearby.

TRAI Calling: Fraudsters Are Now Employing Novel Strategy to Target Mobile Users

 

As the government intensifies efforts to raise awareness about digital arrests and online financial fraud, fraudsters have shifted their strategies to stay ahead. A concerning trend has emerged where these individuals pose as representatives of the Telecom Regulatory Authority of India (TRAI). Exploiting the credibility associated with the regulatory body, they attempt to deceive unsuspecting users.

These fraudsters often initiate contact by mimicking official government alert messages that warn the public about scams. The tone and language of their communication are crafted to appear authoritative and urgent, persuading recipients to trust the information. In many cases, the messages aim to extract sensitive data, such as personal identification numbers, bank account details, or login credentials, under the guise of preventing fraud.

Such scams highlight the need for individuals to remain vigilant and verify the authenticity of any unsolicited messages or calls claiming to be from regulatory authorities. It is essential to cross-check the source of the communication, avoid sharing sensitive information over the phone or through unverified links, and report suspicious activities to the appropriate authorities.

By staying informed and adopting proactive measures, users can protect themselves from becoming victims of these evolving schemes, contributing to a safer digital environment for all.


Global Apps Exploited to Harvest Sensitive Location Data

 


Rogue actors within the advertising industry are reportedly exploiting major global apps to collect sensitive user location data on a massive scale. This data is then funneled to a location data firm whose subsidiary has previously sold global tracking information to U.S. law enforcement agencies. 
 
Hacked files from the location data company Gravy Analytics reveal that numerous popular apps are involved in this data collection. These apps span across categories, including games like Candy Crush, dating platforms such as Tinder, pregnancy tracking tools, and religious prayer apps available on both Android and iOS. Since this data gathering occurs through the advertising ecosystem rather than direct app development, users — and even app developers — are likely unaware of these invasive practices. 

How the Data Collection Works 
 
Zach Edwards, a senior threat analyst at cybersecurity firm Silent Push, analyzed the data and shared with 404 Media, “For the first time publicly, we seem to have proof that one of the largest data brokers selling to both commercial and government clients appears to be acquiring their data from the online advertising bid stream,” rather than through embedded app code.

This discovery offers rare insight into the shadowy world of real-time bidding (RTB). Historically, location data providers paid app developers to integrate tracking code that harvested user data. However, many companies now exploit the advertising ecosystem, where firms bid to place ads in apps. Data brokers can tap into this system, silently collecting users' mobile phone locations without consent.

“This is a nightmare scenario for privacy,” Edwards added. “Not only does this data breach involve data scraped from RTB systems, but there’s a company out there acting recklessly, collecting and using every piece of data it encounters.” 

The compromised data from Gravy Analytics includes tens of millions of cellphone location points from users in the United States, Russia, and Europe. Some files also list specific apps associated with each data point. Upon reviewing the leaked files, 404 Media identified a wide range of popular apps implicated in this breach, including:
  • Dating Apps: Tinder, Grindr
  • Mobile Games: Candy Crush, Temple Run, Subway Surfers, Harry Potter: Puzzles & Spells
  • Transit App: Moovit
  • Health & Fitness: My Period Calendar & Tracker, MyFitnessPal
  • Social Media: Tumblr
  • Email Services: Yahoo Mail
  • Productivity Tools: Microsoft 365
  • Travel Apps: Flightradar24
  • Religious Apps: Muslim prayer apps, Christian Bible apps
  • Privacy Tools: Various VPN apps
Ironically, some users turned to VPN apps to protect their privacy, only to have their location data compromised. 

This breach highlights a dangerous loophole in the advertising ecosystem, where sensitive user data can be harvested without clear consent or awareness. The involvement of a company with a history of selling data to government agencies raises serious concerns about surveillance and misuse. As the digital world grows increasingly interconnected, this incident serves as a stark reminder of the urgent need for stronger data privacy regulations and more transparent data practices. 

Can Users Trust Their Apps Anymore? 
 
With popular and widely trusted apps implicated in this data collection scheme, users are left questioning whether their privacy is truly protected. Stronger privacy safeguards and greater accountability in digital advertising are now more critical than ever. 

Millions of People's 'Intimate' Location Data Compromised in Apparent Hack

 

Major apps worldwide are potentially being exploited by rogue members within the advertising sector to collect sensitive location data extensively, which subsequently is transferred to a location data firm whose subsidiary has previously sold global location data to US law enforcement agencies. 

The thousands of apps discovered in hacked files from location data firm Gravy Analytics range from games like Candy Crush to dating apps like Tinder, pregnancy tracking, and religious prayer apps for both Android and iOS. Because much of the data collection occurs through the advertising ecosystem rather than code developed by app creators themselves, it is likely that users or even app developers are unaware of it. 

After examining some of the data, Zach Edwards, senior threat analyst at cybersecurity firm Silent Push and an avid follower of the location data space, tells 404 Media, "For the first time publicly, we seem to have proof that one of the largest data brokers selling to both commercial and government clients appears to be acquiring their data from the online advertising bid stream," instead of code embedded in the apps themselves. 

The data offers a rare peek into the realm of real-time bidding. Historically, location data providers compensated app developers to incorporate bundles of code that collected their users' location data. Numerous companies have instead moved to the advertising ecosystem, where firms bid to place ads within apps, to obtain location information. However, data brokers can listen in on that procedure and gather the location of people's mobile phones.

"This is a nightmare scenario for privacy, because not only does this data breach contain data scraped from the RTB systems, but there's some company out there acting like a global honey badger, doing whatever it pleases with every piece of data that comes its way," Edwards added. 

The hacked Gravy data includes tens of millions of mobile phone coordinates from devices in the United States, Russia, and Europe. Some of those files additionally list an app next to each piece of location data. 404 Media extracted the app names and created a list of mentioned apps. 

The list includes dating sites Tinder and Grindr; massive games like Candy Crush, Temple Run, Subway Surfers, and Harry Potter: Puzzles & Spells; transit app Moovit; My Period Calendar & Tracker, a period-tracking app with over 10 million downloads; popular fitness app MyFitnessPal; social network Tumblr; Yahoo's email client; Microsoft's 365 office app; and flight tracker Flightradar24. The list also includes a number of religious-focused apps, such as Muslim prayer and Christian Bible apps, as well as numerous pregnancy trackers and VPN apps, which some users may download, ironically, in order to safeguard their privacy.

Here's How to Safeguard Your Data From Data Brokers

 

Privacy concerns have grown as more of our private data is being gathered online. We share intimate details with just a few clicks. The majority of people, however, are ignorant of how extensively their data is shared. 

Behind the scenes, there is a whole data broker industry that makes money off of our digital traces. Businesses or individuals known as data brokers gather and resell personal data, such as phone numbers and online surfing behaviour. In this piece, we'll look at how data brokers work and some important steps we can take to safeguard our personal data. 

Data collection 

Data brokers collect data from a variety of public and commercial sources. They can gather data from websites and applications without your knowledge by paying app developers to embed SDKs (software development kits) in their apps. The broker's SDK can then make use of the permissions granted to the app, such as access to contacts and location. Brokers may even pay app owners directly for the information rather than having them install the software kits. 

Another source of data is public records, such as voter registration, birth certificates, marriage licenses, census data, and divorce records. The Internet is also a valuable source of information: data brokers can acquire personal information from things like social media posts or interactions, online quizzes, virtual contests, or websites browsed. 

Data usage 

Customer data is utilised in a variety of ways, including targeting online adverts based on purchase history to make them more relevant. Data brokers may tell advertisers what brands a person has purchased and when they may require more, enabling timed adverts. Customer data is also used to detect fraud, such as cross-referencing loan applications with background information obtained from data brokers. 

This allows lenders to validate facts such as income and debts mentioned. Loan and insurance businesses purchase data to view a person's debts, loans, payments, income, employment history, and assets. People search sites also rely on data brokers to display names, addresses, ages, and other information when consumers search for someone. 

Privacy tips 

Numerous reputable firms can assist you in removing your information from data broker websites. They search the internet for your information on sites such as data brokers and search engines, and then make requests to have it removed. Make sure you select the correct service provider and read through user reviews. Reliable organisations, such as DeleteMe, are supported by real testimonials; you can read DeleteMe reviews here.

You should also limit what you post online. Share only the essential information, and avoid disclosing sensitive details such as your address and phone number. You can also use VPNs and privacy-focused browsers. A VPN conceals your IP address and encrypts your connection, hindering the internet tracking that brokers rely on. Privacy-focused browsers block trackers and fingerprinting, so that your activity is not traced back to you.

Additionally, consider deleting unused apps and accounts. Be aware of the privacy settings on your devices, apps, and social media profiles, and make sure they are set to maximum privacy. Avoid consenting to privacy policies or terms of service without thoroughly reading them, particularly the fine print.

Massive Data Breach Puts Millions at Risk During Christmas Season

 

As the Christmas season approaches, millions of U.S. citizens could face a potential holiday nightmare after a major data breach exposed 5 million unique credit and debit card details online. The leak threatens to compromise countless transactions during the festive shopping spree.

Security experts from Leakd.com revealed that 5 gigabytes of private screenshots were found in an unsecured Amazon S3 bucket, a cloud storage service provided by Amazon Web Services. These screenshots depict unsuspecting consumers entering sensitive data into fraudulent promotional forms, lured by offers that seem "too good to be true," such as free iPhones or heavily discounted holiday products.

The scam operates by enticing consumers with exclusive holiday gifts or significant discounts, requiring them to make a small payment or subscription to claim the offer. These offers often include a countdown timer to create a sense of urgency, pressuring individuals to act quickly without scrutinizing the details.

However, the promised items never arrive. Instead, the fraudsters steal sensitive data and store it on an unsecured server, where it can be accessed by anyone. This poses a heightened risk during the holiday season when shoppers are more vulnerable due to increased spending, making it easier for malicious actors to carry out unauthorized transactions unnoticed.

What to Do If You’re Affected

If you recently filled out a form promising an unbelievable offer, there’s a strong chance your privacy may have been compromised. Here’s what you should do:

  • Contact Your Bank: Inform your bank immediately and request a card replacement to prevent unauthorized transactions.
  • Monitor Bank Statements: Keep a close eye on your statements for any suspicious transactions. Report anything you don’t recognize.
  • Dispute Fraudulent Charges: If you notice unauthorized charges, contact your bank to dispute them and explore options for reimbursement.

The Growing Threat of Christmas Scams

Unfortunately, credit card theft isn’t the only scam cybercriminals are leveraging this holiday season. Security researchers have reported an increase in text-based scams impersonating delivery services. These scams target online shoppers, exploiting the busy season to steal sensitive information or money.

Examples of such scams include fake delivery notifications requesting payment for a package and links leading to phishing websites that steal personal or payment information.

How to Protect Yourself

To safeguard yourself during the holiday season:

  • Verify Offers: Avoid offers that seem too good to be true, especially those requiring personal or payment details.
  • Check Sender Legitimacy: Double-check emails or texts claiming to be from delivery companies. Visit the official website directly rather than clicking on links.
  • Enable Fraud Alerts: Activate alerts with your bank to be notified of any unusual transactions.
  • Educate Family Members: Warn loved ones about these scams, especially those who may be less tech-savvy.

The holiday season should be a time of joy, not stress caused by data breaches and scams. By staying vigilant and taking proactive measures, you can protect yourself and your finances from cybercriminals looking to exploit this festive time of year.

Misconfigured AWS Cloud Instances Lead to Sensitive Data Breaches

 


Misconfigured cloud instances have once again enabled cybercriminals to steal sensitive data, including credentials, API keys, and proprietary source code. This time, numerous Amazon Web Services (AWS) users fell victim, highlighting a lack of understanding regarding the shared responsibility model in cloud infrastructure.

Discovery of Vulnerabilities

Independent security researchers Noam Rotem and Ran Loncar uncovered open flaws in public websites in August 2024. These flaws could be exploited to access sensitive customer data, infrastructure credentials, and proprietary source code.

Data Exploitation and Sale on Telegram

Further investigation revealed that French-speaking threat actors, potentially linked to hacker groups Nemesis and ShinyHunters, scanned "millions of websites" for vulnerabilities. By exploiting these flaws, they harvested an array of sensitive information, including:

  • AWS customer keys and secrets
  • Database credentials and data
  • Git repository data and source code
  • SMTP credentials for email sending
  • API keys for services like Twilio, Binance, and SendGrid
  • SSH credentials
  • Cryptocurrency-related keys and mnemonics
  • Other sensitive access data

The stolen data was sold via a private Telegram channel, reportedly earning "hundreds of euros per breach." Investigators noted that the perpetrators might need the funds for legal defense once apprehended.

Investigation and Response

Rotem and Loncar traced the incident to specific individuals and reported their findings to Israel's Cyber Directorate and AWS Security. The researchers stated: "Our investigation has identified the names and contact information of several individuals behind this incident. This could help in further actions against the perpetrators."

AWS promptly took action to mitigate risks and emphasized that the vulnerability stemmed from user-side misconfigurations rather than AWS systems: "The AWS Security team emphasized that this operation does not pose a security issue for AWS, but rather is on the customer side of the shared responsibility model – a statement we fully agree with," vpnMentor reported.

The Shared Responsibility Model

The shared responsibility model in cloud computing divides security responsibilities between the cloud service provider and the customer. AWS ensures the security of its infrastructure, while customers are responsible for securely configuring and managing their data and applications.

Irony in Misconfiguration

Ironically, the stolen data was discovered in an unprotected AWS S3 bucket—another misconfiguration. According to the researchers: "The data collected from the victims was stored in an S3 bucket, which was left open due to a misconfiguration by the owner. The S3 bucket was used as a 'shared disk' between the members of the attack group, based on the source code of the tools they used."

Lessons for Cloud Security

Cybersecurity experts emphasize that cloud misconfigurations remain a leading cause of data breaches. Organizations must take proactive steps to secure their cloud environments:

  • Implement strict access controls and regular audits of cloud configurations.
  • Use tools to detect misconfigurations and vulnerabilities in real-time.
  • Educate employees about the shared responsibility model and best practices for cloud security.
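The open S3 bucket in this story is the kind of misconfiguration the first two recommendations are meant to catch. As an added example (not code from the researchers or from AWS), the following assesses a bucket's effective public exposure from the three settings that decide it: the bucket policy, the bucket ACL, and the Public Access Block. The inputs are dicts in the shape returned by boto3's `get_bucket_policy` (the `Policy` JSON string), `get_bucket_acl` and `get_public_access_block`, so live API output can be fed in; the bucket names, ARNs and account IDs below are constructed placeholders.

```python
"""Offline assessment of whether an S3 bucket is effectively world-readable."""
import json

# Group URIs S3 uses in ACLs for anonymous and for any-signed-in-AWS-user access.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def _principal_is_public(principal):
    """True if a policy Principal grants to anyone: "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False


def public_policy_statements(policy):
    """Return Allow statements that grant actions to an anonymous principal.

    Accepts a dict or the JSON string boto3 returns. Statements with a Condition
    block are skipped as non-public here (a condition such as aws:SourceVpc usually
    scopes them), but they still deserve a manual review.
    """
    if isinstance(policy, str):
        policy = json.loads(policy)
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue
        if _principal_is_public(stmt.get("Principal")):
            actions = stmt.get("Action", [])
            actions = [actions] if isinstance(actions, str) else list(actions)
            findings.append({"sid": stmt.get("Sid", ""), "actions": actions})
    return findings


def public_acl_grants(acl):
    """Return ACL grants made to the AllUsers or AuthenticatedUsers groups."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in (ALL_USERS, AUTH_USERS):
            findings.append({"group": grantee["URI"].rsplit("/", 1)[-1],
                             "permission": grant.get("Permission")})
    return findings


def assess_bucket(name, policy, acl, public_access_block):
    """Return human-readable findings; an empty list means the bucket is not public.

    Public Access Block overrides the other two settings: RestrictPublicBuckets
    neutralises a public bucket policy, IgnorePublicAcls neutralises public ACL grants.
    """
    pab = public_access_block or {}          # None means no block is configured at all
    findings = []
    if not pab.get("RestrictPublicBuckets", False):
        for f in public_policy_statements(policy):
            findings.append(f"{name}: policy statement '{f['sid']}' allows "
                            f"{', '.join(f['actions'])} to everyone")
    if not pab.get("IgnorePublicAcls", False):
        for g in public_acl_grants(acl):
            findings.append(f"{name}: ACL grants {g['permission']} to {g['group']}")
    missing = [k for k in PAB_FLAGS if not pab.get(k, False)]
    if missing:
        findings.append(f"{name}: Public Access Block not fully enabled (missing {', '.join(missing)})")
    return findings


# Constructed sample: a bucket left readable to the world, with no Public Access Block.
OPEN_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]}]}
OPEN_ACL = {"Owner": {"ID": "owner-id-placeholder"},
            "Grants": [{"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]}
OPEN_PAB = None

# Constructed sample: the same bucket after remediation (role-scoped policy, owner-only ACL, all four block flags).
LOCKED_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "TeamOnly", "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::123456789012:role/example-team-role"},
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]}
LOCKED_ACL = {"Owner": {"ID": "owner-id-placeholder"},
              "Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner-id-placeholder"},
                          "Permission": "FULL_CONTROL"}]}
LOCKED_PAB = {flag: True for flag in PAB_FLAGS}

if __name__ == "__main__":
    for label, args in (("open", (OPEN_POLICY, OPEN_ACL, OPEN_PAB)),
                        ("locked", (LOCKED_POLICY, LOCKED_ACL, LOCKED_PAB))):
        result = assess_bucket("example-bucket", *args)
        print(f"[{label}] {'PUBLIC' if result else 'not public'}")
        for line in result:
            print("  -", line)
```

Running it over every bucket returned by `list_buckets` gives the periodic audit the bullet list asks for; the constructed open bucket yields three findings and the remediated one none.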

This incident underscores the critical need for customers to take their share of responsibility in safeguarding sensitive data and highlights the risks of negligence in cloud security practices.

What’s Happening with 23andMe? Data Privacy and Uncertain Future

 


23andMe, a DNA analysis company, has been in turmoil lately. This September, the entire board of directors left due to differences with the CEO, and data was compromised in a 2023 hack.

Anne Wojcicki, the CEO, had previously stated that she was open to third-party acquisition ideas; however, she altered her stance this week. The company is not currently for sale, but nothing looks promising—and it's unclear what will happen to consumer data if the company fails.

Is 23andMe Data Being Sold?

So far, there has been no official indication on whether the company will be sold with or without its data. However, it is realistic to expect the company to be sold and the data to be inherited by the new owner. Something similar occurred when MyHeritage acquired Promethease, another DNA analysis company, in 2020.

Your data may already be shared with other parties. If you signed up for research projects through 23andMe, "de-identified" data about you (including genetic data) was most likely shared with research institutes and pharmaceutical firms. For example, 23andMe has a data licensing deal with GSK (formerly GlaxoSmithKline) to utilize the 23andMe database to "conduct drug target discovery and other research.”

This is not a hypothetical future scenario, but rather the existing state of the firm. These types of licensing agreements account for a significant portion of 23andMe's revenue—or plans to make money. Alternatively, they may have made money previously. They're not making much money these days.

How to Download Your Data and Delete Your Account

If you want to retain any of your data, start by logging into your account and going to your user settings page. There, you can also choose not to participate in studies. On the 23andMe Data card, click View.

To validate your identity, you’ll need to enter your date of birth. In theory, this is where you can download your data, but issues may arise. For instance, I have a 23andMe account, but I must have given the firm a false date of birth years ago. The page simply directs me to call Customer Care. This seems like a significant impediment, but here we are.

According to a Reddit user, Customer Care may request a copy of your ID for verification. This process could be problematic if you used a fake date of birth. Nonetheless, the company’s documentation indicates that if you can get past this step, you can download your data and cancel your subscription. Good luck!

Here's Why You Need A New App After Google RCS Issue


Google Messages has suddenly gone haywire. After years of campaigning, the "seamless messaging" dream was finally realised, but it vanished as quickly as it arrived. Currently, the question is whether it has any prospect of ever returning. 

Like a slow-motion train crash, Google was quick to applaud Apple for its long-awaited adoption of RCS, but as soon as it went live, it was criticised for its awkward security flaw. For all of Apple's praise of iMessage's end-to-end encryption, those green bubbles still lack it. 

Google and the GSMA were quick to respond, promising that end-to-end encryption for RCS is in the works. But, although that might have won the day, China arrives to spoil the fun. It appears that state-sponsored hackers have broken into US telco networks, highlighting why Apple, Google, and others advocate for end-to-end encryption in the first place. With the FBI and CISA now warning citizens to use appropriately encrypted systems, cross-platform RCS has taken a significant knock. Even Samsung has advised consumers that texting from Android to iPhone is not secure. 

Apple has never denied that iMessage is only secure within its own walled garden. Google, not Apple, pushed for cross-platform RCS. When it finally arrived with iOS 18, Google sent out public messages about non-blurry images and other new capabilities, whereas Apple said little, if anything at all. 

So now it's up to Google Messages to pick up the pieces of this security catastrophe and figure out what to do next. How quickly can RCS be beefed up to meet the "responsible encryption" standard specified by US government officials? Given the official warnings, how do Google and Apple encourage consumers to keep sending basic RCS/SMS texts? How quickly will network confidence get better? 

However, with timing being everything, the ultimate impediment to that RCS train could be Apple's upcoming iPhone update—iOS 18.2. To everyone's surprise, the iMaker has chosen to give all of its users—not just those in regulated Europe—the ability to choose their default apps. For the first time, users can choose an over-the-top service like WhatsApp or Signal as their primary call and message provider. 

The 2024 RCS dream has suffered a setback, though whether it has been buried beneath the waters remains to be seen. What is evident is that this benefits Meta, which owns the world's largest end-to-end encrypted messaging systems, WhatsApp and Facebook Messenger, even if they are not "responsibly" encrypted, as defined by the FBI, which requires authorised access to content when necessary. 

Google Messages customers who use that platform to text friends, family, and colleagues will now require a new app. If you don't already have WhatsApp, Messenger, or Signal, you should download them right now. WhatsApp is the clear winner, striking the ideal combination between security, functionality, and scalability. Many of the people you communicate with will already have the app installed.

In keeping with the security theme, you must take two steps to guarantee the integrity of end-to-end encryption. Start by correctly configuring WhatsApp (or a substitute). This includes passkeys when they are available and two-factor authentication. Second, make sure you avoid taking any chances when installing apps, downloading files, or clicking links. Whatever messenger you use, the encryption counts for nothing if an attacker takes over your phone with malware or lures you into installing malicious software. 

The irony for Google has continued with the announcement that Samsung is discontinuing RCS for millions of Galaxy users who are still using Samsung Messages and advising they migrate to Google Messages. The Galaxy maker told Verizon customers that "Samsung Messages will no longer support RCS after 1.6.2025. Switch to Google Messages to keep the more robust messaging you're accustomed to."

Amazon Employee Data Leaked in MOVEit Attack Fallout


Amazon has confirmed that some employee data was accessed last year, presumably as part of the huge MOVEit hacking campaign. A hacker recently revealed on the BreachForums cybercrime forum that they had stolen Amazon employee information, such as names, phone numbers, email addresses, job titles, and other job-related information. 

The hacker claimed the data came from the 2023 MOVEit attack, which entailed exploiting a zero-day vulnerability in Progress Software's MOVEit file transfer software to gather sensitive information from thousands of organisations that had used the program. 

The MOVEit campaign, which is widely thought to have been carried out by the Cl0p ransomware group, impacted about 2,800 organisations and compromised the data of approximately 100 million people. 

Amazon confirmed the data theft in a statement released earlier this week, but added several important details. According to the firm, the data was obtained via a third-party property management vendor; neither Amazon nor AWS systems were compromised. 

The incident impacted several of the third-party vendor's clients, including Amazon. Amazon stated that only employee work contact information, such as work email addresses, desk phone numbers, and building locations, were revealed, while other, more sensitive information, such as Social Security numbers and financial information, were not compromised. 

The hacker claims that the Amazon employee database has nearly 2.8 million records, but it is unknown how many employees are affected. The same hacker has also leaked employee data from BT, McDonald's, Lenovo, Delta Airlines, and HP. The data appears to be the result of the same MOVEit breach that targeted the same real estate services company that housed Amazon employee information.

Hot Topic Data Breach Exposes Private Data of 57 Million Users


Have I Been Pwned warns that an alleged data breach compromised the private data of 56,904,909 Hot Topic, Box Lunch, and Torrid users. Hot Topic is an American retail franchise that specialises in counterculture-themed clothes, accessories, and licensed music merchandise. 

The firm has approximately 640 stores in the United States and Canada, mostly in shopping malls, with a large customer base.

According to HIBP, the exposed information includes full names, email addresses, birth dates, phone numbers, physical addresses, transaction history, and partial credit card data for Hot Topic, Box Lunch, and Torrid users. 

On October 21, 2024, a threat actor known as "Satanic" claimed responsibility for the security incident on BreachForums. The threat actor claims to have siphoned 350 million user records from Hot Topic and its subsidiaries, Box Lunch and Torrid. 

"Satanic" attempted to sell the database for $20,000 while also demanding a $100,000 ransom from Hot Topic to remove the ad from the forums. According to a HudsonRock report published on October 23, the intrusion could be the result of an information stealer malware infection that acquired credentials for Hot Topic's data unification service. 

While Hot Topic has stayed silent, and no notifications have been issued to potentially impacted users, data analytics firm Atlas Privacy revealed last week that the 730GB database impacts 54 million users. Atlas further highlighted that the collection contains 25 million credit card numbers encrypted with a weak cipher that can be easily broken by current computers. 

Although Atlas is not certain that the database belongs to Hot Topic, it did note that approximately half of all email addresses had not been seen in previous breaches, adding to the authenticity of the threat actor's claims. According to Atlas, the hack appears to have occurred on October 19, with data ranging from 2011 until that date. 

The company has set up a website where Hot Topic consumers can see if their email address or phone number was compromised in the data breach. Meanwhile, the threat actor continues to offer the database, albeit for a lower cost of $4,000. Potentially impacted Hot Topic consumers should be wary of phishing attacks, keep track of their financial accounts for strange activity, and change their passwords on all platforms where they use the same credentials.

Chrome Extensions Continue to Pose a Threat, Even With Google's Manifest V3


Users have always found browser extensions to be a useful tool for increasing productivity and streamlining tasks. They have, however, become a prime target for malicious actors attempting to exploit flaws, impacting both individual users and companies. 

Despite efforts to boost security, several of these extensions have found ways to exploit vulnerabilities in Google's latest extension framework, Manifest V3 (MV3). SquareX's recent research explained how these rogue extensions can continue to evade crucial security protections, exposing millions of users to risks such as data theft, malware, and unauthorised access to sensitive information. 

Google has always had trouble with Chrome extensions. In June 2023, the company had to manually remove 32 vulnerable extensions that had already been installed 72 million times. 

Google's previous extension framework, Manifest Version 2 (MV2), was notoriously weak. It frequently granted excessive permissions to extensions and allowed scripts to be introduced without user knowledge, making it easier for cybercriminals to steal data, access sensitive information, and install malware.

In response, Google launched Manifest V3, which intended to improve security by limiting permissions and requiring extensions to declare their scripts in advance. While MV3 was supposed to address the vulnerabilities found in MV2, SquareX's study indicates that it falls short in important areas. 

Malicious extensions built on MV3 can still circumvent security measures and grab live video streams from collaboration services such as Google Meet and Zoom Web without requiring specific permission. They can even add unauthorised contributors to private GitHub repositories and send users to phishing pages masquerading as password managers. 

Furthermore, these malicious extensions, like their MV2 counterparts, can access browser history, cookies, bookmarks, and download history by displaying a fake software update pop-up that dupes users into downloading the malware. 

Once the malicious extension is installed, neither individuals nor businesses can see its activity, leaving them vulnerable. Security solutions such as endpoint protection, Secure Access Service Edge (SASE), and Secure Web Gateways (SWG) cannot dynamically assess the risks posed by browser extensions. 

SquareX has created a number of solutions targeted at enhancing browser extension security in order to address these issues. Their strategy includes customised rules that let administrators choose which extensions to accept or ban depending on user ratings, reviews, update history, and extension permissions.

This system can prevent network requests from extensions in real time using policies, machine learning insights, and heuristic analysis. Additionally, SquareX is experimenting with dynamic analysis of Chrome extensions using a customised Chromium browser on its cloud server, which will provide greater insights into the behaviour of potentially malicious extensions.
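The MV2-versus-MV3 differences described above (excessive permissions, scripts introduced at runtime) and the permission-based allow/ban policy SquareX describes can both be turned into a simple manifest audit. The following script is an added example and is not SquareX's or Google's code; the two manifests are constructed samples, and the allow/review/block thresholds are an assumed policy.

```python
from __future__ import annotations

import json

# Permissions that expose the data the text says malicious extensions harvest
HIGH_RISK = {
    "history": "browsing history",
    "cookies": "session cookies",
    "bookmarks": "bookmarks",
    "downloads": "download history",
    "tabs": "URLs and titles of open tabs",
    "webRequest": "observation of network requests",
    "scripting": "script injection into pages",
}
# Host match patterns that cover every site
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def manifest_findings(manifest: dict) -> list[str]:
    """Return human-readable findings for one parsed manifest.json."""
    findings: list[str] = []
    version = manifest.get("manifest_version")
    if version != 3:
        findings.append(f"manifest_version {version}: MV2-style manifest, require MV3")

    perms = set(manifest.get("permissions", []))
    # MV3 moved host grants into host_permissions; MV2 mixed them into permissions
    hosts = set(manifest.get("host_permissions", []))
    hosts |= {p for p in perms if "://" in p or p == "<all_urls>"}
    for perm in sorted(perms & HIGH_RISK.keys()):
        findings.append(f"permission '{perm}': {HIGH_RISK[perm]}")
    if hosts & BROAD_HOSTS:
        findings.append("host permission on all sites: can read and modify every page")

    # MV2 persistent background pages could pull in code at runtime; MV3 replaces
    # them with a bundled service worker
    background = manifest.get("background", {})
    if "page" in background or "scripts" in background:
        findings.append("persistent background page/scripts (MV2 style)")
    if any(set(s.get("matches", [])) & BROAD_HOSTS for s in manifest.get("content_scripts", [])):
        findings.append("content script injected into all sites")
    # A CSP permitting eval is how MV2 extensions ran obfuscated or remote code
    if "unsafe-eval" in json.dumps(manifest.get("content_security_policy", "")):
        findings.append("content_security_policy allows 'unsafe-eval'")
    return findings


def verdict(manifest: dict) -> str:
    """Assumed policy thresholds: 0 findings allow, 1-2 review, 3 or more block."""
    count = len(manifest_findings(manifest))
    return "allow" if count == 0 else "review" if count <= 2 else "block"


def audit_manifest_text(text: str) -> tuple[str, list[str]]:
    """Parse the contents of a manifest.json file and return (verdict, findings)."""
    manifest = json.loads(text)
    return verdict(manifest), manifest_findings(manifest)


# Constructed sample manifests; neither belongs to a real extension
OVERPRIVILEGED_MV2 = """{
  "manifest_version": 2,
  "name": "Example Productivity Helper",
  "permissions": ["tabs", "history", "cookies", "downloads", "<all_urls>"],
  "background": {"scripts": ["bg.js"], "persistent": true},
  "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"]}],
  "content_security_policy": "script-src 'self' 'unsafe-eval'; object-src 'self'"
}"""

MINIMAL_MV3 = """{
  "manifest_version": 3,
  "name": "Example Note Taker",
  "permissions": ["storage"],
  "host_permissions": ["https://notes.example.invalid/*"],
  "background": {"service_worker": "worker.js"},
  "content_scripts": [{"matches": ["https://notes.example.invalid/*"], "js": ["notes.js"]}]
}"""

if __name__ == "__main__":
    for label, text in (("MV2 sample", OVERPRIVILEGED_MV2), ("MV3 sample", MINIMAL_MV3)):
        result, issues = audit_manifest_text(text)
        print(f"{label}: {result}", *("  - " + i for i in issues), sep="\n")
```

An MV3 manifest is not automatically safe: the same broad host permissions and data-access permissions are flagged whatever the manifest version, which is the point the research above makes.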

Balancing Act: Russia's New Data Decree and the Privacy Dilemma


Data Privacy and State Access

Russia's Ministry of Digital Development, Communications, and Mass Media has introduced a draft decree specifying the conditions under which authorities can access staff and customer data from businesses operating in Russia, according to Forbes.

The decree would authorize authorities to demand anonymized personal data of customers and employees from businesses in order to protect the population during emergencies, prevent terrorism, and control the spread of infectious diseases, as well as for economic and social research purposes.

The Proposed Decree

Expected to take effect in September 2025, this draft decree follows amendments to the law On Personal Data, adopted on August 8. This law established a State Information System, requiring businesses and state agencies to upload the personal data of their staff and customers upon request.

The Big Data Association, a nonprofit that includes major Russian companies like Yandex, VK, and Gazprombank, has expressed concerns that the draft decree would permit authorities to request personal data from businesses "for virtually any reason." They warned that this could create legal uncertainties and impose excessive regulatory burdens on companies processing personal data, affecting nearly all businesses and organizations.

Global Context: A Tightrope Walk

Russia is not alone in its quest for greater access to personal data. Countries around the world are grappling with similar issues. For instance, the United States has its own set of laws and regulations under the Patriot Act and subsequent legislation that allows the government to access personal data under certain conditions. Similarly, the European Union’s General Data Protection Regulation (GDPR) provides a framework for data access while aiming to protect individual privacy.

Each country’s approach reflects its unique political, social, and cultural context. However, the core issue remains: finding the right balance between state access and individual privacy.

Ethical and Social Implications

The debate over state access to personal data is not purely legal or political; it is deeply ethical and social. Enhanced state access can lead to improved public safety and national security. For example, during a health crisis like the COVID-19 pandemic, having access to personal data can help in effective contact tracing and monitoring the spread of the virus.

Malvertising Campaign Hijacks Facebook Accounts to Propagate SYS01stealer


A new malvertising effort is using Meta's advertising network to disseminate the SYS01 infostealer, a threat already familiar to Meta, and to Facebook users in particular, for harvesting personal information. 

What distinguishes this attack is that it targets millions of people worldwide, primarily men aged 45 and up. It successfully disguises itself as advertisements for popular software, games, and online services. This campaign, discovered in September 2024, stands out for its imitation tactics and the popular brands it exploits. 

Instead of zeroing in on a single lure, the perpetrators impersonate a wide range of well-known brands, including productivity tools like Office 365, creative software like Canva and Adobe Photoshop, VPN services like ExpressVPN, streaming platforms like Netflix, messaging apps like Telegram, and even popular video games like Super Mario Bros Wonder. 

Modus operandi 

According to Bitdefender's blog article, malicious adverts frequently lead to MediaFire links that offer direct downloads of seemingly legitimate software. These zip-archived downloads contain a malicious Electron program. 

When executed, this application drops and runs the SYS01 infostealer, frequently while presenting a fake app that replicates the advertised software. This deceitful strategy makes it harder for victims to recognise that they have been compromised. 

An Electron application is a desktop software that uses web technologies such as HTML, CSS, and JavaScript. Electron is an open-source framework built by GitHub that enables developers to build cross-platform programs that run on Windows, macOS, and Linux using a single codebase. 

However, in this attack, the Electron app employs obfuscated JavaScript code and a standalone 7zip application to extract a password-protected archive containing the core malware components. This bundle contains PHP scripts used to install the infostealer and establish persistence on the victim's PC. The malware also includes anti-sandbox checks to evade analysis by security researchers. 

The primary goal of the SYS01 infostealer is to acquire Facebook credentials, particularly those associated with business accounts. These compromised accounts are then used in subsequent attacks or scams. 

What's worse, the assault takes advantage of the hijacked accounts' advertising capabilities, allowing attackers to produce new malicious ads that appear more authentic and easily evade security filters. This sets up a self-sustaining loop in which stolen accounts are used to propagate the malware even further. The stolen credentials are likely to be sold on underground marketplaces, enriching the crooks even more.

Webflow Sites Employed to Trick Users Into Sharing Login Details


Security experts have warned of an upsurge in phishing pages built with Webflow, a website builder tool, as attackers continue to use legitimate services such as Microsoft Sway and Cloudflare. 

The malicious campaign targets login credentials for multiple corporate webmail services, Microsoft 365 login credentials, and sensitive data from cryptocurrency wallets like Coinbase, MetaMask, Phantom, Trezor, and Bitbuy.

According to the researchers, between April and September 2024, the number of visitors to Webflow-created phishing pages jumped tenfold, and the attacks targeted over 120 organisations worldwide. The majority of the people targeted work in the banking, technology, and financial services industries in North America and Asia.

Attackers have utilised Webflow to create standalone phishing pages as well as to redirect unsuspecting users to additional phishing pages under their control. The former gives attackers convenience and stealth, since there is no phishing code to write and therefore nothing for defenders to identify, while the latter lets them carry out more complex activities as required. 

Webflow is far more appealing than Cloudflare R2 or Microsoft Sway since it allows clients to create custom subdomains for free, as opposed to auto-generated random alphanumeric subdomains, which are likely to raise suspicion.

To increase the chances of success, phishing sites are designed to resemble the login pages of their legitimate counterparts. This method is used to deceive users into disclosing their credentials, which are subsequently at times exfiltrated to another server. 

Security experts have also discovered Webflow cryptocurrency phoney websites that use screenshots of genuine wallet homepages as their landing pages. When a visitor clicks anywhere on the fake website, they are taken to the real scam site. The final goal of a crypto-phishing campaign is to gain the victim's seed phrases, allowing the attackers to take over cryptocurrency wallets and pilfer funds. 

When users enter the recovery phrase in one of the assaults identified by the cybersecurity firm, they are presented with an error message saying that their account has been suspended due to "unauthorised activity and identification failure." Additionally, the message directs the user to start an online chat session on Tawk.to to contact their support personnel. 

It is worth noting that the CryptoCore fraud operation documented by Avast also exploited chat services such as LiveChat, Tawk.to, and Smartsupp. Instead of using search engines or clicking on other links, users should always type the URL into their web browser to access important pages like their webmail or banking portal.

UnitedHealth Claims Data of 100 Million Siphoned in Change Healthcare Breach


UnitedHealth has acknowledged for the first time that over 100 million people's personal details and healthcare data were stolen during the Change Healthcare ransomware assault, making it the largest healthcare data breach in recent years. 

During a congressional hearing in May, UnitedHealth CEO Andrew Witty warned that the attack had exposed "maybe a third" of all Americans' medical data.

A month later, Change Healthcare issued a data breach notification, stating that the February ransomware assault had exposed a "substantial quantity of data" for a "substantial proportion of people in America." 

Last week, the U.S. Department of Health and Human Services Office for Civil Rights data breach portal increased the overall number of affected people to 100 million, marking the first time UnitedHealth, Change Healthcare's parent company, published an official number for the breach. 

Change Healthcare has sent out data breach alerts since June stating that a huge amount of sensitive information was stolen during the February ransomware assault, including: 

  • Health insurance information (including primary, secondary, or other health plans/policies, insurance firms, member/group ID numbers, and Medicaid-Medicare-government payor ID numbers); 
  • Health information (such as medical record numbers, providers, diagnoses, medications, test results, images, care, and therapy); 
  • Personal information (such as billing, claims, and payment information, as well as Social Security numbers, driver's licenses, state ID numbers, and passport numbers).

The information may differ for each person, and not everyone's medical history was disclosed. 

Change Healthcare breach 

This data breach was prompted by a February ransomware attack on UnitedHealth subsidiary Change Healthcare, which resulted in severe outages across the US healthcare system. 

The disruption to the company's IT systems prevented doctors and pharmacists from filing claims, as well as pharmacies from accepting discount prescription cards, forcing patients to pay full price for their drugs.

The attack was carried out by the BlackCat ransomware group, also known as ALPHV. They used stolen credentials to gain access to the company's Citrix remote access service, which did not have multi-factor authentication enabled. 

During the attack, threat actors took 6 TB of data and ultimately encrypted network devices, forcing the organisation to shut down IT infrastructure in order to prevent the attack from propagating further.

UnitedHealth Group acknowledged paying a ransom to get a decryptor and have the threat actors delete the stolen data. The alleged ransom payment was $22 million, according to the BlackCat ransomware affiliate that carried out the attack.

This ransom payment was meant to be shared between the affiliate and the ransomware operation, but BlackCat abruptly shut down, taking the entire payment and committing an exit scam. 

However, this was not the end of Change Healthcare's issues, since the affiliate claimed to still have the company's data and did not delete it as agreed. The affiliate collaborated with a new ransomware operation known as RansomHub and began releasing some of the stolen data, demanding an additional payment for the data not to be leaked.

The Change Healthcare entry on RansomHub's data leak site was inexplicably removed a few days later, suggesting that UnitedHealth paid a second ransom demand. 

UnitedHealth said in April that the Change Healthcare ransomware assault resulted in $872 million in losses, which were included in Q3 2024 earnings and are estimated to total $2.45 billion for the nine months ending September 30, 2024.

Over Thousand UN Documents Linked to Gender Equality Exposed Online


A database believed to belong to the United Nations Trust Fund to End Violence Against Women was uncovered unsecured online, containing financial records, bank accounts, staff details, victim testimonies, and other information. 

Jeremiah Fowler, a cybersecurity researcher, uncovered the database, which contained 228 GB of information, and reported it to vpnMentor. It lacked password protection, leaving its 115,141 files unencrypted and accessible to anyone with an internet connection. 

While not confirmed, the database contained data that linked it to UN Women and the UN Trust Fund to End Violence Against Women, such as letters and documents addressed to the UN and stamped with UN insignia, with a specific reference to UN Women. 

Fowler discovered scanned passport documents and ID cards in the database, as well as specific details on staff roles such as names, job titles, salary information, and tax data. 

"There were also documents labelled as 'victim success stories' or testimonies," Fowler wrote in his report. "Some of these contained the names and email addresses of those helped by the programs, as well as details of their personal experiences. For instance, one of the letters purported to be from a Chibok schoolgirl who was one of the 276 individuals kidnapped by Boko Haram in 2014." 

It is unclear how long the database has been exposed, whether it is managed by the UN Women organisation or a third party, and whether anyone outside of the organisation has accessed it. 

Fowler outlines a number of hypothetical possibilities in which the data might be exploited, including convincing spear phishing attempts that employ customised documents to target vulnerable email accounts. The records might theoretically also be used by a threat actor to obtain a high-level grasp of the organisational and financial structure of the company. 

The UN Women organisation has an undated scam notice on its website, although the page dates back at least to July 2022, with an update in July 2024 that includes an instruction to use the Quantum procurement verification portal. 

Fowler notified the UN Information Security team about the unprotected database, and received a response that stated, "The identified vulnerability does not belong to us (the United Nations Secretariat) and is for UN Women. Please report the vulnerability to UN Women."