wp_options
table under widget_block
.navigator.sendBeacon
function, ensuring stealthy exfiltration without alerting users or administrators.
Severe Security Implications
This malware poses a critical threat by covertly harvesting sensitive payment information, including credit card numbers and CVV codes.
A huge data security breach has come to light, with the data platform Builder.ai. It's a service that lets organizations build their own proprietary, custom software applications, which don't need heavy programming. According to a blog post by a security researcher, sensitive information from more than three million users' accounts was inadvertently leaked to the internet, leaving an open question of what now?
Jeremiah Fowler, a cybersecurity expert known for discovering unsecured online databases, found a Builder.ai archive with over 3 million records. This archive reportedly contained 1.29 terabytes of data, including very sensitive materials such as invoices, NDAs, email screenshots, and tax documents.
Worryingly, files contained access keys and configurations of two cloud storage systems. These keys, in the wrong hands, could grant hackers access to even more sensitive data.
What Was Exposed
The exposed database included the following:
337,434 invoices: The documents comprised transactions between Builder.ai and its clients.
32,810 master service agreements: Most agreements included user names, e-mail addresses, IP details and project estimations of the cost associated with a particular project giving a holistic overview of their sensitive information.
Such data left unprotected poses grave risks. This information could be used for phishing scams, identity theft, or even financial fraud by criminals. Phishing is the art of making people give up their personal information by claiming to be a trusted person. The presence of cloud storage keys in the database further increases the worry, as this may also open access to more sensitive files elsewhere.
Fowler quickly notified the company, Builder.ai. However, the company, in its defense, showed that it could not tighten the database security due to "complexities with dependent systems." It is already a month, and nobody knows if the problem persists.
Misconfigured databases are one of the constant problems of the digital era. Companies don't realize they have a shared responsibility to secure the data when it comes to cloud services, leaving large repositories of information exposed unintentionally.
For businesses, this is an important wake-up call regarding comprehensive cybersecurity practices- periodic checks and ensuring the databases are properly secured for users' data protection.
For users, vigilance is key. Anyone who's interacted with Builder.ai should keep an eye out on their accounts for anything weird and be on their toes for phishing scams.
And in this hyperconnected world, security breaches such as this remind us that vigilance is key, too, for companies as much as it is for their users.
The evolving relationship between travel and data privacy is sparking significant debate among travellers and experts. A recent Spanish regulation requiring hotels and Airbnb hosts to collect personal guest data has particularly drawn criticism, with some privacy-conscious tourists likening it to invasive surveillance. This backlash highlights broader concerns about the expanding use of personal data in travel.
This trend is not confined to Spain. Across the European Union, regulations now mandate biometric data collection, such as fingerprints, for non-citizens entering the Schengen zone. Airports and border control points increasingly rely on these measures to streamline security and enhance surveillance. Advocates argue that such systems improve safety and efficiency, with Chris Jones of Statewatch noting their roots in international efforts to combat terrorism, driven by UN resolutions and supported by major global powers like the US, China, and Russia.
Despite their intended benefits, systems leveraging Passenger Name Record (PNR) data and biometrics often fall short of expectations. Algorithmic misidentifications can lead to unjust travel delays or outright denials. Biometric systems also face significant logistical and security challenges. While they are designed to reduce processing times at borders, system failures frequently result in delays. Additionally, storing such sensitive data introduces serious risks. For instance, the 2019 Marriott data breach exposed unencrypted passport details of millions of guests, underscoring the vulnerabilities in large-scale data storage.
The European Union’s effort to create the world’s largest biometric database has sparked concern among privacy advocates. Such a trove of data is an attractive target for both hackers and intelligence agencies. The increasing use of facial recognition technology at airports—from Abu Dhabi’s Zayed International to London Heathrow—further complicates the privacy landscape. While some travelers appreciate the convenience, others fear the long-term implications of this data being stored and potentially misused.
Prominent figures like Elon Musk openly support these technologies, envisioning their adoption in American airports. However, critics argue that such measures often prioritize efficiency over individual privacy. In the UK, stricter regulations have limited the use of facial recognition systems at airports. Yet, alternative tracking technologies are gaining momentum, with trials at train stations exploring non-facial data to monitor passengers. This reflects ongoing innovation by technology firms seeking to navigate legal restrictions.
According to Gus Hosein of Privacy International, borders serve as fertile ground for experiments in data-driven travel technologies, often at the expense of individual rights. These developments point to the inevitability of data-centric travel but also emphasize the need for transparent policies and safeguards. Balancing security demands with privacy concerns remains a critical challenge as these technologies evolve.
For travelers, the trade-off between convenience and the protection of personal information grows increasingly complex with every technological advance. As governments and companies push forward with data-driven solutions, the debate over privacy and transparency will only intensify, shaping the future of travel for years to come.
SL Data Services, a U.S.-based data broker, experienced a massive data breach, exposing 644,869 personal PDF files on the web. The leaked records included sensitive information such as personal details, vehicle records, property ownership documents, background checks, and court records. Alarmingly, the exposed files were not encrypted or password-protected.
Cybersecurity expert Jeremiah Fowler discovered the breach, identifying sample records in the 713.1 GB database. Remarkably, 95% of the documents were labeled as “background checks.”
"This information provides a full profile of these individuals and raises potentially concerning privacy considerations," Fowler stated.
The breached documents contained the following sensitive information:
Fowler confirmed the accuracy of the residential addresses associated with named individuals in the leaked files.
According to Fowler, property reports ordered from SL Data Services were stored in a database accessible via a web portal for customers. The vulnerability arose when a threat actor, knowing the file path, could locate and access these documents.
SL Data Services used a single database for multiple domains without proper segmentation. The only separation was through folders named after the respective websites. After Fowler reported the breach, database access was blocked for a week, but during that time, over 150,000 additional records were exposed. It remains unclear how long the data was publicly accessible or what information was accessed by unauthorized parties.
When Fowler contacted SL Data Services, he was only able to reach call center agents who denied the breach, claiming their systems used SSL and 128-bit encryption. Despite these assurances, the exposed records suggest serious lapses in data security practices.
Fowler warned about the dangers posed by the leaked information:
"The criminals could potentially leverage information about family members, employment, or criminal cases to obtain additional sensitive personal information, financial data, or other privacy threats."
Publicly exposed data allows threat actors to:
To protect personal data when working with data brokers, Fowler recommends the following:
This breach underscores the importance of robust data security practices for companies handling sensitive information. By adopting proactive measures and holding data brokers accountable, both organizations and consumers can mitigate the risks of future breaches.
Dell, the renowned computer manufacturer, has issued a cautionary notice to its customers regarding a disconcerting data breach. The breach, which affects an estimated 49 million customers, involves unauthorised access to an online portal containing sensitive customer information. Dell has disclosed that the breached data includes customers' names, physical addresses, and detailed information regarding Dell hardware purchases such as service tags, item descriptions, order dates, and related warranty details. Notably, the compromised information excludes financial details, email addresses, and telephone numbers. Dell accentuated its collaboration with law enforcement and a third-party forensics firm to thoroughly investigate the breach. While Dell declined to specify the number of affected individuals, it assures ongoing efforts to address the incident.
Data for Sale on the Dark Web
Disturbingly, reports have surfaced indicating that a threat actor, operating under the pseudonym Menelik, endeavoured to sell a database containing Dell customer information on a prominent hacking forum. The compromised data encompasses purchases spanning from 2017 to 2024, affecting a staggering 49 million customers. While Dell's initial notification primarily encompasses personal purchases, the breadth of the breach extends its tendrils to affect consumers, enterprises, partners, and educational institutions alike.
In the wake of such an imminent breach, customers are vehemently advised to exercise utmost caution against potential phishing attacks. Armed with comprehensive customer information, malicious actors may orchestrate targeted scams through various mediums, ranging from deceptive emails to physical mail. The criticality of vigilance cannot be overstated, as hackers may employ sophisticated tactics, such as tech support or invoice scams, to extract sensitive information from unsuspecting victims. Furthermore, there exists a palpable risk of malware dissemination through malicious flash drives, underscoring the imperative for users to exercise discretion when interacting with external storage devices.
In response to the breach, Dell has initiated a rigorous investigation, leveraging the expertise of law enforcement agencies and third-party forensic specialists. While the company reassures customers that no financial or payment data, email addresses, or telephone numbers were compromised, it acknowledges the severity of the breach and the pressing need for proactive measures to secure customer data security.
As investigations progress, affected customers are implored to remain informed and enact robust security measures to mitigate the inherent risks associated with potential phishing and malware attacks, thereby safeguarding their sensitive personal information from malicious exploitation.
Artificial intelligence (AI) has reached another milestone in its quest to mimic human sensory perception. Recent breakthroughs in AI technology have demonstrated its ability to identify odors with remarkable precision, surpassing the capabilities of human noses. This development promises to revolutionize various industries, from healthcare to environmental monitoring.
Researchers from a Google startup have unveiled an AI system that can describe smells more accurately than humans. This innovative technology relies on machine learning algorithms and a database of molecular structures to discern and articulate complex scent profiles. The system's proficiency is not limited to simple odors; it can distinguish between subtle nuances, making it a potential game-changer in fragrance and flavor industries.
One of the key advantages of AI in odor identification is its ability to process vast amounts of data quickly. Human olfaction relies on a limited number of odor receptors, while AI systems can analyze a multitude of factors simultaneously, leading to more accurate and consistent results. This makes AI particularly valuable in fields such as healthcare, where it can be used to detect diseases through breath analysis. AI's unmatched sensitivity to odor compounds could potentially aid in the early diagnosis of conditions like diabetes and cancer.
Moreover, AI's odor identification capabilities extend beyond the human sensory range. It can detect odors that are imperceptible to us, such as certain gases or chemical compounds. This attribute has significant implications for environmental monitoring, as AI systems can be employed to detect pollutants and dangerous substances in the air more effectively than traditional methods.
In addition to its practical applications, AI's prowess in odor identification has opened up new avenues for creative exploration. Perfumers and chefs are excited about the possibilities of collaborating with AI to design unique fragrances and flavors that were previously unimaginable. This fusion of human creativity with AI precision could lead to groundbreaking innovations in the world of scents and tastes.
However, there are ethical considerations to be addressed as AI continues to advance in this field. Questions about privacy and consent arise when AI can detect personal health information from an individual's scent. Striking the right balance between the benefits and potential risks of AI-powered odor identification will be crucial.
As US tech giants threaten to sever their links with the UK, a significant fear has emerged among the technology sector in recent days. This upheaval is a result of the UK's proposed privacy bill, which has shocked the IT industry. The bill, which aims to strengthen user privacy and data protection rights, has unintentionally sparked a wave of uncertainty that has US IT companies considering leaving.
The UK's plans to enact strict privacy laws, which according to business executives, could obstruct the free movement of information across borders, are at the core of the issue. Users would be able to request that their personal data be removed from company databases thanks to the unprecedented power over their data that the new privacy regulation would give them. Although the objective is noble, major figures in the tech industry contend that such actions may limit their capacity to offer effective services and innovate on a worldwide scale.
Following an anonymous leak received on the Cyber podcast hosted by Ido Kinan and Noam Rotem, it has been revealed that the system has been breached. This has not only compromised the data of Shas activists and supporters but has also compromised the information of all Israeli citizens who are eligible to vote. Following that, Ran Bar-Zik, a software architect at the company, verified the findings.
According to a report by Calcalist, the anonymous leaker discovered the vulnerability with an automated scanning tool that detects such weaknesses. This tool was used by the anonymous leaker to detect the vulnerability.
The information held in the system is just as disturbing as the breach itself: detailed personal details, such as family ties, phone numbers, and bank account numbers, not included in the voter register, of millions of Israeli citizens.
An online PHP-powered system debugging tool that has been available for nearly four years has been breached as a result of a known vulnerability, and a common browser is all that is needed to exploit this vulnerability, so sophisticated tools are not required to expose this weakness.
As soon as it is available for widespread use, the debugger should be disabled. It should only be enabled during the testing phase. Adding a few characters to a website address indicating the location of the debugger and performing a few other simple actions without requiring much computer knowledge is all it takes to penetrate the debugger when it remains active after the system is put into operation.
Even though the breach in question was blocked, it is impossible to determine whether the information in the system had been compromised before it had been patched. There is a concern regarding who might have all the personal information that is stored in the system. This is because it is easy to exploit, and it was found without much effort.
Every time there is a round of elections, the Shas party receives a voter registration copy from the Ministry of Interior. This is the same for all the other parties in the country. During every election, it is required that the transmitted information, including all the details that have been added to it, is destroyed. All data included in it will be destroyed as well. Although this is the case, it seems that Shas has managed to retain the personal data of voters from the previous year's elections.
A professional and reliable electoral software operated by the Shas party for many years maintains a legally registered database as do all of Israel’s other parties. All of the information the Shas party holds has been legally collected, maintained, and complied with according to the law, backed up by cybersecurity experts that are the most knowledgeable in the field, the party spokesperson said in response to an inquiry by Haaretz.
The party explained that their attention was drawn to concerns that the database had been illegally accessed. Following the receipt of this information, they acted immediately by implementing several immediate changes to ensure the security of the entire database as soon as possible. Shas has conducted a thorough examination of the database systems to ensure that all information remains secure. As part of its ongoing inspection of the database systems, the party stated that "If any party is found to have violated the law, Shas will take appropriate action."
A similar incident occurred last year when a list of the names and phone numbers of 5,000 Likud activists was released online from the "Elector" platform, where they could be found on the Ghost in leak website, according to Israeli news agency Ynet.
There was a list uploaded by an anonymous source along with an email that circulated throughout many groups that stated that "The Likud's and Right's electoral system has been compromised." The list was sent by a source who identified himself as "an activist." The data will slowly leak out as the system is taken offline until the hackers are removed. Here are the first clusters of activists.
In a ruling issued by the Authority for the Protection of Privacy of the Ministry of Justice, it was determined that the Elector company, along with the Likud and Jewish Home parties which received technological services from the Elector company, had violated the Privacy Protection Law and the regulations governing its operation.
As a result of an enforcement procedure conducted by the Authority, it has been revealed that the election holder has violated the law in many ways, including in the security of its information systems, and in how they conduct itself as a holder of sensitive personal information, among other things.