Fidelity Investments data breach exposes details of thousands of customers

US-based financial services giant Fidelity Investments has warned 77,099 individuals of a data breach that exposed their personal information. In a breach notification filed with the Office of the Maine Attorney General, the company revealed that it was hit by a breach on August 17, 2024, which it detected on August 19. A letter sent to the 77,099 customers caught up in the breach confirmed that the attackers stole personal information relating to them.

Fidelity said that a third party had accessed and obtained certain information without authorization by using two customer accounts they had recently set up. This suggests that the threat actors exploited “Broken Access Control”, the number one category in OWASP’s Top 10 Web Application Security Risks. One of the risks in that category is permitting a user to view or edit someone else’s account simply by supplying its unique identifier. After detecting the activity, the company terminated access to those accounts and launched an investigation with help from outside security experts.
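As an added illustration (not code from Fidelity or from the breach notification), the snippet below shows the object-level authorization check whose absence the OWASP item describes: an authenticated, self-registered account asks for another customer's record by id, and only the hardened lookup refuses it and leaves an audit trail. All account ids, usernames and data are constructed.

```python
# Added example, not Fidelity's code. Demonstrates a missing object-level
# authorization check (OWASP A01 Broken Access Control) beside the fixed form.
from dataclasses import dataclass

@dataclass
class Account:
    account_id: int
    owner: str        # username that owns this record
    ssn_last4: str    # constructed sample data, not real

# Constructed store: two legitimate customers and one self-registered account.
ACCOUNTS = {
    1001: Account(1001, "alice", "1234"),
    1002: Account(1002, "bob", "5678"),
    9001: Account(9001, "attacker", "0000"),
}

AUDIT_LOG: list = []  # the hardened path records denials for detection

class Forbidden(Exception):
    pass

def get_account_vulnerable(session_user: str, account_id: int) -> Account:
    """Broken access control: the caller is authenticated, but the code never
    checks that the requested record belongs to them."""
    return ACCOUNTS[account_id]

def get_account_hardened(session_user: str, account_id: int) -> Account:
    """Object-level authorization: the record must be owned by the session user.
    Unknown and foreign ids get the same error so id existence is not leaked."""
    account = ACCOUNTS.get(account_id)
    if account is None or account.owner != session_user:
        AUDIT_LOG.append({"user": session_user, "account_id": account_id, "result": "denied"})
        raise Forbidden(f"{session_user} may not access account {account_id}")
    return account

def count_denials(user: str) -> int:
    """Detection helper: denied object-level requests by one user. A freshly
    created account racking these up is the pattern to alert on."""
    return sum(1 for e in AUDIT_LOG if e["user"] == user and e["result"] == "denied")

if __name__ == "__main__":
    # The self-registered account reads Alice's record through the vulnerable path...
    print(get_account_vulnerable("attacker", 1001).ssn_last4)
    # ...but the hardened path refuses it and logs the attempt.
    try:
        get_account_hardened("attacker", 1001)
    except Forbidden as exc:
        print(exc)
    print(count_denials("attacker"))
```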

Compromised information included names, Social Security numbers, financial account data, and driver’s license information. Fidelity confirmed that financial data was not exposed and that Fidelity customer accounts were not hacked.


MoneyGram acknowledges data breach following a cyberattack

American peer-to-peer payments and money transfer company MoneyGram confirmed on September 21, 2024 that a cyberattack had caused its services to become unavailable. The company had taken some of its systems offline on September 20 to contain the attack, and services were fully restored on September 26.

MoneyGram now confirms on its website that the cyberattack exposed customer data, including customer names, contact information (such as phone numbers, email and postal addresses), dates of birth, government IDs, Social Security numbers, and transaction details:

“The impacted information included certain affected consumer names, contact information (such as phone numbers, email and postal addresses), dates of birth, a limited number of Social Security numbers, copies of government-issued identification documents (such as driver’s licenses), other identification documents (such as utility bills), bank account numbers, MoneyGram Plus Rewards numbers, transaction information (such as dates and amounts of transactions) and, for a limited number of consumers, criminal investigation information (such as fraud). The types of impacted information varied by affected individual.”

The company said it is proactively working to contain and remediate the attack with the help of external cybersecurity experts, and that it has already notified law enforcement about the data breach.


Cloudflare mitigated world record 3.8 Tbps DDoS attack

Web infrastructure and security company Cloudflare has disclosed that it autonomously mitigated a record-breaking distributed denial-of-service (DDoS) attack that peaked at 3.8 terabits per second (Tbps) and lasted 65 seconds. This is the largest publicly recorded thwarted DDoS attack to date. It was part of a “month-long” barrage in September 2024 of more than 100 hyper-volumetric DDoS attacks that flooded the network infrastructure with garbage data.

The previous record-breaking volumetric DDoS attack was reported by Microsoft in November 2021, peaking at 3.47 Tbps with a packet rate of 340 million packets per second (pps). The largest attack previously seen by Cloudflare peaked at 2.6 Tbps.

According to Cloudflare, the infected devices were spread across the globe, but many of them were located in Russia, Vietnam, the US, Brazil and Spain.

A volumetric DDoS attack aims to overwhelm the target’s network or servers by flooding them with a massive volume of data. The goal is to consume all available bandwidth or system resources, rendering the service inaccessible to legitimate users.
