A database containing personal information of 8.9 million Zacks users leaked online

A database containing the personal information of more than 8.8 million Zacks Investment Research users has emerged on a hacking forum.

Founded in 1978, Zacks is one of the leading quantitative investment research firms. The company’s initial data breach notification stated that “sensitive” information for about 820,000 customers had been accessed during the breach window, but that it was limited to those that had subscribed to the company’s “Zacks Elite” product between November 1999 and February 2005.

“However, in June 2023, a corpus of data with almost 9M Zacks customers appeared before being broadly circulated on a popular hacking forum. The most recent data was dated May 2020 and included names, usernames, email and physical addresses, phone numbers and passwords stored as unsalted SHA-256 hashes”, reported Have I Been Pwned. “On disclosure of the larger breach, Zacks advised that in addition to their original report ‘the unauthorized third parties also gained access to encrypted [sic] passwords of zacks.com customers, but only in the encrypted [sic] format’.”


New phishing technique, File Archiver In The Browser, uses weaponized .zip domains to trick victims

A new phishing technique, called “File Archiver In The Browser”, can be leveraged to “emulate” file archiver software in a web browser when the victim visits a .zip domain. Security researcher mr.d0x detailed the new attack technique in a recent post.

In mid-May 2023, Google released several new top-level domains (TLDs) including .zip and .mov. Many cybersecurity researchers expressed concerns that these TLDs can be mistaken for file extensions. The researcher showcased how these TLDs can be used to deliver malicious content.

To carry out an attack using this technique, the attacker needs to “emulate” file archive software through HTML/CSS. The researcher shared two samples. The first one emulates the WinRAR file archive utility. To avoid raising suspicion, when the user clicks on the “Scan” icon, a message box is displayed reassuring them that the files are secure.

The second one emulates the Windows 11 File Explorer window.

“It’s highly recommended for organizations to block .zip and .mov domains as they are already being used for phishing and will likely only continue to be increasingly used” recommended the expert.
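One way to check how often clients already reach such domains before enforcing the block, as an added example that is not from the researcher's post: the script flags requests whose hostname ends in .zip or .mov while ignoring ordinary downloads of files with those extensions. The log format, addresses and hostnames are constructed for illustration.

```python
from urllib.parse import urlsplit

# TLDs the quoted recommendation says to block.
BLOCKED_TLDS = {"zip", "mov"}

# Constructed proxy-log sample: "<client-ip> <method> <target>" (format is an assumption).
SAMPLE_LOG = """\
10.0.0.5 GET https://setup.zip/
10.0.0.7 GET https://example.com/downloads/setup.zip
10.0.0.9 GET http://Invoice-2023.ZIP./view
10.0.0.4 CONNECT clip.mov:443
10.0.0.8 GET https://example.org/media/clip.mov?dl=1
10.0.0.6 GET https://zip.example.net/
"""

def host_of(target: str) -> str:
    """Return the lowercase hostname of a URL or of a CONNECT host:port target."""
    if "://" not in target:
        target = "//" + target          # lets urlsplit parse a bare host:port
    host = urlsplit(target).hostname or ""
    return host.rstrip(".")             # drop the trailing dot of a fully qualified name

def is_blocked(target: str) -> bool:
    """True only when the hostname's final label is a blocked TLD."""
    host = host_of(target)
    return "." in host and host.rsplit(".", 1)[1] in BLOCKED_TLDS

def flag_requests(log_text: str) -> list[tuple[str, str]]:
    """Return (client, hostname) for every request to a blocked TLD."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue                    # skip lines that do not match the sample format
        client, _method, target = parts
        if is_blocked(target):
            hits.append((client, host_of(target)))
    return hits

if __name__ == "__main__":
    for client, host in flag_requests(SAMPLE_LOG):
        print(f"{client} -> {host}")
```

The match is made on the parsed hostname rather than on the raw URL string, so a path such as /downloads/setup.zip on an ordinary domain is not reported.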


Toyota discloses a decade-long data breach of 2.15M customers in Japan

Toyota Motor Corporation, the largest automaker in the world by sales, disclosed a data breach that exposed the car location information of 2,150,000 customers between November 6, 2013, and April 17, 2023. The data breach stemmed from human error, leading to a cloud system being set to public instead of private. Data exposed due to the decade-long data breach includes vehicle locations, vehicle identification numbers and chassis numbers by drivers who signed up for the T-Connect/G-Link/G-Link Lite/G-BOOK service. Possibly, videos taken outside the vehicle were also exposed between November 14, 2016 and April 4, 2023.

Toyota pointed out that the exposed information only impacted customers in Japan and cannot be used to identify the owners of the vehicles, and said it is unaware of any abuse of the exposed data.


T-Mobile discloses its second data breach in 2023

Mobile giant T-Mobile disclosed its second data breach so far in 2023. A hacker gained access to the personal information of 836 T-Mobile customers between late February and March. The personal information included full names, contact information, dates of birth, addresses, government IDs, Social Security Numbers, and T-Mobile account numbers and PINs.

After detecting the security breach, T-Mobile reset account PINs of impacted customers.

In January 2023, T-Mobile reported another data breach affecting 37 million customers.


Hackers broke into AT&T email accounts to steal cryptocurrency wallets

Hackers have reportedly been breaking into AT&T-provided email addresses and using this access to steal large amounts of cryptocurrency. While it’s not clear how many people have been impacted, one victim claimed that hackers stole $134,000 from a Coinbase account associated with a compromised email address. Email addresses with att.net, sbcglobal.net, bellsouth.net and other AT&T domain names have all reportedly been affected.

Presumably, the hackers gained access to a part of AT&T’s internal network, which allows them to create mail keys for any user. Mail keys are unique credentials that AT&T email users can use to log into their accounts using email apps such as Thunderbird or Outlook, but without having to use their passwords.

AT&T has adopted security measures to prevent similar attacks, and forced a password reset on some email accounts.


OpenAI starts a bug bounty program with payouts of up to $20,000 for security flaws in its ChatGPT chatbot

OpenAI, the company behind the popular ChatGPT AI chatbot, has launched a bug bounty program in an attempt to ensure its systems are “safe and useful for everyone”.

“Security is essential to OpenAI’s mission”, said the company. “We appreciate the contributions of ethical hackers who help us uphold high privacy and security standards for our users and technology.”

The company said that ChatGPT is in scope, including ChatGPT Plus, logins, subscriptions, OpenAI-created plugins (e.g. Browsing, Code Interpreter), plugins users create themselves, and all other functionality. Plugins developed by other users are out of the scope.

The bounties range from $200 for low-severity security issues, up to $20,000 for “exceptional discoveries”.


KFC, Pizza Hut, and Taco Bell owner discloses data breach

Yum! Brands, the company that owns restaurant chains KFC, Pizza Hut and Taco Bell, disclosed a data breach. On January 13, 2023, Yum! Brands suffered a ransomware attack that forced it to take its IT systems offline, closing almost 300 restaurants in the UK for one day. Back then the company said that it had no evidence that the attackers exfiltrated any customer information.

In a breach notification letter that was sent to affected customers starting April 6, Yum! Brands revealed that it has now found out the attackers stole some individuals’ personal information, including names, driver’s license numbers, and other ID numbers.

The company added that the ongoing investigation has not found evidence that the stolen data had been used for identity theft or fraud; however, such data is typically traded or shared on underground hacker forums and ultimately used in phishing and other types of attacks.


Western Digital takes its services offline due to data breach

Storage giant Western Digital confirmed on April 3, 2023 that its network has been breached and an unauthorized party gained access to multiple company systems. The California-based computer drive maker and provider of cloud data storage services stated that the network security incident was identified on March 26. The investigation is still ongoing and Western Digital has yet to learn how much was taken.

Since the incident, Western Digital’s consumer cloud and backup service My Cloud has experienced outages, preventing customers from accessing their files. This included My Cloud, My Cloud Home, My Cloud Home Duo, My Cloud OS5, SanDisk ibi and SanDisk Ixpand Wireless Charger. Services were restored on April 12.

While Western Digital’s customers wait for more information, they can take action. Users should assume their accounts associated with Western Digital’s services may have been compromised, and therefore they should change their service account passwords and if possible, enable Multi-Factor Authentication (MFA).


Ferrari hit with ransomware attack, customer data exposed

Italian supercar manufacturer Ferrari disclosed on March 20, 2023 that it was recently the victim of a ransomware attack that may have disclosed certain personal information about its clients. The company said it was “recently contacted by a threat actor with a ransom demand related to such customer data. As a policy, Ferrari will not be held to ransom”.

The carmaker said that hackers accessed customers’ names, addresses, email addresses and telephone numbers. Based on its investigation so far, Ferrari said no payment information, bank account numbers or details of Ferrari cars owned or ordered had been stolen.

Ferrari hasn’t disclosed how many customers were impacted by the breach or how or when the company was compromised.


AT&T is notifying 9 million customers of data breach after a third-party vendor hack

Telecom giant AT&T is notifying 9 million of its customers that some of their information was exposed after a third-party vendor was hacked. “We recently determined that an unauthorized person breached a vendor’s system and gained access to your ‘Customer Proprietary Network Information (CPNI)’”, reads the data breach communication sent by AT&T to the impacted customers. “However, please rest assured that no sensitive personal or financial information such as Social Security number or credit card information was accessed”, continues the communication. Passwords and personal information weren’t breached either.

Exposed CPNI data includes customer first names, wireless account numbers, wireless phone numbers, and email addresses.
“A small percentage of impacted customers also had exposure of rate plan name, past due amount, monthly payment amount, various monthly charges, and/or minutes used. The information was several years old”, said AT&T.

In its email to the affected customers, AT&T confirmed that the marketing vendor has fixed the vulnerability. The company has also notified the federal law enforcement agencies about the incident.

Customers are advised to toggle off CPNI data sharing on their accounts by making a CPNI Restriction Request, to reduce exposure risks in the future if AT&T uses it for third-party vendor marketing purposes.
