Privacy Roundup #0193 • August 2022
August 2022 was dominated by the Oktapus phishing spree that toppled Twilio and dozens of other firms, alongside fresh scrutiny of data brokers, police purchases of location data and Big Tech tracking.
1. Twilio confirms breach after staff fell for SMS phishing
Twilio disclosed that attackers tricked employees with text messages posing as the IT department and harvested their login credentials. The intruders then reached data belonging to a set of customers, in an incident the company traced to early August.
2. Oktapus phishing campaign breached more than 130 organisations
Researchers at Group-IB linked the Twilio attack to a wider campaign that struck at least 130 companies, including Mailchimp and Cloudflare. The crew, dubbed Oktapus, stole close to 10,000 employee credentials by impersonating Okta login pages.
3. Signal warns Twilio breach exposed 1,900 users' numbers
Signal told roughly 1,900 users that the Twilio compromise may have revealed their phone numbers or the SMS code used to register an account. The messenger stressed that message history, contacts and profile details were never at risk.
4. Cisco confirms hack by the Yanluowang ransomware gang
Cisco acknowledged that attackers breached its network after hijacking an employee's personal Google account and stealing synced credentials. The Yanluowang gang claimed to have taken about 2.8 GB of files, though Cisco said no sensitive customer data was lost.
5. LastPass says source code stolen in developer breach
LastPass revealed that an intruder compromised a developer account and took portions of source code and proprietary technical information. The company insisted at the time that customer vaults and master passwords were untouched.
6. FTC sues data broker Kochava over sensitive location data
The Federal Trade Commission accused Kochava of selling geolocation data that could trace people to reproductive health clinics, places of worship and shelters. The complaint said a single sample covered more than 61 million unique devices.
7. EFF exposes Fog Data Science selling location surveillance to police
The Electronic Frontier Foundation published an investigation into Fog Data Science, which sells a tool called Fog Reveal that lets police browse device location histories. The records showed at least eighteen law enforcement clients paying a few thousand dollars a year for warrantless tracking.
8. Nebraska police used Facebook messages in an abortion prosecution
Police obtained private Facebook chats between a Nebraska teenager and her mother to build a case over an alleged illegal abortion. The disclosure fuelled fears that platform data could be turned against people seeking reproductive care.
9. Oracle hit with class action over alleged global surveillance
A class action accused Oracle of building dossiers on five billion people through tracking cookies and invisible pixels and selling the profiles on. The Irish Council for Civil Liberties' Johnny Ryan was among the named representatives.
10. DuckDuckGo drops its carve-out for Microsoft trackers
After a researcher found its browser allowed certain Microsoft scripts, DuckDuckGo said it would expand blocking to cover those trackers too. The change followed criticism that a Bing syndication deal had limited the firm's promised protection.
11. Janet Jackson's "Rhythm Nation" earns its own CVE
Microsoft revealed that playing the 1989 video could crash certain laptops by hitting a resonant frequency of their 5,400 RPM hard drives. The quirk was formally catalogued as a denial-of-service vulnerability under CVE-2022-38392.
12. TikTok in-app browser could log keystrokes, researcher warns
Developer Felix Krause found that TikTok's iOS app injects code able to monitor every keystroke and tap on third-party sites opened inside it. TikTok said the code was used only for debugging and performance monitoring, not to capture data.
13. Google scans of family photos led to false child abuse claims
A New York Times investigation described how Google flagged medical photos two fathers took of their sons, then disabled their accounts and reported them to police. Investigators cleared both men, yet Google refused to restore the accounts.
14. Mailchimp breach exposed DigitalOcean customer emails
DigitalOcean said attackers who compromised Mailchimp's internal tooling reached the email addresses of some of its customers. The cloud firm dropped Mailchimp as an email vendor after the crypto-focused phishing campaign came to light.
15. Slack reset passwords after leaking hashes for five years
Slack admitted that a bug had transmitted hashed passwords to other workspace members whenever someone created or revoked a shared invitation link. The flaw ran from April 2017 until July 2022 and affected about half a percent of users.
16. Sephora settles California's first public CCPA enforcement action
California Attorney General Rob Bonta announced a $1.2 million settlement with Sephora over its handling of consumer data. Regulators said the retailer failed to disclose that it sold personal information and ignored opt-out signals from the Global Privacy Control.
17. DoorDash breach tied to the same Twilio hackers
DoorDash disclosed that attackers used credentials stolen from a third-party vendor to reach some of its internal tools. The intruders took names, email addresses, delivery addresses and phone numbers, plus partial card details for a smaller group.
18. Plex forces password resets after database intrusion
Plex told its users to reset passwords after an intruder reached a database holding emails, usernames and hashed passwords. The streaming company said payment details were never stored on the affected systems.
19. Twilio breach also hit Authy two-factor app users
Twilio disclosed that the attackers had reached the accounts of 93 users of Authy, its two-factor authentication app. The intruders registered additional devices to a handful of accounts before Twilio cut off their access.
20. Nelnet Servicing breach exposed 2.5 million student loan accounts
Disclosure letters revealed that a vulnerability in Nelnet's platform left the data of about 2.5 million borrowers exposed to an unauthorised party. The records, drawn from OSLA and Edfinancial accounts, included names, addresses and Social Security numbers.