Tag Archive for: breach

Unjected Data Breach: Security Lapse Exposes Thousands of User Accounts

/in


Unjected, the controversial anti-vaccine dating platform, faces another bout of scrutiny as a recent security breach exposes the private data of over 35,000 users. 

The latest security problem, discovered by security researcher GeopJr, tackles alarming vulnerabilities within the platform’s infrastructure. It could compromise user privacy and safety.

Unjected Hit by a Glitch

Unjected Data Breach: Security Lapse Exposes Thousands of User Accounts

(Photo : Mufid Majnun from Unsplash) 

Unjected, a popular website that promotes anti-vaccine campaigns is now under attack by a glitch. The latest security issue exposes confidential information of some users.


GeopJr’s investigation reveals critical flaws in Unjected’s security measures, allowing unauthorized access to sensitive user information. The breach exposes personal details, including full names, birthdates, email addresses, and location data of thousands of users. Moreover, authentication issues enable malicious actors to manipulate user profiles and access private messages exchanged on the platform.

Related Article: Issue-Plagued AirPower Charges Apple Watch For the First Time: Is this an Upgraded Prototype?

History of Security Concerns

This isn’t the first time Unjected has faced security-related controversies. In July 2022, GeopJr uncovered an open administrator dashboard, granting unauthorized access to crucial site functionalities. Despite attempts to rectify the issue, subsequent glitches and outages persisted, raising concerns among users regarding data protection.

Persistent Security Lapses

Despite being alerted to the security vulnerabilities by GeopJr and the Daily Dot, Unjected has failed to address the issues adequately. Efforts to patch the leak inadvertently exacerbated the situation, introducing additional vulnerabilities, including unauthorized account deactivation.

User Concerns and Insecurity

The breach has left users apprehensive about their privacy and safety on the platform. Direct messages reveal widespread distrust and unease among users regarding Unjected’s security practices. Concerns range from potential government surveillance to fears of hacking and data exploitation.

Response and Lack of Transparency

Blackbaud Must Improve its Poor Security, Data Retention Practices to Avoid Future Breaches, Says FTC

(Photo :…

Source…

MarineMax confirms data breach | SC Media

/in


MarineMax has disclosed having employee and customer data stolen from its systems following a cyberattack last month, BleepingComputer reports.

“…[O]ur ongoing investigation has identified that this organization exfiltrated limited data from this environment that includes some customer and employee information, including personally identifiable information,” said the major U.S. global recreational boat, yacht, and superyacht retailer in an updated filing with the U.S. Securities and Exchange Commission.

No additional details regarding the perpetrator of the breach have been provided but the Rhysida ransomware-as-a-service operation already laid claim on the incident, demanding more than $1 million worth of bitcoin as ransom for financial documents and other data, which MarineMax denied.

MarineMax’s confirmation comes nearly a month after Rhysida leaked all of the data it purportedly stole from Chicago-based Lurie Children’s Hospital after it refused to pay the ransom. Sony-owned video game developer Insomniac Games also had 1.67 TB of files exposed by the ransomware gang as a result of not paying the $2 million ransom.

Source…

Critical Backdoor Internet Security Breach Accidentally Found Before Implementation – MishTalk

/in


I am fascinated by a story of how a Microsoft engineer discovered a major, heavily disguised, backdoor security breach that was years in the making, and nearly implemented.

Background

Hidden in a widely use compression utility was a software backdoor that would allow someone remote access to entire systems.

This was a multi-year endeavor by user named Jia Tan, @JiaT75 who gained trust over many years. His account is now suspended everywhere.

HackerNews has this interesting snip.

Microsoft security researcher Andres Freund has been credited with discovering and reporting the issue on Friday.

The heavily obfuscated malicious code is said to have been introduced over a series of four commits to the Tukaani Project on GitHub by a user named JiaT75.

The Long Game

These opensource projects are volunteer work. They pay nothing.

The person normally responsible for the code, Lasse Collin (Larhzu), maintained the utility since 2009 but was suffering burnout.

Jia Tan started contributing in the last 2-2.5 years and gained commit access, and then release manager rights, about 1.5 years ago.

Backdoor Uncovered in Years-Long Hacking Plot

Much of this story is extremely geekish and difficult to understand. An article on Unicorn Riot is generally readable.

Please consider Backdoor Uncovered in Years-Long Hacking Plot

A fascinating but ominous software story dropped on Friday: a widely used file compression software package called “xz utils” has a cleverly embedded system for backdooring shell login connections, and it’s unclear how far this dangerous package got into countless internet-enabled devices. It appears the persona that injected this played a long game, gaining the confidence of the legitimate main developer, and thus empowered to release new versions themselves.

Andreas Freund reported this Friday morning on an industry security mailing list, leading many experts to spend the day poking under rocks and peering into the abyss of modern digital insecurity: “The upstream xz repository and the xz tarballs have been backdoored,” Freund wrote. It cleverly pokes a hole in the SSH daemon (sshd), which is essential to modern-day computing at the most fundamental level.

The…

Source…

AT&T data breach: Millions of customers caught up in major dark web leak

/in


Manage consent settings on AMP pages

These settings apply to AMP pages only. You may be asked to set these preferences again when you visit non-AMP BBC pages.

The lightweight mobile page you have visited has been built using Google AMP technology.

Strictly necessary data collection

To make our web pages work, we store some limited information on your device without your consent.

Read more about the essential information we store on your device to make our web pages work.

We use local storage to store your consent preferences on your device.

Optional data collection

When you consent to data collection on AMP pages you are consenting to allow us to display personalised ads that are relevant to you when you are outside of the UK.

Read more about how we personalise ads in the BBC and our advertising partners.

You can choose not to receive personalised ads by clicking “Reject data collection and continue” below. Please note that you will still see advertising, but it will not be personalised to you.

You can change these settings by clicking “Ad Choices / Do not sell my info” in the footer at any time.

Source…