Tag Archive for: Leaked

Oakland confirms some private data leaked in ransomware attack


OAKLAND, Calif. (KRON) — An unspecified amount of data stolen from the City of Oakland in a recent ransomware attack has been leaked online, according to a statement from city officials.

On Friday, the City of Oakland confirmed that a third party was able to acquire some of the data from the attack, and they planned to release the information publicly. By Saturday afternoon, ransomware group PLAY had claimed responsibility for the attack and released the data.

The city shared a statement with KRON4 about the status of the investigation into the attack:

“While the investigation into the scope of the incident impacting the City of Oakland remains ongoing, we recently became aware that an unauthorized third party has acquired certain files from our network and released some of this information. We are working with third-party specialists and law enforcement on this issue, and are reviewing the involved files to determine their contents. If we determine that any individual’s personal information is involved, we will notify those individuals in accordance with applicable law.

Protecting the confidentiality of the information we hold is a responsibility we take seriously. We will continue to work diligently to investigate and address this incident while working with our expert teams to enhance our security even more moving forward.”


The City of Oakland initially informed residents of the ransomware attack on Feb. 10, nine days after the attack began. Several non-emergency systems were impacted afterwards including city phone systems, wireless internet at libraries, and the parking citation center. Most of these systems were back up by Feb. 28.

Cybersecurity analyst and security researcher Dominic Alvieri tells KRON4 he saw the post from PLAY threat group. He says employee IDs, passports and other documents were shared in the leak.

Source…

Oakland Confirms Data Leaked in Ransomware Attack – NBC Bay Area




Source…

Android game with 1m downloads leaked users’ private messages


Popular mobile role-playing game (RPG) Tap Busters: Bounty Hunters spilled sensitive user data.

Research by Cybernews discovered that the Tap Busters: Bounty Hunters app had left its database open to the public, allegedly exposing users’ private conversations for at least five months.

Also, app developers had sensitive data hardcoded into the client side of the app, making it vulnerable to further data leaks.

Tap Busters: Bounty Hunters is an idle RPG game with more than one million downloads on Google Play Store and a 4.5-star rating based on more than 45,000 reviews. In the game, players take on the role of bounty hunters trying to become masters of the galaxy. They defeat villains and collect loot as they travel through different alien realms. Idle game mechanics mean that players can progress in-game without constant input.

Significance

Researchers discovered that Tap Busters: Bounty Hunters leaked data through unprotected access to Firebase, Google’s mobile application development platform that provides cloud-hosted database services. Anyone could have accessed the database in the meantime.

The 349MB-strong unprotected dataset contained user IDs, usernames, timestamps, and private messages. If the leaked data had not been backed up and a malicious actor had chosen to delete it, it is possible that users’ private messages would have been permanently lost without the possibility of recovery.

Along with an open Firebase instance, the developers left some sensitive information, commonly known as secrets, hardcoded in the application’s client side. The keys found were: firebase_database_url, gcm_defaultSenderId, default_web_client_id, google_api_key, google_app_id, google_crash_reporting_api_key, google_storage_bucket.

Hardcoding sensitive data into the client side of an Android app is unsafe, as in most cases, it can be easily accessed through reverse engineering.

No response

The game’s developer is Tilting Point, which owns several other successful games with a large player community. Some of these games have over five million downloads. The app developer was informed of the data spill but failed to close public access to the database.

The app developers…

Source…

The LastPass disclosure of leaked password vaults is being torn apart by security experts


Last week, just before Christmas, LastPass dropped a bombshell announcement: as the result of a breach in August, which led to another breach in November, hackers had gotten their hands on users’ password vaults. While the company insists that your login information is still secure, some cybersecurity experts are heavily criticizing its post, saying that it could make people feel more secure than they actually are and pointing out that this is just the latest in a series of incidents that make it hard to trust the password manager.

LastPass’ December 22nd statement was “full of omissions, half-truths and outright lies,” reads a blog post from Wladimir Palant, a security researcher known for helping originally develop AdBlock Pro, among other things. Some of his criticisms deal with how the company has framed the incident and how transparent it’s being; he accuses the company of trying to portray the August incident where LastPass says “some source code and technical information were stolen” as a separate breach when he says that in reality the company “failed to contain” the breach.

“LastPass’s claim of ‘zero knowledge’ is a bald-faced lie.”

He also highlights LastPass’ admission that the leaked data included “the IP addresses from which customers were accessing the LastPass service,” saying that could let the threat actor “create a complete movement profile” of customers if LastPass was logging every IP address you used with its service.

Another security researcher, Jeremi Gosney, wrote a long post on Mastodon explaining his recommendation to move to another password manager. “LastPass’s claim of ‘zero knowledge’ is a bald-faced lie,” he says, alleging that the company has “about as much knowledge as a password manager can possibly get away with.”

LastPass claims its “zero knowledge” architecture keeps users safe because the company never has access to your master password, which is the thing that hackers would need to unlock the stolen vaults. While Gosney doesn’t dispute that particular point, he does say that the phrase is misleading. “I think most people envision their vault as a sort of encrypted database where the…

Source…