A security researcher recently discovered a flaw in the way Instagram handled the validation of password reset codes. This defect means an attacker could request one million password reset codes within a ten-minute window and with 100% success. https://twitter.com/TheEllenShow/status/1164909072119787521
ISBuzz Team
Cybersecurity company Imperva has disclosed a data breach associated with customers of its Cloud WAF product, with exposed details including email addresses, hashed and salted passwords, API keys and customer-provided SSL certificates. https://twitter.com/CyberNewsApp/status/1166492133613809665
Instagram users are currently targeted by a new phishing campaign that uses login attempt warnings coupled with what looks like two-factor authentication (2FA) codes to make the scam more believable. Crooks use phishing to trick potential victims into handing over sensitive information via fraudulent websites they control with the help of a wide range of social engineering techniques, as well as messages designed to look like they’re sent by someone they know or a legitimate organization, Bleeping Computer reported.
Almost 14 million customers of hosting provider Hostinger need to reset their passwords after a hacker got into the company's database. The incident occurred on August 23, and a third party was able to access usernames, hashed passwords, emails, first names, and IP addresses. This was possible because the server held an authorization token that allowed access and privilege escalation to a RESTful API used for queries about customers and their accounts, including phone numbers and home or business addresses. https://twitter.com/DavidPapp/status/1165881978517954561
The Security Service of Ukraine (SBU) last month discovered unauthorized computer equipment at the South Ukraine Nuclear Power Station near the city of Yuzhnoukrainsk in the Mykolaiv province. Investigators found that workers, possibly with assistance from some of the National Guard troops that protected the facility, were running a cryptocurrency mining operation. They were not using plant equipment — they took their own mining rigs into an administrative building — but they were using the organization’s electricity network to power their devices. Cryptocurrency mining equipment requires a lot of power and entities involved in these types of activities often look…
The UK’s cyber-security agency today warned developers to consider moving Python 2.x codebases to the newer 3.x branch because of the looming end-of-life (EOL) of Python 2, scheduled for January 1, 2020. The UK National Cyber Security Centre (NCSC) cited security risks and possible code breakage in existing apps as the primary reasons, ZDNet reported.
Boston-based Massachusetts General Hospital has begun notifying 10,000 patients that their personal health information may have been exposed in a data breach, according to the Boston Globe. An unauthorized third party gained access to two computer programs used by researchers in the hospital’s neurology department in June. Massachusetts General Hospital took immediate steps to secure the programs. Patient data that may have been affected included names, dates of birth, medical record numbers and medical histories. No Social Security numbers or financial information were affected.
Vice reported that contractors working for Microsoft have listened to audio of Xbox users speaking in their homes in order to improve the console’s voice command features, Motherboard has learned. The audio was supposed to be captured only after a voice command like “Xbox” or “Hey Cortana,” but contractors said that recordings were sometimes triggered and recorded by mistake. The news is the latest in a string of revelations showing that contractors working on behalf of Microsoft listen to audio captured by several of its products. Motherboard previously reported that human contractors were listening to some Skype calls as well as audio recorded by Cortana, Microsoft’s Siri-like virtual…
In light of the recent Capital One data breach, where a misconfiguration in a cloud server resulted in a hacker exploiting 100 million customer accounts, a new study from Tripwire has found that 84 percent of organisations find maintaining security configurations across cloud services difficult. The study conducted by Tripwire surveyed security professionals attending Black Hat Las Vegas 2019, and also revealed that 75 percent think it’s easy to accidentally expose data publicly through the cloud.
It has been reported that, according to security firm ZeroFox, there has been a 56% year-over-year increase in digital threats targeting the financial space. Researchers scanned 2.9 billion pieces of content and found more than 8.9 million security events in a 12-month period. Brand abuse and manipulation was the most common threat, with more than 250,000 events. Ninety percent of these were name impersonations, often not easily detected due to disguising tactics.
