A Shopify plugin meant to safeguard privacy did the opposite. For over 100 days, it quietly exposed hundreds of online stores to the kind of risk most businesses dread; data theft, full account takeover, and hijacked ad spend. Ironically, the culprit was a compliance plugin called Consentik, built to help Shopify merchants adhere to regulations like GDPR and CCPA. The flaw turned out to be an unsecured Kafka server that broadcast sensitive data in real-time. No password, no firewall, no warning. Researchers at Cybernews discovered the misconfigured server leaking: Shopify Personal Access Tokens Facebook Ad Tokens Real-time store analytics All…
Kirsten Doyle
Kirsten Doyle
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
A medical billing company tied to UnitedHealth has suffered one of the year’s largest healthcare breaches. More than 5.4 million people have been caught in the fallout. Episource, which handles claims and billing for doctors and hospitals, said a criminal gained access to its systems earlier this year. The breach lasted a week, ending on 6 February. In that time, the attacker was able to “see and take copies” of patient data. The information stolen includes names, phone numbers, addresses, emails. It also includes medical record numbers, test results, diagnoses, prescriptions, and other treatment data. Insurance plans and policy numbers…
A Chinese state-backed hacking group infiltrated a U.S. Army National Guard network and stayed there, undetected, for most of 2024. The group, known as Salt Typhoon, is believed to have operated inside the network of an unnamed U.S. state from March through December, according to a Department of Homeland Security memo. Their reach may have extended far beyond that single state. The threat actors exfiltrated sensitive data. Network traffic. Admin credentials. Diagrams. Even personally identifiable information and the geographic locations of National Guard personnel. According to the Pentagon’s findings, over and above mapping the compromised network, Salt Typhoon mapped its…
This year’s AI Appreciation Day shines a light on the rising power of artificial intelligence in every field. Cybersecurity experts come together to discuss what AI has achieved, and the hurdles it still faces. Cybersecurity experts share their views with Information Security Buzz: Traditional Access Controls Fall Short Rom Carmel, Co-founder and CEO at Apono, adds that unlike static on-prem environments, cloud infrastructure is distributed and dynamic, requiring real-time capabilities to manage access securely and efficiently. “As organizations scale and adopt multi-cloud architectures, traditional access controls often fall short, lacking the agility and context awareness needed to keep pace.” Carmel…
Threat actors have a new trick: hiding malicious JavaScript inside what looks like an innocent image, according to the Ontinue research team. A string of phishing campaigns is using SVG (Scalable Vector Graphics) files to smuggle browser redirects past traditional security tools. The result? Stealthy attacks, minimal user interaction, and victims who never see it coming. Images That Bite SVGs aren’t just pictures. They’re text-based XML files, which means attackers can slip JavaScript into them without raising alarms. In these campaigns, the SVG files include hidden scripts disguised within script tags, using a format that conceals the actual code content.…
The Cybersecurity and Infrastructure Security Agency (CISA) has issued a grave warning about a critical vulnerability affects railroad communication systems across the US. The flaw, designated as CVE-2025-1727, can potentially enable bad actors to control train brakes remotely (radio-proximity, not global internet). This vulnerability focuses on the End-of-Train and Head-of-Train protocols, collectively known as FRED. These systems link trains in movement. This vulnerability stems from insecure authentication within the protocol. Attackers can exploit this by using software-defined radio to spoof brake control packets. If exploited, the consequences could be dire. Unauthorized commands might cause sudden stops or brake failures. Such…
Four young people have been arrested after cyber attacks on some of the UK’s best-known retailers. The National Crime Agency picked up two 19-year-old men, a 17-year-old boy, and a 20-year-old woman. Early morning raids. Homes searched. Devices seized. All remain in custody. The arrests follow coordinated attacks on M&S, Co-op and Harrods in April. The suspects are being questioned on suspicion of blackmail, money laundering, computer misuse, and organised crime. Paul Foster, Deputy Director of the NCA’s National Cyber Crime Unit, said: “Since these attacks took place, specialist NCA cybercrime investigators have been working at pace and the investigation…
Four linked vulnerabilities in OpenSynergy’s Blue SDK allow attackers to take over a vehicle’s infotainment system with a single click. The flaws affect major automotive brands, including Mercedes-Benz, Volkswagen, and Skoda. The PCA Security Assessment Team discovered the issues while analyzing compiled Blue SDK binaries. They didn’t have source code. They didn’t need it. The vulnerabilities affect the Bluetooth protocol stack used by many embedded systems in the automotive supply chain. Together, the flaws create a path to remote code execution in the operating system of the affected unit. Four Vulnerabilities, One Attack Chain The bugs span two components of…
A new vulnerability in Google Gemini for Workspace shows how AI can be turned into a silent accomplice. A security researcher has uncovered a way to smuggle malicious commands into an email, hidden from the user’s view but faithfully executed by Gemini. When the recipient clicks “Summarize this email,” Gemini parses the invisible instruction and inserts a phishing warning that appears to come directly from Google. There are no links. No attachments. Just invisible code buried in the email body. This indirect prompt injection (logged by 0DIN as submission 0xE24D9E6B) relies on HTML and CSS trickery. A few lines of…
A security lapse in McHire, McDonald’s chatbot-powered recruitment platform, exposed personal data from more than 64 million job applicants. The breach combined two fundamental flaws: default administrator credentials and an insecure direct object reference (IDOR) vulnerability. McHire, used by 90% of McDonald’s franchisees, lets candidates chat with a bot named Olivia, built by Paradox.ai, to apply for jobs, share personal details, and take a brief personality test. Two independent security researchers, Ian Carroll and Sam Curry, uncovered the flaws during a brief, informal review after spotting user complaints about the chatbot’s erratic behavior on Reddit. “123456” and You’re In While…