data breach | Breaking Cybersecurity News | The Hacker News

Chrome Bug Allowed Hackers to Find Out Everything Facebook Knows About You

Aug 16, 2018
With the release of Chrome 68, Google prominently marks all non-HTTPS websites as 'Not Secure' in its browser to make the web a safer place for Internet users. If you haven't yet, there is another significant reason to switch to the latest version of the Chrome web browser immediately. Ron Masas, a security researcher at Imperva, has discovered a vulnerability in web browsers that could allow attackers to find out everything other web platforms, like Facebook and Google, know about you, and all they need to do is trick you into visiting a website. The vulnerability, identified as CVE-2018-6177, takes advantage of a weakness in the audio/video HTML tags and affects all web browsers powered by the Blink engine, including Google Chrome. To illustrate the attack scenario, the researcher took Facebook as an example: a popular social media platform that collects in-depth profiling information on its users, including their age, gender, where you have been (loca
Snapchat Hack — Hacker Leaked Snapchat Source Code On GitHub

Aug 08, 2018
The source code of the popular social media app Snapchat recently surfaced online after a hacker leaked it on the Microsoft-owned code repository GitHub. A GitHub account under the name Khaled Alshehri, with the handle i5xx, who claimed to be from Pakistan, created a repository called Source-Snapchat with the description "Source Code for SnapChat," publishing what purported to be the code of Snapchat's iOS app. The code could potentially expose the company's highly confidential information, such as the entire design of the hugely successful messaging app, how the app works, and what future features are planned for it. Snapchat's parent company, Snap Inc., responded to the leak by filing a takedown request under the Digital Millennium Copyright Act (DMCA), which led GitHub to remove the repository hosting the code. SnapChat Hack: GitHub Took Down Repository After DMCA Notice Though it is not clear
How to Accelerate Vendor Risk Assessments in the Age of SaaS Sprawl

Mar 21, 2024 | SaaS Security / Endpoint Security
In today's digital-first business environment, dominated by SaaS applications, organizations increasingly depend on third-party vendors for essential cloud services and software. As more vendors and services are added to the mix, the complexity of the SaaS supply chain, and the potential vulnerabilities within it, snowball quickly. That is why effective vendor risk management (VRM) is a critical strategy for identifying, assessing, and mitigating risks to organizational assets and data integrity. Meanwhile, common approaches to vendor risk assessment are too slow and static for the modern world of SaaS. Most organizations have simply taken the legacy evaluation techniques they used for on-premises software and applied them to SaaS providers. This not only creates massive bottlenecks but also causes organizations to inadvertently accept far too much risk. To adapt to the realities of modern work, two major aspects need to change: the timeline of the initial assessment must shorte
Reddit Hacked – Emails, Passwords, Private Messages Stolen

Aug 02, 2018
Another day, another significant data breach. This time the victim is Reddit; it seems someone is really pissed off with Reddit's account ban policy or biased moderators. Reddit announced today that it suffered a security breach in June that exposed some of its users' data, including their current email addresses and an old 2007 database backup containing usernames and hashed passwords. According to Reddit, the unknown hacker(s) managed to gain read-only access to some of its systems that contained user backup data, source code, internal logs, and other files. In a post published on the platform Wednesday, Reddit Chief Technology Officer Christopher Slowe admitted that the hack was a serious one, but assured users that the attackers did not gain write access to Reddit systems. "[The attackers] were not able to alter Reddit information, and we have taken steps since the event to further lock down and rotate all production secrets and API k
Dixons Carphone Data Breach Affects 10 Million Customers

Jul 31, 2018
Dixons Carphone's 2017 data breach was worse than initially thought. In an announcement on Monday, Dixons Carphone, one of the largest consumer electronics and telecommunications retailers in Europe, admitted that the breach affected around 10 million customers, up from the initial estimate of 1.2 million the company gave back in June. The company, which has been investigating the hack since it was discovered in June this year, said the investigation is nearly complete and that there is now evidence some of the data may have been taken from its systems. The owner of Carphone Warehouse and Currys PC World said the attackers may have accessed personal information of the affected customers, including their names, postal addresses and email addresses, last year. The attackers also gained access to 5.9 million payment cards used at Currys PC World and Dixons Travel, but nearly all of those cards were protected by chip-and-PIN. However, Dixons Carphone assured its cust
Activist Leaks 11,000 Private Messages from WikiLeaks' Twitter Chats

Jul 31, 2018
An activist has just leaked thousands of private messages from an organization known for publishing others' secrets. More than 11,000 direct messages from a Twitter group used by WikiLeaks and around 10 close supporters have been posted online by journalist and activist Emma Best, exposing private chats from 2015 to 2017. The leaked chats had been referenced by American media outlets earlier this year, but for the first time all 11,000 messages have been published online, allowing anyone to scroll through and read them. "The chat is presented nearly in its entirety, with less than a dozen redactions made to protect the privacy and personal information of innocent, third parties. The redactions don't include any information that's relevant to WikiLeaks or their activities," Best said. The leaked DMs of the private Twitter chat group, dubbed "Wikileaks +10" by Best, show WikiLeaks' strong Republican favoritism,
Boys Town Healthcare Data Breach Exposed Personal Details of Patients

Jul 30, 2018
Another day, another data breach! This time, sensitive personal data of more than 100,000 people at Boys Town National Research Hospital has been exposed in what appears to be the largest breach ever reported by a pediatric care provider or children's hospital. According to the U.S. Department of Health and Human Services Office for Civil Rights, the incident affected 105,309 individuals, including patients and employees, at the Omaha-based medical organization. In a "Notice of Data Security Incident" published on its website, Boys Town National Research Hospital said it became aware of abnormal behavior involving one of its employees' email accounts on May 23, 2018. After launching a forensic investigation, the hospital found that an unknown attacker had gained unauthorized access to the employee's email account and stolen personal information stored within it. T
Singapore's Largest Healthcare Group Hacked, 1.5 Million Patient Records Stolen

Jul 20, 2018
Singapore's largest healthcare group, SingHealth, has suffered a massive data breach that allowed hackers to steal personal information on 1.5 million patients who visited SingHealth clinics between May 2015 and July 2018. SingHealth is the largest healthcare group in Singapore, with two tertiary hospitals, five national specialty centres, and eight polyclinics. According to an advisory released by Singapore's Ministry of Health (MOH), along with the personal data, the hackers also managed to steal 'information on the outpatient dispensed medicines' of about 160,000 patients, including Singapore's Prime Minister Lee Hsien Loong and a few ministers. "On 4 July 2018, IHiS' database administrators detected unusual activity on one of SingHealth's IT databases. They acted immediately to halt the activity," MOH said. The stolen data includes patients' names, addresses, gender, race, dates of birth, and National Registration Identity Card (NRIC) numbers. Th
DomainFactory Hacked—Hosting Provider Asks All Users to Change Passwords

Jul 09, 2018
Besides Timehop, another data breach was discovered last week, this one affecting users of DomainFactory, one of the largest web hosting companies in Germany and a GoDaddy subsidiary. The breach initially happened back in January this year and only emerged last Tuesday, when the unknown attacker himself posted a breach note on the DomainFactory support forum. It turns out that the attacker breached the company's servers to obtain the data of one of its customers who apparently owes him a seven-figure amount, according to Heise. The attacker later tried to report to DomainFactory the vulnerability he had used to break into its servers, but the hosting provider did not respond and did not disclose the breach to its customers. In that situation, the attacker went to the company's support forum and broke the news himself, posting sample data of a few customers as proof, which forced DomainFactory to immediately shut down the forum and launch an investigation. Attacker G
Timehop Hacked — Hackers Stole Personal Data Of All 21 Million Users

Jul 09, 2018
And the hacks just keep coming. The Timehop social media app was hit by a major data breach on July 4 that compromised the personal data of more than 21 million users. Timehop is a simple social media app that collects your old photos and posts from your iPhone, Facebook, Instagram, Twitter, and Foursquare and acts as a digital time machine, showing you what you were doing on this very day one or more years ago. The company revealed on Sunday that unknown attacker(s) managed to break into its cloud computing environment and access the data of all 21 million users, including their names, email addresses, and approximately 4.7 million phone numbers attached to their accounts. "We learned of the breach while it was still in progress, and were able to interrupt it, but data was taken. Some data was breached," the company wrote in a security advisory posted on its website. Social Media OAuth2 Tokens Also Compromised Moreover, the attackers also got th
Facebook Admits Sharing Users' Data With 61 Tech Companies

Jul 02, 2018
Facebook has admitted that it gave dozens of tech companies and app developers special access to its users' data after publicly saying it had cut off outside companies' access to such data back in 2015. It is an unusually clear view of how the largest social networking site manages your personal information. When the Cambridge Analytica scandal was revealed in March this year, Facebook stated that it had already cut off third-party access to data on its users and their friends in May 2015. However, in a 747-page document [PDF] delivered to Congress late Friday, the social networking giant admitted that it continued sharing data with 61 hardware and software makers, as well as app developers, after 2015. The disclosure comes in response to hundreds of questions posed to Facebook CEO Mark Zuckerberg by members of Congress in April about the company's handling of data on its billions of users. The Washington Post reported that the company
Typeform, Popular Online Survey Software, Suffers Data Breach

Jun 29, 2018
Typeform, the popular Spain-based online data collection company that specializes in form building and online surveys for businesses worldwide, has today disclosed a data breach that exposed partial data of some of its users. The company identified the breach on June 27 and then quickly performed a full forensic investigation of the incident to identify its source. According to the company, unknown attackers managed to gain unauthorized access to its servers and downloaded a partial backup of data for surveys conducted before May 3, 2018. Typeform confirmed that it patched the issue within half an hour of identifying the intrusion and emailed all affected users, warning them to watch out for potential phishing scams or spam emails. The company did not disclose details of the vulnerability the attackers exploited to gain access to its servers, though it assured its users that no payment card details or pass
Another Facebook Quiz App Left 120 Million Users' Data Exposed

Jun 28, 2018
People are still getting over the most controversial data scandal of the year, the Cambridge Analytica scandal, and Facebook is under fire yet again after it emerged that a popular quiz app on the social media platform exposed the private data of up to 120 million users for years. Facebook was embroiled in controversy earlier this year over a quiz app that sold data on 87 million users to a political consultancy firm that reportedly helped Donald Trump win the US presidency in 2016. Now a different third-party quiz app, NameTests, has been found exposing data on up to 120 million Facebook users to anyone who happened to look for it, an ethical hacker revealed. NameTests[.]com, the website behind popular social quizzes like "Which Disney Princess Are You?", has around 120 million monthly users and uses Facebook's app platform to offer a fast way to sign up. Just like any other Facebook app, signing up on the NameTests website through its app allows the company to fetch neces
Ticketmaster Suffers Security Breach – Personal and Payment Data Stolen

Jun 28, 2018
Global entertainment ticketing service Ticketmaster has admitted that it suffered a security breach, warning customers that their personal and payment information may have been accessed by an unknown third party. The company has blamed a third-party customer support chat application for the breach, which is believed to affect tens of thousands of its customers. The customer support chat application, made by Inbenta Technologies, a third-party artificial intelligence supplier, is used to help major websites interact with their customers. In its statement, Ticketmaster said it discovered malicious software on the customer support application hosted on its UK website that allowed attackers to extract personal and payment information from customers buying tickets. Ticketmaster disabled the Inbenta product across all of its websites as soon as it recognized the malicious code. However, Inbenta Technologies turned the blame back on Ticketmaster, sa
Thousands of Mobile Apps Expose Their Unprotected Firebase Hosted Databases

Jun 21, 2018
Mobile security researchers have discovered unprotected Firebase databases belonging to thousands of iOS and Android mobile applications that are exposing over 100 million data records, including plaintext passwords, user IDs, location data, and in some cases financial records such as banking and cryptocurrency transactions. Google's Firebase service is one of the most popular back-end development platforms for mobile and web applications; it offers developers a cloud-based database that stores data in JSON format and syncs it in real time with all connected clients. Researchers from mobile security firm Appthority discovered that many app developers fail to properly secure their back-end Firebase endpoints with firewalls and authentication, leaving hundreds of gigabytes of their customers' sensitive data publicly accessible to anyone. Since Firebase offers app developers an API server, as shown below, to access the databases hosted with the service, attackers can gain acce
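The misconfiguration described above comes down to a Realtime Database whose security rules grant read or write access to unauthenticated clients. The following is an added example, not code from the article or from Appthority: a small linter that walks a Firebase rules document and reports every node open to anyone, run over two constructed rule sets (the classic fully open ruleset beside a corrected one scoped to the authenticated user's own subtree), plus a helper that builds the REST URL whose unauthenticated `GET` reveals whether the root is publicly readable. The project ID `example-app-12345` is a placeholder.

```python
"""Lint Firebase Realtime Database security rules for public access.

Added example; not from the original article or from Appthority. Both rule
sets below are constructed for illustration.
"""
from __future__ import annotations

import json

# Constructed: the classic "open" ruleset. Anyone who knows the database URL
# can read and write every node without presenting a token.
OPEN_RULES = json.loads("""
{
  "rules": {
    ".read": true,
    ".write": true
  }
}
""")

# Constructed: corrected rules. Nothing is readable at the root; each signed-in
# user may read and write only the subtree keyed by their own Firebase auth uid.
SCOPED_RULES = json.loads("""
{
  "rules": {
    "users": {
      "$uid": {
        ".read": "auth != null && auth.uid == $uid",
        ".write": "auth != null && auth.uid == $uid"
      }
    }
  }
}
""")


def _is_public(expr) -> bool:
    """Return True if a .read/.write expression grants access without auth.

    Firebase accepts a JSON boolean or a string expression. A literal true is
    public; an expression that never references `auth` cannot require a
    token, so it is flagged as well. This is a conservative lint, not a full
    evaluator of the rules language.
    """
    if expr is True:
        return True
    if isinstance(expr, str):
        text = expr.strip().lower()
        return text == "true" or ("auth" not in text and text != "false")
    return False


def find_public_paths(rules: dict) -> list[tuple[str, str]]:
    """Walk the rules tree and list (path, permission) pairs open to anyone."""
    findings: list[tuple[str, str]] = []

    def walk(node, path: str) -> None:
        if not isinstance(node, dict):
            return
        for key, value in node.items():
            if key in (".read", ".write"):
                if _is_public(value):
                    findings.append((path or "/", key))
            elif not key.startswith("."):  # skip .validate, .indexOn, etc.
                walk(value, f"{path}/{key}")

    walk(rules.get("rules", {}), "")
    return findings


def probe_url(project_id: str) -> str:
    """Build the REST URL that dumps the whole database as JSON.

    Firebase serves the RTDB over REST by appending `.json` to a node path. If
    an unauthenticated GET to this URL returns data instead of a permission
    error, the root is publicly readable. Only the URL is built here; no
    network request is made.
    """
    return f"https://{project_id}.firebaseio.com/.json"


if __name__ == "__main__":
    print("open rules   :", find_public_paths(OPEN_RULES))
    print("scoped rules :", find_public_paths(SCOPED_RULES))
    print("probe        :", probe_url("example-app-12345"))
```

Running the linter on a project's exported rules before each deploy catches the open root that the researchers found; the probe URL is the same check an attacker performs, so it belongs in a pre-release test against your own project ID only.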
MyHeritage Says Over 92 Million User Accounts Have Been Compromised

Jun 05, 2018
MyHeritage, the Israel-based DNA testing service for investigating family history, has disclosed that its website was breached last year by unknown attackers who stole the login credentials of more than 92 million customers. The company learned of the breach on June 4, 2018, after an unnamed security researcher discovered a database file named "myheritage" on a private server outside the company and shared it with the MyHeritage team. After analyzing the file, the company found that the database, which included the email addresses and hashed passwords of nearly 92.3 million users, belonged to customers who had signed up for the MyHeritage website before October 27, 2017. While the MyHeritage security team is still investigating the breach to identify any exploitation of its systems, the company confirmed that no other data, such as credit card details, family trees, or genetic data, was breached; that data is stored on separate sy
Facebook Accused of Giving Over 60 Device-Makers Deep Access to User Data

Jun 04, 2018
After being embroiled in controversies over its data sharing practices, it turns out that Facebook had granted inappropriate access to its users' data to more than 60 device makers, including Amazon, Apple, Microsoft, BlackBerry, and Samsung. According to a lengthy report published by The New York Times, the social network struck data-sharing partnerships with at least 60 device manufacturers so that they could offer Facebook messaging functions, "Like" buttons, address books, and other features without requiring their users to install a separate app. The agreements were reportedly made over the last 10 years, starting before Facebook apps were widely available on smartphones. Most notably, the publication suggests that the partnerships could be in breach of a 2011 consent decree with the Federal Trade Commission (FTC), which barred Facebook from granting other companies access to data on users' Facebook friends without their explicit consent
Finland's 3rd Largest Data Breach Exposes 130,000 Users' Plaintext Passwords

Apr 06, 2018
Over 130,000 Finnish citizens have had their credentials compromised in what appears to be the third-largest data breach the country has ever faced, local media report. The Finnish Communications Regulatory Authority (FICORA) is warning users of a large-scale data breach of a website maintained by the New Business Center in Helsinki ("Helsingin Uusyrityskeskus"), a company that provides business advice to entrepreneurs and helps them create sound business plans. Unknown attackers managed to hack the website (https://liiketoimintasuunnitelma.com) and stole over 130,000 users' usernames and passwords, which were stored on the site in plaintext, without any cryptographic hashing. Right after learning of the breach on April 3, the company took down the affected website, which currently shows an "under maintenance" notice with a press release about the incident on its homepage. "We are very sorry for all the people who have been subjected to crime a
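The detail that turns this breach from a leak of usernames into 130,000 usable credentials is the plaintext password column. As an added example, not code from the article or from the breached site, the block below contrasts a constructed plaintext row with a record that stores only a random per-user salt and a PBKDF2-HMAC-SHA256 digest, verifies a login against that record in constant time, and shows how an existing plaintext row would be migrated. It uses only the Python standard library; the iteration count is a tunable cost parameter, and the sample username and password are constructed.

```python
"""Salted, iterated password storage with the Python standard library.

Added example, not code from the original article or from the breached site.
It contrasts the storage the article describes (a plaintext password column,
constructed here as PLAINTEXT_ROW) with a record holding only a random salt
and a PBKDF2-HMAC-SHA256 digest, so a leaked table yields no usable logins.
"""
import hashlib
import hmac
import secrets

# Constructed sample of what the article describes: the password stored as-is.
PLAINTEXT_ROW = {"username": "alice", "password": "correct horse battery staple"}

# Work factor for PBKDF2-HMAC-SHA256; raise it as hardware gets faster.
ITERATIONS = 600_000
ALGORITHM = "pbkdf2_sha256"


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest.

    A fresh 16-byte random salt per password means identical passwords
    produce different records, so an attacker cannot crack them in bulk
    with a single precomputed table.
    """
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and cost; compare in constant time.

    Malformed records are rejected rather than raising, so a corrupted row
    cannot turn into an exception path that leaks information to a caller.
    """
    try:
        algorithm, iterations_text, salt_hex, digest_hex = record.split("$")
        if algorithm != ALGORITHM:
            return False
        iterations = int(iterations_text)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
    except ValueError:
        return False
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # hmac.compare_digest avoids the early-exit timing leak of ==.
    return hmac.compare_digest(actual, expected)


def migrate_row(row: dict) -> dict:
    """Convert a plaintext row into one that stores only the hash record.

    The plaintext value is popped so it does not survive in the new row; in a
    real migration the old column is then dropped and the backups purged.
    """
    hashed = dict(row)
    hashed["password_hash"] = hash_password(hashed.pop("password"))
    return hashed


if __name__ == "__main__":
    stored = migrate_row(PLAINTEXT_ROW)
    print(stored)
    print("login ok   :", verify_password("correct horse battery staple", stored["password_hash"]))
    print("wrong pass :", verify_password("hunter2", stored["password_hash"]))
```

The record carries its own cost parameter, so the iteration count can be raised later and old records re-hashed on the user's next successful login without a flag day.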
Facebook admits public data of its 2.2 billion users has been compromised

Apr 05, 2018
Facebook dropped another bombshell on its users by admitting that all of its 2.2 billion users should assume malicious third-party scrapers have compromised their public profile information. On Wednesday, Facebook CEO Mark Zuckerberg revealed that "malicious actors" took advantage of the "Search" tools on its platform to discover the identities of, and collect information on, most of its 2 billion users worldwide. The revelation once again underlines the social media giant's failure to protect users' privacy while generating billions of dollars in revenue from the same information. It came weeks after the disclosure of the Cambridge Analytica scandal, in which the personal data of 87 million users was improperly gathered and misused by the political consultancy firm that reportedly also helped Donald Trump win the US presidency in 2016. However, the latest abuse revealed by the social media giant, of Facebook's search tools over the
Russian Hacker Who Allegedly Hacked LinkedIn and Dropbox Extradited to US

Mar 31, 2018
A Russian man accused of hacking LinkedIn, Dropbox, and Formspring in 2012 and possibly compromising the personal details of over 100 million users has pleaded not guilty in a U.S. federal court after being extradited from the Czech Republic. Yevgeniy Aleksandrovich Nikulin, 30, of Moscow, was arrested in Prague on October 5, 2016, by Interpol agents working with the FBI, and was extradited to the United States from the Czech Republic on Thursday for his first appearance in federal court. Nikulin's arrest started an extradition battle between the United States and Russia, where he faces significantly lesser criminal charges of stealing $3,450 via WebMoney in 2009. The Czech Republic ruled in favor of the United States. In the U.S., Nikulin faces: 3 counts of computer intrusion; 2 counts of intentional transmission of information, code, or command causing damage to a protected computer; 2 counts of aggravated identity theft; 1 count
Facebook Collected Your Android Call History and SMS Data For Years

Mar 25, 2018
Facebook knows a lot about you, your likes and dislikes; that is no surprise. But did you know that if you have the Facebook Messenger app installed on your Android device, there is a chance the company had been collecting your contacts, SMS, and call history at least until late last year? A tweet from Dylan McKay, a New Zealand-based programmer, which received more than 38,000 retweets (at the time of writing), showed how he found years-old data, including complete logs of incoming and outgoing calls and SMS messages, in an archive he downloaded (as a ZIP file) from Facebook. Facebook had been collecting this data on its users for the last few years, which had even been reported in the media earlier, but the story did not get much attention at the time. Since Facebook has been embroiled in controversies over its data sharing practices following the Cambridge Analytica scandal last week, McKay's tweets went viral and have now fueled the never-ending privacy debate. A Facebook spokespe