data protection | Breaking Cybersecurity News | The Hacker News

Every tap, click, and swipe we make online shapes our digital lives, but it also opens doors—some we never meant to unlock. Extensions we trust, assistants we rely on, and even the codes we scan are turning into tools for attackers. The line between convenience and vulnerability has never been thinner. This week, we dive into the hidden risks, surprising loopholes, and the clever tricks cybercriminals are using to outsmart the systems we depend on. Stay with us as we unpack what’s happening behind the screen and how you can stay one step ahead. ⚡ Threat of the Week Dozens of Google Chrome Extensions Caught Stealing Sensitive Data — The challenges with securing the software supply chain reared once again after about three dozen extensions were found surreptitiously siphoning sensitive data from roughly 2.6 million devices for several months as part of two related campaigns. The compromises came to light after data loss prevention service Cyberhaven revealed that its browser extens...

Details have emerged about three now-patched security vulnerabilities in Dynamics 365 and Power Apps Web API that could result in data exposure. The flaws, discovered by Melbourne-based cybersecurity company Stratus Security, have been addressed as of May 2024. Two of the three shortcomings reside in Power Platform's OData Web API Filter , while the third vulnerability is rooted in the FetchXML API . The root cause of the first vulnerability is the lack of access control on the OData Web API Filter, thereby allowing access to the contacts table that holds sensitive information such as full names, phone numbers, addresses, financial data, and password hashes. A threat actor could then weaponize the flaw to perform a boolean-based search to extract the complete hash by guessing each character of the hash sequentially until the correct value is identified. "For example, we start by sending startswith(adx_identity_passwordhash, 'a') then startswith( adx_identity_p...

The Dutch Data Protection Authority (DPA) on Wednesday fined video on-demand streaming service Netflix €4.75 million ($4.93 million) for not giving consumers enough information about how it used their data between 2018 and 2020. An investigation launched by the DPA in 2019 found that the tech giant did not inform customers clearly enough in its privacy statement about what it does with the data it collects from its users. This includes email addresses, telephone numbers, payment details, as well as information about what customers watch on the platform. "Furthermore, customers did not receive sufficient information when they asked Netflix which data the company collects about them," the DPA said , adding these constitute violations of the General Data Protection Regulation (GDPR). Besides failing to clarify the purpose and legal basis for gathering the data, the company has also been accused of being unclear about what kinds of information are shared with third-parties a...

This past week has been packed with unsettling developments in the world of cybersecurity. From silent but serious attacks on popular business tools to unexpected flaws lurking in everyday devices, there’s a lot that might have flown under your radar. Attackers are adapting old tricks, uncovering new ones, and targeting systems both large and small. Meanwhile, law enforcement has scored wins against some shady online marketplaces, and technology giants are racing to patch problems before they become a full-blown crisis. If you’ve been too busy to keep track, now is the perfect time to catch up on what you may have missed. ⚡ Threat of the Week Cleo Vulnerability Comes Under Active Exploitation — A critical vulnerability (CVE-2024-50623) in Cleo's file transfer software—Harmony, VLTrader, and LexiCom—has been actively exploited by cybercriminals , creating major security risks for organizations worldwide. The flaw enables attackers to execute code remotely without authorization...

Germany's Federal Office of Information Security (BSI) has announced that it has disrupted a malware operation called BADBOX that came preloaded on at least 30,000 internet-connected devices sold across the country. In a statement published earlier this week, authorities said they severed the communications between the devices and their command-and-control (C2) servers by sinkholing the domains in question. Impacted devices include digital picture frames, media players, and streamers, and likely phones and tablets. "What all of these devices have in common is that they have outdated Android versions and were delivered with pre-installed malware," the BSI said in a press release. BADBOX was first documented by HUMAN's Satori Threat Intelligence and Research team in October 2023, describing it as a "complex threat actor scheme" that involves deploying the Triada Android malware on low-cost, off-brand Android devices by exploiting weak supply chain links...

Details have emerged about a now-patched security vulnerability in Apple's iOS and macOS that, if successfully exploited, could sidestep the Transparency, Consent, and Control ( TCC ) framework and result in unauthorized access to sensitive information. The flaw, tracked as CVE-2024-44131 (CVSS score: 5.3), resides in the FileProvider component, per Apple, and has been addressed with improved validation of symbolic links (symlinks) in iOS 18, iPadOS 18 , and macOS Sequoia 15 . Jamf Threat Labs, which discovered and reported the flaw, said the TCC bypass could be exploited by a rogue installed on the system to grab sensitive data without users' knowledge. TCC serves as a critical security protection in Apple devices, giving end users a way to allow or deny a request from apps to access sensitive data, such as GPS location, contacts, and photos, among others. "This TCC bypass allows unauthorized access to files and folders, Health data, the microphone or camera, and m...

This week’s cyber world is like a big spy movie. Hackers are breaking into other hackers’ setups, sneaky malware is hiding in popular software, and AI-powered scams are tricking even the smartest of us. On the other side, the good guys are busting secret online markets and kicking out shady chat rooms, while big companies rush to fix new security holes before attackers can jump in. Want to know who’s hacking who, how they’re doing it, and what’s being done to fight back? Stick around—this recap has the scoop. ⚡ Threat of the Week Turla Hackers Hijack Pakistan Hackers' Infrastructure — Imagine one hacker group sneaking into another hacker group ’s secret hideout and using their stuff to carry out their own missions. That’s basically what the Russia-linked Turla group has been doing since December 2022. They broke into the servers of a Pakistani hacking team called Storm-0156 and used those servers to spy on government and military targets in Afghanistan and India. By doing th...

Many organizations struggle with password policies that look strong on paper but fail in practice because they're too rigid to follow, too vague to enforce, or disconnected from real security needs. Some are so tedious and complex that employees post passwords on sticky notes under keyboards, monitors, or desk drawers. Others set rules so loose they may as well not exist. And many simply copy generic standards that don't address their specific security challenges. Creating a password policy that works to protect your organization in the real world requires a careful balance: it must be strict enough to protect your systems, flexible enough for daily work, and precise enough to be enforced consistently. Let's explore five strategies for building a password policy that works in the real world. 1. Build compliant password practices Is your organization in a regulated industry like healthcare, government, agriculture, or financial services? If so, one of your top priorities...