ThreatPost: Exposed Database Reveals 100K+ Compromised Facebook Accounts

ThreatPost: Exposed Database Reveals 100K+ Compromised Facebook Accounts. “Cybercriminals left an ElasticSearch database exposed, revealing a global attack that compromised Facebook accounts and used them to scam others. Researchers have uncovered a wide-ranging global scam targeting Facebook users, after finding an unsecured database used by fraudsters to store the usernames and passwords of at least 100,000 victims.”

ThreatPost: Millions of Hotel Guests Worldwide Caught Up in Mass Data Leak

ThreatPost: Millions of Hotel Guests Worldwide Caught Up in Mass Data Leak. “A widely used hotel reservation platform has exposed 10 million files related to guests at various hotels around the world, thanks to a misconfigured Amazon Web Services S3 bucket. The records include sensitive data, including credit-card details.”

ZDNet: 23,600 hacked databases have leaked from a defunct ‘data breach index’ site

ZDNet: 23,600 hacked databases have leaked from a defunct ‘data breach index’ site. “More than 23,000 hacked databases have been made available for download on several hacking forums and Telegram channels in what threat intel analysts are calling the biggest leak of its kind. The database collection is said to have originated from Cit0Day.in, a private service advertised on hacking forums to other cybercriminals.”

BetaNews: Source code for Windows XP and other Microsoft software leaks online

BetaNews: Source code for Windows XP and other Microsoft software leaks online. “Torrents have appeared online containing the source code for Windows XP, Windows 2000, and other software from Microsoft. Shared on the notorious 4chan, a collection of files approaching 50GB in size also include the source code for Windows Server 2003, Windows NT and MS DOS.”

ThreatPost: Unsecured Microsoft Bing Server Leaks Search Queries, Location Data

ThreatPost: Unsecured Microsoft Bing Server Leaks Search Queries, Location Data. “An unsecured database has exposed sensitive data for users of Microsoft’s Bing search engine mobile application – including their location coordinates, search terms in clear text and more. While no personal information, like names, were exposed, researchers with Wizcase argued that enough data was available that it would be possible to link these search queries and locations to user identities — giving bad actors information ripe for blackmail attacks, phishing scams and more.”

InfoSecurity: Webmaster Portal Leaks 63 Million Records

InfoSecurity: Webmaster Portal Leaks 63 Million Records. “Back in July, researchers at WebsitePlanet teamed up with Jeremiah Fowler to discover an Elasticsearch database belonging to Digital Planet that was left online without password protection, exposing nearly 63 million records. These included emails, names, internal user ID numbers, internal records and user posts related to 863,412 users of the site.”

Gizmodo: Prison Phone App Exposes Millions of Inmate Messages and Personal Data

Gizmodo: Prison Phone App Exposes Millions of Inmate Messages and Personal Data. “As many incarcerated individuals are having their visiting privileges restricted due to the global pandemic, Telmate’s Getting Out app has become one of the only options that families separated by incarceration have to keep in touch. But according to research published today, hundreds of millions of intimate messages from many millions of inmates were sitting exposed on the web.”

Tom’s Guide: 235 million Instagram, TikTok profiles exposed in data leak — what to do now

Tom’s Guide: 235 million Instagram, TikTok profiles exposed in data leak — what to do now. “Data from almost 235 million social-media profiles was left exposed on the open internet by a company that had ‘scraped’ the information from Instagram, TikTok and YouTube. The exposed data included full names, ages, genders, profile photos and, in some cases, telephone numbers and email addresses.”

BetaNews: 10 billion exposed credentials and where to find them

BetaNews: 10 billion exposed credentials and where to find them. “Researchers at password manager NordPass have identified a total of 9,517 unsecured databases containing 10,463,315,645 entries with such data as emails, passwords, and phone numbers. The databases are found across 20 different countries, with China being at the top of the list — the country has nearly 4,000 exposed databases. This means that potentially more than 2.6 billion users could have had their accounts breached.”

InfoSecurity Magazine: Cosmetics Giant Avon Leaks 19 Million Records

InfoSecurity Magazine: Cosmetics Giant Avon Leaks 19 Million Records. “A misconfigured cloud server at global cosmetics brand Avon was recently discovered leaking 19 million records including personal information and technical logs. Researchers at SafetyDetectives led by Anurag Sen told Infosecurity that they found the Elasticsearch database on an Azure server publicly exposed with no password protection or encryption.”

The Register: Seven ‘no log’ VPN providers accused of leaking – yup, you guessed it – 1.2TB of user logs onto the internet

The Register: Seven ‘no log’ VPN providers accused of leaking – yup, you guessed it – 1.2TB of user logs onto the internet. “A string of ‘zero logging’ VPN providers have some explaining to do after more than a terabyte of user logs were found on their servers unprotected and facing the public internet. This data, we are told, included in at least some cases clear-text passwords, personal information, and lists of websites visited, all for anyone to stumble upon.”

European Gaming: Popular Gambling App Exposed Millions of Users in Massive Data Leak

European Gaming: Popular Gambling App Exposed Millions of Users in Massive Data Leak. “Led by Noam Rotem and Ran Locar, vpnMentor’s research team discovered a data breach on casino gambling app Clubillion. The breach originated in a technical database built on an Elasticsearch engine and was recording the daily activities of millions of Clubillion players around the world. Aside from leaking activity on the app, the breached database also exposed private user information.”

InfoSecurity: Global Dating App Users Exposed in Multiple Security Snafus

InfoSecurity: Global Dating App Users Exposed in Multiple Security Snafus. “Security researchers have discovered five dating apps in the US and East Asia which are leaking millions of customer records thanks to misconfigured cloud databases. A team from WizCase led by Avishai Efrat explained that the Elasticsearch servers, MongoDB databases and AWS buckets they found were left publicly accessible with no password.”

InfoSecurity: Online Learning Platform Exposes Data on One Million Students

InfoSecurity: Online Learning Platform Exposes Data on One Million Students. “Researchers from the firm claimed that the Elasticsearch database belonging to provider OneClass was left completely unsecured. The trove contained over 27GB of data, amounting to 8.9 million records, including many students’ full names, email addresses, schools/universities, phone numbers, account details and school enrollment details.”

Silicon Angle: Niche dating app user data found exposed on misconfigured cloud instance

Silicon Angle: Niche dating app user data found exposed on misconfigured cloud instance. “The records of hundreds of thousands of users of a range of niche data apps have been exposed online in the latest case of a misconfigured cloud instance. Discovered by security researchers Noam Rotem and Ran Locar at vpnMentor… the 845 gigabytes of data containing 2.5 million records related to dating apps, including 3somes, Cougary, Gay Daddy Bear, Xpal, BBW Dating, Casualx, SugarD and Herpes Dating.”