KXAN: Almost 2 million Texans affected by Texas Department of Insurance data breach. “The department said the personal information of 1.8 million workers who have filed compensation claims — including Social Security numbers, addresses, dates of birth, phone numbers and information about workers’ injuries — was accessible online to members of the public from March 2019 to January 2022.”
Associated Press: Ransomware gang threatens to overthrow Costa Rica government. “A ransomware gang that infiltrated some Costa Rican government computer systems has upped its threat, saying its goal is now to overthrow the government.”
Bleeping Computer: Microsoft May 2022 Patch Tuesday fixes 3 zero-days, 75 flaws. “Today is Microsoft’s May 2022 Patch Tuesday, and with it comes fixes for three zero-day vulnerabilities, with one actively exploited, and a total of 75 flaws. Of the 75 vulnerabilities fixed in today’s update, eight are classified as ‘Critical’ as they allow remote code execution or elevation of privileges.”
The Verge: Google Assistant’s automatic password updater gets wider rollout. “A Google Assistant feature designed to automate the time-consuming process of changing your passwords after a breach appears to be getting a wider rollout. That’s according to a tweet from leaker Max Weinbach and a report from Android Police.”
WIRED: What to Do If You Can’t Log In to Your Google Account. “The web is filled with advice and shortcuts on what to do in this situation, from tapping your password manager to turning off two-factor authentication (not recommended!). Rather than use Google’s most popular tool, Search, for the answer, we decided to ask the company directly what happens when users can’t get in and what steps they should take to recover their account. Guemmy Kim, director of account safety and security at Google, guided us through our questions.”
Engadget: Grindr location data was reportedly for sale for at least three years (updated). “Grindr’s past willingness to share sensitive data may have been more problematic than previously thought. The Wall Street Journal understands precise Grindr user location data was collected from the online ad network MoPub (once owned by Twitter) and put on sale through its partner company UberMedia (now UM) since ‘at least’ 2017.”
Ars Technica: Apple, Google, and Microsoft want to kill the password with “Passkey” standard. “The standard is being called either a ‘multi-device FIDO credential’ or just a ‘passkey.’ Instead of a long string of characters, this new scheme would have the app or website you’re logging in to push a request to your phone for authentication. From there, you’d need to unlock the phone, authenticate with some kind of pin or biometric, and then you’re on your way.”
TechCrunch: Meta faces years of tougher antitrust oversight in Germany. “Facebook’s rebranded parent, Meta, has become the next tech giant to be confirmed as subject to a special competition abuse control regime in Germany, following a 2021 update to its digital competition rules that are focused on large digital companies which are considered to be of ‘paramount significance for competition across markets’, as the law puts it. The designation, which stands for five years, empowers the regulator, the Federal Cartel Office (FCO), to take faster action to respond to competition concerns linked to Meta’s operations by imposing operational conditions intended to correct antitrust abuses.”
Engadget: Bored Ape Yacht Club’s Instagram compromised in $2.4 million NFT phishing scam. “Bored Ape Yacht Club creator Yuga Labs is investigating a phishing attack after a hacker stole nearly $2.5 million worth of NFTs through the official Bored Ape Instagram account. The company disclosed the hack on Monday morning in a tweet warning followers not to click on links or mint new tokens.”
SecurityWeek: GitHub Announces Mandatory 2FA for Code Contributors. “Code hosting platform GitHub on Wednesday said it would make it mandatory for software developers to use at least one form of two-factor authentication (2FA) by the end of 2023.”
Bleeping Computer: Open source ‘Package Analysis’ tool finds malicious npm, PyPI packages. “The Open Source Security Foundation (OpenSSF), a Linux Foundation-backed initiative has released its first prototype version of the ‘Package Analysis’ tool that aims to catch and counter malicious attacks on open source registries. In a pilot run that lasted less than a month, the open source project released on GitHub, was able to identify over 200 malicious npm and PyPI packages.”
WIRED: You Need to Update iOS, Android, and Chrome Right Now. “APRIL HAS BEEN a big month for security updates, including emergency patches for Apple’s iOS and Google Chrome to fix vulnerabilities already being used by attackers. Microsoft has released important fixes as part of its mid-April Patch Tuesday, while Android users across multiple devices need to make sure they are applying the latest update when it becomes available. Here are all the April updates you need to know about.”
Keene Sentinel: Social media posts on NH landfill legislation spark concern. “A social media post late last month depicting blood dripping from the scorecard of a state Senate vote is among communications that led some lawmakers to notify the legislative security detail, Sen. Jeb Bradley said Monday.”
1 News New Zealand: Spate of ram-raids driven by social media – police. A “ram-raid” is when a vehicle is crashed into a target location with the intention of robbery. “Police say social media is a key driving force behind the spike in ram raids across the country. Detective Inspector Karen Bright told reporters on Wednesday that offenders as young as 11 years old were posting their exploits online.”
Bleeping Computer: Redis, MongoDB, and Elastic: 2022’s top exposed databases. “Security researchers have noticed an increase in the number of databases publicly exposed to the Internet, with 308,000 identified in 2021. The growth continued quarter over quarter, peaking in the first months of this year. In the first quarter of 2022, the amount of exposed databases peaked to 91,200 instances, researchers at threat intelligence and research company Group-IB say in a report shared with BleepingComputer.”
The ResearchBuzz Firehose is regular RB content presented as individual posts.
For digest-type posts a couple of times a day, please visit ResearchBuzz.
Want to know how to best use the Firehose for content discovery?
Check out this handy article.