Cybersecurity Weekly: Competing bug bounties, Disney+ password reuse attack

November 25, 2019 by Sam Fay

Google offers up to $1.5 million for Pixel Titan M exploits in 2020. A hacker offers $100,000 for corporate secrets. Disney+ suffers a password reuse attack less than a week after launch. All this, and more, in this week’s edition of Cybersecurity Weekly.

1. Google offering up to $1.5 million for Pixel Titan M exploits

According to Google, it paid out over $4 million for more than 1,800 reported vulnerabilities since the launch of its Android Security Rewards program in 2015. In the past year, payouts totaled over $1.5 million and the highest single reward paid out in 2019 was just over $161,000. Google plans to increase its investment into this program in 2020.
Read more »

2. Data-enriched profiles on 1.2 billion people exposed in gigantic leak

An open Elasticsearch server exposed the rich profiles of more than 1.2 billion people to the open internet. If accessed by cybercriminals, the data, which includes several accounts tied to each individual, could be used for highly effective, targeted phishing attacks, business email compromise and identity theft.
Read more »

3. DDoS-for-Hire boss gets 13 months jail time

A 21-year-old Illinois man was sentenced to 13 months in prison last week for running multiple DDoS-for-hire services that launched millions of attacks over several years. In just the first 13 months of the 27-month long conspiracy, users of the hacker’s tools ordered approximately 4 million DDoS attacks.
Read more »

4. Hacker offers $100,000 for leaks of corporate secrets

A phishing campaign is underway which states that your password will expire unless you login and confirm that you want to keep it the same. Once the victim clicks on the “Keep same password” link, they will be brought to a generic mail server login page. With these credentials, hackers can perform BEC scams or password reuse attacks.
Read more »

5. Android camera app bug lets apps record video without permission

A new vulnerability has been found in the camera apps for millions, if not hundreds of millions, of Android devices that could allow other apps to record video and take pictures without the required permissions.This vulnerability is known to affect the Google Camera and Samsung Camera apps if they have not been updated since July 2019.
Read more »

6. Ransomware bites 400 veterinary hospitals

A California veterinary company is still working to recover from a ransomware attack late last month that affected more than half of its 700 animal care facilities, separating many veterinary practices from their patient records, payment systems and practice management software. The company said it expects to be fully operational within the next week.
Read more »

7. Disney+ credentials land in dark web hours after service launch

Stolen user accounts for the new Disney+ streaming service appeared on Dark Web sites just hours after it went live on November 12. Researchers found credentials for sale in the underground for $3 to $11 per account as attackers took advantage of users who share their accounts. Some victims were locked out of their accounts entirely.
Read more »

8. Official Monero site hacked to distribute cryptocurrency-stealing malware

On November 18, an anonymous hacker quietly replaced legitimate Linux and Windows binaries available for download with malicious versions designed to steal funds from users’ wallets. This was revealed on Monday after a Monero user spotted that the cryptographic hash for binaries he downloaded from the official site didn’t match the hashes listed on it.
Read more »

9. T-Mobile discloses data breach affecting prepaid wireless customers

T-Mobile’s U.S. branch disclosed a security breach that, according to the company, impacted a small number of customers of its prepaid service. Exposed data included name, billing address, phone number and account number, but did not include any financial information, social security numbers or passwords.
Read more »

10. Magecart attack yields payment, personal info

Hackers accessed’s “Checkout” and “My Wallet” pages early last month and added malicious script to steal shoppers’ personal information, such as credit card data. The company discovered the hack on October 15 when it observed a suspicious connection between and a remote website, the company said in a data breach notification.
Read more »

Posted: November 25, 2019
Sam Fay
View Profile