Cybersecurity Weekly: In-person password reset, Apple bug bounty, Wawa cyberattack
38,000 people were forced to pick up their email passwords in person following a security incident at a German university. Apple opened up its bug bounty program to all security researchers. A recent cyberattack stole payment data from over 700 Wawa stores. All this, and more, in this week’s edition of Cybersecurity Weekly.
Phishing simulations & training
1. 38,000 people forced to pick up email passwords in person
Following a security incident at the Justus Liebig University Giessen in Germany, 38,000 students and academics were forced to stand in line to pick up their new account passwords in person. Prospective students were affected as well, forcing them to apply in person or through traditional mail.
Read more »
2. Amazon conference badges tracked attendees' movements
After Amazon’s 2019 re:Invent conference in early December, Bluetooth beacons were found in Attendee badges. Amazon said the beacon was anonymous and was used to understand foot traffic at events. Some attendees said they weren't aware of the beacons, and would have opted-out if they had known about them ahead of time.
Read more »
3. Apple opens up its bug bounty program to all security researchers
After announcing its bug bounty program at the Black Hat security conference back in August, Apple officially opened up the program to all security researchers. Apple has also raised its maximum bounty reward from $200,000 to $1.5 million and the company will accept vulnerability reports on several new platforms.
Read more »
4. Hackers stole customers' payment card details from over 700 Wawa stores
Wawa recently disclosed a data breach incident that exposed credit card information of thousands of customers who used their cards at its stores since March 2019. By the time it was discovered by the Wawa security team on December 10, the malware already infected in-store payment processing systems at “potentially all Wawa locations.”
Read more »
5. Fake Star Wars streaming sites steal fans’ credit cards
Attackers are already exploiting the hype around the release of the new Star Wars: The Rise of Skywalker movie by luring potential victims into fake streaming sites and stealing their credit card information. Security researchers found over 30 fraudulent sites that supposedly distribute free copies of the new movie.
Read more »
6. TP-Link router bug let attackers login without passwords
TP-Link patched a critical vulnerability that could allow attackers to remotely take control of their Archer line of routers. To exploit this vulnerability, the hacker simply needs to send an HTTP request containing a character string longer than the allowed length, which results in the user password being completely voided.
Read more »
7. Former IT employee jailed for taking down airline systems
A former employee of technology provider Blue Chip was sentenced to 10 months in prison for taking down the computers of British airline Jet2 for over 12 hours. He also hacked into the CEO’s email account multiple times to check for incriminating evidence and to see what was being discussed regarding the incident within the company.
Read more »
8. LifeLabs paid hackers to recover stolen medical data of 15 million Canadians
Canadian lab testing company LifeLabs decided to pay off hackers to prevent them from leaking customers' personal information, including lab test results. Names, physical addresses, login credentials, dates of birth and health card numbers were stolen in the attack. LifeLabs also claims to “have the breach under control” after paying to retrieve the data.
Read more »
9. Honda exposed 26,000 records of North American customers
Honda exposed roughly 26,000 vehicle owner records containing personally identifiable information of North American customers after misconfiguring an Elasticsearch cluster in October 2019. Their security team in Japan quickly secured the server within a few hours of being notified by a security researcher.
Read more »
See Infosec IQ in action
10. Facebook faces another huge data leak affecting 267 million users
More than 267 million Facebook users’ IDs, phone numbers and names were exposed to an online database on December 19. Security researcher Bob Diachenko uncovered the open database, and noted the information that was lost “could potentially be used for spam and phishing campaigns.”
Read more »
- Reduce security events
- Reinforce cyber secure behaviors
- Strengthen cybersecurity culture at your organization
In this Series
- Cybersecurity Weekly: In-person password reset, Apple bug bounty, Wawa cyberattack
- Canada Flipper Zero ban and new RustDoor macOS malware
- AnyDesk hack and iPhone patched kernel flaw
- Tesla Pwn2Own hacks and iOS push alerts abuse
- TeamViewer breach and Atlassian Jira outage
- Moscow ISP revenge hack and Microsoft Sharepoint bug warning
- X verified accounts hack and SpectralBlur macOS malware
- CISA default password alert and SOHO KV-botnet campaign
- New 5G modem flaws and Apple’s data breach report
- Staples cyberattack, Agent Racoon backdoor and other news
- British Library ransomware attack, Windows fingerprint authentication bypass
- Samsung UK data breach and ransomware actor’s SEC complaint
- ICBC ransomware attack and ChatGPT outage
- Boeing Lockbit ransomware attack, Apple’s vulnerability and WhatsApp mods spyware
- Octo Tempest hacking group and new iLeakage attack
- Okta support system breach and Google Ads fake KeePass campaign
- Skype DarkGate malware, Shadow PC breach and AvosLocker ransomware warning
- 23andMe data theft, MGM’s $100M ransomware loss and the Azure VM breach
- Malicious Bing Chat ads and FBI’s dual ransomware warning
- T-Mobile app glitch and fake Booking.com pages
- Airbus data leak, Cisco Webex ad malware and €345 million TikTok fine
- New Apple iMessage exploit and CISA’s Apache RocketMQ warning
- Forever 21 data breach and Android BadBazaar espionage
- Duolingo data leak and the Met Police IT hack
- Discord.io data breach and Ivanti Avalanche vulnerabilities
- UK Electoral Commission hack and Microsoft’s role in China email breach
- Salesforce email zero-day exploit and Microsoft Power Platform criticism
- Airlines disclose pilot data breach and the Microsoft Teams bug
- GravityRAT Android Trojan and new MOVEit Transfer flaw
- University of Manchester hack and Honda API flaws
- MOVEit zero-day exploit and the U.S. iPhone hack accusation
- Daam Android virus and Barracuda zero-day flaw
- TP-Link router exploit and 18-year-old charged with hacking DraftKings accounts
- Discord support hack and Toyota location data leak
- Twitter private tweets bug and Cisco phone router vulnerabilities
- Cisco XSS zero-day flaw and PaperCut vulnerabilities
- 3CX hackers hit critical infrastructure and secondhand routers cause security concerns
- Hyundai data breach and Microsoft’s warning to accountants
- Western Digital cloud breach and the MSI ransomware hack
- TMX loan data breach, Italy bans ChatGPT and WordPress Elementor Pro exploit
- ChatGPT data leak and Gmail message theft by North Korean hackers
- U.S. federal agency hack and the return of FakeCalls Android malware
- Massive AT&T data breach and fake jobs targeting security researchers
- U.S. Marshals service breach and TPM 2.0 security flaws
- Dangerous ChatGPT apps and food giant Dole ransomware attack
- GoDaddy malware installations, record-breaking DDoS attack and the new WhiskerSpy malware
- Reddit’s employees phished, healthcare firms targeted and the new Screenshotter malware
- JD Sports data breached, VMware ESXi servers attacked and the HeadCrab malware
- Yandex source code leaked, 4500+ WordPress sites hacked and the new SwiftSlicer malware
- PayPal accounts breached, Fortinet VPN flaw exploited, and the new Hook malware
- Twitter users’ emails leaked, ChatGPT used to write malware and Slack’s repository breach
We’ll customize our demo to your
- Security awareness goals
- Existing security and employee training tools
- Industry and compliance requirements
