Cybersecurity Weekly: In-person password reset, Apple bug bounty, Wawa cyberattack

December 22, 2019 by Sam Fay

38,000 people were forced to pick up their email passwords in person following a security incident at a German university. Apple opened up its bug bounty program to all security researchers. A recent cyberattack stole payment data from over 700 Wawa stores. All this, and more, in this week’s edition of Cybersecurity Weekly.

1. 38,000 people forced to pick up email passwords in person

Following a security incident at the Justus Liebig University Giessen in Germany, 38,000 students and academics were forced to stand in line to pick up their new account passwords in person. Prospective students were affected as well, forcing them to apply in person or through traditional mail.

2. Amazon conference badges tracked attendees’ movements

After Amazon’s 2019 re:Invent conference in early December, Bluetooth beacons were found in attendee badges. Amazon said the beacon was anonymous and was used to understand foot traffic at events. Some attendees said they weren’t aware of the beacons and would have opted out if they had known about them ahead of time.

3. Apple opens up its bug bounty program to all security researchers

After announcing its bug bounty program at the Black Hat security conference back in August, Apple officially opened up the program to all security researchers. Apple has also raised its maximum bounty reward from $200,000 to $1.5 million and the company will accept vulnerability reports on several new platforms.

4. Hackers stole customers’ payment card details from over 700 Wawa stores

Wawa recently disclosed a data breach that exposed the credit card information of thousands of customers who used their cards at its stores since March 2019. By the time the Wawa security team discovered it on December 10, the malware had already infected in-store payment processing systems at “potentially all Wawa locations.”

5. Fake Star Wars streaming sites steal fans’ credit cards

Attackers are already exploiting the hype around the release of the new Star Wars: The Rise of Skywalker movie by luring potential victims into fake streaming sites and stealing their credit card information. Security researchers found over 30 fraudulent sites that supposedly distribute free copies of the new movie.

6. TP-Link router bug let attackers log in without passwords

TP-Link patched a critical vulnerability that could allow attackers to remotely take control of its Archer line of routers. To exploit the vulnerability, an attacker simply needs to send an HTTP request containing a character string longer than the allowed length, which results in the user password being completely voided.

7. Former IT employee jailed for taking down airline systems

A former employee of technology provider Blue Chip was sentenced to 10 months in prison for taking down the computers of British airline Jet2 for over 12 hours. He also hacked into the CEO’s email account multiple times to check for incriminating evidence and to see what was being discussed regarding the incident within the company.

8. LifeLabs paid hackers to recover stolen medical data of 15 million Canadians

Canadian lab testing company LifeLabs decided to pay off hackers to prevent them from leaking customers’ personal information, including lab test results. Names, physical addresses, login credentials, dates of birth and health card numbers were stolen in the attack. LifeLabs also claims to “have the breach under control” after paying to retrieve the data.

9. Honda exposed 26,000 records of North American customers

Honda exposed roughly 26,000 vehicle owner records containing personally identifiable information of North American customers after misconfiguring an Elasticsearch cluster in October 2019. Their security team in Japan quickly secured the server within a few hours of being notified by a security researcher.

10. Facebook faces another huge data leak affecting 267 million users

More than 267 million Facebook users’ IDs, phone numbers and names were exposed in an online database on December 19. Security researcher Bob Diachenko uncovered the open database and noted that the information that was lost “could potentially be used for spam and phishing campaigns.”
