The U.S. Postal Service just fixed a security weakness that allowed anyone who has an account at usps.com to view account details for some 60 million other users, and in some cases to modify account details on their behalf.
KrebsOnSecurity was contacted last week by a researcher who discovered the problem, but who asked to remain anonymous. The researcher said he informed the USPS about his finding more than a year ago yet never received a response. After confirming his findings, this author contacted the USPS, which promptly addressed the issue.
Amazon has suffered a major data breach that caused customer names and email addresses to be disclosed on its website, just two days ahead of Black Friday. The e-commerce giant said it has emailed affected customers but refused to give any more details on how many people were affected or where they are based.
The firm said the issue was not a breach of its website or any of its systems, but a technical issue that inadvertently posted customer names and email addresses to its website. In a short statement, Amazon said: “We have fixed the issue and informed customers who may have been impacted.”
Instagram informed some users last week that their passwords may have been exposed as a result of using the “Download Your Data” tool. The tool, which allows users to export their profile information, photos, videos, comments and other data associated with their account, prompts users to enter an email address to which a download link will be sent and their Instagram password.
The social networking service said it recently discovered that when customers used the download tool, their password may have been displayed in the URL in their web browser after the data was downloaded. The company also found that the passwords were stored on its systems as a result of the process. Instagram says it has made changes to the tool to prevent such data leaks.
A poorly secured database exposed at least 26 million text messages, password reset links and codes, two-factor verification codes, temporary passwords, shipping alerts, and other information belonging to customers of companies including Microsoft, Amazon, and Google.
The leaky database, owned by communications firm Vovox, was found on Shodan by Sébastien Kaul, a security researcher based in Berlin. Kaul discovered the database lacked password protection and left names, phone numbers, and text messages easily searchable. Vovox took down the database after it was contacted with an inquiry from TechCrunch.
Read more about how the exposed data put people at risk on DarkReading.
Personal details of nearly 700,000 American Express India (Amex India) customers were exposed online via an unsecured MongoDB server. The huge trove of data was discovered by Bob Diachenko from cybersecurity firm Hacken. Most of the records were encrypted, but 689,272 records were stored in plaintext. The expert located the database by using IoT search engines such as Shodan and BinaryEdge.io.
The 689,272 plaintext records included Amex India customers’ phone numbers, names, email addresses, and ‘type of card’ description fields. The archive also included 2,332,115 records containing encrypted data (i.e. names, addresses, Aadhaar numbers, PAN card numbers, and phone numbers).
A huge customer database containing 11 million records that include personal details has been discovered sitting online, unprotected. The data was available from a MongoDB instance set up on the hosting infrastructure of Grupo-SMS USA, LLC, and could be accessed by anyone able to find the path to it.
Independent security researcher Bob Diachenko found the information by scanning the internet using publicly available tools. His research revealed that the dataset had last been indexed by the Shodan search engine on September 13, but it is unclear how long it was open for access before that date.
Government Payment Service (GovPayNet) has been alerted to a leak of more than 14 million customer records dating back to 2012, KrebsOnSecurity reported this week.
GovPayNet is used by nearly 2,300 government agencies in 35 states to process online payments for traffic tickets, bail payments, court-imposed fines, and other fees. The service operates under the Web domain GovPayNow.com, which was found leaking customer data including names, addresses, phone numbers, and the last four digits of credit card numbers.
Read more about the GovPayNow data leak on DarkReading.
It’s become standard boilerplate every time there’s a major personal security breach: Equifax gets hacked; Essential phishes its own customers; whenever this happens, the companies say, “We offer troubled customers a year of LifeLock, an identity theft protection service, for free.”
But what if LifeLock itself isn’t that secure? Guess what, kids? LifeLock may not be that secure after all. Security expert Brian Krebs reported on the problem, saying: “Identity theft protection firm LifeLock — a company that’s built a name for itself based on the promise of helping consumers protect their identities online — may have actually exposed customers to additional attacks from ID thieves and phishers.”
Read about how a vulnerability on the LifeLock website reportedly “allowed anyone with a Web browser to index email addresses associated with millions of customer accounts,” on ZDNet.
RoboCent, a Virginia Beach-based political robocall firm, has exposed the personal details of hundreds of thousands of US voters, according to the findings of a security researcher who stumbled upon the company’s database online.
The researcher, Bob Diachenko of Kromtech Security, says he discovered the data using a recently launched online service called GrayhatWarfare that allows users to search publicly exposed Amazon Web Services data storage buckets. Such buckets should never be left exposed to public access, as they could hold sensitive data.
Read more about the RoboCent data leak affecting thousands of US voters on BleepingComputer.
A data breach at a federally funded active shooter training center has exposed the personal data of thousands of US law enforcement officials, ZDNet has learned.
The cache of data contained identifiable information on local and state police officers, and federal agents, who sought out or underwent active shooter response training in the past few years. The backend database powers the website of Advanced Law Enforcement Rapid Response Training — known as ALERRT — at Texas State University.
Read more about the leaked data that reveals many police departments are unable to respond in an active shooter situation on ZDNet.