CyberSecurity news

FlagThis - #privacy

@siliconangle.com - 60d
References: electrek.co , malware.news , ciso2ciso.com ...
A significant data leak exposed the location data of approximately 800,000 Volkswagen Group electric vehicles, including VW, Audi, Seat and Skoda models. The data sat in a misconfigured cloud environment run by Volkswagen's software subsidiary Cariad, which stores it on Amazon Web Services, and was reachable for months before the problem was reported. The leaked data included precise GPS coordinates, available for about 460,000 of the vehicles and in some cases accurate to within ten centimeters, along with other sensitive information. The issue came to light after a whistleblower alerted the German newspaper Der Spiegel and the Chaos Computer Club, whose security researchers helped confirm the leak.

The exposed data allows vehicles to be tracked and, in some cases, linked to their owners' names and contact details. This raises serious privacy concerns: in some instances it was possible to reconstruct the travel patterns of individuals, including two German politicians. The incident underscores the need for robust cloud security practices at automotive manufacturers and their software subsidiaries. Volkswagen has said that accessing the data required bypassing several security mechanisms, but the episode still shows the severe consequences of mishandling sensitive customer information.
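As an added illustration (not code from Cariad, Volkswagen or any of the sources listed below), the check that follows reviews an S3-style bucket policy and its Public Access Block settings for the kind of anonymous read grant that turns a storage misconfiguration into a public leak. The page does not say which AWS service or setting was at fault, so the object-storage setting is an assumption; the bucket name, account ID, role name and both policies are constructed sample values.

```python
"""Lint an S3 bucket policy and Public Access Block settings for anonymous reads.

Added example, not Cariad's or AWS's code. The sample policies below are
constructed; bucket, account and role names are placeholders.
"""
import json

# Actions that let the caller read or enumerate bucket contents.
READ_ACTIONS = {"s3:getobject", "s3:getobjectversion", "s3:listbucket", "s3:*", "*"}

# The four bucket/account-level settings that should all be True.
PAB_SETTINGS = ("BlockPublicAcls", "IgnorePublicAcls",
                "BlockPublicPolicy", "RestrictPublicBuckets")


def _as_list(value):
    """IAM policy elements may be a scalar or a list; normalize to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def principal_is_anonymous(principal):
    """True when the Principal element means 'anyone': "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(who == "*" for who in _as_list(principal.get("AWS")))
    return False


def public_read_statements(policy_json):
    """Return Sids of Allow statements that grant anonymous read access.

    A statement is reported when its Effect is Allow, its Principal is
    anonymous and its Action includes a read/list action. Statements that
    carry a Condition are reported with a "(conditional)" suffix: a
    condition such as aws:SourceVpce may genuinely narrow the grant, but
    one such as aws:SecureTransport does not, so a human still has to look.
    """
    policy = json.loads(policy_json)
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements with Principal "*" are fine (and common)
        if not principal_is_anonymous(stmt.get("Principal")):
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if not actions & READ_ACTIONS:
            continue
        sid = stmt.get("Sid", f"statement[{idx}]")
        findings.append(sid + " (conditional)" if stmt.get("Condition") else sid)
    return findings


def public_access_block_gaps(config):
    """Return the Public Access Block settings that are missing or False."""
    return [name for name in PAB_SETTINGS if not config.get(name, False)]


# Constructed sample 1: a policy that exposes every object to the internet.
PUBLIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-vehicle-telemetry",
                     "arn:aws:s3:::example-vehicle-telemetry/*"],
    }],
})

# Constructed sample 2: reads limited to one IAM role, plus the usual
# "deny plaintext HTTP" statement, which uses Principal "*" but is a Deny.
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "IngestRoleRead",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:role/example-ingest"},
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-vehicle-telemetry/*",
        },
        {
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::example-vehicle-telemetry/*",
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
    ],
})

if __name__ == "__main__":
    print("public policy:", public_read_statements(PUBLIC_POLICY))  # ['PublicRead']
    print("scoped policy:", public_read_statements(SCOPED_POLICY))  # []
    print("PAB gaps     :", public_access_block_gaps({"BlockPublicAcls": True}))
```

The linter deliberately treats a Deny with Principal "*" as harmless and only flags Allow grants; the Public Access Block check is the cheaper control, since with all four settings enabled a public policy cannot be attached to the bucket in the first place.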

Recommended read:
References :
  • electrek.co: Massive data leak at Volkswagen exposes locations of 800,000 EV drivers, for months
  • malware.news: Almost 800K electric cars' data exposed by Cariad
  • Techzine Global: Volkswagen data breach highlights major privacy risks
  • ciso2ciso.com: Exposed Cloud Server Tracks 800,000 Volkswagen, Audi, and Skoda EVs (source: hackread.com)
  • The Verge: The Verge report on Volkswagen leak exposing location data for 800,000 electric cars.
  • Latest from TechRadar: TechRadar article about over 800,000 electric car owners and drivers having private info exposed online.
  • Cybernews: 800,000 Volkswagen owners' data was left unprotected and exposed.
  • arstechnica.com: Whistleblower finds unencrypted location data for 800,000 VW EVs
  • techcrunch.com: TechCrunch reports on a Volkswagen leak that exposed precise location data.
  • www.engadget.com: Engadget reports huge Volkswagen data leak exposed the locations of 460,000 EV drivers.
  • www.scworld.com: Almost 800K electric cars' data exposed by Cariad
  • pxlnv.com: Volkswagen Subsidiary Left Vehicle Location Data Unprotected in Amazon Storage
  • siliconangle.com: Location data from 800,000 Volkswagen vehicles exposed by cloud misconfiguration
  • www.carscoops.com: VW Group had sensitive info, including GPS coordinates, of 800K+ electric vehicles exposed on an unprotected AWS database for months before it was alerted
  • toot.majorshouse.com: Why do they need the location data in the first place? Why does any company need this data? Volkswagen leak exposed location data for 800,000 electric cars
  • Dataconomy: A data leak exposed the location data of approximately 800,000 Volkswagen (VW) electric vehicles (EVs) for several months, impacting vehicles from VW, Audi, Seat, and Skoda, as reported by Der Spiegel.
  • Mashable: Volkswagen leak exposed location of 800,000 electric car drivers for months
  • Miguel Afonso Caetano: Connected cars are great—at least until some company leaves unencrypted location data on the Internet for anyone to find.
  • TechSpot: Volkswagen leak exposes private information of 800,000 EV owners, including location data
  • discuss.techlore.tech: Volkswagen leak exposed location data for 800,000 electric cars
  • jbz: Cariad has since patched the vulnerability, which had revealed data about the usage of Skodas, Audis, and Seats, as well as what Motor1 calls "incredibly detailed data" for VW ID.3 and ID.4 owners. The data set also included pinpoint location data for 460,000 of the vehicles, which Der Spiegel said could be used to paint a picture of their owners' lives and daily activities
  • DMR News: Volkswagen Data Leak Exposed Location Data for 800,000 Electric Cars
  • osint10x.com: Exposed Cloud Server Tracks 800,000 Volkswagen, Audi, and Skoda EVs
  • Alex Jimenez: Volkswagen leak exposed location data for 800,000 electric cars The leak also included the emails, addresses, and phone numbers of drivers in some cases, Der Spiegel reports.

Bruce Schneier@Schneier on Security - 19d
References: Casey Newton , jonnyevans , Deeplinks ...
The UK government has reportedly ordered Apple to create a backdoor for accessing end-to-end encrypted data in iCloud. This demand, made under the Investigatory Powers Act, seeks blanket access to all encrypted content, not just specific accounts. The law, known as the "Snoopers' Charter," prohibits Apple from even revealing the demand.

The Washington Post reported that the UK government served Apple with a “technical capability notice” requiring it to break the Advanced Data Protection encryption in iCloud for the benefit of law enforcement. The order has alarmed privacy advocates and security experts, many of whom describe it as an emergency. They warn that complying would erode user trust and expose sensitive data to misuse: a backdoor built for one government is a weakness available to anyone who finds it, putting every user at greater risk of hacking, identity theft and fraud. Apple is reported to be likely to withdraw the feature for UK users rather than weaken it for everyone worldwide.

Recommended read:
References :
  • Casey Newton: Reports on Apple's potential response to the UK's demand to access encrypted iCloud data.
  • jonnyevans: UK orders Apple to let it access everyone’s encrypted data
  • Tao of Mac: UK Government Orders Apple to Create Global iCloud Encryption Backdoor
  • Deeplinks: The Electronic Frontier Foundation (EFF) strongly opposes the UK's demand, emphasizing that weakening encryption undermines privacy and security.
  • Schneier on Security: The Washington Post is reporting that the UK government has served Apple with a “technical capability notice” as defined by the 2016 Investigatory Powers Act, requiring it to break the Advanced Data Protection encryption in iCloud for the benefit of law enforcement. This is a big deal, and something we in the security community have worried was coming for a while now. The law, known by critics as the Snoopers’ Charter, makes it a criminal offense to reveal that the government has even made such a demand.
  • www.macrumors.com: UK Government Orders Apple to Create Global iCloud Encryption Backdoor
  • gbhackers.com: UK Pressures Apple to Create Global Backdoor To Spy on Encrypted iCloud Access
  • techcrunch.com: UK government demands Apple backdoor to encrypted cloud data report
  • CyberInsider: U.K. Secretly Ordered Apple to Create Encryption Backdoor
  • Carly Page: Government officials in the UK have reportedly ordered Apple to build a backdoor that would give its authorities access to users’ encrypted iCloud data. Apple will likely stop offering its encrypted cloud storage offering, Advanced Data Protection, to users in the country
  • tomas-svojanovsky.medium.com: The UK’s Secret Demand for an Apple Backdoor: What It Means for Your Privacy and Apple’s Encryption Battle
  • 9to5Mac: It’s being reported that the British government secretly ordered Apple to create a backdoor into all content uploaded by users anywhere in the world.
  • The Register - Security: UK Home Office silent on alleged Apple backdoor order
  • Matthew Green: Let’s be clear about what this article is saying. The U.K. has a law that allows it to issue “technical capability notices” to companies. These notices require the company to effectively disable, or secretly backdoor, their encryption mechanisms.
  • Matthew Green: The U.K. may be preparing to issue Apple an order that forces them to (secretly) disable encryption.
  • 9to5mac.com: 9to5Mac reports on the UK government's secret order for Apple to create a worldwide iCloud backdoor.
  • Six Colors: This article discusses the implications of the UK government's order for Apple to implement a backdoor for end-to-end encryption.
  • The Internet Review: This article discusses the UK government's mandate for Apple to create a global iCloud encryption backdoor.
  • Open Rights Group: UK government seeks to break encryption in secret, with minimal accountability and potentially global impacts. They're failing in their primary duty to protect British citizens in a world where cybersecurity threats are increasing. Privacy = security. We must protect encryption!
  • Anonymous: It will affect users around the world: The UK's demands for Apple to break encryption is an emergency for us all. Weakening encryption violates human rights!
  • arstechnica.com: The UK demands Apple break encryption to allow gov’t spying worldwide, reports say Apple last year opposed UK's secret notices demanding encryption backdoors.
  • CCC: It will affect users around the world: The UK's demands for Apple to break encryption is an emergency for us all. Weakening encryption violates human rights!
  • Metacurity: UK government demands Apple create an encrypted cloud backdoor
  • www.computerworld.com: UK orders Apple to let it access everyone’s encrypted data
  • Anonymous: Government officials in the UK have reportedly ordered Apple to build a backdoor that would give its authorities access to users’ encrypted iCloud data.
  • www.bbc.co.uk: The UK government seeks to break encryption in secret, with minimal accountability and potentially global impacts. They're failing in their primary duty to protect British citizens in a world where cybersecurity threats are increasing. Privacy = security. We must protect encryption!
  • Mark Nottingham: What can Apple do in the face of a UK order to weaken encryption worldwide? Decentralise iCloud, to start.
  • @PrivacyMatters: Mastodon post on the UK demanding Apple to create a backdoor to access all iCloud content.
  • securityaffairs.com: UK Gov demands backdoor to access Apple iCloud backups worldwide
  • techcrunch.com: The UK government's secret demands for backdoor access to encrypted iCloud accounts is a "global emergency", critics have warned
  • The Tuta Blog: Tuta.com: Apple to backdoor encryption? Round 2
  • www.cybersecurity-insiders.com: UK Home Office Seeks Access to Apple iCloud Accounts
  • SecureWorld News: A secret order issued by the United Kingdom's government is sparking global alarm among privacy advocates and cybersecurity experts.
  • Carly Page: The UK government's secret demands for backdoor access to encrypted iCloud accounts is a "global emergency", critics have warned
  • www.cybersecurity-insiders.com: CyberSecurity Insiders article about details on Home Office Apple iCloud access
  • securityboulevard.com: UK Is Ordering Apple to Break Its Own Encryption
  • securityboulevard.com: The United Kingdom has made a bold demand to Apple, purporting to require the company to create a backdoor to access encrypted cloud backups of all users worldwide.
  • blog.cryptographyengineering.com: U.K. asks to backdoor iCloud Backup encryption
  • www.helpnetsecurity.com: The UK’s secret iCloud backdoor request: A dangerous step toward Orwellian mass surveillance
  • www.scworld.com: Reported UK-ordered iCloud encryption backdoor slammed
  • Freedom of the Press: U.K. officials issued a secret order to Apple to create a backdoor for “blanket” access to encrypted data on its iCloud service for users worldwide.

@tomshardware.com - 77d
Microsoft’s Recall feature for Copilot+ PCs, which continuously takes snapshots of the user’s screen and indexes them so that past activity can be searched, has been found to store screenshots containing sensitive data such as credit card and Social Security numbers even when its ‘sensitive information’ filter is enabled. Microsoft says the snapshots are stored and analyzed locally on the device rather than sent to its servers, but the filter’s failure to catch plainly formatted card numbers has raised serious privacy and security concerns and has prompted enquiries from the UK Information Commissioner’s Office. The incident highlights the risks of AI-powered screen-recording features and the importance of user privacy.
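As an added example (not Microsoft’s filter, whose implementation the page does not describe), the scanner below shows the checks a ‘sensitive information’ filter has to get right on OCR-style screen text: card numbers with spaces or hyphens between digit groups, validated with the Luhn checksum so that order numbers are not over-redacted, and SSNs checked against the structural rules the SSA applies (area 000, 666 or 9xx, group 00 and serial 0000 are never issued). The screenshot text is constructed; the card numbers are the standard published test values and the SSN is a well-known sample number.

```python
"""Find and redact card numbers (PANs) and US SSNs in OCR-style text.

Added example, not Microsoft's Recall filter. SAMPLE_OCR is constructed;
the card numbers are published test values and the SSN is a well-known
sample number.
"""
import re

# 13 to 19 digits, optionally separated by single spaces or hyphens, and
# not glued to other digits on either side.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# AAA-GG-SSSS with the structural rules the SSA applies: area not 000, 666
# or 900-999; group not 00; serial not 0000.
SSN_RE = re.compile(
    r"(?<!\d)(?!000|666|9\d\d)\d{3}[- ]?(?!00)\d{2}[- ]?(?!0000)\d{4}(?!\d)"
)


def luhn_ok(digits):
    """Luhn mod-10 check; every real PAN passes, most random digit runs fail."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan(text):
    """Return (offset, kind, matched_text) for each validated PAN or SSN."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append((m.start(), "PAN", m.group()))
    for m in SSN_RE.finditer(text):
        hits.append((m.start(), "SSN", m.group()))
    return sorted(hits)


def redact(text):
    """Replace each hit with a placeholder, working from the end so offsets hold."""
    out = text
    for start, kind, matched in sorted(scan(text), reverse=True):
        out = out[:start] + f"[REDACTED {kind}]" + out[start + len(matched):]
    return out


# Constructed OCR output of a checkout page, as a screenshot filter would see it.
SAMPLE_OCR = """\
Checkout - Example Store
Card number: 4111 1111 1111 1111   Exp 09/27
Order #1234 5678 9012 3456 confirmed
Applicant SSN: 078-05-1120
Reference 000-12-3456 (area 000 is never issued, so not an SSN)
Backup card 5500-0000-0000-0004
"""

if __name__ == "__main__":
    for offset, kind, matched in scan(SAMPLE_OCR):
        print(f"{kind} at {offset}: {matched}")
    print(redact(SAMPLE_OCR))
```

On the sample, both separator styles of card number are caught while the 16-digit order number, which fails Luhn, and the 000-prefixed reference number are left alone. A filter that only looks for unbroken digit runs, or that skips the checksum, gets one or the other of these wrong, which is the kind of gap the reports describe.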

Recommended read:
References :
  • Techmeme: Microsoft's new version of Recall appears to still capture sensitive data like credit card numbers, even with the "sensitive information" filter enabled (Avram Piltch/Tom's Hardware)
  • hachyderm.io: Microsoft Recall screenshots credit cards and Social Security numbers, even with the "sensitive information" filter enabled. Despite promising to filter personal data out, it still captures it.
  • www.tomshardware.com: Microsoft Recall screenshots credit cards and Social Security numbers, even with the "sensitive information" filter enabled
  • Metacurity: Microsoft Recall screenshots credit cards and Social Security numbers, even with the "sensitive information" filter enabled
  • PrivacyDigest: Microsoft Recall screenshots credit cards and Social Security numbers, even with the "sensitive information" filter enabled | Tom's Hardware. Despite promising to filter personal data out, Recall still captures it.
  • TechSpot: Microsoft Recall is capturing screenshots of sensitive information like credit card and social security numbers
  • Techzine Global: Microsoft Recall is still a privacy nightmare
  • Pivot to AI: «When Piltch asked Microsoft about the issues [of sending over sensitive information like credit card numbers] , it referred him to a blog post saying AI makes mistakes» Ah yes, it's perfectly normal (and on-brand) for MS to push the recall bs despite all of this. 🤦‍♂️
  • bsky.app: Attackers can abuse the Windows UI Automation framework to steal data from apps
  • David Gerard: Windows AI Copilot+ Recall stores screenshots of sensitive data, regardless of ‘sensitive information’ filter
  • Amy Castor: Windows AI Copilot+ Recall stores screenshots of sensitive data, regardless of ‘sensitive information’ filter
  • securityonline.info: Abusing Microsoft’s UI Automation Framework: The New Evasion Technique Bypassing EDR
  • www.csoonline.com: Attackers can abuse the Windows UI Automation framework to steal data from apps
  • www.computerworld.com: Hands on with Microsoft’s Windows Recall: Not impressive yet

Sergiu Gatlan@BleepingComputer - 72d
References: CyberInsider , CyberScoop , techcrunch.com ...
The FTC has taken action against the data brokers Gravy Analytics (with its subsidiary Venntel) and Mobilewalla for unlawfully collecting and selling sensitive information about Americans, including precise geolocation data tied to sensitive locations such as places of worship, abortion clinics and political events. The proposed orders bar the companies from selling sensitive location data and require them to limit what they collect from such sites. The cases underline growing concern over data-broker practices and the need for stricter rules on how location data is handled.

Recommended read:
References :
  • CyberInsider: US Data Brokers Face FTC’s Wrath Over Tracking Consumers Online
  • CyberScoop: FTC goes after three data brokers with enforcement actions
  • www.bleepingcomputer.com: FTC bans data brokers from selling Americans’ sensitive location data
  • techcrunch.com: TechCrunch article on the same topic.
  • www.pcmag.com: PCMag article covering the FTC's ban.
  • 404 Media: FTC Bans Location Data Company That Powers the Surveillance Ecosystem
  • The Verge: Precise location data from advertising IDs and mobile apps can be used for surveillance that, according to the FTC, puts millions of Americans at risk.
  • Hacker News: FTC takes action against Gravy Analytics, Venntel for selling location data
  • The Verge: Two data brokers banned from selling ‘sensitive’ location data by the FTC
  • Zack Whittaker: FTC has banned two data brokers, Gravy Analytics (Venntel) and Mobilewalla from collecting and selling Americans' sensitive location histories
  • Links: FTC takes action against data brokers for unlawfully collecting and selling user location data.
  • malware.news: FTC bans data brokers from selling sensitive information of Americans
  • www.pandasecurity.com: FTC bans data brokers from selling sensitive information of Americans

@pcmag.com - 2d
Employee screening firm DISA Global Solutions has confirmed a significant data breach affecting over 3.3 million individuals. The breach, which occurred between February 9, 2024, and April 22, 2024, involved unauthorized access to the company's systems. DISA provides employment screening solutions like drug and alcohol testing and background checks for over 55,000 organizations. The company discovered the breach on April 22, 2024, and initiated an investigation with the help of third-party forensic experts.

DISA's investigation revealed that hackers accessed sensitive personal and financial data. Potentially compromised information includes names, Social Security numbers, driver's license numbers, financial account information, and other government-issued ID numbers. DISA is notifying affected individuals directly and offering 12 months of credit monitoring and identity restoration services through Experian. The company urges individuals to remain vigilant against phishing attacks, monitor their accounts regularly, and report any suspicious activity to authorities.

Recommended read:
References :
  • DataBreaches.Net: On February 3, DataBreaches quoted a press release by BakerHostetler about a breach update from DISA Global Solutions that DISA had issued on January 23, 2025.
  • Carly Page: Employee screening giant DISA Global Solutions has confirmed a data breach affecting 3.3 million people
  • www.pcmag.com: Reporting on the data breach at DISA Global Solutions.
  • PCMag UK security: Hack at Employee Screening Firm DISA Exposes Personal Data of 3.3M People
  • CyberInsider: Data Breach at DISA Global Solutions Exposes 3.3M Americans
  • Help Net Security: Background check, drug testing provider DISA suffers data breach
  • Dataconomy: DISA Global Solutions, a leading provider of employment screening solutions, acknowledged a breach affecting more than 3.3 million people. The incident involved unauthorized access to sensitive personal and financial data, potentially affecting a large portion of the U.S. population.
  • The Register - Security: Drug-screening biz DISA took a year to disclose security breach affecting millions
  • gbhackers.com: US Employee Background Check Firm Hacked, 3 Million Records Exposed
  • Talkback Resources: US Background Check Firm Data Breach Exposes 3.3M Records [app] [net]
  • Talkback Resources: DISA Global Solutions experienced a data breach affecting over 3.3 million individuals, including 15,000 Maine residents, involving unauthorized access to personal data collected for employment screening purposes, prompting the company to offer credit monitoring and identity restoration services and enhance cybersecurity measures
  • securityaffairs.com: DISA Global Solutions, a Texas-based company that provides employment screening services (including drug and alcohol testing and background checks) for over 55,000 organizations, has suffered a cyber incident that led to a data breach, which resulted in the potential compromise of personal and financial information of over 3.3 million individuals.
  • Talkback Resources: Background check provider data breach affects 3 million people who may not have heard of the company [net]

JournalBot@Ars OpenForum - 40d
General Motors and its subsidiary OnStar are banned from sharing consumers’ geolocation and driver behavior data with consumer reporting agencies for the next five years, under a proposed order following an investigation by the Federal Trade Commission (FTC). The FTC found that GM collected data through its OnStar Smart Driver program, which recorded driving habits and location, sometimes as often as every three seconds, and sold it to third parties including the consumer reporting agencies Verisk and LexisNexis without adequate consent from customers. Those companies in turn supplied the driver data to insurers, who used it to raise premiums for drivers deemed ‘high risk’.

The investigation revealed that many consumers were unaware that their data was being shared and sold, with some expressing concern that it directly impacted their insurance costs. GM has acknowledged these privacy concerns and has discontinued the Smart Driver program, as well as terminated its third-party telematics relationships with LexisNexis and Verisk. As part of the settlement with the FTC, GM must now take steps to improve transparency for its customers regarding data collection practices.

Recommended read:
References :
  • Ars OpenForum: GM sold geolocation and other driving data without adequate consent, FTC says.
  • The Register - Security: We'll defo ask for permission next time, automaker tells FTC. General Motors on Thursday said that it has reached a settlement with the FTC "to address privacy concerns about our now-discontinued Smart Driver program."
  • www.ftc.gov: GM monitored and sold people’s precise geolocation data and driver behavior information, sometimes as often as every three seconds.
  • Quartz: GM can't sell your location data for the next 5 years
  • 9to5mac.com: The Federal Trade Commission (FTC) has taken action against General Motors and OnStar for selling location and driving behavior data from millions of GM car owners without proper consent, requiring both companies to halt such practices for five years.
  • arstechnica.com: GM faces ban on selling driver data that can be used to raise insurance rates
  • discuss.privacyguides.net: FTC proposes banning General Motors from disclosing geolocation and driving behavior data
  • www.bleepingcomputer.com: The Federal Trade Commission (FTC) has announced action against General Motors (GM) and its subsidiary, OnStar, for unlawful collection and sale of drivers' precise geolocation and driving behavior data without first obtaining their consent.
  • The Verge: General Motors and its subsidiary OnStar are banned from selling customer geolocation and driving behavior data for five years.
  • BleepingComputer: FTC orders GM to stop collecting and selling driver’s data
  • BleepingComputer: The FTC has accused General Motors (GM) of collecting and selling drivers' precise geolocation and driving behavior data without their consent.
  • 9to5Mac: FTC bans General Motors from selling driving data without permission, adding to case for CarPlay 2

Bill Toulas@BleepingComputer - 71d
References: SiliconANGLE , TechCrunch , jbz ...
Meta has been fined €251 million (approximately $263 million) by the Irish Data Protection Commission (DPC) for violations of the General Data Protection Regulation (GDPR). The fine is a result of a 2018 data breach that compromised the personal information of 29 million Facebook accounts globally, around 3 million of those being EU based users. The breach occurred due to a vulnerability in Facebook's "View As" feature which allowed hackers to gain access to user accounts. This vulnerability was present since July 2017 and was exploited in September 2018, with malicious actors using scripts to steal access tokens to users’ accounts. The hackers were able to obtain sensitive information such as names, dates of birth, and other personal data.

The DPC imposed the fine due to Meta's failure to adequately protect user data as required by GDPR and its failure to fully disclose the breach details. The fine includes penalties for not implementing sufficient data protection principles in its systems and for storing more user data than necessary. Additionally, the regulator determined that Meta failed to document the breach and its remediation efforts, and that the notifications sent to the regulatory body were insufficient. This penalty highlights the importance of adhering to data protection laws and ensuring user data is secure.

Recommended read:
References :
  • SiliconANGLE: Ireland’s privacy regulator fines Meta €251M over 2018 cyberattack
  • TechCrunch: Meta fined $263M over 2018 security breach that affected ~3M EU users
  • www.bleepingcomputer.com: The Irish Data Protection Commission (DPC) fined Meta €251 million ($263.6M) over General Data Protection Regulation (GDPR) violations arising from a 2018 personal data breach impacting 29 million Facebook accounts.
  • jbz: Meta fined $263M over 2018 security breach that affected ~3M EU users | TechCrunch
  • Calishat: An Irish regulator helping police European Union data privacy on Tuesday said it had fined Facebook-owner Meta 251 million euros ($263 million) for a data protection failure that saw users' accounts hacked.
  • The Hacker News: Meta Fined €251 Million for 2018 Data Breach Impacting 29 Million Accounts

Zack Whittaker@techcrunch.com - 76d
UnitedHealthcare's Optum recently experienced a security lapse, exposing an internal AI chatbot to the public internet. This chatbot, designed for employees to ask questions about claims and related procedures, was accessible without a password. A security researcher discovered the vulnerability, and TechCrunch was able to verify it before Optum took the chatbot offline. While it's not believed that the chatbot contained sensitive patient data, its exposure raises concerns about the security practices surrounding internal AI tools, particularly as UnitedHealth faces scrutiny over its broader use of AI.

The chatbot, described by an Optum spokesperson as a "demo tool" built as a proof of concept, kept a history of employee queries, including "What should be the determination of the claim" and "How do I check policy renewal date." When asked, the bot also produced a seven-paragraph rhyming poem about denying health claims. Optum says the tool was never put into production, that the site is no longer accessible, and that it did not use or contain any protected health information.

Recommended read:
References :
  • Slashdot :verified:: UnitedHealthcare's Optum Left an AI Chatbot, Used By Employees To Ask Questions About Claims, Exposed To the Internet
  • Zack Whittaker: A spokesperson for Optum said the chatbot was a 'demo tool developed as a potential proof of concept.' The chatbot kept a stored history of what employees asked the chatbot, including: 'What should be the determination of the claim,' and 'How do I check policy renewal date.'
  • TechCrunch: UnitedHealth’s Optum left an AI chatbot, used by employees to ask questions about claims, exposed to the internet
  • ansuz: UnitedHealth’s Optum left an AI chatbot, used by employees to ask questions about claims, exposed to the internet
  • Patrick C Miller: UnitedHealth's Optum left an AI chatbot, used by employees to ask questions about claims, exposed to the internet | TechCrunch
  • bsky.app: UnitedHealth's Optum left an AI chatbot, used by employees to ask questions about claims, exposed to the internet | TechCrunch

gist.github.com via pushcx@lobste.rs - 28d
A 15-year-old hacker has uncovered a deanonymization weakness built on Cloudflare's caching behavior. The "zero-click" attack narrows a target's location down to within roughly 250 miles without any interaction from the victim. It affects several popular platforms that serve content through Cloudflare, including Signal and Discord, raising privacy concerns for their users. The researcher published a write-up warning that the technique is hard for a victim to detect and could be used against journalists, activists and hackers: an attacker sends a payload to the target and learns their approximate location within seconds.

Multiple online cybercrime platforms, including the forums Cracked and Nulled and the supporting services Sellix (payment processing) and StarkRDP (hosting), have been seized by law enforcement in a large international operation. The sites, which facilitated trading in stolen data, malware and hacking tools, served more than 10 million users. Authorities from several countries took part, with arrests, property searches and the confiscation of devices and funds. Europol reports that the platforms generated over a million euros in illicit profits, and that the forums also offered AI-based tools to automate vulnerability scanning and improve phishing attacks.

Recommended read:
References :
  • lobste.rs: Unique 0-click deanonymization attack targeting Signal, Discord and hundreds of platform
  • The Hacker News: Authorities Seize Domains of Popular Hacking Forums in Major Cybercrime Crackdown
  • blog.cloudflare.com: Cloudflare released an outage postmortem for yesterday's incident in which multiple Cloudflare services were unavailable for almost a full hour. All operations against R2 object storage failed for the duration of the incident, and a number of other Cloudflare services that depend on R2 failed as well.
  • BleepingComputer: A routine attempt to block a phishing URL in Cloudflare's R2 object storage platform backfired yesterday, triggering a widespread outage that brought down multiple services for nearly an hour.
  • cyb_detective: An attempt to block a phishing URL in Cloudflare's R2 object storage platform backfired yesterday, triggering a widespread outage that brought down multiple services for nearly an hour.
  • Cloudflare: Cloudflare released an outage postmortem for yesterday's incident in which multiple Cloudflare services were unavailable for almost a full hour. This caused all operations against R2 object storage to fail for the duration of the incident, and caused a number of other Cloudflare services that depend on R2 to fail as well.

Mike Robinson@Tech Crawlr - 50d
A significant data breach at location data firm Gravy Analytics has exposed the sensitive location data of millions of users. The compromised data includes coordinates from mobile devices across the US, Europe, and Russia, with some records also linking the location data to specific apps. Popular apps like Candy Crush, Tinder, MyFitnessPal, and various others are impacted. The data was initially posted on a Russian-language forum by a hacker using the alias "Nightly".

The breadth of the breach is staggering, with apps across several categories affected, including dating apps such as Grindr, games like Temple Run and Subway Surfers, transit apps such as Moovit, period trackers, religious apps including Muslim prayer and Christian Bible apps, various pregnancy trackers, and even virtual private network (VPN) applications. It appears that these apps were co-opted by rogue members of the advertising industry to collect this data through the advertising bid stream, often without the knowledge of the app developers. This has raised concerns about how user data is being collected and sold within the advertising ecosystem.

Recommended read:
References :
  • malware.news: Massive breach at location data seller: “Millions” of users affected
  • www.404media.co: Hackers claim massive breach of location data giant, threaten to leak data
  • Malwarebytes: Massive breach at location data seller: “Millions” of users affected
  • www.techdirt.com: Gravy Analytics specializes in location intelligence, meaning it collects sensitive phone location and behavior data.
  • gbhackers.com: Gravy Analytics Hit by Cyberattack, Hackers Allegedly Stole data
  • Techmeme: A hack of location data firm Gravy reveals Candy Crush, Tinder, and thousands of other apps are being used to steal user location data; apps may not even know (Joseph Cox/Wired)
  • Miguel Afonso Caetano: Hackers claim to have compromised Gravy Analytics, the parent company of Venntel which has sold masses of smartphone location data to the U.S. government.
  • www.wired.com: Candy Crush, Tinder, MyFitnessPal: See the Thousands of Apps Hijacked to Spy on Your Location
  • bsky.app: New from 404 Media: data hacked from location giant Gravy reveals thousands of ordinary apps hijacked to steal your location data. Candy Crush, MyFitnessPal, Tinder. Period trackers, prayer apps. Because of how data collected, apps may not even know
  • www.404media.co: See the Thousands of Apps Hijacked to Spy on Your Location
  • Miguel Afonso Caetano: 'Included in the hacked Gravy data are tens of millions of mobile phone coordinates of devices inside the US, Russia, and Europe. Some of those files also reference an app next to each piece of location data. 404 Media extracted the app names and built a list of mentioned apps. The list includes dating sites Tinder and Grindr; massive games such as Candy Crush, Temple Run, Subway Surfers, and Harry Potter: Puzzles & Spells; transit app Moovit; My Period Calendar & Tracker, a period-tracking app with more than 10 million downloads; popular fitness app MyFitnessPal; social network Tumblr; Yahoo’s email client; Microsoft’s 365 office app; and flight tracker Flightradar24. The list also mentions multiple religious-focused apps such as Muslim prayer and Christian Bible apps, various pregnancy trackers, and many VPN apps, which some users may download, ironically, in an attempt to protect their privacy.'
  • flipboard.com: Candy Crush, Tinder, MyFitnessPal: See the Thousands of Apps Hijacked to Spy on Your Location

@www.forbes.com - 54d
Apple has agreed to a $95 million settlement to resolve a class-action lawsuit concerning its Siri voice assistant. The lawsuit alleges that Siri recorded private conversations when unintentionally activated, sharing these recordings with third parties including advertisers and human reviewers. The plaintiffs claim this happened without their consent and that they were then targeted with specific ads based on these conversations, with some citing examples of receiving ads for products or medical treatments after discussing those topics near their devices. The settlement also mentions that Apple employed contractors to listen to some of these recordings which included private and confidential conversations.

Apple denies any wrongdoing as part of the settlement. However, the agreement indicates that eligible users who owned a Siri-enabled device between 2014 and 2019 may be entitled to a payout of up to $20 per device. Class members are defined as individuals who are current or former owners of a Siri Device and reside in the US and its territories. They must also be willing to declare under oath that Apple recorded their conversations while Siri was accidentally activated. The final size of each payment will depend on the number of claims made.

Recommended read:
References :
  • www.bbc.com: Report on Apple paying $95 million to settle a lawsuit about Siri listening
  • www.businessinsider.com: Report about who might be eligible for a payout in the Siri settlement.
  • www.forbes.com: Details of the Apple Siri settlement and how users can claim.
  • Hacker News: Apple Siri Eavesdropping Payout–Here's Who's Eligible and How to Claim (posted on 2025.01.04 at 09:40:24)
  • www.forbes.com: Apple Siri Eavesdropping Payout—Here’s Who’s Eligible And How To Claim
  • www.apple.com: Our longstanding privacy commitment with Siri
  • The Verge: The Verge article on Apple refuting rumors about Siri and advertising.
  • Quartz: Apple says Siri isn't eavesdropping and selling your data
  • www.benzinga.com: Apple Clarifies Siri Privacy Policy After $95 Million Settlement Over Allegations Of Unauthorized Recordings

@www.forbes.com - 9d
References: citizenlab.ca , Deeplinks , Deeplinks ...
A new report by Citizen Lab and the EFF Threat Lab has uncovered critical security vulnerabilities within the popular Chinese social media application, RedNote. The analysis, conducted on version 8.59.5 of the app, revealed that RedNote transmits user content, including viewed images and videos, over unencrypted HTTP connections. This exposes sensitive user data to potential network eavesdroppers, who can readily access the content being browsed.

Additionally, the report highlights that the Android version of RedNote contains a vulnerability that could allow attackers to access the contents of files on a user's device. The app also transmits device metadata without adequate encryption, sometimes even when using TLS, potentially enabling attackers to learn about a user's device screen size and mobile network carrier. Despite responsible disclosures to RedNote and its vendors NEXTDATA and MobTech in late 2024 and early 2025, no response has been received regarding these critical security flaws.

Recommended read:
References :
  • citizenlab.ca: The report highlights three serious security issues in the RedNote app.
  • Deeplinks: The EFF Threat Lab confirmed the Citizen Lab findings about Red Note.
  • www.forbes.com: Is RedNote Safe? Here's What Millions of TikTok Users Need to Know
  • Deeplinks: Crimson Memo: Analyzing the Privacy Impact of Xiaohongshu AKA Red Note

@feeds.feedburner.com - 69d
Apple is notifying users who are likely targets of government-sponsored spyware, but is redirecting them to third-party security labs instead of performing in-house forensic analysis. This decision stems from Apple's concern that in-depth analysis could reveal spyware capabilities to the attackers. The company is alerting victims that their devices are potentially compromised by mercenary spyware and specifically directing them to seek assistance from the nonprofit Access Now, which runs a digital security lab specializing in this area.

This approach is supported by cybersecurity experts who work with at-risk individuals such as human rights defenders and journalists. They agree that Apple is taking the correct course by informing users while abstaining from forensic analysis. John Scott-Railton, a senior researcher at the Citizen Lab, noted that the notifications have been a “game changer for spyware accountability research.” The notifications from Apple, according to Access Now, indicate a high confidence in the warning, emphasizing the importance of taking it seriously. Apple’s stance comes from an incident where they declined to analyze devices belonging to campaign staff of US vice president Kamala Harris after they triggered an anomaly detection tool.

Recommended read:
References :
  • infosec.exchange: LorenzoFB's Mastodon post on Apple's spyware notifications.
  • Zack Whittaker: Zack Whittaker's Mastodon post on Apple's spyware notifications.
  • techcrunch.com: TechCrunch article about Apple sending victims to a nonprofit lab.
  • Techmeme: Experts say Apple's spyware notifications for victims are a game changer for research; the notifications direct the victims to nonprofit security lab Access Now (Lorenzo Franceschi-Bicchierai/TechCrunch)

@www.cnbc.com - 29d
DeepSeek AI, a rapidly growing Chinese AI startup, has suffered a significant data breach, exposing a database containing over one million log lines of sensitive information. Security researchers at Wiz discovered the exposed ClickHouse database was publicly accessible and unauthenticated, allowing full control over database operations without any defense mechanisms. The exposed data included user chat histories, secret API keys, backend details, and other highly sensitive operational metadata. This exposure allowed potential privilege escalation within the DeepSeek environment.

The Wiz research team identified the vulnerability through standard reconnaissance techniques on publicly accessible domains and by discovering unusual open ports linked to DeepSeek. The affected database was hosted at oauth2callback.deepseek.com:9000 and dev.deepseek.com:9000. Researchers noted how easily the exposed data could be discovered and the potential for malicious actors to have accessed it. DeepSeek was contacted by the security researchers and has since secured the database; however, it remains unclear whether unauthorized third parties were also able to access the information.

Recommended read:
References :
  • NewsGuard's Reality Check: NewsGuard: with news-related prompts, DeepSeek's chatbot repeated false claims 30% of the time and provided non-answers 53% of the time, giving an 83% fail rate (NewsGuard's Reality Check)
  • www.theregister.com: Upgraded China's DeepSeek, which has rattled American AI makers, has limited new signups to its web-based interface
  • Pyrzout :vm:: Social.skynetcloud.site post about DeepSeek's database leak
  • www.wired.com: Wiz: DeepSeek left one of its critical databases exposed, leaking more than 1M records including system logs, user prompt submissions, and users' API keys (Wired)
  • ciso2ciso.com: Guess who left a database wide open, exposing chat logs, API keys, and more? Yup, DeepSeek
  • The Hacker News: DeepSeek AI Database Exposed: Over 1 Million Log Lines, Secret Keys Leaked
  • Wiz Blog | RSS feed: Wiz Research Uncovers Exposed DeepSeek Database Leaking Sensitive Information, Including Chat History | Wiz Blog
  • www.theverge.com: News about DeepSeek's data security breach.
  • www.wired.com: Wired article discussing DeepSeek's AI jailbreak.
  • arstechnica.com: Report: DeepSeek's chat histories and internal data were publicly exposed.

@www.theverge.com - 50d
Washington state has filed a lawsuit against T-Mobile regarding the 2021 data breach that exposed the personal information of approximately 79 million people nationwide, including over 2 million Washington residents. The lawsuit alleges that T-Mobile was aware of security vulnerabilities for years but failed to address them, leading to the breach that began in March 2021 and went unnoticed for six months. The state claims the company also inadequately notified affected customers and downplayed the severity of the incident, which involved sensitive information being sold on the dark web.

The lawsuit further asserts that T-Mobile did not meet industry standards for cybersecurity and used weak passwords for accounts with access to consumer data. Washington Attorney General Bob Ferguson stated that the breach was avoidable, criticizing T-Mobile’s failure to fix known vulnerabilities. In addition to seeking compensation for those impacted, the state is seeking a court order mandating T-Mobile to improve its cybersecurity practices, enhance transparency in future incidents, and align with industry standards. It has also been revealed that T-Mobile may have hired a third-party firm to purchase leaked data in an attempt to prevent it from being sold more widely.

Recommended read:
References :
  • www.bleepingcomputer.com: Washington state sues T-Mobile over 2021 data breach security failures
  • The Verge: T-Mobile is under fire again over its 2021 data breach
  • 9to5mac.com: 9to5Mac article on Washington state suing T-Mobile over the data breach.

@go.theregister.com - 21d
Gravy Analytics is facing a new lawsuit following a data breach that allegedly compromised the location data of tens of millions of smartphones. This marks the fourth lawsuit against the company since January 2025, accusing it of failing to adequately protect personal data. The information, which includes precise coordinates harvested from installed apps, is feared to have been stolen from the analytics firm's AWS S3 storage buckets.

A complaint filed in federal court in northern California alleges that a massive archive containing the geo-locations of people's phones has been compromised. Gravy Analytics confirmed a data security breach occurred, which was discovered on January 4, 2025. The FTC previously banned Gravy Analytics and its subsidiary Venntel from selling sensitive location data in December 2024, and this latest breach only raises additional concern about data privacy.

Recommended read:
References :
  • ciso2ciso.com: Coordinates of millions of smartphones feared stolen, sparking yet another lawsuit against data broker – Source: go.theregister.com
  • The Register: Coordinates of millions of smartphones feared stolen, sparking yet another lawsuit against data broker Fourth time’s the harm? Gravy Analytics has been sued yet again for allegedly failing to safeguard its vast stores of personal data, which are now feared stolen. And by personal data we mean information including the locations of tens of millions of smartphones, coordinates of whi…
  • go.theregister.com: Coordinates of millions of smartphones feared stolen, sparking yet another lawsuit against data broker
  • Pyrzout :vm:: Coordinates of millions of smartphones feared stolen, sparking yet another lawsuit against data broker
  • The Register - Security: Coordinates of millions of smartphones feared stolen, sparking yet another lawsuit against data broker

@securityonline.info - 51d
A critical security vulnerability, identified as CVE-2024-8474, has been discovered in the OpenVPN Connect application. The flaw affects versions prior to 3.5.0 and stems from the application writing the user's private key in clear text to the application log. A malicious actor who gains access to a device running a vulnerable version of OpenVPN Connect could extract this private key and use it to decrypt the user's VPN traffic, rendering the VPN's protection completely ineffective. OpenVPN Connect is a widely used client application, with over 10 million downloads on the Google Play Store, so it is vital for users to be aware of this threat.

To address this, OpenVPN has released version 3.5.1, which fixes the key leakage vulnerability. Although this latest update also addresses a separate app stability issue, users are strongly encouraged to update as soon as possible to ensure their protection. As a precaution, users who ran a vulnerable version are advised to check the application logs for any suspicious activity and to change their VPN usernames and passwords. The OpenVPN Connect app itself requires users to connect to a separate VPN server. Users should remain vigilant for potential security risks and make a habit of keeping software updated.
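A defender-side check for the log-leakage class described above, written here as an added example and not code from OpenVPN: it scans application log text for PEM private-key blocks and reports only the key type and line span, never the key bytes, so the result can be shared safely. The sample log lines and the base64 body are constructed and do not contain a real key.

```python
"""Scan an application log for leaked PEM private keys (added example)."""
import re
from dataclasses import dataclass

# PEM armour lines; the group captures the key type, e.g. "RSA PRIVATE KEY".
# Any "... PRIVATE KEY" variant (PKCS#8, RSA, EC, ENCRYPTED) is matched.
_BEGIN = re.compile(r"-----BEGIN ((?:[A-Z ]+ )?PRIVATE KEY)-----")
_END = re.compile(r"-----END ((?:[A-Z ]+ )?PRIVATE KEY)-----")


@dataclass(frozen=True)
class KeyLeak:
    key_type: str    # e.g. "PRIVATE KEY" or "RSA PRIVATE KEY"
    start_line: int  # 1-based line holding the BEGIN marker
    end_line: int    # 1-based line holding the END marker
    complete: bool   # False when the log was cut before the END marker


def find_private_keys(log_text: str) -> list[KeyLeak]:
    """Return every private-key block found in the log, without its contents."""
    leaks: list[KeyLeak] = []
    open_type = None  # key type of the block currently being read
    open_line = 0
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        if open_type is None:
            begin = _BEGIN.search(line)
            if begin:
                open_type, open_line = begin.group(1), lineno
                # Some loggers flatten the key onto one line; handle BEGIN+END together.
                end = _END.search(line, begin.end())
                if end and end.group(1) == open_type:
                    leaks.append(KeyLeak(open_type, lineno, lineno, True))
                    open_type = None
        else:
            end = _END.search(line)
            if end and end.group(1) == open_type:
                leaks.append(KeyLeak(open_type, open_line, lineno, True))
                open_type = None
    if open_type is not None:
        # Truncated block (rotated or cut log): still a leak, just incomplete.
        leaks.append(KeyLeak(open_type, open_line, open_line, False))
    return leaks


# Constructed sample log: the base64 body is "ABCDEFGHIJKLMNOPQRSTUVWXYZ", not a key.
SAMPLE_LOG = """\
2025-01-10 09:00:01 INFO  Loading profile work.ovpn
2025-01-10 09:00:01 DEBUG <key>
-----BEGIN PRIVATE KEY-----
QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo=
-----END PRIVATE KEY-----
2025-01-10 09:00:01 DEBUG </key>
2025-01-10 09:00:02 INFO  Connecting to vpn.example.net:1194
2025-01-10 09:00:02 DEBUG cert=-----BEGIN CERTIFICATE-----QUJD-----END CERTIFICATE-----
"""

if __name__ == "__main__":
    for leak in find_private_keys(SAMPLE_LOG):
        state = "complete" if leak.complete else "truncated"
        print(f"{leak.key_type} at lines {leak.start_line}-{leak.end_line} ({state})")
```

Certificates are public and are deliberately not reported; only `PRIVATE KEY` armour triggers a finding.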

Recommended read:
References :
  • cR0w :cascadia:: OpenVPN Connect before version 3.5.0 can contain the configuration profile's clear-text private key which is logged in the application log, which an unauthorized actor can use to decrypt the VPN traffic
  • securityonline.info: CVE-2024-8474: OpenVPN Connect Vulnerability Leaks Private Keys
  • nvd.nist.gov: OpenVPN Connect before version 3.5.0 can contain the configuration profile's clear-text private key which is logged in the application log, which an unauthorized actor can use to decrypt the VPN traffic