CyberSecurity news

FlagThis - #privacybreach

@siliconangle.com - 59d
References: electrek.co, malware.news, ciso2ciso.com, ...
A significant data leak has exposed the location data of approximately 800,000 Volkswagen electric vehicles, including models from VW, Audi, Seat, and Skoda. The breach resulted from a cloud misconfiguration at Volkswagen's software subsidiary, Cariad, which stores data on Amazon Web Services. The leaked data included real-time GPS locations, some of them accurate to within ten centimeters, along with other sensitive information. The issue came to light after a whistleblower alerted the German newspaper Der Spiegel; security researchers from the Chaos Computer Club also helped uncover the leak.

The exposed data potentially allows vehicle locations to be tracked and linked to vehicle owners, their names, and their contact details. This raises serious privacy concerns: in some instances it was even possible to determine the travel patterns of individuals, including two German politicians. The incident highlights the critical importance of robust cloud security practices at automotive manufacturers and their software subsidiaries. While Volkswagen says that accessing the data required bypassing security mechanisms, the incident underscores the severe consequences of mishandling sensitive customer information.

References:
  • electrek.co: Massive data leak at Volkswagen exposes locations of 800,000 EV drivers, for months
  • malware.news: Almost 800K electric cars' data exposed by Cariad
  • Techzine Global: Volkswagen data breach highlights major privacy risks
  • ciso2ciso.com: CISO2CISO article about exposed cloud server tracking 800,000 Volkswagen, Audi, and Skoda EVs.
  • The Verge: The Verge report on Volkswagen leak exposing location data for 800,000 electric cars.
  • Electrek: Electrek article about massive data leak at Volkswagen exposing locations of 800,000 EV drivers.
  • Latest from TechRadar: TechRadar article about over 800,000 electric car owners and drivers having private info exposed online.
  • Cybernews: 800,000 Volkswagen owners' data was left unprotected and exposed.
  • ciso2ciso.com: Exposed Cloud Server Tracks 800,000 Volkswagen, Audi, and Skoda EVs – Source:hackread.com
  • arstechnica.com: Whistleblower finds unencrypted location data for 800,000 VW EVs
  • techcrunch.com: TechCrunch reports on a Volkswagen leak that exposed precise location data.
  • www.engadget.com: Engadget reports huge Volkswagen data leak exposed the locations of 460,000 EV drivers.
  • www.scworld.com: Almost 800K electric cars' data exposed by Cariad
  • pxlnv.com: Volkswagen Subsidiary Left Vehicle Location Data Unprotected in Amazon Storage
  • siliconangle.com: Location data from 800,000 Volkswagen vehicles exposed by cloud misconfiguration
  • www.carscoops.com: VW Group had sensitive info, including GPS coordinates, of 800K+ electric vehicles exposed on an unprotected AWS database for months before it was alerted
  • Ars OpenForum: Whistleblower finds unencrypted location data for 800,000 VW EVs
  • Techmeme: VW Group had sensitive info, including GPS coordinates, of 800K+ electric vehicles exposed on an unprotected AWS database for months before it was alerted (Thanos Pappas/Carscoops)
  • toot.majorshouse.com: Why do they need the location data in the first place? Why does any company need this data? Volkswagen leak exposed location data for 800,000 electric cars
  • Dataconomy: A data leak exposed the location data of approximately 800,000 Volkswagen (VW) electric vehicles (EVs) for several months, impacting vehicles from VW, Audi, Seat, and Skoda, as reported by Der Spiegel.
  • Mashable: Volkswagen leak exposed location of 800,000 electric car drivers for months
  • Miguel Afonso Caetano: Connected cars are great—at least until some company leaves unencrypted location data on the Internet for anyone to find.
  • TechSpot: Volkswagen leak exposes private information of 800,000 EV owners, including location data
  • discuss.techlore.tech: Volkswagen leak exposed location data for 800,000 electric cars
  • Techlore: Volkswagen leak exposed location data for 800,000 electric cars
  • jbz: Cariad has since patched the vulnerability, which had revealed data about the usage of Skodas, Audis, and Seats, as well as what Motor1 calls "incredibly detailed data" for VW ID.3 and ID.4 owners. The data set also included pinpoint location data for 460,000 of the vehicles, which Der Spiegel said could be used to paint a picture of their owners' lives and daily activities.
  • DMR News: Volkswagen Data Leak Exposed Location Data for 800,000 Electric Cars
  • osint10x.com: Exposed Cloud Server Tracks 800,000 Volkswagen, Audi, and Skoda EVs
  • Alex Jimenez: Volkswagen leak exposed location data for 800,000 electric cars. The leak also included the emails, addresses, and phone numbers of drivers in some cases, Der Spiegel reports.

Mike Robinson@Tech Crawlr - 49d
A significant data breach at location data firm Gravy Analytics has exposed the sensitive location data of millions of users. The compromised data includes coordinates from mobile devices across the US, Europe, and Russia, with some records also linking the location data to specific apps. Popular apps like Candy Crush, Tinder, MyFitnessPal, and various others are impacted. The data was initially posted on a Russian-language forum by a hacker using the alias "Nightly".

The breadth of the breach is staggering, with apps across several categories affected: dating apps such as Grindr, games like Temple Run and Subway Surfers, transit apps such as Moovit, period trackers, religious apps including Muslim prayer and Christian Bible apps, various pregnancy trackers, and even virtual private network (VPN) applications. It appears that these apps were co-opted by rogue members of the advertising industry to collect this data through the advertising bid stream, often without the knowledge of the app developers. This has raised concerns about how user data is collected and sold within the advertising ecosystem.

References:
  • malware.news: Massive breach at location data seller: “Millions” of users affected
  • www.404media.co: Hackers claim massive breach of location data giant, threaten to leak data
  • Malwarebytes: Massive breach at location data seller: “Millions” of users affected
  • www.techdirt.com: Gravy Analytics specializes in location intelligence, meaning it collects sensitive phone location and behavior data.
  • gbhackers.com: Gravy Analytics Hit by Cyberattack, Hackers Allegedly Stole data
  • Techmeme: A hack of location data firm Gravy reveals Candy Crush, Tinder, and thousands of other apps are being used to steal user location data; apps may not even know (Joseph Cox/Wired)
  • Miguel Afonso Caetano: Hackers claim to have compromised Gravy Analytics, the parent company of Venntel which has sold masses of smartphone location data to the U.S. government.
  • www.wired.com: Candy Crush, Tinder, MyFitnessPal: See the Thousands of Apps Hijacked to Spy on Your Location
  • bsky.app: New from 404 Media: data hacked from location giant Gravy reveals thousands of ordinary apps hijacked to steal your location data. Candy Crush, MyFitnessPal, Tinder. Period trackers, prayer apps. Because of how the data is collected, apps may not even know.
  • www.404media.co: See the Thousands of Apps Hijacked to Spy on Your Location
  • Miguel Afonso Caetano: 'Included in the hacked Gravy data are tens of millions of mobile phone coordinates of devices inside the US, Russia, and Europe. Some of those files also reference an app next to each piece of location data. 404 Media extracted the app names and built a list of mentioned apps. The list includes dating sites Tinder and Grindr; massive games such as Candy Crush, Temple Run, Subway Surfers, and Harry Potter: Puzzles & Spells; transit app Moovit; My Period Calendar & Tracker, a period-tracking app with more than 10 million downloads; popular fitness app MyFitnessPal; social network Tumblr; Yahoo’s email client; Microsoft’s 365 office app; and flight tracker Flightradar24. The list also mentions multiple religious-focused apps such as Muslim prayer and Christian Bible apps, various pregnancy trackers, and many VPN apps, which some users may download, ironically, in an attempt to protect their privacy.'
  • flipboard.com: Candy Crush, Tinder, MyFitnessPal: See the Thousands of Apps Hijacked to Spy on Your Location

@www.forbes.com - 54d
Apple has agreed to a $95 million settlement to resolve a class-action lawsuit concerning its Siri voice assistant. The lawsuit alleges that Siri recorded private conversations when unintentionally activated, sharing these recordings with third parties including advertisers and human reviewers. The plaintiffs claim this happened without their consent and that they were then targeted with specific ads based on these conversations, with some citing examples of receiving ads for products or medical treatments after discussing those topics near their devices. The settlement also mentions that Apple employed contractors to listen to some of these recordings which included private and confidential conversations.

Apple denies any wrongdoing as part of the settlement. However, the agreement indicates that eligible users who owned a Siri-enabled device between 2014 and 2019 may be entitled to a payout of up to $20 per device. Class members are defined as individuals who are current or former owners of a Siri Device and reside in the US and its territories. They must also be willing to declare under oath that Apple recorded their conversations while Siri was accidentally activated. The final size of each payment will depend on the number of claims made.

References:
  • www.bbc.com: Report on Apple paying $95 million to settle a lawsuit about Siri listening
  • www.businessinsider.com: Report about who might be eligible for a payout in the Siri settlement.
  • www.forbes.com: Details of the Apple Siri settlement and how users can claim.
  • Hacker News: Apple Siri Eavesdropping Payout: Here's Who's Eligible and How to Claim (posted 2025-01-04)
  • www.forbes.com: Apple Siri Eavesdropping Payout—Here’s Who’s Eligible And How To Claim
  • www.apple.com: Our longstanding privacy commitment with Siri
  • The Verge: The Verge article on Apple refuting rumors about Siri and advertising.
  • Quartz: Apple says Siri isn't eavesdropping and selling your data
  • www.benzinga.com: Apple Clarifies Siri Privacy Policy After $95 Million Settlement Over Allegations Of Unauthorized Recordings

@securityonline.info - 51d
A critical security vulnerability, identified as CVE-2024-8474, has been discovered in the OpenVPN Connect application. The flaw affects versions prior to 3.5.0 and stems from the application writing the user's private key in clear text to the application log. A malicious actor who gains access to a device running a vulnerable version of OpenVPN Connect could extract this private key and use it to decrypt the user's VPN traffic, which renders the VPN's protection completely ineffective. OpenVPN Connect is a widely used client application with over 10 million downloads on the Google Play Store, so it is vital that users are aware of this threat.

To address this, OpenVPN has released version 3.5.1, which fixes the key leakage vulnerability. Although this update also addresses a separate app stability issue, users are strongly encouraged to update as soon as possible to ensure their protection. As a precautionary step, users who ran a vulnerable version are advised to check their application logs for any suspicious activity and to change their VPN usernames and passwords. Note that OpenVPN Connect is only a client: it connects to a separately operated VPN server. Users should remain vigilant for potential security risks and make it a habit to keep software updated.
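The defensive check the advice above calls for, written here as an added example rather than code from OpenVPN or any of the cited sources: a small Python scanner that walks a text log, reports the line ranges of any PEM private-key blocks it finds, and produces a redacted copy so the log can be shared with support or kept for forensics without carrying the key. The sample log and the key body inside it are constructed for this example; the log format assumed is plain text with one entry per line, and the PEM header variants matched are the common ones (`PRIVATE KEY`, `RSA PRIVATE KEY`, `EC PRIVATE KEY`, `ENCRYPTED PRIVATE KEY`, `OPENSSH PRIVATE KEY`). Finding a match means the key should be treated as compromised and rotated, not merely deleted from the log.

```python
import re
from typing import List, Tuple

# One PEM private-key block, header through footer. DOTALL lets ".*?" span the
# base64 body lines; the non-greedy match stops at the first matching footer.
PEM_KEY_RE = re.compile(
    r"-----BEGIN (?:RSA |EC |OPENSSH |ENCRYPTED )?PRIVATE KEY-----"
    r".*?"
    r"-----END (?:RSA |EC |OPENSSH |ENCRYPTED )?PRIVATE KEY-----",
    re.DOTALL,
)

# Constructed sample log for this example (not a real OpenVPN Connect log;
# the key body is a placeholder, not key material).
SAMPLE_LOG = """\
2024-09-10 08:01:02 [INFO] Importing profile "work.ovpn"
2024-09-10 08:01:02 [DEBUG] profile contents:
<key>
-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC7
(example key body, constructed)
-----END PRIVATE KEY-----
</key>
2024-09-10 08:01:03 [INFO] Connecting to vpn.example.com:1194
"""


def find_private_keys(text: str) -> List[Tuple[int, int]]:
    """Return 1-based (start_line, end_line) ranges of PEM private-key blocks.

    Line numbers are derived from the match offsets so the report points an
    analyst at the exact lines, without echoing the key itself.
    """
    ranges = []
    for m in PEM_KEY_RE.finditer(text):
        start_line = text.count("\n", 0, m.start()) + 1
        end_line = text.count("\n", 0, m.end()) + 1
        ranges.append((start_line, end_line))
    return ranges


def redact_private_keys(text: str) -> Tuple[str, int]:
    """Replace every PEM private-key block with a marker.

    Returns the redacted text and the number of blocks replaced, so a caller
    can both keep a shareable copy and know whether rotation is required.
    """
    return PEM_KEY_RE.subn("-----PRIVATE KEY REDACTED-----", text)


def scan_log_file(path: str) -> List[Tuple[int, int]]:
    """Scan a log file on disk; errors="replace" keeps binary noise from aborting the scan."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        return find_private_keys(fh.read())


if __name__ == "__main__":
    hits = find_private_keys(SAMPLE_LOG)
    if hits:
        for start, end in hits:
            print(f"private key material found at lines {start}-{end}; rotate this key")
        redacted, count = redact_private_keys(SAMPLE_LOG)
        print(f"redacted {count} block(s):\n{redacted}")
    else:
        print("no private key material found")
```

Run it against a real log by calling `scan_log_file("/path/to/app.log")`; any reported range is grounds to generate a new client certificate and key on the VPN server side and to revoke the old one, since anything that could read the log has had the key.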

References:
  • cR0w :cascadia:: OpenVPN Connect before version 3.5.0 can contain the configuration profile's clear-text private key which is logged in the application log, which an unauthorized actor can use to decrypt the VPN traffic
  • securityonline.info: CVE-2024-8474: OpenVPN Connect Vulnerability Leaks Private Keys
  • nvd.nist.gov: OpenVPN Connect before version 3.5.0 can contain the configuration profile's clear-text private key which is logged in the application log, which an unauthorized actor can use to decrypt the VPN traffic