Aviva
October 25, 2017
•[ hack, misconfiguration, finance ]
According to the security group RedLock, a group of hackers managed to breach Amazon Web Services accounts belonging to two companies on the Amazon Cloud, Aviva and Gemalto. The breach was due to poor password policy and aimed to use the resources to mine cryptocurrency.
Tarte Cosmetics
October 25, 2017
•[ leak, misconfiguration, retail ]
Tarte Cosmetics exposes nearly two million customers' personal data to the public via two unsecured MongoDB databases. Unfortunately the Cru3lty gang gets hold of the data, deletes or encrypts it, and demands 0.2 Bitcoins to restore the database.
Forrester Research
October 6, 2017
•[ hack, misconfiguration, technology ]
Forrester, one of the world's leading market research and investment advisory firms, admits that a security breach took place during the past week. An unidentified attacker (or attackers) gained access to the infrastructure hosting its website, stealing site credentials and proprietary research.
Etherparty
October 1, 2017
•[ hack, misconfiguration, finance ]
Hackers disrupt the Etherparty ICO (Initial Coin Offering) after hijacking the platform's website, displaying their own Ethereum address, tricking 59 ICO participants into sending funds to the wrong wallets.
Legendas.TV
October 1, 2017
•[ hack, misconfiguration ]
In October 2017, the now-defunct Brazilian Portuguese-subtitle service Legendas.TV suffered a data breach that exposed nearly 4M customer records. The impacted data included names, usernames, email and IP addresses, and unsalted SHA-1 hashes.
Road Sign in Modesto
September 10, 2017
•[ hack, misconfiguration, government ]
An electronic road sign in the city of Modesto, California is hacked and defaced with a message against President Donald Trump.
"Girls" Twitter account
August 17, 2017
•[ hack, misconfiguration, technology ]
Several HBO Twitter accounts are taken over by the notorious OurMine hacking group, posting #HBOHacked messages and warnings about security. Affected accounts include the main HBO Twitter account, as well as those for TV shows including Game of Thrones and Girls.
Taringa
August 1, 2017
•[ leak, misconfiguration, technology ]
In September 2017, news broke that Taringa had suffered a data breach exposing 28 million records. Known as "The Latin American Reddit", Taringa's breach disclosure notice indicated the incident dated back to August that year. The exposed data included usernames, email addresses and weak MD5 hashes of passwords.
Mansfield 103.2
July 11, 2017
•[ hack, misconfiguration, technology ]
The UK Communications Regulator (Ofcom) is hunting a pirate who persistently overrides the frequency of Mansfield 103.2 to play a modified version of "The Winker's Song".
Reliance Jio
July 9, 2017
•[ leak, misconfiguration, technology ]
Personal details of some 120 million Reliance Jio customers are exposed on the Internet in probably the biggest breach of personal data ever in India.
8tracks
June 27, 2017
•[ hack, misconfiguration, technology ]
In June 2017, the online playlist service known as 8Tracks suffered a data breach which impacted 18 million accounts. In their disclosure, 8Tracks advised that "the vector for the attack was an employee's GitHub account, which was not secured using two-factor authentication". Salted SHA-1 password hashes for users who didn't sign up with either Google or Facebook authentication were also included. The data was provided to HIBP by whitehat security researcher and data analyst Adam Davies and contained almost 8 million unique email addresses. The complete set of 18M records was later provided by JimScott.Sec@protonmail.com and updated in HIBP accordingly.
Exposed VINs
June 5, 2017
•[ leak, misconfiguration, automotive ]
In June 2017, an unsecured database with more than 10 million VINs (vehicle identification numbers) was discovered by researchers. Believed to be sourced from US car dealerships, the data included a raft of personal information and vehicle data along with 397k unique email addresses.
Hotels
June 3, 2017
•[ leak, misconfiguration, retail ]
Hotels.com sends an email to some customers advising that their username, password, email address, and the last four digits of stored credit card numbers were potentially stolen last month (between May 22 and 29).
OneLogin
May 31, 2017
•[ hack, misconfiguration, technology ]
OneLogin reveals the details of an attack on its systems, confirming that a "threat actor" accessed database tables including "information about users, apps, and various types of keys." The attacker was able to rifle through OneLogin's infrastructure for seven hours.
Road Sign in Houston
May 30, 2017
•[ hack, misconfiguration, government ]
Someone hacks a road sign in Houston with a message against Donald Trump.
Fast Health
May 28, 2017
•[ hack, misconfiguration, healthcare ]
Fast Health reports a security breach that could affect over 700 of their patients: a third party altered code on their server, stealing the credit card information of close to 700 customers who paid bills online between January 14, 2016 and December 20, 2016.
The Harvard Crimson
May 25, 2017
•[ hack, misconfiguration, education ]
The website of Harvard's 144-year-old newspaper is defaced to post fake stories and an altered picture of Facebook CEO Mark Zuckerberg (who was visiting the institution).
Blackburn High School
May 19, 2017
•[ leak, misconfiguration, education ]
Police investigate a major privacy breach at Blackburn High School, which saw the personal information of families, including their phone numbers, addresses and Medicare details, published online.
Reincubate
May 11, 2017
•[ leak, misconfiguration, technology ]
In October 2020, the app data company Reincubate suffered a data breach which exposed a backup from November 2017 (the newest record in the data appeared several months earlier). The data included over 616k unique email addresses, names and passwords stored as PBKDF2 hashes.
Netflix
April 28, 2017
•[ ransomware, misconfiguration, technology ]
TheDarkOverlord leaks an upcoming episode of Orange is the New Black after Netflix refuses to pay an extortion demand. The hack happened via a "production vendor".