Hacks of the Month — January


These are the hacks and attacks that happened last month: a short recap and rundown of what you might have missed regarding exposed consumer personal data.

Week 1 (Jan 1-11):

CastHack — Smart TVs

Hackers hijacked smart TVs and Chromecasts to display a message, in an attack dubbed “CastHack”. The cause is a home router setting called Universal Plug and Play (UPnP), which helps smart devices easily connect to other devices on a private network. However, the feature can also publicly expose the devices’ ports to the internet if configured that way.


Blur Data Breach

Password manager Blur disclosed that the personal information of 2.4 million users was potentially affected. The issue was a misconfigured Amazon S3 storage bucket. The exposed information includes unique email addresses, first and last names, encrypted Blur passwords, and password hints, for users who registered their accounts before January 6, 2018.

Week 2 (Jan 12-19):

OXO Breach

OXO, a kitchen and housewares firm, notified its customers that its e-commerce website was breached between 2017 and 2018. The compromise may have included names, billing and shipping addresses, and credit card information.

VOIPO exposes texts and call logs

VOIPO, a California Voice-over-IP (VoIP) service provider, accidentally left millions of customer call logs, SMS message logs, and credentials in plain text, publicly accessible to anyone without authentication. The open Elasticsearch database was discovered by Justin Paine from Cloudflare using the search engine Shodan. Justin Paine notified VOIPO’s CTO of the find. According to Justin Paine, the database contained many logs and timestamps of calls and texts. The exposed logs date back to July 2017 (call logs) and to December 2015 (SMS/MMS logs). Anyone who uses VOIPO should change their passwords as a precaution.


Massive Emails & Passwords Data Dump

Known as Collection #1, a large collection of credential stuffing lists (combinations of email addresses and passwords used to hijack accounts on other services) was discovered being distributed on a popular hacking forum. The data contained almost 2.7 billion records including 773 million unique email addresses alongside passwords those addresses had used on other breached services.

Week 3 (Jan 20-31):


Exposed Twitter Private Tweets—Android Users
Twitter has disclosed that it fixed a bug that, for more than four years, made private tweets public on the platform. Between November 3rd, 2014 and January 14, 2019, Twitter for Android had a bug that caused the tweets of users who had turned on “Protect your Tweets” to be made public. Protect your Tweets is meant to make tweets visible only to a person’s followers. Twitter has notified users and turned


FaceTime Privacy Bug
A privacy bug for iPhone users allowed FaceTime users to place a call to someone in the app and cause it to “answer” the call, letting the caller eavesdrop on the audio feed. According to recent reporting, the bug impacts devices running iOS 12.1 or later. The bug has been reported to Apple, and Group FaceTime has been made temporarily unavailable as of Tuesday, January 29.
