Another month of who got hacked, consumer data left publicly accessible, and unpatched flaws to report on. For this month, we listed a short recap and rundown on consumer data left exposed by various companies. Read on for the latest security flaw and data breaches for hacks of the month —August 2019.
Google security researcher discovers a 20-year-old unsecured vulnerability affecting all versions of Microsoft Windows (Windows XP – Windows 10). The security flaw allows attackers to bypass User Interface Privilege Isolation (UIPI) allowing an unprivileged process to:
- Read sensitive text from any window of other applications (including passwords from dialog boxes)
- Gain SYSTEM privileges
- Take control of the UAC consent dialog
- And send commands to the administrator’s console session
Microsoft has patched the security flaw in its August Patch Tuesday update.
Mozilla Firefox has patched a flaw in it’s password manager. The “security glitch” allows for locally stored passwords which are accessed through “saved logins” to be copied without a master password, (A code CVE-2019-11733). These were accessible by copying to the clipboard through the ‘copy password’ context menu item without first entering the master password. As a result allowing for potential theft of stored passwords.”
Choice Hotels has confirmed a data breach. About 700,000 guest records were stolen from an unsecured server. The company stated the exposed data was hosted on a third-party vendor’s server. Data exposed was publicly available without a password or any requirement for authentication. Exposed consumer data included:
- Physical & Email Address
- Phone Numbers
- And payment Information
161 million records stored on Moviepass data servers suffer from a data breach. The exposed data was stored on an unsecured server, and publicly available without a password or need for authentication (this sounds familiar doesn’t it?). As a result, MoviePass has taken the database offline. The exposed data included:
- MoviePass Debit card numbers
- Debit card balance
- Personal credit cards
- Billing Information (Names, Addresses)
- Email Address
- And Passwords
Lenovo’s decommissioned Lenovo Solution Center is found to contain yet another security flaw. The software came pre-installed on millions of older Lenovo PCs. Security researchers at Pen Test Partners found the flaw can execute code on a targeted system and give Administrator or System-level privileges. All Lenovo laptops since 2011 have this program installed. As a result, we recommend uninstalling the program and migrate to Lenovo Vantage or Lenovo Diagnostics. Lenovo has instructions on how to uninstall the software here.
Hostinger, a popular web, cloud, and virtual private server hosting provider, as well as a domain registrar, confirmed a data breach. The affected server has been accessed by an unauthorized third party. Consequently the unauthorized user had access to 14 million of Hostiner’s user data. The company said it secured the system, and identified the origin of the unauthorized access. The exposed data was made up of:
- User names
- Email Addresses
- Hashed Passwords
- First Names
- IP Addresses
The the company reset the affected user passwords. They are also urging anyone impacted to cross check if their password is being re-used somewhere else. If so, to change them ASAP! Reusing passwords across other sites is a real problem nowadays. Don’t let your accounts get hacked and locked out, practice good password security and change them every 60 to 90 days.