Hacks of the Month —January
These are the hacks and attacks that happened last month: a short recap and rundown of what you might have missed regarding exposed consumer personal data.
Week 1 (Jan 1-11):
Hackers hijacked smart TVs and Chromecasts in an attack dubbed “CastHack”, displaying a message on the affected devices. The cause was a home router setting called Universal Plug and Play (UPnP), which is used to help smart devices easily connect to other devices on a private network. However, the feature can also publicly expose the devices’ ports to the internet if configured that way.
Password manager Blur disclosed that the personal information of 2.4 million users was potentially affected. The issue was a misconfigured Amazon S3 storage bucket. The exposed information includes unique email addresses, first and last names, encrypted Blur passwords, and password hints for users who registered their accounts before January 6, 2018.
Week 2 (Jan 12-19):
OXO, a kitchen and housewares firm, notified its customers that its e-commerce website was breached between 2017 and 2018. The compromise may have included names, billing and shipping addresses, and credit card information.
VOIPO exposes texts and call logs
VOIPO, a California Voice-over-IP (VoIP) service provider, accidentally left millions of customer call logs, SMS message logs, and credentials in plain text, publicly accessible to anyone without authentication. The open Elasticsearch database was discovered by Justin Paine from Cloudflare using the search engine Shodan. Paine notified VOIPO’s CTO of the find. According to Paine, the database contained many logs and timestamps of calls and texts. The exposed logs date back to July 2017 (call logs) and to December 2015 (SMS/MMS logs). Anyone who uses VOIPO should change their passwords as a precaution.
Massive Emails & Passwords Data Dump
Known as Collection #1, a large collection of credential stuffing lists (combinations of email addresses and passwords used to hijack accounts on other services) was discovered being distributed on a popular hacking forum. The data contained almost 2.7 billion records including 773 million unique email addresses alongside passwords those addresses had used on other breached services.
Week 3 (Jan 20-31):
Exposed Twitter Private Tweets—Android Users
Twitter has disclosed that it fixed a bug that, for more than four years, made private tweets public on the platform. Between November 3rd, 2014 and January 14, 2019, a bug in Twitter for Android caused the tweets of users who had turned on “Protect your tweets” to be made public. “Protect your tweets” is meant to make tweets visible only to a person’s followers. Twitter has notified users and turned
FaceTime Privacy Bug
A privacy bug for iPhone users allowed FaceTime users to call others in the app in a way that causes it to “answer” the call, letting the caller eavesdrop on the audio feed. Recent reporting indicates the bug impacts devices running iOS 12.1 or later. The bug has been reported to Apple, and Group FaceTime has been made temporarily unavailable as of Tuesday, January 29.