Hacks of the Month — March
These are the hacks, data breaches, and exposed flaws from last month: a short rundown of what you might have missed regarding exposed consumer personal data.
Week 1 (March 1-9):
LinkedIn job posting phishing scams
A new warning to users seeking employment on LinkedIn: if you receive a DM on LinkedIn, you should be wary. This attack manipulates people into accepting message invitations, and from there the hacker can send malicious documents waiting to be opened and downloaded. Staff should be trained to be wary of clicking links and opening attachments. Don’t have employees or LinkedIn users accept direct mail requests.
Hackable Smart Alarm Systems
Two smart alarm systems for cars were found to have hackable security flaws in their third-party apps. Millions of car owners were left at risk of having their cars stolen. Pandora and Viper are the two car alarms, with over 300 million registered cars. The two companies acknowledged the bugs and patched them within days of receiving alerts from the white hats.
Facebook Messenger Security Bug
Mark Zuckerberg shared a “privacy-focused vision” for Facebook, WhatsApp, and Instagram after yet another privacy flaw in Facebook Messenger was found. If you remember, back in 2016 it was discovered that security flaws in Facebook Messenger allowed other parties to potentially intercept and even modify your messages. Now Imperva’s Ron Masas, who in the past identified a Facebook bug that allowed unauthorized websites to view users’ location, likes, and interests, has discovered this new flaw in the web version of Facebook Messenger. The flaw doesn’t allow messages to be viewed, but it can be used to see who you are messaging with. Facebook made a statement pointing out that the flaw on its Messenger website was not “Facebook-specific.”
Week 2 (March 10-16):
Email Marketing Firm Exposed
Over 2 billion email records were exposed on an unsecured server by Verifications.io, an email address validation service for enterprises.
The compromised data includes dates of birth, email addresses, employers, genders, geographic locations, IP addresses, job titles, names, phone numbers, and physical addresses.
College Housing Applications Data Breach
Hackers gained access to three colleges through Slate, a system used for student housing applications. The three colleges affected by the breach are Oberlin College in Ohio, Grinnell College in Iowa, and Hamilton College in New York. After breaking into the system, the hackers promised prospective students access to their files for a price: one Bitcoin. No other universities were affected by the breach, the company said. All three colleges advised prospective students not to pay the attackers. Victims may have had their name, address, birthday, email, and other admissions data compromised.
Week 3 (March 17-23):
MySpace Data Deleted Forever
Social network Myspace announced in a message posted on its website that it lost 13 years’ worth of user files after a server migration. The announcement came after users posted on Reddit that they could not download or transfer music. The company admits that over 15 billion user photos and 53 million hosted songs are now gone. Unfortunately, this is how it can go with any cloud storage, where you store your stuff on other people’s computers and servers. We recommend keeping your own backups of the stuff you really care about.
Hacker puts 26 million user accounts up on Dark Web
A Pakistani hacker who in the past sold millions of online accounts on the dark web has re-emerged with data from another six websites. The stolen user accounts have been put up for sale on the dark web. The websites include Youthmanual, GameSalad, Bukalapak, Lifebear, EstanteVirtual, and Coubic. If you’re a user of the websites listed above, or of the websites disclosed previously, you should consider changing your passwords and check whether you reuse the same password.
Week 4 (March 24-31):
Family Locator app Exposed
A security researcher found a flaw in an app called Family Locator by ReactApps. The app, used to track the whereabouts of loved ones, left its backend database exposed. This made the data accessible to anyone searching for a way into the systems. The data of over 230,000 users was exposed, including users’ names, plain-text passwords, location history, and email addresses. The app has been offline on all device app stores.