Secret CISO 4/8: Massive Data Breaches at boAt and DOST, US Lawmakers Strike Data Privacy Deal, AI Vulnerability to Viruses Revealed
Good morning, Secret CISO readers! Today's newsletter is packed with critical updates from the world of cybersecurity. We start with a significant geopolitical move as a senior Australian lawmaker broaches the topic of security cooperation with Taiwan. This development could have far-reaching implications for the region's security landscape. Next, we dive into a massive data breach that has hit boAt, a popular Indian audio products and smartwatch maker. Over 7.5 million customers' personal information has been leaked, putting them at risk of identity theft, financial fraud, and phishing attacks. In another data breach incident, the personal data of some DOST employees has been compromised, prompting an on-site investigation by the National Privacy Commission. Meanwhile, US lawmakers have struck a deal on data privacy legislation, potentially resolving an investigation into TikTok's alleged faulty privacy and data security practices. We also cover a story about Home Depot, where a small amount of employee data was compromised through a third-party data breach. Lastly, we delve into the world of AI with a story about Big Tech's race to buy AI training data and how it impacts security. Stay tuned for more updates and insights from the cybersecurity world. Stay safe and secure!
Data Breaches
- BoAt Data Breach: A significant data breach has occurred, affecting over 7.5 million customers of boAt, a popular Indian audio products and smartwatch maker. The breach was reportedly carried out by a hacker named 'ShopifyGUY', who claims to have dumped more than 2GB of customer data. The leaked personal information poses a severe risk to the affected customers, potentially exposing them to identity theft, financial fraud, and phishing attacks. Source: BW Disrupt, News18, The Mobile Indian
- DOST Data Breach: The National Privacy Commission (NPC) has reported a data breach at the Department of Science and Technology (DOST), compromising the personal data of some employees. Preliminary assessments indicate that personal information such as names, gender, civil status, and addresses has potentially been exposed. An on-site investigation is currently underway. Source: Manila Bulletin, Rappler
- Home Depot Employee Data Breach: Home Depot has confirmed that a small amount of its employee data was compromised through a breach at a third party. The retail giant has formally acknowledged the breach but has not disclosed further details about its extent or the specific data involved. Source: Tech Times
- Coffee Meets Bagel Data Breach: Dating app Coffee Meets Bagel reported a massive data breach affecting approximately six million users. The news of the hack was revealed on Valentine's Day, although the exact details of the breach and the type of data compromised have not been disclosed. Source: AOL
- Cyberport Data Breach: A massive data breach has occurred at Cyberport, a government-funded hi-tech hub in Hong Kong. The breach has exposed the private information of more than 13,000 individuals. In response to the breach, Cyberport has promised to improve its security measures. Source: South China Morning Post
Security Research
- State of Digital Privacy in the U.S.: A study reveals that 69% of U.S. adults feel overwhelmed by the number of passwords they have, and 27% have had their personal data misused in the past year. This highlights the need for more robust digital privacy measures. Source: U.S. News
- Over 92,000 old D-Link NAS devices are open to a high severity flaw: Security researcher Netsecfish found that these devices are vulnerable to attack, and because the hardware is old and out of support, no patch is available. The practical response is to retire the affected units or at least keep them off the internet. This highlights the risks of using outdated hardware. Source: IT Pro
- Near-Miss Cyberattack Put US Officials and Tech Industry on Edge: A potentially devastating cyberattack was narrowly avoided, according to security researcher Satnam Narang. This incident underscores the ongoing threat of cyberattacks. Source: Insurance Journal
- Kidnappings in Chad could spark a regional security crisis: Research by the Institute for Security Studies (ISS) indicates a rise in kidnappings in Chad, which could lead to a regional security crisis. This highlights the importance of addressing security issues at a regional level. Source: ISS Africa
- Cybercriminals Targeting Latin America with Sophisticated Phishing Scheme: Security researchers have discovered a sophisticated phishing scheme targeting Latin America, demonstrating the ease with which malware can be installed under the guise of popular software downloads. Source: The Hacker News
Top CVEs
- CVE-2024-1958: The wpb-show-core WordPress plugin before 2.7 has a Reflected Cross-Site Scripting vulnerability due to unsanitized parameters. As with any reflected XSS, the attacker does not need an account: an unauthenticated attacker crafts the request, and the script runs when a high privilege user such as an admin opens it. Source: vulners.com
- CVE-2024-1588: The SendPress Newsletters WordPress plugin through 1.23.11.6 has a Stored Cross-Site Scripting vulnerability. High privilege users such as admin could exploit this even when the unfiltered_html capability is disallowed. Source: vulners.com
- CVE-2024-1589: Similar to CVE-2024-1588, the SendPress Newsletters WordPress plugin through 1.23.11.6 has a Stored Cross-Site Scripting vulnerability that could be exploited by high privilege users. Source: vulners.com
- CVE-2024-1292: The wpb-show-core WordPress plugin before 2.6 has a Reflected Cross-Site Scripting vulnerability due to unsanitized parameters. High privilege users could potentially exploit this. Source: vulners.com
- CVE-2024-1956: The wpb-show-core WordPress plugin before 2.7 has a Reflected Cross-Site Scripting vulnerability. This could be exploited through an unauthenticated request. Source: vulners.com
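The two WordPress XSS patterns in the CVEs above (a reflected parameter echoed back unescaped, and a plugin setting that a high privilege user can store and have rendered as-is even when unfiltered_html is disallowed) are shown below, each beside a hardened form. This is an added example, not code from the wpb-show-core or SendPress plugins; the option name, parameter names, nonce action and function names are hypothetical.

```php
<?php
// Added example, not from the plugins in the advisories above.
// Option name, parameter names, nonce action and function names are hypothetical.

// 1. Reflected XSS: a request parameter written back into the page unescaped.
//    No login is needed to craft the URL; the payload runs in the browser of
//    whichever admin opens it, with that admin's session.
function demo_search_box_vulnerable() {
    $q = isset( $_GET['q'] ) ? wp_unslash( $_GET['q'] ) : '';
    echo '<input type="text" name="q" value="' . $q . '">';  // "><script>...</script> breaks out
}

function demo_search_box_fixed() {
    // Sanitise on input, then escape for the exact output context (an HTML attribute).
    $q = isset( $_GET['q'] ) ? sanitize_text_field( wp_unslash( $_GET['q'] ) ) : '';
    echo '<input type="text" name="q" value="' . esc_attr( $q ) . '">';
}

// 2. Stored XSS by a high privilege user. Core's kses filtering is applied to
//    post content on save; it is not applied to values a plugin stores itself
//    with update_option(). So denying the unfiltered_html capability (the
//    default for site admins on multisite) does nothing for this path unless
//    the plugin sanitises on save or escapes on output.
function demo_footer_save_vulnerable() {
    update_option( 'demo_footer_html', wp_unslash( $_POST['footer_html'] ) );  // stored as-is
}

function demo_footer_render_vulnerable() {
    echo get_option( 'demo_footer_html' );  // rendered as-is on every page
}

function demo_footer_save_fixed() {
    // Authorisation and CSRF checks first; an admin form is still an attack surface.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges' );
    }
    check_admin_referer( 'demo_footer_save' );

    $raw = isset( $_POST['footer_html'] ) ? wp_unslash( $_POST['footer_html'] ) : '';
    // Honour the capability the site operator configured: users without
    // unfiltered_html only get the post-safe allowlist (no <script>, no on*
    // handlers, no javascript: URLs).
    $clean = current_user_can( 'unfiltered_html' ) ? $raw : wp_kses_post( $raw );
    update_option( 'demo_footer_html', $clean );
}

function demo_footer_render_fixed() {
    // Filter on output as well, so a value written by older, unfiltered code
    // or by another plugin cannot inject script either.
    echo wp_kses_post( get_option( 'demo_footer_html' ) );
}
```

The fixed save path checks the capability at write time rather than trusting the role: the SendPress entries above are precisely the case where an admin without unfiltered_html could still store script, so the plugin must enforce the allowlist itself. The render path filters again because stored data may predate the fix.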
Final Words
And that's a wrap for today's edition of Secret CISO. From the sensitive subject of security cooperation in Taiwan to the massive data breach affecting boAt users, it's clear that the world of cybersecurity is as dynamic and unpredictable as ever. Remember, in this digital age, staying informed is your first line of defense. So, don't keep this valuable information to yourself. Share this newsletter with your friends and colleagues to help them stay one step ahead of the cyber threats lurking in the shadows. Until next time, stay safe, stay vigilant, and keep the secrets of the CISO close to your chest.