CYBER SECURITY NEWS – WEEK OF MAY 08, 2023
ChatGPT confirms data breach
- The exploit came via a vulnerability in the Redis open-source library. This allowed users to see the chat history of other active users.
- In the grand scheme of things, the ChatGPT exploit was minor, and OpenAI patched the bug within days of discovery. But even a minor cyber incident can create a lot of damage.
- However, that was only a surface-level incident. As the researchers from OpenAI dug in deeper, they discovered this same vulnerability was likely responsible for visibility into payment information for a few hours before ChatGPT was taken offline.
Millions of patients’ data confirmed stolen after Fortra mass-hack
- NationBenefits, a Florida-based technology company that offers supplementary benefits to its 20 million-plus members across the U.S., confirmed in April that hackers had stolen member data as the result of a mass ransomware attack targeting customers who used Fortra’s GoAnywhere file-transfer software.
- At the time, NationBenefits confirmed that more than 7,100 state residents had their personal information stolen in the cyberattack, but the full number of affected individuals was not known.
- Now, a listing on the U.S. Department of Health’s data breach portal confirms that more than three million NationBenefits members had data stolen in the incident, making it the third largest health data-related breach of 2023 so far.
Western Digital says hackers stole customer data in March cyberattack
- Western Digital has taken its store offline and sent customers data breach notifications after confirming that hackers stole sensitive personal information in a March cyberattack.
- The company emailed the data breach notifications late Friday afternoon, warning that customers’ data was stored in a Western Digital database stolen during the attack.
- “Based on the investigation, we recently learned that, on or around March 26, 2023, an unauthorized party obtained a copy of a Western Digital database that contained limited personal information of our online store customers,” Western Digital said.
Twitter says ‘security incident’ exposed private Circle tweets
- Twitter disclosed that a ‘security incident’ caused private tweets sent to Twitter Circles to show publicly to users outside of the Circle.
- “Twitter Circle is a way to send Tweets to select people, and share your thoughts with a smaller crowd,” reads Twitter’s description of the privacy feature.
- However, around April 7th, Twitter users began warning that tweets sent to Twitter Circles were no longer private and were being shown publicly in the timelines of people outside the Circle.
City of Dallas hit by Royal ransomware attack impacting IT services
- The City of Dallas, Texas, has suffered a Royal ransomware attack, causing it to shut down some of its IT systems to prevent the attack’s spread.
- Local media reported that the City’s police communications and IT systems were shut down Monday morning due to a suspected ransomware attack.
- This has led to 911 dispatchers having to write down received reports for officers rather than submit them via the computer-assisted dispatch system.
- The Dallas County Police Department’s website was also offline for part of the day due to the security incident but has since been restored.
WordPress custom field plugin bug exposes over 1M sites to XSS attacks
- Security researchers warn that the ‘Advanced Custom Fields’ and ‘Advanced Custom Fields Pro’ WordPress plugins, with millions of installs, are vulnerable to cross-site scripting (XSS) attacks.
- Patchstack’s researcher Rafie Muhammad discovered the high-severity reflected XSS vulnerability on May 2, 2023, which was assigned the identifier CVE-2023-30777.
- XSS bugs generally allow attackers to inject malicious scripts into websites viewed by others, resulting in the execution of that script in the visitor’s web browser.