Try it
Schedule a Demo
4 1

SecureFact – Cyber Security News – Week of December 30, 2024

Hackers steal ZAGG customers’ credit cards in third-party breach

  • Hackers have compromised ZAGG Inc.’s customer credit card information through a breach of the FreshClicks app, a third-party application linked to its e-commerce provider, BigCommerce.
  • The attack occurred between October 26 and November 7, 2024, during which malicious code was injected into the app, allowing the theft of sensitive data including names, addresses, and payment card details.
  • ZAGG, known for its consumer electronics accessories, has taken steps to address the breach by notifying affected customers and offering a 12-month free credit monitoring service through Experian.
  • They have also alerted federal law enforcement and regulatory bodies about the incident.

*Source

Customer data from 800,000 electric cars and owners exposed online

  • Volkswagen’s software subsidiary, Cariad, has exposed sensitive data from approximately 800,000 electric vehicles due to misconfigurations in its cloud storage.
  • This breach, which was discovered by the Chaos Computer Club (CCC), allowed access to terabytes of customer information, including precise geo-location data for around 460,000 cars, with some locations accurate to within ten centimeters.
  • The exposed data includes details from VW, Audi, Seat, and Skoda models and could potentially link to drivers’ identities.
  • Most affected vehicles are located in Germany, but data from several other European countries was also compromised.
  • Following responsible disclosure by the CCC on November 26, Cariad quickly secured the data to prevent further access.
  • While the company asserts that no evidence suggests misuse of the data by unauthorized parties, the incident highlights significant vulnerabilities in automotive data security and raises concerns about privacy and potential tracking of vehicle owners.

*Source

Iranian Hackers Breach Israeli Company: Data Leaked, Infrastructure Wiped Out

  • Iranian hackers have successfully breached an Israeli company, leading to significant data leaks and the destruction of critical infrastructure.
  • The attack targeted a firm involved in providing services to various sectors, and it resulted in the exposure of sensitive information, including personal data and operational details.
  • The hackers reportedly utilized sophisticated techniques to infiltrate the company’s systems, which allowed them to wipe out essential infrastructure components.
  • This incident is part of an ongoing trend of cyber warfare between Iran and Israel, with both nations frequently targeting each other’s critical infrastructure and private entities.
  • The breach highlights vulnerabilities within cybersecurity frameworks and raises concerns about the implications for national security and public safety in Israel.

*Source

More than 910,000 patients at risk after ConnectOnCall health data breach

  • A data breach at ConnectOnCall, a telehealth platform owned by Phreesia, has compromised the personal and medical information of over 910,000 patients.
  • The breach occurred between February 16 and May 12, 2024, when an unknown hacker accessed the platform and extracted sensitive data from provider-patient communications.
  • The exposed information includes names, phone numbers, medical record numbers, dates of birth, health conditions, treatments, and in some cases, Social Security numbers.
  • Following the discovery of the breach on May 12, Phreesia took immediate action to secure the platform and reported the incident to federal authorities.
  • Phreesia has since taken ConnectOnCall offline while enhancing its security measures. Affected individuals have been notified via mail, and those whose Social Security numbers were compromised are being offered identity and credit monitoring services.

*Source

Postman Data Leak – 30,000 Publicly Accessible Workspaces Could Lead Massive Hack

  • A data leak involving Postman has exposed approximately 30,000 publicly accessible workspaces, raising concerns about potential security vulnerabilities.
  • The leak was identified by security researchers who found that sensitive information, including API keys, database credentials, and other confidential data, was accessible without proper authentication.
  • This situation poses a significant risk, as malicious actors could exploit the exposed information to launch attacks against organizations using these workspaces.
  • Postman has been alerted to the issue and is working on measures to enhance security and prevent unauthorized access.
  • The incident highlights the importance of securing development environments and ensuring that sensitive data is not inadvertently shared or left exposed in public repositories.

*Source

Duke Energy announces data breach that could effect some of the 8M customers

  • Duke Energy has recently reported a significant data breach that occurred in May 2024, affecting approximately 370,000 individuals.
  • The breach involved unauthorized access by a third party to the company’s IT network, compromising sensitive customer information.
  • This includes utility account numbers, names, email addresses, mailing addresses, dates of birth, phone numbers, and partial Social Security numbers for residential customers, as well as partial federal tax IDs for businesses.
  • The company has initiated an investigation into the incident and is cooperating with legal firms to assess potential claims for compensation from affected customers.
  • Duke Energy has also offered free credit monitoring and identity theft protection services to those whose information may have been unlawfully accessed.

*Source