Search This Blog

Showing posts with label Customer Data. Show all posts

Researchers Flag Serious Authentication Bypass Vulnerability After Pega Infinity Hotfix Released

 

After security researchers discovered a flaw in the Pega Infinity enterprise software platform, users are being advised to upgrade their installations. 

CVE-2021-27651 is a critical-risk vulnerability in Pega's Infinity program versions 8.2.1 to 8.5.2, according to the research team of Sam Curry, Justin Rhinehart, Brett Buerhaus, and Maik Robert. 

The proof-of-concept shows how an intruder can circumvent Pega Infinity's password reset system. Via administrator-only remote code execution, assailants could then use the reset account to “fully compromise” the Pega case. It includes modifying complex pages or templating. The researchers collaborated with the developer Pegasystems, to construct a hot patch. According to the vendor, customers running the program on-premises should check if their version is affected and apply the relevant hot patch. 

With over 2,000 users, Pega Infinity is a common enterprise software suite. Customer service and sales automation, an AI-driven ‘customer decision hub,' workforce intelligence, and a ‘no-code' development platform are all included in the kit. The Pega Infinity vulnerability was discovered as a result of the security researchers' involvement in Apple's bug bounty program. 

“We’d been hacking on Apple's bug bounty program for about six months and had spent a lot of time on software produced by Apple themselves,” UK-based hacker Sam Curry told The Daily Swig. 

“After reading a blog post from two amazing researchers, we agreed to take a different approach and target vendors [supplying technology to Apple].”Curry has written about his experiences with Apple's bug bounty program in the past. 

Burp Suite was used by the researchers to find the password reset flaw in Pega Infinity. According to Curry, this allows for a complete compromise of any Pega instance with "no prerequisite information." Justin Rhinehart also developed a Nuclei template for determining whether or not the software is running Pega Infinity. 

“Pega's customers are from every sector and at the time of reporting some of the customers included the FBI, US Air Force, Apple, American Express, and a few other huge names.” 

Curry states that Pega was able to collaborate with the researchers to patch the flaw, although they needed time for customers using Infinity on-premises to upgrade their installations. Curry mentioned that the procedure took more than three months.

Amazon Fake Reviews Scam Exposed in Data Breach

The identities of over 200,000 people who appear to be participating in Amazon fraudulent product review schemes have been exposed by an open database. 

There is an ongoing struggle between the e-commerce giant and shady traders all over the world who want to hamstring rivals and gain an advantage by creating fake product feedback. The ways in which they function and remain under Amazon's radar differ, but an open ElasticSearch server has revealed some of their inner workings. 

Researchers from Safety Detectives reported on Thursday that the server, which was open to the public and accessible online, held 7GB of data and over 13 million documents appeared to be connected to a widespread fake review scam. It is unknown who owns the server, but due to messages written in Chinese that were leaked during the incident, there are indications that the company might be based in China. 

The database includes the user names, email addresses, PayPal addresses, links to Amazon accounts, and both WhatsApp and Telegram numbers, which also included records of direct messages between consumers willing to provide false reviews and traders willing to pay them. The leak may implicate "more than 200,000 people in unethical activities," according to the team. 

The database, as well as the messages it included, exposed the strategies used by suspicious sellers. One approach involves sending a customer a connection to the goods or products for which they want 5-star ratings, and the customer then makes a purchase. After a few days, the customer leaves a positive review and sends a message to the vendor, which will result in payment via PayPal — which could be a 'refund,' while the item is kept for free. It's more difficult to spot fraudulent, paid reviews because refund payments are held off the Amazon website. 

On March 1, an open ElasticSearch server was discovered, but the owner could not be identified. On March 6, however, the leak was detected and the server was secured. 

"The server could be owned by a third-party that reaches out to potential reviewers on behalf of the vendors [or] the server could also be owned by a large company with several subsidiaries, which would explain the presence of multiple vendors," the researchers speculated. "What's clear is that whoever owns the server could be subject to punishments from consumer protection laws, and whoever is paying for these fake reviews may face sanctions for breaking Amazon's terms of service." 

Vendors are not allowed to review their own goods or receive a "cash incentive, discount, free products, or other compensation" in exchange for positive reviews, according to Amazon's spokesperson and review policy which includes third-party organizations. However, since Amazon is such a popular online marketplace, it's likely that some vendors will continue to try to take advantage of review systems in order to increase their profits. 

"We want Amazon customers to shop with confidence, trusting that the reviews they read are genuine and appropriate," a spokesperson for the company said. "We have clear policies for both reviewers and selling partners that forbid the misuse of our community features, and we suspend, ban, and taint people who break them," states the company.

Hackers Target Rogers With a New SMS Phishing Campaign

 

Rogers Communications Inc. is advising Canadians to be wary of SMS phishing scams that promise to refund consumers for a system outage that occurred earlier last week. Users were unable to use cellular voice and data networks after the network experienced a nationwide blackout a week ago. Threat actors are also sending fraudulent text messages to recipients, instructing them to click on a link to receive a rebate. 

An SMS circulated on social media falsely reports that “R0GERS WIRELESS INC.” (spelled with a zero instead of an O) is providing a $50 credit to anyone who clicks on a link provided.

Rogers Communications Inc. is a communications and publishing corporation based in Canada. With substantial additional telecommunications and mass media infrastructure, it mainly functions in the areas of cellular broadcasting, cable television, telephony, and Internet connectivity. Rogers' offices are located in Toronto and Ontario. While the business dates back to 1925, when Edward S. Rogers Sr. formed Rogers Vacuum Tube Company to market battery less radios, the current venture dates back to 1960, when Ted Rogers and a partner purchased the CHFI-FM radio station, and then became part-owners of a consortium that created the CFTO television station.

Rogers replied that it never sends credit alerts via text message and advises anyone who receives one to ignore the embedded link. Furthermore, the credit amount will vary based on the cellular plan and will not include a registration link, according to the company. 

According to Ericsson, the 16-hour wireless system blackout on April 19th was triggered by a software update that caused devices to be disconnected from the network. A message from Rogers CTO Jorge Fernandes to customers the next day said, "We have addressed the software issue and our engineering and technical teams will continue to work around the clock with the Ericsson team to restore full services for our customers." 

The links in these texts all point to websites that are hosted on an IP address rather than a domain name. It's unclear what information was phished because the pages have all been taken offline, but it's definitely Rogers customers' personal and account information. 

Rogers is aware of the scam and has advised users to "forward the content of the SMS to 7726 (SPAM), to register it for investigation/blocking from the network," according to a tweet from the company.

Hotbit Shut Down all Services After a Cyberattack

 

After an alleged cyberattack on Thursday, cryptocurrency trading site Hotbit has shut down all of its services. A note on the platform's website reads, “Hotbit just suffered a serious cyber-attack starting around 08:00 PM UTC, April 29, 2021, which led to the paralysation of a number of some basic services.”   

While the hackers were unable to obtain access to Hotbit's wallets, they were able to penetrate the platform's user database. Customers should ignore all contact from people pretending to be members of the exchange, according to the Hotbit team. Hotbit has reported that pending trading orders are cancelled to avoid damages when all regular activities are suspended during the ongoing maintenance. During the upkeep, the exchange also agreed to cover all damages incurred by exchange-traded funds listed on its website.

Before restoring servers and facilities, the exchange is looking for any evidence of computer tampering that may have contaminated any of the frequently backed up data. Due to the time required to review backup data before beginning the system restoration process, customers were advised that the investigation and recovery process could take anything from 7 to 14 days. 

The attackers have obtained access to plain text customer information (phone number, email address, and asset data) contained in Hotbit's servers, according to the company. Despite the fact that customers' passwords and 2FA keys were secured, the exchange advised consumers to update their passwords on all other web sites where they used the same credentials. 

Alex Zhou, Hotbit's chief security officer, told users on the exchange's Telegram group that customer funds were unaffected by the attack, saying: “The attacker tried to break into the wallet server to steal funds but the action was identified and blocked successfully by Hotbit risk control system. All users’ funds are safe. At the same time, Hotbit is in the process of transferring all funds in hot wallet to cold wallet, the details of the whole integration could be seen on the chain,” he said. 

Multiple token outflows from one of Hotbit's established wallets to another address that currently holds around $14 million in many altcoins, according to data from Ethereum transaction tracking platform Etherscan.

According to comments on social media and in the platform's Telegram forum, the length of time provided for the maintenance is causing considerable unrest among Hotbit users.

Furniture Retailer Vhive's Data Breach: Customer Information Leaked Online, Under Investigation

 

The officials are investigating a data breach at local furniture retailer Vhive, which resulted in customer’s personal information such as phone numbers and physical addresses being leaked online. In response to questions from The Straits Times on Saturday, April 3, police confirmed that a report had been filed on the matter.

According to the company, information compromised in the hack includes customers' names, physical and e-mail addresses, and mobile numbers, but it did not include identification numbers or financial information.

In a Facebook post on March 29, Vhive announced that its server was hacked on March 23 and that it was working with police and other relevant agencies, as well as IT forensic investigators, to investigate the breach. 

"All financial records in relation to purchases made with Vhive are held on a separate system which was not hacked," said Vhive. 

"We are truly sorry for the incident and stand ready to assist you if you require immediate help," Vhive told customers. 

According to ST's checks on Saturday afternoon, Vhive's e-mail servers were also compromised. The website only displayed a warning of the cyber attack, while the company's stores on the online shopping platforms Lazada and Shopee were open for business. 

The Altdos hacking group, which operates mainly in Southeast Asia, has claimed responsibility for the breach. In an email to affected customers on Saturday, Altdos said it had hacked into Vhive three times in nine days and claimed to have stolen information of over 300,000 customers as well as nearly 600,000 transaction records. 

The group announced that it will publish 20,000 customer records daily until its demands to Vhive’s management are met. In its Facebook statement, Vhive said it would be closely guided by the forensic investigator and authorities on the steps to protect its systems and ensure that customers can conduct transactions securely. 

In previous hacking incidents, Altdos has stolen customer data from companies, blackmailed the compromised company, leaked the data online if its requirements were not met, and publicized the violations. The cyberattacks were mainly focused on stock exchanges and financial institutions. 

In January, Altdos claimed to have broken into the IT infrastructure of the Bangladeshi conglomerate Beximco Group and stole data from 34 of its databases. 

Last December, it hacked a Thai securities trading firm and posted stolen data online when the firm allegedly failed to confirm her emails and claims.

Nefilim Ransomware Evolving Rapidly: Top Targets at a Glance


Ransomware has continually expanded both in terms of threat and reach as threat actors continue to devise fresh methods of introducing new ransomware variants and malware families. One such newly emerged ransomware that was first identified at the end of February 2020, Nefilim, threatens to release victims’ encrypted data if they are unable to pay the ransom. With a striking code resemblance to that of Nemty 2.5 revenge ransomware, Nefilim is most likely to be distributed via exposed Remote Desktop Protocol, according to Vitali Kremez, an ethical hacker at SentinelLabs.

Earlier this month, researchers from threat intelligence firm Cyble, discovered a post by the authors of Nefilim ransomware, claiming to have hacked The SPIE Group, an independent European market leader for technical services in the fields of energy. As per the claims made by the operators in the post, they are in the possession of around 11.5 GB of company’s sensitive data that include corporate operational documents- company’s telecom services contracts, dissolution legal documents, infrastructure group reconstruction contacts and a lot more.

Since April 2020, Nefilim has targeted multiple organizations around the globe, narrowing down on the regions- South Asia, South America, Oceania, North America, and Western Europe. Going by the count of attacks disclosed publicly, manufacturing comes on top as the most preferential and hence the most targeted industries by the operators of Nefilim ransomware; Mas Holdings, Fisher & Paykel, Aban Offshore Limited, Stadler Rail were some of the major targets. Other industries infiltrated by Nefilim are communication and transportation; Orange S.A. and Toll Group, Arteris SA being some of the top targets respectively. One important thing to notice here is that the ransomware has spared the healthcare and education sector entirely as of now, interestingly, no organization from the two aforementioned sectors has been targeted.

Nefilim uses a number of ways including P2P file sharing, Free software, Spam email, Torrent websites, and Malicious websites, to infiltrate organizations’ IT systems. Designed specially to penetrate Windows PCs, Nefilim actively abuses Remote Desktop Protocol and uses it as its primary attack vector to infiltrate organizations. It employs a combination of two distinct algorithms AES-128 and RSA-2048 to encrypt the target’s data that is later leaked on their websites known as Corporate Leaks- when victims’ fail to pay the ransom.

Users are advised to stay wary of exposed ports and security departments shall ensure closing off unused ports, experts have also recommended to ‘limit login attempts’ for Remote Desktop protocol network admin access from settings to stay guarded.

'ShinyHunters', a Hacker Group Selling Databases of 10 Organization on the Dark Web for $18,000


A group of hackers has put the user databases of 10 companies for sale on the dark web, a part of the internet world that requires specialized software to be accessed, it isn't normally visible to search engines. 

The group that is selling more than 73.2 million user records goes by the name of 'Shinyhunters' and was reportedly behind the breach of Indonesia's biggest online store, Tokopedia. Notably, it's the success of Tokopedia's breach that has encouraged the hackers to steal and sell data from various organizations including Zoosk (online dating app, 30 million records), Minted (online marketplace, 5 million records), Chatbooks (Printing service, 15 million records), Mindful (Health magazine, 2 million records), Bhinneka (Indonesia online store, 1.2 million records), Home Chef (Food delivery service, 8 million records) and others. The samples of the aforementioned stolen records have been shared by the hackers; security experts have verified the same to confirm the authenticity of most of the databases that are being sold separately by the hackers for almost $18,000. However, the legitimacy of some of the enlisted user records is yet to be proved. Despite the ambiguity and confusion, ShinyHunters seems to be a well-founded threat actor as per community sources. 

In the last week's breach targeting Tokopedia, initially, hackers published 15 million user records for free, however, later on, the organization's full database containing around 91 million records was put on sale for $5,000. 

Allegedly the hacker group has also been involved in the data breach of a very popular Facebook-funded education initiative, Unacademy, the breach affected a total of 22 million user records. 

Reports indicate that the data posted by hackers contain authentic databases that could lead to serious concerns for all the affected organizations, although there are limited insights available about ShinyHunters, the modus-operandi of the hacker group resembles that of Gnosticplayers, a computing hacking group that made headlines for selling stolen data of the dark web with its latest victim being Zynga Inc, a mobile social game company.

1.1 Million Customers Records of SCUF Gaming Exposed Online


The database of more than 1 million customers was exposed online by 'SCUF Gaming', a subsidiary of Corsair that develops high-end gamepads for Xbox, PS4, and PC. The incident led to the exposure of clients' names, payment info, contact info, repair tickets, order histories, and other sensitive information. Other data belonging to the company's staff and internal API keys were also compromised as a result.

The data was left unprotected for two days before being discovered by the security researcher, Bob Diachenko who reported the same to Scuf Gaming. The team led by the researcher found the data on the web without any password protection or authentication.

The database was taken down by the company in less than two hours of being notified. Meanwhile, bot crawlers got enough time to locate the exposed database and a ransom note was found demanding 0.3 BTC from the company. The note says that the data had been downloaded by the cybercriminals, however, no such action is being detected by the systems. "Your Database is downloaded and backed up on our secured servers. To recover your lost data, Send 0.3 BTC to our BitCoin Address and Contact us by eMail.” The note read.

Experts are of the belief that the involved criminals did not get enough time to delete or encrypt the data present in the database, hence, it's unlikely that they would have been able to download it either. However, SCUF clients and staff could face a risk of phishing attacks, identity theft, and fraud by the cybercriminals who might have downloaded some pieces of
the leaked database.

In a conversation with Comparitech, a spokesperson for Corsair, parent company to SCUF gaming told, “…Once notified, we identified the root cause of this exposure and secured the database within two hours. While investigating Mr. Diachenko’s warning, we also discovered that a bot had connected to the database’s server and placed a ransom note there. We have no evidence that either the bot or any other actor was able to misappropriate customer data.

This issue was specific to one system, being operated off-site due to work-from-home precautions resulting from the current COVID-19 pandemic.”

To stay on a safer side, SCUF Gaming customers are advised to keep an eye for any suspicious activity in regard to their bank accounts as scammers who were to able gather whatever bits of information they could, are likely to attempt targeted phishing attacks.

Financial and Customer Info being Exposed in Slickwraps Data Breach


Slickwraps, a mobile device case retailer that specializes in designing and assembling the most precision-fitted phone cases in the world has suffered a major data breach that exposed the personal information of employees including their API credentials, resumes and much more.



In January 2020, a security researcher named Lynx attempted to gain access to Slickwraps's systems, he acquired full access to the company's website employing a path traversal vulnerability present in a script which is used by them for customizing cases.

After exploiting the vulnerability, Lynx sent emails stating the same to the company and upon receiving no response to those emails, he decided to make public disclosure of the vulnerability and how he exploited it to acquire access to the systems and the data that was compromised.

While giving insights of the incident, Lynx told that it allowed them to acquire access to 9GB of personal customer data that included employee resumes, customers' pictures, API credentials, ZenDesk ticketing system along with more sensitive data such as hashed passwords, transactions, and contact-related information.

As per the reports, multiple attempts made by Lynx to report the data breaches to Slickwraps were blocked by the company. Even though Lynx made it clear that they don't want any bounty and are just trying to get Slickwraps to publicly disclose the breach.

In a post made by Lynx on Medium, he stated, "They had no interest in accepting security advice from me. They simply blocked and ignored me."

While accepting the shortcomings of the company in terms of user security, Jonathan Endicott, Slickwraps CEO, apologized for the data breach and said, "There is nothing we value higher than trust from our users. In fact, our entire business model is dependent on building long-term trust with customers that keep coming back."

"We are reaching out to you because we've made a mistake in violation of that trust. On February 21st, we discovered information in some of our production databases was mistakenly made public via an exploit. During this time, the databases were accessed by an unauthorized party."

"Upon finding out about the public user data, we took immediate action to secure it by closing any database in question. As an additional security measure, we recommend that you reset your Slickwraps account password. Again, no passwords were compromised, but we recommend this as a standard safety measure. Finally, please be watchful for any phishing attempts."

"We are deeply sorry about this oversight. We promise to learn from this mistake and will make improvements going forward. This will include enhancing our security processes, improving the communication of security guidelines to all Slickwraps employees, and making more of our user-requested security features our top priority in the coming months. We are also partnering with a third-party cybersecurity firm to audit and improve our security protocols."

"More details will follow and we appreciate your patience during this process." the statement further read.

SoPo Nonprofit Told, Unknown Number of Clients Affected by Data Breach


A South Australian company, PSL Services, also known as Peregrine Corporation involved in the operation of service stations, convenience retail outlets and tobacconists recently disclosed a data breach to Mainebiz.

The company administered from its head office in Kensington Park, South Australia told that personal data of its employees including their names, email accounts, some medical information along with other sensitive information may have been accessed illegally between December 16 and December 19, 2019. Other information accessed without authorization includes address, DOB, Driving License Number, Social Security Number and Identifying Numbers of clients for participation in Mainecare.

There have been no speculations made by the corporation as to who is behind the public breach of its confidential data, however, the officials told in an email that there are chances that the criminal behind the incident was trying to force the agency in sending funds electronically which they did not.

Post-incident, the company was subjected to back to back investigations and it refused to specify the number of employees being affected. PSL did not provide other details regarding the incident such as whether the individuals were clients, employees, family members or others. As per some news releases, PSL came to know about the breach on 17th December after some suspicious activity was observed in an employee's email account, it immediately reported the same to its information services department.

The corporation told that it had “notified the Office of Civil Rights at U.S. Department of Health and Human Services, the Maine Attorney General, and prominent news media outlets throughout the state of Maine."

Referencing from the statements given by Lori Sanville, executive director, “The contents of a small number of email accounts were exposed,”

“The number is unknown until the data mining is completed. We will then contact anyone affected.”

In regard of the same incident, PSL also contracted with a cybersecurity vendor to further investigate the matter and come up with security measures, as per Sanville. In addition, she told Mainebiz, “We want our clients and the community to know that we take this matter very seriously and that we remain committed to assisting our clients first and foremost."

Banking customers are tricked by SCA checks

Online scammers are using changes to European banking rules around customer authentication to trick consumers into handing over their sensitive financial details, according to Which?

The consumer rights group warned that attackers are spoofing the emails being sent from banks, payment firms and e-commerce providers asking for up-to-date info, as part of new Strong Customer Authentication (SCA) requirements.

Firms across the EU are gearing up for the changes, part of PSD2, which will require a form of two-factor authentication on any online transactions over €30, although some exceptions apply.

Ironically, payments providers and e-commerce firms in the UK have been given a further 18 months to comply with the new rules, originally set for a September 14 deadline.

Yet that hasn’t stopped the scammers: Which? claimed it has already spotted phishing emails imitating emails from Santander, Royal Bank of Scotland (RBS) and HSBC.

Urging the recipient to update their banking information ahead of “new procedures,” they include links designed to take the victim to a legitimate-looking page designed to harvest banking details.

Which? argued that in many cases, legitimate brands are making it harder for consumers to spot phishing emails, by including links in their own emails, and by using multiple unusual domains for various landing pages.

The group claimed that 78% of its members think banks and other financial firms should never include links in emails, to make phishing attempts easier to spot.

Tripwire VP, Tim Erlin, agreed, arguing that companies can’t simultaneously tell customers not to follow links in emails but then continue to send them emails urging them to click through.

“As long as banks send legitimate emails as a means of communicating with customers, scammers will attempt the same with fake emails,” he added.

“Email as implemented today is a terrible system for conducting business. While attempts have been made to improve the technology, none of them have taken hold.”

10,000 Clients Affected in Aegon Life Insurance Data Leak


Around 10,000 customers of Aegon Life Insurance, a joint venture between the Netherlands-based Aegon and India's Times Group, fall prey to a data leak which was caused through website's support channels, which clients used to communicate with the insurer regarding their grievances.

Reportedly, the data compromised included all the details ranging from the very basic demographic ones like name, gender, age to more specific ones such as health policy problems and annual income. It occurred due to a security vulnerability in the company's website.

Renie Ravin, Indian web developer and co-founder of the independent blogging platform, 'IndiBlogger', discovered the vulnerability which led to the data leak and reported it to the company in July 2019.

However, there is no evidence of the exposed data being illegally accessed or misused.

Referencing from the statements given by the company, "Aegon Life Insurance, India announces that a vulnerability on their website exposed information of some Indian customers who had used web forms to get in touch with Aegon Life."

"Aegon Life immediately fixed the vulnerability and have since informed all customers of this exposure. Aegon Life estimates that up to 10,000 customers were possibly affected."

"We will initiate an outreach program in the coming days to offer guidance to affected customers and to let them know what information was exposed. At Aegon Life, data security and customer privacy are of utmost importance and we will continue to be transparent with customers as we investigate further," the company added.









Capital One Data Breach, Hacker gets Access to 100 Million Accounts


A massive data breach to Capital One servers compromised the personal details of an estimated 106 million bank customers and applicants across Canada and the US.

The suspected hacker, Paige Thompson, 33, has been arrested by FBI on Monday. She has shared details about the data breach on a GitHub page earlier in April, according to the criminal complaints.

Thompson broke into a Capital One server and illegally acquired access to customers' names, addresses, credit limit, contact numbers, balances, credit score, and other related data.

According to the documents, the 33-year-old, Seattle resident gained access to 80,000 bank account numbers, 1 million Canadian Social Insurance numbers, and 140,000 Social Security numbers.

Thompson who had previously worked with Amazon Web Services as a software engineer was able to access the data by exploiting a misconfigured web application firewall in company's infrastructure, as per a court filing.

Despite the magnitude of the breach, "no credit card account numbers or log-in credentials were compromised and over 99% of Social Security numbers were not compromised," the company told.

Expressing concern over the matter, Chairman Richard Fairbank, said, "While I am grateful that he perpetrator has been aught, I am deeply sorry for what has happened.

"I sincerely apologize for the understandable worry this incident must be causing those affected and I am committed to making it right," he assured.

Meanwhile, the company is notifying the victims and aiding them with identity protection and free credit monitoring.



One Plus found leaking user data

Chinese smartphone brand OnePlus has been reportedly leaking data of OnePlus phone users for years. According to a report by 9to5 Google, OnePlus has been ‘unknowingly’ leaking crucial personal information of its users publicly for quite a considerable amount of time and it is only when the major security flaw was pointed out to the company recently that it has started to investigate. Here is everything you must know about this breach in privacy.
According to the report, OnePlus has been leaking names and email addresses of hundreds of its users, through the ‘Shot on OnePlus’ application that allegedly carries a security flaw. The app offers you a place to upload photos taken by your OnePlus device to be featured as wallpapers by OnePlus users globally.
As the name suggests, ‘Shot on OnePlus’ allows users to upload their photos from the phone or from a website (for which they need to be logged in to the OnePlus account) and set user-submitted photos as their wallpaper. Users can also adjust their profile, including their name, country, and email address from the app and the website. OnePlus chooses one photo every day to feature in the app and on the website. According to 9to5Google, the API OnePlus used to make a link between their server and the app was “fairly easy to access” despite carrying private information about users. It said anyone with an access token could “do most actions” with the API. An API, or Application Programming Interface, is a software intermediary that allows two applications to talk to each other.

9to5Google said it discovered the “somewhat major” vulnerability in the API OnePlus uses for the app a couple of months ago, and that the company had already fixed it. It said it was unclear for how long users’ data had been leaking in this way, but believed it had been happening since the launch of the ‘Shot on OnePlus’ app many years ago.

The leak was reported taking place because of a flaw which was communicated to the company in early May but hasn’t been completely patched despite a fix being rolled out.

Malware Attack Compromises Titan’s System and Steals Customer Data


Titan Manufacturing and Distribution  Inc. and its computer framework was reported to be compromised by a malware that too for about a year around from November 23, 2017 until October 25, 2018 as per an IT security expert.

Given the fact that the company expressed that it doesn't store customer data, the malware installed in the company's framework could have gained access to the users' shopping cart including their data, for example, the users' full names, billing addresses, contact numbers, payment card details, like the card numbers, termination dates, as well as verification codes.

After finding out about the episode, Titan advised its customers about the occurrence and unveiled in a notice for the customers who have had purchased products from its online stores between November 23, 2017 and October 25, 2018, that they might have been influenced by the said incident.

 “Titan Manufacturing and Distributing, Inc. (“Titan”) values your business and recognizes the importance of the security of your information. For these reasons, we are writing to let you know, as a precautionary measure, that Titan has been the victim of a data security incident that may involve your information,” the notice read.

Titan is now working intimately with a 'third-party' IT security expert so as to research and investigate the incident carefully and is all set to provide one-year complimentary identity theft protection for all conceivably influenced customers.

By finding a way to upgrade their security framework and moving its computer framework to another server, deleting and resetting all authoritative login credentials the company has additionally asked for its users to remain cautious by frequently monitoring their financial records for any suspicious exercises and take immediate measures by reporting them.