Logins and passwords of users of the Russian online store Ozon leaked to the Internet


The database including more than 450 thousand e-mail addresses and user passwords from accounts of the Russian online store Ozon was found on one of the sites that collect data leaks.

According to journalists, the leak occurred six months ago, but the company did not declare it. The found database combines two other bases, the originals of which were found on one of the hacker forums in November 2018.

As it turned out, a massive data leak could occur in three cases: data theft by an Ozon employee, an attack by a hacker who got inside the organization, or an incorrectly configured external server that opened unauthorized access to the database to anyone.

It is interesting to note that in 450 thousand of published logins and passwords, the number of data belonging to users of the company does not exceed a few percents.

"At the same time, most of the discovered accounts are inactive, that is, they have not been used for a long time," the company said.

Ozon explained that after the leak became known, compromised passwords were reset, and users were notified of the incident.

The official representative of Roskomnadzor (The Federal Service for Supervision of Communications, Information Technology and Mass Media) Vadim Ampelonsky said that Roskomnadzor intends to obtain explanations from the online store Ozon due to the leakage of user data.

Ampelonsky noted that Roskomnadzor is concerned about the actions of Ozon under the circumstances, as the online store did not notify in a timely manner about this situation, which threatened the safety of customers.

According to the official representative of Roskomnadzor, the e-mail address and password not only allows access to the user's account, but also allows to collect personal information and to act on his behalf.

The press Secretary of Roskomnadzor said that at the moment Russian laws do not oblige to notify the Supervisory authority about leaks, but now the relevant regulatory documents are being developed.

British Airways fined £183m for data leak





The UK's data privacy authority has announced that they have slammed  British Airways with a fine of £183m for failing to protect its customers' data.

The Information Commissioner's Office (ICO) said that this is the first time that they had handed out such a huge penalty, and had to made it public under new rules.

Information Commissioner Elizabeth Denham said: "People's personal data is just that - personal. When an organisation fails to protect it from loss, damage or theft, it is more than an inconvenience.

"That's why the law is clear - when you are entrusted with personal data, you must look after it. Those that don't will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights."

The ICO blamed the incident on "poor security" at British Airways as its website was diverted to a fraudulent site. Through this pseudo site, the personal details of more than 500,000 customers were retrieved. 

Alex Cruz, British Airways chairman and chief executive, said: "We are surprised and disappointed in this initial finding from the ICO. British Airways responded quickly to a criminal act to steal customers' data. We have found no evidence of fraud/fraudulent activity on accounts linked to the theft. We apologize to our customers for any inconvenience this event caused."


British Airways has said  that they will appeal  against the penalty. 

One Plus found leaking user data

Chinese smartphone brand OnePlus has been reportedly leaking data of OnePlus phone users for years. According to a report by 9to5 Google, OnePlus has been ‘unknowingly’ leaking crucial personal information of its users publicly for quite a considerable amount of time and it is only when the major security flaw was pointed out to the company recently that it has started to investigate. Here is everything you must know about this breach in privacy.
According to the report, OnePlus has been leaking names and email addresses of hundreds of its users, through the ‘Shot on OnePlus’ application that allegedly carries a security flaw. The app offers you a place to upload photos taken by your OnePlus device to be featured as wallpapers by OnePlus users globally.
As the name suggests, ‘Shot on OnePlus’ allows users to upload their photos from the phone or from a website (for which they need to be logged in to the OnePlus account) and set user-submitted photos as their wallpaper. Users can also adjust their profile, including their name, country, and email address from the app and the website. OnePlus chooses one photo every day to feature in the app and on the website. According to 9to5Google, the API OnePlus used to make a link between their server and the app was “fairly easy to access” despite carrying private information about users. It said anyone with an access token could “do most actions” with the API. An API, or Application Programming Interface, is a software intermediary that allows two applications to talk to each other.

9to5Google said it discovered the “somewhat major” vulnerability in the API OnePlus uses for the app a couple of months ago, and that the company had already fixed it. It said it was unclear for how long users’ data had been leaking in this way, but believed it had been happening since the launch of the ‘Shot on OnePlus’ app many years ago.

The leak was reported taking place because of a flaw which was communicated to the company in early May but hasn’t been completely patched despite a fix being rolled out.

Unprotected database exposes data of 80 million US households




Security researchers have uncovered a security breach that exposes the data of more than half of United States households. 

Experts working with a firm named vpnMentor, that expertises in analyzing virtual private network services, discovered a database containing details of about 80 million American households. 

The database was hosted on a Microsoft cloud server, that includes some sensitive information like names, addresses, locations, gender, age, income, home type and marital status, among other data. 

However, social security numbers and credit card details were not enlisted there. 

Researchers Ran Locar and Noam Rotem said it's unclear who owns the 24-gigabyte database.  

'Unlike previous leaks we've discovered, this time, we have no idea who this database belongs to,' the researchers said. 

'It's hosted on a cloud server, which means the IP address associated with it is not necessarily connected to its owner.'  

Meanwhile, the database is still available online, and is not protected by password. 

'This isn’t the first time a huge database has been breached,' the researchers explained. 

'However, we believe that it is the first time a breach of this size has included peoples' names, addresses, and income. 

'This open database is a goldmine for identity thieves and other attackers,' they added.  







Data Leakage in the Federal portal of public services exposes the personal data of millions of Russians

Details of passport, social security number and employment data of 2.24 million Russian citizens were publicly available. Ivan Begtin, the Chairman of the Data Markets Association was discovered this leak. He analyzed the information of the largest Russian electronic trading platforms, where commercial purchases and public procurement are placed, and where important data was publicly available.

Begtin checked 562 thousand records of ZakazRF, 550 thousand records of RTS-tender, as well as records of Sberbank AST and other major Russian electronic trading platforms. Confidential information was in the public domain on each of the websites.

According to the Chairman of the Data Markets Association, the error occurred due to the illiteracy of developers and inaccuracies in the legislation. In his opinion, decisions on approval of major transactions should be published in the public domain by law. These documents often contain personal data. Second, the electronic signature that customers and suppliers use contains data about the name, e-mail and social security number.

Konstantin Bochkarev, the legal advisor of CMS, said that the disclosure of passport data may result in criminal liability for violation of privacy. According to him, there were examples when the phone number was recognized as a personal or family secret in practice of the Moscow city court.

Experts believe that the developers have violated the law "On personal data". The data can be removed by Federal Service for Supervision in the Sphere of Telecom, Information Technologies and Mass Communications (Roskomnadzor) on the request of an individual or media reports.

At the moment, Roskomnadzor has already sent to the electronic trading platforms requests for the disclosure of personal data of more than 2 million bidders.

It is interesting to note that Google said in December that the data of 52.5 million people started to be publicly available due to an error in the Google+ service. Applications independently requested data on age, name and e-mail. The company assured that the card data and other personal data were not available to the application.

Facebook leaks millions of Instagram passwords

2018 – What a year was it for Facebook! Data scandals and security leaks, issues from Cambridge Analytica and trails by authorities, Facebook have gone under every shit it’s connected with.

And the problems just keep coming in 2019. And in this year, it seemed to have enough already by internal probs, where is announced in a blog post last month saying, “Millions of users passwords were stored in a readable format in their databases!”

Just a day after the social networking giant admitted that it "unintentionally" uploaded email contacts of nearly 1.5 million of new users, Facebook has now revealed that it exposed millions of Instagram users' passwords in a data-security lapse. The password exposure is part of the security breach that was first reported last month by Krebs on Security. Admitting the security blunder, Facebook has said that the company it stored passwords of millions of users in plain text on its internal servers.

However, at that time Facebook claimed that “hundreds of millions of Facebook Lite users” and “tens of millions of other Facebook users” have been affected. Incidentally, the company has chosen just to update the old blog post while making the new revelation. "This is an issue that has already been widely reported, but we want to be clear that we simply learned there were more passwords stored in this way," a Facebook spokesperson said in a statement. Here's all you need to know about this latest 'password leak' from Facebook ...

The process was unintentional – according to Facebook – and happened when users were prompted for their password as part of a security verification process. It's been going on since May 2016 but Facebook says its now deleting all the scraped data.

In the updated post Facebook says: We will be notifying these users as we did the others.

U S disaster relief agency leaks private data of hurricane survivors


The U.S. Agency for International Development (USAID) is activating a Disaster Assistance Response Team (DART) to Mozambique to lead the U.S. Government's response to Cyclone Idai, which has caused catastrophic flooding, killed hundreds of people, and affected hundreds of thousands of others in Mozambique, Zimbabwe, and Malawi.

The US Federal Emergency Management Agency exposed 2.3 million disaster survivors to possible identity theft, according to the new report.

To date, USAID has mobilized $700,000 in total assistance to support emergency water, sanitation, hygiene, and shelter needs in Mozambique, Zimbabwe, and Malawi caused by torrential rain and flooding in early March, followed by Cyclone Idai. Of this, $200,000 is for relief efforts in Mozambique in response to the damage caused by Cyclone Idai, and $500,000 was provided to Mozambique, Zimbabwe, and Malawi in response to the flooding earlier in the month.

Those exposed by the breach included survivors of Hurricane Harvey, which hit Texas in 2017. The report finds Fema unnecessarily shared personal information, including bank details, with the outside contractor while applying for transitional sheltering in hotels, according to a report by the Office of Inspector General. The name of the contractor was not made public.

The USAID DART, an elite team of US disaster experts, will assess damage, identify humanitarian needs, and work closely with local authorities and humanitarian organizations on the ground to provide critical assistance to people affected by the cyclone. The storm, which has destroyed homes, livelihoods, and public infrastructure, follows a week of heavy rains and flooding across Southeast Africa that had already displaced tens of thousands of people.

Fema admitted the leak but said it had found no evidence that the improperly shared data was compromised.

“Since the discovery of this issue, Fema has taken aggressive measures to correct this error,” Fema press secretary Lizzie Litzow said in a statement. “Fema is no longer sharing unnecessary data with the contractor and has conducted a detailed review of the contractor’s information system,” she added.

The Dark Side of Kremlin- The Catalogue of Russian Data Leaks: All You Need To Know




Thousands of Russian emails and documents were leaked online in the late January in a catalogue named “The Dark Side of Kremlin”.


The catalogue was published by a “transparency collective” which goes by the name of “Distributed Denial of Secrets”.

DDoS encompasses an anonymous group of journalists, researchers, tech-experts and activists.

The documents contained private information regarding all the major hot-shots of Russia including the politicians, religious figures and the military.

The DDoS say, that their only job is to provide information to those who need it. If the information strengthens suspicions it hardly matters.

They also mentioned that their collection of data including emails, chat logs and attachments were hacked a few years ago by several hacking groups in Russia and Ukraine.

The Cyber Junta, Russian hackers Shaltai-Boltai, Ukrainian Cyber Alliance and other international parties were among the few accused.

The information leaked includes private documents and emails from the Ministry of Defense, the Russian Presidential Administration and other high-level political operatives.

Russia’s Prime Minister Dimitry Medvedev’s phone was hacked and his holiday pictures were uploaded online.

Russian President’s chef who controls companies that cater fancy banquets in Kremlin also lost his private notes to the leak.

The leak also includes the elaborate personal notes made by the chef on conversations between Putin and European leaders from Italy and Britain.

The most revealing hacks were the ones that came from the Russian Presidential Administration, which fairly let the Russian government, be a little more “transparent”.

The leak had details on how the government controls the Russian media and the way it transmits messages etc.

The most concerning part is that no one knows for sure how much and what kinds of information have been laid out bare in the open.

The leaks also provide an insight about the relations between Ukraine and Russia.

The inner-doings of Russia’s proxies and other insidious groups have also been brought into the light.

The DDoS had experienced a wipe on their servers making it imperative for them to upload it soon, in order to prevent the data from being censored.

Reportedly, this leak can’t be considered as a revenge for anything that has happened before, it was just an attempt at transparency.

A lot of the information present in the leaks was already available on the web but a lot of new investigations have been given birth due to this massive leakage.

This Russian document leak has created a paradigm shift in the way countries take their cyber-security seriously.

Analyzing these leaks could possibly lead Russia to adopting a new way of securing the web and its Presidential administration.

The government has already started taking care of its cyber-security vigilantly and all the loop holes will soon be filled up.