Weekly Update 428
I wouldn’t say this is a list of my favourite breaches from this year as that’s a bit of a disingenuous term, but oh boy were there some memorable ones. So many of the incidents I deal with are relatively benign in terms of either the data they expose or the nature of the service, but some of them this year were absolute zingers. This week, I’m talking about the ones that really stuck out to me for one reason or another, here’s the top 5:
References
- Sponsored by: 1Password Extended Access Management: Secure every sign-in for every app on every device.
- The Spoutible breach was one of the most bizarre instances of returning unnecessary data via an API I’ve ever seen (passwords, 2FA secrets and the code used in “magic links” to reset passwords)
- It’s one thing for spyware to be used for stalking partners against their terms and conditions, it was quite another for pcTattletale to explicitly refer to marital infidelity as a use case for the product (this data breach actually killed the company)
- The “Combolists Posted to Telegram” breach was more significant for the stealer logs than it was the combolists aggregated from other sources (that really brought this class of breach into the spotlight for me)
- The National Public Data breach was much more significant for the exposure of hundreds of millions of social security numbers than it was for the email addresses that went into HIBP (that’s another company that folded as a result of their breach)
- The Muah.AI breach exposed a trove of requests by users to create CSAM images (the linked thread is a mind-boggling series of tweets about both the content and the justifications offered for not having controls on the images created)
Troy Hunt
Go to troyhunt