Week 41 Cyberattack Digest 2018 – Google+, Facebook, Navionics and others

Do you like our tradition of posting a weekly cyber attack digest on Mondays? We do, and here is a new selection of the latest cyber incidents that we have chosen for you.

Google+ glitch affects 500,000 accounts

by SC Media – 9 October 2018

So as not to suggest that hackers are always to blame for every misfortune, let’s start this week’s digest with the opposite case. As a result of a Google+ API glitch, user profile data was exposed to developers. During the period from the beginning of 2015 to March 2015, profile data of hundreds of thousands of Google+ users was accessible to third-party developers. Still, Google decided not to notify its users and to hide the glitch so as not to draw the displeasure of regulators: the company supposed that the incident could pose a risk to its reputation. The company discovered the bug in one of its Google+ People APIs as part of its Project Strobe review, “a root-and-branch review of third-party developer access to Google account and Android device data and of our philosophy around apps’ data access.”
“Profiles of up to 500,000 Google+ accounts were potentially affected. Our analysis showed that up to 438 applications may have used this API,” Google commented. The company’s representatives also mention that there was no evidence that any developer was aware of the bug or was abusing the API, and that there are no traces of profile data misuse.
Google+ will be wound down for consumers over the next ten months; the company said that it would further tighten its privacy and data protection efforts.

New details on Facebook breach

by The Telegraph – 12 October 2018

Well, probably, Facebook has another opinion on solving security problems. Facebook experienced a major security breach back in September affecting over 30 million people. While the company is busy notifying its users about the possible compromise of their phone numbers and personal details, the investigation is ongoing. Now, anyone can visit the Facebook Help Centre to check whether they were affected and what information was stolen. Two weeks ago, Facebook made public that the FBI had launched an investigation, and initially it was claimed that 50m had been affected. Facebook’s head of product Guy Rosen did not comment on who was behind the attack, but revealed that the attack was traced back to a group of “seed” accounts.
Starting from the initial accounts, the malefactor used a bug in Facebook’s code related to the “View As” feature to access the profiles of friends. The feature had been introduced in July 2017. This way it was possible to open up the profile pages of about 30 million people and access confidential information.

Another accidental leak at Navionics

by SC Media – 9 October 2018

Another incident that flooded headlines this week was (ironically) another accidental data breach. The leak exposed over 260,000 records of customers of the marine navigation company Navionics. The exposed information was found by Bob Diachenko, director of cyber risk research at Hacken. About 19GB of data containing 261,259 records were indexed by the Shodan search engine in the beginning of September. The records included email addresses, names in some cases, purchased product IDs, and user IDs. Diachenko commented that other data left in the open included “application version and platform used, device ID, longitude and latitude, boat speed, a navigation device, horizontal accuracy, and other navigation details.”
Navionics learned about the issue on September 11 and informed all its potentially affected customers immediately after that.

Copeland Borough Council attack cost £2m

by BBC News – 10 October 2018

Copeland Borough Council has disclosed the details of an attack that took place back in August. Copeland, Islington and Salisbury councils were affected as part of the Bank Holiday cyber attack, when malefactors demanded a bitcoin ransom in order to regain access to encrypted data. The council said the incident cost it about £2m. A sabotage attack locked staff out of several services, including payroll, planning and environmental health. The authority said that experts had been hired for better protection against possible future attacks.
There is also no evidence that any sensitive data has been taken.

This week was (happily?) not notable for clamorous cyber attacks; still, it has shown that the human factor can also cause a lot of trouble. And in order not to miss future incidents, follow us on Twitter, Facebook, and LinkedIn.

The post Week 41 Cyberattack Digest 2018 – Google+, Facebook, Navionics and others appeared first on ERPScan.