Category: Security & Privacy

Blockchain-based lending platform Figure has experienced a data breach affecting close to 1 million customers. The breach, confirmed by the company last week, allowed hackers to access a limited number of files from its systems, compromising sensitive customer information.

Security researcher Troy Hunt, known for Have I Been Pwned, analyzed the breached data and identified 967,200 unique email addresses linked to Figure customers, along with customer names, dates of birth, physical addresses, and phone numbers being exposed.

The cybercrime group ShinyHunters claimed responsibility for the attack, disclosing 2.5 gigabytes of allegedly stolen data on their leak site. This incident underscores the ongoing challenges companies face in protecting customer data against sophisticated cyber threats.

Source: TechCrunch

Microsoft has acknowledged a critical bug that allowed its Copilot AI to access and summarize confidential emails from customers without authorization. The bug, originally identified by Bleeping Computer, enabled Copilot Chat to read and outline email contents since January, even bypassing data loss prevention policies designed to protect sensitive information in Microsoft’s large language model.

Copilot Chat, an AI-powered chat feature available to Microsoft 365 subscribers using Office products like Word, Excel, and PowerPoint, was affected by this vulnerability, identified internally as CW1226324. This issue led to draft and sent emails labeled as ‘confidential’ being incorrectly processed by Microsoft 365 Copilot chat.

Microsoft has initiated the deployment of a fix for this bug earlier this month. However, the company has not disclosed the extent of the impact, with no comments provided on the number of affected customers. This incident raises concerns about data privacy and security within Microsoft’s ecosystem, highlighting the importance of stringent safeguards to prevent unauthorized access to sensitive information.

Source: TechCrunch

A recent report by Amnesty International has revealed that Intellexa’s Predator spyware was used by a government customer to hack the iPhone of a prominent journalist in Angola, raising significant concerns over journalist privacy and security.

The human rights organization’s investigation found that Teixeira Cândido, a local journalist and press freedom activist, was targeted with malicious links sent via WhatsApp in 2024. Upon clicking on one of these links, Cândido’s iPhone was compromised by Intellexa’s Predator spyware.

This incident underscores the growing trend of government entities leveraging commercial surveillance tools to target journalists, politicians, and civilians, amplifying worries about privacy violations and potential abuse of spyware technology.

Intellexa, a company known for its controversial operations and efforts to evade export regulations, faced sanctions from the outgoing Biden administration in 2024, alongside its founder and associates, shedding light on the regulatory challenges posed by surveillance vendors.

This case serves as a stark reminder of the vulnerability of journalists and activists to sophisticated spyware attacks, highlighting the need for increased scrutiny and safeguards against the misuse of surveillance technologies in the digital age.

Source: TechCrunch

The European Parliament has taken a precautionary step by prohibiting lawmakers from utilizing the embedded AI tools on their official devices due to cybersecurity and privacy concerns linked to storing sensitive data in the cloud.

According to a report by Politico, the parliament’s IT department expressed uncertainties about the security of data stored on AI companies’ servers and indicated that the extent of data sharing with these companies is still under evaluation.

As a result, the decision was made to keep these AI features disabled to ensure data safety.

By preventing the use of AI chatbots such as Anthropic’s Claude, Microsoft’s Copilot, and OpenAI’s ChatGPT on their devices, lawmakers aim to mitigate the risk of U.S. authorities compelling these companies to disclose user information. Additionally, the reliance of AI chatbots on user-provided data for model enhancement raises concerns about potential data exposure and sharing.

This development aligns with the broader context of the EU reassessing its interactions with U.S. tech corporations, especially in light of recent data subpoena incidents involving prominent tech and social media firms.

Source: TechCrunch

The Department of Homeland Security’s recent actions have brought technology and privacy concerns to the forefront, as reported by TechCrunch. Homeland Security has been pressuring tech giants to reveal the identities behind social media accounts critical of Immigration and Customs Enforcement (ICE).

Recent reports have highlighted instances where Homeland Security issued subpoenas to unmask anonymous Instagram users critical of ICE. This tactic, which includes the use of administrative subpoenas that bypass judicial oversight, has raised alarms about privacy and free speech.

According to The New York Times, the frequency of these subpoenas has surged in recent months, with Google, Meta, Reddit, and Discord being targeted. While some companies have complied with these requests, others like Google have stated a commitment to notifying users and challenging overly broad demands.

This escalation in government requests underscores the delicate balance between national security interests and individual privacy rights in the digital age. Tech companies face increasing pressure to navigate these demands while safeguarding user trust and data protection.

Source: TechCrunch

A critical security vulnerability in the web admin dashboards of DavaIndia Pharmacy, a major player in India’s pharmaceutical sector, has exposed sensitive customer data and internal systems, raising concerns over data privacy and cybersecurity. According to TechCrunch, the flaw allowed unauthorized access to a trove of online pharmacy orders, including customer details, product listings, pricing data, and drug-prescription requirements.

Security researcher Eaton Zveare discovered that the flaw enabled outsiders to exploit ‘super admin’ privileges, granting them full control over the platform. The incident, now rectified, underscores the importance of robust cybersecurity measures in safeguarding sensitive data. With DavaIndia Pharmacy rapidly expanding its retail footprint, the exposure of nearly 17,000 online orders and administrative controls across hundreds of stores highlights the scale of the security oversight.

Such vulnerabilities could have severe repercussions, potentially leading to misuse of private health information, unauthorized modifications to product details, and even website defacement. The accessibility of this data since late 2024 emphasizes the critical need for continuous monitoring and prompt mitigation of security risks in digital platforms.

Source: TechCrunch

Japanese sex toy manufacturer Tenga recently disclosed a data breach where a hacker gained unauthorized access to an employee’s email account, compromising customer information. According to an email obtained by TechCrunch, the breach exposed customer names, email addresses, and correspondence, potentially including order details and customer service inquiries.

The breach also led to the hacker sending spam emails to contacts in the compromised account, raising concerns about data privacy and security. Tenga advised customers to change their passwords and remain cautious of suspicious emails, emphasizing the importance of cybersecurity measures. Following the incident, the company took steps to enhance security, including resetting the compromised account’s credentials and implementing multi-factor authentication across systems to prevent unauthorized access.

This breach underscores the significance of robust cybersecurity practices, such as multi-factor authentication, in safeguarding sensitive customer data from malicious actors.

Source: TechCrunch

Figure Technology, a prominent blockchain-based lending platform, has acknowledged a data breach incident. The breach, as reported by TechCrunch, was the result of a social engineering attack on an employee, leading to the unauthorized access and theft of a limited number of files.

In response, Figure’s spokesperson, Alethea Jadick, stated that the company is actively collaborating with partners and affected individuals. As a measure of support, Figure is offering free credit monitoring services to all impacted parties upon notification.

While specific details about the extent of the breach remain undisclosed, the hacking group ShinyHunters has claimed responsibility for the incident. The group, known for data breaches, revealed that Figure’s refusal to meet their ransom demands resulted in the disclosure of 2.5 gigabytes of allegedly stolen data.

The compromised data reportedly included personal details such as customers’ full names, home addresses, dates of birth, and phone numbers. ShinyHunters also disclosed to TechCrunch that Figure was part of a larger hacking operation targeting users of the single sign-on provider Okta, with other victims including prestigious institutions like Harvard University and the University of Pennsylvania (UPenn).

Source: TechCrunch

Amazon’s Ring, a prominent home security company, has decided to terminate its partnership with Flock Safety, a provider of AI-powered surveillance cameras utilized by various law enforcement agencies. This move follows their joint agreement in October, aimed at enabling Ring doorbell users to share footage with Flock for assisting in evidence collection and investigations.

According to a report by TechCrunch, Flock’s AI cameras have been accessed by entities such as Immigration and Customs Enforcement (ICE), the Secret Service, and the Navy, despite Flock’s assertion of no direct collaboration with ICE. Ring officially announced the cancellation of the partnership, citing the substantial time and resource requirements for integration.

Concerns have been raised about the potential misuse of Ring’s technology, particularly after its Super Bowl commercial showcased the AI-enabled Search Party feature’s capability to locate lost pets using neighborhood cameras. While Ring assures that its technology cannot process human biometrics, similarities exist between Ring’s features and those of Flock, which allows government and police partners to conduct natural language searches on video footage from its cameras, potentially amplifying racial biases when utilized by law enforcement.

With Ring introducing a facial recognition feature named ‘Familiar Faces,’ enabling users to label frequently seen individuals, the debate on privacy and surveillance continues.

Source: TechCrunch

Dutch telecommunications company Odido has disclosed a significant data breach affecting millions of its customers. The breach, reported by TechCrunch, involved hackers gaining unauthorized access to Odido’s customer contact system and exfiltrating a vast amount of sensitive customer data. This breach, impacting over 6.2 million customers, includes personal details such as names, phone numbers, addresses, dates of birth, bank account information, and government-issued ID numbers. Fortunately, certain critical data like call records, location information, and billing details were not compromised. Both Odido and its subsidiary Ben NL assured that their core services like phone, internet, and television remain unaffected by the breach.

This incident underscores the growing threat of data breaches targeting telecom companies, with governments and cybercriminals seeking to pilfer confidential customer information. The breach serves as a reminder of the importance of robust cybersecurity measures in safeguarding sensitive data. Odido’s response to this breach and the subsequent investigation will be closely monitored as the company works to mitigate the impact on affected customers.

Source: TechCrunch

Vincenzo Iozzo, a prominent figure in the cybersecurity industry, has been removed from the official websites of the Black Hat and Code Blue conferences. Iozzo, the CEO of SlashID, was previously a member of the Black Hat review board since 2011, but his name is no longer visible on the conference websites as of the latest update.

Iozzo’s removal follows the release of over 2,300 documents by the Department of Justice, which revealed his correspondence with convicted sex offender Jeffrey Epstein from 2014 to 2018. The emails show Iozzo’s attempts to arrange meetings with Epstein even after allegations of Epstein’s misconduct surfaced in late 2018.

In response to his removal, Iozzo stated that he has not resigned voluntarily and is open to a thorough investigation. Iozzo’s career includes notable contributions to the cybersecurity field, such as his early work on Apple’s mobile software and his role as the founder of the cybersecurity startup IperLane, which was later acquired by CrowdStrike.

Black Hat has not provided any comments on the matter at this time, leaving the situation surrounding Iozzo’s removal from the conference websites open to interpretation and further investigation.

Source: TechCrunch

Recent events surrounding Coupang’s data breach in South Korea have led to legal action from U.S. investors against the South Korean government, creating a tech-related geopolitical issue.

Coupang, a major e-commerce platform in South Korea, faced a significant data breach affecting millions of customers. The breach not only prompted a regulatory investigation into data security but also sparked allegations of discriminatory treatment by the South Korean government toward the U.S.-based company.

Investors, including Greenoaks, Altimeter, Abrams Capital, Durable Capital Partners, and Foxhaven Asset Management, are now pursuing international arbitration under the U.S.-Korea Free Trade Agreement. They claim losses due to what they perceive as unfair actions by the government during the investigation.

The breach compromised personal information of nearly 34 million Korean customers, including sensitive data like names, email addresses, and order histories. Despite other data breaches in Korea resulting in milder repercussions, Coupang faced intensified government scrutiny and alleged misrepresentations of the breach’s extent.

This case highlights the intersection of technology and international trade agreements, demonstrating how data breaches can lead to legal disputes with broader geopolitical implications.

Source: TechCrunch