Monday, May 16, 2016

Issue 64 - Week of May 9th

1. Tumblr discloses email security breach: Hackers obtained a set of Tumblr user email addresses together with salted and hashed passwords dating from early 2013, the Yahoo-owned microblogging site announced last week. Tumblr staff stated in a blog post that they believe this information was not used to access Tumblr accounts, but as a precaution the affected users will be required to set a new password.

2. Four data breaches reported last week: (i) Kiddicare, a company that sells child toys and accessories across the United Kingdom, was hacked and 794,000 accounts were leaked. (ii) UserVoice, a web-based service that offers customer service and helpdesk tools, notified users that the company had suffered a data breach and that some user accounts were compromised, including names, email addresses, and passwords. (iii) Google suffered a minor data breach after a vendor unintentionally sent sensitive information about an undisclosed number of its employees to the wrong email address; fortunately, the recipient deleted the email straight away. (iv) A fine of about $260,000 was imposed on a London-based HIV clinic for leaking the data of 781 HIV patients.

3. InvestBank UAE breached: Close on the heels of the Qatar National Bank leak, a 10 gigabyte file holding sensitive financial data taken from InvestBank in the United Arab Emirates (UAE) has been leaked online. The file contains information on tens of thousands of customers of the Sharjah-based bank. The dump appears to contain payment card data, as well as a large number of sensitive internal files relating to the bank's employees and systems.

4. Commercial Bank of Ceylon hacked?: Commercial Bank of Ceylon, based in Colombo, Sri Lanka, has apparently been hacked, with its data posted online last week by the Bozkurtlar hacking group. The same group has also posted five other data dumps from banks, including Dutch Bangla Bank (Bangladesh), The City Bank (Bangladesh), Trust Bank (Bangladesh), Business Universal Development Bank (Nepal) and Sanima Bank (Nepal).

5. 'Pawn Storm' APT campaign rolls on with attacks in Germany, Turkey: A sophisticated group of hackers known as 'Pawn Storm' set up a fake webmail server designed to look like a German political party's webmail server, in an apparent attempt to steal the email credentials of party members. They also targeted the personal email credentials of these party members. In a similar attack, the Turkish prime minister, members of the country's parliament and Turkey's largest newspapers were targeted. Based on the profile of Pawn Storm's victims, the group is believed to be based in Russia.

6. OkCupid user account data released: OkCupid is a US-based, internationally operating free online dating, friendship, and social networking website. Sensitive data such as usernames, sexual preferences, orientation and more, belonging to almost 70,000 users, has been released online by researchers. Last year, another online dating service, Ashley Madison, suffered a breach.

7. Pornhub launches Bug Bounty program, offering rewards up to $25,000: With the growing number of cyber-attacks and data breaches, a significant number of companies and organizations have started bug bounty programs to encourage hackers and security researchers to find and responsibly report bugs in their services in exchange for a reward. Now even pornography sites are starting to embrace bug bounty practices in order to safeguard their users' security. Pornhub has partnered with HackerOne, a bug bounty startup that operates bug bounty programs for companies.

8. 10-year-old boy becomes the youngest Bug Bounty hacker: A 10-year-old Finnish boy, Jani from Helsinki, recently reported an Instagram bug to Facebook that allowed him to delete other Instagram users' comments just by entering malicious code into the app's comment field. Jani was rewarded $10K; he said he will use the money to buy a football and a new bicycle. He has been learning about hacking and programming from instructional videos on YouTube, and his dream job is to become an information security expert.

9. Sony 2014 breach linked to $81m Bangladesh Bank cyber heist: After SWIFT announced that a second, unnamed banking customer had been hit with malware similar to that used in the Bangladesh heist, a security firm published an analysis linking the tools used in both of these attacks to the 2014 attack on Sony Pictures. While North Korean hackers are believed to be behind the Sony breach, the recent attacks on banks are suspected to be the handiwork of North Korean and Pakistani hackers.

10. Mozilla asks court to disclose Firefox exploit used by FBI to hack Tor users: Mozilla has filed a brief with a U.S. District Court asking the FBI to disclose the potential vulnerabilities in its Firefox browser that the agency exploited to unmask Tor users in a criminal investigation. Last year, the FBI used a zero-day flaw to hack the Tor browser and de-anonymize users visiting child sex websites.