An app used by the U.S. Army at a major combat training base was recently removed because some of its code was written in Russia.
data leak
Appointment Booker 'FlexBooker' Suffers Second Data Leak
The vpnMentor research team discovered a data leak from FlexBooker, a company that makes online appointment booking tools for businesses.
Security Friday: Everything Bad is New Again – TMO Daily Observations 2022-02-04
Andrew Orr and Kelly Guimont discuss Security Friday updates, including some suggested beverage pairings for each topic.
Civicom Data Leak Affects Over 100,000 Files
Video conference company Civicom has had a data leak, found by the Website Planet Security team. Over 100,000 files were included.
Security Friday: This Week in (Sad) Data Breaches – TMO Daily Observations 2022-01-21
Andrew Orr joins host Kelly Guimont to discuss a Safari data leak, encrypted messaging, and as always, a new data breach.
Security Friday: This Week in Data Leaks – TMO Daily Observations 2021-12-17
Andrew Orr and Kelly Guimont discuss the security news and updates of the week, including two data leaks and end on a festive note.
Sennheiser Leak Exposed 55GB of Data for Thousands of Customers
Led by Noam Rotem and Ran Locar, vpnMentor’s research team recently discovered a cache of data from audio company Sennheiser. It appears to be from an old cloud account that’s been dormant since 2018. Over 28,000 Sennheiser customers were exposed, with sensitive private data leaked.
While it’s unclear how all this data was collected, it appears to be from customers and businesses requesting samples of Sennheiser products.
Examples of entries: Full names, Email addresses, Phone numbers, Home addresses, Names of companies requesting samples, Number of the requesting company’s employees
US Logistics Company 'D.W. Morgan' Leaks Data Through Amazon S3
A report from Website Planet reveals that D.W. Morgan left an Amazon S3 bucket unprotected, resulting in the exposure of over 2.5 million files.
An Amazon S3 bucket owned by D.W. Morgan was left accessible without authorization controls in place, exposing sensitive data relating to shipments and the company’s clients.
As a market leader, D.W. Morgan provides services to some of the biggest companies in the world and there are major Fortune 500 organizations with data exposed on the open bucket.
Digital Marketing Agency 'Cronin' Leaks 92 Million Employee, Client Records
Security researcher Jeremiah Fowler in cooperation with the WebsitePlanet research team found an unprotected database from Cronin. It exposed 92 million database records from employees and clients.
The exposed server was named “Cronin-Main” and many of the records contained references to Cronin. These records included internal data such as employee and client information. Also included in the dataset was a “Master Mailing List” with direct physical names, addresses, Salesforce IDs, phone numbers, and references to where the leads came from.
(Update) Medical AI Company 'Deep6' Leaks 68 GB Trove of Patient Records
Security researcher Jeremiah Fowler, together with the WebsitePlanet research team, found an unprotected database belonging to Deep6. The records appear to contain data on individuals based in the United States.
Update: Deep6 reached out and said the news is misleading, saying “In August, a security researcher accessed a test environment that contained dummy data from MIT’s Medical Information Mart of Intensive Care (MIMIC) system, an industry standard source for de-identified health-related test data. To confirm, no real patient data or records were included in this ephemeral test environment, and it was completely isolated from our production systems.”
Meanwhile, according to WebsitePlanet, Mr. Fowler said, “I sent 3 follow-up emails on Aug 11, Aug 12, Aug 23. No one has ever replied since the first message on Aug 10th. I validated that the doctors’ names were real individuals by searching obscure names (see screenshot). This is highly unusual in my experience to use real individuals’ data in a ‘dummy environment’ under any circumstances. Because no one replied, we added our disclaimer that we are highlighting that no patient data appeared in plain text, the records were ‘medical related’, and we never implied any wrongdoing or risk.”