Twitter confirmed Friday that a bad actor used a vulnerability to match private information with potentially anonymous Twitter accounts, posing risks to users' privacy. The vulnerability allowed someone to match an email address or phone number to any Twitter accounts tied to that information, and to learn the names of those accounts, Twitter wrote in a blog post. "We can confirm the impact was global," a Twitter spokesperson said in an email.
A new social engineering campaign by the notorious North Korean Lazarus hacking group has been discovered, with the hackers impersonating Coinbase to target employees in the fintech industry. A common tactic the group uses is to approach targets over LinkedIn with a job offer and hold a preliminary discussion as part of the social engineering attack.
Attackers abused open redirects on the websites of Snapchat and American Express in a series of phishing attacks to steal Microsoft 365 credentials. Open redirects are web app weaknesses that allow threat actors to use the domains of trusted organizations and websites as temporary landing pages to simplify phishing attacks. They're used in attacks to redirect targets to malicious sites that will either infect them with malware or trick them into handing over sensitive information.
Security and application delivery solutions provider F5 has released its quarterly security notification for August 2022, which informs customers about 21 vulnerabilities affecting BIG-IP and other products. The company has released separate advisories for a dozen high-severity vulnerabilities, as well as eight medium-severity and one low-severity flaw.
A class action lawsuit has been filed against big-three consumer credit bureau Experian over reports that the company did little to prevent identity thieves from hijacking consumer accounts. The legal filing cites liberally from an investigation KrebsOnSecurity published in July, which found that identity thieves were able to assume control over existing Experian accounts simply by signing up for new accounts using the victim's personal information and a different email address.
The word "protocol" crops up all over the place in IT, usually describing the details of how to exchange data between requester and replier. But there is also an important protocol that helps humans in IT, including researchers, responders, sysadmins, managers and users, to be circumspect in how they handle information about cybersecurity threats. That protocol is known as TLP, short for the Traffic Light Protocol, devised as a really simple way of labelling cybersecurity information.
Slack proactively reset the passwords of 0.5% of its users on Thursday after it was alerted to a vulnerability that transmitted hashed versions of user passwords to other workspace members. The enterprise messaging and collaboration platform said in a blog post that it fixed the bug in the shared invite link functionality, which creates a link to permit others to join a Slack workspace.