December 2, 2022
The private information of 5.4 million Twitter users is currently being shared for free on an underground forum. The data was exposed in July 2021 through a vulnerability in Twitter’s API that allowed unauthorized parties to scrape profile information using phone numbers and email addresses. Malicious actors originally sold the stolen data on underground forums; however, the data now appears to have been dumped for free. Some researchers believe there are multiple data dumps of Twitter users from multiple data leaks, possibly including the data of 17 million users.
Data Security Perspective: Twitter users should be aware of phishing and scam attempts that may result from having profile information leaked. Users should approach emails with scrutiny, as a malicious actor may send carefully crafted phishing emails in order to gain financial or other sensitive information.
November 29, 2022
Third-party medical IT provider Connexin Software notified over 2.2 million patients of a data breach. After noticing anomalous network activity, the company determined that an unauthorized party had accessed an offline set of patient data and removed some of it. The exposed data included Social Security numbers, treatment, billing, and insurance information, along with personal information of pediatric patients and their parents. Connexin Software is notifying affected patients and offering a year of child identity monitoring services to those affected.
Data Security Perspective: Using a third party can, in some cases, be a risk for data exposure and breaches. Companies should ensure that any third party they use has adequate security measures in place. Additionally, affected users should watch for any fraudulent activity that may arise from having their PII exposed.
November 25, 2022
Researchers at Datadog have identified a vulnerability in AWS AppSync that could allow unauthorized access to AWS resources. AppSync is an AWS service that developers use to create serverless GraphQL and Pub/Sub APIs. In order to use AppSync, a role is created with the necessary IAM permissions. Datadog researchers determined that the role ARN sent in the request could be modified to a different ARN that the caller does not have access to, bypassing validation. Exploiting this vulnerability could enable threat actors to gain access to and control of various AWS services. Another issue with this vulnerability is that detection can be challenging: the requests made, malicious or not, would appear as regular AppSync requests and therefore would not necessarily look out of the ordinary.
Data Security Perspective: Amazon patched this vulnerability in September and announced that no accounts were affected. This research highlights how new vulnerabilities are continually coming to light. Users should always keep up to date with patches.
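The AppSync issue above is a confused-deputy pattern: a service role trusts the service principal, and a request names a role ARN the caller should not be able to use. The customer-side hardening AWS documents for service-assumed roles in general is to pin the trust statement to the calling account and resource with the aws:SourceAccount and aws:SourceArn condition keys. The following is an added example, not Datadog's research code or AWS tooling, that audits a role trust policy for that pinning; it assumes the condition keys apply to the AppSync service principal, and the account ID, region and API ID in the sample policies are constructed placeholders.

```python
"""Audit an IAM role trust policy for confused-deputy protection.

Added example (not Datadog's or AWS's code). Assumption: a trust statement
that lets a service principal call sts:AssumeRole should carry both
aws:SourceAccount and aws:SourceArn conditions so only the intended
resource in the intended account can assume the role.
"""
import json

SERVICE_PRINCIPAL = "appsync.amazonaws.com"

# Constructed: a trust policy that lets the service assume the role on
# behalf of any resource in any account that can name the role ARN.
WEAK_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": SERVICE_PRINCIPAL},
        "Action": "sts:AssumeRole",
    }],
})

# Constructed: the same trust, pinned to one API in one account
# (account ID, region and API ID are placeholders).
HARDENED_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": SERVICE_PRINCIPAL},
        "Action": "sts:AssumeRole",
        "Condition": {
            "StringEquals": {"aws:SourceAccount": "111111111111"},
            "ArnLike": {
                "aws:SourceArn": "arn:aws:appsync:us-east-1:111111111111:apis/EXAMPLEAPIID"
            },
        },
    }],
})


def _as_list(value):
    """IAM allows scalars or lists in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _condition_keys(statement):
    """Collect every condition key used in a statement, lower-cased."""
    keys = set()
    for pairs in statement.get("Condition", {}).values():
        keys.update(k.lower() for k in pairs)
    return keys


def find_unpinned_service_trusts(policy_json, service=SERVICE_PRINCIPAL):
    """Return findings for Allow statements that let `service` assume the
    role without both aws:SourceArn and aws:SourceAccount conditions."""
    policy = json.loads(policy_json)
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        if service not in services:
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if not actions & {"sts:assumerole", "sts:*", "*"}:
            continue
        present = _condition_keys(stmt)
        missing = [k for k in ("aws:sourcearn", "aws:sourceaccount") if k not in present]
        if missing:
            findings.append({"statement": idx, "missing": missing})
    return findings


if __name__ == "__main__":
    print("weak:", find_unpinned_service_trusts(WEAK_TRUST_POLICY))
    print("hardened:", find_unpinned_service_trusts(HARDENED_TRUST_POLICY))
```

Run this over the trust policies of roles that a service is allowed to assume; any finding is a role that a request from a different account could, in a confused-deputy scenario, point at. The check reports missing conditions rather than attempting to reproduce any validation bypass.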
November 18, 2022
Engineer Tom Forbes discovered that IT company Infosys accidentally published AWS keys to the Python Package Index (PyPI). Metadata inside an internal package contained an AWS access key and AWS secret key with full permissions belonging to Infosys; although the package had been published in February 2021, the key was still active. As a result, the key gave access to an S3 bucket containing clinical data related to Johns Hopkins. However, the data was not verified to see whether it contained sensitive medical data.
Data Security Perspective: Companies using AWS IAM should follow best practices for assigning roles and permissions, and prefer temporary credentials, so that if credentials leak, the access they grant is minimized. In addition, developers need to be aware of the risk of publicly uploading files containing developer secrets.
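A pre-publish scan catches the mistake described above before a package leaves the build machine. The following is an added example, not Infosys's, PyPI's or Tom Forbes's code; it assumes the documented AWS access key ID format (an "AKIA" prefix for long-term IAM user keys, "ASIA" for temporary STS credentials, each followed by 16 uppercase alphanumerics) and uses a heuristic for 40-character secret keys that can produce false positives. The file contents and credential values are constructed, taken from the well-known AWS documentation placeholders.

```python
"""Pre-publish scan of package files for embedded AWS credentials.

Added example, not code from the page or any project it mentions.
Assumptions: AWS access key IDs are 'AKIA'/'ASIA' + 16 uppercase
alphanumerics; secret keys are 40 base64-like characters and usually sit
next to a label containing 'secret'. Sample file contents are constructed.
"""
import re

ACCESS_KEY_RE = re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b")
# Heuristic: a 'secret'-ish label, a little punctuation, then 40 base64-ish chars.
SECRET_KEY_RE = re.compile(
    r"(?i)(?:aws_?secret(?:_?access)?_?key|secret)\W{0,10}([A-Za-z0-9/+=]{40})\b"
)

# Constructed sample: a package tree with a long-term key left in config.py
# and a temporary key ID quoted in the README.
SAMPLE_FILES = {
    "pkg/PKG-INFO": "Metadata-Version: 2.1\nName: internal-tool\nVersion: 0.3.0\n",
    "pkg/config.py": (
        "AWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE'\n"
        "AWS_SECRET_ACCESS_KEY = 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY'\n"
    ),
    "pkg/README.md": "Uses temporary creds from STS, e.g. ASIAQ2XJNOLUCEXAMPLE at runtime.\n",
}


def scan_files(files):
    """Return (path, kind, value) findings. The kind separates long-term key
    IDs (valid until someone deactivates them, as in the entry above) from
    temporary ones (expire on their own) so responders know what to revoke."""
    findings = []
    for path, text in files.items():
        for m in ACCESS_KEY_RE.finditer(text):
            key = m.group(1)
            kind = "long-term-access-key-id" if key.startswith("AKIA") else "temporary-access-key-id"
            findings.append((path, kind, key))
        for m in SECRET_KEY_RE.finditer(text):
            findings.append((path, "possible-secret-access-key", m.group(1)))
    return findings


def publish_gate(files):
    """Gate a release: any credential-shaped string blocks the upload.
    Returns (ok, findings) so CI can print the findings when it fails."""
    findings = scan_files(files)
    return (len(findings) == 0, findings)


if __name__ == "__main__":
    ok, found = publish_gate(SAMPLE_FILES)
    print("publish allowed:", ok)
    for path, kind, value in found:
        print(f"  {path}: {kind} ({value[:4]}...)")
```

Wire publish_gate into the step that builds the sdist or wheel, scanning every file that will go into the archive (PKG-INFO and METADATA included, since that is where the leaked key sat in this case). A hit on a long-term key means the key must be deactivated in IAM regardless of whether the upload is pulled, because a yanked package may already have been mirrored.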