Security News > 2022 > July

Rogue HackerOne employee steals bug reports to sell on the side
2022-07-02 15:36

A HackerOne employee stole vulnerability reports submitted through the bug bounty platform and disclosed them to affected customers to claim financial rewards. The rogue worker had contacted about half a dozen HackerOne customers and collected bounties "in a handful of disclosures," the company said on Friday.

Verified Twitter accounts hacked to send fake suspension notices
2022-07-02 15:12

Threat actors are hacking verified Twitter accounts to send fake but well-written suspension messages that attempt to steal other verified users' credentials. Twitter verifies accounts if they are considered notable influencers, celebrities, politicians, journalists, activists, and government and private organizations.

Microsoft finds Raspberry Robin worm in hundreds of Windows networks
2022-07-02 14:07

Microsoft says that a recently spotted Windows worm has been found on the networks of hundreds of organizations from various industry sectors. Cybersecurity firm Sekoia also observed it using QNAP NAS devices as command and control servers in early November, while Microsoft said it found malicious artifacts linked to this worm created in 2019.

Google location tracking to forget you were ever at that medical clinic
2022-07-02 07:41

Google on Friday pledged to update its location history system so that visits to medical clinics and similarly sensitive places are automatically deleted. Google keeps a log of its users' whereabouts, via its Location History functionality, and provides some controls to delete all or part of those records, or switch it off.

TikTok Assures U.S. Lawmakers it's Working to Safeguard User Data From Chinese Staff
2022-07-01 21:22

Following heightened worries that U.S. users' data had been accessed by TikTok engineers in China between September 2021 and January 2022, the company sought to assuage U.S. lawmakers that it's taking steps to "strengthen data security." "Employees outside the U.S., including China-based employees, can have access to TikTok U.S. user data subject to a series of robust cybersecurity controls and authorization approval protocols overseen by our U.S.-based security team," TikTok CEO Shou Zi Chew wrote in the memo.

Friday Squid Blogging: Multiplexing SQUIDs for X-ray Telescopes
2022-07-01 21:06

NASA is researching new techniques for multiplexing SQUIDs (that's superconducting quantum interference devices) for X-ray observatories. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

Google Improves Its Password Manager to Boost Security Across All Platforms
2022-07-01 21:01

Google on Thursday announced a slew of improvements to its password manager service aimed at creating a more consistent look and feel across different platforms. The updates are also expected to automatically group multiple passwords for the same sites as well as introduce an option to manually add passwords.

Microsoft Warns About Evolving Capabilities of Toll Fraud Android Malware Apps
2022-07-01 21:01

Microsoft has detailed the evolving capabilities of toll fraud malware apps on Android, pointing out their "complex multi-step attack flow" and an improved mechanism to evade security analysis. Toll fraud belongs to a category of billing fraud wherein malicious mobile applications come with hidden subscription fees, roping in unsuspecting users to premium content without their knowledge or consent.

Cyberattack shuts down unemployment, labor websites across the US
2022-07-01 20:41

A cyberattack on a software company almost a week ago continues to ripple through labor and workforce agencies in a number of US states, cutting off people from such services as unemployment benefits and job-seeking programs. According to the Louisiana Workforce Commission in a statement this week, Geographic Solutions was forced to shut down state labor exchanges and unemployment claims systems, and as many as 40 states and Washington DC, all of which rely on GSI's services, could be affected.

Facebook 2FA phish arrives just 28 minutes after scam domain created
2022-07-01 20:01

At 19 minutes after 3 o'clock UK time today, the criminals behind this scam registered a generic and unexceptionable domain name of the form control-XXXXX.com, where XXXXX was a random-looking string of digits, looking like a sequence number or a server ID. 28 minutes later, at 15:47 UK time, we received an email, linking to a server called facebook. We've highlighted the error message "Password incorrect", which comes up whatever you type in, followed by a repeat of the password page, which then accepts whatever you type in.