Security News

PrestaShop fixes bug that lets any backend user delete databases
2023-04-26 19:30

The open-source e-commerce platform PrestaShop has released a new version that addresses a critical-severity vulnerability allowing any back-office user to write, update, or delete SQL databases regardless of their permissions. The permissions of each user are set so that they're only allowed to access the information and features necessary for their role, which is a crucial security feature of PrestaShop.

Two Critical Flaws Found in Alibaba Cloud's PostgreSQL Databases
2023-04-20 13:53

A chain of two critical flaws has been disclosed in Alibaba Cloud's ApsaraDB RDS for PostgreSQL and AnalyticDB for PostgreSQL that could be exploited to breach tenant isolation protections and access sensitive data belonging to other customers. "The vulnerabilities potentially allowed unauthorized access to Alibaba Cloud customers' PostgreSQL databases and the ability to perform a supply chain attack on both Alibaba database services, leading to an RCE on Alibaba database services," cloud security firm Wiz said in a new report shared with The Hacker News.

Kodi discloses data breach after forum database for sale online
2023-04-11 16:31

The Kodi Foundation has disclosed a data breach after hackers stole the organization's MyBB forum database containing user data and private messages and attempted to sell it online. The now-shut-down Kodi forum has roughly 401,000 members who used it to discuss media streaming, exchange tips, offer support, share new add-ons, and more in 3 million posts.

Assessing AI’s acquired knowledge from an organization’s database
2023-04-06 04:00

Researchers at the University of Surrey have developed software that can assess the amount of data that an artificial intelligence system has acquired from a digital database of an organization, in response to the increasing global interest in generative AI systems. This verification software can be used as part of a company's online security protocol, helping an organisation understand whether an AI has learned too much or even accessed sensitive data.

FBI confirms access to Breached cybercrime forum database
2023-03-24 21:59

Today, the FBI confirmed they have access to the database of the notorious BreachForums hacking forum after the U.S. Justice Department also officially announced the arrest of its owner. 20-year-old Conor Brian Fitzpatrick was charged for his involvement in the theft and sale of sensitive personal information belonging to "millions of U.S. citizens and hundreds of U.S. and foreign companies, organizations, and government agencies" on the Breached cybercrime forum.

Pair accused of breaking into US law enforcement database, posing as cops
2023-03-15 14:10

The US Attorney's Office for the district alleged Sagar Steven Singh and Nicholas Ceraolo had not only blackmailed victims using their personal info by threatening to post it on a public-facing website, but they also made "emergency requests" to social media companies asking for information about users. It might interest readers to know that Twitter, for example, had 11,500 requests for information on 28,000 accounts worldwide from government and law enforcement officials from July to December 2021.

New Cryptojacking Campaign Leverages Misconfigured Redis Database Servers
2023-03-02 11:39

Misconfigured Redis database servers are the target of a novel cryptojacking campaign that leverages a legitimate and open source command-line file transfer service to implement its attack. The attack chain commences with targeting insecure Redis deployments, followed by registering a cron job that leads to arbitrary code execution when parsed by the scheduler.

DNA testing biz vows to improve infosec after criminals break into database it forgot it had
2023-02-20 20:30

A DNA diagnostics company will pay $400,000 and tighten its security in the wake of a 2021 attack where criminals broke into its network and swiped personal data on over two million people from a nine-year-old "legacy" database the company forgot it had. The genetic testing firm, DNA Diagnostics Center, reached a settlement deal with states' attorneys general in Ohio and Pennsylvania last week, after the social security numbers of 45,000 residents of the two states were exposed, with each of the states getting $200k. DDC offers paternity testing, immigration testing, veterinary DNA testing and forensic testing.

Iran crew stole Charlie Hebdo database, says Microsoft
2023-02-04 08:45

Microsoft believes the gang who boasted it had stolen and leaked more than 200,000 Charlie Hebdo subscribers' personal information is none other than a Tehran-backed gang. On January 4, a previously unknown cyber-crime group that called itself Holy Souls claimed to have stolen a Charlie Hebdo database containing 230,000 customers' names, email addresses, phone numbers, addresses, and financial information, and offered it for sale for about $340,000.

Nissan North America data breach caused by vendor-exposed database
2023-01-17 14:50

Nissan North America has begun sending data breach notifications informing customers of a breach at a third-party service provider that exposed customer information. In the notification sample, Nissan claims it received notice of a data breach from one of its software development vendors on June 21, 2022.