Microsoft reveals hackers accessed some Outlook.com accounts for months

“Microsoft has started notifying some Outlook.com users that a hacker was able to access accounts for months earlier this year. The software giant discovered that a support agent’s credentials were compromised for its web mail service, allowing unauthorized access to some accounts between January 1st and March 28th, 2019. Microsoft says the hackers could have viewed account email addresses, folder names, and subject lines of emails, but not the content of emails or attachments.”

Once more a malware installed on Point of Sale terminals…

A Month After 2 Million Customer Cards Sold Online, Buca di Beppo Parent Admits Breach

Multi-Factor Auth Bypassed in Office 365 and G Suite IMAP Attacks

“Massive IMAP-based password-spraying attacks successfully breached Microsoft Office 365 and G Suite accounts, circumventing multi-factor authentication (MFA) according to an analysis by Proofpoint.

This technique takes advantage of the fact that the legacy authentication IMAP protocol bypasses MFA, allowing malicious actors to perform credential stuffing attacks against assets that would have been otherwise protected.”

Tax Returns Exposed in TurboTax Credential Stuffing Attacks

“Financial software company Intuit discovered that tax return info was accessed by an unauthorized party after an undisclosed number of TurboTax tax preparation software accounts were breached in a credential stuffing attack.”

Bug Lets Callers Snoop On You Without Permission

“A serious Apple iOS bug has been discovered that allows FaceTime users to access the microphone and front facing camera of who they are calling even if the person does not answer the call.”

Suggestion is to disable FaceTime until a patch is released later this week.

Alert (AA19-024A) DNS Infrastructure Hijacking Campaign

“The National Cybersecurity and Communications Integration Center (NCCIC), part of the Cybersecurity and Infrastructure Security Agency (CISA), is aware of a global Domain Name System (DNS) infrastructure hijacking campaign. Using compromised credentials, an attacker can modify the location to which an organization’s domain name resources resolve. This enables the attacker to redirect user traffic to attacker-controlled infrastructure and obtain valid encryption certificates for an organization’s domain names, enabling man-in-the-middle attacks.”

Marriott reveals data breach affecting 500 million hotel guests

WiFi firmware bug affects laptops, smartphones, routers, gaming devices

List of impacted devices includes PS4, Xbox One, Samsung Chromebooks, and Microsoft Surface devices.

100 Million Quora users affected by massive data breach

Have you noticed that the latest breeches tend to be 100 Million Plus? Anyway, if you use the site, be sure to change the password and any other sites that are linked (e.g., social networks).

Quora Security Update

“For approximately 100 million Quora users, the following information may have been compromised:

• Account information, e.g. name, email address, encrypted password (hashed using bcrypt with a salt that varies for each user), data imported from linked networks when authorized by users
• Public content and actions, e.g. questions, answers, comments, upvotes
• Non-public content and actions, e.g. answer requests, downvotes, direct messages (note that a low percentage of Quora users have sent or received such messages)

Questions and answers that were written anonymously are not affected by this breach as we do not store the identities of people who post anonymous content.

The overwhelming majority of the content accessed was already public on Quora, but the compromise of account and other private information is serious.“

Jared, Kay Jewelers Parent Fixes Data Leak

“The parent firm of bling retailers Jared and Kay Jewelers has fixed a bug in the Web sites of both companies that exposed the order information for all of their online customers.”

It apparently does not affect other retailers owned by Signet Jewelers (like Zales and Piercing Pagoda).