data leak

Led by Noam Rotem and Ran Locar, vpnMentor’s research team recently discovered a cache of data from audio company Sennheiser. It appears to be from an old cloud account that’s been dormant since 2018. Over 28,000 Sennheiser customers were exposed, with sensitive private data leaked.

While it’s unclear how all this data was collected, it appears to be from customers and businesses requesting samples of Sennheiser products.

Examples of entries: Full names, Email addresses, Phone numbers, Home addresses, Names of companies requesting samples, Number of the requesting company’s employees

A report from Website Planet reveals D.W Morgan left an Amazon S3 bucket unprotected, resulting in the exposure of over 2.5 million files.

An Amazon S3 bucket owned by D.W. Morgan was left accessible without authorization controls in place, exposing sensitive data relating to shipments and the company’s clients.

As a market leader, D.W. Morgan provides services to some of the biggest companies in the world and there are major Fortune 500 organizations with data exposed on the open bucket.

Over a thousand web apps from Microsoft’s Power Apps platform have leaked 38 million records. This data includes COVID-19 contact tracing.

The data included a range of sensitive information, from people’s phone numbers and home addresses to social security numbers and COVID-19 vaccination status.

The incident affected major companies and organizations, including American Airlines, Ford, the transportation and logistics company J.B. Hunt, the Maryland Department of Health, the New York City Municipal Transportation Authority, and New York City public schools.

An SQL database containing what appears to be highly sensitive health insurance data of more than 6,000 patients has been leaked on a hacker forum.

The author of the post claims that the data was acquired from US insurance giant Humana and includes detailed medical records of the company’s health plan members dating back to 2019. The leaked information includes patients’ names, IDs, email addresses, password hashes, Medicare Advantage Plan listings, medical treatment data, and more.

A database owned by Dreamhost was found unsecured and publicly accessible online. It contained 814 million entries of exposed usernames, display names, and emails for WordPress accounts.

The exposed log files contained what appears to be 3 years of records that range from 3/24/2018 to 4/16/2021 and each contained information about WordPress accounts hosted or installed on DreamHost’s server and their users. On May 4th a DreamHost representative acknowledged the discovery and informed us that the finding was being passed on to their legal team.

Update: DreamHost reached out to say that none of those records contain data that would have allowed access to DreamHost accounts. They consist entirely of entries that include object update records, error reports, and log entries. Data from just 21 individual websites were involved. More information can be found on its website.

CVS Health recently leaked approximately one billion user records that include email addresses, user IDs, and metadata. The information was discovered in a non-password protected database.

CVS Health acted fast and professionally to secure the data and a member of their Information Security Team contacted me the following day and confirmed my findings and that the data was indeed theirs. I was informed that this was a contractor or vendor who managed this dataset on behalf of CVS Health, but it was confidential as to who the vendor was.