Finnish Mental Health Startup Vastaamo Leaked Patient Data

Vastaamo ran the largest network of private mental-health providers in Finland. William Ralston tells the story on WIRED, and how hackers used the data to threaten patients.

A security flaw in the company’s IT systems had exposed its entire patient database to the open internet—not just email addresses and social security numbers, but the actual written notes that therapists had taken. A group of hackers, or one masquerading as many, had gotten hold of the data.

What an incompetent company. No anonymization of patient records, no encryption of data. In other words, unfortunately common. Two developers hired at Vastaamo were even arrested in a previous security breach.

LinkedIn Data Leak of 500 Million People Sold Online

Just days after a Facebook data leak was discovered, security researchers found another one, this time involving LinkedIn. It affects a similar amount of users, 500 million, with data being sold on a “popular hacker forum.”

The leaked files appear to only contain LinkedIn profile information – we did not find any deeply sensitive data like credit card details or legal documents in the sample posted by the threat actor. With that said, even an email address can be enough for a competent cybercriminal to cause real damage.

Facebook Leaks Data of 553 Million People Like Phone Numbers

The personal data of 553 million Facebook users was posted in a hacking forum over the weekend. Data includes phone numbers, full names, locations, email addresses, and other information.

While it’s a couple of years old, the leaked data could prove valuable to cybercriminals who use people’s personal information to impersonate them or scam them into handing over login credentials, according to Alon Gal, the chief technology officer of the cybercrime intelligence firm Hudson Rock, who discovered the trough of leaked data on Saturday.

Facebook PR has been downplaying the leak, saying it’s “only” two years old. But for most people, their phone number, email addresses, and full names probably haven’t changed in that time.

iPhone ‘Call Recorder’ App Leaked User Conversations

An iPhone app called Call Recorder lets users record their phone call conversations. But a recently discovered bug leaked those calls.

But using a readily available proxy tool like Burp Suite, Prakash could view and modify the network traffic going in and out of the app. That meant he could replace his phone number registered with the app with the phone number of another app user, and access their recordings on his phone.

A new version of the app was submitted to Apple’s app store on Saturday. The release notes said the app update was to “patch a security report.”

Fashion App ‘21 Buttons’ Exposes Data of European Influencers

An e-commerce app called 21 Buttons has exposed the private data of hundreds of people across Europe.

Among the millions of photos and videos, we also viewed hundreds of invoices detailing payments to users in the 21 Buttons Rewards program, covering the last few months. Some of these invoices appear to be test data, but many of them were definitely legitimate invoices detailing real records of payments made.

Spotify Resets User Passwords Over Data Leak

Spotify has reset an unknown number of user passwords after a bug in its system exposed private data to business partners.

In a data breach notification filed with the California attorney general’s office, the music streaming giant said the data exposed “may have included email address, your preferred display name, password, gender, and date of birth only to certain business partners of Spotify.” The company did not name the business partners, but added that Spotify “did not make this information publicly accessible.”

Fortunately, those like me who created a Spotify account using Sign In with Apple shouldn’t have too much information leaked.

Gaming Company Razer Leaked 100,000 Users’ Data

In August, security researcher Volodymyr Diachenko found a server owned by Razer that exposed the data of over 100,000 users. It took the company over three weeks to get around to fixing the issue.

The cluster contained records of customer orders and included information such as item purchased, customer email, customer (physical) address, phone number, and so forth—basically, everything you’d expect to see from a credit card transaction, although not the credit card numbers themselves. The Elasticseach cluster was not only exposed to the public, it was indexed by public search engines.

Prison Phone Service ‘Telmate’ Leaks Data of Inmates

Telmate, owned by Global Tel Link, makes an app for prisoners to send messages and calls to friends and family. It exposed a database of private messages, call logs, and personal information numbers in the tens of millions. Why? The database wasn’t secured with a password.

Comparitech security researcher Bob Diachenko on August 13, 2020 discovered the unsecured database and immediately reported it to Global Tel Link, the company that owns and operates Telmate. The company, to its credit, responded within two hours and secured the database an hour later, but it’s possible that other unauthorized parties accessed it prior to Diachenko’s disclosure.

‘Deep Social’ Data Leak Exposes 235 Million Profiles of Instagram, TikTok, YouTube

A database containing almost 235 million social media profiles of users from Instagram, TikTok, and YouTube has been exposed because it wasn’t password-protected.

Evidence suggests that much of the data originally came from a now-defunct company: Deep Social. The names of the Instagram datasets (accounts-deepsocial-90 and accounts-deepsocial-91) hint at the data’s origin. Based on this, [security researcher Bob] Diachenko first contacted Deep Social using the email address listed on its website to disclose the exposure. The administrators of Deep Social forwarded the disclosure to Social Data. The CTO of Social Data acknowledged the exposure, and the servers hosting the data were taken down about three hours later.

AI Company ‘Cense AI’ Leaks 2.5 Million Medical Records

Secure Thoughts worked with security researcher Jeremiah Fowler to uncover how Cense AI leaked 2.5 million medical records, which included names, insurance records, medical diagnosis notes, and a lot more.

The records were labeled as staging data and we can only speculate that this was a storage repository intended to hold the data temporarily while it is loaded into the AI Bot or Cense’s management system. As soon as I could validate the data, I sent a responsible disclosure notice. Shortly after my notification was sent to Cense I saw that public access to the database was restricted.

1: Burn this company down. 2: Sounds like most of the data are from patients in New York.

20GB Intel Data Leak Spread on Twitter Includes Source Code

An anonymous leaker took to Twitter to leak 20GB of Intel data and says more is coming soon.

The poster encourages downloaders to look for mentions of ‘backdoors’ in some of the Intel source code, and even provides a sample clip of one such listing, but we aren’t sure of the intentions behind the listings in the code.

Hitting Command + F to look for mentions of backdoors, because such backdoors would conveniently  be labeled as such, right?

Careless ‘Whisper’ Leaks Years of User Data

Whisper, an app for people to share their secrets, exposed user data like age, location, and more for years.

The records were viewable on a non-password-protected database open to the public Web. A Post reporter was able to freely browse and search through the records, many of which involved children: A search of users who had listed their age as 15 returned 1.3 million results.

The cybersecurity consultants Matthew Porter and Dan Ehrlich, who lead the advisory group Twelve Security, said they were able to access nearly 900 million user records from the app’s release in 2012 to the present day.

You can never be 100% secure but at least put a damn password on your server.

Someone Stole Clearview AI’s List of Clients

Clearview AI gained notoriety for partnering with law enforcement on facial recognition, using its database of billions of scraped images from the web. But someone just stole its list of clients.

…Clearview AI disclosed to its customers that an intruder “gained unauthorized access” to its list of customers, to the number of user accounts those customers had set up, and to the number of searches its customers have conducted. The notification said the company’s servers were not breached and that there was “no compromise of Clearview’s systems or network.”

Meanwhile, law enforcement on end-to-end encryption: “Who needs that kind of encryption, other than maybe the military? We don’t even — in law enforcement — use encryption like that.”

Wyze Leaks Data of 2.4 Million Security Camera Customers

Wyze makes cheap security cameras for people, cheap in terms of price and now apparently security (ironically). A database of its user data was found exposed on the internet, unsecured.

This included a staggering array of personal information including email addresses, a list of cameras in the house, WiFi SSIDs and even health information including height, weight, gender, bone density and more.

“We are confirming that some Wyze user data was not properly secured and left exposed from December 4th to December 26th,” the company said. It denied that it had leaked bone density information, for example, but confirmed it had leaked “body metrics” for a small number of beta testers.

I’m still trying to figure out why a security camera company would have health information.

Database of 1.2 Billion Records Found With Scraped Data

A database filled with 1.2 billion records of data was found on the dark web back in October. I hesitate to call this a data breach because:

While the collection is impressive for its sheer volume, the data doesn’t include sensitive information like passwords, credit card numbers, or Social Security numbers. It does, though, contain profiles of hundreds of millions of people that include home and cell phone numbers, associated social media profiles like Facebook, Twitter, LinkedIn, and Github, work histories seemingly scraped from LinkedIn, almost 50 million unique phone numbers, and 622 million unique email addresses.

In other words this is all data that people have willingly put on their social media profiles. While it can be used for nefarious purposes (especially phone numbers) this is less of a breach and more of a database of scrapes. Nevertheless I’m using our “data breach” tag.

Amazon Ring Surveillance Cameras Leak Customer Data

Romanian security company Bitdefender found that Amazon Ring doorbell cameras were leaking customer data like Wi-Fi credentials.

Bitdefender researchers have discovered an issue in Amazon’s Ring Video Doorbell Pro IoT device that allows an attacker physically near the device to intercept the owner’s Wi-Fi network credentials and possibly mount a larger attack against the household network.

At the moment of publishing this paper, all Ring Doorbell Pro cameras have received a security update that fixes the issue described herein.

You can view the whitepaper [PDF] here.

WIN an iPhone 16 Pro Max!