Unsecured server exposes 419 million records of phone numbers linked to Facebook accounts

Security researcher Sanyam Jain uncovered a server that had been left publicly accessible without any password protection. The server contained at least 419 million records linked to Facebook users, including celebrities. Of these, 133 million records related to U.S.-based Facebook users, 18 million to Facebook users in the U.K., and over 50 million to Facebook users in Vietnam. The exposed records included each user’s unique Facebook ID and the associated phone number, and also included Facebook users’ names, gender, and country. The researcher who found the leaky server contacted TechCrunch for help in identifying the owner of the database. TechCrunch reviewed the database and verified the authenticity of the records by matching a known Facebook user’s phone number against the list of exposed Facebook IDs.

Researchers noted that the records appeared to have been loaded into the unprotected database at the end of last month, but the data itself is old. After this, the web host was contacted and the database was secured. Facebook spokesperson Jay Nancarrow said that the exposed records are old and had been scraped before Facebook disabled access to user phone numbers.


Personal data of over 200,000 customers affected in data breach of UK-based Truly Travels

Truly Travels, a British holiday firm, has suffered a data breach caused by an unsecured Amazon Web Services server. The incident affected the personal details of over 200,000 customers. As reported by Verdict, the data on the server was left open to the internet for three years. It included customers’ names, email addresses, home addresses, phone numbers, and dates of birth. In total, the unprotected server held 532,000 audio files, of which 212,000 belonged to Truly Travels, which trades under the name Teletext Holidays. The recorded calls took place between 10 April 2016 and 10 August 2016, ranged from a few minutes to up to an hour, and appeared to involve UK customers. Most of the calls were customer queries about trips, location costs, and flight timings. Some calls also captured partial card details, such as the card type, the name on the card, and the expiry date, and some included the names and dates of birth of accompanying passengers such as partners and children. Teletext Holidays removed all 532,000 files immediately after Verdict notified the company, and says it is taking all appropriate steps to ensure that such a situation does not occur in the future.


CircleCI suffered data breach involving third-party analytics vendor

CircleCI suffered a data breach that compromised user data after an attacker gained unauthorized access to one of its third-party vendor accounts. Users who accessed the CircleCI platform between June 30, 2019, and August 31, 2019, are affected by the incident. On August 31, 2019, a CircleCI team member noticed an email notification from one of the company’s third-party analytics vendors and suspected that unusual activity was taking place in that vendor account. The employee immediately forwarded the email to the CircleCI security team, which launched an investigation. The compromised user data includes usernames and email addresses associated with GitHub and Bitbucket, along with user IP addresses and user-agent strings; other exposed information includes organization names, repository URLs, branch names, and repository owners. No CircleCI user secrets, auth tokens, password hashes, build artifacts, build logs, source code, Social Security numbers, or credit card information were involved. The investigation revealed that a database had been added to the vendor account that was not a CircleCI resource; the security team immediately removed the malicious database and the compromised user from the tool, then worked with the third-party vendor to identify the exact vulnerability that caused the incident. CircleCI’s security team is taking steps to improve its security practices, including enforcing 2FA on third-party accounts and implementing single sign-on (SSO) for all of its integrations.


High-severity zero-day vulnerability for Android OS disclosed

A high-severity zero-day vulnerability in Android, residing in the Video for Linux 2 (v4l2) driver used for video recording, has been disclosed. To exploit it, attackers first need local access to the device; once they can execute low-privileged code, they can use the flaw to escalate their privileges, after which they can run malicious applications and take over the entire device. Zero Day Initiative (ZDI) rated the severity of the bug at 7.8 out of 10. The vulnerability does not help attackers break into users’ phones or attack remotely: local access is required to inject malicious code, which can then be used to hijack the device. Lance Jiang and Moony Li of TrendMicro Research first reported the vulnerability to Google in March. Google acknowledged it and promised a fix, but gave no ETA. After Google’s September 2019 Android Security Bulletin was released without a fix for this vulnerability, the TrendMicro researchers went public with the details. With no security fix from Google, it is up to Android users to keep their devices safe from attacks, and users are strongly advised to install applications only from verified sources.


Unprotected database of flight booking site Option Way exposes sensitive customer information

Security researchers Noam Rotem and Ran Locar of vpnMentor discovered an unprotected Elasticsearch database belonging to the flight booking website Option Way. The unsecured database leaked over 100 GB of data on customers from several countries, including France, Belgium, Algeria, Switzerland, and Austria. The exposed information includes customers’ personal details such as names, dates of birth, gender, email addresses, phone numbers, and home addresses, along with booking details such as flight departure and return dates, the unique PNR numbers attached to their reservations, destinations, and flight prices. The database also exposed Option Way’s own credit card details and the personal information of its employees. The researchers discovered the database on August 20, 2019, and after examining it notified Option Way of the exposure on August 25, 2019; the owners of the database responded four days later. “With this information obtained, the victim can be exploited in various criminal schemes, from credit card fraud all the way to complete identity theft. Hackers can sell PII to the highest bidder on the dark web and combine it with other forms of attack, making the criminals exploiting the data untraceable,” the researchers wrote in a blog post.


Over 600,000 GPS Trackers of 29 Different Models Expose User Information Including Real-time Location

Researchers from Avast have found that GPS child trackers manufactured by Shenzhen i365 expose user information. At least 29 models of GPS trackers contain serious security flaws that expose user data, including real-time GPS coordinates. Avast researchers examined the T8 Mini child tracker and found that its companion mobile app is downloaded from an unsecured website, and that at least 600,000 devices share the same default password, ‘123456’. These weaknesses could allow an attacker to hijack user accounts, spoof users’ locations, or access the microphone to spy on conversations. The researchers also determined that all communication data travels unencrypted from the GSM network to the cloud server, and noted that around 50 GPS tracking mobile applications available on both Google Play and the iOS App Store share the same unencrypted API platform. Avast notified Shenzhen i365 about the vulnerabilities on June 24, 2019, but did not hear back from the vendor.


Edited and compiled by cyber security specialist James Aguilan.