Data Leak Hits 2.5 Million Customers of Cosmetics Giant Yves Rocher*:

  • A French retail consultancy exposed data on millions of its clients’ customers, as well as sensitive business information, after researchers discovered an unsecured Elasticsearch database.

  • Aliznet, which specializes in digital transformation, names tech giants IBM, Oracle and Salesforce, retail leaders such as Auchan, and big brands including Yves Rocher and Lacoste as its clients.

  • However, researchers from vpnMentor were able to access a private Aliznet database containing data on 2.5 million Canadian Yves Rocher customers.

  • This included names, phone numbers, email addresses, dates of birth and postcodes.

  • They also discovered over six million customer orders in the database, including transaction amount, currency used, delivery date and store location.

  • Along with this sensitive personally identifiable information (PII) on customers, vpnMentor found internal Yves Rocher data including: stats on store traffic, turnover and order volumes; product descriptions and ingredients for over 40,000 products; and product prices and offer codes.

  • This info could be a big asset to Yves Rocher’s competitors, allowing them to estimate store sales, order volumes and other trading data, the research team claimed.

  • “Competing cosmetic and beauty companies could use this information to create highly effective advertising campaigns targeted at Yves Rocher customers. This could lead to Yves Rocher losing customers to competitors,” the research team added.

*Source: infosecurity-magazine, September 03, 2019

A huge database of Facebook users’ phone numbers found online*:

  • Hundreds of millions of phone numbers linked to Facebook accounts have been found online.

  • The exposed server contained more than 419 million records across several databases covering users in multiple geographies, including 133 million records on U.S.-based Facebook users, 18 million records on users in the U.K., and another database with more than 50 million records on users in Vietnam.

  • A user’s Facebook ID is typically a long, unique and public number associated with their account, which can easily be used to discern an account’s username.

  • Some of the records also had the user’s name, gender and location by country.

  • This is the latest security lapse involving Facebook data after a string of incidents since the Cambridge Analytica scandal, which saw more than 80 million profiles scraped to help identify swing voters in the 2016 U.S. presidential election.

  • This latest incident exposed millions of users’ phone numbers just from their Facebook IDs, putting them at risk of spam calls and SIM-swapping attacks, which rely on tricking cell carriers into giving a person’s phone number to an attacker.

  • With someone else’s phone number, an attacker can force-reset the password on any internet account associated with that number.

  • This latest data exposure is the most recent example of data stored online and publicly without a password.

  • Although often tied to human error rather than a malicious breach, data exposures nevertheless represent an emerging security problem.

*Source: TechCrunch, September 5, 2019

Online Depression Tests Are Collecting and Sharing Your Data*:

  • Privacy International published a report, Your mental health for sale, which explored how mental health websites handle user data.

  • The digital rights nonprofit looked at 136 mental health webpages across Google France, Google Germany and the UK version of Google, according to the report.

  • They chose websites based on advertised links and featured page search results for depression-related terms in French, German, and English, and also included the most visited sites according to web analytics service SimilarWeb.

  • According to the report, the organization used the open-source software webxray to identify third-party HTTP requests and cookies.

  • The analysis found that 97.78 percent of the webpages had a third-party element, which might include cookies, JavaScript, or an image hosted on an outside server.

  • Webxray’s analysis found that 76.04 percent of the webpages had trackers for marketing purposes: 80.49 percent of the pages in France, 61.36 percent of the pages in Germany, and 86.27 percent of the pages in the UK.

  • The third-party trackers also included advertising services from Google, Facebook, and Amazon, with Google trackers being the most prevalent, followed by Facebook and Amazon.

  • Privacy International found that some of the depression test websites stored users’ responses and shared them, along with their test results, with third parties.

  • The report also raises the issue of consent, especially given the EU’s recently enacted General Data Protection Regulation (GDPR) and its push to better protect the digital privacy of consumers.

  • Not only were many of these webpages tracking users’ sensitive information, but they were doing so without meeting the new legal standards for consent.

*Source: gizmodo, September 05, 2019

Forget email: Scammers use CEO voice ‘deepfakes’ to con workers into wiring cash*:

  • Criminals are using AI-generated audio to impersonate a CEO’s voice and con subordinates into transferring funds to a scammer’s account.

  • So-called deepfake voice attacks could be the next frontier in a scam that has cost US businesses almost $2bn over the past two years via fraudulent email.

  • The Wall Street Journal reports that the CEO of an unnamed UK-based energy company thought he was talking on the phone with his boss, the CEO of the German parent company, who had asked him to urgently transfer €220,000 ($243,000) to a Hungarian supplier.

  • However, the UK CEO was in fact taking instructions from a scammer who had used AI-powered voice technology to impersonate the German CEO.

  • It is the voice equivalent of the deepfake videos that are causing alarm for their potential to manipulate public opinion and cause social discord.

  • The company’s insurer believes the scammer used commercially available AI voice-generating software to carry out the fraud.

  • The UK-based CEO became suspicious when the fraudster called a third time requesting a second transfer, and noticed the call was from an Austrian number. He did not make any further transfers.

  • However, the original transfer went to a Hungarian account under the scammers’ control and was then transferred to Mexico.

  • CEOs could be an easier target for AI-generated voice fraud because their voices are often contained in earnings calls, media appearances, YouTube videos, and conferences, offering scammers plenty of data to build a model of someone’s voice.

  • The scam bears the hallmarks of an older fraud that has already caused massive losses in the US, namely business email compromise (BEC), which cost US businesses $1.3bn in 2018 alone.

  • While BEC crime involves manipulating people through fraudulent email, the basic scam and goal are the same, albeit via a different medium.

  • It involves spoofing or compromising a senior officer’s email account and emailing instructions for a financial controller to urgently transfer funds to an account controlled by the scammer.

*Source: ZDnet, September 04, 2019