8.3 million plaintext passwords leaked

A leak of almost 13 million DailyQuiz users appeared for sale online from multiple sources, following a breach of the app’s database last year. This includes 8.3 million plaintext passwords, emails, and IP addresses. The dataset was available for sale through Telegram channels and hacker forums for about $2,000 in cryptocurrency, although the Record reports it recently moved into being publicly available online. Data from the leak has also been provided to Have I Been Pwned so users can see if they are impacted. 

(The Record)

Dozens of US towns buy surveillance gear from firms tied to human rights abuses

According to contract documents seen by TechCrunch, at least 100 U.S. counties, towns and cities bought surveillance gear from the Chinese companies Hikvision and Dahua. This includes purchases made from the firms after they were placed on a federal economic sanctions list in 2019 after they were tied to the suppression of ethnic minorities in China, particularly Uighur Muslims, although being on the list did not ban state or local governments from buying from them. The biggest spender was the Board of Education in Fayette County, Georgia, who paid $490,000 for thermal imaging cameras for temperature checks at schools. According to the surveillance news site IPVM, thermal cameras from both companies often produced inaccurate readings, leading to a public health advisory from the USFDA. 

(TechCrunch)

Russia threatens to slow Google

The Russian communications watchdog Roskomnadzor previously placed a punitive slowdown on Twitter traffic in the country after the company refused to delete banned content, and now the regulator is threatening similar action against Google. The agency said it sent more than 26,000 requests for Google to remove illegal information, including videos with info on drugs, violence or materials from so-called extremist organizations. Google could be fined up to 10% of the company’s total annual revenue for repeat violation according to Russian law. Rozkomnadzor also accused Google of censorship for alleged YouTube restrictions on Russian media platforms RT and Sputnik. Court records show Google is suing regarding the demands to remove the banned comment. The regulator declined to comment when asked if Google could be banned outright in the country. 

(Reuters)

Irish hospital threat actors targeted the US too

A new flash alert from the FBI advised that the ransomware group behind an attack on the Irish healthcare system we previously reported on also targeted “at least” 16 healthcare and emergency networks in the US, including police and 911 dispatch centers. The threat actors used the Conti ransomware, using the now standard double-extortion scheme. The Conti ransomware is believed to be under the control of the Russia-based Wizard Spider cybercrime gang, with code and distribution links to Ryuk ransomware. The FBI did not identify specific victims or say if any organizations paid a ransom. 

(Engadget)

Thanks to our episode sponsor, Sumo Logic

Empower your SOC teams with a single platform that addresses security, compliance and configuration. Register for Sumo Logic’s Modern SOC Summit June 8-9. Whether you are just getting started or want a technical deep dive, this event has something for you. Reserve your spot for this virtual event at sumologic.com and click on the link at the top of the screen.

Chip shortage might somehow get worse

Taiwan’s director general of Taipei’s cultural and economic office in New York warned that a sudden rise in community transmission of COVID-19 in Taiwan may further exacerbate the ongoing chip shortage. The country previously had zero reported cases by community transmission for the last eight months, now with over 700 reported since May 9th. Currently only about 1% of Taiwan’s population is vaccinated. This comes as TSMC announced it will increase auto chip output by 60% in 2021, representing a 30% increase over the 2019 pre-pandemic levels. 

(Bloomberg)

Instagram testing WhatsApp for 2FA factor

App researcher Alessandro Paluzzi reports that Instagram is working on a system to use WhatsApp to send two-factor authentication codes as an alternative to SMS. Based on screenshots, users would have to verify their WhatsApp account through SMS, with WhatsApp not storing any user Instagram data. Once WhatsApp is set as the 2FA factor, no other SMS interaction is required. It’s unclear when Instagram might release this as a feature.

(The Next Web)

French intelligence finds bluetooth flaw

Researchers at the French intelligence agency ANSSI recently disclosed multiple bugs in the Bluetooth Core and Mesh Profile specifications that could open the door for man-in-the-middle attacks. The vulnerabilities impact Passkey authentication which could allow a malicious actor in range to create a series of responses to determine each bit of the randomly generated Passkey selected by the pairing initiator in each round of the pairing procedure. Once these bits were identified in a pairing session, the attackers could pair with the device. Impacted vendors include Cisco, Microchip, Red Hat, Intel, and Android.

(Security Affairs)

Data leak from Japan’s top dating app

Japan’s most popular dating app, Omiai, reported it found unauthorized server access from April, potentially exposing photos of ID cards, drivers licenses, and passports on 1.7 million users. Credit card data was not exposed in the breach. It’s not clear if the data was actually exfiltrated when accessed. The app had 6.8 million monthly users in April, meaning the leak potentially impacted 25% of its user base. 

(Bloomberg)