Cyber Security Headlines: Microsoft $20M COPPA settlement, Hacktivists take credit for outages, SEC sues Coinbase

Microsoft to pay $20M settlement for illegally collecting children’s data

Microsoft will pay $20 million to settle charges brought by the Federal Trade Commission for violating the Children’s Online Privacy Protection Act (COPPA). The FTC said children under the age of 13 who signed up for Microsoft’s Xbox gaming service were asked to provide personal information including name, email address, phone number and date of birth. Until 2019, the sign-up screen also included a pre-filled check box allowing Microsoft to share user information with advertisers. Microsoft collected the data before asking for a parent to complete the account setup, but then retained the data even if the parent abandoned the sign-up process.

In other Microsoft regulatory news, the company has set aside $425 million to pay a fine it anticipates receiving from the Irish Data Protection Commission (DPC) due to potential General Data Protection Regulation (GDPR) violations for alleged targeted advertising on the platform of its subsidiary, LinkedIn.

(TechCrunch and Dark Reading)

hit by outages as hacktivists claim DDoS attacks

On Tuesday, suffered a series of outages following two major outages Monday, preventing users worldwide from reliably accessing or sending email and using the mobile Outlook app. Microsoft claims technical issues were the cause of the outages. However, hacktivists known as Anonymous Sudan took to their Telegram channel, claiming they have been carrying out DDoS attacks on the service as retaliation for the US government intervening in Sudanese internal affairs. The hackers went on to request a $1 million ransom from Microsoft to cease their attacks.

(Bleeping Computer)

SEC accuses Coinbase of breaking US regulations

The US Securities and Exchange Commission (SEC) crypto crackdown continues as the regulator has sued the largest American cryptocurrency exchange, Coinbase, for operating as an “unregistered broker, exchange and clearing agency.” The SEC said, “Coinbase has for years defied the regulatory structures and evaded the disclosure requirements that Congress and the SEC have constructed for the protection of the national securities markets and investors.” The lawsuit follows a similar action the SEC took against the Binance crypto exchange on Monday.

(The Guardian)

1Password launches its public passkey beta

Password manager 1Password has launched its public beta for passkeys, which will allow users to replace passwords with authentication systems built into their devices. 1Password users can now create, store, and share passkeys for supported websites by installing the 1Password beta browser extension for Chrome, Edge, Safari, Firefox, or Brave. Passkeys can only be created for websites and services that have rolled out their own passkey support. 1Password users will be able to vote on which sites and services they’d like to support passkeys. While it won’t guarantee those platforms will integrate passkey support, the hope seems to be that developers will be motivated to add the feature due to popular demand.

(The Verge)

Researchers spot a different kind of Magecart card-skimming campaign

Researchers from Akamai have spotted an ongoing Magecart campaign infecting an unknown number of e-commerce sites in the US, UK, and several other countries. The malware is skimming credit card numbers and personally identifiable information (PII) from customers on these sites. But what makes this campaign even more dangerous is that the threat actor is also using the infected sites as hosts for delivering the card-skimming malware to other target sites. Researchers say that the campaign has been going on for at least a month and, like typical Magecart campaigns, the primary targets are sites running the open source Magento e-commerce platform.

(Dark Reading)

Verizon releases its annual Data Breach Investigations Report (DBIR)

On Tuesday, Verizon issued its 2023 Data Breach Investigations Report (DBIR). The report revealed that three-quarters of data breaches over the last year (74%) involved the human element, caused by employees falling for social engineering attacks, making errors, or using their access maliciously. Credentials accounted for seventy-six percent of the data compromised in social engineering attacks, followed by internal organizational information (28%) and personal data. Finally, the report noted that ransomware events held steady, accounting for about a quarter of overall incidents; however, the median cost of a ransomware attack doubled since the prior year. Verizon noted that in order to rein in these key trends, organizations need to focus on employee security hygiene, implementing true multifactor authentication, and collaboration across organizations to share threat intelligence.

(Dark Reading)

CISA releases joint guide to securing remote access software

The Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), Federal Bureau of Investigation (FBI), Multi-State Information Sharing and Analysis Center (MS-ISAC) and Israel National Cyber Directorate (INCD) have released the Guide to Securing Remote Access Software. The guide informs organizations how to detect and defend against malicious actors abusing this software by providing common exploitations and associated tactics, techniques and procedures (TTPs). Threat actors often exploit these products to evade detection and establish network connections through cloud-hosted infrastructure. 

(Security Magazine)

Threat actors are creating nudes using AI

Sextortion involves a malicious actor using hacking techniques or coercion to obtain explicit images and videos from their victims, then threatening to leak them unless a payment is made. The FBI is warning that sextortionists are now scraping innocuous publicly available images and videos posted on social media platforms, then feeding them into deepfake AI content creation tools that turn them into sexually explicit content. In many cases the threat actors are skipping payment demands and proceeding to upload the content to public sites. The FBI recommends that adults posting content online restrict viewing access to their friends and contact authorities if they discover themselves to be the subject of explicit deepfake content.

(Bleeping Computer)

Sean Kelly is a cyber risk professional and leader who thrives on learning, collaborating and helping the business securely advance its mission. Sean is also a musician and outdoor enthusiast who loves spending time with his family and two cats.