News

Leaked Algolia API Keys Exposed Data of Millions of Users

Threat detection firm CloudSEK has identified thousands of applications leaking Algolia API keys, and tens of applications with hardcoded admin secrets, which could allow attackers to steal the data of millions of users. Organizations can use Algolia’s API to incorporate functions such as search, discovery, and recommendations into their applications. The API is used by over 11,000 companies, including Lacoste, Slack, Medium, and Zendesk. CloudSEK says it has identified 1,550 applications that leaked Algolia API…

California County Says Personal Information Compromised in Data Breach

The County of Tehama, California, has started informing employees, recipients of services, and affiliates that their personal information might have been compromised in a data breach. The incident, Tehama County says, was identified on April 9, but the investigation into the matter stretched to August 19, when it was determined that personally identifiable information (PII) was compromised. The investigation revealed that an unauthorized third party had access to the county’s systems between November 18, 2021, and…

Atlassian Patches Critical Vulnerabilities in Bitbucket, Crowd

Atlassian informed customers this week that it has patched critical vulnerabilities in its Crowd and Bitbucket products. In the Bitbucket source code repository hosting service, Atlassian fixed CVE-2022-43781, a critical command injection vulnerability that affects Bitbucket Server and Data Center version 7 and, in some cases, version 8. “There is a command injection vulnerability using environment variables in Bitbucket Server and Data Center. An attacker with permission to control their username can exploit this issue…

Microsoft Warns of Cybercrime Group Delivering Royal Ransomware, Other Malware

A threat actor tracked as DEV-0569 and known for the distribution of various malicious payloads was recently observed updating its delivery methods, Microsoft warns. DEV-0569 has been relying on malicious ads (malvertising), blog comments, fake forum pages, and phishing links for the distribution of malware. Over the past few months, however, Microsoft noticed that the threat actor has started using contact forms to deliver phishing links, while choosing to host fake installers on legitimate-looking software…

Ukrainian Hacker Sought by US Arrested in Switzerland: Report

A Ukrainian hacker sought by US authorities for a decade was arrested last month in Switzerland, the specialist website Krebs on Security reported. Vyacheslav Igorevich Penchukov, 40, was arrested in the Swiss canton of Geneva on October 23 while visiting his wife, the site reported. Swiss authorities confirmed to the news website Watson the arrest of a Ukrainian national sought by US authorities who is refusing extradition, but did not identify the suspect by name.…

OpenSSF Adopts Microsoft-Built Supply Chain Security Framework

The Open Source Security Foundation (OpenSSF) on Wednesday announced the adoption of the Secure Supply Chain Consumption Framework (S2C2F), a Microsoft-built framework for consuming open source software. In use within Microsoft since 2019 and made public in August 2022, S2C2F defines real-world threats to open source software (OSS) and includes requirements to mitigate them. The consumption-focused framework takes a threat-based, risk-reduction approach to mitigating supply chain threats against OSS. The framework includes eight different areas…

US Gov Warning: Start Hunting for Iranian APTs That Exploited Log4j

The U.S. government on Wednesday issued a blunt recommendation for organizations running VMware Horizon servers: Initiate threat-hunting activities to find and expel Iranian APT actors that used the Log4j crisis to slip undetected into corporate networks. According to a joint advisory from CISA and the FBI, Iranian government-sponsored hackers hit at least one Federal Civilian Executive Branch (FCEB) organization with an exploit for a Log4j vulnerability in an unpatched VMware Horizon server. From the advisory…

Zendesk Vulnerability Could Have Given Hackers Access to Customer Data

An SQL injection vulnerability in Zendesk Explore could have allowed a threat actor to leak Zendesk customer account information, data security firm Varonis reports. Zendesk Explore is the analytics and reporting service of Zendesk, a popular customer support software-as-a-service solution. According to Varonis, two vulnerabilities in Zendesk Explore could have allowed an attacker to access conversations, comments, email addresses, tickets, and other information stored in Zendesk accounts with Explore enabled. The two issues, however, were…

Canadian Supermarket Chain Sobeys Hit by Ransomware Attack

Canadian supermarket and pharmacy chain Sobeys is recovering from a cyberattack that might have involved the Black Basta ransomware. Sobeys is the second largest supermarket chain in Canada and a wholly-owned subsidiary of Empire Company Limited, which operates more than 1,500 stores across the country, under brands such as Foodland, IGA, Lawtons, Needs, Safeway, and more. On November 7, Empire disclosed that it fell victim to a cyberattack that impacted some in-store systems at its…

GitHub Introduces Private Vulnerability Reporting for Public Repositories

Microsoft-owned code hosting platform GitHub has announced the introduction of a direct channel for security researchers to report vulnerabilities in public repositories that allow it. The new private vulnerability reporting capability enables repository maintainers to allow security researchers to report to them any vulnerabilities identified in their code. Some repositories may contain specific instructions on how the maintainers can be contacted for vulnerability reporting, but for those that do not, researchers often report issues publicly.…
