By Deeba Ahmed
In total 22 proprietary software vulnerabilities were identified in the firmware, which Qualcomm addressed in its January 2023…
This is a post from HackRead.com Read the original post: Chip Vulnerabilities Impacting Microsoft, Lenovo, and Samsung Devices

In total 22 proprietary software vulnerabilities were identified in the firmware, which Qualcomm addressed in its January 2023 security bulletin.

Firmware attacks are increasingly common nowadays as cybercriminals are focusing more on the lower-level embedded code, which supports hardware. **Qualcomm**’s hardware is the latest target in this regard.

Reportedly, the company was notified about the presence of nearly 2 dozen security vulnerabilities in its flagship chipset suite, Snapdragon.

**Vulnerabilities Details**

These vulnerabilities were discovered by Binarly AI-powered firmware protection company. In total 22 proprietary software issues were identified in the firmware, which Qualcomm addressed in its January 2023 security bulletin.

These include 2 bugs in automotive tracked as CVE-2022-33218 and CVE-2022-33219 and one bug in powerline communication firmware tracked as CVE-2022-33265. These bugs were rated critical or high severity and their patching was quite complex.

Additionally, five major vulnerabilities in UEFI firmware on ARM were identified and tracked as CVE-2022-40516 to CVE-2022-40520. These vulnerabilities impacted the whole infrastructure of ARM-based devices and laptops.

Binarly discovered two types of vulnerabilities, including out-of-bounds read issued and stack-based buffer overflows. Both were connected to the DXE driver and could be exploited by whoever gained elevated privileges.

The company has released patches for the vulnerabilities in its latest security advisory, including patches for five connectivity and boot issues.

**Which Devices are at Risk?**

Devices made by Lenovo, Microsoft, and Samsung are at risk due to using Snapdragon chipsets. However, the scope of impact is highly diverse as the vulnerabilities may affect vehicles to powerline communications. For your information, the Snapdragon CPU uses the ARM architecture.

Therefore, apart from Lenovo and other manufacturers, ARM-based Microsoft Surface and Windows Dev Kit 2023/Project Volterra computers were also affected by the vulnerabilities. Some vulnerabilities could lead to arbitrary code execution and be exploited for a Secure Boot bypass, allowing an attacker to gain persistence on a device by gaining privileges to write to the file system.

**How the Flaws Were Discovered?**

Binarly founder and CEO, Alex Matrosov revealed that they discovered around nine security vulnerabilities while examining the Lenovo Thinkpad X13s firmware powered by the Snapdragon system-on-a-chip.

Further probe revealed that some vulnerabilities were specific to Lenovo devices and five impacted Qualcomm reference codes. This means the vulnerabilities were impacting laptops and all other devices having Snapdragon chips installed.

Matrosov clarified that this was the first time UEFI firmware vulnerabilities connected to the ARM device architecture were disclosed at such a scale. The CEO also noted that the number of affected chipsets is “massive.”

The good news is that Lenovo has addressed the issue and its advisory is available here.

1.  Alert: New Bluetooth flaw lets attackers monitor traffic
2.  Source code of over 50 top organizations leaked online
3.  Hackers Exploiting MSI Afterburner to Deliver Coin Miner
4.  400 chip flaws turn 3 billion Android phones into spying tool
5.  Microsoft hopes Windows PCs protection with Pluton security chip

Chip Vulnerabilities Impacting Microsoft, Lenovo, and Samsung Devices

By Owais Sultan
An insider threat has emerged as one of the most significant threats to all types of businesses and organizations.
This is a post from HackRead.com Read the original post: Preventing Insider Attacks on Your HR System

Insider attacks can come from a variety of sources, including current and former employees, contractors, and third-party vendors.

Insider attacks on HR systems can be devastating for any organization. Not only can they lead to the loss of sensitive information, such as employee records and payroll data, but they can also erode trust and damage the company’s reputation.

Whether it be employee negligence, credential theft, or a criminal insider, the average cost of such a data breach is estimated at $484,931 per incident. That’s why it’s crucial to take steps to prevent these types of attacks from happening in the first place.

So, how do you do that? It all starts with identifying potential insider threats and implementing strong security measures to protect your HR systems.

**Identifying potential insider threats**

Insider attacks can come from a variety of sources, including current and former employees, contractors, and third-party vendors. This is why it is vital that you are aware of all individuals who have access to your HR systems and that you regularly review and update access permissions to ensure that only those who need access have it.

It’s also important to be aware of any individuals who have access to sensitive HR information, even if they don’t have direct access to the systems themselves. For example, a receptionist with access to physical employee files could potentially steal sensitive information and pass it along to someone else.

 This is why you must have strict protocols in place for accessing and handling sensitive information, regardless of whether it is stored digitally or in physical form.

**Implementing security measures**

Once you’ve identified potential insider threats, it’s time to take action to protect your HR systems. Some key measures to consider include:

**Using strong, unique passwords for all HR system accounts.**

Avoid using the same password for multiple accounts and consider using a password manager to generate and store secure passwords. It’s also a good idea to regularly update passwords and encourage employees to do the same.

**Enabling two-factor authentication for HR system accounts.**

This adds an extra layer of security by requiring users to enter a code sent to their phone or email in addition to their password when logging in. Two-factor authentication can help prevent unauthorized access, even if an attacker manages to obtain an employee’s password.

**Regularly reviewing and updating access permissions for HR systems**

Make sure that only those who need access have it and remove access for anyone who no longer needs it, such as former employees. It’s also a good idea to periodically review access permissions to ensure that they are still appropriate for each individual.

**Monitoring HR system activity and flagging any suspicious behaviour**

Use tools such as intrusion detection systems and log monitoring to identify and alert you to any unusual activity. This can help you catch potential insider attacks early on and take action to prevent further damage. Different HRIS systems have different security features, so be sure to review the available options and choose one that offers the right level of protection for your organization.

**Implementing security training for all HR personnel**

Make sure that everyone who has access to HR systems and sensitive information is aware of proper security practices and knows how to identify and report potential threats. Training can help employees understand the importance of protecting sensitive information and give them the tools they need to do so.

**Responding to an insider attack**

Despite your best efforts, it’s still possible that an insider attack could occur. In the event of an attack, it’s important to act quickly to minimize the damage. Some steps to take include:

*   Disconnecting affected HR systems immediately to prevent further access can help prevent an attacker from doing further damage and give you time to assess the situation.

*   Conducting a thorough investigation to identify the source of the attack – This may involve working with cyber security experts and law enforcement to track down the perpetrator. It’s important to understand how the attack occurred and what information may have been accessed or compromised.

*   Implementing additional security measures to prevent future attacks – This may include strengthening passwords, enabling two-factor authentication, and conducting regular security assessments. It’s also a good idea to review your current security protocols and see if there are any areas that need improvement. This could include strengthening access controls, increasing monitoring of system activity, or implementing additional training for employees.

*   Communicating the incident to relevant parties, including employees and authorities if necessary – It’s important to be transparent about the situation and to take steps to restore trust and prevent similar attacks from happening. This may involve informing employees about the attack, explaining what steps are being taken to address it, and offering resources for any affected individuals. Depending on the severity of the attack, it may also be necessary to inform authorities and take legal action against the perpetrator.

**Final word**

Preventing insider attacks on HR systems is a continuous process that requires regular attention and updates. By being proactive and taking steps to identify and mitigate potential threats, you can protect your organization’s sensitive information and maintain the trust of your employees.

It’s also important to have a response plan in place in case an attack does occur so that you can act quickly and effectively to minimize the damage and prevent future attacks. By following these best practices, you can help ensure that your HR systems are secure and that your organization’s sensitive information is protected.

1.  Managing Insider Threats with Internal Monitoring
2.  SEC charges dark web user of insider trading, money laundering
3.  Some Meta Employees and Security Guards Hacked User Accounts
4.  SpaceX employee admits security fraud, insider trading on dark web
5.  Insider hacks Marriott hotel reservation system; slashes rate up to 95%

Owais takes care of Hackread's social media from the very first day. At the same time He is pursuing for chartered accountancy and doing part time freelance writing.

Preventing Insider Attacks on Your HR System

By Owais Sultan
Do you run a Product as a Service business? Use the powerful advertising strategies in this article to…
This is a post from HackRead.com Read the original post: Advertising Strategies for PaaS services

**Do you run a Product as a Service business? Use the powerful advertising strategies in this article to succeed with your business & reach a wider audience.**

**Advertising Strategies For PaaS Services**

Businesses nowadays are increasingly turning to **PaaS services** to power their applications and services. They need an effective advertising plan to get the word out about their offer and attract new customers.

Have you ever considered using Platform-as-a-Service (PaaS) services to help promote your business? PaaS is a cloud computing platform that provides software tools, technologies, and resources needed to build applications.

It allows developers to quickly deploy applications and manage their infrastructure without worrying about the complexities of hardware or servers.

PaaS services are becoming increasingly popular for smaller and larger organizations looking for secure, reliable, cost-effective ways to manage their infrastructure. PaaS provides a range of features that can be used to create web applications quickly and efficiently without worrying about maintenance or server configuration.

However, **top PaaS providers** are also looking for some strategies that can help to attract more customers and stand out from the competition. This blog post will look at some of the best advertising strategies for PaaS services. Let’s dive in. 

**Set The Right Goals**

Setting goals for developing an advertising strategy for a Platform-as-a-Service (PaaS) company is essential to success. Every PaaS app will have different goals; the more your team can find out about the desired result, the more effective your plan can be. 

Whether you want to build brand awareness or directly increase conversions and revenue, define those objectives, so you know where to focus your efforts. Once you’ve done this, create a comprehensive, creative advertising plan that meets your goals and budget. 

Support it with data and analytics so you’re always aware of what strategies are succeeding, where you need improvement and any changes in consumer attitudes or behaviours. 

Advertising your PaaS product effectively means constantly adapting and refining processes, but with strong objectives in place, this should never feel intimidating.

**Improve Your Customer Experience**

When it comes to your PaaS services, the customer experience should always take priority. Therefore, crafting ads, and highlighting your services’ quality and convenience is critical. Your goal should be to convince customers that making the switch to you is worth it. 

To do so, an advertising strategy needs to focus on showcasing how customers will benefit from using your service, think of fast delivery times, improved efficiency, and access to exclusive features. It also helps if your visuals are attractive and upbeat; after all, creating ads with a touch of wit is guaranteed to draw attention. 

**Explain The Benefits, Not The Features**

When advertising PaaS services, a surefire way to get your audience interested is to focus on the benefits of the services instead of the features. Put simply; you want to explain why these services are unique and valuable for your target audience. 

Narrate a story that speaks directly to each member of your customer base, so they understand how the service fits into their needs and lifestyle. Boldly communicate what can be accomplished thanks to this PaaS offering and highlight the difference it makes or can make.

Speak in an attractive, knowledgeable way and sprinkle creative content throughout your advertising strategy, don’t underestimate the power of visuals and videos. Keep it brief but convincing, showcasing plenty of use cases and powerful testimonials devoted customers have shared about using the services.

**Don’t Underestimate Your Marketing Efforts**

Every business has to market itself to be successful, which goes for Platform-as-a-Service (PaaS) services. Many organizations need to pay more attention to their need to market themselves, not realizing its impact on their success. To build a foundation of promotion and recognition among the wider public, it’s important to develop a comprehensive advertising strategy. 

This would include carefully selecting appropriate channels, such as **search engine optimization** and content marketing, in addition to paid ads or promotions. Finding the right combination will work wonders in helping your PaaS services gain more visibility while creating trust and loyalty with potential customers. 

Remember to consider how far good marketing can take you. Investing in your advertising efforts will help you see a great return on investment in no time. Just like a prototype in **Figma** aids developers in bringing their ideas to life, well-crafted advertising strategies can similarly jump-start your PaaS services and get them off the ground.

**Ensure Customers Don’t Leave**

Optimizing your advertising strategy for PaaS Services is important to ensure customers stay. This can be achieved by bringing in new customers and emphasizing keeping existing ones. 

You should focus on developing tailored experiences that cater to the needs of existing customers and include provisions for feedback to iron out any issues or flaws that arise quickly. 

Furthermore, discount or loyalty initiatives such as offering coupons, exclusive loyalty cards, or referral programs could help you retain users. Also, ensure your advertising strategies constantly evolve with the markets, so your services remain competitive and interesting for customers.

**Offer Free Trial Period**

Businesses can benefit from offering a free trial period for their PaaS services. Free trials allow potential customers to test the services for a certain time and can be limited or unrestricted depending on the company’s advertising strategy. This is an effective way to get people on board with no obligations, as people are likelier to take advantage of something offered for free. 

Furthermore, providing free trials makes it easier for customers to decide whether or not they would like to commit to a specific service, as it allows them to experience what your company offers. 

In addition, a free trial encourages word-of-mouth marketing since satisfied customers will likely recommend the service, increasing brand awareness and lead generation significantly.

1.  **Crucial Cybersecurity Software Features (2022)**
2.  **5 Best Learning Management System (LMS) Software**
3.  **Why You Need to Amp Up Your Onboarding Experience**
4.  **Understanding Software Supply Chain and How to Secure It**

Advertising Strategies for PaaS services

By Waqas
Apparently, the server belongs to a company based in the US with offices around the globe including India.
This is a post from HackRead.com Read the original post: Top ERP Firm Exposing Half a Million Indian Job Seekers Data

At the time of writing, a misconfigured server belonging to an Enterprise Resource Planning (ERP) Software provider based in California, United States was still exposing data to public without any security authentication or password.

An **Elasticsearch server** belonging to a major international IT recruitment and software solution provider is currently exposing the personal data of more than half a million Indian candidates looking for jobs.

However, the data is not limited to jobseeker as the server is also exposing the company’s employees’ data. Another important aspect of this data exposure is the fact that it also contains the company’s client records from different companies, including Apple and Samsung.

This was confirmed to Hackread.com by **Anurag Sen**, a prominent independent security researcher. What is worse, the server is still exposed and publicly accessible without any security authentication or password. Originally, the server was being exposed since late December 2022.

It all started when Anurag scanned for **misconfigured databases on Shodan** and noted a server exposing more than 6GB worth of data to public access. Anurag said that the server belongs to a company originally based in the United States with offices around the globe  
including India. Whilst the database contains details of job seekers in **India**.

Hackread.com would not share the name of the company in this article because the server is still exposed.

**Exposed Data**

Anurag’s analysis of the server revealed that the exposed records contain personal data of over 575,000 individuals, while the size of the data is over 6.3GB and increasing with new data with each day passing. This data includes the following:

*   Full Name
*   Date of birth
*   Email address
*   Phone number
*   Resume details
*   Employer details

The screenshot below shows the candidate details and client data that are currently being exposed:

Image credit: Anurag Sen – Hackread.com

The screenshot below was taken from the live server that shows the company’s client details. Some of these are top companies Apple, Samsung, Sandisk, Unilog, Moody, Intuit, NEC Corporation, Falabella and many more.

The company’s client list also indicates that its a high-profile business with a presence all over the globe.

Screenshot credit: Anurag Sen – Hackread.com

**Indian CERT Alerted**

Since the server is still live at the time of writing; Anurag alerted the Indian Computer Emergency Response Team over the weekend. However, there has been no response from the authorities yet.

**India and server misconfiguration**

India is home to almost 1.4 billion people. This makes the country a lucrative target for businesses as well as cybercriminals. The more the investment, the more widespread and vulnerable the IT infrastructure becomes.

Last year, several top data exposure-related incidents involving tens of millions of victims were reported from India. These included **Indian Federal Police and banking records**, **Covid antigen test results**, **MyEasyDocs**, online packaging marketplace **Bizongo**, etc.

**Impact**

It is yet unclear whether a third party accessed the database **with malicious intent**, such as ransomware gangs or threat actors. However, if it did, it would be devastating for the victim and the healthcare firm responsible for the server.

Furthermore, considering the extent and nature of the exposed data, the incident can have far-reaching implications, such as bad actors downloading the data, carrying out phishing scams, or identity theft-related fraud.

Hackers can hold the company’s server or **data for ransom** and leak it on cybercrime forums if their demands are not met. Nevertheless, the victims in this situation are the job hunters who trusted authorities with their personal information.

**Misconfigured Databases – Threat to Privacy**

Misconfigured or unsecured databases, as we know it, have become a major privacy threat to companies and unsuspected users. **In 2020**, researchers identified over 10,000 unsecured databases that exposed more than ten billion (10,463,315,645) records to public access without any security authentication. 

**In 2021**, the number increased to 399,200 exposed databases. The top 10 countries with top database leaks due to misconfiguration in 2021 included the following:

*   USA – 93,685 databases
*   China – 54,764 databases
*   Germany – 11,177 databases
*   France – 9,723 databases
*   India – 6,545 databases
*   Singapore – 5,882 databases
*   Hong Kong – 5,563 databases
*   Russia – 5,493 databases
*   Japan – 4,427 databases
*   Italy – 4,242 databases

1.  **Hackers claim to be selling 13TB of Domino’s India data**
2.  **Hackers leak data of 29 million Indian job seekers for download**
3.  **India’s COVID-19 surveillance tool exposed millions of user data**
4.  **Hackers leak millions of Airtel India user data with Aadhaar numbers**
5.  **9,517 unsecured databases identified with 10 billion records globally**

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

Top ERP Firm Exposing Half a Million Indian Job Seekers Data

By Deeba Ahmed
The issue was caused by the software architecture used in Google Home devices.
This is a post from HackRead.com Read the original post: Google Home Vulnerability: Eavesdropping on Conversations

Matt Kunze, an ethical hacker, reported wiretapping bugs in Google Home Smart Speakers, for which he received a bug bounty worth $107,500.

Google Assistant is currently more popular among smart homeowners than Amazon Alexa and Apple Siri, given its superior intuitiveness and capability to conduct lengthy conversations. However, according to the latest research, a vulnerability in **Google Home Smart speakers** could allow attackers to control the smart device and eavesdrop on user conversations indoors.

**Findings Details**

The vulnerability was identified by Matt Kunze, a security researcher using the moniker DownrightNifty Matt. The researchers revealed that if exploited, the vulnerability could allow the installation of backdoors and convert Google Home Smart speakers into wiretapping devices. Moreover, Google fixed the issue in April 2021 following responsible disclosure on 8 January 2021 and developing a Proof-of-Concept for the company.

**Possible Dangers**

The vulnerability could let an adversary present within the device’s wireless proximity install a backdoor account on the device and start sending remote commands, access the microphone feed, and initiate arbitrary HTTP requests. All of this could be possible if the attacker is within the user’s LAN range because making malicious requests **exposes the Wi-Fi password** of the device and provides the attacker direct access to all devices connected to the network.

**What Caused the Issue?**

Matt discovered that the problem was caused by the software architecture used in Google Home devices as it let an adversary add a rogue Google user account to their target’s smart home devices.

A threat actor would trick the individual into installing a malicious Android application to make the attack work. It will detect a Google Home automation device connected to the network and stealthily start issuing HTTP requests to link the threat actor’s account to the victim’s device.

In addition, the attacker could stage a Wi-Fi de-authentication attack to disconnect the Google Home device from the network and force the appliance to initiate a setup mode and create an open Wi-Fi network. Subsequently, the attacker can connect to this network and request additional details such as device name, certificate, and cloud\_device\_id. They could use the information and connect their account to the victim’s device.

According to Matt’s **blog post**, the attacker could perform a range of functions, such as turning the speaker’s volume down to zero and making calls to any phone number apart from spying on the victim via the microphone. The victim won’t suspect anything because just the device’s LED turns blue when the exploitation happens, and the user would think the firmware is being updated.

Matt successfully connected an unknown user account to a Google Home speaker. He created a **backdoor account** on the targeted device and obtained unprecedented privileges that let him send remote commands to the Home mini smart speaker, access its microphone feed, etc. Watch the demo shared by the researcher:

It is worth noting that there’s no evidence this security loophole was misused since its detection in 2021. Being an ethical hacker, the researcher notified Google about the issue, and it was patched. Matt received a **bug bounty** worth $107,500 for detecting this security flaw.

1.  **Google Home Mini Secretly Recorded Conversations**
2.  **Voice assistant devices manipulated with ultrasonic waves**
3.  **Comcast voice remote control could be turned into a spying tool**
4.  **Using laser on Alexa and Google home to unlock your front door**
5.  **DolphinAttack: Voice Assistant Apps Siri and Alexa Can Be Hacked**

Google Home Vulnerability: Eavesdropping on Conversations

By Deeba Ahmed
3Commas' CEO, Yuriy Sorokin, has acknowledged the breach.
This is a post from HackRead.com Read the original post: 3Commas API Database Leaked by Anonymous Hacker

The Federal Bureau of Investigation (FBI) has launched an investigation into the hacking incident targeted against an Estonian crypto trading platform, 3Commas.

**Incident Details**

The hack occurred in early December 2022, during which the hacker gained access to the trading service’s system via the Application Programming Interface (**API**). How they compromised and accessed the platform’s systems is still a mystery.

Reportedly, 3Commas discovered the hacking on December 10th 2022 and an investigation was launched to determine the scale of damage and perpetrators. The FBI was duly notified. Two service users were contacted by the bureau’s Cincinnati Field Office on Thursday in connection to the incident. 

**A Case of Misses Alarm?**

In a **blog post** published December 11th, 2022, 3Commas CEO rubbished the claims from hackers and labelled them as “Bad faith actors” who are “making accusations using falsified evidence.”

Additionally, within the past few months, many 3Commas users discovered their funds were traded on different crypto exchanges they had linked to their accounts without their consent.

**According to** Coin Desk, One of the affected groups comprising sixty members contacted the US Secret Service and other agencies to report their missing funds. As per this group’s leader Edmundo Pena, the losses amounted to over $20 million. However, the platform **claimed** these users became targets of a phishing attack and there wasn’t anything wrong with the service.

**Leaked Data**

3Commas’ API data was the key target in this breach. An initial probe suggested that an anonymous entity leaked around 100,000 Binance and KuCoin API keys belonging to 3Commas. 

Leaked data includes usernames, hashed passwords, and email IDs, but it is unclear if cryptocurrency assets were stolen or financial information was accessed during the breach. According to the API database leaker, the 3Commas keys were sold by an insider. 

> — db (@tier10k) December 28, 2022

However, 3Commas CEO Yuriy Sorokin stated that there was no evidence to believe that any of their employees were involved in the attack. While the investigation is underway, 3Commas has urged users to protect their private and financial data and change their passwords.

Furthermore, they must enable 2FA authentication and monitor their accounts for any unusual activity. Binance CEO Changpeng Zhao aka CZ suggests that users may disable 3Commas API keys because of the leaks.

> I am reasonably sure there are wide spread API key leaks from 3Commas. If you have ever put an API key in 3Commas (from any exchange), please disable it immediately.
> 
> Stay #SAFU.
> 
> — CZ 🔶 Binance (@cz\_binance) December 28, 2022

1.  **The Most Common API Vulnerabilities**
2.  **Cloud Hacking – Why API Remains the Biggest Threat?**
3.  **Urlscan.io API Inadvertently Leaked Sensitive Data and URLs**
4.  **Google reveals unpatched 0day vulnerability in Microsoft’s API**
5.  **Millions impacted as payment API flaws exposing transaction keys**

3Commas API Database Leaked by Anonymous Hacker

By Deeba Ahmed
An EarSpy attack is a proof of concept of a new type of attack on Android devices that exposes users to eavesdropping.
This is a post from HackRead.com Read the original post: EarSpy Attack Can Use Motion Sensors Data to Pry on Android Devices

A technical paper titled “EarSpy: Spying Caller Speech and Identity through Tiny Vibrations of Smartphone Ear Speakers” has revealed how snoopers can exploit motion sensors installed inside **Android** cellphones can help adversaries eavesdrop on the user’s conversations.

**Startling Facts About Motion Sensors**

A team of researchers from different universities, including Rutgers University, Texas A&M University, Temple University, New Jersey Institute of Technology, and the University of Dayton, conducted the research.

The research team comprised Ahmed Tanvir Mahdad, Cong Shi, Zhengkun Ye, Tianming Zhao, Yan Wang, Yingying Chen, and Nitesh Saxena.

Dubbing this side-channel attack EarSpy, researchers noted that motion sensors could be used for registering ear speaker reverberations so that the attacker can determine caller identity and gender and listen to their private conversations.

This research has substantiated the assumption that eavesdropping through capturing motion sensor data is possible.

**How does EarSpy Attack help in Snooping?**

Researchers wrote that the **study** (PDF) was based on the belief that smartphones’ built-in motion sensors can let attackers collect data on indoor locations and touchscreen inputs along with listening to audio conversations without needing explicit permissions before collecting raw data.

Initially, they thought generating powerful vibrations through ear speakers to eavesdrop on user conversations wasn’t possible. But during their research, the team realized that modern smartphones have high-quality stereo speakers and highly sensitive sensors that can detect finer vibrations.

Hence, they finally determined the ideal environment for successful eavesdropping using various devices and techniques. They used multiple pre-recorded audio files, a 3rd party application for capturing sensor data as they simulated calls, and a machine learning algorithm for results interpretation.

**Research Findings**

The team found that gender detection was 98.6%, and speaker detection was up to 92.6% accurate. Moreover, they found speech detection up to 56.42% accurate. This proved the existence of differentiating between speech features in the accelerometer data that attackers can exploit for spying. EarSpy focused on gender recognition using data collected at 20 Hz, which indicates a lower sampling rate can allow attackers to determine the user’s gender.

Overview of ear speaker eavesdropping

**How to Prevent Eavesdropping?**

Researchers recommended limiting permissions to counter eavesdropping via sensor data so that 3rd party applications cannot record sensor data without the user’s permission. It is worth noting that Android 13 doesn’t allow sensor data collection at 200 Hz without the user’s permission to prevent accidental data leaks.

Furthermore, experts suggested that mobile device manufacturers must be cautious about designing more powerful speakers and instead focus on maintaining a similar sound pressure during audio conversations as was maintained by old-generation phones ear speakers.

Lastly, positioning motion sensors as far from the ear speaker as possible could minimize the phone speaker’s vibrations and diminish spying chances.

1.  **5 Tips for Protecting Your Phone from Malware**
2.  **10 Android Educational Apps That Collect Most User Data**
3.  **SSID Stripping flaw lets hackers mimic real wireless access points**
4.  **Hackers could access photos, videos without unlocking your phone**

EarSpy Attack Can Use Motion Sensors Data to Pry on Android Devices

By Habiba Rashid
The threat actor claims that Twitter data was "scraped via a vulnerability."
This is a post from HackRead.com Read the original post: 400 Million Twitter Users’ Scraped Info Goes on Sale!

The sample data seen by Hackread.com shows that the sold information also includes records on top celebrities and political figures, such as Democratic Rep. Alexandria Ocasio-Cortez and Bollywood’s Salman Khan.

On December 23, 2022, a threat actor going by the handle “Ryushi” claimed to sell more than 400 million Twitter users’ personal details on BreachedForums, a cybercrime and hacking forum that surfaced as an alternative to the **now-seized Raidforums**.

As seen by Hackread.com, the sample data attached to the post contains private email addresses, usernames, follower counts, creation dates, and, in certain cases, the user’s phone numbers.

The sample data also contains a variety of well-known user accounts including New York Democratic Rep. Alexandria Ocasio Cortez, Ethereum cryptocurrency founder Buterin, Indian actor Salman Khan and cybersecurity reporter Brian Krebs. 

> Hey @elonmusk, since you don't seem to have much a media/comms team anymore, can you address the apparently legitimate claim that someone scraped & is now selling data on hundreds of millions of Twitter accounts? Maybe it didn't happen on your watch, but you owe Twitter a reply.
> 
> — briankrebs (@briankrebs) December 27, 2022

It is worth mentioning that the latest data leak came just one month after a hacker leaked the contact and personal details of over **5.3 million Twitter users** online. Both the earlier and latest incidents are now being **investigated** by Irish authorities.

The threat actor stated in the post that the data had been “scraped via a vulnerability” but did not specify any further details.

Further, they openly advised the **CEO of the social media giant, Elon Musk**, that he should buy this data directly from the hacker instead of “paying $276 million USD in GDPR breach fines like Facebook did” but does not specify a price at which the data is being sold.

Sample data seen and analyzed by Hackread.com (Image credit: Waqas – Hackread.com)

Offering to conduct the “deal” through a middleman, the threat actor states, “After that, I will remove this thread and will not sell this info again. And data won’t be sold to anyone else, which will stop a lot of celebrities and politicians from Phishing, Crypto scams, Sim swapping, Doxxing, and other things that will make your users lose trust in you as a company and thus stunt the current growth and hype.”

Researchers who have seen the sample data believe that this alleged data leak is the result of an API flaw which allowed the threat actor to search any email addresses or phone numbers and return a **Twitter** profile.

This attack followed only months after Twitter entered into a **consent order** with the US Federal Trade Commission binding it to maintain a privacy and information security program for the next two decades.

The agreement ended a federal investigation into Twitter’s use of phone numbers and email addresses for advertising purposes when they were collected to be used for multi-factor authentication. Twitter also paid a $150 million civil penalty.

Therefore, if this data breach is verified, the impact on Twitter would be drastic both financially and socially. At the time of writing, the data was still up for grabs.

1.  **Hackers leak scraped data of 87,000 GETTR users**
2.  **Nearly 500 million WhatsApp User Records Sold Online**
3.  **Leaky Server Exposing Scraped Data of 150,000 Mastodon Users**
4.  **Leaked: 235m Instagram, TikTok, YouTube users’ scraped records**
5.  **Meta Fined €265 million in Facebook Data Scraping Case in the EU**

I’m a student and cybersecurity writer. On a random Sunday, I am likely to be figuring out life and reading Kafka.

400 Million Twitter Users’ Scraped Info Goes on Sale!

By Deeba Ahmed
It turns out that hackers stole much more than just the source code from LastPass.
This is a post from HackRead.com Read the original post: LastPass: Hackers Stole User Data and Encrypted Password Vaults

According to LastPass, hackers managed to access end-user names, company names, billing addresses, telephone numbers, email IDs, and IP addresses in the August 2022 data breach.

In August 2022, **Hackread.com reported** on a data breach involving the popular password management service LastPass in which the company claimed only its source code was stolen by hackers. The latest reports reveal that the breach’s scope was way more extensive than the company claimed earlier.

Do not confuse the new details with the data breaches that LastPass revealed in September of 2022, or the one **in earlier December** of this year.

On Thursday, LastPass released updated information about the breach, revealing that attackers managed to steal the personal data of a large number of its customers, including encrypted password vaults. Furthermore, the attackers used previously leaked data to access the vaults.

Hackers reportedly accessed the private data and metadata of its customers. The information obtained by attackers included end-user names, company names, billing addresses, telephone numbers, email IDs, and IP addresses the customers used for accessing **LastPass**‘s services.

Further, the attackers also copied the backup of customer vault data, including website URLs and other encrypted data fields, like website usernames, form-filled data, secure notes, and passwords. But unencrypted credit card data wasn’t breached.

These fields were secured with **256-bit AES encryption**. Hence it could only be decrypted through a unique encryption key obtained from the master password of each user. For this, the attackers used LastPass’s Zero Knowledge architecture, Karim Toubba, the company’s CEO, wrote.

He didn’t reveal how recent the backup was but noted that the attacker used brute force to obtain the master password and decrypt the vault data.

“If you reuse your master password and that password was ever compromised, a threat actor may use dumps of compromised credentials that are already available on the internet to attempt to access your account,” the CEO added.

The attackers also stole proprietary technical data and source code from LastPass’s development environment. All of this they achieved using the compromised accounts of an employee.

According to LastPass’s **blog post**, the attacker obtained keys and credentials to steal data from a backup stored in a Cloud-based storage service, which operated independently and wasn’t a part of its production environment. The encrypted vault data was also stored in the same service’s “proprietary binary format.”

The incident is currently under investigation. The company has notified a small portion (3%) of its business clients to take preventive measures on their account configurations.

1.  **LastPass hacked; security compromised for good**
2.  **LastPass Flaw Allowed Hackers to Steal Credentials**
3.  **Critical vulnerabilities found in popular Password Managers**
4.  **PasswordState password manager’s update dropped malware**

LastPass: Hackers Stole User Data and Encrypted Password Vaults

By Waqas
In BetMGM's case, hackers are selling data of 1.57 million customers, while data of 68,000 DraftKings customers is also up for grabs.
This is a post from HackRead.com Read the original post: Online Casinos DraftKings and BetMGM Hacked; Data of Millions at Risk

Threat actors are now targeting online betting platforms and casinos since two mainstream casino sites have been targeted and hacked within a brief period.

**BetMGM Hacked**

MGM Resorts owns BetMGM. **In May 2022**, MGM Resorts had 142 million customer records leaked on Telegram from the **2020 breach**; BetMGM is the latest to suffer a data breach.

BetMGM is an online sports betting platform that suffered a data breach recently, resulting in the leaning of data of 1.57 million of its customers. As seen by Hackread.com, the attacker placed the stolen database up for sale the same day on BreachedForums, a cybercrime and hacking forum that surfaced as an alternative to the **now-seized Raidforums**.

In their post, the attacker claimed the database contained records dating from November belonging to every customer who had placed a casino wager. The message was posted on December 21st, 2022. The hacker also shared data samples. However, it wasn’t clarified how much they demanded to sell the database.

“We breached BetMGM’s casino database current as of Nov 2022. The database is inclusive of every BetMGM casino customer (over 1.5M) as of November 2022 from MI, NJ, ON, PV, and WV. Any customer that has placed a casino wager is included in this database,” the hacker said.

On the other hand, BetMGM confirmed the attack by posting a statement on its website on the same date, i.e. December 21st, 2022. The statement revealed the hackers gained unauthorized access to its system and stole patron records.

The company revealed that it detected a data breach on November 22 and suspects that the intrusion occurred in May 2022.

**What Data Was Stolen?**

According to BetMGM, the stolen data includes names, postal addresses, email IDs, phone numbers, dates of birth, account identifiers, hashed Social Security Numbers, and transactions-related information of its customers.

The data “varied by patron,” the company **stated**, adding that so far, there’s no evidence that passwords and account funds were accessed. The company still urges its customers to change passwords and has promised to offer impacted customers free identity restoration and credit monitoring services for up to two years.

**DraftKings Hacking**

Another online sports betting platform, DraftKings, has become the target of hacking lately and has lost the private data of 68,000 customers. The company became a victim of a **credential stuffing attack** where the attackers used previously leaked credentials to access DraftKings’ user accounts and steal personal data.

The hackers also withdrew funds from victims’ accounts. It is worth noting that the company’s cofounder Paul Liberman has **confirmed** the attackers stole $300,000 from victims’ accounts. The incident occurred in November.

DraftKings stated that it would restore the stolen funds and sent notification letters to affected customers on Friday, informing them about the leaking of their data.

“Based on our investigation to date, we believe that attackers may have previously gained access to your username or email address and password from a non-DraftKings source and then used those credentials to access your DraftKings account,” the letter read.

**What Data was Exposed?**

According to DraftKings, the personal information compromised in this breach can include customer names, phone numbers, addresses, email IDs, account balances, profile photos, previous transaction information, last password change date, and the last four digits of their payment cards.

However, there wasn’t any evidence that hackers stole Social Security Numbers, financial account numbers, and driver’s license numbers. DraftKings urged customers to change their account credentials and reset passwords immediately.

“We have restored amounts that have been withdrawn from certain accounts in connection with credential stuffing attacks, as determined and identified by DraftKings,” the company stated.

1.  **Casino Becomes Victim of Data Hack, courtesy Fish Tank**
2.  **Ransomware Group ‘FIN10’ Hacked Casinos, Mining Firms**
3.  **Computer System of Canadian Casino Hacked; Data Stolen**
4.  **Hackers attack Casino’s fish tank thermometer to obtain data**
5.  **Gambler Hacks Casino Surveillance System To Win $33.2 Million**

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism