Privacy bugs in well-known services. Wolverine credential-stuffing. Dating apps exposed data? BMW owners' info for sale.

Summary

By the CyberWire staff

At a glance.

LinkedIn is working on a privacy bug.
DuckDuckGo reviews its handling of favicons.
Alleged University of Michigan breach was really a minor wave of credential-stuffing.
Dating apps leak personal information through exposed, unsecured databases.
BMW owners database for sale in criminal markets.

Privacy bug found in LinkedIn.

ZDNet reports that a beta version of iOS 14, which includes a feature that enables users to see each paste notification, has revealed an inadvertent feature of LinkedIn: the app reads clipboard content after each keystroke. Contacted about the issue, LinkedIn said the behavior was inadvertent, that they "don't store or transmit the clipboard contents," and that the company is working to eliminate the bug as soon as possible.

DuckDuckGo questioned over favicon handling.

DuckDuckGo users, as one would expect a touchy lot with respect to privacy, are complaining to the privacy-focused search engine about the way it handles favicons, icons that carry frequently visited urls. HackRead reports that the problem amounts to collection of a user's browser history. The Daily Swig has an account of DuckDuckGo's response: this is, the company says, a bug, not a policy, and that the search engine intends to address the issue promptly.

In an apparently unrelated matter, users in India report that many of that country's ISPs are blocking access to DuckDuckGo. Why they're doing so isn't clear, and according to TechRadar several of the ISPs are restoring access. There's some speculation that the search engine was inadvertently swept up in New Delhi's ban of fifty-nine apps on the grounds that they're potentially susceptible to Chinese control and hence represent an unacceptable security risk.

Third-party data breaches affect University of Michigan students and alumni.

Rumor and alarum circulated Friday, the Detroit Free-Press reports, among University of Michigan alumni and students to the effect that the university had sustained a massive data breach that compromised their university email credentials. (One representative tweet read, "If you’re a Umich student or even if you just recently graduated, change your password!! Database got hacked and thousands of email and passwords have been released.") The university investigated, however, and found that there was no breach. Some accounts had been compromised, but that was due to older breaches at third-party sites like Chegg, Zynga, and LinkedIn being used in credential-stuffing attacks against those who reuse passwords. Michigan has reset passwords of affected accounts and is notifying the users; the university would also like people to please stop reusing passwords and while they're at it start using two-factor authentication.

Dating apps leaked personal information in exposed, unsecured databases.

Researchers at WizCase report that five dating apps based in three different countries (the US, South Korea, and Japan) have inadvertently left user data exposed in unsecured databases. The five services affected are:

"Catholic Singles — Leaked email addresses and phone numbers put users at risk of phishing emails and phone scams."
"SPYKX — Exposed cleartext passwords and email addresses could let hackers access personal data kept on the account, leading to identity theft and fraud."
"YESTIKI — GPS data, venue addresses, and match dates and times make users vulnerable to stalkers."
"Blurry — Exposed messages may contain identifiable private data that could be used to blackmail users."
"Charin and Kyuun — Leaked data includes user search preferences and message content that can be used to blackmail victims who want to keep information private."

WizCase's blog does not indicate whether they disclosed their discovery to the five affected sites, nor does it say what if any action the sites took to secure the data.

WizCase says it also found six other databases whose ownership was unclear, but that appear to contain information scraped from other dating sites.

BMW owners database offered for sale in the underground.

Cybercriminals of the KelvinSecurityTeam are selling a database holding personally identifiable information from 384,319 British owners of BMWs. SC Magazine reports that the offer was discovered by Tel Aviv-based dark web intelligence shop KELA. The information includes initials and last names, emails, addresses, vehicle numbers, dealer names, and other material. KELA says the KelvinSecurityTeam represents the data as having been obtained from "a call center."

We heard from ImmuniWeb, whose founder and CEO Ilia Kolochenko sees the incident as one deriving from poorly managed IT, and he observes with regret that some of the intrusions that result from such carelessness may never be discovered, still less disclosed:

“At ImmuniWeb, we're observing a rapid and uncontrolled proliferation of shadow and abandoned IT assets, spanning from unprotected cloud to vulnerable web applications with business-critical data. The situation is dramatically exacerbated by third-parties with privileged access to organizations’ data - exactly what has reportedly happened with BMW, when a supplier is to blame for the incident."

"Even though stolen credit card data is now becoming cheaper amid the pandemic, many methods of credit card use require physical activities and human presence, so are in fact costlier and riskier to implement amid COVID-19. The situation is, however, rather a temporary fluctuation than a long-term trend.

"Against this background attackers are shifting their malicious efforts to target other goods such as PII*. We should also expect skilled cybercriminals to attack organizations for their trade secrets and other types of intellectual property. Worse, some of such intrusions are never discovered or reported.”

Selected Reading

Anonymous Hackers Warns to All: 'Uninstall TikTok Now!' (Tech Times) Anonymous said its a certified 'Chinese malware.'

‘State-backed’ group spying on Indians: Report (The Times of India) India News: After seven years of targeting countries in West Asia and Europe, a sophisticated and resilient cyber espionage group, Promethium, has shifted its foc

North Korean hackers linked to web skimming (Magecart) attacks, report says (ZDNet) After hacking banks and cryptocurrency exchanges, orchestrating ATM cash-outs, and deploying ransomware, North Korean hackers have now set their sights on online stores.

North Korean hackers are skimming US and European shoppers (Sansec) North Korean state sponsored hackers are implicated in the interception of online payments from American and European shoppers, Sansec research shows. Hackers associated with the APT Lazarus/HIDDEN COBRA1 group were found to be breaking into online stores of large US retailers and planting payment skimmers as early as May 2019.

Enterprises in Americas, Europe Targeted With Valak Information Stealer (SecurityWeek) The Valak information stealer is being distributed in ongoing campaigns aimed at enterprises in North America, South America, Europe and likely other regions

Try2Cry ransomware tries to worm its way to other Windows systems (BleepingComputer) A new ransomware known as Try2Cry is trying to worm its way onto other Windows computers by infecting USB flash drives and using Windows shortcuts (LNK files) posing as the targets' files to lure them into infecting themselves.

BMW customer database for sale on dark web (SC Media) A database of 384,319 BMW car owners in the U.K. is being offered for sale on an underground forum by the KelvinSecurity Team hacking group, according to

NHAI was hit by ransomware attack, suffered loss of data (The Times of India) Last week’s cyber attack on the mail server of the National Highways Authority of India (NHAI) has been found to be a ransomware attack tha.

Notorious criminal group hacks Fort Worth agency, holding data for ransom, experts say (Fort Worth Star-Telegram) A ransomware gang is holding Fort Worth’s regional transportation agency’s private data hostage, according to two cybersecurity companies that monitor the criminal group.

5 dating apps caught leaking millions of user-sensitive data (HackRead) All 5 apps were exposing user data due to database misconfiguration.

Data Breach: Millions of Dating App Records, Messages, and User Profiles Exposed in Data Leak (WizCase) WizCase’s security team has recently uncovered breaches in 5 different dating site and app databases. These leaks have compromised user data, including sensitive and confidential information like real names, billing addresses, email addresses, phone numbers, private messages, and more. The total number of leaked entries is in the millions. Every server was easily accessible ...

Cyber thieves use selfies to steal your personal information (KOMO) Fraudsters are always looking to up their game. The cyber thieves who send out phishing emails have figured out a new way to steal your personal information. In most cases, when if you click on a link in one of these bogus emails, you get taken to a copycat website run by the criminals. It looks legitimate and asks you to login using your personal credentials. Do that and you’ve given hackers the keys to your account.

LinkedIn says iOS clipboard snooping after every key press is a bug, will fix (ZDNet) The new clipboard access detection and warning feature in iOS 14 exposes another app.

DuckDuckGo collecting user browsing data without consent (HackRead) An ethical hacker on Twitter revealed how intentionally or unintentionally DuckDuckGo is tracking the websites a user visits.

University of Michigan: Leaked emails, passwords were from '3rd-party data breaches' (Detroit Free Press) University of Michigan says a breach of student email addresses and passwords was the result of older "third-party data breaches".

Early Covid-19 tracking apps easy prey for hackers, and it might get worse before it gets better (POLITICO) The apps could prove vital to curtailing the virus’s spread as states reopen, but security fears may make them unpopular with users.

Companies start reporting ransomware attacks as data breaches (BleepingComputer) Corporate victims are finally starting to realize that ransomware attacks are data breaches and have begun to notify employees and clients about data stolen data.

Equifax Investors' Attys Will Earn $29.6M Fee In Stock Suit (Law360) A team of attorneys from Bernstein Litowitz Berger & Grossmann LLP and Bondurant Mixson & Elmore LLP will be taking home a more than $29.6 million counsel fee for representing a proposed class of Equifax investors after securing a $149 million settlement of a suit over the company's vast 2017 data breach, a Georgia federal judge determined.

Insurer Won't Defend Biz That Sold Access To Biometric Data (Law360) Citizens Insurance Co. of America told an Illinois federal judge that it has no duty to defend Wynndalco Enterprises in a class suit accusing Wynndalco of violating biometric privacy by selling access to Clearview AI Inc.'s database to Illinois consumers.

Patients Sue Fla. Orthopedic Provider Over April Data Breach (Law360) Customers have hit Florida Orthopaedic Institute with a proposed class action in state court over an April data breach, claiming the health care provider failed to protect patients' medical records and personal information and also did not investigate or notify them in a timely manner.