This week two popular online sites suffered hacks, exposing sensitive customer data.
Flipboard, a popular news aggregation app, confirmed that it had seen unauthorised access to databases containing some users’ account information, including full names, usernames, hashed passwords and email addresses.
There is no evidence of unauthorised access to digital tokens used to connect Flipboard accounts to third-party accounts (such as Facebook).
As a precaution, all passwords have been reset and digital tokens have been replaced or deleted.
Elsewhere Canva, a Sydney-based online graphic design service, suffered a hack which exposed details such as customer usernames, real names, email addresses, and city & country information. Hashed passwords and Google tokens for some users were also present in the database.
Well-known hacker GnosticPlayers has claimed responsibility for the Canva hack, which has potentially affected 139 million users around the world.
We recommend that customers of both sites update their passwords. Now would also be a good time to check if your account has appeared in any other public data breaches. Visit Have I Been Pwned, enter your email address and go from there.
The NCSC has published analysis of the 100,000 most commonly re-occurring passwords that have been accessed by third parties in global cyber breaches.
Password re-use is a major risk that can be avoided – nobody should protect sensitive data with something that can be guessed, like their first name, local football team or favourite band. Using hard-to-guess passwords is a strong first step and we recommend combining three random but memorable words.
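One way a service can act on a published list of breached passwords, added here as an example and not part of the original report: reject a candidate password at registration or reset time if it appears in a breach corpus, without ever sending the password itself to the lookup service. The check below follows the k-anonymity range query that Have I Been Pwned's Pwned Passwords API uses: the client sends only the first five hex characters of the password's SHA-1 digest and matches the remaining 35 characters locally against the returned `SUFFIX:COUNT` lines. The range responses in `CONSTRUCTED_RANGES` are made up inline (with real SHA-1 digests of two well-known weak passwords but invented counts) so the script runs offline; `fetch_range_online` shows the shape of the real endpoint and is not called.

```python
import hashlib
import urllib.request
from typing import Callable, Dict, Tuple

# Constructed stand-in for the remote range store: prefix -> response body.
# Suffixes for "password" and "123456" are their real SHA-1 digests minus the
# 5-char prefix; the counts and the other filler lines are invented.
CONSTRUCTED_RANGES: Dict[str, str] = {
    "5BAA6": (
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\n"   # sha1("password")
        "00A9EE8E5B9E8C7B2B7A6F0D1C2E3F4A5B6:2\n"         # filler, invented
    ),
    "7C4A8": (
        "D09CA3762AF61E59520943DC26494F8941B:24230577\n"  # sha1("123456")
        "F0F1F2F3F4F5F6F7F8F9FAFBFCFDFEFF000:1\n"         # filler, invented
    ),
}


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the UTF-8 password, the digest form the corpus uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_for_range_query(password: str) -> Tuple[str, str]:
    """Return (prefix, suffix): only the 5-char prefix leaves the client."""
    digest = sha1_hex(password)
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a suffix -> count mapping."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def fetch_range_offline(prefix: str) -> str:
    """Look up the constructed range store; an unknown prefix yields no matches."""
    return CONSTRUCTED_RANGES.get(prefix.upper(), "")


def fetch_range_online(prefix: str) -> str:
    """Real Pwned Passwords range endpoint (requires network; not used below)."""
    url = f"https://api.pwnedpasswords.com/range/{prefix}"
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """How many times the password appears in the corpus (0 if unseen)."""
    prefix, suffix = split_for_range_query(password)
    counts = parse_range_response(fetch_range(prefix))
    return counts.get(suffix, 0)


def is_acceptable(password: str, fetch_range: Callable[[str], str]) -> bool:
    """Policy: any password seen in a breach corpus is rejected outright."""
    return breach_count(password, fetch_range) == 0


if __name__ == "__main__":
    # "pebble-lantern-giraffe" is a constructed three-word passphrase.
    for candidate in ("password", "123456", "pebble-lantern-giraffe"):
        seen = breach_count(candidate, fetch_range_offline)
        verdict = "accept" if is_acceptable(candidate, fetch_range_offline) else "reject"
        print(f"{candidate!r}: seen {seen} times -> {verdict}")
```

Because the server only ever receives a 5-character prefix, it learns which of roughly a million digest buckets the password falls into, not the password; the comparison of the full suffix happens on the client. Swapping `fetch_range_offline` for `fetch_range_online` turns the same logic into a live check.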
Windows vulnerability still affecting nearly 1 million computers
A couple of weeks ago we wrote about a Remote Code Execution vulnerability (CVE-2019-0708) in our threat report, but to date almost a million computers are still vulnerable.
The vulnerability, which was privately reported to Microsoft by the NCSC, affects older versions of Windows and it poses a serious threat. The NCSC works with vendors to help mitigate critical security issues before they cause real harm. We have a history of disclosing vulnerabilities to major software vendors and the disclosure of CVE-2019-0708 to Microsoft is an example of that.
The vulnerability, which has been dubbed BlueKeep, has gathered more traction in the mainstream press this week. You can read further detail in the Threat Report issued on the 17th May, but our advice still stands – keep your systems up-to-date and patched.
Organisations and individuals should apply Microsoft’s May security patches as soon as possible. In particular, organisations should focus on the following:
- external facing RDP servers
- critical servers such as domain controllers and management servers
- non-critical servers that have RDP enabled
- the rest of the desktop estate
Further information about the May 2019 security updates can be found on Microsoft’s website.