Latest news with #dataexposure


Irish Times
16 hours ago
Records of six million people exposed in Qantas cyber attack
Qantas has suffered a major cyber-attack, potentially exposing the records of up to 6 million customers. The airline said on Wednesday that the affected system had now been contained and its systems were secured.

The system in question was a third-party platform used by the airline's contact centre, which contains the records of 6 million customers. The data includes customer names, email addresses, phone numbers, birth dates and frequent flyer numbers. It did not contain credit card details, financial information or passport details. Frequent flyer accounts were not compromised, neither were passwords, pins or login details.

Qantas said it first detected the unusual activity on Monday and immediately took steps to contain the system. Qantas is assessing the portion of data stolen but said it was expected to be 'significant'.

The identity of the attacker is not yet known but is believed to bear similarities to the tactics of the so-called Scattered Spider ransomware group that had been targeting airlines and retail stores in the US and UK. The Guardian reported in May that Scattered Spider is unusual among hacking groups deploying ransomware because it is composed of native English speakers from countries such as the UK, US and Canada.

The FBI last week warned airlines in the US that the group was targeting the aviation sector. In a post on X, the FBI said the group uses social engineering techniques, often impersonating employees or contractors to deceive IT help desks into granting access, and bypassing multi-factor authentication. 'They target large corporations and their third-party IT providers, which means anyone in the airline ecosystem, including trusted vendors and contractors, could be at risk,' the FBI said. They then steal sensitive data for extortion and often deploy ransomware that locks up company systems.

Qantas said it has informed the Australian Cyber Security Centre, the Office of the Australian Information Commissioner, as well as the Australian federal police. The airline's chief executive, Vanessa Hudson, said the company had recruited independent specialised cybersecurity experts to investigate the matter. A dedicated customer support line and a dedicated page on the company's website will update customers as the investigation progresses.

'We sincerely apologise to our customers and we recognise the uncertainty this will cause,' Ms Hudson said. 'Our customers trust us with their personal information and we take that responsibility seriously.

'We are contacting our customers today and our focus is on providing them with the necessary support.'

Cyber-attacks remain on the increase in Australia, after superannuation funds in April suffered hacks on a small handful of customers that resulted in more than $500,000 being taken from their accounts.

In May, the Office of the Australian Information Commissioner said the number of data breaches reported under the mandatory notification scheme had increased by 25 per cent in 2024, compared with 2023. According to the report covering July 1st to December 31st 2024, there were 595 data breaches in the latter half of the year, taking the total number of breaches reported that year to 1,113, up 25 per cent from 893 in 2023.

In the half year, the highest number of reports came from health providers (121) followed by government (100), finance (54), legal and accounting (36), and retail (34).

The report found 69 per cent of the data breaches occurred due to malicious or criminal attack, with phishing – that is, using compromised credentials to access data – being the most common at 34 per cent of such incidents. It was followed by ransomware at 24 per cent.

The majority of reported breaches affected fewer than 5,000 people each but two were reported to affect between 500,000 and 1 million people. Most personal information in the breaches comprised contact information, ID information or financial or health information.

- Guardian
Yahoo
6 days ago
BI revealed that Scale AI exposed sensitive data about Big Tech clients. Now, the company says it's taking action.
This post originally appeared in the Business Insider Today newsletter.

In today's big story, a report by BI revealed that Scale AI exposed sensitive data about clients like Meta and xAI in public documents. The company has since said it's launching an investigation.

All you needed was the right URL. With that, anyone could access a number of Scale AI's public Google Docs, some of which were marked "confidential." A few clicks later, private information about the company and thousands of its contractors would have been at your fingertips.

Business Insider revealed this in our reporting. We alerted Scale AI about the security hole two weeks ago, and the company has since launched an investigation and locked down thousands of files that were previously accessible.

Some of those files tracked AI training projects for high-profile customers like Google, xAI, and Meta. BI saw sensitive details about how Google used ChatGPT to improve its own struggling chatbot, then called Bard. For Elon Musk's xAI, public documents showed details of "Project Xylophone," an initiative to improve its chatbot's conversations on a wide range of topics, from the zombie apocalypse to life on Mars. Meta, which is making a $14 billion investment in Scale AI, had confidential training documents exposed with links to audio files with examples of "good" and "bad" speech prompts.

Then there's the contractors. Their names, private email addresses, and details about their work performance were all accessible. BI saw a spreadsheet titled "Good and Bad Folks" that categorized dozens of workers as either "high quality" or suspected of "cheating."

There's no indication that Scale AI had suffered a data breach because of this. Scale AI has routinely used public Google Docs to track work for high-profile customers, as it's an efficient way to share information with its more than 240,000 contractors. But while "efficiency" has long been the watchword in Big Tech, it shouldn't come at the expense of "security." Cyberdefense experts told BI that Scale AI's practice could have left it vulnerable.

After Scale AI's lockdown following our report, one contractor told BI that many teams' work had ground to a halt due to the new restrictions. "We are basically chilling out here," the contractor said.

For more on Scale AI, sign up to get the next edition of my colleague Alistair Barr's Tech Memo newsletter in your inbox tomorrow.

1. The tech trade still has room to run. With the tech-heavy Nasdaq hovering near all-time highs, UBS recommends that investors stick with the sector. The bank said AI adoption is still in its early stages and is set to continue growing.
2. Jerome Powell is having doubts about the data. The Fed Chair on Tuesday voiced concerns about the quality of economic data from the Bureau of Labor Statistics — a huge concern since the Fed relies on that data to adjust policy. DOGE cuts may be to blame.
3. Investing advice from a billionaire. Bill Gross is bearish on bonds and bullish on stocks, citing AI as a likely growth factor. He shared his take on how investors should position themselves in an unpredictable market.

1. Amazon's Whole Foods chief slams the unit's internal bureaucracy. In an internal meeting, Jason Buechel recently blamed the unit's red tape for slowing down the business, according to a recording of the meeting exclusively obtained by BI. Amazon is unifying its grocery teams under its "One Grocery" initiative and Buechel identified "overlapping work" as a top priority.
2. Are you coming to my party? RSVP on Partiful. No, wait, it's on Luma. It's on Apple Invites. I mean Shine Parties. Young people are sending invitations for everything from big birthday bashes to move-outs and crash-outs. The age of invitation overload is making it harder to understand what we're attending and what's expected of us.
3. Apple keeps betting on big-budget movies, but the math doesn't add up. The Brad Pitt-led racing movie "F1" is Apple's newest theatrical release. But the company's movie-making arm seems like a big money pit, and it's not clear what Apple's getting out of it, BI's Peter Kafka writes.

1. Sorry, kids. No more cheap toys. Toy prices increased by 2.2% between April and May, according to federal statistics. That's thanks to President Donald Trump's tariffs, since most toys are made in China. As a parent, BI's Katie Notopoulos has mixed feelings.
2. The billionaires who bet big on the NYC mayoral primary — and lost. Zohran Mamdani is projected to win the Democratic nomination for mayor, edging out frontrunner Andrew Cuomo. See the billionaires who together spent millions on anti-Mamdani messaging, including Michael Bloomberg, Bill Ackman, and Ken Griffin.
3. Amazon is coming for Walmart's rural dominance. Amazon recently announced it's adding 4,000 "smaller" communities to its same-day and next-day delivery service. The move takes direct aim at Walmart, which can deliver from its more than 4,600 stores that are located within 10 miles of 90% of the US population.

Bureau of Economic Analysis publishes final GDP data for Q1. Nike and Walgreens Boots Alliance report earnings.

Dan DeFrancesco, deputy editor and anchor, in New York (on parental leave). Hallam Bullock, senior editor, in London. Meghan Morris, bureau chief, in Singapore. Grace Lett, editor, in Chicago. Amanda Yen, associate editor, in New York. Lisa Ryan, executive editor, in New York. Akin Oyedele, deputy editor, in New York. Ella Hopkins, associate editor, in London.

Read the original article on Business Insider


Fox News
25-06-2025
16 billion passwords leaked in massive data breach
Your personal data is collected by almost every site or app you visit. The world is more data hungry than ever because it's now the most important asset, even more valuable than oil. Your shopping history is logged, your search history is captured, and your phone number, email address, and IDs are all stored. But that doesn't mean all this data is safe.

If you've ever received a spam call, phishing email, or a fake support call, your personal data is out there. And if you want proof of how poorly your data is treated, a newly uncovered database offers a stark reminder. More than 16 billion login credentials, collected from years of past data breaches, have been compiled into one of the largest aggregated archives of cybersecurity incidents ever seen, according to a report.

Cybernews describes the exposed database as a "blueprint for mass exploitation." The records include login credentials from popular platforms like Google, Facebook, and Apple.

Security researchers emphasize that this isn't the result of a new, single breach. Instead, it's a massive collection of previously stolen credentials from various past leaks, phishing scams, and third-party data exposures, some of which were forgotten, underreported, or re-shared.

BleepingComputer, a cybersecurity site that reviewed the archive, confirmed the data appears to be aggregated from older breaches rather than a fresh incident. This makes the scope of the exposure particularly dangerous because attackers can use this central trove for targeted attacks, including credential stuffing.

Credential stuffing becomes much easier when attackers have access to such a vast pool of usernames and passwords. This technique involves using stolen login details across multiple sites, exploiting the fact that many users reuse the same credentials. So even if your account wasn't part of a recent breach, you could still be at risk if your old credentials are part of this newly indexed compilation.

We reached out to Apple, Google and Meta for comment.

A Google spokesperson stated that this issue did not stem from a Google data breach and that Google continues to strongly encourage users to adopt more secure, passwordless authentication methods, such as passkeys. They also suggest using tools like Google Password Manager, which securely stores your passwords and notifies you when they've been involved in a breach, allowing you to take immediate action.

A rep from Meta said, "We don't have a statement to share at this time as we're still looking into this," but did offer some tips to secure your account, a security check-up tool, and the introduction of passkeys on Facebook.

We did not hear back from Apple before our deadline.

In statements given to the media, a Google spokesperson clarified that the company was not the source of the leak. Instead of raising alarms, Google is encouraging users to adopt more secure practices. These include using passkeys, a newer form of authentication that relies on biometric data or a device PIN instead of a traditional password. Google is also promoting its Password Manager, which alerts users if any of their stored credentials have been exposed. This tool can automatically generate strong passwords and keep them encrypted across your devices.

Meta has taken similar steps by rolling out support for passkeys on Facebook mobile apps. While adoption remains low, the company is signaling that passwordless logins are the future of secure access. These changes reflect a growing industry shift toward authentication methods that cannot be phished or reused.

We reached out to Apple, Google, and Meta for comment but did not receive a response before our deadline.

With credential leaks becoming a growing threat, protecting your data requires a mix of smart security habits and reliable tools. Here are five effective ways to keep your information safe.

1. Use a password manager: Infostealer malware often targets passwords saved directly in web browsers, making them easy targets. Instead of relying on your browser to store credentials, use a dedicated password manager that offers zero-knowledge architecture and military-grade encryption to keep your data safe. The best options work across all your devices and browsers, offer secure sharing, monitor for data breaches, and even generate health reports on your passwords.

2. Enable two-factor authentication (2FA): Even if your credentials are stolen, 2FA adds an extra layer of security by requiring a second form of verification, such as a code from an authentication app or biometric confirmation. Cybercriminals rely on stolen usernames and passwords to break into accounts, but with 2FA enabled, they cannot gain access without the additional security step. Make sure to enable 2FA on important accounts like email, banking, and work-related logins.

3. Use strong antivirus software and be cautious with downloads and links: Infostealer malware often spreads through malicious downloads, phishing emails, and fake websites. Avoid downloading software or files from untrusted sources, and always double-check links before clicking them. Attackers disguise malware as legitimate software, game cheats, or cracked applications, so it is best to stick to official websites and app stores for downloads. The best way to safeguard yourself from malicious links is to have antivirus software installed on all your devices. This protection can also alert you to phishing emails and ransomware scams, keeping your personal information and digital assets safe.

4. Keep software updated: Cybercriminals exploit outdated software to deliver malware. Keeping your operating system, browsers, and security software up to date ensures that known vulnerabilities are patched. Enable automatic updates whenever possible, and install reputable antivirus or endpoint protection software that can detect and block infostealer threats before they compromise your system.

5. Consider a personal data removal service: The massive leak of 16 billion credentials shows just how far your personal information can spread and how easily it can resurface years later in aggregated hacker databases. Even if your passwords were part of an old breach, data like your name, email, phone number, or address may still be available through data broker sites. Personal data removal services can help reduce your exposure by scrubbing this information from hundreds of these sites. While no service can guarantee total removal, they drastically reduce your digital footprint, making it harder for scammers to cross-reference leaked credentials with public data to impersonate or target you. These services monitor and automatically remove your personal info over time, which gives me peace of mind in today's threat landscape.

Passwords are no longer enough. That is why I have always believed tech companies should phase them out entirely and require two-factor authentication across the board. Passwords, once the foundation of online identity, are now one of its weakest links. Companies like Google and Meta are already building systems that move beyond them. The tools are available. The message is clear. You do not need to wait for a breach to start taking security seriously.


TechCrunch
02-06-2025
Vanta bug exposed customers' data to other customers
Compliance company Vanta has confirmed that a bug exposed the private data of some of its customers to other Vanta customers. The company told TechCrunch that the data exposure was a result of a product code change and not caused by an intrusion. Vanta, which helps corporate customers automate their security and compliance processes, said it identified an issue on May 26 and that remediation will complete June 4. The incident resulted in 'a subset of data from fewer than 20% of our third-party integrations being exposed to other Vanta customers,' according to the statement attributed to Vanta's chief product officer Jeremy Epling. Epling said fewer than 4% of Vanta customers were affected, and have all been notified. Vanta has more than 10,000 customers, according to its website, suggesting the data exposure likely affects hundreds of Vanta customers. One customer affected by the incident told TechCrunch that Vanta had notified them of the data exposure. The customer said Vanta told them that 'employee account data was erroneously pulled into your Vanta instance, as well as out of your Vanta instance into other customers' instances.' The customer told TechCrunch that Vanta's notice said this type of data 'generally includes' information like employee names, roles, and information about configurations of some tools, such as the use of multi-factor authentication. When asked by TechCrunch, Vanta spokesperson Erin Cheng would not say what types of customers' data were involved during the incident or comment on whether Vanta employee data was exposed. Founded in 2018, Vanta has raised more than $350 million to date, including $150 million in its most recent Series C funding round in July 2024.
Yahoo
24-05-2025
Naukri exposed recruiter email addresses, researcher says
Naukri, a popular Indian employment website, has fixed a bug that exposed the email addresses of recruiters using its platform to search and hire talent online.

The issue, discovered by security researcher Lohith Gowda, affected the API that Naukri used on its Android and iOS apps. The API exposed the email addresses of recruiters visiting profiles of potential candidates on Naukri's platform. The issue did not appear to affect the company's website.

"The exposed recruiter email IDs can be used for targeted phishing attacks, and recruiters may receive excessive unsolicited emails and spam," Gowda told TechCrunch. He added that exposed email IDs could be added to public breach databases or spam lists, and mass email address scraping could lead to automated bot abuse or scams.

TechCrunch verified the exposure after the researcher shared details about the bug. The researcher confirmed to TechCrunch that the issue was fixed earlier this week, which Naukri corroborated on Friday.

"All identified enhancements are implemented, ensuring our systems remain updated and resilient," Alok Vij, IT infrastructure head at Naukri's parent company InfoEdge, told TechCrunch over email. "Our teams have not detected any usual activity that affects the integrity of user data."

Founded in March 1997, Naukri is India's top classified recruitment website, helping connect recruiters, employers, and job seekers. Apart from India, the site exists in the Middle East as

"Certain features of our recruiter profiles are designed to be public to enable users to know who has access to their profile(s). We conduct regular audits and security assessments," said Vij.