
GitHub Token Breach: Mintlify Announces Customer Data Compromise

Documentation startup Mintlify says dozens of customers had GitHub tokens exposed in a data breach at the start of the month, which it publicly disclosed last week. Mintlify helps developers create documentation for their software and source code by requesting access and tapping directly into the customer’s GitHub source code repositories. These private tokens allow GitHub users to share their account access with third-party apps, including companies like Mintlify. “The targets of this attack were GitHub tokens of our users,” Wang told TechCrunch by email. “We are currently working with GitHub and our customers to uncover if any of the other tokens were used by the attacker,” Wang said.

2-Year Delay in Public Disclosure of COVID-19 Vaccination Records Due to Irish Government Website Glitch

A bug in an Irish government website that exposed COVID-19 vaccination records took two years to publicly disclose. The Irish government fixed a vulnerability two years ago in its national COVID-19 vaccination portal that exposed the vaccination records of around a million residents. But details of the vulnerability weren’t revealed until this week, after attempts to coordinate public disclosure with the government agency stalled and ended. Security researcher Aaron Costello said he discovered the vulnerability in the COVID-19 vaccination portal run by the Irish Health Service Executive (HSE) in December 2021, a year after mass vaccinations against COVID-19 began in Ireland. Costello’s public disclosure comes more than two years after he first reported the vulnerability. His blog post included a multi-year timeline revealing a back and forth between various government departments, none of which was willing to take ownership of the public disclosure.

Election Commission of India Addresses Privacy Vulnerabilities in Citizen Information Retrieval

India’s federal election commission has fixed flaws on its website that exposed data related to citizens’ requests for information about their voting eligibility status, local political candidates and parties, and technical details about electronic voting machines. The bugs allowed access to RTI requests, transaction receipts, and responses shared by officials without properly authenticating user logins. Some of the exposed data included the RTI filing date, the questions asked, the applicant’s name and mailing address, the applicant’s poverty line status, and RTI responses. The bugs were fixed earlier this week following CERT-In’s intervention. The Election Commission of India did not respond to a request for comment.

Database leak reveals 2FA codes for global tech giants

The Asian technology and internet company YX International manufactures cellular networking equipment and provides SMS text message routing services. YX International claims to send five million SMS text messages daily. But codes sent over SMS text messages are not as secure as stronger forms of 2FA, such as an app-based code generator, since SMS text messages are prone to interception or exposure — or in this case, leaking from a database onto the open web. TechCrunch found in the exposed database sets of internal email addresses and corresponding passwords associated with YX International, and alerted the company to the exposed database. YX International would not say for how long the database was exposed.

Critical Vulnerability on Indian State Government Website Leaks PII of Residents

An Indian state government has fixed security issues impacting its website that exposed the sensitive documents and personal information of millions of residents. The bugs existed on the Rajasthan government website related to Jan Aadhaar, a state program to provide a single identifier to families and individuals in the state to access welfare schemes. One of the bugs allowed anyone to access personal documents and information with knowledge of a registrant’s phone number. The state’s Jan Aadhaar portal, which launched in 2019, says it has more than 78 million individual registrants and 20 million families. The portal aims to offer “One Number, One Card, One Identity” to residents in the northern state of Rajasthan for accessing state government welfare schemes.

The Unintended Leak of Mercedes-Benz Source Code: A Consequence of a Published Password Error

Mercedes-Benz accidentally exposed a trove of internal data after leaving a private key online that gave “unrestricted access” to the company’s source code, according to the security research firm that discovered it. The London-based cybersecurity company said it discovered a Mercedes employee’s authentication token in a public GitHub repository during a routine internet scan in January. According to Mittal, this token — an alternative to using a password for authenticating to GitHub — could grant anyone full access to Mercedes’s GitHub Enterprise Server, thus allowing the download of the company’s private source code repositories. “The GitHub token gave ‘unrestricted’ and ‘unmonitored’ access to the entire source code hosted at the internal GitHub Enterprise Server,” Mittal explained in a report shared with TechCrunch. It’s not known if anyone else besides Mittal discovered the exposed key, which was published in late September 2023.

Hyundai Motor India Resolves Security Vulnerability Revealing Customers’ Private Information

In a phone conversation on Thursday, Hyundai Motor India spokesperson Siddhartha P. Saikia said the company would provide a statement. The bug exposed the customer’s personal information through the web links Hyundai Motor India shared with customers over WhatsApp after receiving their vehicles for servicing at an authorized service station. TechCrunch shared the details of the bug with Hyundai Motor India on the same day, and requested Hyundai Motor India fix the bug within seven days due to its simplicity and severity. Established in 1996, Hyundai Motor India is among the top three carmakers in the country, alongside Maruti Suzuki and Tata Motors. Hyundai Motor India has a network of over 1,500 service stations in the country.

Security Breach Unveils Confidential Customer Data: MongoDB’s Investigation

Database management giant MongoDB says it’s investigating a security incident that has resulted in the exposure of some information about customers. In an update published on Sunday, MongoDB said it does not believe hackers accessed any customer data stored in MongoDB Atlas, the company’s hosted database offering. For one customer, the exposed information included system logs, MongoDB said. System logs can include information about the running of a database or its underlying system. MongoDB declined to say how many customers may be affected by the compromise of its corporate systems.

Ubiquiti Resolves Vulnerability Exposing Private Video Streams to Fellow Customers

Ubiquiti, the networking and video surveillance camera maker, has fixed a bug that users say mistakenly allowed them access to the accounts and private live video streams of other customers. Reports first emerged on Reddit that some customers received push notifications on their phones featuring Ubiquiti account-related information and private video streams belonging to other customers. Another person said they logged into their Ubiquiti account but were presented with the account data of another customer. “I logged in and I seem to be someone else,” said one person on the Ubiquiti subreddit. Ubiquiti is a cloud and technology company that makes routers, network switches, and security and video surveillance gear, which can be remotely controlled and operated through its centralized cloud offering.