
Next-Gen CASB Blog

Bitglass Security Spotlight: A Step-By-Step Guide To Breach Instagram

By Juan Lugo | October 7, 2019 at 5:00 AM

Here are the top stories of recent weeks:  

  • Hacker Demonstrates his Step-By-Step Process to Breach Instagram’s Login Module
  • Uber Security Flaw Enables Threat Actors to Hitch a Ride, at Your Expense
  • Cyber Criminals Have Been Targeting IoT Connected Gas Pumps
  • Court Ruled In Favor of Start-up that Data Scraped LinkedIn User Profiles For Years
  • Hackers Find a Way to Attack One Billion Google Calendar Users

Hacker Demonstrates his Step-By-Step Process to Breach Instagram’s Login Module

An Israeli hacker, ZHacker13, found a vulnerability in Instagram that exposes users’ personal information, similar to the recent Facebook leak that exposed 419 million users. Facebook confirms that the exposed data would let threat actors misuse user information, including full names, phone numbers, usernames, and user IDs. However, the tech giant claims that it was already aware of this security flaw and has since made changes. The hacker confirms that, if done correctly with the necessary computing power, a brute-force attempt against Instagram’s login form would yield millions of users’ login credentials.

Uber Security Flaw Enables Threat Actors to Hitch a Ride, at Your Expense

Avid security aficionado and entrepreneur Anand Prakash exposed an Uber security flaw that would grant access to user accounts. Once a threat actor initiates an account takeover, they would have access to account privileges such as hailing Uber rides and buying meals via Uber Eats. Moreover, they would have access to users’ personal and payment information. The ride-sharing app took a hard hit back in 2016 when it failed to properly disclose a breach that exposed information on millions of Uber customers and drivers. Hackers are becoming more sophisticated over time, and these corporations lack the right security tools to defend against these types of threats.

Cyber Criminals Have Been Targeting IoT Connected Gas Pumps

Hackers in Russia are modifying the firmware in smart meters in order to trick the devices into recording lower readings. This exploit yields the user more resources for a fraction of the cost. At the moment, groups of individuals in Russian and Brazilian forums are circulating step-by-step tutorials on how to hack IoT-connected gas pumps in order to purchase fuel at a cheaper price. However, there is a growing concern that this small-scale trend could be the spark that prompts threat actors to use this exploit for a far grander scheme. IoT cyber attacks are in their infancy and will continue to be a prevailing threat as billions of home and workplace devices are expected to connect to the cloud in the coming years.

Court Ruled In Favor of Start-up that Data Scraped LinkedIn User Profiles For Years

An injunction upheld by the Ninth US Circuit Court of Appeals has come down in favor of hiQ, a San Francisco-based start-up that has been scraping personal information from users’ LinkedIn profiles over the last few years. The Microsoft-owned company has been forced to remove a block that it put on hiQ to prevent further scraping. The conclusion was that platform users own the rights to the data, rather than LinkedIn, which leaves the uploaded content susceptible to data scraping. Additionally, users should be aware that when they publish information on LinkedIn, it becomes public domain. LinkedIn made the argument that by scraping user data, hiQ was essentially hacking its platform. However, not only did the court rule in favor of hiQ, but it also suggested that LinkedIn remove the public access feature to prevent further scraping.

Hackers Find a Way to Attack One Billion Google Calendar Users

Threat actors discovered a way to target Google Calendar users by sending them malicious links through invites. The links lead to a fictitious online poll or questionnaire that incentivizes users with financial compensation upon completion. Users are prompted to provide personal financial information in order to receive the reward. Out of habit, Gmail users sometimes incautiously click on unsolicited Google Calendar notifications, and because anyone is able to schedule meetings with a targeted user, this can be dangerous for users who are unaware of these types of attacks. Additionally, security advocates warn that these phishing schemes can lead to a whole host of socially engineered attacks and can even be used to gain physical access to secured facilities.

To learn about cloud access security brokers (CASBs) and how they can protect your enterprise from data leakage, malware, and more, download the Top CASB Use Cases below. 
