Weekly Threat Report - 15th November 2019
Disney+ accounts hijacked within days of launch
Thousands of subscribers to the recently launched Disney+ online streaming platform have had their accounts hijacked, according to an investigation by cyber security researchers.
Subscribers reported that hackers accessed their accounts and changed the email address and password details, locking them out. Thousands of subscribers’ accounts have been put up for sale on the dark web.
Cyber security researchers suggest that some accounts were hijacked because people use the same passwords for different sites, some of which may have been previously compromised.
Using the same password for multiple accounts makes the accounts more vulnerable to compromise. However, we recognise that remembering multiple complex passwords can be difficult without help. We have published top tips on keeping your family safe online, which include guidance on password managers and setting up two-factor authentication (2FA) wherever it is available.
Data breach exposes thousands of gamers
A US gaming company has inadvertently leaked the personal information of thousands of online players.
Wizards of the Coast, which publishes games based on science fiction themes, emailed users informing them about the breach. It is thought that names, email addresses and passwords were exposed. Users have been advised to change their passwords.
The incident appears to have been caused by a database backup file left unprotected in a public Amazon Web Services (AWS) storage bucket.
Large stores of data are a tempting target for attackers. The NCSC has published advice on how to adequately protect such information and details on how to configure AWS S3 buckets to protect data.
Anyone concerned about the security of their online accounts should follow the guidance in ‘Top tips for staying secure online’. We have also issued specific online gaming advice for families and individuals.
Flaw revealed in Android camera app
Google has acknowledged a now-patched security flaw (CVE-2019-2234) in Android phones that enabled third-party apps to bypass the camera permissions by using storage permissions.
Security researchers were able to design and implement an app which exploited the flaw. The researchers proved that basic storage permissions could be used by attackers to access the user's camera and video, remotely record calls, and use the location information within photos to locate the phone. This could be done even when the phone was locked with the screen turned off.
Keeping your apps and operating systems up to date is an effective way of maintaining security on your devices. The easiest way to do this is to turn on automatic updates, if you can.
The NCSC has issued advice on how to ensure your devices are as secure as possible.