February 2024 - Latest Cyber Security News
Each month we post a round-up of cyber security news that we find insightful and that contributes to a fuller understanding of the world of cyber security.
January 2024 Was A Big Month For Mass Data Breach News
We saw news of two big data breaches in January 2024:
The naz.api breach was reported in January, but the breach actually occurred in September 2023. It contains 71 million unique email addresses, their passwords, and the service that they are associated with. This breach was particularly noteworthy because one-third of the email addresses had never been seen before in other data breaches. [Source]
The “Mother Of All Breaches” contains over 26 billion records. This sounds pretty scary, but further analysis by experts revealed that the hoard of data is largely made up of data from previously disclosed breaches, some dating back more than a decade. [Source]
We highly recommend that you use the free service “Have I Been Pwned?” to determine if your email address and any associated credentials were observed in these data breaches or dozens of other breaches. For organizations that need to monitor all of their staff’s email addresses for inclusion in data breaches, check out our Cyber Security Training Program offering. We combine breach monitoring, fun training, and phishing simulations to lower your organization’s risk of cyber attacks.
Microsoft Got Hacked
Russian state-sponsored hackers successfully hacked Microsoft and were able to access emails and documents belonging to senior executives, the security team, and the legal team. The attack was disclosed in January, but it appears that the hackers had access to Microsoft since at least November 2023. Microsoft disclosed the attack in a report to the Securities and Exchange Commission (SEC) and indicated that the attacks initially targeted an old, non-production service that wasn’t protected by Microsoft’s normal suite of security capabilities.
This attack underscores the importance of establishing cyber security best practices like multi-factor authentication, deactivating old accounts, and limiting each account’s privileged access. [Source]
FTC Issues Warnings About QR Codes
The Federal Trade Commission (FTC) recently issued a warning about how the square QR codes common in restaurants and parking garages can be abused by fraudsters and attackers. These malodorous individuals can hide malicious links within the QR codes that can cause your device to install malware or trick you into disclosing sensitive information, including payment information and login credentials. Additionally, phishing emails that contain QR codes leading to malicious links are on the rise, as they can evade many spam and phishing detection systems. [Source]
In this warning, the FTC recommends:
Checking the URL associated with the QR code to make sure it is legitimate. Oftentimes, your phone will show you the URL you’re about to navigate to before taking you there. Does it look like what you expect to see?
Not scanning a QR code in an email or text message that you aren’t expecting.
Regularly updating your device’s operating system and the apps on your device.