Damn, the internet chefs went hard this past week! They stirred up some serious chow in the VPN industry, then moved on to a data breach affecting roughly half of France - and that's not even the whole course! Let's start this week off with a few bite-size VPN appetizers.
Express VPN's Windows versions 12.23.1 – 12.72.0, published between May 19, 2022, and Feb. 7, 2024, had a bug that exposed domains visited by users, specifically those using the split tunnel feature. The bug caused the DNS requests to be directed to the user's ISP instead of the Express VPN infrastructure on apps that should have been routed through the VPN connection. Considering the length of time this bug existed, it may take time for the full scope of repercussions to be revealed.
Ivanti has a widely used (more than 40,000 customers) enterprise VPN, which is now seeing hackers mass exploiting the multiple vulnerabilities present in the software. This is the fourth recent disclosure of vulnerabilities from Ivanti, with fingers being pointed at a China-based hacking group "likely motivated by espionage."
WiinStar, the Oklahoma-based, self-proclaimed "world's biggest casino" (by square footage), left one of its logging databases on the internet without a password. This means that anyone with knowledge of its public IP address could access the WinStar customer data, all from the comfort of their web browser. Exposed data included: full names, phone numbers, email addresses, device IP addresses, and home addresses. Not a good look, WinsStar.
You read that right, nearly half of La Populace's data was exposed in a major security breach last week. Two third-party healthcare payment systems, Viamedis and Almerys, both experienced serious breaches in late January. An estimated 33 million customers are affected, with the exposed data including dates of birth, marital status, social security numbers, and insurance information. Allegedly, no banking info, medical data, or contact information was compromised.
TL;DR
- If you use Express VPN Split Tunneling on Windows, your DNS records have been leaking for years
- Enterprise Customers Be 'Ware, Ivanti VPN is seriously dropping the ball
- WinStar casino has a serious case of bad cybersecurity practices
- Nearly half the population of France was affected by a major data leak
This week the internet chefs really stepped up their game.; they're really on one with this year's theme. The latest assortment of delectable news bites has a distinctive chaotic aftertaste, indicating larger things for the rest of the year. One thing remains clear week after week: the time to start protecting yourself online was yesterday. If you're just getting started, we've laid out a lot of the basics for you.
