Another Day, Another Breach

Foxit Software, developer of the popular PDF software PhantomPDF and Foxit Reader PDF, has reset its customers' passwords following a data breach at the company. In what appears to be the typical "let's ignore it and hopefully it will go away" stance, the company has yet to announce anything publicly, even though customers received emails last week asking them to reset their passwords.

PDF Reader Biz Breached: Foxit Forces Password Reset
Unknown number of customers had personal data compromised

Another Open S3 Bucket

Teletext Holidays has left an S3 bucket open, resulting in more than 200,000 customer phone call recordings being publicly exposed. The calls were recorded between April and August 2016. Some of these calls include personal details, including partial payment card details such as expiration dates and the name on the card. While customers were not asked for the card number, they were asked to enter it via touch tone on their phone. This does little to hide the actual card number, as it is trivial to obtain the card number from the tones.

Teletext Holidays a) exists and b) left 200k customer call recordings exposed in S3 bucket
Get your grandparents to book with someone else

Facebook Lost Private Key

Facebook has lost control of its private key which is used to sign its Facebook Basics app. Now let's be clear, the private key is meant to be that, private. Leaking this means that it should no longer be trusted. Facebook doesn't seem to think that this is a big deal. To add to this, it appears that the same key is being used by other vendors to sign their own apps.

Facebook released a new version of its Facebook Basics app, signed by a new key. Yet they made no mention of this (presumably to try to sweep it under the rug).

It should be noted that having this key could become very useful to those with malicious intent. They can create malicious applications which appear to be signed by a well-known name, Facebook, making it easier to dupe victims into trusting and installing the app.

Oh there it is, Facebook shrugs as Free Basics private key found to be signing unrelated apps
Walled-garden Android platform security easily copied