AboutDFIR.com – The Definitive Compendium Project
Digital Forensics & Incident Response


InfoSec News Nuggets 4/17/2024

Giant Tiger breach sees 2.8 million records leaked

Someone has posted a database of over 2.8 million records to a hacker forum, claiming they originated from a March 2024 hack at Canadian retail chain Giant Tiger. When asked, they posted a small snippet as proof. The download of the full database is practically free for other active members of that forum. In March, one of Giant Tiger’s vendors, a company used to manage customer communications and engagement, suffered a cyberattack, which impacted Giant Tiger, as reported by CBC. The retailer first learned of the security incident on March 4, 2024, and concluded that customer information was involved by March 15, according to an email the company wrote to customers. Giant Tiger also noted that the security incident only impacted one of its vendors and didn’t affect the chain’s store systems or applications, saying that “there is no indication of any misuse of the information.”


Exclusive: Tech Companies Are Failing to Keep Elections Safe, Rights Groups Say

A quarter of the way into the most consequential election year in living memory, tech companies are failing their biggest test. Such is the charge that has been leveled by at least 160 rights groups across 55 countries, which are collectively calling on tech platforms to urgently adopt greater measures to safeguard people and elections amid rampant online disinformation and hate speech. “Despite our and many others’ engagement, tech companies have failed to implement adequate measures to protect people and democratic processes from tech harms that include disinformation, hate speech, and influence operations that ruin lives and undermine democratic integrity,” reads the organizations’ joint letter, shared exclusively with TIME by the Global Coalition for Tech Justice, a consortium of civil society groups, activists, and experts. “In fact, tech platforms have apparently reduced their investments in platform safety and have restricted data access, even as they continue to profit from hate-filled ads and disinformation.”


OpenJS Foundation Targeted in Potential JavaScript Project Takeover Attempt

Security researchers have uncovered a “credible” takeover attempt targeting the OpenJS Foundation in a manner that evokes similarities to the recently uncovered incident aimed at the open-source XZ Utils project. “The OpenJS Foundation Cross Project Council received a suspicious series of emails with similar messages, bearing different names and overlapping GitHub-associated emails,” OpenJS Foundation and Open Source Security Foundation (OpenSSF) said in a joint alert. According to Robin Bender Ginn, executive director of OpenJS Foundation, and Omkhar Arasaratnam, general manager at OpenSSF, the email messages urged OpenJS to take action to update one of its popular JavaScript projects to remediate critical vulnerabilities without providing any specifics.


Why the US government’s overreliance on Microsoft is a big problem

When Microsoft revealed in January that foreign government hackers had once again breached its systems, the news prompted another round of recriminations about the security posture of the world’s largest tech company. Despite the angst among policymakers, security experts, and competitors, Microsoft faced no consequences for its latest embarrassing failure. The United States government kept buying and using Microsoft products, and senior officials refused to publicly rebuke the tech giant. It was another reminder of how insulated Microsoft has become from virtually any government accountability, even as the Biden administration vows to make powerful tech firms take more responsibility for America’s cyber defense.


Cisco warns of large-scale brute-force attacks against VPN services

Cisco warns about a large-scale credential brute-forcing campaign targeting VPN and SSH services on Cisco, CheckPoint, Fortinet, SonicWall, and Ubiquiti devices worldwide. A brute force attack is the process of attempting to log into an account or device using many usernames and passwords until the correct combination is found. Once they have access to the correct credentials, the threat actors can then use them to hijack a device or gain access to the internal network. According to Cisco Talos, this new brute force campaign uses a mix of valid and generic employee usernames related to specific organizations.


Telehealth firm Cerebral fined $7 million over ‘careless’ privacy violations

The Federal Trade Commission (FTC) is proposing a $7 million fine against Cerebral, a mental telehealth firm that it says not only was careless with patients’ data but actively shared it with third parties for advertising purposes. The company and its CEO, Kyle Robertson, are also accused of lying to customers about how their data is shared and of having a misleading cancellation policy. The FTC notes that Cerebral shared the sensitive data “of nearly 3.2 million consumers” with third parties like LinkedIn, TikTok, and Snapchat through trackers on its website or apps — something the company admitted to last year. That apparently included details like home and email addresses, phone numbers, pharmacy and health insurance details, and medical history. Many of Cerebral’s ads were misleading, promoting ADHD treatment by, for instance, linking ADHD to obesity.
