AboutDFIR.com – The Definitive Compendium Project
Digital Forensics & Incident Response


InfoSec News Nuggets 5/3/2024

Panda Restaurants discloses data breach after corporate systems hack 

Panda Restaurant Group, the parent company of Panda Express, Panda Inn, and Hibachi-San, disclosed a data breach after attackers compromised its corporate systems in March and stole the personal information of an undisclosed number of associates. Panda Express is the largest Chinese fast food chain in the United States, with over $3 billion in sales and 47,000 associates working in 2,300 branches. The company discovered a data security breach on March 10, 2024, which affected some of its corporate systems but left in-store systems, operations, and guest experience unaffected. 


Two years in, Google says passkeys now protect more than 400 million accounts 

Passkeys consist of two cryptographic keys, a public key that’s registered with the online service or app, and a private key that’s stored on a device, such as a smartphone or a computer. That might sound complicated, but passkeys have been designed to be easy to use. In fact, to log in with a passkey, you use your face, a fingerprint, or a PIN in much the same way that you unlock your smartphone. In a blog post, Google VP of Security Engineering Heather Adkins announced today that since Google launched passkeys on World Password Day 2022, over 400 million Google Accounts have been secured with passkeys. Furthermore, these users have collectively logged over 1 billion authentications, demonstrating growing adoption and usage of this relatively new security feature.    


1,400 GitLab Servers Impacted by Exploited Vulnerability 

A critical vulnerability in GitLab’s email verification process, which can lead to password hijacking, is being exploited in the wild, the US cybersecurity agency CISA warns. Tracked as CVE-2023-7028 (CVSS score of 10/10), the flaw allows for password reset messages to be sent to email addresses that have not been verified, enabling attackers to hijack the password reset process and take over accounts. GitLab patched the security defect in January 2024, warning that GitLab Community Edition (CE) and Enterprise Edition (EE) versions 16.1 to 16.7.1 are affected. Fixes were included in GitLab versions 16.5.6, 16.6.4, and 16.7.2 and backported to versions 16.1.6, 16.2.9, 16.3.7, and 16.4.5. 
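The weakness described above, a reset link dispatched to an address whose ownership was never confirmed, as an added Ruby illustration that is not GitLab's code: the weak handler accepts any address associated with the account, the hardened one only a verified address, and it returns an audit event so denials can be alerted on. The user records, addresses and function names are constructed for the example.

```ruby
require 'securerandom'

# Constructed user records (not GitLab data): each account has addresses
# whose ownership was confirmed and addresses that were only claimed.
User = Struct.new(:id, :verified_emails, :unverified_emails)
USERS = [
  User.new(1, ['alice@example.com'], ['claimed-but-unverified@example.net']),
  User.new(2, ['bob@example.com'], [])
].freeze

def normalize(email)
  email.to_s.strip.downcase
end

# Weak pattern: any address associated with the account, verified or not,
# is accepted as the reset recipient. A merely claimed address therefore
# receives a token that lets whoever controls that mailbox take over the account.
def reset_recipient_weak(requested_email)
  email = normalize(requested_email)
  user = USERS.find { |u| (u.verified_emails + u.unverified_emails).include?(email) }
  return nil unless user
  { user_id: user.id, to: email, token: SecureRandom.hex(16) }
end

# Hardened pattern: a token is only ever addressed to a verified address.
# The caller-visible part (:to and :token) is identical for unknown and
# unverified addresses so the endpoint does not reveal which addresses are
# attached to an account; the :audit record is for internal logging only.
def reset_recipient_safe(requested_email)
  email = normalize(requested_email)
  user = USERS.find { |u| u.verified_emails.include?(email) }
  if user
    { user_id: user.id, to: email, token: SecureRandom.hex(16), audit: { event: 'reset_sent' } }
  else
    known = USERS.any? { |u| u.unverified_emails.include?(email) }
    { to: nil, token: nil, audit: { event: known ? 'reset_denied_unverified' : 'reset_denied_unknown' } }
  end
end
```

A spike of `reset_denied_unverified` events for one account is the signal a defender would want to watch for.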


Microsoft bans US police departments from using enterprise AI tool for facial recognition 

Microsoft has reaffirmed its ban on U.S. police departments from using generative AI for facial recognition through Azure OpenAI Service, the company’s fully managed, enterprise-focused wrapper around OpenAI tech. Language added Wednesday to the terms of service for Azure OpenAI Service more obviously prohibits integrations with Azure OpenAI Service from being used “by or for” police departments for facial recognition in the U.S., including integrations with OpenAI’s current — and perhaps future — image-analyzing models. 


Florida man gets 6 years behind bars for flogging fake Cisco kit to US military 

Miami resident Onur Aksoy has been sentenced to six and a half years in prison for running a multi-million-dollar operation selling fake Cisco equipment that ended up in the US military. Counterfeiting computer parts is nothing new, though Aksoy’s scheme, which ran from 2014 to 2022, was innovative in its scale. He oversaw at least 19 companies in New Jersey and Florida, and had a significant online presence with 15 Amazon accounts and 10 eBay accounts. “Through an elaborate, years-long scheme, Aksoy created and ran one of the largest counterfeit-trafficking operations ever,” said Vikas Khanna, US attorney for the District of New Jersey. 
