In August 2020, @SchizoDuckie and I published what was to become the first of a series of articles or posts called "No Need to Hack When It's Leaking."

In today's installment, I bring you "No Need to Hack When It's Leaking: Brandt Kettwick Defense Edition." It chronicles efforts by @JayeLTee, @masek, and me to alert a Minnesota law firm to lock down their exposed files, some of which were quite sensitive.

Read the post and see how even the state's Bureau of Criminal Apprehension had trouble getting this law firm to respond appropriately.

https://databreaches.net/2025/07/04/no-need-to-hack-when-its-leaking-brandt-kettwick-defense-edition/

Great thanks to the Minnesota Bureau of Criminal Apprehension for their help on this one, and to @TonyYarusso and @bkoehn for their efforts.

#dataleak #misconfiguration #incidentresponse #incidentmanagement #responsibledisclosure #securityalert #infosec

A simple web form error left 670 sensitive documents exposed at the AHRC. How safe is your data when a tiny misconfiguration can unleash so much risk? Read on for a cautionary cybersecurity lesson.

https://thedefendopsdiaries.com/the-ahrc-data-breach-a-lesson-in-web-security-misconfigurations/

#databreach #websecurity #misconfiguration #cybersecurity #infosec

So, you accidentally summoned an army of LLM bots to devour your server resources and send your finances into a death spiral? 🤖💸 Who would've thought that a simple 'misconfiguration' could make your bank account the real ghost in the machine? 🎭💀
https://metacast.app/blog/engineering/postmortem-llm-bots-image-optimization #LLMBots #Misconfiguration #ServerResources #GhostInTheMachine #FinancesFail #HackerNews #ngated
LLM bots + Next.js image optimization = recipe for bankruptcy (post-mortem) | Metacast Blog

A misconfiguration that might have cost us $7,000


Zapier (no-code software) informed customers on Friday that an unauthorized party had gained access to code repositories and customer data. The unauthorized party was able to access the repositories because of a misconfiguration of two-factor authentication (2FA) on an employee's account. The repositories should not have contained any customer data at all; it had been copied into them by Zapier by mistake...

https://www.theverge.com/news/622026/zapier-data-breach-code-repositories

#cybersecurity #mfa #2fa #leak #misconfiguration #zapier

Zapier says someone broke into its code repositories and may have accessed customer data

Zapier is notifying customers about a “security incident,” which involved an unauthorized user gaining access to the company’s code repositories and “certain custom information.”


In early 2025, Modat Internet Index Solution carried out a comprehensive investigation and discovered 49,000 misconfigured, unprotected #AccessManagementSystems (AMS) across multiple industries and countries, which could endanger privacy and physical #security in critical sectors. The #AMS were not properly configured for secure #authentication, so that almost anyone could have accessed them.

#cybersecurity #config #misconfiguration #privacy #kritis

🚨 A massive 1.17TB unprotected database from IoT grow light company Mars Hydro has exposed billions of records, including Wi-Fi passwords, IPs, device IDs and more. 🔓

Read: https://hackread.com/1tb-data-leak-expose-billions-iot-grow-light-records/

#CyberSecurity #IoT #Misconfiguration #China

Massive 1.17TB Data Leak Exposes Billions of IoT Grow Light Records


About two hours after I posted our article on #KillSec3 trying to extort its victims using publicly leaked data, there was a #DDoS attack on my site.

Gosh, it must be just a coincidence, right? 🤔

If you didn't read the post yet, you can read it here:

https://databreaches.net/2024/12/08/is-killsec3-trying-to-extort-victims-using-publicly-leaked-data/

#databreach #ransomware #scam #fraud #infosec #cybersecurity #misconfiguration #exposed_data

@JayeLTee @chum1ng0 @bucketchallenge @amvinfe @lawrenceabrams @briankrebs

Bolton Walk-In Clinic in Ontario: lock down your backup already!

DataBreaches hates reporting on an incident when the entity has not yet secured misconfigured storage, but after four months of futile efforts to get a Canadian clinic to respond to responsible disclosures, maybe publication will help get them off the dime.

Do any personal injury lawyers in Ontario, Canada, or folks in the Information and Privacy Commissioner of Ontario follow me? Maybe they can get something done.

Read more at:
https://databreaches.net/2024/12/03/bolton-walk-in-clinic-in-ontario-lock-down-your-backup-already/

#misconfiguration #error #healthsec #dataleak #databreach #exposure #incidentresponse
#DontCallMeHoney

@brett

Harbour Sport exposed 10K in accidental leak | Medium

In Auckland, New Zealand, an entity called Harbour Sport exposed an Azure Blob Storage container; the total number of files exposed in this accidental leak was 10,000.

@JayeLTee This is why sometimes it's not enough to just disclose responsibly to an entity. Did you let the data protection regulator know that although the entity is claiming a 4-day exposure window, your research found it was almost a year? And did you tell the data protection regulator that the entity is reportedly telling some departments that their data was not exposed, when you found clear proof that it was?

@lfdi

#responsibledisclosure #transparency #accountability #dataprotection #misconfiguration #infosec