Found an unsecured Google Cloud storage bucket exposing PExL Participation Payment Receipts from Princeton University (Ivy League). Files contained student full names, handwritten signatures, UIDs, and payment amounts.

This was responsibly reported to the university's infosec email; however, I had problems because the email was blocked by administrator rules and I had to report it to people who have nothing to do with infosec.

I didn't get a response from anyone; it was just closed after January 28th.

Let's make the internet safer.

https://www.security-chu.com/2026/02/Princeton-experimental-laboratory-accident-breach.html

#misconfigurations #infosec #university #cybersecurity

Chile: Empresa de los Ferrocarriles del Estado (EFE) confirms unauthorized access to a commercial account

Cybersecurity News - Latin America: EFE Chile and an educational institution among the victims of the NemorisHacking group

🇨🇱 The Urological Diagnostic Institute (IDU) exposed 23GB of patient information on an unsecured server.

🔴15,000 PDF files contained patient exams with their data: patient name, age, national identification number (RUT), referring physician, sex, order number, admission date, review date, sample collection date, agreement, program, observations, and, of course, the exam results (in this case, for example, urinalysis).

🟢This was reported to the institution on November 4th via email. On January 13, 2026, I verified that the server appeared to be closed. I do not know if the institution notified the ANCI (National Agency).

https://www.security-chu.com/2026/01/Instituto-Diagnostico-Urologico-Expuso-informacion-de-pacientes.html

#databreach #misconfigurations #Healthcare #health #chile

@PogoWasRight


🇧🇩 Today I'm going to talk about Bondstein Technologies Limited, a company based in Dhaka, Bangladesh. One of their servers was found to be completely open and unprotected.

Bondstein Technologies Limited is a Dhaka-based technology company specializing in Internet of Things (IoT) solutions and frontier technologies. Founded in 2014, it has established itself as a leading player in Bangladesh for vehicle tracking, industrial automation, and smart connectivity.

What data was exposed?

On December 26, 2025, I discovered that the server was exposing a 22 GB SQL backup file. According to the file timestamps and metadata, this backup appears to have been publicly accessible since at least July 2025. Among the files in the backup was users.sql, which contained the following sensitive fields:

username, customer_name, First_name, Last_name, Phone_number, Additional_contact-number, email, password.

*I was able to confirm that some of the employee names were real.

Additional findings:

The exposed server's IP resolved to a properly certified HTTPS server using a subdomain under .bondstein.net. The same IP also hosted a login portal (which I did not attempt to access). With this information, we were able to accurately identify the owner and submit a responsible disclosure.

Notification:

All of this was detailed in the email I sent to several Bondstein employees on December 26, 2025. When I checked again on January 5, 2026, the exposure had been fully closed. I followed up via email to inquire about any possible reward. On January 6, they replied with the following message:

Hi Chum1ng0,

Thank you for your responsible and detailed disclosure regarding the open directory issue on our server. We sincerely appreciate you taking the time and effort to notify us of this vulnerability, which allowed us to address it quickly. Your commitment to ethical research is truly valued. We want to confirm that the issue has been fixed and access has been restricted. We would also like to clarify that the server you identified is a staging server kept for internal purposes, and not a production environment. Regarding your request for a reward, we currently do not have an official bug bounty program in place. However, we are grateful for your help in securing our infrastructure.

We appreciate your patience and look forward to potentially collaborating in the future should we establish a formal program.

Sincerely
Bondstein

-NO REWARD-

#VDP #responsibleDisclosure #misconfigurations #Bangladesh #cybersecurity #bondstein

DeepSec 2025 Talk: Offensive SIEM: When the Blue Team Switches Perspective – Erkan Ekici & Shanti Lindström

Traditional SIEM solutions focus on detecting attacks—but what if we flipped the script? Instead of waiting for adversaries to act, defenders can use SIEM proactively to

https://blog.deepsec.net/deepsec-2025-talk-offensive-siem-when-the-blue-team-switches-perspective-erkan-ekici-shanti-lindstrom/

#Conference #DeepSec2025 #misconfigurations #PrivilegeEscalation #SIEM #Talk

DeepSec 2025 Talk: Offensive SIEM: When the Blue Team Switches Perspective - Erkan Ekici & Shanti Lindström

Traditional SIEM solutions focus on detecting attacks—but what if we flipped the script? Instead of waiting for adversaries to act, defenders can use SIEM proactively to identify local privilege escalation risks before they're exploited. By analyzing Sysmon and Windows event logs, blue teams can uncover hidden misconfigurations in services, scheduled tasks, DLL loads, and centralized application deployments that could allow an attacker to escalate privileges to SYSTEM. Sometimes, this approach might even reveal new CVEs lurking in your environment. This talk will showcase practical techniques for leveraging SIEM as an offensive discovery tool, helping defenders think like attackers to strengthen security from within.

We asked Erkan and Shanti a few more questions about their talk.

Please tell us the top 5 facts about your talk.

SIEM is usually reactive. It can be used proactively
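As an added example (not from the talk or from DeepSec), here is the kind of check a SIEM query could implement for the service misconfigurations the abstract mentions: it scans constructed records modelled on Windows System log Event ID 7045 (service installation) and flags SYSTEM services whose binary sits on an unquoted path with spaces or in a user-writable directory. The record format and the writable-directory list are assumptions.

```python
import re

# Constructed sample records modelled on Windows Event ID 7045
# ("A service was installed in the system"). All values are made up.
SAMPLE_EVENTS = [
    {"EventID": 7045, "ServiceName": "GoodSvc",
     "ImagePath": '"C:\\Program Files\\Vendor\\svc.exe" -run',
     "AccountName": "LocalSystem"},
    {"EventID": 7045, "ServiceName": "UnquotedSvc",
     "ImagePath": "C:\\Program Files\\Some Vendor\\agent.exe",
     "AccountName": "LocalSystem"},
    {"EventID": 7045, "ServiceName": "TempSvc",
     "ImagePath": "C:\\ProgramData\\Updater\\update.exe",
     "AccountName": "LocalSystem"},
    {"EventID": 7045, "ServiceName": "UserSvc",
     "ImagePath": "C:\\Windows\\System32\\svchost.exe -k netsvcs",
     "AccountName": "NT AUTHORITY\\LocalService"},
]

# Assumed heuristic: directories commonly writable by unprivileged users.
WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\",
                     "c:\\temp\\", "c:\\windows\\temp\\")


def unquoted_path_with_spaces(image_path):
    """True when the binary path is unquoted and contains a space: the
    classic 'unquoted service path' local privilege escalation risk."""
    p = image_path.strip()
    if p.startswith('"'):
        return False
    # The executable path ends at the first '.exe'; arguments may follow.
    m = re.match(r"(.+?\.exe)", p, re.IGNORECASE)
    exe = m.group(1) if m else p
    return " " in exe


def binary_in_user_writable_dir(image_path):
    """True when the service binary lives under a user-writable prefix."""
    p = image_path.strip().strip('"').lower()
    return p.startswith(WRITABLE_PREFIXES)


def find_risky_services(events):
    """Return (ServiceName, reason) pairs for 7045 events that run as
    LocalSystem and whose binary an unprivileged user could tamper with."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 7045 or ev.get("AccountName") != "LocalSystem":
            continue
        path = ev["ImagePath"]
        if unquoted_path_with_spaces(path):
            findings.append((ev["ServiceName"], "unquoted service path with spaces"))
        if binary_in_user_writable_dir(path):
            findings.append((ev["ServiceName"], "binary in user-writable directory"))
    return findings
```

Feeding real 7045 (and Sysmon process-creation) events through the same two checks turns the SIEM into the proactive misconfiguration finder the talk describes.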

DeepSec In-Depth Security Conference

A misconfigured Azure Blob belonging to the environmental management company 🇨🇱 🇵🇪 🇵🇾 Disal/Ambipar 🇧🇷 exposed more than 300,000 internal files. This was reported to the company, and shortly after its Blob was blocked. More details on my Substack.

📌 link: https://newschu.substack.com/p/misconfigurations-capitulo-8-un-azure

#Chile #infosec #disal #ambipar #cl #peru #paraguay #brasil #misconfigurations #privacy

Misconfigurations - Chapter 8: A misconfigured Azure Blob exposed more than 300,000 files from the company Disal-Ambipar.

The company was contacted through its support channel, after which the Azure Blob was closed.

NewsChu

Update:

Hundreds of 3D images of dental patients exposed without protection in a Bucket of two Italian companies.

Today, the bucket was closed, the medical director sent an email in one line expressing the following:

"I have taken immediate action with both the service provider and our designated DPO. I am leaving my direct contact number for future communications."

📌 link:

https://www.suspectfile.com/italy-exposed-database-puts-dental-clinic-patients-data-at-risk/

#infosec #privacy #Italy #Milan #bucket #healthcare #misconfigurations #DPO

Hundreds of 3D images of dental patients exposed without protection in a Bucket of two Italian companies.

link:
https://www.suspectfile.com/italy-exposed-database-puts-dental-clinic-patients-data-at-risk/

#infosec #Italy #Milan #privacy #cybersecurity #healthcare #bucket #misconfigurations

In an investigation by Cybernews, the Caja de Compensación Los Andes (cajalosandes.cl) left open an Apache Cassandra database with 10 million affiliates, which contained:

Names and surnames
Home addresses
Dates of birth
Phone numbers
Credit amounts
Places where payments were made
Details of credit use

link:
https://cybernews.com/security/caja-los-andes-chile-data-leak/

There is no comment from Caja Los Andes on its website or on its social networks about this misconfiguration, which has left no less than 10 million of its members' records exposed.

Being the largest compensation fund in Chile!

#Chile #cl #cajalosandes #cybersecurity #latinoamerica #misconfigurations #apache #Cassandra

@cybernews

🔒Misconfigurations - Chapter 7:

A misconfigured database exposed 66,000 files from the digital healthcare solutions company IMED.

The company was contacted in early July via email, after which the MongoDB was no longer exposed.

🔗 Find the episode here:

https://newschu.substack.com/p/misconfigurations-capitulo-7-una

#infosec #misconfigurations #substack #cybersecurity #Chile #cl

Thank you for alerting me to the leak @JayeLTee

Misconfigurations - Chapter 7: A misconfigured database exposed 66,000 files from the digital healthcare solutions company IMED.

The company was contacted in early July via email; after the contact, the MongoDB was no longer exposed.

NewsChu