In August 2022, several companies experienced security breaches or other exploits that left user data exposed. While these breaches aren’t as severe as the headline ones from 2021, they’re still concerning.
Let’s quickly review the major security events that happened in August 2022 so you’re aware of what happened and can take action if you use any of these services.
1. Safari on Apple Devices
Apple released Safari 15.6.1 on August 18, 2022. This version fixed a problem with Safari’s WebKit engine where dangerous websites could execute code on devices using an out-of-bounds issue. This release fixes the flaw for Safari on Mac, iPhone, and iPad.
Safari is unique among browsers in that it receives patches through OS updates, not individual updates like Chrome, Edge, and other browsers. That means you have to update your entire Mac or iPhone to have the latest version of Safari, instead of only the browser.
This is a particular problem on iPhone and iPad. On those platforms, all browsers use the WebKit engine due to Apple’s requirements. Thus, you’re still at risk even if you use another browser.
If you haven’t already, you should update your Apple devices to fix this exploit.
On August 24, streaming app Plex announced that a third party was able to breach a database and obtained “limited data” such as emails, usernames, and encrypted passwords. Out of caution, the company has required all Plex users to reset their passwords. It’s said that “the majority of accounts” were affected, but didn’t give an exact number.
If you use Plex and haven’t reset your password yet, you should log in and set a new password now. Make sure to choose one you don’t use anywhere else—using a password manager is vital.
Speaking of password managers, even they aren’t immune to breaches. Around August 25, the company emailed users to report a similar issue as Plex: an unauthorized party used a compromised developer account to get into their systems.
Some source code and other company info was stolen, but no user info was taken, so user emails and passwords are safe. LastPass has said that users don’t need to take any action for now, but that the company is investigating what happened and implementing additional security measures.
If you use LastPass, it’s not a bad idea to consider switching to another password manager. These issues aren’t new to the tool, as it’s suffered from at least seven security incidents dating back to 2011. We recommend 1Password as its security and polish are worth a few dollars per month, but Bitwarden is a great free option if you don’t want to pay.
Food delivery app DoorDash also had a security incident that was reported on August 25. Using stolen employee credentials, a malicious party accessed internal company tools. They were able to take basic info like names, email addresses, delivery addresses, and phone numbers for some users.
For a smaller set of compromised users, the hackers also obtained incomplete payment info, like credit card provider and the last four card digits. Nothing complete was taken.
If you’re affected by this, DoorDash will reach out with further information. Unfortunately, there’s not much you can do about this for now, highlighting the trust we have in companies when we let them store our data.
5. Twilio (Authy)
Twilio is a communications company that provides web services relied on by companies that deal in phone calls and messaging. On August 4, it was revealed that an attacker breached Twilio’s internal network through an SMS phishing attack. They stole credentials and used them to access customer data.
This wasn’t the only company targeted; others like Mailchimp and Cloudflare were also hit by a similar SMS attack.
Authy, a two-factor authentication code generator app owned by Twilio, was part of this breach. The threat actors were able to access data for 93 users, which would allow them to add new devices to the accounts and access their 2FA codes.
Since the breach, the company has removed any unauthorized devices and contacted the affected users. It recommends that people watch their accounts for suspicious activity, review all devices tied to their Authy account, and disable the multi-device feature to prevent malicious actors from adding a device if an account is compromised.
This breach affected other apps, too. Secure messaging app Signal said its data was accessed, in some capacity, because of Twilio’s breach.
A Month of Breaches
These four breaches and one discovered exploit happened to companies across industries, highlighting how nobody is immune to security incidents like this. As a user, even using a strong password can’t protect you if a company is compromised. Thus, this is all a good reminder to keep current with updates on your devices, watch your accounts for suspicious behavior, and stay vigilant against phishing attacks.
For actionable help, see our recommended security steps everyone should take.