IEEE Cipher --- Items from security-related news (E174), June 2023
Summary:
"Progress MOVEit Transfer" is used by businesses to transfer files
securely, but it was undermined by an SQL injection attack. The cl0p
ransomware gang exploited this vigorously and threatened to release
purloined information on June 14. Qualys estimates that over half
the sites were patched within 48 hours. Nonetheless, some corporate
and banking giants were affected.
See also
Number of Victims Breached Via MOVEit Zero-Day Keeps Climbing
Victim Count Is 378 Organizations, 20 Million Individuals - and It's
Likely to Rise
Publisher: Bank Info Security
Date: July 18, 2023
By: Mathew J. Schwartz
Summary:
Reddit found itself faced with both a user revolt and an extortion
attempt over stolen data after it announced plans to charge third
party app developers for the right to offer the apps on Reddit.
Although the extortion by the Black Cat ransomware gang is based
on credible reports of having previously breached Reddit users'
private data, observers were skeptical about the claims that the
Black Cat gang cared about Reddit's pricing policies. The user
revolt, however, shut down many subreddits.
Summary:
A recent piece of legislation in the UK would require that providers
of end-to-end encryption provide back-door government access, and that
has drawn sharp criticism from Apple and others. Apple had to reverse
its plans to provide such a capability in the US in 2021, and it now
strongly supports the idea that E2E has fundamental importance in
messaging privacy. The UK legislation includes provisions for
prosecuting executives of non-compliant companies, so much is at
stake on both sides of this argument.
Summary:
A zero-day vulnerability in Microsoft authentication led to a breach
of emails for some officials in the US Departments of Justice and
Commerce. Although Microsoft discovered the problem and patched all
customer systems, the incident was ongoing for several weeks. It has
shaken trust in the systems. The problem was caused by a privilege
escalation that let the user of a single compromised account gain
access to an entire organization's email account. The original
compromised account was probably accessed via a phishing attack.
There is likely to be quite a bit of fallout as the US considers the
ease with which China seems to gain access to government systems.
Summary:
This press release from Microsoft Research has information about the
authentication token forging and the company's response.
Summary:
It's hard to know what to say after "shocking breach of trust". At
least 3 tax filing services have been forwarding sensitive user
data to Facebook and/or Google, and those companies have been using
the data to identify the users and to target advertising at them.
This information "sharing" happened because the companies involved
agreed to add code to their websites that would "improve the user
experience." The result was that much of the data that customers
entered into website forms was relayed to the tech giants, which
felt free to make use of it for purposes far beyond what the tax
companies realized.
Summary:
Facebook pushed back against statements by Senate members condemning
the collection of sensitive taxpayer information. The problems have
been exaggerated, says Facebook, and some of the blame lies with the
tax filing companies for configuring their systems incorrectly.
One suspects this argument is far from over.
Summary:
JumpCloud provides identity management and access control to 5K
customers representing 180K organizations. At some point recently,
its systems were infiltrated by actors who appeared to have
nation-state capabilities or intentions. An internal investigation
determined that only 5 customers and a few devices were impacted.
Apparently the attack was initiated via spearphishing and was targeted
narrowly. JumpCloud believes that they deflected the attack by
forcing an update of all API keys.