Why Every Enterprise Needs a Risk Operations Center (ROC)

Enterprise security has long optimized for speed of response over prevention of risk. At Qualys, we recognized early that this left half the problem unsolved, and we have spent years building the operational frameworks to close that gap. The Risk Operations Center is the result. Here is a scenari...

Inside an Automotive Giant’s Data Leak — A Cloud Misconfiguration Lesson for AWS Users

70 TB+ of data, hard-coded keys, and weak IAM controls. For even the most experienced enterprises, one configuration decision can be enough to surface how interdependent and vulnerable modern cloud systems truly are. The recent data exposure incident at a large automotive firm highlights this...

CVE-2025-34064 OneLogin AD Connector Log S3 Bucket Hijack Leading to Cross-Tenant Data Leakage

A cloud infrastructure misconfiguration in OneLogin AD Connector results in log data being sent to a hardcoded S3 bucket onelogin-adc-logs-production without validating bucket ownership. An attacker who registers this unclaimed bucket can begin receiving log files from other OneLogin tenants. The...

One Identity OneLogin AD Connector 安全漏洞

One Identity OneLogin AD Connector is a connector software from One Identity USA. A security vulnerability exists in the One Identity OneLogin AD Connector that stems from a misconfiguration of the cloud infrastructure leading to log data leakage...

CVS Health Records for 1.1 Billion Customers Exposed

More than 1 billion records for CVS Health customers were left in the database of a third-party, unnamed vendor – exposed, unprotected, online. Researchers said the data points revealed could be strung together to create an extremely personal snapshot of someones’s medical situation. The glitch i...

Hobby Lobby Exposes Customer Data in Cloud Misconfiguration

Arts-and-crafts retailer Hobby Lobby has suffered a cloud-bucket misconfiguration, exposing a raft of customer information, according to a report. An independent security researcher who goes by the handle “Boogeyman” uncovered the issue and reported it to Motherboard in an online chat, according ...

Securing Your Web App, One Robot at a Time

Modern web apps are two things: complex, and under persistent attack. Any publicly accessible web application can receive up to tens of thousands of attacks a month. While that sounds like a reason to immediately pull the plug and find a safe space to hide, these are likely spread across the...

Spotify Suffers Second Credential-Stuffing Cyberattack

Spotify streaming music aficionados are in the crosshairs of yet another credential-stuffing cyberattack, just three months after the last one. The service has forced password resets for impacted users. Cybercriminals carrying out credential-stuffing take advantage of people who reuse the same...

23M Gamer Records Exposed in VIPGames Leak

VIPGames.com, a free platform with a total of 56 available classic board and card games like Hearts, Crazy Eights, Euchre, Dominoes, Backgammon and others, has exposed the personal data of tens of thousands of users. In all, more than 23 million records for more than 66,000 users were left expose...

Cayman Islands Bank Records Exposed in Open Azure Blob

A Cayman Island investment firm has removed years of backups, which up until recently were easily available online thanks to a misconfigured Microsoft Azure blob. The blob’s single URL led to vast stores of files including personal banking information, passport data and even online banking PINs —...

This Week in Security News: Exploring Common Threats to Cloud Security and Zoom Removes Meeting IDs from App Title Bar to Improve Privacy

Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, learn about why Zoom has released an update for its Linux, Mac, and Windows apps that removes the meeting ID from the app's title bar. Also,...

Cloud Misconfig Mistakes Show Need For DevSecOps

Developers have become accustomed to deploying apps in data centers with what could be described as a “crunchy hard outer layer,” to keep their data center secure. But when it comes to the public cloud, “it just doesn’t exist that way,” said Ryan Olson, vice president of threat intelligence with...

Cloud Misconfig Mistakes Show Need For DevSecOps

Developers have become accustomed to deploying apps in data centers with what could be described as a “crunchy hard outer layer,” to keep their data center secure. But when it comes to the public cloud, “it just doesn’t exist that way,” said Ryan Olson, vice president of threat intelligence with...

MGM Grand Breach Leaked Details of 10.6 Million Guests Last Summer

A hacking forum this week published details of more than 10.6 million guests who stayed at MGM Resorts, the result of a breach due to unauthorized access to a cloud server that occurred at the famous Las Vegas hotel and casino last summer. The incident—revealed in a published report on ZDNet...

Honda Leaks Data of 26K North American Customers

An exposed database was discovered leaking the personal information of 26,000 North American Honda owners and their vehicles. The Elasticsearch database in question is owned by the American Honda Motor Co., a North American subsidiary of the Honda Motor Co. The cloud misconfiguration exposed the...

Birth Certificate Data Laid Bare on the Web in Multiple States

A third-party government supplier has exposed hundreds of thousands of applications containing birth-certificate data. The trove of information is owned by a company that provides an online platform to state governments – including California, New York and Texas – that allows residents to request...

Imperva: Data Breach Caused by Amazon Cloud Misconfiguration

Imperva, the security vendor, said this week that a misconfiguration of an Amazon Web Services AWS cloud instance allowed hackers to exfiltrate information on customers using its Cloud Web Application Firewall WAF product. Formerly known as Incapsula, the Cloud WAF analyzes requests coming into...

Former AWS Engineer Arrested as Capital One Admits Massive Data Breach

A massive breach of Capital One customer data has hit more than 100 million people in the U.S. and 6 million in Canada. Thanks to a cloud misconfiguration, a hacker was able to access to credit applications, Social Security numbers and bank account numbers in one of the biggest data breaches to...

Millions of Golfers Land in Privacy Hazard After Cloud Misconfig

Finding cloud databases with sensitive information left open to the internet has become par for the course these days – as a new exposure of millions of sensitive data points for the users of a golf app demonstrates. Millions of golfer records from the Game Golf app, including GPS details from...

Sensitive Enterprise Data Exposed in Amazon S3 Public Buckets

UPDATE – With companies flocking to cloud services such as Amazon Simple Storage Service S3 to store and serve static content on the cheap, naturally they’re making simple mistakes in doing so—and naturally, a savvy attacker is able to cash in. Researchers at Rapid7 today released data from a...