Security Affairs

APRIL 19, 2025

Arctic Wolf researchers warn that threat actors actively exploit a vulnerability, tracked as CVE-2021-20035 (CVSS score of 7.1), in SonicWall Secure Mobile Access (SMA) since at least January 2025. The vulnerability impacts SMA 200, SMA 210, SMA 400, SMA 410, and SMA 500v devices, the vendor addressed the vulnerability in September 2021.

Passwords 106

Passwords VPN Firewall Accountability 106

Krebs on Security

DECEMBER 19, 2024

codes in 2021 using the password “ ceza2003 ” [full disclosure: Constella is currently an advertiser on KrebsOnSecurity]. Archive.org’s history for that domain shows that in 2021 it featured a website for a then 18-year-old Altu ara from Ankara, Turkey. LinkedIn finds this same altugsara[.]com

Hacking 234

Hacking Cybercrime Advertising Data breaches 234

The Last Watchdog

MAY 26, 2021

We celebrated World Password Day on May 6, 2021. Every year, the first Thursday in May serves as a reminder for us to take control of our personal password strategies. Passwords are now an expected and typical part of our data-driven online lives. Password overhaul. Stolen passwords that can lead to data leaks.

Passwords 182

Passwords Password Management Accountability Authentication 182

Daniel Miessler

MARCH 24, 2021

Basically, how secure is someone’s current behavior with respect to passwords and authentication, and how can they improve? The idea here is for someone in the security community—or really any security-savvy user—to use this visual to help someone with poor password hygiene. Mar 24, 2021 — Thanks to Andrew R.

Authentication 363

Authentication Passwords Internet Internet 363

Troy Hunt

AUGUST 29, 2023

We provided similar support in 2021 with the Emotet botnet , although this time around with a grand total of 6.43M impacted email addresses. Further, the passwords from the malware will shortly be searchable in the Pwned Passwords service which can either be checked online or via the API.

Malware 357

Malware Passwords Password Management Antivirus 357

Troy Hunt

NOVEMBER 13, 2024

As I said, our IT department recently notified me that some of my data was leaked and a pre-emptive password reset was enforced as they didn't know what was leaked.    It would be good to see it as an informational notification in case there's an increase in attack attempts against my email address.

Data breaches 319

Data breaches Passwords B2B Technology 319

SecureWorld News

FEBRUARY 20, 2025

He urges enterprises to implement Privileged Access Management (PAM) solutions and multi-factor authentication (MFA) and to enforce robust password policies to reduce the risk of account compromise. Prioritize fixing vulnerabilities exploited by Ghost, such as ProxyShell (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207).

Ransomware 113

Ransomware IoT Encryption Social Engineering 113

Malwarebytes

OCTOBER 1, 2024

Ireland’s privacy watchdog Data Protection Commission (DPC) has fined Meta €91M ($101M) after the discovery in 2019 that Meta had stored 600 million Facebook and Instagram passwords in plaintext. Most of these passwords belonged to Facebook Lite users, but it affected other Facebook and Instagram users as well.

Passwords 145

Passwords Data breaches Media Phishing 145

Schneier on Security

MAY 19, 2022

After specifically crawling sites for password leaks in May 2021, the researchers also found 52 websites in which third parties, including the Russian tech giant Yandex, were incidentally collecting password data before submission. The group disclosed their findings to these sites, and all 52 instances have since been resolved.

Passwords 355

Passwords Marketing Data collection 355

Security Affairs

JULY 8, 2024

Threat actors leaked the largest password compilation ever, known as RockYou2024, on a popular hacking forum. The Cybernews researchers reported that threat actors leaked the largest password compilation ever, known as RockYou2024, on a popular hacking forum. billion passwords from various internet data leaks. RockYou2021 had 8.4

Passwords 131

Passwords Data breaches Hacking Accountability 131

Malwarebytes

APRIL 24, 2025

” The transmission of data took place between April 2021 and January 2024. Change your password. You can make a stolen password useless to thieves by changing it. Choose a strong password that you dont use for anything else. Better yet, let a password manager choose one for you. Watch out for fake vendors.

Insurance 123

Insurance Data breaches Passwords Phishing 123

Troy Hunt

JANUARY 17, 2024

Website, username and password: That's just the first 20 rows out of 5 million in that particular file, but it gives you a good sense of the data. The question of how valid the accompanying passwords remain aside, time and time again the email addresses in the stealer logs checked out on the services they appeared alongside.

Passwords 363

Passwords Password Management Hacking Accountability 363

Troy Hunt

SEPTEMBER 3, 2021

let's link back to it here, just for Streisand's sake 🙂) 1 BILLION queries on Pwned Passwords in a month! let's link back to it here, just for Streisand's sake 🙂) 1 BILLION queries on Pwned Passwords in a month! I'm not even sure what the next milestone will be.)

Password Management 288

Password Management Passwords Data breaches 288

Krebs on Security

NOVEMBER 21, 2024

technology companies between 2021 and 2023, including LastPass , MailChimp , Okta , T-Mobile and Twilio. The bot allowed the attackers to use the phished username, password and one-time code to log in as that employee at the real employer website. Image: Amitai Cohen twitter.com/amitaico.

Identity Theft 254

Identity Theft Phishing Cryptocurrency Accountability 254

SecureList

MARCH 12, 2024

Profile of participants and applications We collected the data from a sample of the application security assessment projects our team completed in 2021–2023. Mitigation: do not store files containing sensitive data, such as passwords or backups, in web application publish directories.

Passwords 139

Passwords Authentication Architecture Risk 139

Troy Hunt

MARCH 12, 2021

Home Assistant started telling people not to use Pwned Password, and people got pissed (this is nuts, and it deserved a dedicated blog post) Sponsored by safepass.me: Get a FREE password audit on your Active Directory users with pwncheck from safepass.me. But hey, at least the audio is spot on, hope you enjoy this week's video.

Passwords 294

Passwords IoT Hacking 294

eSecurity Planet

NOVEMBER 29, 2022

Group-IB cybersecurity researchers recently identified several Russian-speaking cybercrime groups offering infostealing malware-as-a-service (MaaS), resulting in the theft of more than 50 million passwords thus far. In 2021, leading targets were PayPal and Amazon login credentials. Don’t save passwords in browser.

Passwords 128

Passwords Cybercrime Malware Marketing 128

Troy Hunt

JANUARY 1, 2021

Ok, so these may not be 2021 breaches but I betcha that by next week's update there'll be brand new ones from the new year to discuss. I'll talk more about the last past of the trip then as well as those all new fresh 2021 data breaches I'm sure we'll have by Friday. It's a new year! With lots of breaches to discuss already ?

Data breaches 333

Data breaches Password Management Scams Passwords 333

Krebs on Security

JANUARY 31, 2025

We caught up with The Manipulaters again in 2021, with a story that found the core employees had started a web coding company in Lahore called WeCodeSolutions — presumably as a way to account for their considerable Heartsender income. “Presumably, these buyers also include Dutch nationals.

Phishing 254

Phishing Cybercrime Advertising Malware 254

eSecurity Planet

MARCH 24, 2025

The compromised database contains approximately 6 million lines of data, including critical assets such as JKS files, encrypted SSO passwords, key files, and enterprise manager JPS keys. Immediate mitigation measures include: Resetting passwords, particularly for privileged LDAP accounts. (region-name).oraclecloud.com),

Risk 120

Risk Passwords Hacking Encryption 120

Malwarebytes

APRIL 29, 2022

CVE-2021-44228 , commonly referred to as Log4Shell or Logjam. The Cybersecurity and Infrastructure Security Agency (CISA) has launched an open source scanner to find applications that are vulnerable to the Log4j vulnerabilities listed as CVE-2021-44228 and CVE-2021-45046. CVE-2021-40539.

Internet 142

Internet Internet Software Authentication 142

Krebs on Security

FEBRUARY 26, 2023

million customers, including website administrator passwords, sFTP credentials, and private SSL keys; -December 2022: Hackers gained access to and installed malware on GoDaddy’s cPanel hosting servers that “intermittently redirected random customer websites to malicious sites.”

Hacking 324

Hacking Social Engineering Phishing Scams 324

Krebs on Security

MARCH 4, 2021

In two of the intrusions, the attackers made off with the forums’ user databases, including email and Internet addresses and hashed passwords. On Tuesday, someone dumped thousands of usernames, email addresses and obfuscated passwords on the dark web apparently pilfered from Mazafaka (a.k.a. ” On Feb.

Cybercrime 364

Cybercrime Hacking Passwords Accountability 364

Krebs on Security

JANUARY 19, 2023

T-Mobile says it is in the process of notifying affected customers, and that no customer payment card data, passwords, Social Security numbers, driver’s license or other government ID numbers were exposed. Last year, T-Mobile agreed to pay $500 million to settle all class action lawsuits stemming from the 2021 breach.

Mobile 336

Mobile Accountability Data breaches Identity Theft 336

Security Affairs

DECEMBER 17, 2024

The threat actors attempted to exploit multiple vulnerabilities in DVRs, including CVE-2017-7921, CVE-2018-9995 , CVE-2020-25078, CVE-2021-33044 , and CVE-2021-36260. Attackers also attempted to exploit weak vendor-supplied passwords.

Architecture 107

Architecture Internet Internet Malware 107

Security Affairs

FEBRUARY 13, 2025

“ Since 2021, Seashell Blizzard’s subgroup has exploited vulnerable infrastructure using scanning tools, evolving TTPs for persistence and lateral movement. Since 2021, Seashell Blizzards subgroup has used web shells for persistence, the group was observed exploiting Microsoft Exchange (CVE-2021-34473) and Zimbra (CVE-2022-41352).

Telecommunications 107

Telecommunications DNS Passwords Hacking 107

Krebs on Security

APRIL 6, 2021

14, 2021 Twitter post from Under the Breach’s Alon Gal , the 533 million Facebook accounts database was first put up for sale back in June 2020, offering Facebook profile data from 100 countries, including name, mobile number, gender, occupation, city, country, and marital status. . — rely on that number for password resets.

Mobile 356

Mobile Accountability Passwords Authentication 356

Malwarebytes

MARCH 25, 2025

In 2023, not only did the company suffer a major data breach , it also placed some of the blame on the victims who, according to 23andMe, negligently recycled and failed to update their passwords. SCAN NOW If your data was exposed in the 23andMe breach, here is what you can do: Change your password. What is happening?

Passwords 115

Passwords Accountability Data breaches Phishing 115

Krebs on Security

SEPTEMBER 2, 2024

agency , a once popular online service that helped attackers intercept the one-time passcodes (OTPs) that many websites require as a second authentication factor in addition to passwords. KrebsOnSecurity profiled OTP Agency in a February 2021 story about arrests tied to another phishing-related service based in the U.K.

Accountability 297

Accountability Banking Passwords Scams 297

SecureWorld News

SEPTEMBER 6, 2023

Not one of them involves passwords. Multi-factor authentication If changing passwords is like the eating your veggies of the security world, multi-factor authentication (MFA) is more like eating fresh fruits. And since MFA already requires an established password, you're already halfway there. And guess what?

Passwords 127

Passwords Encryption Authentication Cyber Attacks 127

Security Affairs

JULY 12, 2022

Microsoft observed a large-scale phishing campaign that used adversary-in-the-middle (AiTM) phishing sites to steal passwords, hijack a user’s sign-in session, and bypass the authentication process even when the victim has enabled the MFA. The post Large-scale AiTM phishing campaign targeted +10,000 orgs since 2021? Pierluigi Paganini.

Phishing 144

Phishing Authentication Social Engineering Passwords 144

Krebs on Security

NOVEMBER 6, 2023

January 2021 posts on Verified show that Fearlless and his partner Universalo purchased the SWAT reshipping business from a Verified member named SWAT, who’d been operating the service for years. Apathyp told the proprietor that his chosen password on the service was “ 12Apathy.” ” But the triploo@mail.ru

Passwords 298

Passwords Cybercrime Accountability Hacking 298

Krebs on Security

NOVEMBER 19, 2021

In reality, the fraudster initiates a transaction — such as the “forgot password” feature on the financial institution’s site — which is what generates the authentication passcode delivered to the member. CFPB-2021-0017 in the subject line of the message. Be sure to include Docket No.

Scams 361

Scams Banking Passwords Authentication 361

SecureWorld News

NOVEMBER 12, 2024

CVE-2023-20198 (Cisco IOS XE Web UI): This vulnerability allows unauthorized users to gain initial access and issue a command to create a local user and password combination, resulting in the ability to log in with standard user access. Malicious cyber actors began exploiting the vulnerability after it was publicly disclosed in December 2021.

Software 113

Software Passwords Cyber threats Risk 113

Troy Hunt

NOVEMBER 28, 2021

pic.twitter.com/IvUt6lBJRr — Troy Hunt (@troyhunt) November 24, 2021 No major things in this weeks update, but plenty of things on all the above topics and more. It's been a busy week with lots of little bits and pieces demanding my attention.

Password Management 295

Password Management IoT Passwords 295

Krebs on Security

APRIL 4, 2023

Several domain names tied to Genesis Market , a bustling cybercrime store that sold access to passwords and other data stolen from millions of computers infected with malicious software, were seized by the Federal Bureau of Investigation (FBI) today. ” a cybercrime forum ad for Genesis enthused. Image: KrebsOnSecurity.

Marketing 362

Marketing Passwords Cybercrime Banking 362

Troy Hunt

JANUARY 28, 2021

Well, it kinda feels like we're back to the new normal that is 2021. I'm home, the kids are back at school and we're all still getting breached. We're breached so much that even when we're not breached but someone says we're breached, it genuinely looks like we're breached.

Password Management 296

Password Management Phishing IoT Data breaches 296