Accountability, Blog and Passwords - Cyber Security Informer

National Public Data Published Its Own Passwords

Krebs on Security

AUGUST 19, 2024

KrebsOnSecurity has learned that another NPD data broker which shares access to the same consumer records inadvertently published the passwords to its back-end database in a file that was freely available from its homepage until today. But once we can, we will [be] with you, as we follow your blog. Very informative.”

Passwords

Passwords Data breaches Accountability Data privacy

Open Source Pwned Passwords with FBI Feed and 225M New NCA Passwords is Now Live!

Troy Hunt

DECEMBER 19, 2021

In the last month, there were 1,260,000,000 occasions where a service somewhere checked a password against Have I Been Pwned's (HIBP's) Pwned Password API. It looks like this: There are all sorts of amazing Pwned Passwords use cases out there. Fast forward to now and that ingestion pipeline is finally live.

Passwords

Passwords Cybercrime Accountability Risk

Home Assistant, Pwned Passwords and Security Misconceptions

Troy Hunt

MARCH 10, 2021

Pwned Passwords is a repository of 613M passwords exposed in previous data breaches, which makes them very poor choices for future use. They're totally free and they have a really cool anonymity API that ensures no useful information about the password being searched for is ever exposed.

Passwords

Passwords IoT Password Management Data breaches

‘War Dialing’ Tool Exposes Zoom’s Password Problems

Krebs on Security

APRIL 2, 2020

But without the protection of a password, there’s a decent chance your next Zoom meeting could be “Zoom bombed” — attended or disrupted by someone who doesn’t belong. zWarDial, an automated tool for finding non-password protected Zoom meetings.

Passwords

Passwords Media Technology Accountability

The Rise of One-Time Password Interception Bots

Krebs on Security

SEPTEMBER 29, 2021

In February, KrebsOnSecurity wrote about a novel cybercrime service that helped attackers intercept the one-time passwords (OTPs) that many websites require as a second authentication factor in addition to passwords. And all of them operate via Telegram , a cloud-based instant messaging system.

Passwords

Passwords Mobile Authentication Banking

Building Password Purgatory with Cloudflare Pages and Workers

Troy Hunt

MARCH 9, 2022

Last month as part of my blog post on How Everything We're Told About Website Identity Assurance is Wrong , I spun up a Cloudflare Pages website for the first time and hosted digicert-secured.com there (the page has a seal on it so you know you can trust it). All they have to do first is create a password.

Passwords

Passwords DNS Accountability Risk

Facebook, Instagram, TikTok and Twitter Target Resellers of Hacked Accounts

Krebs on Security

FEBRUARY 4, 2021

Facebook, Instagram , TikTok , and Twitter this week all took steps to crack down on users involved in trafficking hijacked user accounts across their platforms. Facebook said it targeted a number of accounts tied to key sellers on OGUsers, as well as those who advertise the ability to broker stolen account sales. THE MIDDLEMEN.

Accountability

Accountability Hacking Media Mobile

LastPass: ‘Horse Gone Barn Bolted’ is Strong Password

Krebs on Security

SEPTEMBER 22, 2023

The password manager service LastPass is now forcing some of its users to pick longer master passwords. But critics say the move is little more than a public relations stunt that will do nothing to help countless early adopters whose password vaults were exposed in a 2022 breach at LastPass.

Passwords

Passwords Encryption Password Management Cryptocurrency

Sending Spammers to Password Purgatory with Microsoft Power Automate and Cloudflare Workers KV

Troy Hunt

AUGUST 3, 2022

So, earlier this year I created Password Purgatory with the singular goal of putting spammers through the hellscape that is attempting to satisfy really nasty password complexity criteria. I opened-sourced it, took a bunch of PRs, built out the API to present increasingly inane password complexity criteria then left it at that.

Passwords

Passwords Accountability

Pwned Passwords, Open Source in the.NET Foundation and Working with the FBI

Troy Hunt

MAY 27, 2021

Both these announcements are being made at a time where Pwned Passwords is seeing unprecedented growth: Getting closer and closer to the 1B requests a month mark for @haveibeenpwned 's Pwned Passwords. Speaking of natural fits, Pwned Passwords is perfect for this model and that's why we're starting here.

Passwords

Passwords Accountability Cybercrime Authentication

Fintech Startup Offers $500 for Payroll Passwords

Krebs on Security

MAY 10, 2021

One financial startup that’s targeting the gig worker market is offering up to $500 to anyone willing to hand over the payroll account username and password given to them by their employer, plus a regular payment for each month afterwards in which those credentials still work. This ad, from workplaceunited[.]com,

Passwords

Passwords Mobile Accountability Marketing

I've Just Launched "Pwned Passwords" V2 With Half a Billion Passwords for Download

Troy Hunt

FEBRUARY 21, 2018

Last August, I launched a little feature within Have I Been Pwned (HIBP) I called Pwned Passwords. This was a list of 320 million passwords from a range of different data breaches which organisations could use to better protect their own systems. Here's what it's all about: There's Now 501,636,842 Pwned Passwords.

Passwords

Passwords Data breaches Mobile Risk

GUEST ESSAY: Until we eliminate passwords, follow these 4 sure steps to password hygiene

The Last Watchdog

NOVEMBER 22, 2021

With so much critical data now stored in the cloud, how can people protect their accounts? Until biometrics or a quantum solution change our everyday approach to encryption, passwords remain our first line of defense against data breaches, hackers, and thieves. Proper password hygiene doesn’t require a degree in rocket science.

Passwords

Passwords Password Management Accountability Data breaches

Pwned Passwords, Version 5

Troy Hunt

JULY 8, 2019

Almost 2 years ago to the day, I wrote about Passwords Evolved: Authentication Guidance for the Modern Era. Shortly after that blog post I launched Pwned Passwords with 306M passwords from previous breach corpuses. 3,768,890 passwords. 3,768,890 passwords.

Passwords

Passwords Accountability Authentication Data breaches

Beyond Passwords: 2FA, U2F and Google Advanced Protection

Troy Hunt

NOVEMBER 14, 2018

Last week I wrote a couple of different pieces on passwords, firstly about why we're going to be stuck with them for a long time yet and then secondly, about how we all bear some responsibility for making good password choices. This week, I wanted to focus on going beyond passwords and talk about 2FA.

Passwords

Passwords Authentication Accountability Mobile

Ad Network Sizmek Probes Account Breach

Krebs on Security

MARCH 13, 2019

[ NASDAQ: SZMK ] says it is investigating a security incident in which a hacker was reselling access to a user account with the ability to modify ads and analytics for a number of big-name advertisers. He acknowledged that the purloined account had the ability to add or modify the advertising creatives that get run on customer ad campaigns.

Accountability

Accountability Passwords Advertising Penetration Testing

Enhancing Pwned Passwords Privacy with Padding

Troy Hunt

MARCH 4, 2020

Since launching version 2 of Pwned Passwords with the k-anonymity model just over 2 years ago now, the thing has really gone nuts (read that blog post for background otherwise nothing from here on will make much sense). They could be searching for any password whose SHA-1 hash begins with those characters. Very slick!

Passwords

Passwords Data breaches Risk Encryption

Banks, Arbitrary Password Restrictions and Why They Don't Matter

Troy Hunt

SEPTEMBER 17, 2019

Allow me to be controversial for a moment: arbitrary password restrictions on banks such as short max lengths and disallowed characters don't matter. Also, allow me to argue with myself for a moment: banks shouldn't have these restrictions in place anyway. 6 characters. for my *online banking*.

Banking

Banking Passwords Accountability Authentication

A Breach, or Just a Forced Password Reset?

Krebs on Security

DECEMBER 4, 2018

Software giant Citrix Systems recently forced a password reset for many users of its Sharefile content collaboration service, warning it would be doing this on a regular basis in response to password-guessing attacks that target people who re-use passwords across multiple Web sites. periodically). .” periodically).

Passwords

Passwords Authentication Accountability Password Management

GUEST ESSAY: Why automating distribution of strong passwords to employees is wise to do

The Last Watchdog

APRIL 28, 2022

Passwords have become ubiquitous with digital. The humble password is nothing more than a digital key that opens a door. And they use passwords to open a device, a system, an account, a file and so on. Which begs the question: why do people create their own passwords? Related: The coming of passwordless access.

Passwords

Passwords Encryption Phishing Social Engineering

GUEST ESSAY: Understanding the security limits of the static and dynamic passwords we rely on

The Last Watchdog

JANUARY 31, 2022

We all rely on passwords. For better or worse, we will continue to use passwords to access our computing devices and digital services for years to come. Related : The coming of password-less access. Passwords were static to begin with. They have since been modified in two directions: biometrics and dynamic passwords.

Passwords

Passwords Computers and Electronics Password Management Artificial Intelligence

I've Joined the 1Password Board of Advisers

Troy Hunt

OCTOBER 29, 2020

Almost a decade ago now, I wrote what would become one of my most career-defining blog posts: The Only Secure Password is the One You Can't Remember. I had come to the realisation that I simply had too many accounts across too many systems to ever have any chance of creating decent unique passwords I could remember.

Password Management

Password Management Passwords Software Accountability

Experts Fear Crooks are Cracking Keys Stolen in LastPass Breach

Krebs on Security

SEPTEMBER 5, 2023

In November 2022, the password manager service LastPass disclosed a breach in which hackers stole password vaults containing both encrypted and plaintext data for more than 25 million users. “If you have my seed phrase, you can copy and paste that into your wallet, and then you can see all my accounts. . But on Nov.

Cryptocurrency

Cryptocurrency Passwords Encryption Accountability

Analysing the (Alleged) Minneapolis Police Department "Hack"

Troy Hunt

JUNE 1, 2020

I've now seen several versions of the same set of email addresses and passwords albeit with different attribution up the top of the file. In other words, these accounts are breached way more than usual. There are 798 email addresses in the data set but only 689 unique ones.

Hacking

Hacking Passwords Data breaches Accountability

Inside the Massive Naz.API Credential Stuffing List

Troy Hunt

JANUARY 17, 2024

It's usually something to the effect of "hey, have you seen the Spotify breach", to which I politely reply with a link to my old No, Spotify Wasn't Hacked blog post (it's just the output of a small set of credentials successfully tested against their service), and we all move on. Until the Naz.API list appeared.

Passwords

Passwords Password Management Hacking Accountability

How BeerAdvocate Learned They'd Been Pwned

Troy Hunt

JULY 21, 2020

This comes as no surprise to regular followers, nor should it come as a surprise that I maintain an Untappd account, logging my beer experiences as I (used to ??) Someone had registered a new Netflix account with my email / password associated with my BeerAdvocate account. Not even a password manager. I love beer.

Passwords

Passwords Accountability Password Management Backups

Expanding the Have I Been Pwned Volunteer Community

Troy Hunt

JUNE 8, 2021

Ever notice how there was a massive gap of almost 9 months between announcing the intention to start open sourcing Have I Been Pwned (HIBP) in August last year and then finally a couple of weeks ago, actually taking the first step with Pwned Passwords ? I was pretty excited when I saw PRs coming in right after launching that last blog post.

Passwords

Passwords Accountability

Can We Stop Pretending SMS Is Secure Now?

Krebs on Security

MARCH 16, 2021

Lucky225 showed how anyone could do the same after creating an account at a service called Sakari , a company that helps celebrities and businesses do SMS marketing and mass messaging. From there, the attacker can reset the password of any account which uses that phone number for password reset links.

Telecommunications

Telecommunications Mobile Accountability Wireless

Seized Genesis Market Data is Now Searchable in Have I Been Pwned, Courtesy of the FBI and "Operation Cookie Monster"

Troy Hunt

APRIL 5, 2023

Specific guidance prepared by the FBI in conjunction with the Dutch police on further steps you can take to protect yourself are detailed at the end of this blog post on the gold background. We block known breached passwords. Or that "data is the currency of the digital economy"? We implement two factor authentication.

Marketing

Marketing Passwords Authentication Accountability

Trezor’s Twitter account hijacked by cryptocurrency scammers via bogus Calendly invite

Graham Cluley

MARCH 27, 2024

Hardware wallet manufacturer Trezor has explained how its Twitter account was compromised - despite it having sensible security precautions in place, such as strong passwords and multi-factor authentication. Read more in my article on the Hot for Security blog.

Accountability

Accountability Cryptocurrency Manufacturing Passwords

The 773 Million Record "Collection #1" Data Breach

Troy Hunt

JANUARY 16, 2019

Collection #1 is a set of email addresses and passwords totalling 2,692,818,238 rows. In total, there are 1,160,253,228 unique combinations of email addresses and passwords. This is when treating the password as case sensitive but the email address as not case sensitive. There are 21,222,975 unique passwords. It'll be 99.x%

Data breaches

Data breaches Passwords Password Management Accountability

GoDaddy Employees Used in Attacks on Multiple Cryptocurrency Services

Krebs on Security

NOVEMBER 21, 2020

And in May of this year, GoDaddy disclosed that 28,000 of its customers’ web hosting accounts were compromised following a security incident in Oct. “This gave the actor the ability to change DNS records and in turn, take control of a number of internal email accounts. . 2019 that wasn’t discovered until April 2020.

Cryptocurrency

Cryptocurrency VPN Scams Social Engineering

To Infinity and Beyond, with Cloudflare Cache Reserve

Troy Hunt

MARCH 9, 2023

that was out of a total of more than 166M requests in the same period: Yep, we just hit "five nines" of cache hit ratio on Pwned Passwords being 99.999%. It also means that the 48c per day cost is going to come way down 🙂 Every time the FBI feeds new passwords into the service , the impacted file is purged from cache.

Passwords

Passwords Accountability

More SolarWinds News

Schneier on Security

FEBRUARY 3, 2021

Details are in the Microsoft blog: We have published our in-depth analysis of the Solorigate backdoor malware (also referred to as SUNBURST by FireEye), the compromised DLL that was deployed on networks as part of SolarWinds products, that allowed attackers to gain backdoor access to affected devices.

Computers and Electronics

Computers and Electronics Malware Software Government

Police forces pipe 225 million pwned passwords into ‘Have I Been Pwned?’

Malwarebytes

DECEMBER 21, 2021

On his blog , Troy Hunt has announced a major milestone in the ‘Have I Been Pwned?’ This enormous injection of used passwords has puffed up the world’s largest publicly available password database by 38%, according to Hunt. If it says a password you use has breached, you know to never use it again. Have I Been Pwned?’.

Passwords

Passwords Password Management Authentication Data breaches

How 1-Time Passcodes Became a Corporate Liability

Krebs on Security

AUGUST 30, 2022

Those who submitted credentials were then prompted to provide the one-time password needed for multi-factor authentication. In a blog post earlier this month, Cloudflare said it detected the account takeovers and that no Cloudflare systems were compromised. Image: Cloudflare.com. 2, and Aug. ” On July 28 and again on Aug.

Mobile

Mobile Phishing Authentication Accountability

Ukraine warns of attacks aimed at taking over Telegram accounts

Security Affairs

APRIL 6, 2022

Ukraine’s technical security and intelligence service warns of threat actors targeting aimed at gaining access to users’ Telegram accounts. State Service of Special Communication and Information Protection (SSSCIP) of Ukraine spotted a new wave of cyber attacks aimed at gaining access to users’ Telegram accounts.

Accountability

Accountability Phishing Passwords Hacking

A firsthand perspective on the recent LinkedIn account takeover campaign

Malwarebytes

SEPTEMBER 1, 2023

Not long ago I wrote about a recent campaign to hold LinkedIn users' accounts to ransom. His story begins with an SMS text from LinkedIn telling him to reset his password. He found this confusing: It arrived in the middle of the night, and he hadn't asked for a password reset. Rest assured, we're doing our best to assist you!

Accountability

Accountability Passwords Mobile Authentication

GoTrim Botnet Goes After WordPress Admin Accounts

Heimadal Security

DECEMBER 14, 2022

GoTrim, a new Go-based botnet malware, scans the internet for WordPress websites and attempts to brute force the administrator’s password and take control of the site. The post GoTrim Botnet Goes After WordPress Admin Accounts appeared first on Heimdal Security Blog. GoTrim […].

Accountability

Accountability Passwords Internet Internet

Gift Card Gang Extracts Cash From 100k Inboxes Daily

Krebs on Security

SEPTEMBER 2, 2021

For the past three years, the source — we’ll call him “Bill” to preserve his requested anonymity — has been watching one group of threat actors that is mass-testing millions of usernames and passwords against the world’s major email providers each day. Why go after hotel or airline rewards?

Accountability

Accountability Authentication Passwords Hacking

A Closer Look at the LAPSUS$ Data Extortion Group

Krebs on Security

MARCH 23, 2022

In a blog post published Mar. Our investigation has found a single account had been compromised, granting limited access. “LAPSUS$ currently does not operate a clearnet or darknet leak site or traditional social media accounts—it operates solely via Telegram and email,” Flashpoint wrote in an analysis of the group.

Social Engineering

Social Engineering Accountability Mobile Passwords

Facebook Security Bug Affects 90M Users

Krebs on Security

SEPTEMBER 28, 2018

Facebook said today some 90 million of its users may get forcibly logged out of their accounts after the company fixed a rather glaring security vulnerability in its Web site that may have let attackers hijack user profiles. That page also has an option to force a simultaneous logout of all devices connected to your account.

Accountability

Accountability Passwords Data breaches

Google Cybersecurity Action Team Threat Horizons Report #6 Is Out!

Anton on Security

APRIL 13, 2023

This is my completely informal, uncertified, unreviewed and otherwise completely unofficial blog inspired by my reading of our sixth Threat Horizons Report ( full version ) that we just released ( the official blog for #1 report , my unofficial blogs for #2 , #3 , #4 and #5 ). You can have fun in the cloud!

Cybersecurity

Cybersecurity Passwords Accountability Ransomware

Uncovering & Remediating Dormant Account Risk

Duo's Security Blog

SEPTEMBER 5, 2024

Before diving into the specifics of dormant accounts, it's important to take a step back and discuss a prerequisite: gaining cross-platform visibility into identity and access management data. And finally, individual users often have multiple accounts (Gmail, Yahoo, etc.) Why are dormant accounts a risk?

Accountability

Accountability Risk Passwords Authentication

National Public Data Published Its Own Passwords

Open Source Pwned Passwords with FBI Feed and 225M New NCA Passwords is Now Live!

Trending Sources

Home Assistant, Pwned Passwords and Security Misconceptions

‘War Dialing’ Tool Exposes Zoom’s Password Problems

The Rise of One-Time Password Interception Bots

Building Password Purgatory with Cloudflare Pages and Workers

Facebook, Instagram, TikTok and Twitter Target Resellers of Hacked Accounts

LastPass: ‘Horse Gone Barn Bolted’ is Strong Password

Sending Spammers to Password Purgatory with Microsoft Power Automate and Cloudflare Workers KV

Pwned Passwords, Open Source in the.NET Foundation and Working with the FBI

Fintech Startup Offers $500 for Payroll Passwords

I've Just Launched "Pwned Passwords" V2 With Half a Billion Passwords for Download

GUEST ESSAY: Until we eliminate passwords, follow these 4 sure steps to password hygiene

Pwned Passwords, Version 5

Beyond Passwords: 2FA, U2F and Google Advanced Protection

Ad Network Sizmek Probes Account Breach

Enhancing Pwned Passwords Privacy with Padding

Banks, Arbitrary Password Restrictions and Why They Don't Matter

A Breach, or Just a Forced Password Reset?

GUEST ESSAY: Why automating distribution of strong passwords to employees is wise to do

GUEST ESSAY: Understanding the security limits of the static and dynamic passwords we rely on

I've Joined the 1Password Board of Advisers

Experts Fear Crooks are Cracking Keys Stolen in LastPass Breach

Analysing the (Alleged) Minneapolis Police Department "Hack"

Inside the Massive Naz.API Credential Stuffing List

How BeerAdvocate Learned They'd Been Pwned

Expanding the Have I Been Pwned Volunteer Community

Can We Stop Pretending SMS Is Secure Now?

Seized Genesis Market Data is Now Searchable in Have I Been Pwned, Courtesy of the FBI and "Operation Cookie Monster"

Trezor’s Twitter account hijacked by cryptocurrency scammers via bogus Calendly invite

The 773 Million Record "Collection #1" Data Breach

GoDaddy Employees Used in Attacks on Multiple Cryptocurrency Services

To Infinity and Beyond, with Cloudflare Cache Reserve

More SolarWinds News

Police forces pipe 225 million pwned passwords into ‘Have I Been Pwned?’

How 1-Time Passcodes Became a Corporate Liability

Ukraine warns of attacks aimed at taking over Telegram accounts

A firsthand perspective on the recent LinkedIn account takeover campaign

GoTrim Botnet Goes After WordPress Admin Accounts

Gift Card Gang Extracts Cash From 100k Inboxes Daily

A Closer Look at the LAPSUS$ Data Extortion Group

Facebook Security Bug Affects 90M Users

Google Cybersecurity Action Team Threat Horizons Report #6 Is Out!

Uncovering & Remediating Dormant Account Risk

Stay Connected