Accountability and Passwords - Cyber Security Informer

Search:

DAY

WEEK

MONTH

YEAR

Dec 07 - Dec 13

Nov 30 - Dec 06

Nov 23 - Nov 29

Nov 16 - Nov 22

Nov 09 - Nov 15

September, 2024

MORE

MORE

MORE

MORE

Select your country:
Sign up | Log in

Accountability

Passwords

article thumbnail

IoT Devices in Password-Spraying Botnet

Schneier on Security

NOVEMBER 6, 2024

Microsoft is warning Azure cloud users that a Chinese controlled botnet is engaging in “highly evasive” password spraying. The low-volume password spray process; for example, monitoring for multiple failed sign-in attempts from one IP address or to one account will not detect this activity.

Passwords IoT Accountability Internet

article thumbnail

National Public Data Published Its Own Passwords

Krebs on Security

AUGUST 19, 2024

KrebsOnSecurity has learned that another NPD data broker which shares access to the same consumer records inadvertently published the passwords to its back-end database in a file that was freely available from its homepage until today. In April, a cybercriminal named USDoD began selling data stolen from NPD.

Passwords Data breaches Accountability Data privacy

Join 28,000+

Insiders

Sign Up for our Newsletter

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Trending Sources

article thumbnail

Cisco Can’t Stop Using Hard-Coded Passwords

Schneier on Security

OCTOBER 11, 2023

There’s a new Cisco vulnerability in its Emergency Responder product: This vulnerability is due to the presence of static user credentials for the root account that are typically reserved for use during development. An attacker could exploit this vulnerability by using the account to log in to an affected system.

Passwords Accountability

article thumbnail

Open Source Pwned Passwords with FBI Feed and 225M New NCA Passwords is Now Live!

Troy Hunt

DECEMBER 19, 2021

In the last month, there were 1,260,000,000 occasions where a service somewhere checked a password against Have I Been Pwned's (HIBP's) Pwned Password API. It looks like this: There are all sorts of amazing Pwned Passwords use cases out there. Fast forward to now and that ingestion pipeline is finally live.

Passwords Cybercrime Accountability Risk

article thumbnail

How Coinbase Phishers Steal One-Time Passwords

Krebs on Security

OCTOBER 13, 2021

A recent phishing campaign targeting Coinbase users shows thieves are getting cleverer about phishing one-time passwords (OTPs) needed to complete the login process. In each case, the phishers manually would push a button that caused the phishing site to ask visitors for more information, such as the one-time password from their mobile app.

Passwords Phishing Accountability Mobile

article thumbnail

Ubiquiti: Change Your Password, Enable 2FA

Krebs on Security

JANUARY 11, 2021

Ubiquiti , a major vendor of cloud-enabled Internet of Things (IoT) devices such as routers, network video recorders, security cameras and access control systems, is urging customers to change their passwords and enable multi-factor authentication. Change your password. In an email sent to customers today, Ubiquiti Inc. Enable 2FA.

Passwords Authentication Firmware Accountability

article thumbnail

Sendgrid Under Siege from Hacked Accounts

Krebs on Security

AUGUST 28, 2020

Email service provider Sendgrid is grappling with an unusually large number of customer accounts whose passwords have been cracked, sold to spammers, and abused for sending phishing and email malware attacks. “And I just am not seeing anything this egregious in terms of viruses and spams from the other email service providers.”

Accountability Hacking Authentication Marketing

article thumbnail

The Wages of Password Re-Use: Your Money or Your Life

Krebs on Security

MAY 4, 2021

When normal computer users fall into the nasty habit of recycling passwords, the result is most often some type of financial loss. Our passwords can say a lot about us, and much of what they have to say is unflattering. Interestingly, one of the more common connections involves re-using or recycling passwords across multiple accounts.

Passwords Cybercrime Accountability Password Management

article thumbnail

Hacking Grindr Accounts with Copy and Paste

Troy Hunt

OCTOBER 2, 2020

The vulnerability allow an attacker to hijack any account. On a surface of it, things looked bad: complete account takeover with a very trivial attack. All I needed was for Scott to create an account and let me know the email address he used which in this case, was test@scotthelme.co.uk. Full account takeover.

Accountability Hacking Passwords InfoSec

article thumbnail

Home Assistant, Pwned Passwords and Security Misconceptions

Troy Hunt

MARCH 10, 2021

Pwned Passwords is a repository of 613M passwords exposed in previous data breaches, which makes them very poor choices for future use. They're totally free and they have a really cool anonymity API that ensures no useful information about the password being searched for is ever exposed.

Passwords IoT Password Management Data breaches

article thumbnail

Passwords Are Terrible (Surprising No One)

Schneier on Security

FEBRUARY 1, 2023

This is the result of a security audit: More than a fifth of the passwords protecting network accounts at the US Department of the Interior—including Password1234, Password1234!, In the first 90 minutes of testing, auditors cracked the hashes for 16 percent of the department’s user accounts. and ChangeItN0w!—were

Passwords Accountability Authentication Government

article thumbnail

‘War Dialing’ Tool Exposes Zoom’s Password Problems

Krebs on Security

APRIL 2, 2020

But without the protection of a password, there’s a decent chance your next Zoom meeting could be “Zoom bombed” — attended or disrupted by someone who doesn’t belong. zWarDial, an automated tool for finding non-password protected Zoom meetings.

Passwords Media Technology Accountability

article thumbnail

The Rise of One-Time Password Interception Bots

Krebs on Security

SEPTEMBER 29, 2021

In February, KrebsOnSecurity wrote about a novel cybercrime service that helped attackers intercept the one-time passwords (OTPs) that many websites require as a second authentication factor in addition to passwords. And all of them operate via Telegram , a cloud-based instant messaging system.

Passwords Mobile Authentication Banking

article thumbnail

Building Password Purgatory with Cloudflare Pages and Workers

Troy Hunt

MARCH 9, 2022

Which led me to a moment of clarity just yesterday as I was pondering revenge tactics and, in a flash of inspiration, came up with the idea of Password Purgatory: purgatory: a place or state of temporary suffering or misery You know how we all hate password complexity criteria? All they have to do first is create a password.

Passwords DNS Accountability Risk

article thumbnail

Facebook, Instagram, TikTok and Twitter Target Resellers of Hacked Accounts

Krebs on Security

FEBRUARY 4, 2021

Facebook, Instagram , TikTok , and Twitter this week all took steps to crack down on users involved in trafficking hijacked user accounts across their platforms. Facebook said it targeted a number of accounts tied to key sellers on OGUsers, as well as those who advertise the ability to broker stolen account sales. THE MIDDLEMEN.

Accountability Hacking Media Mobile

article thumbnail

LastPass: ‘Horse Gone Barn Bolted’ is Strong Password

Krebs on Security

SEPTEMBER 22, 2023

The password manager service LastPass is now forcing some of its users to pick longer master passwords. But critics say the move is little more than a public relations stunt that will do nothing to help countless early adopters whose password vaults were exposed in a 2022 breach at LastPass.

Passwords Encryption Password Management Cryptocurrency

article thumbnail

A Password Manager Isn't Just for Christmas, It's for Life (So Here's 50% Off!)

Troy Hunt

DECEMBER 7, 2021

He's not a techie (he runs a pizza restaurant), but somehow, we ended up talking about passwords. Change the password to one 1Password automatically generates c. Obviously, he still has a heap of accounts to set decent passwords on, but now he knows the pattern and he can repeat that over and over again.

Passwords Password Management Banking Accountability

article thumbnail

Pwned Passwords, Open Source in the.NET Foundation and Working with the FBI

Troy Hunt

MAY 27, 2021

Both these announcements are being made at a time where Pwned Passwords is seeing unprecedented growth: Getting closer and closer to the 1B requests a month mark for @haveibeenpwned 's Pwned Passwords. Speaking of natural fits, Pwned Passwords is perfect for this model and that's why we're starting here.

Passwords Accountability Cybercrime Authentication

article thumbnail

New T-Mobile Breach Affects 37 Million Accounts

Krebs on Security

JANUARY 19, 2023

T-Mobile today disclosed a data breach affecting tens of millions of customer accounts, its second major data exposure in as many years. In a filing with federal regulators, T-Mobile said an investigation determined that someone abused its systems to harvest subscriber data tied to approximately 37 million current customer accounts.

Mobile

Mobile Accountability Data breaches Identity Theft

article thumbnail

Sending Spammers to Password Purgatory with Microsoft Power Automate and Cloudflare Workers KV

Troy Hunt

AUGUST 3, 2022

So, earlier this year I created Password Purgatory with the singular goal of putting spammers through the hellscape that is attempting to satisfy really nasty password complexity criteria. I opened-sourced it, took a bunch of PRs, built out the API to present increasingly inane password complexity criteria then left it at that.

Passwords Accountability

article thumbnail

Hacked Data Broker Accounts Fueled Phony COVID Loans, Unemployment Claims

Krebs on Security

AUGUST 6, 2020

A group of thieves thought to be responsible for collecting millions in fraudulent small business loans and unemployment insurance benefits from COVID-19 economic relief efforts gathered personal data on people and businesses they were impersonating by leveraging several compromised accounts at a little-known U.S.

Accountability Identity Theft Hacking Insurance

article thumbnail

Report: Big U.S. Banks Are Stiffing Account Takeover Victims

Krebs on Security

OCTOBER 7, 2022

consumers have their online bank accounts hijacked and plundered by hackers, U.S. But new data released this week suggests that for some of the nation’s largest banks, reimbursing account takeover victims has become more the exception than the rule. In the case of Zelle scams, the answer is yes. ” UNAUTHORIZED FRAUD.

Banking

Banking Accountability Scams Passwords

article thumbnail

Turn on MFA Before Crooks Do It For You

Krebs on Security

JUNE 19, 2020

Hundreds of popular websites now offer some form of multi-factor authentication (MFA), which can help users safeguard access to accounts when their password is breached or stolen. Both are avid gamers on Microsoft’s Xbox platform, and for years their father managed their accounts via his own Microsoft account.

Authentication Accountability Passwords Mobile

article thumbnail

Failures in Twitter’s Two-Factor Authentication System

Schneier on Security

NOVEMBER 17, 2022

Twitter is having intermittent problems with its two-factor authentication system: Not all users are having problems receiving SMS authentication codes, and those who rely on an authenticator app or physical authentication token to secure their Twitter account may not have reason to test the mechanism. This is not a good sign.

Authentication Passwords Accountability Media

article thumbnail

Recent ‘MFA Bombing’ Attacks Targeting Apple Users

Krebs on Security

MARCH 26, 2024

Several Apple customers recently reported being targeted in elaborate phishing attacks that involve what appears to be a bug in Apple’s password reset feature. “It was like this system notification from Apple to approve [a reset of the account password], but I couldn’t do anything else with my phone.

Passwords Accountability Engineering Phishing

article thumbnail

Inside the Cit0Day Breach Collection

Troy Hunt

NOVEMBER 19, 2020

I'm going to highlight one particular row that used a Mailinator address simply because Mailinator accounts are public email addresses where there is no expectation whatsoever of privacy. txt" had a small number of email address and password hex pairs. The "Rejected.txt" file contained malformed email addresses and "Result(HEX).txt"

Passwords Password Management Accountability Risk

article thumbnail

How Spoutible’s Leaky API Spurted out a Deluge of Personal Data

Troy Hunt

FEBRUARY 4, 2024

They sent me a file with 207k scraped records and a URL that looked like this: [link] But they didn't send me my account, in fact I didn't even have an account at the time and if I'm honest, I had to go and look up exactly what Spoutible was. Is that genuinely a bcrypt hash of my own password?

Passwords Accountability Backups Data breaches

article thumbnail

Service Rents Email Addresses for Account Signups

Krebs on Security

JUNE 6, 2023

One of the most expensive aspects of any cybercriminal operation is the time and effort it takes to constantly create large numbers of new throwaway email accounts. However, far more interesting is their program for rewarding people who choose to sell Kopeechka usernames and passwords for working email addresses.

Accountability Scams Cryptocurrency Advertising

article thumbnail

Chinese threat actors use Quad7 botnet in password-spray attacks

Security Affairs

NOVEMBER 3, 2024

Microsoft warns Chinese threat actors are using the Quad7 botnet to carry out password-spray attacks and steal credentials. Chinese threat actors use the Quad7 botnet in password-spray attacks to steal credentials, Microsoft warns. These routers are used to relay brute-force attacks on Microsoft 365 accounts.

Passwords Wireless VPN Accountability

article thumbnail

Are You One of the 533M People Who Got Facebooked?

Krebs on Security

APRIL 6, 2021

To my mind, this just reinforces the need to remove mobile phone numbers from all of your online accounts wherever feasible. The HaveIBeenPwned project, which collects and analyzes hundreds of database dumps containing information about billions of leaked accounts, has incorporated the data into his service. According to a Jan.

Mobile

Mobile Accountability Passwords Authentication

article thumbnail

Experts Fear Crooks are Cracking Keys Stolen in LastPass Breach

Krebs on Security

SEPTEMBER 5, 2023

In November 2022, the password manager service LastPass disclosed a breach in which hackers stole password vaults containing both encrypted and plaintext data for more than 25 million users. “If you have my seed phrase, you can copy and paste that into your wallet, and then you can see all my accounts. . But on Nov.

Cryptocurrency Passwords Encryption Accountability

article thumbnail

ParkMobile Breach Exposes License Plate Data, Mobile Numbers of 21M Users

Krebs on Security

APRIL 12, 2021

Someone is selling account information for 21 million customers of ParkMobile , a mobile parking app that’s popular in North America. The stolen data includes customer email addresses, dates of birth, phone numbers, license plate numbers, hashed passwords and mailing addresses. The breach comes at a tricky time for ParkMobile.

Mobile

Mobile Passwords Accountability Cybercrime

article thumbnail

How the SolarWinds Hackers Bypassed Duo’s Multi-Factor Authentication

Schneier on Security

DECEMBER 15, 2020

This is interesting : Toward the end of the second incident that Volexity worked involving Dark Halo, the actor was observed accessing the e-mail account of a user via OWA. Logs from the Exchange server showed that the attacker provided username and password authentication like normal but were not challenged for a second factor through Duo.

Authentication Passwords Accountability Network Security

article thumbnail

Analysing the (Alleged) Minneapolis Police Department "Hack"

Troy Hunt

JUNE 1, 2020

I've now seen several versions of the same set of email addresses and passwords albeit with different attribution up the top of the file. In other words, these accounts are breached way more than usual. There are 798 email addresses in the data set but only 689 unique ones.

Hacking

Hacking Passwords Data breaches Accountability

article thumbnail

Microsoft Executives Hacked

Schneier on Security

JANUARY 29, 2024

The investigation indicates they were initially targeting email accounts for information related to Midnight Blizzard itself. Microsoft is reporting that a Russian intelligence agency—the same one responsible for SolarWinds—accessed the email system of the company’s executives.

Hacking

Hacking Accountability Passwords Cybersecurity

article thumbnail

Experian, You Have Some Explaining to Do

Krebs on Security

JULY 10, 2022

Twice in the past month KrebsOnSecurity has heard from readers who’ve had their accounts at big-three credit bureau Experian hacked and updated with a new email address that wasn’t theirs. In both cases the readers used password managers to select strong, unique passwords for their Experian accounts.

Accountability Passwords Authentication Password Management

article thumbnail

When Security Locks You Out of Everything

Schneier on Security

JUNE 28, 2022

Thought experiment story of someone of someone who lost everything in a house fire, and now can’t log into anything: But to get into my cloud, I need my password and 2FA. To get my passwords, I need my 2FA. To get my 2FA, I need my passwords. And, thus, get access to my accounts. I am in cyclic dependency hell.

Passwords Password Management Backups Risk

article thumbnail

Crime Shop Sells Hacked Logins to Other Crime Shops

Krebs on Security

JANUARY 21, 2022

Criminals ripping off other crooks is a constant theme in the cybercrime underworld; Accountz Club’s slogan — “the best autoshop for your favorite shops’ accounts” — just normalizes this activity by making logins stolen from users of various cybercrime shops for sale at a fraction of their account balances.

Hacking

Hacking Cybercrime Authentication Passwords

article thumbnail

Weekly Update 258

Troy Hunt

AUGUST 26, 2021

Lots of little things this week, hoping next week will be the big "hey, Pwned Passwords just passed 1 billion", stay tuned for that one 😊 References You probably should have an OnlyFans account (no, not in the way it sounds like you should.) Is the silver lining of Brexit an end to inane cookie warnings?

Password Management

Password Management Passwords Accountability

article thumbnail

Malicious Office 365 Apps Are the Ultimate Insiders

Krebs on Security

MAY 5, 2021

After a user logs in, the link prompts them to install a malicious but innocuously-named app that gives the attacker persistent, password-free access to any of the user’s emails and files, both of which are then plundered to launch malware and phishing scams against others. Image: Proofpoint.

Accountability Advertising Passwords Phishing

article thumbnail

Data From The Emotet Malware is Now Searchable in Have I Been Pwned, Courtesy of the FBI and NHTCU

Troy Hunt

APRIL 26, 2021

Following the takedown, the FBI reached out and asked if Have I Been Pwned (HIBP) might be a viable means of alerting impacted individuals and companies that their accounts had been affected by Emotet. Change your email account password. Turn on 2 factor authentication wherever available.

Malware

Malware Passwords Banking Password Management

article thumbnail

Warning: Hackers could take over your email account by stealing cookies, even if you have MFA

Malwarebytes

NOVEMBER 5, 2024

The Federal Bureau of Investigation (FBI) has issued a warning that cybercriminals are taking over email accounts via stolen session cookies, allowing them to bypass the multi-factor authentication (MFA) a user has set up. Cybercriminals could use your account to spread spam and phishing emails to your contacts.

Accountability Authentication Malware Banking

article thumbnail

New iPhone Security Features to Protect Stolen Devices

Schneier on Security

DECEMBER 27, 2023

For especially sensitive actions, including changing the password of the Apple ID account associated with the iPhone, the feature adds a security delay on top of biometric authentication. No passcode fallback is available in the event that the user is unable to complete Face ID or Touch ID authentication.

Authentication Passwords Accountability

article thumbnail

The Life Cycle of a Breached Database

Krebs on Security

JULY 29, 2021

Every time there is another data breach, we are asked to change our password at the breached entity. Our continued reliance on passwords for authentication has contributed to one toxic data spill or hack after another.

Passwords Password Management Phishing Scams