Troy Hunt

DECEMBER 19, 2021

In the last month, there were 1,260,000,000 occasions where a service somewhere checked a password against Have I Been Pwned's (HIBP's) Pwned Password API. It looks like this: There are all sorts of amazing Pwned Passwords use cases out there. Fast forward to now and that ingestion pipeline is finally live.

Passwords 363

Passwords Cybercrime Accountability Risk 363

Malwarebytes

FEBRUARY 7, 2025

Post by emirking A translation of the Russian statement by the poster says: When I realized that OpenAI might have to verify accounts in bulk, I understood that my password wouldnt stay hidden. I have more than 20 million access codes to OpenAI accounts. Monitor your account for any unusual activity or unauthorized usage.

Accountability 132

Accountability Phishing Passwords Authentication 132

Krebs on Security

OCTOBER 13, 2021

A recent phishing campaign targeting Coinbase users shows thieves are getting cleverer about phishing one-time passwords (OTPs) needed to complete the login process. In each case, the phishers manually would push a button that caused the phishing site to ask visitors for more information, such as the one-time password from their mobile app.

Passwords 362

Passwords Phishing Accountability Mobile 362

Krebs on Security

JANUARY 7, 2025

Besieged by scammers seeking to phish user accounts over the telephone, Apple and Google frequently caution that they will never reach out unbidden to users this way. The phishers also abused legitimate Google services to send Tony an email from google.com, and to send a Google account recovery prompt to all of his signed-in devices.

Phishing 333

Phishing Cryptocurrency Accountability Social Engineering 333

Schneier on Security

FEBRUARY 1, 2023

This is the result of a security audit: More than a fifth of the passwords protecting network accounts at the US Department of the Interior—including Password1234, Password1234!, In the first 90 minutes of testing, auditors cracked the hashes for 16 percent of the department’s user accounts. and ChangeItN0w!—were

Passwords 286

Passwords Accountability Authentication Government 286

Malwarebytes

JANUARY 15, 2025

Table of contents Overview Criminals impersonate Google Ads Lures hosted on Google Sites Phishing for Google account credentials Victimology Who is behind these campaigns? The scheme consists of stealing as many advertiser accounts as possible by impersonating Google Ads and redirecting victims to fake login pages.

Advertising 134

Advertising Accountability Phishing Scams 134

Troy Hunt

MARCH 9, 2022

Which led me to a moment of clarity just yesterday as I was pondering revenge tactics and, in a flash of inspiration, came up with the idea of Password Purgatory: purgatory: a place or state of temporary suffering or misery You know how we all hate password complexity criteria? All they have to do first is create a password.

Passwords 355

Passwords DNS Accountability Risk 355

Krebs on Security

SEPTEMBER 22, 2023

The password manager service LastPass is now forcing some of its users to pick longer master passwords. But critics say the move is little more than a public relations stunt that will do nothing to help countless early adopters whose password vaults were exposed in a 2022 breach at LastPass.

Passwords 314

Passwords Encryption Password Management Cryptocurrency 314

Troy Hunt

DECEMBER 7, 2021

He's not a techie (he runs a pizza restaurant), but somehow, we ended up talking about passwords. Change the password to one 1Password automatically generates c. Obviously, he still has a heap of accounts to set decent passwords on, but now he knows the pattern and he can repeat that over and over again.

Passwords 349

Passwords Password Management Banking Accountability 349

Krebs on Security

SEPTEMBER 29, 2021

In February, KrebsOnSecurity wrote about a novel cybercrime service that helped attackers intercept the one-time passwords (OTPs) that many websites require as a second authentication factor in addition to passwords. And all of them operate via Telegram , a cloud-based instant messaging system.

Passwords 342

Passwords Mobile Authentication Banking 342

Troy Hunt

MAY 27, 2021

Both these announcements are being made at a time where Pwned Passwords is seeing unprecedented growth: Getting closer and closer to the 1B requests a month mark for @haveibeenpwned 's Pwned Passwords. Speaking of natural fits, Pwned Passwords is perfect for this model and that's why we're starting here.

Passwords 362

Passwords Accountability Cybercrime Authentication 362

Troy Hunt

AUGUST 3, 2022

So, earlier this year I created Password Purgatory with the singular goal of putting spammers through the hellscape that is attempting to satisfy really nasty password complexity criteria. I opened-sourced it, took a bunch of PRs, built out the API to present increasingly inane password complexity criteria then left it at that.

Passwords 363

Passwords Accountability 363

Krebs on Security

JANUARY 19, 2023

T-Mobile today disclosed a data breach affecting tens of millions of customer accounts, its second major data exposure in as many years. In a filing with federal regulators, T-Mobile said an investigation determined that someone abused its systems to harvest subscriber data tied to approximately 37 million current customer accounts.

Mobile 335

Mobile Accountability Data breaches Identity Theft 335

Schneier on Security

FEBRUARY 19, 2025

Authentication through device code flow is designed for logging printers, smart TVs, and similar devices into accounts. These devices typically don’t support browsers, making it difficult to sign in using more standard forms of authentication, such as entering user names, passwords, and two-factor mechanisms.

Phishing 225

Phishing Authentication Accountability Passwords 225

Krebs on Security

NOVEMBER 1, 2024

Booking.com said it now requires 2FA , which forces partners to provide a one-time passcode from a mobile authentication app (Pulse) in addition to a username and password. Booking.com did not respond to questions about that, and its current account security advice urges customers to enable 2FA.

Phishing 255

Phishing Accountability Artificial Intelligence Cybercrime 255

Krebs on Security

OCTOBER 7, 2022

consumers have their online bank accounts hijacked and plundered by hackers, U.S. But new data released this week suggests that for some of the nation’s largest banks, reimbursing account takeover victims has become more the exception than the rule. In the case of Zelle scams, the answer is yes. ” UNAUTHORIZED FRAUD.

Banking 285

Banking Accountability Scams Passwords 285

Malwarebytes

FEBRUARY 14, 2025

The data contains names, email addresses, usernames, passwords, phone numbers, addresses, company names, and additional personal information. Now, a cybercriminal using the monicker Jurak, leaked sensitive information related to roughly 12 million accounts, which allegedly stems from a breach that happened last year. Take your time.

Accountability 82

Accountability Data breaches Passwords Phishing 82

Krebs on Security

NOVEMBER 21, 2024

The bot allowed the attackers to use the phished username, password and one-time code to log in as that employee at the real employer website. The phishing kits used for these campaigns featured a hidden Telegram instant message bot that forwarded any submitted credentials in real-time. Click to enlarge.

Identity Theft 245

Identity Theft Phishing Cryptocurrency Accountability 245

Krebs on Security

MARCH 14, 2025

In this scam, dubbed “ ClickFix ,” the visitor to a hacked or malicious website is asked to distinguish themselves from bots by pressing a combination of keyboard keys that causes Microsoft Windows to download password-stealing malware. Executing this series of keypresses prompts Windows to download password-stealing malware.

Phishing 247

Phishing Malware Scams Passwords 247

Schneier on Security

NOVEMBER 17, 2022

Twitter is having intermittent problems with its two-factor authentication system: Not all users are having problems receiving SMS authentication codes, and those who rely on an authenticator app or physical authentication token to secure their Twitter account may not have reason to test the mechanism. This is not a good sign.

Authentication 363

Authentication Passwords Accountability Media 363

Security Boulevard

NOVEMBER 10, 2024

Your internet account passwords are probably among the most guarded pieces of information you retain in your brain. With everything that has recently migrated to the digital realm, a secure password functions as the deadbolt to your private data.

Passwords 64

Passwords Accountability Internet Internet 64

eSecurity Planet

FEBRUARY 25, 2025

In a recent cybersecurity development, threat actors exploited weak security practices by targeting Microsoft accounts that lack two-factor authentication (2FA). As discussed on WindowsForum, this “password spray and pray” attack highlights the importance of robust authentication measures.

Passwords 59

Passwords Authentication Accountability Threat Detection 59

Malwarebytes

FEBRUARY 11, 2025

They dont crack into password managers or spy on passwords entered for separate apps. If enough victims unwittingly send their passwords, the cyber thieves may even bundle the login credentials for sale on the dark web. The requests are bogus and simply a method for harvesting passwords.

Phishing 128

Phishing Passwords Mobile Authentication 128

Krebs on Security

MARCH 26, 2024

Several Apple customers recently reported being targeted in elaborate phishing attacks that involve what appears to be a bug in Apple’s password reset feature. “It was like this system notification from Apple to approve [a reset of the account password], but I couldn’t do anything else with my phone.

Passwords 357

Passwords Accountability Engineering Phishing 357

Security Boulevard

JANUARY 29, 2025

Old accounts are often unmaintained and forgotten - which can be problematic when you want to "clean up" some of your digital footprint by deleting them or go back to secure them with stronger passwords/MFA. How do you find these old accounts when your recollection isn't enough? Some methods may be more effective for some users.

Accountability 52

Accountability Password Management Data breaches Passwords 52

The Last Watchdog

OCTOBER 10, 2024

Where a traditional threat intelligence or investigations tool may provide a small number of records directly correlated to the search input, IDLink expands the pool of results to include identity data correlated across shared usernames, emails, passwords, and PII – with flexible options around pivoting depth, confidence levels, and visualization.

Risk 286

Risk Cybercrime Identity Theft Phishing 286

Krebs on Security

FEBRUARY 4, 2025

The email address used for those accounts was f.grimpe@gmail.com. Constella says that email address is tied to a Twitter/X account for Shoppy Ecommerce in Israel. Indeed, both StarkRDP and FloraiN have posted to their accounts on Telegram that there were no charges levied against the proprietors of 1337 Services GmbH.

eCommerce 197

eCommerce Cybercrime Accountability Passwords 197

Hacker's King

DECEMBER 26, 2024

If your account falls into the wrong hands, it can lead to the loss of personal memories, private messages, or even a damaged online reputation. While hacking attempts continue to evolve, so do the strategies to secure your account. Unlike passwords or codes, biometric data is unique to you and cannot be easily replicated.

Accountability 52

Accountability Hacking Social Engineering Passwords 52

Security Affairs

OCTOBER 29, 2024

The two infostealers allowed operators to harvest usernames, passwords, contact info, and crypto-wallets from victims, the threat actors sold this data to criminals for financial theft and hacking. Use a password manager : Simplifies managing strong, unique passwords across accounts.

Identity Theft 127

Identity Theft Passwords Malware Banking 127

Krebs on Security

SEPTEMBER 5, 2023

In November 2022, the password manager service LastPass disclosed a breach in which hackers stole password vaults containing both encrypted and plaintext data for more than 25 million users. “If you have my seed phrase, you can copy and paste that into your wallet, and then you can see all my accounts. . But on Nov.

Cryptocurrency 360

Cryptocurrency Passwords Encryption Accountability 360

Hacker's King

DECEMBER 25, 2024

However, its immense popularity has made it a target for malicious actors seeking unauthorized access to user accounts. Tools designed for password cracking often exploit weak security practices, but understanding these methods is vital for safeguarding your account. Weak or simple passwords are particularly vulnerable.

Passwords 52

Passwords Social Engineering Accountability Scams 52

Krebs on Security

JANUARY 21, 2022

Criminals ripping off other crooks is a constant theme in the cybercrime underworld; Accountz Club’s slogan — “the best autoshop for your favorite shops’ accounts” — just normalizes this activity by making logins stolen from users of various cybercrime shops for sale at a fraction of their account balances.

Hacking 338

Hacking Cybercrime Passwords Authentication 338

Security Affairs

FEBRUARY 4, 2025

The investigation revealed that attackers had compromised an account associated with a third-party provider of support services. Then GrubHub locked out the attackers and removed the hacked account. Upon discovery, we promptly launched an investigation, identifying unauthorized access to an account associated with this provider.”

Data breaches 116

Data breaches Passwords Accountability Hacking 116

Troy Hunt

FEBRUARY 4, 2024

They sent me a file with 207k scraped records and a URL that looked like this: [link] But they didn't send me my account, in fact I didn't even have an account at the time and if I'm honest, I had to go and look up exactly what Spoutible was. Is that genuinely a bcrypt hash of my own password?

Passwords 363

Passwords Accountability Backups Data breaches 363

Krebs on Security

FEBRUARY 26, 2025

At the end of 2023, malicious hackers learned that many companies had uploaded sensitive customer records to accounts at the cloud data storage service Snowflake that were protected with little more than a username and password (no multi-factor authentication needed).

Hacking 232

Hacking Government Identity Theft Accountability 232

eSecurity Planet

NOVEMBER 6, 2024

Transcript Cookie theft is a cyberattack where hackers exploit session data stored in cookies, like login credentials, to gain unauthorized access to your accounts. Though cookies themselves don’t steal passwords, they can be hijacked to access sensitive data. In this video, we’ll show you how to stay safe.

Identity Theft 111

Identity Theft Passwords Phishing Accountability 111

Malwarebytes

FEBRUARY 25, 2025

Losing data related to a financial account can have severe consequences. If you find an app from this family or another information stealer on your device, there are a few guidelines to follow to limit the damage: Change your password. You can make a stolen password useless to thieves by changing it.

Passwords 145

Passwords Password Management Phishing Authentication 145