Troy Hunt

MARCH 9, 2022

Which led me to a moment of clarity just yesterday as I was pondering revenge tactics and, in a flash of inspiration, came up with the idea of Password Purgatory: purgatory: a place or state of temporary suffering or misery You know how we all hate password complexity criteria? All they have to do first is create a password.

Passwords 345

Passwords DNS Accountability Risk 345

Krebs on Security

AUGUST 5, 2019

If you bank online and choose weak or re-used passwords, there’s a decent chance your account could be pilfered by cyberthieves — even if your bank offers multi-factor authentication as part of its login process. Crooks are constantly probing bank Web sites for customer accounts protected by weak or recycled passwords.

Banking 258

Banking Passwords Risk Accountability 258

Troy Hunt

FEBRUARY 21, 2018

Last August, I launched a little feature within Have I Been Pwned (HIBP) I called Pwned Passwords. This was a list of 320 million passwords from a range of different data breaches which organisations could use to better protect their own systems. Here's what it's all about: There's Now 501,636,842 Pwned Passwords.

Passwords 279

Passwords Data breaches Mobile Risk 279

Troy Hunt

NOVEMBER 14, 2018

Last week I wrote a couple of different pieces on passwords, firstly about why we're going to be stuck with them for a long time yet and then secondly, about how we all bear some responsibility for making good password choices. This week, I wanted to focus on going beyond passwords and talk about 2FA.

Passwords 256

Passwords Authentication Accountability Mobile 256

Krebs on Security

MARCH 13, 2019

[ NASDAQ: SZMK ] says it is investigating a security incident in which a hacker was reselling access to a user account with the ability to modify ads and analytics for a number of big-name advertisers. He acknowledged that the purloined account had the ability to add or modify the advertising creatives that get run on customer ad campaigns.

Accountability 230

Accountability Passwords Advertising Penetration Testing 230

Krebs on Security

MAY 7, 2022

Apple , Google and Microsoft announced this week they will soon support an approach to authentication that avoids passwords altogether, and instead requires users to merely unlock their smartphones to sign in to websites or online services. “I worry about forgotten password recovery for cloud accounts.”

Passwords 262

Passwords Authentication Accountability Mobile 262

Krebs on Security

JANUARY 7, 2020

Late last year saw the re-emergence of a nasty phishing tactic that allows the attacker to gain full access to a user’s data stored in the cloud without actually stealing the account password. The phishing lure starts with a link that leads to the real login page for a cloud email and/or file storage service.

Phishing 276

Phishing Passwords Accountability Authentication 276

Troy Hunt

SEPTEMBER 17, 2019

Allow me to be controversial for a moment: arbitrary password restrictions on banks such as short max lengths and disallowed characters don't matter. Also, allow me to argue with myself for a moment: banks shouldn't have these restrictions in place anyway. This just feels wrong but I can’t come up with a strong argument against it.

Banking 234

Banking Passwords Accountability Authentication 234

Schneier on Security

DECEMBER 15, 2020

This is interesting : Toward the end of the second incident that Volexity worked involving Dark Halo, the actor was observed accessing the e-mail account of a user via OWA. Logs from the Exchange server showed that the attacker provided username and password authentication like normal but were not challenged for a second factor through Duo.

Authentication 358

Authentication Passwords Accountability Network Security 358

Krebs on Security

OCTOBER 7, 2022

consumers have their online bank accounts hijacked and plundered by hackers, U.S. But new data released this week suggests that for some of the nation’s largest banks, reimbursing account takeover victims has become more the exception than the rule. In the case of Zelle scams, the answer is yes. ” UNAUTHORIZED FRAUD.

Banking 292

Banking Accountability Scams Passwords 292

Troy Hunt

JUNE 1, 2020

I've now seen several versions of the same set of email addresses and passwords albeit with different attribution up the top of the file. In other words, these accounts are breached way more than usual. There are 798 email addresses in the data set but only 689 unique ones.

Hacking 364

Hacking Passwords Data breaches Accountability 364

Troy Hunt

FEBRUARY 4, 2024

They sent me a file with 207k scraped records and a URL that looked like this: [link] But they didn't send me my account, in fact I didn't even have an account at the time and if I'm honest, I had to go and look up exactly what Spoutible was. Is that genuinely a bcrypt hash of my own password?

Passwords 363

Passwords Accountability Backups Data breaches 363

Schneier on Security

APRIL 2, 2020

million people: At this point, we believe that the following information may have been involved, although not all of this information was present for every guest involved: Contact Details (e.g., name, mailing address, email address, and phone number) Loyalty Account Information (e.g., linked airline loyalty programs and numbers).

Hacking 258

Hacking Accountability Data breaches Government 258

Malwarebytes

FEBRUARY 27, 2024

For the most popular operating system in the world—which is Android and it isn’t even a contest —there’s a sneaky cyberthreat that can empty out a person’s bank accounts to fill the illicit coffers of cybercriminals. The ATS framework uses the harvested credentials to initiate unauthorized money transfers to accounts held by the attacker.

Banking 145

Banking Passwords Accountability Malware 145

Krebs on Security

JULY 29, 2021

Every time there is another data breach, we are asked to change our password at the breached entity. Our continued reliance on passwords for authentication has contributed to one toxic data spill or hack after another.

Passwords 362

Passwords Password Management Phishing Scams 362

Penetration Testing

DECEMBER 13, 2023

LDAPWordlistHarvester A tool to generate a wordlist from the information present in LDAP, in order to crack non-random passwords of domain accounts. ... The post LDAPWordlistHarvester: generate a wordlist from the information present in LDAP appeared first on Penetration Testing.

Penetration Testing 111

Penetration Testing Passwords Accountability 111

CSO Magazine

AUGUST 30, 2021

Enterprise-class password managers have become one of the easiest and most cost-effective ways to help employees lock down their online accounts. Learn 12 tips for effectively presenting cybersecurity to the board and 6 steps for building a robust incident response plan. Sign up for CSO newsletters. ].

Password Management 145

Password Management Passwords CSO Accountability 145

Troy Hunt

JANUARY 16, 2019

Collection #1 is a set of email addresses and passwords totalling 2,692,818,238 rows. In total, there are 1,160,253,228 unique combinations of email addresses and passwords. This is when treating the password as case sensitive but the email address as not case sensitive. There are 21,222,975 unique passwords. It'll be 99.x%

Data breaches 280

Data breaches Passwords Password Management Accountability 280

Krebs on Security

FEBRUARY 19, 2020

The disclosure comes almost a year after Citrix acknowledged that digital intruders had broken in by probing its employee accounts for weak passwords. Resecurity also presented evidence that it notified Citrix of the breach as early as Dec. How would your organization hold up to a password spraying attack?

VPN 360

VPN Passwords Software Telecommunications 360

The Last Watchdog

MAY 24, 2022

This is one giant leap towards getting rid of passwords entirely. Excising passwords as the security linchpin to digital services is long, long overdue. Password abuse at scale arose shortly after the decision got made in the 1990s to make shared secrets the basis for securing digital connections. Our brains just won’t do it.”.

Authentication 342

Authentication Passwords Banking Digital transformation 342

Troy Hunt

APRIL 5, 2023

In its simplest form, the illegal data marketplace has long involved the exchange of currency for personal records containing attributes such as email addresses, passwords, names, etc. We block known breached passwords. So, we (the good guys) adapt and build better defences. We implement two factor authentication. It was that simple.

Marketing 352

Marketing Passwords Authentication Accountability 352

Daniel Miessler

MARCH 10, 2022

In that post we talked about 8 levels of password security, starting from using shared and weak passwords and going all the way up to passwordless. A growing percentage of malware packages now include prompts for not only a username and password, but also an MFA code. The answer is remarkably simple, actually— phishing.

Authentication 364

Authentication Phishing Passwords Accountability 364

Krebs on Security

SEPTEMBER 28, 2018

Facebook said today some 90 million of its users may get forcibly logged out of their accounts after the company fixed a rather glaring security vulnerability in its Web site that may have let attackers hijack user profiles. That page also has an option to force a simultaneous logout of all devices connected to your account.

Accountability 265

Accountability Passwords Data breaches 265

Duo's Security Blog

NOVEMBER 20, 2023

Security professionals agree that passwords are low hanging fruit for cybercriminals and can even be the keys to the kingdom when the compromised passwords belong to privileged accounts. Add to this, the risks of weak authentication factors such as SMS one-time passcodes and dormant or inactive accounts.

Threat Detection 134

Threat Detection Authentication Accountability Data breaches 134

Krebs on Security

MARCH 17, 2019

Illegal SIM swaps allow fraudsters to hijack a target’s phone’s number and use it to steal financial data, passwords, cryptocurrencies and other items of value from victims. “But from that site’s side, when they see a password reset come in via that phone number, they have no way to know if that’s me.

Accountability 264

Accountability Passwords Mobile Banking 264

Malwarebytes

MAY 17, 2022

A security researcher has disclosed how he chained together multiple bugs in order to take over Facebook accounts that were linked to a Gmail account. Linked accounts. Linked accounts were invented to make logging in easier. Linked accounts were invented to make logging in easier. How to unlink accounts.

Accountability 144

Accountability Passwords 144

Krebs on Security

JULY 21, 2021

Ann Billings was dating Mr. Herring and was present when the police surrounded his home. Herring said her husband — who was killed by people who wanted to steal his account — had a habit of registering new Instagram usernames as presents for friends and family members who’d just had children.

Accountability 358

Accountability Media Wireless Passwords 358

Krebs on Security

JUNE 1, 2023

According to cyber intelligence firm Intel 471 , Megatraffer has been active on more than a half-dozen crime forums from September 2009 to the present day. That same email address also is tied to two forum accounts for a user with the handle “ O.R.Z.” user account — this one on Verified[.]ru account on Carder[.]su

Malware 283

Malware Cybercrime Software Accountability 283

Krebs on Security

DECEMBER 1, 2022

While modern Microsoft Windows operating systems by default will ask users whether they want to run a downloaded executable file, many systems set up for remote administration by MSPs disable that user account control feature for this particular application. build and the then-canary 22.9

Phishing 284

Phishing Architecture Passwords Accountability 284

Krebs on Security

JULY 2, 2021

But there is a similarly serious zero-day flaw present in a much broader range of newer Western Digital MyCloud network storage devices that will remain unfixed for many customers who can’t or won’t upgrade to the latest operating system. The researchers said Western Digital never responded to their reports.

Firmware 359

Firmware Passwords Internet Internet 359

Krebs on Security

AUGUST 16, 2018

An entrepreneur and virtual currency investor is suing AT&T for $224 million, claiming the wireless provider was negligent when it failed to prevent thieves from hijacking his mobile account and stealing millions of dollars in cryptocurrencies. On June 11, 2017, Terpin’s phone went dead. A copy of his complaint is here (PDF).

Mobile 249

Mobile Cryptocurrency Accountability Authentication 249

Malwarebytes

AUGUST 6, 2024

Men report facing more pressure than women—and more threats of retaliation—to grant access to their locations and online accounts when in a committed relationship, according to a new analysis of data released this summer by Malwarebytes. That rate was 12% for women.

Accountability 140

Accountability Education Media Passwords 140

Troy Hunt

FEBRUARY 26, 2018

Today, however, I came across something a bit different by way of a story from last week titled 3,000 Databases with 200 Million Unique accounts found on Dark Web. Almost all the files are just email addresses and plain text passwords (the occasional file has a username that's not an email address and a password).

Data breaches 240

Data breaches Passwords Accountability Password Management 240

Krebs on Security

AUGUST 3, 2020

A California company that helps telemarketing firms avoid getting sued for violating a federal law that seeks to curb robocalls has leaked the phone numbers, email addresses and passwords of all its customers, as well as the mobile phone numbers and other data on people who have hired lawyers to go after telemarketers.

Mobile 337

Mobile Marketing Consumer Protection Wireless 337

Krebs on Security

JULY 13, 2020

Data Viper , a security startup that provides access to some 15 billion usernames, passwords and other information exposed in more than 8,000 website breaches, has itself been hacked and its user database posted online. Password re-use becomes orders of magnitude more dangerous when website developers engage in this unsafe practice.

Hacking 354

Hacking Marketing Cybercrime Accountability 354

Krebs on Security

MAY 12, 2022

On May 8, KrebsOnSecurity received a tip that hackers obtained a username and password for an authorized user of esp.usdoj.gov , which is the Law Enforcement Inquiry and Alerts (LEIA) system managed by the DEA.

Government 302

Government Authentication Passwords Mobile 302

Krebs on Security

NOVEMBER 6, 2018

Snippets from that fascinating conversation are recounted below, and punctuated by accounts from a recent victim who lost more than $100,000 after his mobile phone number was hijacked. Soon after, the attackers were able to use their control over his mobile number to reset his Gmail account password.

Mobile 243

Mobile Cryptocurrency Accountability Passwords 243