Troy Hunt

MAY 20, 2022

Data breaches, 3D printing and passwords - just the usual variety of things this week. More specifically, that really cool Pwned Passwords downloader that I know a bunch of people have been waiting on, and now we've finally released.

Passwords 59

Passwords Data breaches 59

Security Affairs

JANUARY 5, 2024

The MyEstatePoint Property Search app leaked data on nearly half a million of its users, exposing their names and plain-text passwords, the Cybernews research team has found. The app, developed by NJ Technologies, an India-based software developer, has over half a million downloads on the Google Play store and mainly serves the Indian market.

Passwords 142

Passwords Identity Theft Mobile Technology 142

Troy Hunt

NOVEMBER 19, 2020

txt" had a small number of email address and password hex pairs. I mean can we trust that both the email addresses and passwords from these alleged breaches represent actual accounts on those services? txt" and true to its name, it appears from the forgotten password email that they were never even hashed in the first place.

Passwords 363

Passwords Password Management Accountability Risk 363

Troy Hunt

AUGUST 29, 2023

Further, the passwords from the malware will shortly be searchable in the Pwned Passwords service which can either be checked online or via the API. Pwned Passwords is presently requested 5 and a half billion times each month to help organisations prevent people from using known compromised passwords.

Malware 325

Malware Passwords Password Management Antivirus 325

Troy Hunt

MAY 29, 2024

unique passwords provided by law enforcement agencies into Have I Been Pwned (HIBP) following botnet takedowns in a campaign they've coined Operation Endgame. The only data we've been provided with is email addresses and disassociated password hashes, that is they don't appear alongside a corresponding address.

Passwords 325

Passwords Password Management Data breaches Cybercrime 325

The Hacker News

SEPTEMBER 14, 2023

A download manager site served Linux users malware that stealthily stole passwords and other sensitive information for more than three years as part of a supply chain attack. The modus operandi entailed establishing a reverse shell to an actor-controlled server and installing a Bash stealer on the compromised system.

Malware 141

Malware Passwords 141

Krebs on Security

SEPTEMBER 19, 2024

Those who clicked the link for details were asked to distinguish themselves from bots by pressing a combination of keyboard keys that causes Microsoft Windows to download password-stealing malware. Executing this series of keypresses prompts the built-in Windows Powershell to download password-stealing malware.

Phishing 320

Phishing Scams Malware Passwords 320

Krebs on Security

SEPTEMBER 13, 2023

USDoD claimed they grabbed the data by using passwords stolen from a Turkish airline employee who had third-party access to Airbus’ systems. So take special care when downloading software to ensure that you are in fact getting the program from the original, legitimate source whenever possible.

Cybercrime 323

Cybercrime Passwords Authentication Malware 323

Security Affairs

SEPTEMBER 14, 2023

Researchers discovered a free download manager site that has been compromised to serve Linux malware to users for more than three years. Researchers from Kaspersky discovered a free download manager site that has been compromised to serve Linux malware. org subdomain. org subdomain. ” reported Kasperksy. freedownloadmanager[.]org

Malware 139

Malware Software Cryptocurrency Passwords 139

Malwarebytes

NOVEMBER 2, 2023

At Malwarebytes we’ve been telling people for years not to reuse passwords, and that a password manager is a secure way of remembering all the passwords you need for your online accounts. But we also know that a password manager can be overwhelming, especially when you’re just getting started. Encryption.

Passwords 144

Passwords Password Management Data breaches Authentication 144

Malwarebytes

OCTOBER 7, 2024

which includes a fix for a bug that could allow a user’s saved passwords to be read aloud by its VoiceOver feature. Unfortunately, that also included an audible description of a user’s saved passwords, effectively reading aloud someone’s passwords. Apple has issued security updates for iOS 18.0.1

Passwords 136

Passwords Mobile Software Risk 136

Troy Hunt

JUNE 30, 2022

Four and a half years ago now, I rolled out version 2 of HIBP's Pwned Passwords that implemented a really cool k-anonymity model courtesy of the brains at Cloudflare. Actually, the multiple problems, the first of which is that it's just way too fast for storing user passwords in an online system.

Passwords 309

Passwords Identity Theft Consumer Services Password Management 309

Malwarebytes

NOVEMBER 29, 2023

A new study that examines the current state of password policies across the internet shows that many of the most popular websites allow users to create weak passwords. For the Georgia Tech study , the researchers designed an algorithm that automatically determined a website’s password policy.

Passwords 141

Passwords Password Management Authentication Internet 141

Schneier on Security

DECEMBER 17, 2020

About 18,000 private and government users downloaded a Russian tainted software update –­ a Trojan horse of sorts ­– that gave its hackers a foothold into victims’ systems, according to SolarWinds, the company whose software was compromised. The New York Times has more details. That last sentence is important, yes.

Software 361

Software Passwords Cybercrime Government 361

Malwarebytes

DECEMBER 12, 2023

As if password authentication’s coffin needed any more nails, researchers in the UK have discovered yet another way to hammer one in. For example, when typing a password, people will regularly hide their screen but will do little to obfuscate their keyboard’s sound.

Passwords 145

Passwords Artificial Intelligence Password Management Cybercrime 145

NetSpi Technical

NOVEMBER 14, 2024

Running PowerHuntShares I’ve provided more details on the GitHub page, but PowerHuntShares is a simple PowerShell script that can be downloaded and run using PowerShell 5.1 Download PowerHuntShares here. You can download the template file here , and then use it to search for things you care about using the command below.

Passwords 145

Passwords Risk Data collection Backups 145

Bleeping Computer

JULY 24, 2024

Google Chrome now warns when downloading risky password-protected files and provides improved alerts with more information about potentially malicious downloaded files. [.]

Passwords 104

Passwords 104

Troy Hunt

APRIL 5, 2023

In its simplest form, the illegal data marketplace has long involved the exchange of currency for personal records containing attributes such as email addresses, passwords, names, etc. We block known breached passwords. So, we (the good guys) adapt and build better defences. We implement two factor authentication.

Marketing 352

Marketing Passwords Authentication Accountability 352

Security Affairs

DECEMBER 8, 2023

An Android app with over 100k Google Play downloads and a 4.5-star Barcode to Sheet has over 100k downloads on the Google Play store and focuses on e-commerce clients. Meanwhile, user passwords were stored in the MD5 hash format. star average rating has let an open instance go unchecked, leaving sensitive user data up for grabs.

Passwords 138

Passwords Identity Theft Phishing Hacking 138

Malwarebytes

DECEMBER 12, 2023

As if password authentication’s coffin needed any more nails, researchers in the UK have discovered yet another way to hammer one in. For example, when typing a password, people will regularly hide their screen but will do little to obfuscate their keyboard’s sound.

Passwords 141

Passwords Artificial Intelligence Password Management Cybercrime 141

Malwarebytes

FEBRUARY 27, 2024

But modern devices aren’t so faulty that an errant mobile app download can lead to full device control or the complete revelation of all your private details, like your email, social media, and banking logins. Keep threats off your devices by downloading Malwarebytes today. So, what’s a cybercriminal to do?

Banking 145

Banking Passwords Accountability Malware 145

Krebs on Security

MARCH 12, 2020

In one scheme, an interactive dashboard of Coronavirus infections and deaths produced by John Hopkins University is being used in malicious Web sites (and possibly spam emails) to spread password-stealing malware. “Loader can predownload only map and payload will be loaded after the map is launched to show map faster to users. .”

Malware 364

Malware Passwords Cybercrime Software 364

Krebs on Security

FEBRUARY 19, 2020

The disclosure comes almost a year after Citrix acknowledged that digital intruders had broken in by probing its employee accounts for weak passwords. How would your organization hold up to a password spraying attack? As the Citrix hack shows, if you don’t know you should probably check, and then act on the results accordingly.

VPN 360

VPN Passwords Software Telecommunications 360

Troy Hunt

APRIL 10, 2020

this was just super good fun, it's now all hooked up to Alexa too) Pwned Passwords is getting bigger and bigger (more than half a billion queries in a month now) I hate spam and I hate being asked to link to spammy articles (but I love the outcome of this blog post!) Download the guide by Duo Security.

Passwords 284

Passwords 284

Schneier on Security

MAY 23, 2022

A 4-digit application PIN (which gets set during the initial onboarding when a user first instals the application) is the encryption password used to protect or encrypt the licence data. This file is encrypted using AES-256-CBC encryption combined with Base64 encoding.

Encryption 307

Encryption Backups Passwords 307

Krebs on Security

DECEMBER 1, 2022

When a support technician wants to use it to remotely administer a computer, the ConnectWise website generates an executable file that is digitally signed by ConnectWise and downloadable by the client via a hyperlink. ” A composite of screenshots researcher Ken Pyle put together to illustrate the ScreenConnect vulnerability.

Phishing 284

Phishing Architecture Passwords Accountability 284

Daniel Miessler

MAY 14, 2020

Use unique, strong passwords, and store them in a password manager. Many people get hacked from having guessable or previously compromised passwords. Good passwords are long, random, and unique to each account, which means it’s impossible for a human to manage them on their own. Automatic Logins Using Lastpass.

Risk 345

Risk Password Management Passwords Accountability 345

Krebs on Security

JULY 12, 2024

AT&T also acknowledged the customer records were exposed in a cloud database that was protected only by a username and password (no multi-factor authentication needed). Earlier this year, AT&T reset passwords for millions of customers after the company finally acknowledged a data breach from 2018 involving approximately 7.6

Data breaches 336

Data breaches Passwords Authentication Accountability 336

The Hacker News

JULY 24, 2024

Google said it's adding new security warnings when downloading potentially suspicious and malicious files via its Chrome web browser. "We

Passwords 141

Passwords 141

Troy Hunt

JANUARY 23, 2022

Immediately, I knew what this correlated to - the launch of the Pwned Passwords ingestion pipeline for the FBI along with hundreds of millions of new passwords provided by the NCA. By now, I was starting to get a pretty good idea of what was chewing up the bandwidth: the downloadable hashes in Pwned Passwords.

Passwords 363

Passwords Accountability Firewall Risk 363

Troy Hunt

DECEMBER 25, 2022

Hope yours has been amazing too, see you from home next week 😊 References LastPass has added an update re their recent security incident (if keychains have been downloaded - even fully encrypted ones - that's bad news) Personally, I quite like the public view count on all tweets (if you dislike it just purely because it was introduced (..)

Password Management 245

Password Management Encryption Passwords 245

Troy Hunt

MAY 14, 2022

I'll leave you with this tweet which was a bit of a highlight for me, having Ari alongside me at the event and watching his enthusiasm being part of the industry I love 😊 At #AusCERT with Ari for “take your son to work” day 🙂 I’m up next on stream 2 at 14:45 talking about Pwned Passwords, the FBI, the NCA and (..)

Passwords 232

Passwords 232

Krebs on Security

DECEMBER 2, 2020

The hack was acknowledged by the forum’s current administrator, who assured members that their passwords were protected with a password obfuscation technology that was extremely difficult to crack. In the wake of both incidents, the compromised OGUsers databases were made available for public download.

Accountability 326

Accountability Hacking Scams Media 326

Krebs on Security

MARCH 23, 2022

22, Microsoft said it interrupted the LAPSUS$ group’s source code download before it could finish, and that it was able to do so because LAPSUS$ publicly discussed their illicit access on their Telegram channel before the download could complete. In a blog post published Mar.

Social Engineering 327

Social Engineering Accountability Mobile Passwords 327

Krebs on Security

FEBRUARY 28, 2024

The file that Doug ran is a simple Apple Script (file extension “ scpt”) that downloads and executes a malicious trojan made to run on macOS systems. But Doug does still have a copy of the malicious script that was downloaded from clicking the meeting link (the online host serving that link is now offline).

Malware 309

Malware Cryptocurrency Software Phishing 309

The Last Watchdog

DECEMBER 6, 2021

For IT leaders, passwords no longer cut it. Every new account you sign up for, application you download, or device you purchase requires a password. Every new account you sign up for, application you download, or device you purchase requires a password. Lowering password use. So why are they still around?

Authentication 251

Authentication Passwords Mobile Phishing 251

Krebs on Security

APRIL 15, 2024

“I use Android, which has a pretty simple workflow for downloading and decompiling the APK apps,” Brown told KrebsOnSecurity. “Given that I am pretty picky about what I trust on my devices, I downloaded Chirp and after decompiling, found that they were storing passwords and private key strings in a file.”

Software 325

Software Mobile Marketing Engineering 325