Krebs on Security

AUGUST 19, 2024

KrebsOnSecurity has learned that another NPD data broker which shares access to the same consumer records inadvertently published the passwords to its back-end database in a file that was freely available from its homepage until today. In April, a cybercriminal named USDoD began selling data stolen from NPD.

Passwords 357

Passwords Data breaches Accountability Data privacy 357

Schneier on Security

OCTOBER 11, 2023

This is not the first time Cisco products have had hard-coded passwords made public. A successful exploit could allow the attacker to log in to the affected system and execute arbitrary commands as the root user. You’d think it would learn.

Passwords 361

Passwords Accountability 361

Troy Hunt

FEBRUARY 25, 2025

We've also added 244M passwords we've never seen before to Pwned Passwords and updated the counts against another 199M that were already in there. The file in the image above contained over 36 million rows of data consisting of website URLs and the email addresses and passwords entered into them.

Passwords 338

Passwords Accountability VPN Malware 338

Security Affairs

JANUARY 15, 2025

A previously unknown threat actor released config files and VPN passwords for Fortinet FortiGate devices on a popular cybercrime forum. A previously unknown threat actor named Belsen Group published configuration files and VPN passwords for over 15,000 Fortinet FortiGate appliances. “2025 will be a fortunate year for the world.

VPN 128

VPN Passwords Firewall Firmware 128

NetSpi Technical

NOVEMBER 14, 2024

Username domainuser -Password password Note: I’ve tried to provide time stamps and output during run-time, so you know what it’s doing. Hopefully the functionality will help people better understand where there may be risk of password exposure, data exposure, or command execution. They are all run automatically.

Passwords 145

Passwords Risk Data collection Backups 145

Security Boulevard

DECEMBER 18, 2024

The post Ground Rule of Cyber Hygiene: Keep Your Password Policy Up to Date appeared first on Security Boulevard. Research shows that most organizations and users fail to follow the simple practices that make computing safe. In 2024, organizations reported a.

Passwords 116

Passwords Internet Internet 116

Tech Republic Security

FEBRUARY 13, 2025

Hackers can crack weak passwords in seconds, while strong ones may take years. Learn about the time to crack your password and boost security.

Passwords 198

Passwords Password Management 198

Krebs on Security

JANUARY 7, 2025

In the first step of the attack, they peppered the target’s Apple device with notifications from Apple by attempting to reset his password. The target told Michael that someone was trying to change his password, which Michael calmly explained they would investigate. “Password is changed,” the man said.

Phishing 337

Phishing Cryptocurrency Accountability Social Engineering 337

eSecurity Planet

FEBRUARY 25, 2025

As discussed on WindowsForum, this “password spray and pray” attack highlights the importance of robust authentication measures. Understanding the password spray and pray attack Attackers employing this technique use a list of common passwords, attempting them across numerous Microsoft accounts in rapid succession.

Passwords 59

Passwords Authentication Accountability Threat Detection 59

The Last Watchdog

OCTOBER 23, 2024

Tip 2: Implementing Strong Password Policies Weak passwords can be easily compromised, giving attackers access to sensitive systems and data. LastPass reports that 80% of all hacking-related breaches leveraged either stolen and/or weak passwords.

Small Business 162

Small Business Data breaches Backups Passwords 162

Krebs on Security

MARCH 14, 2025

In this scam, dubbed “ ClickFix ,” the visitor to a hacked or malicious website is asked to distinguish themselves from bots by pressing a combination of keyboard keys that causes Microsoft Windows to download password-stealing malware. Executing this series of keypresses prompts Windows to download password-stealing malware.

Phishing 246

Phishing Malware Scams Passwords 246

Schneier on Security

SEPTEMBER 18, 2023

Remember last November, when hackers broke into the network for LastPass—a password database—and stole password vaults with both encrypted and plaintext data for over 25 million users? Look, I know that online password databases are more convenient. This is why my Password Safe is local only. (I

Cryptocurrency 333

Cryptocurrency Hacking Passwords Encryption 333

Malwarebytes

FEBRUARY 25, 2025

If you find an app from this family or another information stealer on your device, there are a few guidelines to follow to limit the damage: Change your password. You can make a stolen password useless to thieves by changing it. Choose a strong password that you dont use for anything else. Enable two-factor authentication (2FA).

Passwords 145

Passwords Password Management Phishing Authentication 145

Troy Hunt

MAY 29, 2024

unique passwords provided by law enforcement agencies into Have I Been Pwned (HIBP) following botnet takedowns in a campaign they've coined Operation Endgame. The only data we've been provided with is email addresses and disassociated password hashes, that is they don't appear alongside a corresponding address.

Passwords 338

Passwords Password Management Data breaches Cybercrime 338

Troy Hunt

JANUARY 17, 2024

Website, username and password: That's just the first 20 rows out of 5 million in that particular file, but it gives you a good sense of the data. The question of how valid the accompanying passwords remain aside, time and time again the email addresses in the stealer logs checked out on the services they appeared alongside.

Passwords 359

Passwords Password Management Hacking Accountability 359

Malwarebytes

FEBRUARY 11, 2025

They dont crack into password managers or spy on passwords entered for separate apps. If enough victims unwittingly send their passwords, the cyber thieves may even bundle the login credentials for sale on the dark web. The requests are bogus and simply a method for harvesting passwords.

Phishing 129

Phishing Passwords Mobile Authentication 129

Krebs on Security

SEPTEMBER 5, 2023

In November 2022, the password manager service LastPass disclosed a breach in which hackers stole password vaults containing both encrypted and plaintext data for more than 25 million users. 15, 2022, LastPass said an investigation into the August breach determined the attacker did not access any customer data or password vaults.

Cryptocurrency 361

Cryptocurrency Passwords Encryption Accountability 361

Troy Hunt

NOVEMBER 13, 2024

As I said, our IT department recently notified me that some of my data was leaked and a pre-emptive password reset was enforced as they didn't know what was leaked.    It would be good to see it as an informational notification in case there's an increase in attack attempts against my email address.

Data breaches 294

Data breaches Passwords B2B Technology 294

Troy Hunt

FEBRUARY 4, 2024

That's not unprecedented, but this is: password: "$2y$10$B0EhY/bQsa5zUYXQ6J.NkunGvUfYeVOH8JM1nZwHyLPBagbVzpEM2", No way! Is that genuinely a bcrypt hash of my own password? Yep, that's exactly what it is : The Spoutible API enabled any user to retrieve the bcrypt hash of any other user's password.

Passwords 363

Passwords Accountability Backups Data breaches 363

Schneier on Security

FEBRUARY 19, 2025

These devices typically don’t support browsers, making it difficult to sign in using more standard forms of authentication, such as entering user names, passwords, and two-factor mechanisms. Authentication through device code flow is designed for logging printers, smart TVs, and similar devices into accounts.

Phishing 218

Phishing Authentication Accountability Passwords 218

Krebs on Security

MARCH 26, 2024

Several Apple customers recently reported being targeted in elaborate phishing attacks that involve what appears to be a bug in Apple’s password reset feature. “It was like this system notification from Apple to approve [a reset of the account password], but I couldn’t do anything else with my phone.

Passwords 359

Passwords Accountability Engineering Phishing 359

Malwarebytes

FEBRUARY 21, 2025

In recent news, security researcher Jeremiah Fowler, who specializes in finding unprotected databases, uncovered a non-password-protected database that contained over 1.6 Change your password. You can make a stolen password useless to thieves by changing it. Choose a strong password that you dont use for anything else.

Healthcare 115

Healthcare Data breaches Passwords Phishing 115

Troy Hunt

AUGUST 30, 2023

Data accumulated by the malicious activity spanned from October 2022 until just last week.

Phishing 346

Phishing Password Management Passwords Banking 346

Krebs on Security

MARCH 7, 2025

In September 2023, KrebsOnSecurity published findings from security researchers who concluded that a series of six-figure cyberheists across dozens of victims resulted from thieves cracking master passwords stolen from the password manager service LastPass in 2022. In a court filing…

Password Management 254

Password Management Hacking Passwords 254

Security Affairs

OCTOBER 29, 2024

The two infostealers allowed operators to harvest usernames, passwords, contact info, and crypto-wallets from victims, the threat actors sold this data to criminals for financial theft and hacking. Use a password manager : Simplifies managing strong, unique passwords across accounts.

Identity Theft 123

Identity Theft Passwords Malware Banking 123

Security Affairs

MARCH 10, 2025

This aligns with prior findings that cybercriminals cracked master passwords from LastPass to carry out major heists. DoJ, threat actors may have used private keys extracted by cracking the victim’s password vault stolen from the 2022 security breach suffered by an online password manager. ” reads the complaint.

Password Management 85

Password Management Cryptocurrency Passwords Data breaches 85

Security Affairs

OCTOBER 11, 2024

31M records breached The breach exposed user records including email addresses, screen names and bcrypt password hashes. HIBP confirmed that the stolen archive had 31M records, including email address, screen name, bcrypt password hash, and timestamps for password changes. Internet Archive hacked.

Data breaches 119

Data breaches Internet Internet DDOS 119

Adam Shostack

JANUARY 2, 2025

The bank unexpectedly sent me a temporary password to sign up, and when I did, the temporary password had expired. But then, after I went to reset the password, the bank emailed me a one time code. Which is a fine practice, and brings me to the question: Why expire the first passwords at all? Why make it harder?

Banking 130

Banking Passwords Password Management Authentication 130

Malwarebytes

JANUARY 27, 2025

Change your password. You can make a stolen password useless to thieves by changing it. Choose a strong password that you dont use for anything else. Better yet, let a password manager choose one for you. Some forms of two-factor authentication (2FA) can be phished just as easily as a password.

Data breaches 126

Data breaches Healthcare Passwords Insurance 126

Security Affairs

FEBRUARY 4, 2025

.” Compromised data include names, emails, phone numbers, partial card info for some campus diners, and hashed passwords from legacy systems. The company reset affected passwords. The data breach did not expose passwords, merchant logins, full card numbers, bank details, or Social Security numbers.

Data breaches 113

Data breaches Passwords Accountability Hacking 113

Penetration Testing

NOVEMBER 11, 2024

This issue arises from an insecure initial password... The post Unpatched Epson Devices at Risk: CVE-2024-47295 Allows Easy Hijacking appeared first on Cybersecurity News.

Risk 123

Risk Passwords Cybersecurity 123

Schneier on Security

JANUARY 9, 2024

The malware captures any PINs and passwords the victim enters to unlock their device and can later use them to unlock the device at will to perform malicious activities hidden from view.

Malware 318

Malware Banking Passwords Authentication 318

eSecurity Planet

NOVEMBER 6, 2024

Though cookies themselves don’t steal passwords, they can be hijacked to access sensitive data. Adopt Strong Password Policies Promote the use of strong, unique passwords and enforce regular password updates. Then, invalidate active sessions, update passwords and security keys, and then refresh the website software.

Identity Theft 111

Identity Theft Passwords Phishing Accountability 111

Krebs on Security

JUNE 15, 2024

.” In a SIM-swapping attack, crooks transfer the target’s phone number to a device they control and intercept any text messages or phone calls sent to the victim — including one-time passcodes for authentication, or password reset links sent via SMS.

Hacking 331

Hacking Phishing Cybercrime Passwords 331

Schneier on Security

JANUARY 18, 2024

After 175 million failed password guesses, a judge rules that the Canadian police must return a suspect’s phone. Judge] Carter said the investigation can continue without the phones, and he noted that Ottawa police have made a formal request to obtain more data from Google.

Passwords 308

Passwords 308

Schneier on Security

DECEMBER 27, 2023

For especially sensitive actions, including changing the password of the Apple ID account associated with the iPhone, the feature adds a security delay on top of biometric authentication. No passcode fallback is available in the event that the user is unable to complete Face ID or Touch ID authentication.

Authentication 335

Authentication Passwords Accountability 335

Krebs on Security

NOVEMBER 12, 2024

Satnam Narang , senior staff research engineer at Tenable , says the danger with stolen NTLM hashes is that they enable so-called “pass-the-hash” attacks, which let an attacker masquerade as a legitimate user without ever having to log in or know the user’s password.

Authentication 256

Authentication Engineering Malware Passwords 256