SecureList

MAY 30, 2025

Most common published exploits Distribution of published exploits by platform, Q4 2024 ( download ) Distribution of published exploits by platform, Q1 2025 ( download ) In the first quarter of 2025, operating systems among the most complex types of software continued to account for the highest number of published exploits.

Software 95

Software Malware Authentication Accountability 95

Schneier on Security

DECEMBER 18, 2020

The NSA has published an advisory outlining how “malicious cyber actors” are “are manipulating trust in federated authentication environments to access protected data in the cloud.” From the summary : Malicious cyberactors are abusing trust in federated authentication environments to access protected data.

Authentication 363

Authentication Hacking Accountability Cybersecurity 363

Krebs on Security

FEBRUARY 10, 2020

Justice Department today unsealed indictments against four Chinese officers of the People’s Liberation Army (PLA) accused of perpetrating the 2017 hack against consumer credit bureau Equifax that led to the theft of personal data on nearly 150 million Americans. ” A copy of the indictment is available here.

Hacking 337

Hacking Identity Theft Government Accountability 337

Krebs on Security

MARCH 10, 2020

FBI officials last week arrested a Russian computer security researcher on suspicion of operating deer.io , a vast marketplace for buying and selling stolen account credentials for thousands of popular online services and stores. also is a favored marketplace for people involved in selling phony social media accounts.

Accountability 359

Accountability Hacking Advertising Cybercrime 359

Krebs on Security

AUGUST 1, 2018

What’s interesting about the incident is that it showcases once again why relying on mobile text messages (SMS) for two-factor authentication (2FA) can lull companies and end users into a false sense of security. APP-BASED AUTHENTICATION. “We point this out to encourage everyone here to move to token-based 2FA.”

Authentication 238

Authentication Mobile Passwords Accountability 238

Krebs on Security

NOVEMBER 11, 2023

In the summer of 2022, KrebsOnSecurity documented the plight of several readers who had their accounts at big-three consumer credit reporting bureau Experian hijacked after identity thieves simply re-registered the accounts using a different email address. So once again I sought to re-register as myself at Experian.

Accountability 351

Accountability Authentication Passwords Identity Theft 351

Krebs on Security

APRIL 26, 2021

In 2017, KrebsOnSecurity showed how easy it is for identity thieves to undo a consumer’s request to freeze their credit file at Experian , one of the big three consumer credit bureaus in the United States. ” CreditLock users can both enable multifactor authentication and get alerts when someone tries to access their account.

Authentication 357

Authentication Accountability Identity Theft Account Security 357

Krebs on Security

JULY 10, 2022

Twice in the past month KrebsOnSecurity has heard from readers who’ve had their accounts at big-three credit bureau Experian hacked and updated with a new email address that wasn’t theirs. In both cases the readers used password managers to select strong, unique passwords for their Experian accounts.

Accountability 350

Accountability Passwords Authentication Password Management 350

Krebs on Security

JULY 23, 2018

Google has not had any of its 85,000+ employees successfully phished on their work-related accounts since early 2017, when it began requiring all employees to use physical Security Keys in place of passwords and one-time codes, the company told KrebsOnSecurity. A YubiKey Security Key made by Yubico. a mobile device). a mobile device).

Phishing 252

Phishing Authentication Mobile Passwords 252

Krebs on Security

MARCH 8, 2019

Unfortunately, if you don’t already have an account at the credit bureau’s new myEquifax portal , it may be simple for identity thieves to lift an existing credit freeze at Equifax and bypass the PIN armed with little more than your, name, Social Security number and birthday. Getting an account at myequifax.com was easy.

Accountability 279

Accountability Identity Theft Authentication Passwords 279

Krebs on Security

JULY 1, 2021

Equifax’s 2017 megabreach that exposed the personal and financial details of 145.5 million Americans may have shocked the public, but it did little to stop more than a million employers from continuing to sell Equifax their employee payroll data, Bloomberg found in late 2017. Intuit’s FAQ on the changes is here.

Small Business 362

Small Business Financial Services Government Media 362

Krebs on Security

APRIL 11, 2019

Google this week made it easier for Android users to enable strong 2-factor authentication (2FA) when logging into Google’s various services. and higher can now be used as Security Keys , an additional authentication layer that helps thwart phishing sites and password theft. a one-time token, key fob or mobile device).

Mobile 277

Mobile Authentication Passwords Accountability 277

Krebs on Security

AUGUST 12, 2020

Several stories here have highlighted the importance of creating accounts online tied to your various identity, financial and communications services before identity thieves do it for you. ” In short, although you may not be required to create online accounts to manage your affairs at your ISP, the U.S. .”

Accountability 361

Accountability Mobile Banking Passwords 361

Security Affairs

DECEMBER 19, 2020

The two techniques reported in the NSA’s advisory are related to the possibility to forge Security Assertion Markup Language (SAML) tokens used single sign-on (SSO) authentication processes. Using the private keys, the actors then forge trusted authentication tokens to access cloud resources.” ” continues the alert.

Authentication 145

Authentication Hacking Government Accountability 145

Krebs on Security

JANUARY 19, 2022

If you created an online account to manage your tax records with the U.S. account and share the experience here. account). prompts users to choose a multi-factor authentication (MFA) option. even mention the need to lift or thaw that security freeze to complete the authentication process. After confirmation, ID.me

Mobile 364

Mobile Accountability Insurance Government 364

Krebs on Security

FEBRUARY 26, 2023

The general manager of Escrow.com found himself on the phone with one of the GoDaddy hackers, after someone who claimed they worked at GoDaddy called and said they needed him to authorize some changes to the account. “He was literally reading off the tickets to the notes of the admin panel inside GoDaddy.”

Hacking 346

Hacking Social Engineering Phishing Scams 346

Krebs on Security

AUGUST 27, 2019

“On August 20, 2019, we learned from a third party of a data exposure that impacts a subset of customers of our Cloud WAF product who had accounts through September 15, 2017,” wrote Heli Erickson , director of analyst relations at Imperva. Earlier today, Imperva told customers that it learned on Aug.

Cybersecurity 279

Cybersecurity Firewall Passwords Data breaches 279

The Last Watchdog

OCTOBER 15, 2019

Related: The Internet of Things is just getting started The technology to get rid of passwords is readily available; advances in hardware token and biometric authenticators continue apace. The hitch, of course, is that password-enabled account logins are too deeply engrained in legacy network infrastructure.

Authentication 164

Authentication Passwords Data breaches Internet 164

Security Affairs

JULY 2, 2019

US Cyber Command posted on Twitter an alert about cyber attacks exploiting the CVE-2017-11774 vulnerability in Outlook. Yesterday I was using Twitter when I noticed the following alert issued by the account managed by the US Cyber Command : USCYBERCOM has discovered active malicious use of CVE-2017-11774 and recommends immediate #patching.

Energy and Utilities 110

Energy and Utilities Malware InfoSec Advertising 110

Security Affairs

FEBRUARY 17, 2020

The popular hacker group OurMine has hacked the official Twitter account of the FC Barcelona, along with the accounts of Olympics and the International Olympic Committee (IOC). The popular hacker group has hacked the official Twitter account of the FC Barcelona, along with the accounts of and the International Olympic Committee (IOC).

Accountability 133

Accountability Hacking Advertising Media 133

Krebs on Security

AUGUST 19, 2020

According to interviews with several sources, this hybrid phishing gang has a remarkably high success rate, and operates primarily through paid requests or “bounties,” where customers seeking access to specific companies or accounts can hire them to target employees working remotely at home.

Phishing 364

Phishing VPN Social Engineering Accountability 364

Krebs on Security

AUGUST 12, 2018

The perpetrators also alter account balances and security measures to make an unlimited amount of money available at the time of the transactions, allowing for large amounts of cash to be quickly removed from the ATM. “At a pre-determined time, the co-conspirators withdraw account funds from ATMs using these cards.”

Banking 238

Banking Accountability Phishing Authentication 238

Krebs on Security

FEBRUARY 12, 2019

11, when the company’s Twitter account started fielding reports from users who said they were no longer receiving messages. VFEmail’s Twitter account responded that “external facing systems, of differing OS’s and remote authentication, in multiple data centers are down.” Just attack and destroy.”

Hacking 279

Hacking DDOS Backups Accountability 279

Krebs on Security

JANUARY 9, 2023

Wyden’s quote above references a story published here in July 2022, which broke the news that identity thieves were hijacking consumer accounts at Experian.com just by signing up as them at Experian once more, supplying the target’s static, personal information (name, DoB/SSN, address) but a different email address. ” Sen.

Identity Theft 359

Identity Theft Accountability Authentication Web Fraud 359

Adam Levin

DECEMBER 18, 2018

The report issued by the Inspector General’s office details several basic lapses in security protocols at five separate locations, including: A lack of multifactor authentication to access BMDS technical information. Known and unpatched network vulnerabilities dating back as far as 1990. No physical locks on server racks.

Risk 199

Risk Cybersecurity Surveillance Government 199

Krebs on Security

JANUARY 7, 2020

Late last year saw the re-emergence of a nasty phishing tactic that allows the attacker to gain full access to a user’s data stored in the cloud without actually stealing the account password. The phishing lure starts with a link that leads to the real login page for a cloud email and/or file storage service. com sometime around Dec.

Phishing 308

Phishing Passwords Accountability Authentication 308

Krebs on Security

AUGUST 25, 2023

Countless websites and online services use SMS text messages for both password resets and multi-factor authentication. For example, many online services require you to provide a phone number upon registering an account, but that number can often be removed from your profile afterwards. Why do I suggest this?

Mobile 245

Mobile Cyber Risk Cryptocurrency Data breaches 245

eSecurity Planet

OCTOBER 5, 2021

Passwords are the most common authentication tool used by enterprises, yet they are notoriously insecure and easily hackable. At this point, multi-factor authentication (MFA) has permeated most applications, becoming a minimum safeguard against attacks. Jump to: What is multi-factor authentication? MFA can be hacked.

Authentication 104

Authentication Passwords Mobile Accountability 104

Malwarebytes

MARCH 22, 2021

Since 2017 desktop users have had the opportunity to use physical security keys to log in to their Facebook accounts. Two-factor authentication (2FA). Authentication factors are commonly divided into three groups: Something you know , such as a password. Most of them use an open authentication standard, called FIDO U2F.

Authentication 109

Authentication Passwords Wireless Accountability 109

Security Affairs

NOVEMBER 3, 2018

Cybercriminals offered for sale private messages from at least 81,000 Facebook accounts claiming of being in possession of data from 120 million accounts. Crooks are offering for sale Criminals are selling the private messages of 81,000 hacked Facebook accounts for 10 cents per account. ” states the BBC.

Accountability 111

Accountability Advertising Cybercrime Hacking 111

Krebs on Security

JUNE 17, 2020

The CIA produced the report in October 2017, roughly seven months after Wikileaks began publishing Vault 7 — reams of classified data detailing the CIA’s capabilities to perform electronic surveillance and cyber warfare. Developing baselines for user and network activity so that deviations from the norm stand out more prominently.

Data breaches 358

Data breaches Security Awareness Surveillance Media 358

The Security Ledger

NOVEMBER 1, 2022

Six decades in, password use has tipped into the absurd, while two-factor authentication is showing its limits. We talk with Matt Salisbury of Honeybadger HQ, which is using AI and machine learning to re-imagine knowledge-based authentication. Imagining the Future of Authentication. AI juices knowledge-based authentication.

Authentication 98

Authentication Passwords Technology Accountability 98

Krebs on Security

JULY 25, 2018

The company just fixed a vulnerability on its site that allowed anyone with a Web browser to index email addresses associated with millions of customer accounts, or to unsubscribe users from all communications from the company. According to LifeLock’s marketing literature as of January 2017, the company has more than 4.5

Identity Theft 201

Identity Theft Consumer Protection Phishing Marketing 201

Security Affairs

NOVEMBER 28, 2020

A credible threat actor is offering access to the email accounts of hundreds of C-level executives for $100 to $1500 per account. Access to the email accounts of hundreds of C-level executives is available on the Exploit.in for $100 to $1500 per account. Exploit.in ” reported ZDNet. Pierluigi Paganini.

Accountability 117

Accountability Cybercrime Hacking Antivirus 117

Troy Hunt

JANUARY 8, 2019

Here's a perfect example of what I'm talking about, this one eventually triggering an email to me just last week: Let's imagine you're the first person on the list; you get a notification from HIBP, you check out the paste and see your Hotmail account listed there alongside your Spotify password and the plan you're subscribed to.

Hacking 263

Hacking Passwords Accountability Data breaches 263

Security Affairs

FEBRUARY 11, 2022

One of the vulnerabilities is an elevation of privilege vulnerability in Microsoft Windows SAM (Security Accounts Manager) vulnerability. “An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.An ” reads the advisory published by Microsoft.

IoT 140

IoT Accountability Authentication Hacking 140

The Last Watchdog

AUGUST 18, 2021

billion in 2017; Avast acquired AVG for $1.3 There are simple steps consumers can take today, for free, to lower their overall risk of a cyber attack, including using multi-factor authentication for their accounts and using strong passwords. A lot of water has flowed under the bridge since then. billion in 2016, for instance.

Antivirus 223

Antivirus Marketing Identity Theft Social Engineering 223