Troy Hunt

AUGUST 3, 2022

So, earlier this year I created Password Purgatory with the singular goal of putting spammers through the hellscape that is attempting to satisfy really nasty password complexity criteria. I opened-sourced it, took a bunch of PRs, built out the API to present increasingly inane password complexity criteria then left it at that.

Passwords 363

Passwords Accountability 363

Krebs on Security

MARCH 26, 2024

Several Apple customers recently reported being targeted in elaborate phishing attacks that involve what appears to be a bug in Apple’s password reset feature. “It was like this system notification from Apple to approve [a reset of the account password], but I couldn’t do anything else with my phone.

Passwords 345

Passwords Accountability Engineering Phishing 345

Bleeping Computer

NOVEMBER 23, 2022

At least 34 distinct Russian-speaking cybercrime groups using info-stealing malware like Raccoon and Redline have collectively stolen 50,350,000 account passwords from over 896,000 individual infections from January to July 2022. [.].

Passwords 118

Passwords Cybercrime Accountability Malware 118

SecureWorld News

JUNE 21, 2023

Cybersecurity firm Group-IB recently uncovered a significant security breach involving ChatGPT accounts. These compromised accounts pose a serious risk to businesses, especially in the Asia-Pacific region, which has experienced the highest concentration of ChatGPT credentials for sale.

Accountability 121

Accountability Data collection Cyber threats Cybersecurity 121

The Hacker News

DECEMBER 22, 2022

The August 2022 security breach of LastPass may have been more severe than previously disclosed by the company. Also stolen is "basic customer account

Passwords 99

Passwords Encryption Data breaches Password Management 99

Hacker Combat

JULY 25, 2022

When activated on the impacted products, Questions for Confluence generates a user account with the username disabledsystemuser and a hardcoded password. This security flaw is tracked as CVE-2022-26138. The user account has access to all non-restricted sites in Confluence because it has been added to the confluence-users group.

Passwords 109

Passwords Accountability 109

Troy Hunt

AUGUST 30, 2023

Data accumulated by the malicious activity spanned from October 2022 until just last week.

Phishing 339

Phishing Password Management Passwords Banking 339

Security Affairs

MAY 3, 2023

Google announced the introduction of the passwordless secure sign-in with Passkeys for Google Accounts on all platforms. Google is rolling out the passwordless secure sign-in with Passkeys for Google Accounts on all platforms. In 2022, Google announced it would begin work to support passkeys on its platform to replace passwords.

Accountability 92

Accountability Passwords Password Management Phishing 92

SecureList

DECEMBER 19, 2022

The first one, later identified as CVE-2022-41040, is a server-side request forgery (SSRF) vulnerability that allows an authenticated attacker to remotely trigger the next vulnerability – CVE-2022-41082. After CVE-2022-41040 and CVE-2022-41082 were revealed, Microsoft provided mitigation guidance followed by a few updates.

Malware 140

Malware Passwords Authentication Internet 140

Security Affairs

JANUARY 29, 2024

A flaw in Microsoft Outlook can be exploited to access NTLM v2 hashed passwords by tricking users into opening a specially crafted file. The vulnerability CVE-2023-35636 impacting Microsoft Outlook is a Microsoft Outlook information disclosure issue that could be exploited by threat actors to access NT LAN Manager (NTLM) v2 hashed passwords.

Passwords 114

Passwords Authentication Hacking Accountability 114

Security Affairs

AUGUST 6, 2022

Slack is resetting passwords for approximately 0.5% of its users after a bug exposed salted password hashes when users created or revoked a shared invitation link for their workspace. Slack announced that it is resetting passwords for about 0.5% The post Slack resets passwords for about 0.5% Pierluigi Paganini.

Passwords 91

Passwords Password Management Antivirus Encryption 91

SecureList

MAY 16, 2023

Download the full version of the report (PDF) Kaspersky Incident Response in various regions and industries In 2022, 45.9% Key trends in 2022: initial attack vectors and impact In 2022, attackers most often penetrated organizations’ infrastructure by exploiting various vulnerabilities in public-facing applications (42.9%).

Ransomware 108

Ransomware Encryption Security Awareness Authentication 108

Krebs on Security

JANUARY 30, 2024

technology companies during the summer of 2022. stole at least $800,000 from at least five victims between August 2022 and March 2023. 2022 that an intrusion had exposed a “limited number” of Twilio customer accounts through a sophisticated social engineering attack designed to steal employee credentials.

Social Engineering 318

Social Engineering Mobile Cybercrime Passwords 318

Duo's Security Blog

SEPTEMBER 6, 2023

But conventional protection solutions, like password security, fall short when it comes to efficacy. We have a lot of thoughts on passkeys – some of which we’ve shared in other posts in this passkey blog series – and today we’re going to explore how passkeys stack up against passwords from the perspective of cloud platforms.

Passwords 96

Passwords Password Management Authentication Threat Detection 96

The Hacker News

APRIL 1, 2022

DevOps platform GitLab has released software updates to address a critical security vulnerability that, if potentially exploited, could permit an adversary to seize control of accounts. Tracked as CVE-2022-1162, the issue has a CVSS score of 9.1 A hardcoded password was set for accounts registered using an

Accountability 95

Accountability Passwords Software 95

Security Affairs

JULY 15, 2022

Threat actors behind the campaign used multiple accounts across several social media platforms to advertise password-cracking software for Programmable Logic Controller (PLC), Human-Machine Interface (HMI), and project files. The password cracking software also acts as a dropper for the Sality P2P bot. Pierluigi Paganini.

Passwords 113

Passwords Software Firmware Malware 113

Thales Cloud Protection & Licensing

OCTOBER 4, 2022

Cybersecurity Awareness Month: Resilient Multi-factor Authentication (MFA) and Strong Passwords. Tue, 10/04/2022 - 05:20. Use strong passwords. The 2022 Thales Consumer Digital Trust Index data , based on an Opinium survey conducted in 11 countries with more than 21K participants, attempts to answer these questions.

Authentication 127

Authentication Passwords Cybersecurity Data breaches 127

Malwarebytes

MAY 4, 2023

Back in October 2022, I wrote an article called Why (almost) everything we told you about passwords was wrong. Most damningly of all, the vast effort involved in dispensing this advice over decades has generated little discernible improvement in people’s password choices. OK, it’s time for me to keep a promise.

Passwords 98

Passwords Authentication Password Management Accountability 98

Malwarebytes

APRIL 29, 2022

According to Twitter , it’s supposed to let people know “that an account of public interest is authentic.” ” That’s great, so long as the account is authentic, but what if, one day, it suddenly isn’t? pic.twitter.com/cCCLDUUj7y — Kevin Collier (@kevincollier) April 28, 2022.

Accountability 90

Accountability Passwords Scams Authentication 90

SecureList

FEBRUARY 16, 2023

Fake donation sites started popping up after the Ukraine crisis broke out in 2022, pretending to accept money as aid to Ukraine. The pandemic The COVID-19 theme had lost relevance by late 2022 as the pandemic restrictions had been lifted in most countries. “Promotional campaigns by major banks” were a popular bait in 2022.

Phishing 90

Phishing Scams Accountability Energy and Utilities 90

Malwarebytes

JANUARY 20, 2022

The impact so far: almost seven million accounts “breached and ransomed” back in August. New breach: Open Subtitles had almost 7M accounts breached and ransomed in Aug. Data included email and IP addresses, usernames and unsalted MD5 password hashes. Read more: [link] — Have I Been Pwned (@haveibeenpwned) January 19, 2022.

Passwords 80

Passwords Accountability Social Engineering Password Management 80

Schneier on Security

DECEMBER 26, 2022

Last August, LastPass reported a security breach, saying that no customer information—or passwords—were compromised. These encrypted fields remain secured with 256-bit AES encryption and can only be decrypted with a unique encryption key derived from each user’s master password using our Zero Knowledge architecture.

Passwords 271

Passwords Encryption Backups Password Management 271

Security Affairs

JULY 22, 2022

Starting with Windows 11 Microsoft introduce by default an account lockout policy that can block brute force attacks. Starting with Windows 11 Insider Preview build 22528.1000 the OS supports an account lockout policy enabled by default to block brute force attacks. Follow me on Twitter: @securityaffairs and Facebook.

Accountability 92

Accountability Passwords Ransomware Hacking 92

Security Affairs

APRIL 30, 2023

Threat actors are gaining access to AT&T email accounts in an attempt to hack into the victim’s cryptocurrency exchange accounts. Hackers are breaking into the AT&T email accounts and then using the access they are logging into the victim’s cryptocurrency exchange accounts to drain their crypto funds, TechCrunch reported.

Cryptocurrency 77

Cryptocurrency Accountability Passwords Hacking 77

Krebs on Security

SEPTEMBER 13, 2023

In December 2022, KrebsOnSecurity broke the news that a cybercriminal using the handle “ USDoD ” had infiltrated the FBI ‘s vetted information sharing network InfraGard , and was selling the contact information for all 80,000 members.

Cybercrime 286

Cybercrime Passwords Authentication Malware 286

Security Affairs

DECEMBER 5, 2023

Microsoft warns that the Russia-linked APT28 group is actively exploiting the CVE-2023-23397 Outlook flaw to hijack Microsoft Exchange accounts. ” reads trhe announcement published by DKWOC. “Activities using CVE-2023-23397 were first discovered by CERT-UA[2] and publicly described by Microsoft[3].

Accountability 105

Accountability Government Phishing Authentication 105

Security Affairs

MARCH 2, 2023

Compromised customers’ data include full names, home addresses, email addresses, plaintext passwords, and telephone numbers. At the end of 2022, a security researcher discovered the stolen data on an unsecured server belonging to a group of hackers. New breach: GunAuction[.]com 83% were already in @haveibeenpwned.

Accountability 81

Accountability Hacking Data breaches Passwords 81

CyberSecurity Insiders

NOVEMBER 26, 2021

In this article, we’ll focus on what businesses have learned over the past twelve months, and how this can help us to turn 2022 into a safer and more successful year. What to expect from email security threats in 2022? How will remote working affect email security in 2022? How can SMEs prepare for email security threats in 2022?

Digital transformation 119

Digital transformation Phishing Social Engineering Passwords 119

SecureList

SEPTEMBER 6, 2022

According to the analytical agency Newzoo, in 2022, the global gaming market will exceed $ 200 billion , with 3 billion players globally. One of the most outstanding examples involves $2 million ‘s worth of CS:GO skins stolen from a user’s account , which means that losses can get truly grave.

Mobile 96

Mobile Passwords Software Accountability 96

Malwarebytes

AUGUST 11, 2022

Slack, the workplace communication platform, has notified some of its users that their hashed passwords have been subject to exposure for the last five years. The flaw exposed hashed passwords of users when creating or revoking shared invitation links for workspaces. Hashed passwords could still be revered by brute force methods.

Passwords 63

Passwords Accountability Encryption Authentication 63

Malwarebytes

SEPTEMBER 26, 2022

Twitter says it has fixed a bug that meant users weren't logged out of active sessions on all devices after manually resetting their passwords. Writing on its blog , Twitter said: "We want to let you know that we recently fixed a bug that allowed Twitter accounts to stay logged in from multiple devices after a voluntary password reset.

Passwords 61

Passwords Accountability Risk 61

Krebs on Security

FEBRUARY 26, 2023

million customers, including website administrator passwords, sFTP credentials, and private SSL keys; -December 2022: Hackers gained access to and installed malware on GoDaddy’s cPanel hosting servers that “intermittently redirected random customer websites to malicious sites.”

Hacking 268

Hacking Social Engineering Phishing Scams 268

Security Affairs

AUGUST 22, 2023

The company, with reported revenue of $950 million in 2022, is a trusted strategic partner to more than 40 US Federal agencies. In this case, it could take attackers as long as 22 years to crack a very strong admin password. If the password is weaker and susceptible to vocabulary attacks, it could be cracked in just a few days.

Passwords 82

Passwords Penetration Testing Engineering Manufacturing 82

Malwarebytes

JULY 25, 2022

Word is spreading of a compromise claimed to have accessed around 69 million user accounts. Back in 2014, “tens of millions” of Neopets accounts were said to have been traded on underground forums. In 2020, there were claims of ways to potentially gain access to user accounts. Tips to keep your Neopets account safe.

Data breaches 75

Data breaches Accountability Passwords Password Management 75

Krebs on Security

JULY 10, 2022

Twice in the past month KrebsOnSecurity has heard from readers who’ve had their accounts at big-three credit bureau Experian hacked and updated with a new email address that wasn’t theirs. In both cases the readers used password managers to select strong, unique passwords for their Experian accounts.

Accountability 315

Accountability Passwords Authentication Password Management 315

Security Affairs

APRIL 6, 2022

Ukraine’s technical security and intelligence service warns of threat actors targeting aimed at gaining access to users’ Telegram accounts. State Service of Special Communication and Information Protection (SSSCIP) of Ukraine spotted a new wave of cyber attacks aimed at gaining access to users’ Telegram accounts.

Accountability 102

Accountability Phishing Passwords Hacking 102

Security Affairs

MAY 2, 2024

Threat actors breached the Dropbox Sign production environment and accessed customer email addresses and hashed passwords Cloud storage provider DropBox revealed that threat actors have breached the production infrastructure of the DropBox Sign eSignature service and gained access to customer information and authentication data.

Hacking 98

Hacking Authentication Passwords Accountability 98