Schneier on Security

DECEMBER 15, 2020

This is interesting : Toward the end of the second incident that Volexity worked involving Dark Halo, the actor was observed accessing the e-mail account of a user via OWA. Logs from the Exchange server showed that the attacker provided username and password authentication like normal but were not challenged for a second factor through Duo.

Authentication 331

Authentication Passwords Accountability Network Security 331

Security Boulevard

APRIL 12, 2021

Earlier this month, our team wrote about the latest Facebook data breach and offered suggestions on how to improve your account security. Let's now walk through the steps you can take to enable two-factor authentication on your accounts.

Authentication 124

Authentication Accountability Data breaches Account Security 124

Security Affairs

APRIL 12, 2024

Roku announced that 576,000 accounts were compromised in a new wave of credential stuffing attacks. Roku announced that 576,000 accounts were hacked in new credential stuffing attacks, threat actors used credentials stolen from third-party platforms. Then, they enter those accounts to abuse permissions, siphoning out data, or both.

Accountability 108

Accountability Passwords Data breaches Authentication 108

Bleeping Computer

MARCH 25, 2024

Cybercriminals have been increasingly using a new phishing-as-a-service (PhaaS) platform named 'Tycoon 2FA' to target Microsoft 365 and Gmail accounts and bypass two-factor authentication (2FA) protection. [.]

Phishing 143

Phishing Accountability Authentication 143

Security Affairs

MAY 30, 2023

PyPI is going to enforce two-factor authentication (2FA) for all project maintainers by the end of this year over security concerns. Due to security concerns, PyPI will be mandating the use of two-factor authentication (2FA) for all project maintainers by the end of this year. ” reads the announcement.

Authentication 85

Authentication Accountability Hacking Malware 85

Security Affairs

SEPTEMBER 15, 2021

Microsoft announced that users can access their consumer accounts without providing passwords and using more secure authentication methods. Microsoft says the feature will be rolled out over the coming weeks, it already provides passwordless methods to enterprise users since March 2021, and plans to roll out it for Azure AD accounts.

Authentication 96

Authentication Accountability Passwords Phishing 96

Malwarebytes

JANUARY 11, 2024

Hackers have found a way to gain unauthorized access to Google accounts, bypassing any multi-factor authentication (MFA) the user may have set up. To do this they steal authentication cookies and then extend their lifespan. It doesn’t even help if the owner of the account changes their password. Go to your Google Account.

Accountability 145

Accountability Authentication Passwords Malware 145

Schneier on Security

DECEMBER 18, 2020

The NSA has published an advisory outlining how “malicious cyber actors” are “are manipulating trust in federated authentication environments to access protected data in the cloud.” From the summary : Malicious cyberactors are abusing trust in federated authentication environments to access protected data.

Authentication 357

Authentication Hacking Accountability Cybersecurity 357

Bleeping Computer

DECEMBER 29, 2023

Multiple information-stealing malware families are abusing an undocumented Google OAuth endpoint named "MultiLogin" to restore expired authentication cookies and log into users' accounts, even if an account's password was reset. [.]

Accountability 141

Accountability Malware Authentication Passwords 141

Heimadal Security

AUGUST 13, 2021

According to the cloud-based hosting service provider GitHub, as of August 13th, 2021, account passwords are no longer accepted for validating Git operations. The announcement is not new as in July 2020 GitHub declared that all authenticated Git operations will necessitate the use of a private access token, OAuth token, or SSH key.

Authentication 118

Authentication Passwords Accountability Cybersecurity 118

Bleeping Computer

NOVEMBER 7, 2023

Microsoft has introduced a new protective feature in the Authenticator app to block notifications that appear suspicious based on specific checks performed during the account login stage. [.]

Authentication 136

Authentication Accountability 136

Tech Republic Security

NOVEMBER 16, 2020

Follow these steps to better protect your Zoom account with a second layer of authentication.

Authentication 163

Authentication Accountability 163

Graham Cluley

MARCH 27, 2024

Hardware wallet manufacturer Trezor has explained how its Twitter account was compromised - despite it having sensible security precautions in place, such as strong passwords and multi-factor authentication. Read more in my article on the Hot for Security blog.

Accountability 111

Accountability Cryptocurrency Manufacturing Authentication 111

Bleeping Computer

AUGUST 12, 2021

GitHub has announced today that account passwords will no longer be accepted for authenticating Git operations starting tomorrow. [.].

Authentication 113

Authentication Passwords Accountability 113

The Hacker News

FEBRUARY 15, 2024

Cybersecurity and Infrastructure Security Agency (CISA) has revealed that an unnamed state government organization's network environment was compromised via an administrator account belonging to a former employee.

Government 123

Government Accountability VPN Authentication 123

Security Boulevard

OCTOBER 2, 2021

October is Cybersecurity Awareness Month so in this episode we discuss multi-factor authentication and the use of authenticator apps. Multi-factor authentication is one of the most important things that you can enable to secure your online accounts but its unfortunately overlooked by most people.

Authentication 121

Authentication Accountability Cybersecurity 121

Security Boulevard

AUGUST 21, 2022

The post Multi-Factor Authentication Fatigue Attack, Signal Account Twilio Hack, Facebook and Instagram In-App Browser appeared first on The Shared Security Show. The post Multi-Factor Authentication Fatigue Attack, Signal Account Twilio Hack, Facebook and Instagram In-App Browser appeared first on The Shared Security Show.

Authentication 98

Authentication Accountability Hacking Ransomware 98

The Last Watchdog

MAY 24, 2022

Perhaps not coincidently, it comes at a time when enterprises have begun adopting passwordless authentication systems in mission-critical parts of their internal operations. Fortifications, such as multi-factor authentication (MFA) and password managers, proved to be mere speed bumps. Our brains just won’t do it.”. Coming advances.

Authentication 292

Authentication Passwords Banking Digital transformation 292

Malwarebytes

JANUARY 10, 2024

We have seen several high-profile accounts that were taken over on X (formerly Twitter) only to be used for cryptocurrency related promotional activities, like expressing the approval of exchange-traded funds (ETFs). The @SECGov X account was compromised, and an unauthorized post was posted. .” You’re all set.

Accountability 95

Accountability Scams Hacking Cryptocurrency 95

Tech Republic Security

MARCH 9, 2023

Over the next nine months, the largest internet hosting service for software development and collaboration will make all code contributors add another layer of electronic evidence to their accounts. The post GitHub rolling out two-factor authentication to millions of users appeared first on TechRepublic.

Authentication 147

Authentication Internet Internet Software 147

Malwarebytes

FEBRUARY 29, 2024

A vulnerability in Facebook could have allowed an attacker to take over a Facebook account without the victim needing to click on anything at all. In his search for an account takeover vulnerability, the four times Meta Whitehat award receiver started by looking at the uninstall and reinstall process on Android. There was one caveat.

Accountability 125

Accountability Passwords Authentication Risk 125

The Last Watchdog

FEBRUARY 3, 2022

I currently have over 450 accounts that use passwords combined with a variety of two-factor authentication methods. Related: How the Fido Alliance enables password-less authentication. Only a dozen or so of my accounts get authenticated via self-hosted services. the address book web app). Scale to come.

Authentication 212

Authentication Passwords Accountability Technology 212

Security Boulevard

OCTOBER 25, 2023

Security flaws in the implementation of the OAuth authentication standard left hundreds of millions of users to at least three popular online sites exposed to possible account takeover by bad actors, according to researchers at Salt Security.

Accountability 117

Accountability Authentication Mobile Cybersecurity 117

The Hacker News

JANUARY 18, 2022

Cybersecurity researchers have disclosed details of a now-patched bug in Box's multi-factor authentication (MFA) mechanism that could be abused to completely sidestep SMS-based login verification.

Authentication 99

Authentication Accountability Cybersecurity 99

The Last Watchdog

JULY 24, 2023

Not only are passwords vulnerable to brute force attacks, but they can also be easily forgotten and reused across multiple accounts. The next big thing is passwordless authentication. First and foremost, most solutions rely on connected devices like mobile phones to authenticate users. They are simply not good enough.

Authentication 202

Authentication Passwords Phishing Social Engineering 202

Malwarebytes

NOVEMBER 7, 2023

After 1Password, BeyondTrust, and Cloudflare detected unauthorized log-in attempts to their in-house Okta administrator accounts, they reported the incidents to Okta who started an investigation. To gain access to that service account, the attacker compromised an Okta employee. Enable two-factor authentication (2FA).

Accountability 127

Accountability Passwords Data breaches Phishing 127

Security Boulevard

MARCH 29, 2023

Customer identity and access management (CIAM) is a major cybersecurity component of any company that maintains customer accounts. Online fraud and authentication attack attempts have grown significantly in the past several years, with attackers increasingly turning their attention to customers rather than companies.

Authentication 105

Authentication Accountability Cybersecurity 105

The Last Watchdog

MAY 26, 2020

Doing authentication well is vital for any company in the throes of digital transformation. Related: Locking down ‘machine identities’ At the moment, companies are being confronted with a two-pronged friction challenge, when it comes to authentication. LW: Can you frame the separate issue of securing service accounts?

Authentication 218

Authentication Cloud Migration Accountability Digital transformation 218

Malwarebytes

FEBRUARY 19, 2024

An attacker managed to compromise network administrator credentials through the account of a former employee of the organization. CISA suspects that the account details fell in the hands of the attacker through a data breach. CISA suspects that the account details fell in the hands of the attacker through a data breach.

Accountability 78

Accountability VPN Authentication Phishing 78

Troy Hunt

OCTOBER 2, 2020

The vulnerability allow an attacker to hijack any account. I asked for technical detail so I could validated the authenticity of his claim and the info duly arrived. On a surface of it, things looked bad: complete account takeover with a very trivial attack. Full account takeover.

Accountability 363

Accountability Hacking Passwords InfoSec 363

Malwarebytes

JANUARY 16, 2024

The vulnerability allows a successful attacker to easily take over users’ accounts without any interaction. in which user account password reset emails could be delivered to an unverified email address. GitLab supports as a second factor of authentication: Time-based one-time passwords (TOTP). prior to 16.1.6, before 16.7.2,

Accountability 112

Accountability Passwords Authentication Password Management 112

Bleeping Computer

JUNE 20, 2023

Microsoft has addressed an Azure Active Directory (Azure AD) authentication flaw that could allow threat actors to escalate privileges and potentially fully take over the target's account. [.]

Accountability 134

Accountability Authentication 134

Bleeping Computer

OCTOBER 5, 2023

Amazon will require all privileged AWS (Amazon Web Services) accounts to use multi-factor authentication (MFA) for stronger protection against account hijacks leading to data breaches, starting in mid-2024. [.]

Accountability 120

Accountability Data breaches Authentication Technology 120

Malwarebytes

OCTOBER 6, 2023

Recently, Amazon announced that it will require all privileged Amazon Web Services (AWS) accounts to use multi-factor authentication (MFA) , starting in mid-2024. Our regular readers will know that we feel that passwords alone are not adequate protection , especially not for your important accounts. Get a free trial below.

Authentication 128

Authentication Passwords Social Engineering Accountability 128

Adam Levin

OCTOBER 8, 2019

The FBI is warning businesses about a new series of cyberattacks that can circumvent multi-factor authentication (MFA). In a Private Industry Notification (PIN), the FBI warned businesses that “cyber actors” had been observed, “circumventing multi-factor authentication through common social engineering and technical attacks.”

Authentication 210

Authentication Cyber Attacks Social Engineering Engineering 210

Krebs on Security

FEBRUARY 4, 2021

Facebook, Instagram , TikTok , and Twitter this week all took steps to crack down on users involved in trafficking hijacked user accounts across their platforms. Facebook said it targeted a number of accounts tied to key sellers on OGUsers, as well as those who advertise the ability to broker stolen account sales. THE MIDDLEMEN.

Accountability 291

Accountability Hacking Media Mobile 291

Security Boulevard

MARCH 28, 2024

The post Apple OTP FAIL: ‘MFA Bomb’ Warning — Locks Accounts, Wipes iPhones appeared first on Security Boulevard. Rethink different: First, fatigue frightened users with multiple modal nighttime notifications. Next, call and pretend to be Apple support.

Accountability 132

Accountability Social Engineering Authentication Data privacy 132