Security Affairs

JANUARY 24, 2024

Thousands of GitLab servers are vulnerable to zero-click account takeover attacks exploiting the flaw CVE-2023-7028. GitLab has recently released security updates to address two critical vulnerabilities impacting both the Community and Enterprise Edition. The flaw can be exploited to hijack an account without any interaction.

Accountability 132

Accountability Passwords Internet Internet 132

Security Affairs

OCTOBER 18, 2023

A vulnerability in Synology DiskStation Manager ( DSM ) could be exploited to decipher an administrator’s password. The issue resides in the insecure Javascript Math.random() function that is used to generate the administrator’s password for the NAS device. ” reads the advisory published by the company.

Accountability 124

Accountability Passwords Hacking Internet 124

Security Affairs

JANUARY 13, 2024

GitLab addressed two critical flaws impacting both the Community and Enterprise Edition, including a critical zero-click account hijacking vulnerability GitLab has released security updates to address two critical vulnerabilities impacting both the Community and Enterprise Edition. prior to 16.1.6, prior to 16.2.9, prior to 16.3.7,

Accountability 119

Accountability Passwords Hacking Information Security 119

Security Boulevard

FEBRUARY 5, 2023

The attacks on password managers and their users continue as Bitwarden and 1Password users have reported seeing paid ads for phishing sites in Google search results for the official login page of the password management vendors.

Password Management 98

Password Management Passwords Accountability Phishing 98

Security Affairs

MARCH 2, 2023

Compromised customers’ data include full names, home addresses, email addresses, plaintext passwords, and telephone numbers. The popular data breach notification service HaveIBeenPwned reported that the hack took place in December and impacted 565k user accounts, it also added that 83% of the records were already in HIBP database.

Accountability 83

Accountability Hacking Data breaches Passwords 83

Security Affairs

APRIL 14, 2020

Quidd , the online marketplace for trading stickers, cards, toys, and other collectibles, discloses a data breach in has suffered in 2019, it is also recommending users to change their passwords. The data breach was first reported by Risk Based Security last week, since then, Quidd has never disclosed any data breach recent security incident.

Accountability 140

Accountability Hacking Data breaches Passwords 140

Security Affairs

AUGUST 17, 2020

The Treasury Board of Canada Secretariat confirmed that thousands of user accounts for online Canadian government services were recently hacked. According to a press release issued by the Treasury Board of Canada Secretariat, thousands of user accounts for online government services were recently hacked.

Government 135

Government Accountability Hacking Advertising 135

Security Affairs

NOVEMBER 15, 2020

million Pluto TV user accounts on a hacking forum for free, he claims they were stolen by ShinyHunters threat actor. million Pluto TV user records, he also added that the service was hacked by ShinyHunters. SecurityAffairs – hacking, ShinyHunters). The post ShinyHunters hacked Pluto TV service, 3.2M

Accountability 101

Accountability Hacking Data breaches Passwords 101

Krebs on Security

JULY 18, 2023

[This is Part III in a series on research conducted for a recent Hulu documentary on the 2015 hack of marital infidelity website AshleyMadison.com.] com , a service that sold access to billions of passwords and other data exposed in countless data breaches. An administrator account Xerx3s on Abusewithus. Abusewith[.]us

Hacking 190

Hacking Accountability Data breaches Marketing 190

Security Affairs

JANUARY 4, 2024

An internet outage impacted Orange Spain after a hacker gained access to the company’s RIPE account to misconfigure BGP routing. The hacker, who uses the moniker ‘Snow’, gained access to the RIPE account of Orange Spain and misconfigured the BGP routing causing an internet outage. I have fixed your RIPE admin account security.

Internet 113

Internet Internet Accountability Passwords 113

Security Affairs

JANUARY 7, 2022

million accounts. Threat actors compromised the FlexBooker accounts of more than 3.7 The threat actors claim the stolen database contains customer information, including names, emails, phone numbers, hashed passwords, and password salt. million accounts. SecurityAffairs – hacking, IKEA).

Data breaches 138

Data breaches Accountability Passwords Cybercrime 138

Security Affairs

AUGUST 24, 2022

The streaming media platform Plex is urging its users to reset passwords after threat actors gained access to its database. Exposed data includes emails, usernames, and encrypted passwords. The company is urging all users to immediately reset account passwords and log out of all devices connected to its service.

Data breaches 111

Data breaches Passwords Media Accountability 111

Security Affairs

MAY 6, 2020

Hackers have breached the online learning platform Unacademy and are selling the account information for close to 22 million users. Online learning platform Unacademy has suffered a data breach after a hacker gained access to their database and started selling the account information for close to 22 million users.

Accountability 103

Accountability Hacking Data breaches Advertising 103

Security Affairs

JANUARY 29, 2024

A flaw in Microsoft Outlook can be exploited to access NTLM v2 hashed passwords by tricking users into opening a specially crafted file. The vulnerability CVE-2023-35636 impacting Microsoft Outlook is a Microsoft Outlook information disclosure issue that could be exploited by threat actors to access NT LAN Manager (NTLM) v2 hashed passwords.

Passwords 117

Passwords Authentication Hacking Accountability 117

Security Affairs

MAY 29, 2021

The FBI is going to share compromised passwords discovered during investigations with Have I Been Pwned (HIBP)’s ‘Pwned Passwords’ service. The Pwned Passwords service allows users to search for known compromised passwords and discover how many times they have been found in past data breaches.

Passwords 113

Passwords Data breaches Cybercrime Hacking 113

Security Affairs

NOVEMBER 1, 2020

A threat actor is offering for sale account databases containing an aggregate total of 34 million user records stolen from 17 companies. A data breach broker is selling account databases containing a total of 34 million user records stolen from 17 companies. SecurityAffairs – hacking, account databases). million (8.1

Data breaches 145

Data breaches Accountability Advertising Passwords 145

Security Affairs

MAY 3, 2023

Google announced the introduction of the passwordless secure sign-in with Passkeys for Google Accounts on all platforms. Google is rolling out the passwordless secure sign-in with Passkeys for Google Accounts on all platforms. ” reads the announcement published by the company. face recognition, fingerprints).

Accountability 94

Accountability Passwords Password Management Phishing 94

Security Affairs

APRIL 30, 2023

Threat actors are gaining access to AT&T email accounts in an attempt to hack into the victim’s cryptocurrency exchange accounts. Some users with AT&T email addresses wrote on Reddit that they have been hacked, and some of them claim they had the same issue for months.

Cryptocurrency 79

Cryptocurrency Accountability Passwords Hacking 79

Security Affairs

DECEMBER 10, 2019

Microsoft revealed that 44 million Microsoft Azure AD and Microsoft Services accounts were vulnerable to account hijacking. Microsoft discovered that 44 million Microsoft Azure AD and Microsoft Services accounts were vulnerable to account hijacking because of using of compromised passwords. Pierluigi Paganini.

Accountability 82

Accountability Hacking Passwords Advertising 82

Security Affairs

NOVEMBER 20, 2021

The annual study on top-used passwords published by Nordpass revealed that we are still using weak credentials that expose us to serious risks. Nordpass has published its annual report, titled “Top 200 most common passwords,” on the use of passwords. The report shows that we are still using weak passwords.

Passwords 107

Passwords Password Management Data breaches Authentication 107

Security Affairs

JANUARY 6, 2022

million of their customers have had their user accounts compromised in credential stuffing attacks. million accounts of their customers were compromised in credential stuffing attacks. This kind of attacks is very efficient due to the bad habit of users of reusing the same password over multiple services. Every company did so.”

Accountability 131

Accountability Retail Passwords Data breaches 131

Security Affairs

SEPTEMBER 25, 2022

For users with TOTP-based two-factor authentication (2FA) enabled, the phishing site also relays any TOTP codes to the threat actor and GitHub in real time, allowing the threat actor to break into accounts protected by TOTP-based 2FA. Accounts protected by hardware security keys are not vulnerable to this attack.”

Accountability 108

Accountability Phishing Authentication Passwords 108

Security Affairs

SEPTEMBER 15, 2021

Microsoft announced that users can access their consumer accounts without providing passwords and using more secure authentication methods. “One of our recent surveys found that 15 percent of people use their pets’ names for password inspiration. . SecurityAffairs – hacking, passwordless authentication).

Authentication 100

Authentication Accountability Passwords Phishing 100

Security Affairs

AUGUST 22, 2023

While the leaked information highlights Belcan’s commitment to information security through the implementation of penetration tests and audits, attackers could exploit the lapse in leaving the tests’ results open, together with admin credentials hashed with bcrypt.

Passwords 84

Passwords Penetration Testing Engineering Manufacturing 84

Security Affairs

JANUARY 19, 2022

A vulnerability in the implementation of multi-factor authentication (MFA) for Box allowed threat actors to take over accounts. A vulnerability in the implementation of multi-factor authentication (MFA) for Box allowed attackers to take over accounts without having access to the victim’s phone, Varonis researchers reported.

Accountability 117

Accountability Authentication Passwords Data breaches 117

SecureList

AUGUST 14, 2023

Another tactic, popular with scammers big and small, phishers included, is hacking websites and placing malicious content on those, rather than registering new domains. Besides tucking a phishing page inside the website they hack, scammers can steal all of the data on the server and completely disrupt the site’s operation.

Phishing 74

Phishing Hacking Banking Scams 74

Security Affairs

JULY 3, 2023

Microsoft denied the data breach after the collective of hacktivists known as Anonymous Sudan claimed to have hacked the company. However, Anonymous Sudan has announced to have stolen credentials for 30 million customer accounts. BleepingComputer requested a comment from the company that denied any data breach claims.

Accountability 89

Accountability DDOS Data breaches Hacking 89

Security Affairs

NOVEMBER 17, 2023

Toyota Financial Services discloses unauthorized activity on systems after the Medusa ransomware gang claimed to have hacked the company. Medusa Toyota has set the deadline for November 26 and has published a sample of the stolen data as proof of the hack.

Financial Services 125

Financial Services Hacking Ransomware Data breaches 125

Security Affairs

AUGUST 6, 2022

Slack is resetting passwords for approximately 0.5% of its users after a bug exposed salted password hashes when users created or revoked a shared invitation link for their workspace. Slack announced that it is resetting passwords for about 0.5% SecurityAffairs – hacking, Slack). Pierluigi Paganini.

Passwords 93

Passwords Password Management Antivirus Encryption 93

Security Affairs

MAY 2, 2024

Cybersecurity and Infrastructure Security Agency (CISA) added a GitLab Community and Enterprise Editions improper access control vulnerability to its Known Exploited Vulnerabilities (KEV) catalog. The issue, tracked as CVE-2023-7028 (CVSS score: 10.0), is an account takeover via Password Reset. prior to 16.1.6, prior to 16.2.9,

Passwords 119

Passwords Accountability Hacking Risk 119

Security Affairs

APRIL 2, 2022

GitLab has addressed a critical vulnerability, tracked as CVE-2022-1162 (CVSS score of 9.1), that could allow remote attackers to take over user accounts. The CVE-2022-1162 vulnerability is related to the set of hardcoded static passwords during OmniAuth-based registration in GitLab CE/EE. SecurityAffairs – hacking, CVE-2022-1162 ).

Accountability 100

Accountability Passwords Hacking Information Security 100

Security Affairs

JANUARY 18, 2021

The attack took place on Saturday, around 04:00 (GMT), when threat actors compromised an administrator account and downloaded a copy of the list of users. “Around 0400 GMT on 16 Jan 2021, an administrator account on the OpenWrt forum ( [link] ) was breached. SecurityAffairs – hacking, data breach). Pierluigi Paganini.

Hacking 131

Hacking Data breaches Passwords Accountability 131

Security Affairs

JULY 21, 2019

The airline company WizzAir informed its customers that it had reset the account passwords due to a technical issue in the system. The airline company WizzAir had reset the account passwords of its users due to a technical issue in its system. Fortunately, it seems that the company was not hacked.

Passwords 75

Passwords Accountability Advertising Hacking 75

Security Affairs

JULY 3, 2023

The malware also targets crypto wallet extensions, password managers, and 2FA extensions. The malware also collects a variety of data, including system info, browser info, password manager info, miner related registry info, and installed games info. The malware admin declared that their operations do not involve any ransom activities.

Password Management 84

Password Management Passwords Malware Antivirus 84

Security Affairs

DECEMBER 5, 2023

Microsoft warns that the Russia-linked APT28 group is actively exploiting the CVE-2023-23397 Outlook flaw to hijack Microsoft Exchange accounts. Follow me on Twitter: @securityaffairs and Facebook and Mastodon Pierluigi Paganini ( SecurityAffairs – hacking, APT28) ” reads trhe announcement published by DKWOC.

Accountability 108

Accountability Government Phishing Authentication 108

Security Affairs

DECEMBER 31, 2021

The Have I Been Pwned data breach notification service now includes credentials for 441K accounts that were stolen by RedLine malware. The service now includes credentials for 441K accounts stolen by the popular info-stealer. The data included usernames, email addresses and plain text passwords.” Pierluigi Paganini.

Accountability 134

Accountability Malware Data breaches Passwords 134

Security Affairs

JULY 15, 2022

Threat actors behind the campaign used multiple accounts across several social media platforms to advertise password-cracking software for Programmable Logic Controller (PLC), Human-Machine Interface (HMI), and project files. The password cracking software also acts as a dropper for the Sality P2P bot. Pierluigi Paganini.

Passwords 115

Passwords Software Firmware Malware 115