Krebs on Security

MAY 4, 2021

When normal computer users fall into the nasty habit of recycling passwords, the result is most often some type of financial loss. Our passwords can say a lot about us, and much of what they have to say is unflattering. Interestingly, one of the more common connections involves re-using or recycling passwords across multiple accounts.

Passwords 347

Passwords Security IT Ransomware 347

Krebs on Security

SEPTEMBER 22, 2023

The password manager service LastPass is now forcing some of its users to pick longer master passwords. LastPass says the changes are needed to ensure all customers are protected by their latest security improvements. Nor was he ever forced to improve his master password.

Passwords 304

Passwords Encryption Mining Security 304

Krebs on Security

SEPTEMBER 29, 2021

In February, KrebsOnSecurity wrote about a novel cybercrime service that helped attackers intercept the one-time passwords (OTPs) that many websites require as a second authentication factor in addition to passwords. An ad for the OTP interception service/bot “SMSRanger.”

Passwords 352

Passwords Authentication Phishing Access 352

Krebs on Security

MAY 10, 2021

One financial startup that’s targeting the gig worker market is offering up to $500 to anyone willing to hand over the payroll account username and password given to them by their employer, plus a regular payment for each month afterwards in which those credentials still work. This ad, from workplaceunited[.]com, Image: Argyle.com.

Passwords 303

Passwords Access Marketing IT 303

Krebs on Security

MAY 7, 2022

Apple , Google and Microsoft announced this week they will soon support an approach to authentication that avoids passwords altogether, and instead requires users to merely unlock their smartphones to sign in to websites or online services. “I worry about forgotten password recovery for cloud accounts.” Image: Blog.google.

Passwords 262

Passwords Authentication Phishing Cloud 262

Data Breach Today

OCTOBER 21, 2022

Poor Credential Hygiene Leaves Remote Services at Risk of Brute Force Attacks If remote access to corporate networks is only as secure as the weakest link, only some dreadfully weak passwords now stand between hackers and many organizations' most sensitive data, according to new research from Rapid7 into the two most widely used remote access protocols (..)

Passwords 274

Passwords Risk Access Security 274

Data Breach Today

JULY 2, 2021

Agency Warns of Impact on National Security Failure to take basic security steps - such as avoiding using end-of-life software and default passwords - can create serious national security risks, CISA stresses. The agency is in the early stages of developing a catalog of "bad practices" that should be avoided.

Security 312

Security Passwords Risk 312

Krebs on Security

MARCH 16, 2021

SMS text messages were already the weakest link securing just about anything online, mainly because there are tens of thousands of employees at mobile stores who can be tricked or bribed into swapping control over a mobile phone number to someone else. “Regulators really need to get involved.” ” WHAT CAN YOU DO?

Security 363

Security Passwords Authentication Communications 363

Data Breach Today

APRIL 29, 2024

Law Bans Universal Default Passwords; Requires Bug-Reporting Channels, Update Plan Say goodbye to buying internet of things devices in Britain with a default or hardcoded password set to "12345," as the country has banned manufacturers from shipping internet-connected and network-connected devices that don't comply with minimum cybersecurity standards. (..)

Cybersecurity 306

Cybersecurity IoT Manufacturing Passwords 306

Data Breach Today

FEBRUARY 4, 2024

Company Says Problem Remediated, All Security-Related Certificates Revoked Remote desktop application provider AnyDesk acknowledged hackers recently gained unauthorized access to the company's production systems in a cyberattack.

Passwords 276

Passwords Access Security IT 276

Data Breach Today

FEBRUARY 5, 2024

Company Says Problem Remediated, All Security-Related Certificates Revoked Remote desktop application provider AnyDesk acknowledged hackers recently gained unauthorized access to the company's production systems in a cyberattack.

Passwords 264

Passwords Access Security IT 264

Krebs on Security

JULY 15, 2024

“And since there’s no password on the account, it just shoots them to the ‘create password for your new account’ flow. What’s more, Monahan said, Squarespace did not require email verification for new accounts created with a password. It’s easier to secure one account than two.”

Security 294

Security Passwords Access Phishing 294

Data Breach Today

FEBRUARY 20, 2024

1Password CEO Says Acquisition Will Help Customers Achieve Zero Trust Objectives Jeff Shiner, CEO of the popular password management company 1Password, said Monday that the company is acquiring leading device security platform Kolide in response to the "historic transformation of the workplace that demands transformative and intuitive new security (..)

Security 243

Security Passwords 243

Security Affairs

NOVEMBER 3, 2024

Microsoft warns Chinese threat actors are using the Quad7 botnet to carry out password-spray attacks and steal credentials. Chinese threat actors use the Quad7 botnet in password-spray attacks to steal credentials, Microsoft warns. “Microsoft assesses that a threat actor located in China established and maintains this network.

Passwords 139

Passwords Access Cloud Government 139

Krebs on Security

SEPTEMBER 5, 2023

In November 2022, the password manager service LastPass disclosed a breach in which hackers stole password vaults containing both encrypted and plaintext data for more than 25 million users. Monahan said virtually all of the victims she has assisted were longtime cryptocurrency investors, and security-minded individuals.

Passwords 362

Passwords Encryption Blockchain Data breaches 362

Krebs on Security

OCTOBER 28, 2020

In March 2020, KrebsOnSecurity alerted Swedish security giant Gunnebo Group that hackers had broken into its network and sold the access to a criminal group which specializes in deploying ransomware. The company has operations in 25 countries, more than 4,000 employees, and billions in revenue annually. Acting on a tip from Milwaukee, Wis.-based

Security 361

Security Ransomware Agriculture Cybersecurity 361

Krebs on Security

APRIL 12, 2021

The stolen data includes customer email addresses, dates of birth, phone numbers, license plate numbers, hashed passwords and mailing addresses. “You are correct that bcrypt hashed and salted passwords were obtained,” Perkins said when asked about the screenshot in the database sales thread.

Passwords 363

Passwords Sales Cybersecurity Encryption 363

Data Breach Today

SEPTEMBER 16, 2024

New Security Measures Follow High-Profile Hacks of Snowflake Customers Data warehousing platform Snowflake rolled out default MFA - as well as a 14-character password minimum - to shore up security in the wake of a series of cyberattacks in June that hit high-profile customers including Santander Bank, Advance Auto Parts, LA Unified School District (..)

Passwords 162

Passwords Security 162

Krebs on Security

JUNE 19, 2020

Hundreds of popular websites now offer some form of multi-factor authentication (MFA), which can help users safeguard access to accounts when their password is breached or stolen. When the two of them sat down to reset his password, the screen displayed a notice saying there was a new Gmail address tied to his Xbox account.

IT 363

IT Authentication Passwords Access 363

Krebs on Security

MARCH 26, 2024

Several Apple customers recently reported being targeted in elaborate phishing attacks that involve what appears to be a bug in Apple’s password reset feature. “It was like this system notification from Apple to approve [a reset of the account password], but I couldn’t do anything else with my phone.

Passwords 362

Passwords Phishing Authentication Mining 362

The Last Watchdog

MAY 24, 2022

This is one giant leap towards getting rid of passwords entirely. Excising passwords as the security linchpin to digital services is long, long overdue. Security + efficiency. Password abuse at scale arose shortly after the decision got made in the 1990s to make shared secrets the basis for securing digital connections.

Authentication 342

Authentication Passwords Digital transformation Cloud 342

Data Breach Today

AUGUST 26, 2022

Security Experts Continue to Recommend Password Managers As Security Best Practice Password manager stalwart LastPass acknowledged Thursday that a threat actor gained unauthorized access to its source code and proprietary technical information.

Passwords 315

Passwords Encryption Access Security 315

Krebs on Security

JULY 29, 2021

Every time there is another data breach, we are asked to change our password at the breached entity. Our continued reliance on passwords for authentication has contributed to one toxic data spill or hack after another.

Passwords 362

Passwords Phishing Mining Data breaches 362

Krebs on Security

MAY 6, 2024

But researchers at Leviathan Security say they’ve discovered it’s possible to abuse an obscure feature built into the DHCP protocol so that other users on the local network are forced to connect to a rogue DHCP server. VPNs work by creating a virtual network interface that serves as an encrypted tunnel for communications.

IT 306

IT Security Encryption Passwords 306

Schneier on Security

SEPTEMBER 27, 2024

Verifiers and CSPs SHOULD permit a maximum password length of at least 64 characters. Verifiers and CSPs SHOULD accept all printing ASCII [RFC20] characters and the space character in passwords. Verifiers and CSPs SHOULD accept all printing ASCII [RFC20] characters and the space character in passwords. not truncate it).

Passwords 122

Passwords Authentication Access IT 122

Security Affairs

JULY 26, 2024

Google addressed a Chrome’s Password Manager bug that caused user credentials to disappear temporarily for more than 18 hours. Google has addressed a bug in Chrome’s Password Manager that caused user credentials to disappear temporarily. Users can save passwords, however it was not visible to them.

Passwords 143

Passwords IT Information Security Security 143

The Last Watchdog

OCTOBER 23, 2024

22, 2024, CyberNewswire — INE Security offers essential advice to protect digital assets and enhance security. Warn “Small businesses face a unique set of cybersecurity challenges and threats and must be especially proactive with cybersecurity training,” said Dara Warn, CEO of INE Security. “At Cary, NC, Oct.

Security 162

Security Data breaches Passwords Cybersecurity 162

Krebs on Security

APRIL 6, 2021

. — rely on that number for password resets. From there, the bad guys can reset the password of any account to which that mobile number is tied, and of course intercept any one-time tokens sent to that number for the purposes of multi-factor authentication.

Passwords 360

Passwords Authentication Privacy Sales 360

Krebs on Security

JULY 12, 2024

AT&T said it delayed disclosing the incident in response to “national security and public safety concerns,” noting that some of the records included data that could be used to determine where a call was made or text message sent. c) of the SEC Rule, due to potential risks to national security and/or public safety.

Data breaches 336

Data breaches Passwords Authentication Cloud 336

WIRED Threat Level

OCTOBER 14, 2024

“Passkeys,” the secure authentication mechanism built to replace passwords, are getting more portable and easier for organizations to implement thanks to new initiatives the FIDO Alliance announced on Monday.

Passwords 141

Passwords Authentication Security Privacy 141

Security Affairs

JULY 17, 2024

A vulnerability in Cisco Smart Software Manager On-Prem (Cisco SSM On-Prem) license servers allows threat actors to change any user’s password. The issue is due to an improper implementation in the password-change process. “This vulnerability is due to improper implementation of the password-change process. .

Passwords 142

Passwords Authentication Access Security 142

Krebs on Security

FEBRUARY 19, 2020

The disclosure comes almost a year after Citrix acknowledged that digital intruders had broken in by probing its employee accounts for weak passwords. Among the VPN flaws available to attackers is a recently-patched vulnerability ( CVE-2019-19781 ) in Citrix VPN servers dubbed “Shitrix” by some in the security community.

Passwords 360

Passwords Access Insurance Government 360

Security Affairs

SEPTEMBER 28, 2024

The Irish Data Protection Commission (DPC) fined Meta €91 million for storing the passwords of hundreds of millions of users in plaintext. In 2019, Meta disclosed that it had inadvertently stored some users’ passwords in plaintext on its internal systems, without encrypting them. ” reported Meta. ” reported Meta.

Passwords 138

Passwords Encryption GDPR Access 138

Data Breach Today

OCTOBER 16, 2024

Advisory Warns Iranian Threat Actors Use 'Push Bombing' to Target Critical Sectors Iranian cyber actors are increasingly using brute force techniques, such as password spraying and multifactor authentication push bombing, to target critical infrastructure sectors, according to a cybersecurity advisory released Wednesday by the Cybersecurity and Infrastructure (..)

Passwords 296

Passwords Authentication Cybersecurity Security 296

Krebs on Security

JUNE 15, 2024

.” In a SIM-swapping attack, crooks transfer the target’s phone number to a device they control and intercept any text messages or phone calls sent to the victim — including one-time passcodes for authentication, or password reset links sent via SMS. That leaderboard currently lists Sosa as #24 (out of 100), and Tylerb at #65.

Phishing 311

Phishing Passwords Authentication Encryption 311

Krebs on Security

JULY 10, 2022

In both cases the readers used password managers to select strong, unique passwords for their Experian accounts. Turner said he created the account at Experian in 2020 to place a security freeze on his credit file, and that he used a password manager to select and store a strong, unique password for his Experian account.

Passwords 347

Passwords Authentication Security Privacy 347

Krebs on Security

MARCH 15, 2021

com , a wildly popular service that sold access to more than 12 billion usernames and passwords stolen from thousands of hacked websites. For several years, WeLeakInfo was the largest of several services selling access to hacked passwords. A little over a year ago, the FBI and law enforcement partners overseas seized WeLeakInfo[.]com

Passwords 328

Passwords Mining Data breaches Access 328