The Hacker News Logo
Subscribe to Newsletter

The Hacker News - Cybersecurity News and Analysis: account hacking

Researchers Demonstrate How to Hack Any TikTok Account by Sending SMS

Researchers Demonstrate How to Hack Any TikTok Account by Sending SMS
January 08, 2020Mohit Kumar
TikTok , the 3rd most downloaded app in 2019, is under intense scrutiny over users' privacy, censoring politically controversial content and on national-security grounds—but it's not over yet, as the security of billions of TikTok users would be now under question. The famous Chinese viral video-sharing app contained potentially dangerous vulnerabilities that could have allowed remote attackers to hijack any user account just by knowing the mobile number of targeted victims. In a report privately shared with The Hacker News, cybersecurity researchers at Check Point revealed that chaining multiple vulnerabilities allowed them to remotely execute malicious code and perform unwanted actions on behalf of the victims without their consent. The reported vulnerabilities include low severity issues like SMS link spoofing, open redirection, and cross-site scripting (XSS) that when combined could allow a remote attacker to perform high impact attacks, including: delete any videos

Fortnite Flaws Allowed Hackers to Takeover Gamers' Accounts

Fortnite Flaws Allowed Hackers to Takeover Gamers' Accounts
January 16, 2019Swati Khandelwal
Check Point researchers have discovered multiple security vulnerabilities in Fortnite, a massively popular online battle game, one of which could have allowed remote attackers to completely takeover player accounts just by tricking users into clicking an unsuspectable link. The reported Fortnite flaws include a SQL injection, cross-site scripting (XSS) bug, a web application firewall bypass issue, and most importantly an OAuth account takeover vulnerability. Full account takeover could be a nightmare, especially for players of such a hugely popular online game that has been played by 80 million users worldwide, and when a good Fortnite account has been sold on eBay for over $50,000. The Fortnite game lets its players log in to their accounts using third-party Single Sign-On (SSO) providers, such as Facebook, Google, Xbox, and PlayStation accounts. According to the researchers, the combination of cross-site scripting (XSS) flaw and a malicious redirect issue on the Epic Games&

Pokémon GO Creator's Twitter Account Hacked — Pika, Pikaaaa!

Pokémon GO Creator's Twitter Account Hacked — Pika, Pikaaaa!
August 01, 2016Swati Khandelwal
Twitter account of another high-profile CEO has been hacked! This time, it's Niantic CEO John Hanke , the developer behind the world's most popular game Pokémon GO . And it seems like Hanke is so busy with its newly launched game Pokémon GO that he hasn't noticed or took any measures against it even after over 12 hours of the hack, as the tweets made by hackers are still displaying on his Twitter timeline (at the time of writing). OurMine claimed responsibility for the hack, which was spotted after the hacking group managed to post a series of messages on Hanke's Twitter timeline. OurMine is the same group of Saudi Arabian hackers that previously compromised social media accounts of other CEOs including: Google's CEO Sundar Pichai Facebook's CEO Mark Zuckerberg Twitter CEO Jack Dorsey Twitter's ex-CEO Dick Costolo Facebook-owned virtual reality company Oculus CEO Brendan Iribe It appears that OurMine managed to post on Hanke's Twi

QRLJacking — Hacking Technique to Hijack QR Code Based Quick Login System

QRLJacking — Hacking Technique to Hijack QR Code Based Quick Login System
July 28, 2016Swati Khandelwal
Do you know that you can access your WeChat, Line and WhatsApp chats on your desktop as well using an entirely different, but fastest authentication system? It's SQRL , or Secure Quick Response Login, a QR-code-based authentication system that allows users to quickly sign into a website without having to memorize or type in any username or password. QR codes are two-dimensional barcodes that contain a significant amount of information such as a shared key or session cookie. A website that implements QR-code-based authentication system would display a QR code on a computer screen and anyone who wants to log-in would scan that code with a mobile phone app. Once scanned, the site would log the user in without typing in any username or password. Since passwords can be stolen using a keylogger, a man-in-the-middle (MitM) attack, or even brute force attack, QR codes have been considered secure as it randomly generates a secret code, which is never revealed to anybody else.

Uh-Oh! Pokémon GO grants itself 'Full Access' to your Google Account — Fix It NOW

Uh-Oh! Pokémon GO grants itself 'Full Access' to your Google Account — Fix It NOW
July 12, 2016Swati Khandelwal
Nintendo's new location-based augmented reality game Pokémon GO has been making rounds since its launch just a few days ago. People are so excited to catch 'em all that brought Nintendo's market-value gains to $7.5 Billion (£5.8 Billion) in just two days – the highest surge since 1983. Due to the huge interest surrounding Pokémon GO, even hackers are using the game's popularity to distribute malicious versions of Pokémon GO that could install DroidJack malware on Android phones, allowing them to compromise user's devices completely. However, the latest threat is related to the privacy concerns raised about the iOS version of the official Pokémon GO app. Pokémon GO – A Huge Security Risk Adam Reeve labeled the game "malware," saying that Pokémon GO is a "huge security risk" as the game, for some reason, grants itself "full account access" to your Google account when you sign into the app via Google on iPhone or iPad. Ye

BitTorrent Forum Hacked; Change your Password Immediately

BitTorrent Forum Hacked; Change your Password Immediately
June 08, 2016Mohit Kumar
If you are a torrent lover and have registered on  BitTorrent community forum website, then you may have had your personal details compromised, along with your hashed passwords. The BitTorrent team has announced that its community forums have been hacked, which exposed private information of hundreds of thousands of its users. As of now, BitTorrent is the most visited torrent client around the world with more than 150 Million monthly active users. Besides this, BitTorrent also has a dedicated community forum that has over hundreds of thousands of registered members with tens of thousands of daily visitors. A recent security alert by the team says the forum database has been compromised by hackers who were able to get their hands on its users' passwords, warning its users to update their passwords as soon as possible. The vulnerability is believed to be originated at one of its vendors, who alerted the BitTorrent team about the issue earlier this week. "The vulnera

Hacker puts up 167 Million LinkedIn Passwords for Sale

Hacker puts up 167 Million LinkedIn Passwords for Sale
May 18, 2016Mohit Kumar
LinkedIn's 2012 data breach was much worse than anybody first thought. In 2012, LinkedIn suffered a massive data breach in which more than 6 Million users accounts login details, including encrypted passwords, were posted online by a Russian hacker. Now, it turns out that it was not just 6 Million users who got their login details stolen. Latest reports emerged that the 2012's LinkedIn data breach may have resulted in the online sale of sensitive account information, including emails and passwords, of about 117 Million LinkedIn users. Almost after 4 years, a hacker under the nickname "Peace" is offering for sale what he/she claims to be the database of 167 Million emails and hashed passwords, which included 117 Million already cracked passwords, belonging to LinkedIn users. The hacker, who is selling the stolen data on the illegal Dark Web marketplace " The Real Deal " for 5 Bitcoins (roughly $2,200), has spoken to Motherboard, confirming th

Top 4 Data Breaches reported in last 24 Hours

Top 4 Data Breaches reported in last 24 Hours
May 10, 2016Wang Wei
There is no doubt that data breaches are on the rise. Hardly a day goes without headlines about any significant data breach. According to the latest ' Cyber Security Breaches Survey 2016 ' report published by UK government, two-thirds of the biggest firm in the UK have experienced at least a cyber attacks or data breaches within the past 12 months. Here's today, I am writing about top 4 data breaches reported in last 24 hours, threatened your data privacy and online security. 1. Kiddicare Hacked! 794,000 Accounts Leaked Kiddicare has admitted that the company has suffered a data breach, which led to the theft of sensitive data belonging to 794,000 users, including phone numbers and residential addresses. Kiddicare, company that sells child toys and accessories across the United Kingdom, became aware of the data breach after its customers started receiving suspicious text messages – most likely part of a phishing campaign – that attempted to pilfer them to click on a li

In-Brief: Spotify Hack, Secret of Chrome OS, MIT Bug Bounty, Nanowire Batteries

In-Brief: Spotify Hack, Secret of Chrome OS, MIT Bug Bounty, Nanowire Batteries
April 26, 2016Mohit Kumar
1. Spotify Hacked! Change your Password ASAP If you are one of the millions of people around the world who love to listen to music on Spotify, you may need to change your password immediately. Has Spotify been hacked? The company says no, but some Spotify users have claimed their profiles were hijacked, and details were changed without knowledge, including passwords and email addresses, TC  reported . Spotify apparently suffered a security breach that leaked hundreds of Spotify accounts details, including emails, usernames, passwords and account type, which was published last week to the popular anonymous file sharing website Pastebin. Spotify is investigating the Pastebin leaks of Spotify user information. 2. Over 1 Million Android Apps Are Coming to Chrome OS Google is ready to integrate millions of Android applications onto its Chrome OS platform by bringing the entire Play Store to it. Redditor 'TheWiseYoda' first spotted a new option to "Enable And

These Top 30 Ashley Madison Passwords are just as Terrible as You'd Think

These Top 30 Ashley Madison Passwords are just as Terrible as You'd Think
September 12, 2015Khyati Jain
Yes, you heard it correct! First the Password Cracking Team 'CynoSure Prime'  cracked more than 11 Million Ashley Madison's passwords in just 10 days ( quite an achievement, though ), now a member of the team shares the same list of passwords with few calculations. The calculations are... ... What passwords are mostly used and by how many users? Terrible? Out of 11 million passwords, only 4.6 million passwords were unique, and the rest were such weak and horrible ones that one could even think. ArsTechnica to whom CynoSure Prime updated the news published the calculations and say that this is expected to change as they still left with 3.7 million passwords to decrypt. While going through the list of password, top 5 used were: 123456 by 120511 users 12345 by 48452 users password by 39448 users DEFAULT by 34275 users 123456789 by 26620 users for more s ee the list of passwords in above image. AND, Even a 5th grader can literally guess th

This 20-year-old Student Has Written 100 Malware Programs in Two Years

This 20-year-old Student Has Written 100 Malware Programs in Two Years
July 04, 2015Swati Khandelwal
Security firm Trend Micro has identified a 20-year-old Brazilian college student responsible for developing and distributing over 100 Banking Trojans selling each for around US$300 . Known online as ' Lordfenix ', ' Hacker's Son ' and ' Filho de Hacker ', the computer science student first began his career by posting in forums, asking for programming help for a Trojan he was developing, researchers said. Developed More than 100 Trojans However, Lordfenix has "grown quite confident in his skills" and began developing and distributing malware tailored to pilfer financial information since at least 2013. "Based on our research, Lordfenix has created more than 100 different banking Trojans , not including his other malicious tools, since April 2013," Trend Micro says . "With each Trojan costing around R$1,000 (roughly $320), this young cybercriminal channeled his talent in programming into a lucrative, illegal venture." Trend Mi

This Simple Trick Requires Only Your Phone Number to Hack your Email Account

This Simple Trick Requires Only Your Phone Number to Hack your Email Account
June 20, 2015Wang Wei
We all have been receiving spam phone calls and messages on almost daily basis from scammers who want to pilfer your money and personal information, but a new type of social engineering hack that makes use of just your mobile number to trick you is a little scarier. Security firm Symantec is warning people about a new password recovery scam that tricks users into handing over their webmail account access to the attackers. In order to get into your email account, an attacker does not need any coding or technical skills. All an attacker needs your email address in question and your cell phone number. Since the process to reset the password is almost similar to all mail services, this new password recovery scam affects all popular webmail services including Gmail, Yahoo, and Outlook among others. Symantec has provided a video explanation of how this new hack attack works. The trick is as simple as it sounds: if you want to reset someone's email account password, all y

Taylor Swift's Twitter and Instagram Accounts Hacked

Taylor Swift's Twitter and Instagram Accounts Hacked
January 27, 2015Mohit Kumar
The very popular Pop star Taylor Swift became the latest celebrity to have their social media accounts hacked on Tuesday. The 25-year-old " Shake It Off " singer, who has the fourth-most popular Twitter account with 51.4 million followers, appeared to be asking her millions of followers to follow @veriuser and @lizzard. Swift confirmed that her Twitter and Instagram accounts were hacked on Tuesday afternoon, and also that the rogue posts were quickly removed from the social media websites. " My Twitter got hacked but don't worry, Twitter is deleting the hacker tweets and locking my account until they can figure out how this happened and get me new passwords ," said a statement posted on Swift's personal Tumblr page. The accounts were taken for just 15 minutes, but when it belongs to Taylor Swift, that makes it a big hit. At the time, a Tweet went out from @TaylorSwift13 to her millions of fans, saying, " go follow my boy, @lizzard :) " Yes Li

Minecraft hacked! More than 1800 Minecraft account Credentials Leaked

Minecraft hacked! More than 1800 Minecraft account Credentials Leaked
January 20, 2015Swati Khandelwal
A sad reality for gamers all around the world who enjoy playing the very popular game Minecraft on their PCs. If you are one of them, you'll want to pay attention here. A plain text file containing over 1,800 Minecraft account usernames and passwords has just been leaked online, German media reports . The details available in the leak has been posted to Pastebin, which would allow anyone to log into a legitimate user's account in order to play online and download the full version of the game to their own computers. However, the more serious implication of the leaked credentials would be for those affected users who had used the same username and password combination for other online services, like shopping site, banking site, email service or for any social networking site. Minecraft is an incredibly popular online game bought by Microsoft just few months back for $2.5 billion. The game has more than 100 million registered accounts for its PC version alone, and

Namecheap Accounts Compromised in Data Breach

Namecheap Accounts Compromised in Data Breach
September 03, 2014Wang Wei
LA-based domain name registrar and hosting company Namecheap warned its customers on Monday that cybercriminals have begun accessing their accounts by using the list of credentials gathered from third-party websites. The Hosting company confirmed the security breach and informed that the hackers have compromised some of its customers' accounts, probably using the " biggest-ever " password theft via Russian Hackers that disclosed list of 1.2 billion usernames and passwords compiled by Russian CyberVor Gang . RUSSIAN GROUP BEHIND THE ATTACK - CYBERVOR The CyberVor Gang allegedly stolen a vast cache of compromised login credentials for " 1.2 billion " accounts, belonging to over half a billion e-mail addresses, warned Hold Security , a Milwaukee-based security company that tracks stolen data on underground cybercriminal forums. The gang appears to have broken into at least 420,000 websites vulnerable to SQL injection attacks, among other techniques,

Hacking Fiverr.com Accounts — Vulnerability Puts $50 Million Company At Risk

 Hacking Fiverr.com Accounts — Vulnerability Puts $50 Million Company At Risk
August 16, 2014Swati Khandelwal
Fiverr.com, a global online marketplace which provides a platform for people to sell their services for five dollars per job, is vulnerable to a critical web application vulnerability that puts its millions of users at risk. Fiverr recently raised $30 million in a third round of institutional funding to continue supporting the new version of its marketplace, but the company ignored the advance warning of the critical bug reported responsibly by a vulnerability hunter and fails to patch up their website before his public release. There are endless numbers of people providing services on Fiverr website, such as graphic design, language translation, illustration, blogging and a lot more that start from just $5 but can go much higher, depending on complexity, seller rating, and type of work. According to a security researcher Mohamed Abdelbaset, an Information Security Evangelist from Egypt, told The Hacker News that Fiverr website is vulnerable to CSRF (Cross-site reque

Warning — Facebook Color Changer App is Just a Scam, Infects 10000 Users

Warning — Facebook Color Changer App is Just a Scam, Infects 10000 Users
August 09, 2014Swati Khandelwal
Scammers have again targeted more than one billion active users of the popular social networking giant Facebook, to infect as many victims as possible. This time, an old Facebook scam is back in action once again! Malicious Facebook "Color Changer" app has resurfaced again on the popular social networking site Facebook, this time compromising more than 10,000 people worldwide. The malicious app promises users to change the characteristic blue colour of Facebook's header and interface to one of nine other colours including pink, purple, green, yellow, orange and black, in order to infect users' phones and computers with malicious software. Researchers at China-based Internet company Cheetah Mobile have detected the " Facebook colour changer " that tricks Facebook users into downloading the app via a malicious phishing site. The phishing website targets users in two ways: First of all, it steals the users' Facebook Access Tokens by asking them

Spotify Hacked, Urges Android Users to Upgrade app and Change Password

Spotify Hacked, Urges Android Users to Upgrade app and Change Password
May 27, 2014Swati Khandelwal
Today, the popular Music streaming service Spotify said the company has suffered a Data breach and warned users of its Android app to upgrade it in the wake of a potential data breach in their servers. Spotify is a commercial music streaming service launched in October 2008 by Swedish start-up Spotify AB and is freely available for Android and iOS devices as well as for desktop computers with more than 40 million active users, out of which about 10 million users are its paid subscribers. It offers offline listening and ad-free playback are also available for Premium subscribers of the service. The company announced that a hacker had allegedly broken into its systems and gained unauthorized access to the internal company data. So far only one of its users' accounts has been accessed in the data breach, but the company believes that there is no harm to the financial information, payment details or password of the affected user. " Our evidence shows that only one Spot

Facebook Hacker received $33,500 reward for Remote code execution vulnerability

Facebook Hacker received $33,500 reward for Remote code execution vulnerability
January 23, 2014Mohit Kumar
Facebook has paid out its largest Bug Bounty ever of $33,500 to a Brazilian security researcher for discovering and reporting a critical Remote code execution vulnerability, which potentially allows the full control of a server. In September, ' Reginaldo Silva' found an XML External Entity Expansion vulnerability affecting the part of Drupal that handled OpenID, which allows attacker to read any files on the webserver. As a feature, Facebook allows users to access their accounts using OpenID in which it receives an XML document from 3rd service and parse it to verify that it is indeed the correct provider or not i.e. Receives at https://www.facebook.com/openid/receiver.php  In November 2013, while testing Facebook's ' Forgot your password ' functionality, he found that the OpenID process could be manipulated to execute any command on the Facebook server remotely and also allows to read arbitrary files on the webserver. In a Proof-of-Concept ,

Biggest American Bank 'JPMorgan Chase' hacked; 465,000 card users' data stolen

Biggest American Bank 'JPMorgan Chase' hacked; 465,000 card users' data stolen
December 05, 2013Anonymous
JPMorgan Chase , one of the world's biggest Banks has recently announced that it was the victim of a cyber attack and warned round 465,000 of its holders of prepaid cash cards on the possible exposure of their personal information. In the Security Breach that took place on the bank's website www.ucard.chase.com  in July, around 465,000 accounts are compromised i.e. 2% of the overall 25 million UCard users. JPMorgan confirmed that there is no risk for holders of debit cards, credit cards or prepaid Liquid cards. They informed the law enforcement in September, and till now no information on how attackers have conducted the attack has been disclosed. The JPMorgan spokesman Michael Fusco declared that the investigation allowed the identification of victim accounts and the data stolen, the bank already notifying the cardholders of the incident. JPMorgan representative also remarked that hackers haven't stolen money from any user's account, due this reason the company is not i
Exclusive Offers

Sign up for cybersecurity newsletter and get latest news updates delivered straight to your inbox daily.