account takeover | Breaking Cybersecurity News | The Hacker News

Application programming interfaces (APIs) are the connective tissue behind digital modernization, helping applications and databases exchange data more effectively.  The State of API Security in 2024 Report  from Imperva, a Thales company, found that the majority of internet traffic (71%) in 2023 was API calls. What's more, a typical enterprise site saw an average of 1.5 billion API calls in 2023. The expansive volume of internet traffic that passes through APIs should be concerning for every security professional. Despite best efforts to adopt shift-left frameworks and SDLC processes, APIs are often still pushed into production before they're cataloged, authenticated, or audited. On average, organizations have 613 API endpoints in production, but that number is rapidly expanding as pressure grows to deliver digital services to customers more quickly and efficiently. Over time, these APIs can become risky, vulnerable endpoints.  In their report, Imperva concludes that APIs are now a

Critical security flaws have been disclosed in the Open Authorization (OAuth) implementation of popular online services such as Grammarly, Vidio, and Bukalapak, building upon previous shortcomings uncovered in  Booking[.]com and Expo . The weaknesses, now addressed by the respective companies following responsible disclosure between February and April 2023, could have allowed malicious actors to obtain access tokens and potentially hijack user accounts. OAuth is a  standard  that's commonly used as a mechanism for cross-application access, granting websites or applications access to their information on other websites, such as Facebook, but without giving them the passwords. "When OAuth is used to provide service authentication, any security breach in it can lead to identity theft, financial fraud, and access to various personal information including credit card numbers, private messages, health records, and more, depending on the specific service being attacked," Sa

The need for vCISO services is growing. SMBs and SMEs are dealing with more third-party risks, tightening regulatory demands and stringent cyber insurance requirements than ever before. However, they often lack the resources and expertise to hire an in-house security executive team. By outsourcing security and compliance leadership to a vCISO, these organizations can more easily obtain cybersecurity expertise specialized for their industry and strengthen their cybersecurity posture. MSPs and MSSPs looking to meet this growing vCISO demand are often faced with the same challenge. The demand for cybersecurity talent far exceeds the supply. This has led to a competitive market where the costs of hiring and retaining skilled professionals can be prohibitive for MSSPs/MSPs as well. The need to maintain expertise of both security and compliance further exacerbates this challenge. Cynomi, the first AI-driven vCISO platform , can help. Cynomi enables you - MSPs, MSSPs and consulting firms

Popular instant messaging app WhatsApp on Thursday announced a new account verification feature that ensures that malware running on a user's mobile device doesn't impact their account. "Mobile device malware is one of the biggest threats to people's privacy and security today because it can take advantage of your phone without your permission and use your WhatsApp to send unwanted messages," the Meta-owned company said in an announcement. Called  Device Verification , the security measure is designed to help prevent account takeover (ATO) attacks by blocking the threat actor's connection and allowing targets of the malware infection to use the app without any interruption. In other words, the goal is to deter attackers' use of malware to steal WhatsApp authentication keys and hijack victim accounts, and subsequently impersonate them to distribute spam and phishing links to other contacts. This, in turn, is achieved by introducing a security-token th

It appears that at least the United States has started taking the threat of Sim Swapping attacks very seriously. Starting with the country's first-ever conviction for 'SIM Swapping' this February, U.S. Department of Justice has since then announced charges against several individuals for involving in the scheme to siphon millions of dollars in cryptocurrency from victims. In the latest incident, the U.S. authorities on Thursday arrested two more alleged cybercriminals from Massachusetts, charging them with stealing $550,000 in cryptocurrency from at least 10 victims using SIM swapping between November 2015 and May 2018. SIM Swapping, or SIM hijacking, is a technique that typically involves the social engineering of a target's mobile phone provider. An attacker makes a phony call posing as their targets and convinces the mobile phone provider to port the target's phone number to a SIM card belonging to the attacker. Once successful, the attacker can t

A popular gaming platform used by hundreds of millions of people worldwide has been found vulnerable to multiple security flaws that could have allowed remote hackers to takeover players' accounts and steal sensitive data. The vulnerabilities in question reside in the "Origin" digital distribution platform developed by Electronic Arts (EA)—the world's second-largest gaming company with over 300 million users—that allows users to purchase and play some of the most popular video games including Battlefield, Apex Legends, Madden NFL, and FIFA. The Origin platform also manages users EA Games account authentication and allows them to find friends, join games, and manage their profiles. Discovered by researchers at Check Point and CyberInt, the vulnerabilities when chained together could have allowed attackers to hijack gamer's EA account just by convincing them into opening an official webpage from the EA Games website. To perform this attack, as shown in th