The Hacker News — Cyber Security, Hacking, Technology News

It was not just Yahoo among "Fortune 500" companies who tried to keep a major data breach incident secret.

Reportedly, Microsoft had also suffered a data breach four and a half years ago (in 2013), when a "highly sophisticated hacking group" breached its bug-reporting and patch-tracking database, but the hack was never made public until today.

According to five former employees of the company, interviewed separately by Reuters, revealed that the breached database had been "poorly protected with access possible via little more than a password."

This incident is believed to be the second known breach of such a corporate database after a critical zero-day vulnerability was discovered in Mozilla's Bugzilla bug-tracking software in 2014.

As its name suggests, the bug-reporting and patch-tracking database for Windows contained information on critical and unpatched vulnerabilities in some of the most widely used software in the world, including Microsoft's own Windows operating system.

The hack was believed to be carried out by a highly-skilled corporate espionage hacking group known by various names, including Morpho, Butterfly and Wild Neutron, who exploited a JAVA zero-day vulnerability to hack into Apple Mac computers of the Microsoft employees, "and then move to company networks."

With such a database in hands, the so-called highly sophisticated hacking group could have developed zero-day exploits and other hacking tools to target systems worldwide.

There's no better example than WannaCry ransomware attack to explain what a single zero-day vulnerability can do.

"Bad guys with inside access to that information would literally have a ‘skeleton key’ for hundreds of millions of computers around the world," said Eric Rosenbach, who was American deputy assistant secretary of defence for cyber at the time of the breach.

When Microsoft discovered the compromised database in earlier 2013, an alarm spread inside the company.

Following the concerns that hackers were using stolen vulnerabilities to conduct new attacks, the tech giant conducted a study to compare the timing of breaches with when the bugs had entered the database and when they were patched.

Although the study found that the flaws in the stolen database were used in cyber attacks, Microsoft argued the hackers could have obtained the information elsewhere, and that there's "no evidence that the stolen information had been used in those breaches."

Former employees also confirmed that the tech giant tightened up its security after the 2013 hacking incident and added multiple authentication layers to protect its bug-reporting system.

However, three of the employees believes the study conducted by Microsoft did not rule out stolen vulnerabilities being used in future cyber attacks, and neither the tech giant conducted a thorough investigation into the incident.

On being contacted, Microsoft declined to speak about the incident, beyond saying: "Our security teams actively monitor cyber threats to help us prioritise and take appropriate action to keep customers protected."

Another day, Another data breach disclosure.

This time the popular commenting system has fallen victim to a massive security breach.

Disqus, the company which provides a web-based comment plugin for websites and blogs, has admitted that it was breached 5 years ago in July 2012 and hackers stole details of more than 17.5 million users.

The stolen data includes email addresses, usernames, sign-up dates, and last login dates in plain text for all 17.5 million users.

What's more? Hackers also got their hands on passwords for about one-third of the affected users, which were salted and hashed using the weak SHA-1 algorithm.

The company said the exposed user information dates back to 2007 with the most recently exposed from July 2012.

According to Disqus, the company became aware of the breach Thursday (5th October) evening after an independent security researcher Troy Hunt, who obtained a copy of the site's information, notified the company.

Within about 24 hours, Disqus disclosed the data breach and started contacting its affected users, forcing them to reset their passwords as soon as possible.

"No plain text passwords were exposed, but it is possible for this data to be decrypted (even if unlikely). As a security precaution, we have reset the passwords for all affected users. We recommend that all users change passwords on other services if they are shared," Disqus' CTO Jason Yan said in a blog post.

However, since late 2012 Disqus has made other upgrades to improve its security and changed its password hashing algorithm to Bcrypt—a much stronger cryptographic algorithm which makes it difficult for hackers to obtain user's actual password.

"Since 2012, as part of normal security enhancements, we have made significant upgrades to our database and encryption to prevent breaches and increase password security, Yan said. "Specifically, at the end of 2012, we changed our password hashing algorithm from SHA1 to bcrypt."

In addition to resetting your password, you are also advised to change your passwords on other online services and platforms as well, if you share the same credentials.

It is most likely that hackers could use this stolen information in tandem with social engineering techniques to gain further information on victims. So, you are advised to beware of spam and phishing emails carrying malicious file attachments.

It is still unclear how hackers get hands-on Disqus data. San Francisco-based Disqus is still actively investigating this security incident.

We will update you as soon as more details surface.

This is yet another embarrassing breach disclosed recently, after Equifax’s disclosure of a breach of potentially 145.5 million US customers, U.S. Securities and Exchange Commission (SEC) disclosure of a breach that profited hackers, and recent Yahoo’s disclosure that 2013 data breach affected all of its 3 Billion users.

The largest known hack of user data in the history just got tripled in size.

Yahoo, the internet company that's acquired by Verizon this year, now believes the total number of accounts compromised in the August 2013 data breach, which was disclosed in December last year, was not 1 billion—it's 3 Billion.

Yes, the record-breaking Yahoo data breach affected every user on its service at the time.

Late last year, Yahoo revealed the company had suffered a massive data breach in August 2013, which affected 1 billion user accounts.

The 2013 hack exposed user account information, including names, email addresses, telephone numbers, dates of births, hashed passwords (using MD5), and, in some cases, "encrypted or unencrypted security questions and answers," Yahoo said in 2016.

At that time, Yahoo did confirm that hackers did not obtain bank account details or credit card information tied to the Yahoo accounts.

The data breach was attributed to state-sponsored hackers. Since the disclosure of the breach last year, there have been many developments in the incident.

However, the recent announcement by Yahoo makes it clear that if you had an email account on Yahoo, you were part of the infamous data breach.

Oath, the Verizon subsidiary into which Yahoo was merged, made the announcement in a filing with the SEC on Tuesday, which reads:

"Subsequent to Yahoo's acquisition by Verizon, and during integration, the company recently obtained new intelligence and now believes, following an investigation with the assistance of outside forensic experts, that all Yahoo user accounts were affected by the August 2013 theft."

The statement clearly suggests that if you had an account on Yahoo in 2013, you were affected by the data breach.

So for whatever reason you did not change your password last year after the disclosure of this massive breach, you should now change your passwords immediately and enable two-factor authentication (2FA).

Also, if you are using the same password and answers to security questions somewhere else, change them too.

Deleting Yahoo account may not be a good option to opt for, as Yahoo recycles deleted accounts after 30 days, which would allow anyone to hijack it. So, even if you don't want to use your Yahoo account, just enable 2FA and leave it.

Yahoo has also started notifying the affected account holders, requiring them to change their passwords immediately, and assuring them that the stolen data "did not include passwords in clear text, payment card data, or bank account information."

One should note that this breach is separate from the 2014 breach disclosed by Yahoo in September last year, affecting as many as 500 Million user accounts.

Yahoo attributed the 2014 breach to a state-sponsored hacking group. In March 2016, US federal prosecutors charged two Russian intelligence officers and two criminal hackers in connection with the breach.

Recently, credit reporting service Equifax also announced that an additional 2.5 million American consumers were also impacted by the massive breach the company disclosed last month, bringing the total possible victims to 145.5 million from 143 million.

Equifax data breach was bigger than initially reported, exposing highly sensitive information of more Americans than previously revealed.

Credit rating agency Equifax says an additional 2.5 million U.S. consumers were also impacted by the massive data breach the company disclosed last month, bringing the total possible victims to 145.5 million from 143 million.

Equifax last month announced that it had suffered a massive data breach that exposed highly sensitive data of hundreds of millions of its customers, which includes names, social security numbers, dates of birth and addresses.

In addition, credit card information for nearly 209,000 customers was also stolen, as well as certain documents with personally identifying information (PII) for approximately 182,000 Equifax consumers.

The breach was due to a critical vulnerability (CVE-2017-5638) in Apache Struts 2 framework, which Apache patched over two months earlier (on March 6) of the security incident.

Equifax was even informed by the US-CERT on March 8 to patch the flaw, but the company failed to identified or patched its systems against the issue, Equifax ex-CEO Richard Smith said in a statement [PDF] to the House Committee on Energy and Commerce.

"It appears that the breach occurred because of both human error and technology failures," Smith said. "Equifax's information security department also ran scans that should have identified any systems that were vulnerable to the Apache Struts issue...Unfortunately, however, the scans did not identify the Apache Struts vulnerability."

In the wake of the security incident, the company hired FireEye-owned security firm Mandiant to investigate the breach, which has now concluded the forensic portion of its investigation and plans to release the results "promptly."

Mandiant said a total of 145.5 million consumers might now potentially have been impacted by the breach, which is 2.5 million more than previously estimated. However, the firm did not identify any evidence of "new attacker activity."

"Mandiant did not identify any evidence of additional or new attacker activity or any access to new databases or tables," Equifax said in a Monday press release. 

"Instead, this additional population of consumers was confirmed during Mandiant's completion of the remaining investigative tasks and quality assurance procedures built into the investigative process."

The forensic investigation also found that approximately 8,000 Canadian consumers were also impacted, which is much lower than the 100,000 initially estimated figure by the credit rating and reporting firm.

However, Equifax said that this figure "was preliminary and did not materialize."

"I want to apologize again to all impacted consumers. As this important phase of our work is now completed, we continue to take numerous steps to review and enhance our cybersecurity practices," newly appointed interim CEO, Paulino do Rego Barros, Jr. said.

"We also continue to work closely with our internal team and outside advisors to implement and accelerate long-term security improvements."

Equifax, which maintains data on over 820 million consumers and over 91 million businesses worldwide, also said the company would update its own notification by October 8 for its customers who want to check if they were among those affected by the data breach.

How to become a Professional Hacker? This is one of the most frequently asked queries we came across on a daily basis. Do you also want to learn real-world hacking techniques but don’t know where [...]

Another day, another data breach. This time Amazon-owned grocery chain has fallen victim to a credit card security breach.

Whole Foods Market—acquired by Amazon for $13.7 billion in late August—disclosed Thursday that hackers were able to gain unauthorized access to credit card information for its customers who made purchases at certain venues like taprooms and full table-service restaurants located within some stores.

Whole Foods Market has around 500 stores in the United States, United Kingdom, and Canada.

The company did not disclose details about the targeted locations or the total number of customers affected by the breach, but it did mention that hackers targeted some of its point-of-sale (POS) terminals in an attempt to steal customer data, including credit details.

The company also said people who only shopped for groceries at Whole Foods were not affected, neither the hackers were able to access Amazon transactions in the security breach.

Instead, only certain venues such as taprooms and table-service restaurants located within its stores—which use a separate POS system—were impacted.

Whole Foods Market has hired a cybersecurity firm to help it investigate the credit card breach and contacted law enforcement authorities of this incident.

"When Whole Foods Market learned of this, the company launched an investigation, obtained the help of a leading cybersecurity forensics firm, contacted law enforcement, and is taking appropriate measures to address the issue," Whole Foods said in a statement on its website.

The company is also encouraging its customers to closely monitor their credit card statements and "report any unauthorized charges to the issuing bank."

According to Whole Foods Market, none of the affected systems being investigated are, in any way, connected to Amazon.com systems.

Whole Foods Market has become the latest of the victim of the high-profile cyber attack. Earlier this month, Global tax and auditing firm Deloitte suffered a cyber attack that resulted in the theft of private emails and documents of some of its clients.

Also last week, the U.S. Securities and Exchange Commission (SEC) also disclosed that unknown hackers managed to hack its financial document filing system and illegally profited from the stolen information.

Last month, credit rating agency Equifax publicly disclosed a breach of its systems that exposed personal details, including names, addresses, birthdays and Social Security numbers, of potentially 143 million US customers.

Another day, another data breach. This time one of the world's "big four" accountancy firms has fallen victim to a sophisticated cyber attack.

Global tax and auditing firm Deloitte has confirmed the company had suffered a cyber attack that resulted in the theft of confidential information, including the private emails and documents of some of its clients.

Deloitte is one of the largest private accounting firms in the U.S. which offers tax, auditing, operations consulting, cybersecurity advisory, and merger and acquisition assistance services to large banks, government agencies and large Fortune 500 multinationals, among others.

The global accountancy firm said Monday that its system had been accessed via an email platform from October last year through this past March and that "very few" of its clients had been affected, the Guardian reports.

The firm discovered the cyber attack in March, but it believes the unknown attackers may have had access to its email system since October or November 2016.

Hackers managed to gain access to the Deloitte's email server through an administrator account that wasn't secured using two-factor authentication (2FA), granting the attacker unrestricted access to Deloitte's Microsoft-hosted email mailboxes.

Besides emails, hackers also may have had potential access to "usernames, passwords, IP addresses, architectural diagrams for businesses and health information."

"In response to a cyber incident, Deloitte implemented its comprehensive security protocol and began an intensive and thorough review including mobilising a team of cybersecurity and confidentiality experts inside and outside of Deloitte," a Deloitte spokesperson told the newspaper.

"As part of the review, Deloitte has been in contact with the very few clients impacted and notified governmental authorities and regulators."

Deloitte's internal investigation into the cyber incident is still ongoing, and the firm has reportedly informed only six of its clients that their information was "impacted" by the breach.

Deloitte has become the latest of the victim of the high-profile cyber attack. Just last month, Equifax publicly disclosed a breach of its systems that exposed personal data of as many as 143 million US customers.

Moreover, last week the U.S. Securities and Exchange Commission (SEC) also disclosed that hackers managed to hack its financial document filing system and illegally profited from the stolen information.

Viacom—the popular entertainment and media company that owns Paramount Pictures, Comedy Central, MTV, and hundreds of other properties—has exposed the keys to its kingdom on an unsecured Amazon S3 server.

A security researcher working for California-based cyber resiliency firm UpGuard has recently discovered a wide-open, public-facing misconfigured Amazon Web Server S3 cloud storage bucket containing roughly a gigabyte's worth of credentials and configuration files for the backend of dozens of Viacom properties.

These exposed credentials discovered by UpGuard researcher Chris Vickery would have been enough for hackers to take down Viacom's internal IT infrastructure and internet presence, allowing them to access cloud servers belonging to MTV, Paramount Pictures and Nickelodeon.

Among the data exposed in the leak was Viacom's master key to its Amazon Web Services account, and the credentials required to build and maintain Viacom servers across its many subsidiaries and dozens of brands.

"Perhaps most damaging among the exposed data are Viacom's secret cloud keys, an exposure that, in the most damaging circumstances, could put the international media conglomerate's cloud-based servers in the hands of hackers," an UpGuard blog post says. 

"Such a scenario could enable malicious actors to launch a host of damaging attacks, using the IT infrastructure of one of the world's largest broadcast and media companies."

In other words, the access key and secret key for the company's AWS account would have allowed hackers to compromise Viacom's servers, storage, and databases under the AWS account.
According to the analysis performed by UpGuard, a number of cloud instances used within the media company's IT toolchain, including Docker, Splunk, New Relic, and Jenkins, could have "thus been compromised in this manner."

In addition to these damaging leaks, the unprotected server also contained GPG decryption keys, which can be used to unlock sensitive data. However, the server did not contain any customer or employee information.

Although it is unclear whether hackers were able to exploit this information to access important files belonging to Viacom and the firms it owns, the media giant said there's no evidence anyone had abused its data.

"We have analyzed the data in question and determined there was no material impact," the company said in a statement.

"Once Viacom became aware that information on a server—including technical information, but no employee or customer information—was publicly accessible, we rectified the issue."

All the credentials have now been changed after UpGuard contacted Viacom executives privately, and the server was secured shortly afterwards.

This is not the first time when Vickery has discovered a company's sensitive information stored on an unprotected AWS C3 server.

Vickery has previously tracked down many exposed datasets on the Internet, including personal details of over 14 million Verizon customers, a cache of 60,000 documents from a US military, information of over 191 Million US voter records, and 13 Million MacKeeper users.

OurMine is in headlines once again—this time for breaching the popular video streaming service Vevo.

After hunting down social media accounts of HBO and defacing WikiLeaks website, the infamous self-proclaimed group of white hat hackers OurMine have hacked Vevo and leaked about 3.12 TB worth of internal files.

Vevo is a joint venture between Sony Music Entertainment, Universal Music Group, Abu Dhabi Media, Warner Music Group, and Google's parent company Alphabet Inc.

OurMine managed to get hold of Vevo's "sensitive" data including its internal office documents, videos and promotional materials after the hacking collective successfully hacked into the Vevo servers.

The group then posted the stolen documents (approximately 3.12 terabytes) from Vevo on its website on late Thursday, though OurMine removed the stolen information from its website on Vevo's request.

Although it's not clear what prompted OurMine to hack Vevo, the group noted on its website that it initially tried to alert Vevo of the breach privately, but when one of the Vevo's employees responded, "F*** off, you don't have anything," it went public with the data breach and leaked Vevo files.

According to Variety, the stolen files included notes on around 90 artists, including Britney Spears, Jennifer Lopez, Taylor Swift, Justin Bieber, Katy Perry, Madonna, Calvin Harris, Ariana Grande, Florida Georgia Line, One Direction, Sia, The Weeknd, and U2.

The breach was first reported by Dell Cameron of Gizmodo, who said the leaked Vevo content seems "pretty mild," which contained "weekly music charts, pre-planned social media content, and various details about the artists under the record companies' management."

It’s not clear for how long the hackers have been accessing the Vevo system, how they managed to gain access to its server, or whether they have held on other additional information, like financial, emails, and passwords.

Vevo has confirmed the security incident, saying the company "can confirm that Vevo experienced a data breach as a result of a phishing scam via Linkedin. We have addressed the issue and are investigating the extent of exposure."

The company also confirmed the breach had not impacted the security of its United Kingdom office.

OurMine is the same group of hackers who are known for hacking high-profile figures and companies, including Facebook CEO Mark Zuckerberg, Google CEO Sundar Pichai, Twitter CEO Jack Dorsey, Game of Thrones, Sony's PlayStation Network (PSN), Netflix, the WWE, HBO, and the most recently WikiLeaks.

OurMine is a Saudi Arabian group of self-proclaimed white hat hackers which markets itself by taking over sites and social media accounts of high-profile targets and then encourages them to contact them to buy their IT security service in an effort to protect themselves from future cyber attacks.

The massive Equifax data breach that exposed highly sensitive data of as many as 143 million people was caused by exploiting a flaw in Apache Struts framework, which Apache patched over two months earlier of the security incident, Equifax has confirmed.

Credit rating agency Equifax is yet another example of the companies that became victims of massive cyber attacks due to not patching a critical vulnerability on time, for which patches were already issued by the respected companies.

Rated critical with a maximum 10.0 score, the Apache Struts2 vulnerability (CVE-2017-5638) exploited in the Equifax breach was disclosed and fixed by Apache on March 6 with the release of Apache Struts version 2.3.32 or 2.5.10.1.

This flaw is separate from CVE-2017-9805, another Apache Struts2 vulnerability that was patched earlier this month, which was a programming bug that manifests due to the way Struts REST plugin handles XML payloads while deserializing them, and was fixed in Struts version 2.5.13.

Right after the disclosure of the vulnerability, hackers started actively exploiting the flaw in the wild to install rogue applications on affected web servers after its proof-of-concept (PoC) exploit code was uploaded to a Chinese site.

Despite patches were made available and proofs that the flaw was already under mass attack by hackers, Equifax failed to patched its Web applications against the flaw, which resulted in the breach of personal data of nearly half of the US population.

"Equifax has been intensely investigating the scope of the intrusion with the assistance of a leading, independent cyber security firm to determine what information was accessed and who have been impacted," the company officials wrote in an update on the website with a new "A Progress Update for Consumers." 

"We know that criminals exploited a US website application vulnerability. The vulnerability was Apache Struts CVE-2017-5638. We continue to work with law enforcement as part of our criminal investigation, and have shared indicators of compromise with law enforcement."

CVE-2017-5638 was a then-zero-day vulnerability discovered in the popular Apache Struts web application framework by Cisco's Threat intelligence firm Talos, which observed a number of active attacks exploiting the flaw.

The issue was a remote code execution bug in the Jakarta Multipart parser of Apache Struts2 that could allow an attacker to execute malicious commands on the server when uploading files based on the parser.

At the time, Apache warned it was possible to perform a remote code execution attack with "a malicious Content-Type value," and if this value is not valid "an exception is thrown which is then used to display an error message to a user."

Also Read: Steps You Should Follow to Protect Yourself From Equifax Breach

For those unaware, Apache Struts is a free, open-source MVC framework for developing web applications in the Java programming language that run both front-end and back-end Web servers. The framework is used by 65n per cent of the Fortune 100 companies, including Lockheed Martin, Vodafone, Virgin Atlantic, and the IRS.

Since the hackers are actively exploiting the vulnerabilities in the Apache Struts web framework, Cisco has also initiated an investigation into its products against four newly discovered security vulnerabilities in Apache Struts2.

Other companies that also incorporate a version of Apache Struts 2 should also check their infrastructures against these vulnerabilities.

Equifax is currently offering free credit-monitoring and identity theft protection services for people who are affected by the massive data leak and has also enabled a security freeze for access to people's information.

While the company was initially criticised for generating a PIN that was simply a time and date stamp and easy-to-guess, the PIN generation method was later changed to randomly generate numbers.

Good news for you is that this week's THN Deals brings Ethical Hacking A to Z Bundle that let you get started regardless of your experience level.

After Equifax massive data breach that was believed to be caused due to a vulnerability in Apache Struts, Cisco has initiated an investigation into its products that incorporate a version of the popular Apache Struts2 web application framework.

Apache Struts is a free, open-source MVC framework for developing web applications in the Java programming language, and used by 65 percent of the Fortune 100 companies, including Lockheed Martin, Vodafone, Virgin Atlantic, and the IRS.

However, the popular open-source software package was recently found affected by multiple vulnerabilities, including two remote code execution vulnerabilities—one discovered earlier this month, and another in March—one of which is believed to be used to breach personal data of over 143 million Equifax users.

Some of Cisco products including its Digital Media Manager, MXE 3500 Series Media Experience Engines, Network Performance Analysis, Hosted Collaboration Solution for Contact Center, and Unified Contact Center Enterprise have been found vulnerable to multiple Apache Struts flaws.

Cisco Launches Apache Struts Vulnerability Hunting

Cisco is also testing rest of its products against four newly discovered security vulnerability in Apache Struts2, including the one (CVE-2017-9805) we reported on September 5 and the remaining three also disclosed last week.

However, the remote code execution bug (CVE-2017-5638) that was actively exploited back in March this year is not included by the company in its recent security audit.

The three vulnerabilities—CVE-2017-9793, CVE-2017-9804 and CVE-2017-9805—included in the Cisco security audit was released by the Apache Software Foundation on 5th September with the release of Apache Struts 2.5.13 which patched the issues.

The fourth vulnerability (CVE-2017-12611) that is being investigated by Cisco was released on 7th September with the release of Apache Struts 2.3.34 that fixed the flaw that resided in the Freemarker tag functionality of the Apache Struts2 package and could allow an unauthenticated, remote attacker to execute malicious code on an affected system.

Apache Struts Flaw Actively Exploited to Hack Servers & Deliver Malware

Coming on to the most severe of all, CVE-2017-9805 (assigned as critical) is a programming bug that manifests due to the way Struts REST plugin handles XML payloads while deserializing them.

This could allow a remote, unauthenticated attacker to achieve remote code execution on a host running a vulnerable version of Apache Struts2, and Cisco's Threat intelligence firm Talos has observed that this flaw is under active exploitation to find vulnerable servers.

Security researchers from data centre security vendor Imperva recently detected and blocked thousands of attacks attempting to exploit this Apache Struts2 vulnerability (CVE-2017-9805), with roughly 80 percent of them tried to deliver a malicious payload.

The majority of attacks originated from China with a single Chinese IP address registered to a Chinese e-commerce company sending out more than 40% of all the requests. Attacks also came from Australia, the U.S., Brazil, Canada, Russia and various parts of Europe.

Out of the two remaining flaws, one (CVE-2017-9793) is again a vulnerability in the REST plug-in for Apache Struts that manifests due to "insufficient validation of user-supplied input by the XStream library in the REST plug-in for the affected application."

This flaw has been given a Medium severity and could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on targeted systems.

The last flaw (CVE-2017-9804) also allows an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected system but resides in the URLValidator feature of Apache Struts.

Cisco is testing its products against these vulnerabilities including its WebEx Meetings Server, the Data Center Network Manager, Identity Services Engine (ISE), MXE 3500 Series Media Experience Engines, several Cisco Prime products, some products for voice and unified communications, as well as video and streaming services.

At the current, there are no software patches to address the vulnerabilities in Cisco products, but the company promised to release updates for affected software which will soon be accessible through the Cisco Bug Search Tool.

Since the framework is being widely used by a majority of top 100 fortune companies, they should also check their infrastructures against these vulnerabilities that incorporate a version of Apache Struts2.

Equifax has suffered one of the largest data breaches in history that has left highly sensitive data of as many as 143 million people—that's nearly half of the US population—in the hands of hackers.

Based on the company's investigation, some unknown hackers managed to exploit a security flaw on the Equifax website and gained unauthorized access to certain files between mid-May and July 2017.

The information accessed primarily include full names, birth dates, Social Security numbers, addresses and, in some cases, driver's license numbers—most of the information that's banks, insurance companies, and other businesses use to confirm a consumer identity.

The company added that 209,000 credit card numbers were also obtained by the attackers, along with "certain dispute documents with personal identifying information for approximately 182,000 U.S. consumers."

Equifax is one of the three major organizations in the United States that calculates credit scores, which means the company has access to an extraordinary amount of personal and financial information for virtually all American adults.

Here's How Roughly Equifax Handled the Massive Data Breach

For a second, keep aside the scope and severity of the data breach, and let's talk about the how Equifax handled the breach after discovering it and what all it did for its customers.

First of all, the third largest U.S. credit reporting firm took over five weeks to publically disclose the data breach, which began in mid-May that means the data of 143 million people were exposed for over 3 months.

What's more? Reportedly, three senior Equifax executives, namely John Gamble (CFO), Joseph Loughran and Rodolfo Ploder, were permitted to sell almost $2 million worth of their shares just days after the company learned of this massive hack.

However, the company officials told Bloomberg that the employees were unaware of the data breach at the time of the sale.

Wait there's even more: After revealing the data breach on Thursday, Equifax did not contact everyone who was affected, rather it asked customers to go to its special website to figure out whether they were affected by entering the last 6 digits of their SSN and last name.

But it's not that simple. The website is not giving a clear answer about whether or not your data may have been affected, but making it clear to those who were not exposed. It's confusing.

What Would Be Hackers Next Move?

With this data in hand, it's most likely that hackers are already selling your personal information on the dark web or attempting to extort the company, like cyber criminals do in most massive data breach cases.

The Game of Thrones hackers did the same by leaking upcoming episodes of the widely watched show after HBO refused to their $6 Million ransom demand for the 1.5 terabytes of data they claimed to have stolen from the company.

Same happened to Netflix in April this year when the company refused to meet 50 Bitcoins ransom demand of a hacking group calling itself The Dark Overlord, which then leaked 10 back-to-back episodes of the Season 5 premiere of Netflix's "Orange Is the New Black."

Although Equifax has not yet confirmed whether the hackers have contacted the company for any demand or not, the breach is major, and all 143 Million Americans quickly need to take action to protect themselves and their loved ones.

Here's what all you can do to Protect Yourself:

1. Enroll in TrustedID Premier

Equifax is offering a year of free credit monitoring and identity theft protection program for free for one year through TrustedID Premier that you should sign up if you are a US resident—the service is free whether or not you have been affected by the breach.

The program offers services such as Equifax credit report, 3 bureau credit file monitoring, Equifax credit report lock, Social Security number monitoring and up to $1M identity theft insurance.

However, Equifax's own identity protection service is not enough, you must follow below steps to help ensure you're doing everything to protect your identity.

2. Monitor your accounts

In upcoming days, the personal and payment cards details are likely to be sold in underground black markets, resulting in financial loss and identity theft to millions of customers.

So, users are advised to be vigilant in reviewing their bank account statements, checking for any changes in their personal information and reporting any unauthorized transactions to the respective bank.

3. Freeze Your Credit Report

Since your stolen Social Security number can be misused by hackers to open new accounts in your name or ruin your credit score, you should consider placing a credit freeze request.

Freezing your credit will make it difficult for anyone to open a new account in your name, as you (or anyone masquerading as you) will need the PIN that you got when you froze your credit to unfreeze your account.

To freeze your credit, contact these credit bureaus: Equifax: 1-800-349-9960, Experian: 1‑888‑397‑3742, and TransUnion: 1-888-909-8872.

4. Change your Passwords and Logins

Meanwhile, all customers are advised to reset their account passwords and login information on the website.

5. Watch out for tax season

It's important for you to know that identity thieves can use your stolen social security number to file fraudulent tax returns and get refunds.

So, you should consider filing your taxes early.

6. Watch Out for Scams

Users are strongly advised to be cautious if they receive any suspicious or unrecognised phone call, text message, or email from anyone saying you must pay taxes or a debt immediately—even if they provide your personal information.

7. Already Experienced Identity Theft? Here's what to do now:

If you have already a victim to the identity theft, visit the FTC Identity Theft Recovery website and fill in the form. The Federal Trade Commission will provide you with a specific identity theft report and "to-do" recovery plans.

It's ironic—the company that offers credit monitoring and ID theft protection solutions has itself been compromised, exposing personal information of as many as 143 million Americans—that's almost half the country.

Equifax, one of the three largest credit reporting firm in the United States, admitted today that it had suffered a massive data breach somewhere between mid-May and July this year, which it actually discovered on July 29—that means the data of 143 million people were exposed for over 3 months.

Exclusive — If you have an account on Taringa, also known as "The Latin American Reddit," your account details may have compromised in a massive data breach that leaked login details of almost all of its over 28 million users.

Taringa is a popluar social network geared toward Latin American users, who create and share thousands of posts every day on general interest topics like life hacks, tutorials, recipes, reviews, and art.

The Hacker News has been informed by LeakBase, a breach notification service, who has obtained a copy of the hacked database containing details on 28,722,877 accounts, which includes usernames, email addresses and hashed passwords for Taringa users.

The hashed passwords use an ageing algorithm called MD5 – which has been considered outdated even before 2012 – that can easily be cracked, making Taringa users open to hackers.

Wanna know how weak is MD5?, LeakBase team has already cracked 93.79 percent (nearly 27 Million) of hashed passwords successfully within just a few days.

LeakBase has shared a dump of 4.5 million Taringa users with The Hacker News to help us verify the authenticity of the leaked database.

Using email addresses in the dump, we contacted a few random Taringa users with their plain text passwords, who acknowledged the authenticity of their credentials.

The data breach reportedly occurred last month, and the company then alerted its users via a blog post, sharing more information about the incident.

"It is likely that the attackers have made the database containing nicks, email addresses and encrypted passwords. No phone numbers and access credentials from other social networks have been compromised as well as addresses of bitcoin wallets from the Taringa program! Creators." the post (translated) says.

"At the moment there is no concrete evidence that the attackers continue to have access to the Taringa code! and our team continues to monitor unusual movements in our infrastructure."

To protect its users, Taringa is currently sending a password reset link via an email to its users as soon as they access their account with an old password.
One of the contacted users has also shared a screenshot of the notice with The Hacker News, as shown above.

"We've made a massive password reset strategy and also increased the encryption of the passwords from MD5 to SHA256. We've also been in contact with our community via our customer support team," a Taringa spokesperson told The Hacker News.

Leaked Database Analysis

Here below we have a brief analysis of the leaked database, which suggests that even after countless warnings, most people are continuously using deadly-simple passwords to safeguard their most sensitive data.

As you can see in the image given below, LeakBase team managed to crack 26,939,351 out of 28,722,877 passwords hashed using the MD5 algorithm, out of which over 15 Million were unique passwords.

The vast majority of the cracked passwords were alpha and lower case alpha and did not contain any special characters or symbols.


Here below we have the list of most popular/common passwords chosen by Taringa users that also includes top worst passwords such as 123456789, 123456, 1234567890, 000000, 12345, and 12345678.

The most popular length of the password was six characters long, followed closely by eight characters, nine and ten characters. Expectedly, the percentages drop drastically as you go higher in length.


Besides the cracked passwords, LeakBase also take a look at the email addresses contained in the leaked data dump, and the most common email domains are as follows:

But, are Taringa users entirely responsible for choosing weak passwords?

Not completely. It's also the fault of the company, who failed to enforce a strong password policy on their users, eventually allowing them to sign up with weak passwords.

After data breaches, the organisations tend to blame the end users for poor password security, but they forget to provide them one.

So far, it has not been clear who is behind the attack on Taringa, neither how the attackers managed to breach into its servers.

Meanwhile, in a separate news,we reported about an unknown hacker selling personal details on more than 6 million high-profile Instagram accounts on an online website, Doxagram, after the hacker breached the Facebook-owned photo sharing service using a flaw in its API.

How to Help Protect Yourself from Data Breaches

Of course, if you are one of those potentially affected users, you are strongly recommended to change your passwords immediately.

Also, change passwords for other online accounts for which you are using the same password as for Taringa account.

Even if any website allows you to create an account with a weak password, you should always choose a complex password. Use a good password manager, if you find following best practices difficult.

Moreover, avoid clicking on any suspicious link or attachment you received via an email and providing your personal or financial information without verifying the source correctly.

It's now official, Instagram has suffered a massive data breach, and reportedly an unknown hacker has stolen personal details of more than 6 million Instagram accounts.

Just yesterday, we reported that Instagram had patched a critical API vulnerability that allowed the attacker to access phone numbers and email addresses for high-profile verified accounts.

However, Instagram hack now appears to be more serious than initially reported.

Not just a few thousands of high-profile users—it's more than 6 million Instagram users, including politicians, sports stars, and media companies, who have had their Instagram profile information, including email addresses and phone numbers, available for sale on a website, called Doxagram.

The suspected Instagram hacker has launched Doxagram, an Instagram lookup service, where anyone can search for stolen information only for $10 per account.

A security researcher from Kaspersky Labs, who also found the same vulnerability and reported it to Instagram, told The Hacker News that the issue actually resided in the Instagram's mobile API, specifically in the password reset option, which apparently exposed mobile numbers and email addresses of the users in the JSON response—but not passwords.
Instagram has not confirmed the hacker's claims yet, but the company said Friday it is investigating the data breach.

The news comes three days after an unknown hacker hijacked most-followed-account on Instagram belonged to Selena Gomez—with over 125 Million followers—and posted her ex-boyfriend Justin Bieber's full-frontal nude photographs.

However, Instagram did not confirm if the recent data breach was related to Selena's hacked account.

The company had already notified all of its verified users of the issue via emails and also encouraged them to be cautious if they receive any suspicious or unrecognised phone call, text message, or email.

With email addresses and phone numbers in hand, the hacker's next step could be used the stolen info in tandem with social engineering techniques to gain access to verified Instagram accounts and post on their behalves in order to embarrass them.

Instagram users are also highly recommended to enable two-factor authentication on their accounts and always secure them with a robust and different password.

Additionally, avoid clicking on suspicious links and attachments you receive in an email and providing your personal or financial details without verifying the source properly.

Instagram has recently suffered a possibly serious data breach with hackers gaining access to the phone numbers and email addresses for many "high-profile" users.

The 700 million-user-strong, Facebook-owned photo sharing service has currently notified all of its verified users that an unknown hacker has accessed some of their profile data, including email addresses and phone numbers, using a bug in Instagram.

The flaw actually resides in Instagram's application programming interface (API), which the service uses to communicate with other apps.

Although the company did not reveal any details about the Instagram's API flaw, it assured its users that the bug has now been patched and its security team is further investigating the incident.

"We recently discovered that one or more individuals obtained unlawful access to a number of high-profile Instagram users' contact information—specifically email address and phone number—by exploiting a bug in an Instagram API," Instagram said in a statement. 

"No account passwords were exposed. We fixed the bug swiftly and are running a thorough investigation."

Instagram declined to name the high-profile users targeted in the breach, but the news comes two days after some unknown hacker hijacked most followed Instagram account belonged to Selena Gomez and posted her ex-boyfriend Justin Bieber's nude photographs.

Selena's Instagram account with over 125 Million followers was restored later in the day and the photos were removed.

However, Instagram did not mention if the recent data breach was related to Selena's hacked account.

With email addresses and phone numbers in their hands, the hackers next step could be used the information in tandem with social engineering techniques in an effort to gain access to verified users' Instagram accounts to embarrass them.

The company notified all verified users of the issue via an email and also encouraged them to be cautious if they receive suspicious or unrecognised phone calls, text messages, or emails.

Instagram users are also highly recommended to enable two-factor authentication on your accounts and always secure your accounts with a strong and different password.

Also, avoid clicking on any suspicious link or attachment you received via an email and providing your personal or financial information without verifying the source properly.

The FBI has arrested a Chinese citizen for allegedly distributing malware used in the 2015 massive OPM breach that resulted in the theft of personal details of more than 25 Million U.S. federal employees, including 5.6 Million federal officials' fingerprints.

Yu Pingan, identified by the agency as the pseudonym "GoldSun," was arrested at Los Angeles international airport on Wednesday when he was arrived in the United States to attend a conference, CNN reported.

The 36-year-old Chinese national is said to face charges in connection with the Sakula malware, which was not only used to breach the US Office of Personnel Management (OPM) but also breached Anthem health insurance firm in 2015.

The Anthem breach resulted in the theft of personal medical records of around 80 million current and former customers of the company.

Sakula is a sophisticated remote access Trojan (RAT) that was known to be developed by Deep Panda, a China-based advanced persistent threat group (known as APT19) and could allow an attacker to remotely gain control over a targeted system.
However, after a few months of the discovery of the OPM breach, Chinese government arrested a handful of hackers within its borders in connection with the OPM hack, dismissing its own involvement.

Pingan's arrest was similar to that of Marcus Hutchins, a 22-year-old British security researcher who has been accused of creating and distributing the infamous Kronos banking Trojan between 2014 and 2015.

According to an indictment filed in the US District Court for the Southern District of California on 21 August, Pingan has been charged with one count of the Computer Fraud and Abuse Act and is also accused of conspiracy to commit offence or defraud the United States.

The indictment suggests Pingan collaborated with two unnamed hackers to acquire and use malware to conduct cyber attacks against at least 4 unnamed US companies from April 2011 through January 2014.

"Defendant YU and co-conspirators in the PRC [People's Republic of China] would establish an infrastructure of domain names, IP addresses, accounts with internet service providers, and websites to facilitate hacks of computer networks operated by companies in the United States and elsewhere," the indictment reads.

Although the indictment filed doesn't name the companies that were targeted, it does note that the affected companies were headquartered in San Diego, California; Massachusetts; Arizona; and Los Angeles, California.

Pingan's role in those cyber attacks was to supply advanced malware to other unnamed Chinese crooks for hacks against United States organisations.

Pingan remains behind bars pending a court hearing on his detention next week.

Over the past few years, massive data breaches have become more frequent and so common that pretty much every week we heard about some organisation being hacked or hacker dumping tens of millions of users records.

But even after this wide range of data breach incidents, many organisations fail to grasp the importance of data protection, leaving its users' sensitive data vulnerable to hackers and cyber criminals.

Not now! At least for organisations in Britain, as the UK government has committed to updating and strengthening its data protection laws through a new Data Protection Bill.

The British government has warned businesses that if they fail to take measures to protect themselves adequately from cyber attacks, they could face fines of up to £17 Million (more than $22 Million), or 4% of their global turnover—whichever amount is higher.

However, the financial penalties would be a last resort, and will not be applied to those organisations taking proper security measures and assessing the risks adequately, but unfortunately become a victim of cyber attack.

The penalties would be issued by the data protection regulator, the Information Commissioner's Office (ICO).

"Our measures are designed to support businesses in their use of data and give consumers the confidence that their data is protected and those who misuse it will be held to account," Digital Minister Matt Hancock said in a government press release.

Hancock said this newly-proposed Data Protection Bill would:

• Make it easier and simpler to withdraw consent for the use of personal data
• Allow people to ask for their personal information held by organisations to be erased
• Enable parents to give consent for their child's data to be used
• Require "explicit" consent to be necessary for processing user's sensitive data
• Expand the definition of "personal data" to include IP addresses, DNA and internet cookies
• Strengthen and update Data Protection Law to reflect the changing nature and scope of the country's digital economy
• Make it easier and free for users to require companies to disclose the personal data they hold on them
• Make it easier for users to move data between service providers

The proposal is being considered as part of a government consultation launched on Tuesday by the Department for Digital, Culture, Media and Sport for deciding how to implement the Network and Information Systems (NIS) Directive from next May.

This is separate from the General Data Protection Regulations (GDPR) that are aimed at protecting data rather than services.

The GDPR will replace the British Data Protection Act 1998 from 25 May 2018 and the government have confirmed that Brexit will not change this.

This new proposal is mainly focused on ensuring critical infrastructures, like transport, health, energy, and water are protected from cyber attacks that could result in major disruption to services, as was seen in Ukraine last year.

The proposal will also cover other cyber threats affecting IT infrastructures such as power failures, hardware failures and environmental hazards.

The move comes after the British NHS ( National Health Service) became the highest-profile victim of the recent WannaCry ransomware attack, which resulted in the shutdown of hospitals and operations, patient records being made unavailable and ambulances being diverted.

The hacking group that recently hacked HBO has just dropped its second trove of documents, including a month emails of one of the company's executives, and a detailed script of the upcoming fifth episode of "Game of Thrones" Season 7, set to be aired on August 13.

The latest release is the second leak from the hackers who claimed to have obtained around 1.5 terabytes of information from HBO, following the release of upcoming episodes of "Ballers" and "Room 104," and a script of the fourth episode of "Game of Thrones."

With the release of another half-gigabyte sample of its stolen HBO data, the hacking group has finally demanded a ransom worth millions of dollars from the entertainment giant in order to prevent further leaks.

The latest HBO data dump includes company's several internal documents, including emails, employment agreements, financial balance sheets, and marketing-strategy PDFs, along with the script of the yet-to-air 5th episode of Game of Thrones, all watermarked with "HBO is Falling."

The hackers reportedly sent a video message to HBO President and CEO Richard Plepler and demanded his "six-month salary in Bitcoin" — which is almost $6 Million — as a ransom for the stolen data otherwise they'll continue to leak.
In the video letter, written by "Mr. Smith" posing as the group of hackers behind the leak, the hackers demanded an unspecified amount of money from Plepler.

"We successfully breached into your huge network. HBO was one of our difficult targets to deal with, but we succeeded (it took about 6 months)," the letter reads as quoted by Wired. 

"Our demand is clear and Non-Negotiable: We want XXXX dollars to stop leaking your Data. HBO spends 12 million for Market Research and 5 million for GOT7 advertisements. So consider us another budget for your advertisements!"

Last week when the hackers released the first batch of stolen data, HBO confirmed the cyber attack on its network but did not confirm how much data the hackers have stolen and whether it included upcoming episodes of the widely watched Game Of Thrones.

The ransom note adds that the deadline for that payment is only 3 days, but does not include a date. The video letter ends with an image of the "Night King" villain from Game of Thrones with his arms raised—the word "standing" in one hand and "falling" in the other.

Data Breaches also published some parts of the ransom demand the hackers, which call themselves white hats, sent to HBO.

In an internal email sent to to the HBO staff last week, Plepler said: "Many people have expressed particular concern about our e-mail system. At this time, we do not believe that our email system as a whole has been compromised, but the forensic review is ongoing."

HBO spokesperson Jeff Cusson told the publication that the company had been expecting more data to emerge from its data breach, but that the company's "forensic review is ongoing."

"The review to date has not given us a reason to believe that our email system as a whole has been compromised," Cusson says. "We continue to work around the clock with outside cyber security firms and law enforcement to resolve the incident."

If hackers have indeed stolen 1.5 terabytes of data from HBO and the company refuse to pay the ransom, users should expect more leaks of upcoming episodes from their favourite shows.

At this moment, it is still unclear who is behind the hack. We will update the story with the latest information.

Reportedly, at least one senior cyber security analyst working with Mandiant, a Virginia-based cybersecurity firm owned by the FireEye, appears to have had its system compromised by hackers, exposing his sensitive information on the Internet.

On Sunday, an anonymous group of hackers posted some sensitive details allegedly belonged to Adi Peretz, a ‎Senior Threat Intelligence Analyst at Mandiant, claiming they have had complete access to the company's internal networks since 2016.

The recent hack into Mandiant has been dubbed Operation #LeakTheAnalyst.

Further Leaks from Mandiant Might Appear

The hackers have leaked nearly 32 megabytes of data—both personal and professional—belonging to Peretz on Pastebin as proof, which suggests they have more Mandiant data that could be leaked in upcoming days.

"It was fun to be inside a giant company named “Mandiant” we enjoyed watching how they try to protect their clients and how their dumb analysts are trying to reverse engineer malware and stuff," the Pastebin post reads. 

"This leak was just a glimpse of how deep we breached into Mandiant, we might publish more critical data in the future."

Hackers dumped a treasure trove of sensitive information, which includes:

• Peretz's Microsoft account login details
• Peretz's Contacts
• Screenshots of the Windows Find My Device Geolocator, linked to Peretz's Surface Pro laptop.
• Client correspondence
• Presentations
• Contents of his email inbox
• Several internal Mandiant and FireEye documents
• Threat intelligence profiles for the Israeli Defence Force (IDF)

Besides leaks, the anonymous hackers also reportedly broke into Peretz's LinkedIn page and defaced it. His profile has since been deleted from the professional media network.

Although the motives behind the hack are not known at this moment, Mandiant has yet to comment on the incident.

In response to the leak, Mandiant's parent company, FireEye issued a statement, blaming the employee's social media accounts for the leak. The statement reads:

We are aware of reports that a Mandiant employee's social media accounts were compromised. We immediately began investigating this situation, and took steps to limit further exposure. Our investigation continues, but thus far, we have found no evidence FireEye or Mandiant systems were compromised.

More Ethereum Stolen!

An unknown hacker has just stolen nearly $8.4 Million worth of Ethereum – one of the most popular and increasingly valuable cryptocurrencies – in yet another Ethereum hack that hit Veritaseum's Initial Coin Offering (ICO).

This incident marks as the fourth Ethereum hack this month and second cyber attack on an ICO, following a theft of $7 Million worth of Ether tokens during the hack of Israeli startup CoinDash's initial coin offering last week.

A few days ago, a hacker also stole nearly $32 Million worth of Ethereum from wallet accounts by exploiting a critical vulnerability in Parity's Ethereum Wallet software, which followed a $1 Million worth of Ether and Bitcoins heist in crypto currency exchange Bithumb earlier this month.

Now, Veritaseum has confirmed that a hacker stole $8.4 Million in Ether (ETH) from its ICO this Sunday, July 23.

"We were hacked, possibly by a group. The hack seemed to be very sophisticated, but there's at least one corporate partner that may have dropped the ball and be liable. We will let the lawyers sort that out if it goes that far," Veritaseum founder Reggie Middleton confirmed the theft on the BitcoinTalk forum.

Middleton has called the recent Ethereum hack "inconsequential," saying some of his partners (unnamed corporate third party services) may be responsible for the attack.

Middleton said that due to the high demand of the VERI tokens during the ICO held over the weekend, the hacker first managed to steal those tokens and then immediately sold them to other buyers "within a few hours" for the cryptocurrency.

The hacker made off an estimated $8.4 million in ETH during that a relatively short period of time. The stolen funds were first dumped into two separate Ethereum wallets and then were moved to other accounts.

It looks like around 37,000 VERI tokens were stolen out of 100 Million in the recent theft, though the good news is that the Ethereum theft does not affect actual ICO investors, as Middleton says the stolen tokens belonged to him and his team members.

"There are 100M tokens issued; the hackers stole about 37k. As I said, it is quite disconcerting, but it is not the end [of] the world. In the scheme of things, this is small," Middleton says. 

"The tokens were stolen from me, not the token buyers. I am not downplaying the seriousness of the heist either, but I am looking at the heist for what it is. A company that we use was compromised, the vulnerability was closed, and we are investigating whether we should move against that company or not."

At the moment, Middleton did not disclose the attack vector that was exploited to sweep out $8.4 Million in ETH, though he assured users that his team had taken necessary measures to prevent the attack from happening in the future.