The Hacker News Logo
Subscribe to Newsletter

The Hacker News — Cyber Security and Hacking News Website: hacking passwords

Hacker Breaches Dozens of Sites, Puts 127 Million New Records Up for Sale

Hacker Breaches Dozens of Sites, Puts 127 Million New Records Up for Sale

February 15, 2019Swati Khandelwal
A hacker who was selling details of nearly 620 million online accounts stolen from 16 popular websites has now put up a second batch of 127 million records originating from 8 other sites for sale on the dark web. Last week, The Hacker News received an email from a Pakistani hacker who claims to have hacked dozens of popular websites (listed below) and selling their stolen databases online. During an interview with The Hacker News, the hacker also claimed that many targeted companies have probably no idea that they have been compromised and that their customers' data have already been sold to multiple cyber criminal groups and individuals. Package 1: Databases From 16 Compromised Websites On Sale In the first round, the hacker who goes by online alias "gnosticplayers" was selling details of 617 million accounts belonging to the following 16 compromised websites for less than $20,000 in Bitcoin on dark web marketplace Dream Market : Dubsmash — 162 million acco
Update Samba Servers Immediately to Patch Password Reset and DoS Vulnerabilities

Update Samba Servers Immediately to Patch Password Reset and DoS Vulnerabilities

March 13, 2018Mohit Kumar
Samba maintainers have just released new versions of their networking software to patch two critical vulnerabilities that could allow unprivileged remote attackers to launch DoS attacks against servers and change any other users' passwords, including admin's. Samba is open-source software (re-implementation of SMB networking protocol) that runs on the majority of operating systems available today, including Windows, Linux, UNIX, IBM System 390, and OpenVMS. Samba allows non-Windows operating systems, like GNU/Linux or Mac OS X, to share network shared folders, files, and printers with Windows operating system. The denial of service vulnerability, assigned CVE-2018-1050 , affects all versions of Samba from 4.0.0 onwards and could be exploited "when the RPC spoolss service is configured to be run as an external daemon." "Missing input sanitization checks on some of the input parameters to spoolss RPC calls could cause the print spooler service to crash.
Pre-Installed Password Manager On Windows 10 Lets Hackers Steal All Your Passwords

Pre-Installed Password Manager On Windows 10 Lets Hackers Steal All Your Passwords

December 16, 2017Swati Khandelwal
If you are running Windows 10 on your PC, then there are chances that your computer contains a pre-installed 3rd-party password manager app that lets attackers steal all your credentials remotely. Starting from Windows 10 Anniversary Update (Version 1607), Microsoft added a new feature called Content Delivery Manager that silently installs new "suggested apps" without asking for users’ permission. According to a blog post published Friday on Chromium Blog, Google Project Zero researcher Tavis Ormandy said he found a pre-installed famous password manager, called "Keeper," on his freshly installed Windows 10 system which he downloaded directly from the Microsoft Developer Network. Ormandy was not the only one who noticed the Keeper Password Manager. Some Reddit users complained about the hidden password manager about six months ago, one of which reported Keeper being installed on a virtual machine created with Windows 10 Pro. Critical Flaw In Keeper Pas
Unpatched Wordpress Flaw Could Allow Hackers To Reset Admin Password

Unpatched Wordpress Flaw Could Allow Hackers To Reset Admin Password

May 04, 2017Mohit Kumar
WordPress, the most popular CMS in the world, is vulnerable to a logical vulnerability that could allow a remote attacker to reset targeted users’ password under certain circumstances. The vulnerability (CVE-2017-8295) becomes even more dangerous after knowing that it affects all versions of WordPress — including the latest 4.7.4 version. The WordPress flaw was discovered by Polish security researcher Dawid Golunski of Legal Hackers last year in July and reported it to the WordPress security team, who decided to ignore this issue, leaving millions of websites vulnerable. "This issue has been reported to WordPress security team multiple times with the first report sent back in July 2016. It was reported both directly via security contact email, as well as via HackerOne website," Golunski wrote in an advisory published today. "As there has been no progress, in this case, this advisory is finally released to the public without an official patch." Golunski
Facebook Buys Leaked Passwords From Black Market, But Do You Know Why?

Facebook Buys Leaked Passwords From Black Market, But Do You Know Why?

November 10, 2016Mohit Kumar
Facebook is reportedly buying stolen passwords that hackers are selling on the underground black market in an effort to keep its users' accounts safe. On the one hand, we just came to know that Yahoo did not inform its users of the recently disclosed major 2014 hacking incident that exposed half a billion user accounts even after being aware of the hack in 2014. On the other hand, Facebook takes every single measure to protect its users' security even after the company managed to avoid any kind of security scandal, data breach or hacks that have recently affected top notch companies. Speaking at the Web Summit 2016 technology conference in Portugal, Facebook CSO Alex Stamos said that over 1.3 Billion people use Facebook every day, and keeping them secure is building attack-proof software to keep out hackers, but keeping them safe is actually a huge task. Stamos said there is a difference between 'security' and 'safety,' as he believes that his team
Github accounts Hacked in 'Password reuse attack'

Github accounts Hacked in 'Password reuse attack'

June 17, 2016Swati Khandelwal
Popular code repository site GitHub is warning that a number of users' accounts have been compromised by unknown hackers reusing email addresses and passwords obtained from other recent data breaches . Yes, GitHub has become the latest target of a password reuse attack after Facebook CEO Mark Zuckerberg and Twitter . According to a blog post published by Shawn Davenport, VP of Security at GitHub, an unknown attacker using a list of email addresses and passwords obtained from the data breach of " other online services " made a significant number of login attempts to GitHub's repository on June 14. After reviewing the logins, administrators at GitHub found that the attacker had gained access to a number of its users’ accounts in order to gain illicit access to their accounts’ data. Although the initial source of the leaked credentials isn't clear, the recent widespread "megabreaches" of LinkedIn , MySpace , Tumblr , and the dating site Fling,
You Wouldn't Believe that Too Many People Still Use Terrible Passwords

You Wouldn't Believe that Too Many People Still Use Terrible Passwords

January 21, 2016Wang Wei
Some things online can never change like -- Terrible Passwords by Humans . When it's about various security measures to be taken in order to protect your Internet security, like installing a good anti-virus or running Linux on your system doesn’t mean that your work gets over here, and you are safe enough from online threats. However, even after countless warnings, most people are continuously using deadly-simple passwords, like '123456' or 'password,' to safeguard their most sensitive data. Evidence suggests that weak passwords are as popular now as they ever were, and the top 25 passwords of 2015 are very easy to guess. Password management firm SplashData on Tuesday released its annual " Worst Passwords List ". The 2015 list almost resembled the 2014 list of the worst password, but there are some interesting new entries, including the Star Wars-inspired ' solo ,' and ' starwars .' Also Read:  Best Password Manager —
How to Hack WiFi Password from Smart Doorbells

How to Hack WiFi Password from Smart Doorbells

January 13, 2016Mohit Kumar
The buzz around The Internet of Things (IoT) is growing, and it is growing at a great pace. Every day the technology industry tries to connect another household object to the Internet. One such internet-connected household device is a Smart Doorbell. Gone are the days when we have regular doorbells and need to open the door every time the doorbell rings to see who is around. However, with these Internet-connected Smart Doorbells, you get an alert on your smartphone app every time a visitor presses your doorbell and, in fact, you can also view who's in front of your door. Moreover, you can even communicate with them without ever opening the door. Isn’t this amazing? Pretty much. But what if your doorbell Reveals your home's WiFi password ? Use Smart Doorbell to Hack WiFi Password Until now, we have seen how hackers and researchers discovered security holes in Smart Cars , Smart refrigerators , Smart kettles and Internet-connected Toys , raising
ALERT: This New Ransomware Steals Passwords Before Encrypting Files

ALERT: This New Ransomware Steals Passwords Before Encrypting Files

December 04, 2015Swati Khandelwal
You should be very careful while visiting websites on the Internet because you could be hit by a new upgrade to the World's worst Exploit Kit – Angler , which lets hackers develop and conduct their own drive-by attacks on visitors' computers with relative ease. Many poorly-secured websites are targeting Windows users with a new "Cocktail" of malware that steals users' passwords before locking them out from their machines for ransom. Yes, stealing Windows users' passwords before encrypting their data and locking their PCs for ransom makes this upgrade to the Angler Exploit Kit nastier. Here's How the New Threat Works: Once the Angler exploit kit finds a vulnerable application, such as Adobe Flash, in visitor's computer, the kit delivers its malicious payloads, according to a blog post published by Heimdal Security. The First Payload infects the victim's PC with a widely used data thief exploit known as Pony that systematic
11 Million Ashley Madison Passwords Cracked In Just 10 Days

11 Million Ashley Madison Passwords Cracked In Just 10 Days

September 10, 2015Mohit Kumar
Last month, when hackers leaked nearly 100 gigabytes of sensitive data belonging to the popular online casual sex and marriage affair website ' Ashley Madison ', there was at least one thing in favor of 37 Million cheaters that their Passwords were encrypted . But, the never ending saga of Ashley Madison hack could now definitely hit the cheaters hard, because a group of crazy Password Cracking Group, which calls itself CynoSure Prime , has cracked more than 11 Million user passwords just in the past 10 days, not years. Yes, the hashed passwords that were previously thought to be cryptographically protected using Bcrypt, have now been cracked successfully. Bcrypt is a cryptographic algorithm that makes the hashing process so slow that it would literally take centuries to brute-force all of the Ashley Madison account passwords. How do they Crack Passwords? The Password cracking team identified a weakness after reviewing the leaked data, which included u
Unpatched Mac OS X Zero-day Bug Allows Root Access Without Password

Unpatched Mac OS X Zero-day Bug Allows Root Access Without Password

August 04, 2015Swati Khandelwal
Hackers have their hands on something of your concern. A severe zero-day vulnerability in the latest, fully patched version of Apple's Mac OS X is reportedly being exploited in the wild by the hackers. The vulnerability could allow attackers to install malware and adware onto a target Mac, running OS X 10.10 (Yosemite) operating system, without requiring victims to enter system passwords , a new report says. The zero-day bug came over a week after security researcher Stefan Esser discovered a privilege escalation zero-day vulnerability in the latest version of Apple's OS X Yosemite that caused due to environment variable DYLD_PRINT_TO_FILE and dynamic linker dyld , new error-logging features added to the operating system. The developers failed to implement standard safeguards that are needed while adding support for new environment variables to the OS X dynamic linker dyld, allowing hackers to create or modify files with root privileges that can fit anywhere i
This 3D Printed Robot Cracks Combination Locks in Less than 30 Seconds

This 3D Printed Robot Cracks Combination Locks in Less than 30 Seconds

May 16, 2015Mohit Kumar
Be careful while leaving your important and valuable stuff in your lockers. A 3D printed robot has arrived that can crack a combination lock in as little as 30 seconds. So, it’s time to ditch your modern combination locks and started keeping your valuable things in a good old-fashioned locker with keys. A well-known California hacker Samy Kamkar who is expert in cracking locks has built a 3D-printed machine, calling his gadget the " Combo Breaker ," that can crack Master Lock combination padlocks – used on hundreds of thousands of school lockers – in less than 30 seconds. A couple of weeks ago, Kamkar introduced the world how a manufacturing flaw in Master Lock combination locks can easily reveal the full combination by carefully measuring the dial interaction with the shackle in eight or fewer attempts. However, it requires some software and things to do, and who has that much of time? So to make it simple for everyone – On Thursday, the hacker showe
London Railway System Passwords Exposed During TV Documentary

London Railway System Passwords Exposed During TV Documentary

May 02, 2015Mohit Kumar
The Weakest Link In the Information Security Chain is still – Humans. And this news has ability to prove this fact Right. One of London's busiest railway stations has unwittingly exposed their system credentials during a BBC documentary. The sensitive credentials printed and attached to the top of a station controller's monitor were aired on Wednesday night on BBC. What could be even worse? If you think that the credentials might have been shown off in the documentary for a while or some seconds, then you are still unaware of the limit of their stupidity. The login credentials were visible for about 44 minute in the BBC documentary " Nick and Margaret: The Trouble with Our Trains " on Wednesday night, which featured Nick Hewer and Margaret Mountford – the two business experts, both famous for their supporting role on The Apprentice. The documentary was available on the YouTube , but have now been removed due to security concerns. While
PayPal Wants To Integrate Password with Human Body

PayPal Wants To Integrate Password with Human Body

April 18, 2015Swati Khandelwal
You would have been holding a number of online accounts for different services, but how many of you hold a different and unique password for every single account? Probably a very few of you. The majority of people have one or two passwords that are quite simple and easy to remember and comfortably manage on their own. However, you need not worry as the Future of identification would not rely on Passwords , according to PayPal’s global head of developer evangelism Jonathan Leblanc . Neither it will depend on the old Biometric identification technologies, such as Fingerprint scanners and IRIS scanners , Rather depends on something More Secure and Easier to Use … ...Embeddable, Injectable and Ingestible Devices Yes, the next generation of identification for mobile payments and other sensitive online interactions will depend on embeddable, injectable, and ingestible devices, completely replacing passwords with the identification of your body. KILL ALL PASSWORDS
Dangerous 'Vawtrak Banking Trojan' Harvesting Passwords Worldwide

Dangerous 'Vawtrak Banking Trojan' Harvesting Passwords Worldwide

March 25, 2015Mohit Kumar
Security researcher has discovered some new features in the most dangerous Vawtrak , aka Neverquest , malware that allow it to send and receive data through encrypted favicons distributed over the secured Tor network . The researcher, Jakub Kroustek from AVG anti-virus firm, has provided an in-depth analysis ( PDF ) on the new and complex set of features of the malware which is considered to be one of the most dangerous threats in existence. Vawtrak is a sophisticated piece of malware in terms of supported features. It is capable of stealing financial information and executing transactions from the compromised computer remotely without leaving traces. The features include videos and screenshots capturing and launching man-in-the-middle attacks. HOW VAWTRAK SPREADS ? AVG anti-virus firm is warning users that it has discovered an ongoing campaign delivering Vawtrak to gain access to bank accounts visited by the victim and using the infamous Pony module in order to ste
'TweetDeck Teams' Allows Managing Multiple Twitter Accounts Without Sharing Passwords

'TweetDeck Teams' Allows Managing Multiple Twitter Accounts Without Sharing Passwords

February 18, 2015Swati Khandelwal
Many times organizations, companies and groups of people come across the problem when their social media teams have to work within a single Twitter account or maintain multiple twitter accounts. In this case, either they need to use some third party API-based services or they use TweetDeck software, the official free alternative tool to manage multiple twitter accounts. But the major problem with TweetDeck service is that everyone in the team need to have access to the same TweetDeck account password or multiple Twitter account passwords in order to use multiple accounts at one interface, and this is a known password sharing security issue from past few years. To cope up with these issues, Twitter has started rolling out a new feature called TweetDeck Teams , a new way to let you share your Twitter accounts on TweetDeck to multiple users without sharing passwords. ROLE OF ADMINISTRATORS TweetDeck Teams, which is rolling out to TweetDeck for the web, TweetDeck for Chro
Researcher Publishes 10 Million Usernames and Passwords from Data Breaches

Researcher Publishes 10 Million Usernames and Passwords from Data Breaches

February 10, 2015Swati Khandelwal
A security researcher has publicly released a set of 10 Million usernames and passwords, which he collected from multiple data breaches over the last decade for the purpose of his research. These 10 million usernames and passwords are collective of leaked database dumps those were already available publicly on the Internet. However, Mark Burnett, a well-known security consultant who has developed a specialty collecting and researching passwords leaked online, marked his decision to publish the password dump as legally risky, but necessary to help security researchers. WHY IS THE RESEARCHER WILLING TO SHARE PASSWORDS ? The researcher says the released set of passwords and usernames is like a sample data, which is important for other researchers to analyze and provide great insight into user behavior and is valuable for encouraging password security . Also, the researcher was frequently receiving lots of requests from students and other security researchers to submit a copy
New Citadel Trojan Targets Your Password Managers

New Citadel Trojan Targets Your Password Managers

November 21, 2014Mohit Kumar
Unless we are a human supercomputer, remembering password is not an easy task and that too, if you have a different password for every different site. But luckily to make the whole process easy, there is a growing market for password managers which provides an extra layer of protection. Wait! Wait! Seriously?? Security researchers have discovered a new variant of data-stealing Citadel Trojan program used by cybercriminals to slurp up users' master passwords for a number of password management applications and other authentication programs, which will let you think twice before using one. Citadel Trojan malware program has typically been used to steal online banking credentials and other financial information by masquerading itself as legitimate banking sites when victims open it in their local browser, which is also known as a man-in-the-browser attack . The malware has previously targeted users’ credentials stored in the password management applications included
5 Million Gmail Usernames and Passwords Leaked online, Check Yours Now

5 Million Gmail Usernames and Passwords Leaked online, Check Yours Now

September 11, 2014Swati Khandelwal
Gmail credentials leaked online? Oh my God! Again I have to change my password…!! Yes, you heard right. Millions of Gmail account credentials (email address and password) have been stolen and made publicly available through an online forum, causing a large number of users worldwide to change their Gmail password again. The website that published the email addresses with matching passwords is Russian. The credentials seem to be old and likely sourced from multiple data breaches. It is believed that the leaked passwords are not necessarily those used to access Gmail accounts, but seem to have been gathered from other websites where users used their Gmail addresses to register. 5 MILLION GMAIL CREDENTIALS LEAKED ONLINE The news broke when a user posted a link to the log-in credentials on Reddit frequented by hackers, professional and aspiring. But the archive file containing nearly 5 million Gmail addresses and plain text passwords was posted on Russian Bitcoin secur
Exclusive Deals

Get Daily News Updates By Email

Join over 350,000 information security professionals — Get the best of our cyber security coverage delivered to your inbox every morning.