The Hacker News Logo
Subscribe to Newsletter

The Hacker News - Cybersecurity News and Analysis: password hacking

Five Critical Password Security Rules Your Employees Are Ignoring

Five Critical Password Security Rules Your Employees Are Ignoring

July 19, 2021The Hacker News
According to Keeper Security's Workplace Password Malpractice Report, many remote workers aren't following best practices for password security. Password security was a problem even before the advent of widespread remote work. So, what happened post-pandemic?  Keeper Security's Workplace Password Malpractice Report  sought to find out. In February 2021, Keeper surveyed 1,000 employees in the U.S. about their work-related password habits -- and discovered that a lot of remote workers are letting password security go by the wayside. Here are 5 critical password security rules they're ignoring. 1 — Always use strong passwords Strong passwords are at least eight characters long (preferably more) and consist of random strings of letters, numerals, and special characters. Passwords should never include dictionary words, which are easy to guess, or personal details, which cybercriminals can scrape off social media channels. 37% of respondents to Keeper's survey sai
U.S. Authorities Shut Down Slilpp—Largest Marketplace for Stolen Logins

U.S. Authorities Shut Down Slilpp—Largest Marketplace for Stolen Logins

June 10, 2021Ravie Lakshmanan
The U.S. Department of Justice (DoJ) Thursday said it disrupted and took down the infrastructure of an underground marketplace known as " Slilpp " that specialized in trading stolen login credentials as part of an international law enforcement operation. Over a dozen individuals have been charged or arrested in connection with the illegal marketplace. The cyber crackdown, which involved the joint efforts of the U.S., Germany, the Netherlands, and Romania, also commandeered a set of servers hosting its infrastructure as well as the multiple domains the group operated. Operational since 2012, Slilpp was a marketplace for allegedly stolen online account login credentials belonging to 1,400 companies worldwide, offering for sale more than 80 million plundered usernames and passwords for bank accounts, online payment accounts, mobile phone accounts, retailer accounts, and other online accounts, which were abused to conduct unauthorized transactions, such as wire transfers, fro
Hackers Breached Colonial Pipeline Using Compromised VPN Password

Hackers Breached Colonial Pipeline Using Compromised VPN Password

June 07, 2021Ravie Lakshmanan
The ransomware cartel that masterminded the  Colonial Pipeline attack  early last month crippled the pipeline operator's network using a compromised virtual private network (VPN) account password, the latest investigation into the incident has revealed. The development, which was  reported  by Bloomberg on Friday, involved gaining an initial foothold into the networks as early as April 29 through the VPN account, which allowed employees to access the company's networks remotely. The VPN login — which didn't have multi-factor protections on — was unused but active at the time of the attack, the report said, adding the password has since been discovered inside a batch of leaked passwords on the dark web, suggesting that an employee of the company may have reused the same password on another account that was previously breached. It's, however, unclear how the password was obtained, Charles Carmakal, senior vice president at the cybersecurity firm Mandiant, was quoted a
Why Password Hygiene Needs a Reboot

Why Password Hygiene Needs a Reboot

May 17, 2021The Hacker News
In today's digital world, password security is more important than ever. While biometrics, one-time passwords (OTP), and other emerging forms of authentication are often touted as replacements to the traditional password, today, this concept is more marketing hype than anything else. But just because  passwords aren't going anywhere anytime soon  doesn't mean that organizations don't need to modernize their approach to password hygiene right now.  The Compromised Credential Crisis As Microsoft's  security team put it , "All it takes is one compromised credential…to cause a data breach." Coupled with the rampant problem of password reuse, compromised passwords can have a significant and long-lasting impact on enterprise security. In fact, researchers from Virginia Tech University found that over 70% of users employed a compromised password for other accounts up to a year after it was initially leaked, with 40% reusing passwords that were leaked over three years ago. Wh
Passwordless: More Mirage Than Reality

Passwordless: More Mirage Than Reality

April 19, 2021The Hacker News
The concept of "passwordless" authentication has been gaining significant industry and media attention. And for a good reason. Our digital lives are demanding an ever-increasing number of online accounts and services, with security best practices dictating that each requires a strong, unique password in order to ensure data stays safe. Who wouldn't want an easier way? That's the premise behind one-time passwords (OTP), biometrics, pin codes, and other authentication methods presented as passwordless security. Rather than remembering cumbersome passwords, users can authenticate themselves using something they own, know, or are. Some examples include a smartphone, OTP, hardware token, or biometric marker like a fingerprint. While this sounds appealing on the surface, the problem is that, when you dig deeper, these passwordless solutions are still reliant on passwords. This happens in two primary ways: Passwordless Solutions Rely on Passwords as a Fallback If you ha
A $50,000 Bug Could've Allowed Hackers Access Any Microsoft Account

A $50,000 Bug Could've Allowed Hackers Access Any Microsoft Account

March 03, 2021Ravie Lakshmanan
Microsoft has awarded an independent security researcher $50,000 as part of its bug bounty program for reporting a flaw that could have allowed a malicious actor to hijack users' accounts without their knowledge. Reported by Laxman Muthiyah, the vulnerability aims to brute-force the seven-digit security code that's sent to a user's email address or mobile number to corroborate his (or her) identity before resetting the password in order to recover access to the account. Put differently, the account takeover scenario is a consequence of privilege escalation stemming from an authentication bypass at an endpoint which is used to verify the codes sent as part of the  account recovery process . The company addressed the issue in November 2020, before details of the flaw came to light on Tuesday. Although there are encryption barriers and rate-limiting checks designed to prevent an attacker from repeatedly submitting all the 10 million combinations of the codes in an automa
A Successful Self-Service Password Reset (SSPR) Project Requires User Adoption

A Successful Self-Service Password Reset (SSPR) Project Requires User Adoption

September 10, 2020The Hacker News
IT help desks everywhere are having to adjust to the 'new normal' of supporting mainly remote workers. This is a major shift away from visiting desks across the office and helping ones with traditional IT support processes. Many reasons end-users may contact the helpdesk. However, password related issues are arguably the most common. Since the onset of the global pandemic that began earlier this year, help desks are now dealing with password resets of users who are working remotely. Servicing users who are working remotely and assisting with password resets can be cumbersome and expose organizations to potential security risks. Self-service password reset (SSPR) solutions can significantly assist in providing the tools that remote workers need to service their accounts. However, there can be challenges with enrollment and other issues. Let's take a look at SSPR and see how businesses can manage enrollment compliance. What is Self-Service Password Reset (SSPR)
DoorDash Breach Exposes 4.9 Million Users' Personal Data

DoorDash Breach Exposes 4.9 Million Users' Personal Data

September 27, 2019Swati Khandelwal
Do you use DoorDash frequently to order your food online? If yes, you are highly recommended to change your account password right now . DoorDash—the popular on-demand food-delivery service—today confirmed a massive data breach that affects almost 5 million people using its platform, including its customers, delivery workers, and merchants as well. DoorDash is a San Francisco-based on-demand food delivery service (just like Zomato and Swiggy in India) that connects people with their local restaurants and get delivered food on their doorsteps with the help of contracted drivers, also known as "Dashers." The service operates in more than 4,000 cities across the United States and Canada. What happened? In a blog post published today, DoorDash said the company became aware of a security intrusion earlier this month after it noticed some "unusual activity" from a third-party service provider. Immediately after detecting the security intrusion, the comp
Some D-Link and Comba WiFi Routers Leak Their Passwords in Plaintext

Some D-Link and Comba WiFi Routers Leak Their Passwords in Plaintext

September 10, 2019Swati Khandelwal
What could be worse than your router leaking its administrative login credentials in plaintext? Cybersecurity researchers from Trustwave's SpiderLabs have discovered multiple security vulnerabilities in some router models from two popular manufacturers—D-Link and Comba Telecom—that involve insecure storage of credentials, potentially affecting every user and system on that network. Researcher Simon Kenin told The Hacker News that he discovered a total of five vulnerabilities—two in a D-Link DSL modem typically installed to connect a home network to an ISP, and three in multiple Comba Telecom WiFi devices. These flaws could potentially allow attackers to change your device settings, extract sensitive information, perform MitM attacks, redirect you to phishing or malicious sites and launch many more types of attacks. "Since your router is the gateway in and out of your entire network it can potentially affect every user and system on that network. An attacker-controlled
Hostinger Suffers Data Breach – Resets Password For 14 Million Users

Hostinger Suffers Data Breach – Resets Password For 14 Million Users

August 26, 2019Swati Khandelwal
Popular web hosting provider Hostinger has been hit by a massive data breach, as a result of which the company has reset passwords for all customers as a precautionary measure. In a blog post published on Sunday, Hostinger revealed that "an unauthorized third party" breached one of its servers and gained access to "hashed passwords and other non-financial data" associated with its millions of customers. The incident occurred on August 23 when unknown hackers found an authorization token on one of the company's servers and used it to gain access to an internal system API, without requiring any username and password. Immediately after the breach discovery, Hostinger restricted the vulnerable system, making this access no longer available, and contacted the respective authorities. "On August 23rd, 2019 we have received informational alerts that one of our servers has been accessed by an unauthorized third party," Hostinger said. "This
Citrix Data Breach – Iranian Hackers Stole 6TB of Sensitive Data

Citrix Data Breach – Iranian Hackers Stole 6TB of Sensitive Data

March 11, 2019Swati Khandelwal
Popular enterprise software company Citrix that provides services to the U.S. military, the FBI, many U.S. corporations, and various U.S. government agencies disclosed last weekend a massive data breach of its internal network by "international cyber criminals." Citrix said it was warned by the FBI on Wednesday of foreign hackers compromising its IT systems and stealing "business documents," adding that the company does not know precisely which documents the hackers obtained nor how they got in. However, the FBI believes that the miscreants likely used a "password spraying" attack where the attackers guessed weak passwords to gain an early foothold in the company's network in order to launch more extensive attacks. "While not confirmed, the FBI has advised that the hackers likely used a tactic known as password spraying, a technique that exploits weak passwords. Once they gained a foothold with limited access, they worked to circumvent
Over 92 Million New Accounts Up for Sale from More Unreported Breaches

Over 92 Million New Accounts Up for Sale from More Unreported Breaches

February 17, 2019Swati Khandelwal
All these numbers…. "More than 5 billion records from 6,500 data breaches were exposed in 2018" — a report from Risk Based Security says. "More than 59,000 data breaches have been reported across the European since the GDPR came into force in 2018" — a report from DLA Piper says. …came from data breaches that were reported to the public, but in reality, more than half of all data breaches actually go unreported. Just last week, we disclosed the existence of some massive unreported data breaches in two rounds, which a hacker has now started monetizing by selling stolen user databases publicly. Now, a new set of databases containing millions of hacked accounts from several websites has been made available for sale on the dark web marketplace by the same hacker who goes by online alias Gnosticplayers. Gnosticplayers last week made two rounds of stolen accounts up for sale on the popular dark web marketplace called Dream Market , posting details of near
Hacker Breaches Dozens of Sites, Puts 127 Million New Records Up for Sale

Hacker Breaches Dozens of Sites, Puts 127 Million New Records Up for Sale

February 15, 2019Swati Khandelwal
A hacker who was selling details of nearly 620 million online accounts stolen from 16 popular websites has now put up a second batch of 127 million records originating from 8 other sites for sale on the dark web. Last week, The Hacker News received an email from a Pakistani hacker who claims to have hacked dozens of popular websites (listed below) and selling their stolen databases online. During an interview with The Hacker News, the hacker also claimed that many targeted companies have probably no idea that they have been compromised and that their customers' data have already been sold to multiple cyber criminal groups and individuals. Package 1: Databases From 16 Compromised Websites On Sale In the first round, the hacker who goes by online alias "gnosticplayers" was selling details of 617 million accounts belonging to the following 16 compromised websites for less than $20,000 in Bitcoin on dark web marketplace Dream Market : Dubsmash — 162 million acco
Google's New Tool Alerts When You Use Compromised Credentials On Any Site

Google's New Tool Alerts When You Use Compromised Credentials On Any Site

February 05, 2019Mohit Kumar
With so many data breaches happening almost every week, it has become difficult for users to know if their credentials are already in possession of hackers or being circulated freely across the Internet. Thankfully, Google has a solution. Today, February 5, on Safer Internet Day, Google launches a new service that has been designed to alert users when they use an exact combination of username and password for any website that has previously been exposed in any third-party data breach. The new service, which has initially been made available as a free Chrome browser extension called Password Checkup , works by automatically comparing the user's entered credential on any site to an encrypted database that contains over 4 billion compromised credentials. If the credentials are found in the list of compromised ones, Password Checkup will prompt users to change their password. Wondering if Google can see your login credentials? No, the company has used a privacy-oriented i
Widespread Instagram Hack Locking Users Out of Their Accounts

Widespread Instagram Hack Locking Users Out of Their Accounts

August 15, 2018Mohit Kumar
Instagram has been hit by a widespread hacking campaign that appears to stem from Russia and have affected hundreds of users over the past week, leaving them locked out of their accounts. A growing number of Instagram users are taking to social media, including Twitter and Reddit, to report a mysterious hack which involves locking them out of their account with their email addresses changed to .ru domains. According to victims, their account names, profile pictures, passwords, email addresses associated with their Instagram accounts, and even connected Facebook accounts are being changed in the attack. Many of the affected Instagram users are also complaining about their profile photos replaced with stills from popular films, including Despicable Me 3 and Pirates of the Caribbean. Although it is still unknown who is behind the widespread hack of Instagram accounts, the use of the email addresses originating from Russian email provider mail.ru may indicate a Russian hacker or
Timehop Hacked — Hackers Stole Personal Data Of All 21 Million Users

Timehop Hacked — Hackers Stole Personal Data Of All 21 Million Users

July 09, 2018Mohit Kumar
And the hacks just keep on coming. Timehop social media app has been hit by a major data breach on July 4th that compromised the personal data of its more than 21 million users. Timehop is a simple social media app that collects your old photos and posts from your iPhone, Facebook, Instagram, Twitter and Foursquare and acts as a digital time machine to help you find—what you were doing on this very day exactly a year ago. The company revealed on Sunday that unknown attacker(s) managed to break into its Cloud Computing Environment and access the data of entire 21 million users, including their names, email addresses, and approximately 4.7 million phone numbers attached to their accounts. "We learned of the breach while it was still in progress, and were able to interrupt it, but data was taken. Some data was breached," the company wrote in a security advisory posted on its website. Social Media OAuth2 Tokens Also Compromised Moreover, the attackers also got th
Password-Guessing Was Used to Hack Gentoo Linux Github Account

Password-Guessing Was Used to Hack Gentoo Linux Github Account

July 05, 2018Swati Khandelwal
Maintainers of the Gentoo Linux distribution have now revealed the impact and "root cause" of the attack that saw unknown hackers taking control of its GitHub account last week and modifying the content of its repositories and pages. The hackers not only managed to change the content in compromised repositories but also locked out Gentoo developers from their GitHub organisation. As a result of the incident, the developers were unable to use GitHub for five days. What Went Wrong? Gentoo developers have revealed that the attackers were able to gain administrative privileges for its Github account, after guessing the account password. The organisation could have been saved if it was using a two-factor authentication, which requires an additional passcode besides the password in order to gain access to the account. "The attacker gained access to a password of an organization administrator. Evidence collected suggests a password scheme where disclosure on on
Online Courses and Software

Sign up for cybersecurity newsletter and get latest news updates delivered straight to your inbox daily.