password hacking | Breaking Cybersecurity News | The Hacker News

Tumblr posted a blog post Tuesday night warning users to change their passwords and released a very important security update for iOS users after identifying a breach that compromised their passwords. It seems that, under certain circumstances, the prior versions of the iPhone and iPad apps would allow an individual with malicious intent to sniff or intercept passwords as they are in transit across a local network. The problem arose because the iPad and iPhone apps fail to log users in through a secure server.  The vulnerability does not seem to have affected Tumblr's Android app. The company urged users to download the latest version of the Tumblr app, which is available in the Apple iTunes Store. The company did not provide further details on the breach. It's also good practice to use different passwords across different services by using an app like 1Password or LastPass. It doesn't appear that any passwords got in the hands of malicious individuals, though you

Japanese video game maker Nintendo recently revealed that one of its main fan sites Club Nintendo got hacked and Out of 15.5 million login attempts in brute-force process, almost 24,000 user accounts have been hijacked early last month. Nintendo said it first became aware of the illicit logins on Tuesday evening after a large number of access errors on the site. However the security team believe that the hackers obtained the logins and passwords from an outside resource. The fan site, Club Nintendo, allows 3DS and Wii owners, as well as other fans of Nintendo games and hardware to answer survey questions and register their products. Members can do all this in exchange for "coins" or points. These can later be traded for other goods or services on the site. The site is open to users from all over the world, about four million of which are located in Japan. These accounts contain secure data of users' real names, addresses, phone numbers and email information. " The

In today's digital world, where connectivity is rules all, endpoints serve as the gateway to a business's digital kingdom. And because of this, endpoints are one of hackers' favorite targets.  According to the IDC,  70% of successful breaches start at the endpoint . Unprotected endpoints provide vulnerable entry points to launch devastating cyberattacks. With IT teams needing to protect more endpoints—and more kinds of endpoints—than ever before, that perimeter has become more challenging to defend. You need to improve your endpoint security, but where do you start? That's where this guide comes in.  We've curated the top 10 must-know endpoint security tips that every IT and security professional should have in their arsenal. From identifying entry points to implementing EDR solutions, we'll dive into the insights you need to defend your endpoints with confidence.  1. Know Thy Endpoints: Identifying and Understanding Your Entry Points Understanding your network's

The ability to turn your iPhone into a Wi-Fi hotspot is a fantastically useful little tool in and of itself. When setting up a personal hotspot on their iPad or iPhone, users have the option of allowing iOS to automatically generate a password. According to a new study by Researchers at the University of Erlangen in Germany, iOS-generated passwords use a very specific formula one which the experienced hacker can crack in less than a minute. Using an iOS app written in Apple's own Xcode programming environment, the team set to work analyzing the words that Apple uses to generate its security keys . Apple's hotspot uses a standard WPA2 -type process, which includes the creation and passing of pre-shared keys (PSK). They found that the default passwords are made up of a combination of a short dictionary words followed by a series of random numbers and this method actually leaves them vulnerable to  brute force attack . The word list Apple uses contains approximately 52,500

Another day, Another verified twitter account with over 900,000 followers hacked by 'Colin'. Hacker hacked into a Sky News Twitter account earlier today, and left a semi-permanent mark on the internet's consciousness. The mysterious Colin soon began to trend on Twitter as #ColinWasHere hashtag. However, the tweet which simply said " Colin was here " - has now been deleted, with Sky blaming the tweet on a hack. The post was retweeted more than 7,500 times before it was removed half an hour later. The Syrian Electronic Army in the recent past has been accused of hacking social media feeds of a number of well known Twitter handles, such as AP , The Guardian and even for some bizarre reason, the satire news agency ' The Onion ' UPDATE:  The Sky News press office has informed that Colin was, in fact, " a 'disaster recovery' test message which accidently went live " and that "no Colin was harmed in the making of this message".

The hacktivist group Syrian Electronic Army (SEA) briefly took over the Twitter account of the satirical news publication The Onion, posting a series of anti-Israeli joke stories and an anti-Obama meme image. In a post on The Onion tech team's GitHub blog , the fake news site explains that the Syrian Electronic Army didn't wrestle control of its Twitter account using some advanced hacker scheme. The hack attack penetrated the publication with at least three methods of phishing attacks, where a false e-mail redirected people to a fake Website which then asked for Google Apps credentials. Previously the Syrian Electronic Army (SEA) has shanghaied its way into the official Twitter feeds of AP and the Guardian, using the former to post a tweet falsely claiming that there had been an explosion at the white House. Exposing details about an attack is not the normal approach companies take after they are hacked. The New York Times revealed earlier this year how Chinese hackers breac

' Nir Goldshlager ' known as Facebook hacker and founder of Break Security  , who reported many critical bugs in Facebook OAuth mechanism in past few months, today disclose a critical  vulnerability in Instagram Oauth that allow an attacker to hack any account. Succesful hack allows attacker to access private photos, ability to delete victim's photos and to edit comments and also the ability to post new photos. Hacker explained that there are two ways to hack Instagram accounts using OAuth, first via Hijack Instagram accounts using the Instagram OAuth or Hijack Instagram accounts using the Facebook OAuth Dialog. During his bug hunting Nir found loopholes in Instagram's security parameters i.e redirect_uri , that allows  attacker to pass the access token to his own domain with mx as suffix i.e code straight to breaksec.com.mx . POC :  https://instagram.com/oauth/authorize/?client_id=33221863eec546659f2564dd71a8a38d&redirect_uri=https://breaksec

It seems that 2013 is the " Data Leakage Year "! Many customers' information and confidential data have been published on the internet coming from government institutions, famous vendors, and companies too. Ebrahim Hegazy(@Zigoo0) an Egyptian information security advisor who found a high severity vulnerability in " Avira license daemon " days ago, is on the news again, but this time for finding and reporting Blind SQL Injection vulnerability in one of Yahoo! E-marketing applications. SQL Injection vulnerabilities are ranked as Critical vulnerabilities, because if used by Hackers it will cause a database breach which will lead to confidential information leakage. A time based blind SQL Injection web vulnerability is detected in the official Yahoo! TW YSM Marketing Application Service. The vulnerability allows remote attackers to inject own SQL commands to breach the database of that vulnerable application and get access to the user data.

Another phishing campaign come in action recently targeting Facebook accounts and company pages with millions of followers. Phishers continue to devise new fake apps for the purpose of harvesting confidential information. Not a new method, but very creative phishing example in Facebook hacking scene, where hacker host a phishing page on Facebook app sub domain itself. Designed very similar to Facebook Security team with title ' Facebook Page Verification ' and using Facebook Security Logo as shown in the screenshot posted above. Phishing app URL: https://apps.facebook.com/verify-pages/ Application hosted on:   https://talksms.co.uk/ The phishing page asking users to enter Page URL and Page Name that victim own and his Facebook login email ID with password. Once victim trapped in hacker web, the phisher records your information. Another interesting fact is that, the phishing domain https://talksms.co.uk/ is a HTTPS site with with verified SSL from GeoTrust

In recent The Hacker News updates, we have reported about some major hacking events and critical vulnerabilities i.e Cyber attack and spying on The New York Times and Wall Street Journal by Chinese Hackers,  Security Flaws in UPnP protocol , Botnet attack hack 16,000 Facebook accounts, 700,000 accounts hacked in Africa and new android malware that infect more that 620,000 users . Today Twitter also announced that they have recorded some unusual access patterns that is identified as unauthorized access attempts to Twitter user data. Unknown hackers breach Twitter this week and may have gained access to passwords and other information for as many as 250,000 user accounts " the attackers may have had access to limited user information – usernames, email addresses, session tokens and encrypted/salted versions of passwords " said Bob Lord ,Director of Information Security, at Twitter. For security reasons twitter have reset passwords and revoked session tokens

GitHub is a source code repository which lets developers work on programs together as a team, even when they are in different locations. Each repository on the site is a public folder designed to hold the software code that a developer is working on. This Tuesday GitHub announced a major upgrades to the site's search engine, " Finding great code on GitHub just got a whole lot easier, ". Yesterday few twitter users pointed out that there is no shortage of embedded private SSH keys and passwords that can easily be found via GitHub new feature. If you upload security information (keys/passwords etc) to a public repository, new search feature will allow anyone to find them. Today, GitHub's search function stopped working , though the site didn't acknowledge the cause. Updated message is " Search remains unavailable. The cluster is recovering slowly and we continue to monitor its progress. We'll provide further updates as they become available

Twenty-four hours a day, seven days a week, 365 days each year – it's happening. Whether you are awake or asleep, in a meeting or on vacation, they are out there probing your network, looking for a way in. A way to exploit you; a way to steal your data, a place to store illegal content, a website they can deface, or any of a hundred other ways to mess with you for the simple joy of it all. And they can do this with relative ease, even in an automated fashion, with simple tools that are readily available to all. I'm talking about network scanners. The bad guys use them all day every day to assess networks around the world because a network scanner is one of the easiest and most efficient ways to find the cracks in your armor. If you want to see your network the same way an attacker would, then you want to use a network scanner. Network scanners perform automated tests of systems over the network. They don't require agents or any other software to be installed on the "target"

Hacker found a way to hack and change your password like, just he used to change his own password. Confused ? Recently Facebook fix a very critical vulnerability on the tip of ' Sow Ching Shiong ' , an independent vulnerability researcher. Flaw allows anyone to reset the password of any Facebook user without knowing his last password. At Facebook, there is an option for compromised accounts at " https://www.facebook.com/hacked " , where Facebook ask one to change his password for further protection. This compromised account recovery page, will redirect you to another page at " https://www.facebook.com/checkpoint/checkpointme?f=[userid]&r=web_hacked " . Researcher notice that the URL of the page having a parameter called "f" which represents your user ID and replacing the user ID with victim's user ID allow him to get into next page where attacker can reset the password of victim without knowing his last password. The  Vulnera

Many be many of you are not aware about this, but Facebook having a Secure Files Transfer service for their Employees at https://files.fb.com  and Hacker reported a very critical password reset vulnerability. Nir Goldshlager , a researcher told ' The Hacker News ' that how he defeat Facebook 's Secure Files Transfer service and help Facebook by reporting them about this issue in a responsible non-disclosure way till patch. After analyzing the site, he found that the script Facebook is using is actually " Accellion Secure File Sharing Service " script and so next he download the demo version of service from Accellion website and explore the source codes and file locations. He found that, there is a user registration page also available in source, that was also on files.fb.com. Unfortunately Facebook had removed the Sign up option (link) from homepage, but forget to remove the registration page from its actual location i.e (/courier/web/1000@/wmReg.html)