#1 Trusted Cybersecurity News Platform Followed by 4.50+ million
The Hacker News Logo
Get the Free Newsletter
SaaS Security

password hacking | Breaking Cybersecurity News | The Hacker News

Hacker Selling 65 Million Passwords From Tumblr Data Breach

Hacker Selling 65 Million Passwords From Tumblr Data Breach

May 31, 2016
Earlier this month Tumblr revealed that a third party had obtained access to a set of e-mail addresses and passwords dating back from early 2013, before being acquired by Yahoo. At that time, Tumblr did not reveal the number of affected users, but in reality, around 65,469,298 accounts credentials were leaked in the 2013 Tumblr data breach, according to security expert Troy Hunt, who runs the site Have I Been Pwned . "As soon as we became aware of this, our security team thoroughly investigated the matter. Our analysis gives us no reason to believe that this information was used to access Tumblr accounts," read Tumblr's blog . A Hacker, who is going by "peace_of_mind," is selling the Tumblr data for 0.4255 Bitcoin ($225) on the darknet marketplace The Real Deal . The compromised data includes 65,469,298 unique e-mail addresses and "salted & hashed passwords." The Same hacker is also selling the compromised login account data from Fling, Li
Google Trust API plans to replace your Passwords with Trust Score

Google Trust API plans to replace your Passwords with Trust Score

May 24, 2016
The importance of increasing online security around personal information has risen due to the increase in cyber attacks and data breaches over recent years. I find it hilarious people are still choosing terrible passwords to protect their online accounts. The massive LinkedIn hack is the latest in the example that proves people are absolutely awful at picking passwords. The data breach leaked 167 Million usernames and passwords online, out of which "123456" was used by more than 750,000 accounts, followed by "LinkedIn" ( 172,523 accounts ), and "password" ( 144,458 accounts ). In a typical authentication mechanism, two-factor verification is the second layer of security that is designed to ensure that you are the only person who can access your account, even if someone knows your password. Project Abacus: Password-free Logins Now Instead of just relying on uniquely generated PINs, Google intends to use your biometrics data – like your typi
Making Sense of Operational Technology Attacks: The Past, Present, and Future

Making Sense of Operational Technology Attacks: The Past, Present, and Future

Mar 21, 2024Operational Technology / SCADA Security
When you read reports about cyber-attacks affecting operational technology (OT), it's easy to get caught up in the hype and assume every single one is sophisticated. But are OT environments all over the world really besieged by a constant barrage of complex cyber-attacks? Answering that would require breaking down the different types of OT cyber-attacks and then looking back on all the historical attacks to see how those types compare.  The Types of OT Cyber-Attacks Over the past few decades, there has been a growing awareness of the need for improved cybersecurity practices in IT's lesser-known counterpart, OT. In fact, the lines of what constitutes a cyber-attack on OT have never been well defined, and if anything, they have further blurred over time. Therefore, we'd like to begin this post with a discussion around the ways in which cyber-attacks can either target or just simply impact OT, and why it might be important for us to make the distinction going forward. Figure 1 The Pu
Bug Hunter Found Ways to Hack Any Instagram Accounts

Bug Hunter Found Ways to Hack Any Instagram Accounts

May 21, 2016
How to hack an Instagram account? The answer to this question is difficult to find, but a bug bounty hunter just did it without too many difficulties. Belgian bug bounty hunter Arne Swinnen discovered two vulnerabilities in image-sharing social network Instagram that allowed him to brute-force Instagram account passwords and take over user accounts with minimal efforts. Both brute-force attack issues were exploitable due to Instagram's weak password policies and its practice of using incremental user IDs. "This could have allowed an attacker to compromise many accounts without any user interaction, including high-profile ones," Swinnen wrote in a blog post describing details of both vulnerabilities. Brute-Force Attack Using Mobile Login API Swinnen discovered that an attacker could have performed brute force attack against any Instagram account via its Android authentication API URL, due to improper security implementations. According to his blog post , fo
cyber security

Automated remediation solutions are crucial for security

websiteWing SecurityShadow IT / SaaS Security
Especially when it comes to securing employees' SaaS usage, don't settle for a longer to-do list. Auto-remediation is key to achieving SaaS security.
FBI paid Hacker $1.3 Million to Unlock San Bernardino Shooter's iPhone

FBI paid Hacker $1.3 Million to Unlock San Bernardino Shooter's iPhone

Apr 22, 2016
In Brief Guess how much the FBI has paid an unknown grey-hat hacker to break into San Bernardino Shooter's iPhone? FBI Director James Comey hinted during an interview that the FBI spent more than $1.3 Million for breaking into the iPhone of a suspected terrorist and found nothing useful on it. Apple's  legal battle with the Federal Bureau of Investigation (FBI) ended following the bureau's announcement last month that it bought a hacking tool to break into the locked iPhone 5C belonging to the alleged San Bernardino shooter Syed Farook. At the time, the FBI did not disclose the name of the third party neither it revealed the cost of the hacking tool. But yesterday while speaking at the Aspen Security Forum in London, FBI Director James Comey gave a hint on the price it gave to the unnamed "outside party" for the hacking solution after Apple refused to help the agency bypass the iPhone's security mechanisms. The FBI Paid Over $1.3 MILLION f
Instagram Adds Two-Step Verification to Prevent Account from being Hacked

Instagram Adds Two-Step Verification to Prevent Account from being Hacked

Feb 17, 2016
Hijacking an online account is not a complicated procedure, not at least in 2016. Today, Instagram confirmed that the company is in the process to roll out two-factor authentication for its 400 Million users. It is impossible to make your online accounts hack-proof, but you can make them less vulnerable. Then what you can do to protect yourselves from hackers? Several companies provide more enhanced steps like Encrypted Channel Services, Security Questions, Strict Password Policy and so on. But, what would you do if a hacker had somehow managed to access your accounts' passwords? Since the online accounts do not have an intelligent agent inbuilt to verify whether the person is the legit driver of the account; beyond a username and password match. Hence the concept of Two-Factor Authentication (2FA) born out! Jumbos like Google, Facebook, Twitter and Amazon have already blended the 2FA feature with their services to tackle account hijacking. 2-F
Oh Snap! Lenovo protects your Security with '12345678' as Hard-Coded Password in SHAREit

Oh Snap! Lenovo protects your Security with '12345678' as Hard-Coded Password in SHAREit

Jan 27, 2016
What do you expect a tech giant to protect your backdoor security with? Holy Cow! It's " 12345678 " as a Hard-Coded Password . Yes, Lenovo was using one of the most obvious, awful passwords of all time as a hard-coded password in its file sharing software SHAREit that could be exploited by anyone who can guess '12345678' password. The Chinese largest PC maker made a number of headlines in past for compromising its customers security. It had shipped laptops with the insecure  SuperFish adware , it was  caught using Rootkit  to secretly install unremovable software, its  website was hacked , and it was  caught pre-installing Spyware  on its laptops. Any of these incidences could have been easily prevented. Now, Research center of Core Security CoreLabs issued an advisory on Monday that revealed several software vulnerabilities in Lenovo SHAREit app for Windows and Android that could result in: Information leaks Security protocol bypas
Someone Just Leaked Hard-Coded Password Backdoor for Fortinet Firewalls

Someone Just Leaked Hard-Coded Password Backdoor for Fortinet Firewalls

Jan 13, 2016
Are millions of enterprise users, who rely on the next-generation firewalls for protection, actually protected from hackers? Probably Not. Just less than a month after an unauthorized backdoor found in Juniper Networks firewalls, an anonymous security researcher has discovered highly suspicious code in FortiOS firewalls from enterprise security vendor Fortinet. According to the leaked information, FortiOS operating system, deployed on Fortinet's FortiGate firewall networking equipment, includes an SSH backdoor that can be used to access its firewall equipment. Anyone can Access FortiOS SSH Backdoor Anyone with " Fortimanager_Access " username and a hashed version of the " FGTAbc11*xy+Qqz27 " password string, which is hard coded into the firewall, can login into Fortinet's FortiGate firewall networking equipment. However, according to the company's product details, this SSH user is created for challenge-and-response authenti
Simple Yet Effective eBay Bug Allows Hackers to Steal Passwords

Simple Yet Effective eBay Bug Allows Hackers to Steal Passwords

Jan 12, 2016
A simple, yet effective flaw discovered on eBay's website exposed hundreds of millions of its customers to an advance  Phishing Attack . An Independent Security Researcher reported a critical vulnerability to eBay last month that had the capability to allow hackers to host a fake login page, i.e. phishing page, on eBay website in an effort to steal users' password and harvest credentials from millions of its users. The researchers, nicknamed MLT , said anyone could have exploited the vulnerability to target eBay users in order to take over their accounts or harvest thousands, or even millions, of eBay customers credentials by sending phishing emails to them. MLT published a blog post about the eBay flaw on Monday, demonstrating how easy it is to exploit the flaw like this and steal customers' passwords. Here's How ebay Hack Works The flaw actually resided in the URL parameter that allowed the hacker to inject his iFrame on the legitimate eBay
Toymaker VTech Hack Exposes 4.8 Million Customers, including Photos of Children

Toymaker VTech Hack Exposes 4.8 Million Customers, including Photos of Children

Dec 01, 2015
Earlier this month, a massive data breach at VTech – the maker of tablets and gadgets aimed at children – exposed the personal details of about 4.8 Million parents and photos of more than 200,000 Children. If that was not bad enough… …it turns out that the massive cyber attack against the toymaker company also left hundreds of thousands of snaps of parents and children , as well as a year worth of chat logs kept online in a way easily accessible to hackers. VTech Data Breach In a statement released Monday, the toymaker company VTech said the hacked database included victim's profile information including: Customers' names Email addresses Passwords ( One-way encrypted using MD5 hash that can be cracked in no time ) Secret questions and answers for password retrieval IP addresses Residential addresses Download history The database also included information on children including names, genders and date of births. Also Read: Caution! Hackers Ca
Mr. Grey Hacker (Wanted by FBI) Steals 1.2 BILLION Login Passwords

Mr. Grey Hacker (Wanted by FBI) Steals 1.2 BILLION Login Passwords

Nov 26, 2015
That's a lot of Login credentials fetch by a single hacker. The FBI believes a single hacker who goes by the moniker Mr.Grey has stolen login credentials for over 1.2 Billion online accounts – apparently the biggest heist of log-in credentials the FBI has investigated thus far. Yeah, that's not Fifty, but 1.2 Billion Shades of Grey . The information came from the court documents the federal agents submitted to support its search warrant request in 2014, Reuters reported . The cyber security firm ' Hold Security ' initially reported the theft of the credentials last year. It found out that Russian hacking group CyberVor has stolen 1.2 Billion login details and an additional 500 Million email accounts. Botnet Breach These data were said to have been harvested from over 420,000 websites via botnets looking for SQL injection flaws ; the same technique recently used to hack TalkTalk . Botnets are usually employed to attack an individual targ
Researcher releases Free Hacking Tool that Can Steal all Your Secrets from Password Manager

Researcher releases Free Hacking Tool that Can Steal all Your Secrets from Password Manager

Nov 04, 2015
Unless we are a human supercomputer, remembering a different password for every different site is not an easy task. But to solve this problem, there is a growing market of best password manager and lockers, which remembers your password for every single account and simultaneously provides an extra layer of protection by keeping them strong and encrypted. However, it seems to be true only until a hacker released a hacking tool that can silently decrypt and extract all usernames, passwords, as well as notes stored by the popular password manager KeePass . Dubbed KeeFarce , the hacking tool is developed by Kiwi hacker Denis Andzakovic and is available on GitHub  for free download. Hackers can execute KeeFarce on a computer when a user has logged into their KeePass vault, which makes them capable of decrypting the entire password archive and then dumping it to a file that attackers can steal remotely. How Does KeeFarce Work? KeeFarce obtains passwords by lever
TalkTalk Hack: Police Arrest Second Teenager in London

TalkTalk Hack: Police Arrest Second Teenager in London

Oct 30, 2015
British Police have arrested a second teenage boy in relation to the major hack on the servers of UK-based telco 'TalkTalk' last week. On Monday, a 15-year-old boy (first arrest) from County Antrim, Northern Ireland, was arrested in connection with the TalkTalk Data Breach. On Thursday, The Metropolitan Police Cyber Crime Unit (MPCCU) arrested this second unnamed 16-year-old boy from Feltham in west London on suspicion of Computer Misuse Act offences. Latest TalkTalk Data breach put the Bank details and Personally Identifiable Information (PII) of millions of customers at risk, including: Nearly 21,000 Bank Accounts Almost 28,000 obscured Credit and Debit card details Less than 15,000 customer dates of birth Names, Email Addresses, and Phone Numbers of 1.2 Million Customers TalkTalk has confessed that " Not all of the data was encrypted "... yeah, its' too bad. However, " Investigations so far show that the information that may have bee
New Attack Targeting Microsoft Outlook Web App (OWA) to Steal Email Passwords

New Attack Targeting Microsoft Outlook Web App (OWA) to Steal Email Passwords

Oct 06, 2015
Researchers have unearthed a dangerous backdoor in Microsoft's Outlook Web Application (OWA) that has allowed hackers to steal e-mail authentication credentials from major organizations. The Microsoft Outlook Web Application or OWA is an Internet-facing webmail server that is being deployed in private companies and organisations to provide internal emailing capabilities. Researchers from security vendor Cybereason discovered a suspicious DLL file loaded into the company's OWA server that siphoned decrypted HTTPS server requests. Although the file had the same name as another benign DLL file, the suspicious DLL file was unsigned and loaded from another directory. Hackers Placed Malicious DLL on OWA Server According to the security firm, the attacker replaced the OWAAUTH.dll file ( used by OWA as part of the authentication mechanism ) with one that contained a dangerous backdoor. Since it ran on the OWA server, the backdoored DLL file allowed hacker
Data Breach Day — Patreon (2.3M), T-Mobile (15M) and Scottrade (4.6M) — HACKED!

Data Breach Day — Patreon (2.3M), T-Mobile (15M) and Scottrade (4.6M) — HACKED!

Oct 03, 2015
This week, three high-profile data breaches took place, compromising personal and sensitive details of millions of people. Telecommunication giant T-Mobile Crowdfunding website Patreon US brokerage firm Scottrade In T-Mobile's case, its credit application processor Experian was hacked , potentially exposing highly sensitive details of 15 Million people who applied for its service in the past two years. The stolen data includes home addresses, birth dates, driver's license number, passport number, military I.D. numbers and – most unfortunately – the Social Security numbers, among other information. Patreon Hack Hits 2.3 Million Users In Patreon's case, hackers managed to steal almost 15 gigabytes' worth of data including names, shipping addresses and email addresses of 2.3 Million users . In a post published late Wednesday, Patreon CEO Jack Conte confirmed that the crowdfunding firm had been hacked and that the personal data of its users h
Beware Coffee Lovers! StarBucks Exposed you to 3 Critical Vulnerabilities

Beware Coffee Lovers! StarBucks Exposed you to 3 Critical Vulnerabilities

Sep 18, 2015
Ever registered on StarBucks website? Change your passwords now! If you are one of those Millions Starbucks customers who have registered their accounts and credit card details on StarBucks website, then your banking details are vulnerable to hackers. An Independent Security Researcher, Mohamed M. Fouad from Egypt, has found three critical vulnerabilities on StarBucks website that could have allowed attackers to take over your account in just one click. The vulnerabilities include: Remote Code Execution Remote File Inclusion lead to Phishing Attacks CSRF (Cross Site Request Forgery) Stealing Credit Cards Details In case of Remote File Inclusion flaw, an attacker can inject a file from any location into the target page, which includes as a source code for parsing and execution, allowing attacker to perform: Remote Code Execution on the company's web server Remote Code Execution on the client-side, potentially allowing attacker to perform othe
These Top 7 Brutal Cyber Attacks Prove 'No One is Immune to Hacking' — Part II

These Top 7 Brutal Cyber Attacks Prove 'No One is Immune to Hacking' — Part II

Sep 08, 2015
In Part I of this  two-part series from The Hacker News , the First Four list of Top Brutal Cyber Attacks shows that whoever you are, Security can never be perfect. As attackers employ innovative hacking techniques and zero-day exploits, the demand for increased threat protection grows. In this article, I have listed another three cyber attacks, as following: #5 Car Hacking Driving a car is a network's game now! ' Everything is hackable ,' but is your car also vulnerable to Hackers ? General Motors' OnStar application and cars like Jeep Cherokee, Cadillac Escalade, Toyota Prius, Dodge Viper, Audi A8 and many more come equipped with more advanced technology features. These cars are now part of the technology very well known as the " Internet of Things ". Recently two Security researchers, Chris Valasek and Charlie Miller demonstrated that Jeep Cherokee could be hacked wirelessly over the internet to hijack its steering, brakes, and transmi
These Top 7 Brutal Cyber Attacks Prove 'No One is Immune to Hacking' — Part I

These Top 7 Brutal Cyber Attacks Prove 'No One is Immune to Hacking' — Part I

Sep 08, 2015
If you believe that your organization is not at real risk of cyber attack, then you are absolutely wrong. Incidents of massive data breaches, advanced cyber attacks coming from China , groups like Syrian Electronic Army , Hacking Point of Sale machines at retailers such as Target have splashed across the news in the last one year. Whether a Government Agency or Private Company, Small or a Large Tech Company.... ...It's no secret that No one is Immune to Cyber Attacks . This article is the first in a two-part series from The Hacker News , listing first four out of  Top 7 Brutal Cyber Attacks. And here we go... #1 "Hacking Team" Data Breach Hacking Team , the controversial spyware company, recently been hacked by some unidentified hackers that exposed over 400 gigabytes of its internal sensitive data on the Internet. Milan (Italy) based IT firm 'Hacking Team' sells intrusion and surveillance software solutions to Governments and Law Enforcement agen
Cybersecurity Resources