#1 Trusted Cybersecurity News Platform Followed by 4.50+ million
The Hacker News Logo
Get the Free Newsletter
SaaS Security

password hacking | Breaking Cybersecurity News | The Hacker News

Breach Database Site 'LeakedSource' Goes Offline After Alleged Police Raid

Breach Database Site 'LeakedSource' Goes Offline After Alleged Police Raid

Jan 27, 2017
The biggest mistake companies make with data security is leaving all their secrets unprotected at one place, which if attacked, they are all gone in one shot. An unnamed law enforcement agency has reportedly accessed billions of compromised usernames, email IDs, and their passwords, collected by LeakedSource, a popular breach notification service. LeakedSource, launched in late 2015, that exposed some of the largest data breaches in 2016, including LinkedIn , DailyMotion , Rambler.ru , Last.fm , VK.com , Weebly, and Foursquare , might be facing a permanent shut down after law enforcement officers allegedly raided its operator. The LeakedSource website that allowed visitors to look up for their account details that had been collected from multiple data breaches has suddenly disappeared, and its associated social media accounts have been suspended. The data breach aggregation service had always been criticized for its unethical policy of allowing anyone to look up hacked acco
Over 43 Million Weebly Accounts Hacked; Foursquare Also Hit By Data Breach

Over 43 Million Weebly Accounts Hacked; Foursquare Also Hit By Data Breach

Oct 20, 2016
2016 is the year of data breaches that has made almost every major companies victims to the cyber attacks, resulting in compromise of over billion of online users accounts. Weebly and Foursquare are the latest victims of the massive data breach, joining the list of "Mega-Breaches" revealed in recent months, including LinkedIn , MySpace , VK.com , Tumblr , Dropbox , and the biggest one -- Yahoo . Details for over 43 Million users have been stolen from the San Francisco-based website building service Weebly, according to breach notification site LeakedSource, who had already indexed a copy of the stolen data that it received from an anonymous source. In addition, LeakedSource posted details of the cyber attack in its blog post on Thursday explaining what happened. The attack believed to have been carried out in February 2016. "Unlike nearly every other hack, the Co-founder and CTO of Weebly Chris Fanini fortunately did not have his head buried deeply in the san
Making Sense of Operational Technology Attacks: The Past, Present, and Future

Making Sense of Operational Technology Attacks: The Past, Present, and Future

Mar 21, 2024Operational Technology / SCADA Security
When you read reports about cyber-attacks affecting operational technology (OT), it's easy to get caught up in the hype and assume every single one is sophisticated. But are OT environments all over the world really besieged by a constant barrage of complex cyber-attacks? Answering that would require breaking down the different types of OT cyber-attacks and then looking back on all the historical attacks to see how those types compare.  The Types of OT Cyber-Attacks Over the past few decades, there has been a growing awareness of the need for improved cybersecurity practices in IT's lesser-known counterpart, OT. In fact, the lines of what constitutes a cyber-attack on OT have never been well defined, and if anything, they have further blurred over time. Therefore, we'd like to begin this post with a discussion around the ways in which cyber-attacks can either target or just simply impact OT, and why it might be important for us to make the distinction going forward. Figure 1 The Pu
Download: 68 Million Hacked Dropbox Accounts are Just a Click Away!

Download: 68 Million Hacked Dropbox Accounts are Just a Click Away!

Oct 04, 2016
Over a month ago, The Hacker News reported about the Dropbox Hack , where hackers had managed to steal more than 68 Million Dropbox accounts in a data breach that was initially disclosed by the online cloud storage platform in 2012. Although the initial announcement failed to reveal the true scale of the data breach, it was in late August when the breach notification service LeakBase obtained files containing details on over 68 million accounts, which contains email addresses and hashed passwords for Dropbox users. Last month, a hacker was selling this Dropbox data dump on a Dark Web marketplace known as TheRealDeal for around $1200 . However, Motherboard recently discovered that a researcher has just uploaded the full dump of hacked Dropbox database online. Download DropBox Data Dump Here: Thomas White, known online as The Cthulhu, uploaded Monday the full Dropbox data dump onto his website in a move, as he claims, to help security researchers examine the data breach.
cyber security

Automated remediation solutions are crucial for security

websiteWing SecurityShadow IT / SaaS Security
Especially when it comes to securing employees' SaaS usage, don't settle for a longer to-do list. Auto-remediation is key to achieving SaaS security.
Dropbox Hacked — More Than 68 Million Account Details Leaked Online

Dropbox Hacked — More Than 68 Million Account Details Leaked Online

Aug 31, 2016
Hackers have obtained credentials for more than 68 Million accounts for online cloud storage platform Dropbox from a known 2012 data breach. Dropbox has confirmed the breach and already notified its customers of a potential forced password resets, though the initial announcement failed to specify the exact number of affected users. However, in a selection of files obtained through sources in the database trading community and breach notification service Leakbase , Motherboard found around 5GB of files containing details on 68,680,741 accounts, which includes email addresses and hashed (and salted) passwords for Dropbox users. An unnamed Dropbox employee verified the legitimacy of the data. Out of 68 Million, almost 32 Million passwords are secured using the strong hashing function " BCrypt , " making difficult for hackers to obtain users' actual passwords, while the rest of the passwords are hashed with the SHA-1 hashing algorithm . These password hashes als
LastPass Bug Lets Hackers Steal All Your Passwords

LastPass Bug Lets Hackers Steal All Your Passwords

Jul 27, 2016
A critical zero-day flaw has been discovered in the popular cloud password manager LastPass that could allow any remote attacker to compromise your account completely. LastPass is one of the best password manager that also available as a browser extension that automatically fills credentials for you. All you need is to remember one master password to unlock all other passwords of your different online accounts, making it much easier for you to use unique passwords for different sites. However, the password manager isn't as secure as it promises. Also Read:  Popular Password Managers Are Not As Secure As You Think Google Project Zero Hacker Tavis Ormandy discovered several security issues in the software that allowed him to steal passwords stored with LastPass. " Are people really using this LastPass thing? I took a quick look and can see a bunch of obvious critical problems. I'll send a report asap ," Ormandy revealed on Twitter . Once compromise a v
Ubuntu Linux Forum Hacked! Once Again

Ubuntu Linux Forum Hacked! Once Again

Jul 15, 2016
No software is immune to being Hacked! Not even Linux. The Ubuntu online forums have been hacked, and data belonging to over 2 Million users have been compromised, Canonical just announced. The compromised users' data include their IP addresses, usernames, and email addresses, according to the company, who failed to apply a patch to secure its users' data. However, users should keep in mind that the hack did not affect the Ubuntu operating system, or it was not due to a vulnerability or weakness in the OS. Instead, the breach only affected the Ubuntu online forums that people use to discuss the OS, said BetaNews, who initially reported the news. "There has been a security breach on the Ubuntu Forums site," Jane Silber, Chief Executive Officer at Canonical wrote in a blog post . "We take information security and user privacy very seriously, follow a strict set of security practices and this incident has triggered a thorough investigation." "C
Google CEO Sundar Pichai's Quora Account Hacked

Google CEO Sundar Pichai's Quora Account Hacked

Jun 27, 2016
Nobody is immune to being Hacked! After hacking Mark Zuckerberg's Twitter and Pinterest accounts, Hacking group OurMine has successfully hacked the Quora account Google CEO Sundar Pichai and then cross-posted to his Twitter account. The hack became apparent when OurMine posted messages on Quora through Pichai's account, which then appeared on his official Twitter feed late Sunday night — Thanks to the two accounts being linked. All the tweets in question have since been removed from Pichai's Twitter feed. Unlike Mark Zuckerberg, the three-man team Saudi hackers group did not use password exposed by 2012 LinkedIn data breach; rather they claimed to have discovered a vulnerability in Quora, which is a Q&A community launched in 2010. The group behind OurMine claims it is "testing security" of accounts and teaching people to secure their online accounts better. "We are just testing people security (sic), we never change their passwords, we did it
Warning! 32 Million Twitter Passwords May Have Been Hacked and Leaked

Warning! 32 Million Twitter Passwords May Have Been Hacked and Leaked

Jun 09, 2016
The world came to know about massive data breaches in some of the most popular social media websites including LinkedIn , MySpace , Tumblr , Fling, and VK.com when an unknown Russian hacker published the data dumps for sale on the underground black marketplace. However, these are only data breaches that have been publicly disclosed by the hacker. I wonder how much more stolen data sets this Russian, or other hackers are holding that have yet to be released. The answer is still unknown, but the same hacker is now claiming another major data breach, this time, in Twitter. Login credentials of more than 32 Million Twitter users are now being sold on the dark web marketplace for 10 Bitcoins (over $5,800). LeakedSource, a search engine site that indexes leaked login credentials from data breaches, noted in a blog post that it received a copy of the Twitter database from Tessa88, the same alias used by the hacker who provided it hacked data from Russian social network VK.com
VK.com HACKED! 100 Million Clear Text Passwords Leaked Online
Hacker Selling 65 Million Passwords From Tumblr Data Breach

Hacker Selling 65 Million Passwords From Tumblr Data Breach

May 31, 2016
Earlier this month Tumblr revealed that a third party had obtained access to a set of e-mail addresses and passwords dating back from early 2013, before being acquired by Yahoo. At that time, Tumblr did not reveal the number of affected users, but in reality, around 65,469,298 accounts credentials were leaked in the 2013 Tumblr data breach, according to security expert Troy Hunt, who runs the site Have I Been Pwned . "As soon as we became aware of this, our security team thoroughly investigated the matter. Our analysis gives us no reason to believe that this information was used to access Tumblr accounts," read Tumblr's blog . A Hacker, who is going by "peace_of_mind," is selling the Tumblr data for 0.4255 Bitcoin ($225) on the darknet marketplace The Real Deal . The compromised data includes 65,469,298 unique e-mail addresses and "salted & hashed passwords." The Same hacker is also selling the compromised login account data from Fling, Li
Google Trust API plans to replace your Passwords with Trust Score

Google Trust API plans to replace your Passwords with Trust Score

May 24, 2016
The importance of increasing online security around personal information has risen due to the increase in cyber attacks and data breaches over recent years. I find it hilarious people are still choosing terrible passwords to protect their online accounts. The massive LinkedIn hack is the latest in the example that proves people are absolutely awful at picking passwords. The data breach leaked 167 Million usernames and passwords online, out of which "123456" was used by more than 750,000 accounts, followed by "LinkedIn" ( 172,523 accounts ), and "password" ( 144,458 accounts ). In a typical authentication mechanism, two-factor verification is the second layer of security that is designed to ensure that you are the only person who can access your account, even if someone knows your password. Project Abacus: Password-free Logins Now Instead of just relying on uniquely generated PINs, Google intends to use your biometrics data – like your typi
Bug Hunter Found Ways to Hack Any Instagram Accounts

Bug Hunter Found Ways to Hack Any Instagram Accounts

May 21, 2016
How to hack an Instagram account? The answer to this question is difficult to find, but a bug bounty hunter just did it without too many difficulties. Belgian bug bounty hunter Arne Swinnen discovered two vulnerabilities in image-sharing social network Instagram that allowed him to brute-force Instagram account passwords and take over user accounts with minimal efforts. Both brute-force attack issues were exploitable due to Instagram's weak password policies and its practice of using incremental user IDs. "This could have allowed an attacker to compromise many accounts without any user interaction, including high-profile ones," Swinnen wrote in a blog post describing details of both vulnerabilities. Brute-Force Attack Using Mobile Login API Swinnen discovered that an attacker could have performed brute force attack against any Instagram account via its Android authentication API URL, due to improper security implementations. According to his blog post , fo
FBI paid Hacker $1.3 Million to Unlock San Bernardino Shooter's iPhone

FBI paid Hacker $1.3 Million to Unlock San Bernardino Shooter's iPhone

Apr 22, 2016
In Brief Guess how much the FBI has paid an unknown grey-hat hacker to break into San Bernardino Shooter's iPhone? FBI Director James Comey hinted during an interview that the FBI spent more than $1.3 Million for breaking into the iPhone of a suspected terrorist and found nothing useful on it. Apple's  legal battle with the Federal Bureau of Investigation (FBI) ended following the bureau's announcement last month that it bought a hacking tool to break into the locked iPhone 5C belonging to the alleged San Bernardino shooter Syed Farook. At the time, the FBI did not disclose the name of the third party neither it revealed the cost of the hacking tool. But yesterday while speaking at the Aspen Security Forum in London, FBI Director James Comey gave a hint on the price it gave to the unnamed "outside party" for the hacking solution after Apple refused to help the agency bypass the iPhone's security mechanisms. The FBI Paid Over $1.3 MILLION f
Instagram Adds Two-Step Verification to Prevent Account from being Hacked

Instagram Adds Two-Step Verification to Prevent Account from being Hacked

Feb 17, 2016
Hijacking an online account is not a complicated procedure, not at least in 2016. Today, Instagram confirmed that the company is in the process to roll out two-factor authentication for its 400 Million users. It is impossible to make your online accounts hack-proof, but you can make them less vulnerable. Then what you can do to protect yourselves from hackers? Several companies provide more enhanced steps like Encrypted Channel Services, Security Questions, Strict Password Policy and so on. But, what would you do if a hacker had somehow managed to access your accounts' passwords? Since the online accounts do not have an intelligent agent inbuilt to verify whether the person is the legit driver of the account; beyond a username and password match. Hence the concept of Two-Factor Authentication (2FA) born out! Jumbos like Google, Facebook, Twitter and Amazon have already blended the 2FA feature with their services to tackle account hijacking. 2-F
Oh Snap! Lenovo protects your Security with '12345678' as Hard-Coded Password in SHAREit

Oh Snap! Lenovo protects your Security with '12345678' as Hard-Coded Password in SHAREit

Jan 27, 2016
What do you expect a tech giant to protect your backdoor security with? Holy Cow! It's " 12345678 " as a Hard-Coded Password . Yes, Lenovo was using one of the most obvious, awful passwords of all time as a hard-coded password in its file sharing software SHAREit that could be exploited by anyone who can guess '12345678' password. The Chinese largest PC maker made a number of headlines in past for compromising its customers security. It had shipped laptops with the insecure  SuperFish adware , it was  caught using Rootkit  to secretly install unremovable software, its  website was hacked , and it was  caught pre-installing Spyware  on its laptops. Any of these incidences could have been easily prevented. Now, Research center of Core Security CoreLabs issued an advisory on Monday that revealed several software vulnerabilities in Lenovo SHAREit app for Windows and Android that could result in: Information leaks Security protocol bypas
Someone Just Leaked Hard-Coded Password Backdoor for Fortinet Firewalls

Someone Just Leaked Hard-Coded Password Backdoor for Fortinet Firewalls

Jan 13, 2016
Are millions of enterprise users, who rely on the next-generation firewalls for protection, actually protected from hackers? Probably Not. Just less than a month after an unauthorized backdoor found in Juniper Networks firewalls, an anonymous security researcher has discovered highly suspicious code in FortiOS firewalls from enterprise security vendor Fortinet. According to the leaked information, FortiOS operating system, deployed on Fortinet's FortiGate firewall networking equipment, includes an SSH backdoor that can be used to access its firewall equipment. Anyone can Access FortiOS SSH Backdoor Anyone with " Fortimanager_Access " username and a hashed version of the " FGTAbc11*xy+Qqz27 " password string, which is hard coded into the firewall, can login into Fortinet's FortiGate firewall networking equipment. However, according to the company's product details, this SSH user is created for challenge-and-response authenti
Simple Yet Effective eBay Bug Allows Hackers to Steal Passwords

Simple Yet Effective eBay Bug Allows Hackers to Steal Passwords

Jan 12, 2016
A simple, yet effective flaw discovered on eBay's website exposed hundreds of millions of its customers to an advance  Phishing Attack . An Independent Security Researcher reported a critical vulnerability to eBay last month that had the capability to allow hackers to host a fake login page, i.e. phishing page, on eBay website in an effort to steal users' password and harvest credentials from millions of its users. The researchers, nicknamed MLT , said anyone could have exploited the vulnerability to target eBay users in order to take over their accounts or harvest thousands, or even millions, of eBay customers credentials by sending phishing emails to them. MLT published a blog post about the eBay flaw on Monday, demonstrating how easy it is to exploit the flaw like this and steal customers' passwords. Here's How ebay Hack Works The flaw actually resided in the URL parameter that allowed the hacker to inject his iFrame on the legitimate eBay
Toymaker VTech Hack Exposes 4.8 Million Customers, including Photos of Children

Toymaker VTech Hack Exposes 4.8 Million Customers, including Photos of Children

Dec 01, 2015
Earlier this month, a massive data breach at VTech – the maker of tablets and gadgets aimed at children – exposed the personal details of about 4.8 Million parents and photos of more than 200,000 Children. If that was not bad enough… …it turns out that the massive cyber attack against the toymaker company also left hundreds of thousands of snaps of parents and children , as well as a year worth of chat logs kept online in a way easily accessible to hackers. VTech Data Breach In a statement released Monday, the toymaker company VTech said the hacked database included victim's profile information including: Customers' names Email addresses Passwords ( One-way encrypted using MD5 hash that can be cracked in no time ) Secret questions and answers for password retrieval IP addresses Residential addresses Download history The database also included information on children including names, genders and date of births. Also Read: Caution! Hackers Ca
Mr. Grey Hacker (Wanted by FBI) Steals 1.2 BILLION Login Passwords

Mr. Grey Hacker (Wanted by FBI) Steals 1.2 BILLION Login Passwords

Nov 26, 2015
That's a lot of Login credentials fetch by a single hacker. The FBI believes a single hacker who goes by the moniker Mr.Grey has stolen login credentials for over 1.2 Billion online accounts – apparently the biggest heist of log-in credentials the FBI has investigated thus far. Yeah, that's not Fifty, but 1.2 Billion Shades of Grey . The information came from the court documents the federal agents submitted to support its search warrant request in 2014, Reuters reported . The cyber security firm ' Hold Security ' initially reported the theft of the credentials last year. It found out that Russian hacking group CyberVor has stolen 1.2 Billion login details and an additional 500 Million email accounts. Botnet Breach These data were said to have been harvested from over 420,000 websites via botnets looking for SQL injection flaws ; the same technique recently used to hack TalkTalk . Botnets are usually employed to attack an individual targ
Researcher releases Free Hacking Tool that Can Steal all Your Secrets from Password Manager

Researcher releases Free Hacking Tool that Can Steal all Your Secrets from Password Manager

Nov 04, 2015
Unless we are a human supercomputer, remembering a different password for every different site is not an easy task. But to solve this problem, there is a growing market of best password manager and lockers, which remembers your password for every single account and simultaneously provides an extra layer of protection by keeping them strong and encrypted. However, it seems to be true only until a hacker released a hacking tool that can silently decrypt and extract all usernames, passwords, as well as notes stored by the popular password manager KeePass . Dubbed KeeFarce , the hacking tool is developed by Kiwi hacker Denis Andzakovic and is available on GitHub  for free download. Hackers can execute KeeFarce on a computer when a user has logged into their KeePass vault, which makes them capable of decrypting the entire password archive and then dumping it to a file that attackers can steal remotely. How Does KeeFarce Work? KeeFarce obtains passwords by lever
Cybersecurity Resources