#1 Trusted Cybersecurity News Platform Followed by 4.50+ million
The Hacker News Logo
Subscribe – Get Latest News
Insider Risk Management

password reset | Breaking Cybersecurity News | The Hacker News

Slack Resets Passwords After a Bug Exposed Hashed Passwords for Some Users

Slack Resets Passwords After a Bug Exposed Hashed Passwords for Some Users

Aug 06, 2022
Slack said it took the step of resetting passwords for about 0.5% of its users after a flaw exposed salted password hashes when creating or revoking shared invitation links for workspaces. "When a user performed either of these actions, Slack transmitted a hashed version of their password to other workspace members," the enterprise communication and collaboration platform  said  in an alert on 4th August. Hashing refers to a cryptographic technique that transforms any form of data into a fixed-size output (called a hash value or simply hash).  Salting  is designed to add an extra security layer to the hashing process to make it resistant to brute-force attempts. The Salesforce-owned company, which reported more than  12 million daily active users  in September 2019, didn't reveal the exact  hashing algorithm  used to safeguard the passwords. The bug is said to have impacted all users who created or revoked shared invitation links between 17 April 2017 and 17 July 20
Instagram Launches 'Security Checkup' to Help Users Recover Hacked Accounts

Instagram Launches 'Security Checkup' to Help Users Recover Hacked Accounts

Jul 17, 2021
Instagram earlier this week introduced a new " Security Checkup " feature that aims to keep accounts safe and help users—whose accounts may have been compromised—to recover them. In order to gain access to accounts, users will be prompted to perform a series of steps, which include checking recent login activity, reviewing profile information, and updating contact details such as phone numbers or email. Additionally, the Facebook-owned company is also "strongly" recommending users to turn on two-factor authentication for extra security and preventing unauthorized logins. On that front, Instagram also said it would allow users in select countries to use their WhatsApp numbers to authenticate their accounts. Stressing that "Instagram will never send you a [direct message]," the social media platform cautioned users to be on the lookout for scams, wherein malicious accounts reach out via DMs to try and access sensitive information like account passwo
Cost of Account Unlocks, and Password Resets Add Up

Cost of Account Unlocks, and Password Resets Add Up

Apr 22, 2021
There are many labor-intensive tasks that the IT service desk carries out on a daily basis. None as tedious and costly as resetting passwords. Modern IT service desks spend a significant amount of time both unlocking and resetting passwords for end-users. This issue has been exacerbated by the COVID-19 pandemic. Causes of account lockouts and password resets End-user password policies, such as those found in Microsoft Active Directory Domain Services (ADDS), typically define a  password age . The password age is the length of time an end-user can keep their current password. While  new guidance from NIST  recommends against the long-held notion of forced password changes, it is still a common and required security mechanism across other compliance standards and industry certifications such as PCI and HITRUST. When the password age is reached for the user account, the user must change their account password. It is generally prompted at the next login on their workstation. This sce
cyber security

Protecting Your Organization From Insider Threats - All You Need to Know

websiteWing SecuritySaaS Security
Get practical insights and strategies to manage inadequate offboarding and insider risks effectively.
What's the Right EDR for You?

What's the Right EDR for You?

May 10, 2024Endpoint Security / Threat Detection
A guide to finding the right endpoint detection and response (EDR) solution for your business' unique needs. Cybersecurity has become an ongoing battle between hackers and small- and mid-sized businesses. Though perimeter security measures like antivirus and firewalls have traditionally served as the frontlines of defense, the battleground has shifted to endpoints. This is why endpoint detection and response (EDR) solutions now serve as critical weapons in the fight, empowering you and your organization to detect known and unknown threats, respond to them quickly, and extend the cybersecurity fight across all phases of an attack.  With the growing need to defend your devices from today's cyber threats, however, choosing the right EDR solution can be a daunting task. There are so many options and features to choose from, and not all EDR solutions are made with everyday businesses and IT teams in mind. So how do you pick the best solution for your needs? Why EDR Is a Must Because of
Using the Manager Attribute in Active Directory (AD) for Password Resets

Using the Manager Attribute in Active Directory (AD) for Password Resets

Jan 27, 2021
Creating workflows around verifying password resets can be challenging for organizations, especially since many have shifted work due to the COVID-19 global pandemic. With the numbers of cyberattacks against businesses exploding and compromised credentials often being the culprit, companies have to bolster security around resetting passwords on user accounts. How can organizations bolster the security of password resets for remote workers? One security workflow might involve having manager approval before IT helpdesk technicians can change a remote worker's password. In this way, the user's manager is involved in the process. Additionally, some organizations might opt to allow managers themselves the ability to change end-user passwords. How can this be configured in Active Directory? Also, is there a more seamless solution for requiring manager approval for password resets? Why password reset security is critical This past year has undoubtedly created many IT helpdesk st
How to Use Password Length to Set Best Password Expiration Policy

How to Use Password Length to Set Best Password Expiration Policy

Dec 17, 2020
One of the many features of an Active Directory Password Policy is the  maximum password age . Traditional Active Directory environments have long using password aging as a means to bolster password security. Native password aging in the default Active Directory Password Policy is relatively limited in configuration settings. Let's take a look at a few best practices that have changed in regards to password aging. What controls can you enforce in regards to password aging using the default Active Directory Password Policy? Are there better tools that organizations can use regarding controlling the maximum password age for Active Directory user accounts? What password aging best practices have changed? Password aging for Active Directory user accounts has long been a controversial topic in security best practices. While many organizations still apply more traditional password aging rules, noted security organizations have provided updated password aging guidance. Microsoft has 
How Organizations Can Prevent Users from Using Breached Passwords

How Organizations Can Prevent Users from Using Breached Passwords

Dec 04, 2020
There is no question that attackers are going after your sensitive account data. Passwords have long been a target of those looking to compromise your environment. Why would an attacker take the long, complicated way if they have the keys to the front door? No matter how extensive your security solutions are, protecting the various systems in your environment, your organization may likely be an easy target without proper password security. An especially vulnerable type of password is a  breached password , a.k.a "pwned" password. What is a breached password? How do you discover breached passwords in your environment? How can organizations effectively protect their end-users from using these types of passwords? The Danger of Compromised Accounts The  IBM Cost of a Data Breach Report  2020 noted compromised credentials as one of the primary contributors to malicious data breaches in the report's key findings. It noted: "Stolen or compromised credentials were the
A Self-Service Password Reset Project Can Be A Quick Win For IT

A Self-Service Password Reset Project Can Be A Quick Win For IT

Oct 12, 2020
Since the beginning of this year, organizations' IT staff have faced numerous challenges and an increased workload as a result of the global pandemic and shift to a mainly remote workforce. Supporting end-users that are now working from home has introduced new challenges in troubleshooting since it isn't as simple as visiting an end user's desk to resolve issues as they arise. One support issue common to both on-premises and remote end-users is password resets and other account-related activities. These include accounts that are locked out, passwords that have expired, and password changes. Implementing a  self-service password reset (SSPR)  solution can be a quick win for IT staff who are now supporting both on-premises and remote workers and taking care of other normal daily tasks. Let's look at why SSPR solutions can lead to quick results in lowering the overall support burden on IT staff. Increased Strain On IT Staff The global pandemic this year has been challenging for
Hostinger Suffers Data Breach – Resets Password For 14 Million Users

Hostinger Suffers Data Breach – Resets Password For 14 Million Users

Aug 26, 2019
Popular web hosting provider Hostinger has been hit by a massive data breach, as a result of which the company has reset passwords for all customers as a precautionary measure. In a blog post published on Sunday, Hostinger revealed that "an unauthorized third party" breached one of its servers and gained access to "hashed passwords and other non-financial data" associated with its millions of customers. The incident occurred on August 23 when unknown hackers found an authorization token on one of the company's servers and used it to gain access to an internal system API, without requiring any username and password. Immediately after the breach discovery, Hostinger restricted the vulnerable system, making this access no longer available, and contacted the respective authorities. "On August 23rd, 2019 we have received informational alerts that one of our servers has been accessed by an unauthorized third party," Hostinger said. "This
Update Samba Servers Immediately to Patch Password Reset and DoS Vulnerabilities

Update Samba Servers Immediately to Patch Password Reset and DoS Vulnerabilities

Mar 13, 2018
Samba maintainers have just released new versions of their networking software to patch two critical vulnerabilities that could allow unprivileged remote attackers to launch DoS attacks against servers and change any other users' passwords, including admin's. Samba is open-source software (re-implementation of SMB networking protocol) that runs on the majority of operating systems available today, including Windows, Linux, UNIX, IBM System 390, and OpenVMS. Samba allows non-Windows operating systems, like GNU/Linux or Mac OS X, to share network shared folders, files, and printers with Windows operating system. The denial of service vulnerability, assigned CVE-2018-1050 , affects all versions of Samba from 4.0.0 onwards and could be exploited "when the RPC spoolss service is configured to be run as an external daemon." "Missing input sanitization checks on some of the input parameters to spoolss RPC calls could cause the print spooler service to crash.
Rootpipe — Critical Mac OS X Yosemite Vulnerability Allows Root Access Without Password

Rootpipe — Critical Mac OS X Yosemite Vulnerability Allows Root Access Without Password

Nov 04, 2014
A Swedish Security researcher has discovered a critical vulnerability in Apple's OS X Yosemite that gives hackers the ability to escalate administrative privileges on a compromised machine, and allows them to gain the highest level of access on a machine, known as root access. The vulnerability, dubbed as " Rootpipe ", was uncovered by Swedish white-hat hacker Emil Kvarnhammar , who is holding on the full details about the privilege escalation bug until January 2015, as Apple needs some time to prepare a security patch. " Details on the #rootpipe exploit will be presented, but not now. Let's just give Apple some time to roll out a patch to affected users, " Emil Kvarnhammar, IT specialist and hacker security company Truesec, tweeted from his twitter account. By exploiting the vulnerability in the Mac OS X Yosemite , an attacker could bypass the usual safeguard mechanisms which are supposed to stop anyone who tries to root the operating system through a tempora
Hacking Gmail accounts with password reset system vulnerability

Hacking Gmail accounts with password reset system vulnerability

Nov 22, 2013
Oren Hafif , a security researcher has discovered a critical vulnerability in the Password reset process of Google account that allows an attacker to hijack any account. He managed to trick Google users into handing over their passwords via a simple spear-phishing attack by leveraging a number of flaws i.e. Cross-site request forgery (CSRF), and cross-site scripting (XSS), and a flow bypass. In a proof of concept video demonstration, the attacker sends his victim a fake " Confirm account ownership " email, claiming to come from Google. The link mention in the mail instructs the recipient to confirm the ownership of the account and urged user to change their password. The link from the email apparently points to a HTTPS  google.com URL, but it actually leads the victim to the attacker's website because of CSRF attack with a customized email address. The Google HTTPS page will will ask the victim to confirm the ownership by entering his last password and then will ask to res
Hacking Facebook Passwords like changing your own Password

Hacking Facebook Passwords like changing your own Password

Jan 08, 2013
Hacker found a way to hack and change your password like, just he used to change his own password. Confused ? Recently Facebook fix a very critical vulnerability on the tip of ' Sow Ching Shiong ' , an independent vulnerability researcher. Flaw allows anyone to reset the password of any Facebook user without knowing his last password. At Facebook, there is an option for compromised accounts at " https://www.facebook.com/hacked " , where Facebook ask one to change his password for further protection. This compromised account recovery page, will redirect you to another page at " https://www.facebook.com/checkpoint/checkpointme?f=[userid]&r=web_hacked " . Researcher notice that the URL of the page having a parameter called "f" which represents your user ID and replacing the user ID with victim's user ID allow him to get into next page where attacker can reset the password of victim without knowing his last password. The  Vulnera
Password reset Vulnerability in Facebook Employees Secure Files Transfer service

Password reset Vulnerability in Facebook Employees Secure Files Transfer service

Jan 07, 2013
Many be many of you are not aware about this, but Facebook having a Secure Files Transfer service for their Employees at https://files.fb.com  and Hacker reported a very critical password reset vulnerability. Nir Goldshlager , a researcher told ' The Hacker News ' that how he defeat Facebook 's Secure Files Transfer service and help Facebook by reporting them about this issue in a responsible non-disclosure way till patch. After analyzing the site, he found that the script Facebook is using is actually " Accellion Secure File Sharing Service " script and so next he download the demo version of service from Accellion website and explore the source codes and file locations. He found that, there is a user registration page also available in source, that was also on files.fb.com. Unfortunately Facebook had removed the Sign up option (link) from homepage, but forget to remove the registration page from its actual location i.e (/courier/web/1000@/wmReg.html)
Cybersecurity
Expert Insights
Cybersecurity Resources