The Hacker News Logo
Subscribe to Newsletter

The Hacker News - Cybersecurity News and Analysis: password security

Android Cookie-Stealing Malware Found Hijacking Facebook Accounts

Android Cookie-Stealing Malware Found Hijacking Facebook Accounts

March 13, 2020Ravie Lakshmanan
A new simple but dangerous strain of Android malware has been found in the wild that steals users' authentication cookies from the web browsing and other apps, including Chrome and Facebook, installed on the compromised devices. Dubbed " Cookiethief " by Kaspersky researchers, the Trojan works by acquiring superuser root rights on the target device, and subsequently, transfer stolen cookies to a remote command-and-control (C2) server operated by attackers. "This abuse technique is possible not because of a vulnerability in the Facebook app or browser itself," Kaspersky researchers said. "Malware could steal cookie files of any website from other apps in the same way and achieve similar results." Cookiethief: Hijacking Accounts Without Requiring Passwords Cookies are small pieces of information that's often used by websites to differentiate one user from another, offer continuity around the web, track browsing sessions across different
LifeLabs Paid Hackers to Recover Stolen Medical Data of 15 Million Canadians

LifeLabs Paid Hackers to Recover Stolen Medical Data of 15 Million Canadians

December 18, 2019Mohit Kumar
LifeLabs, the largest provider of healthcare laboratory testing services in Canada, has suffered a massive data breach that exposed the personal and medical information of nearly 15 million Canadians customers. The company announced the breach in a press release posted on its website, revealing that an unknown attacker unauthorizedly accessed its computer systems last month and stole customers' information, including their: Names Addresses Email addresses Login information Passwords, for their LifeLabs account Dates of birth Health card numbers Lab test results The Toronto-based company discovered the data breach at the end of October, but the press release does not say anything about the identity of the attacker(s) and how they managed to infiltrate its systems. However, LifeLabs admitted it paid an undisclosed amount of ransom to the hackers to retrieve the stolen data, which indicates that the attack might have been carried out using a ransomware style malw
UNIX Co-Founder Ken Thompson's BSD Password Has Finally Been Cracked

UNIX Co-Founder Ken Thompson's BSD Password Has Finally Been Cracked

October 11, 2019Mohit Kumar
A 39-year-old password of Ken Thompson , the co-creator of the UNIX operating system among, has finally been cracked that belongs to a BSD-based system, one of the original versions of UNIX, which was back then used by various computer science pioneers. In 2014, developer Leah Neukirchen spotted an interesting " /etc/passwd " file in a publicly available source tree of historian BSD version 3, which includes hashed passwords belonging to more than two dozens Unix luminaries who worked on UNIX development, including Dennis Ritchie, Stephen R. Bourne, Ken Thompson, Eric Schmidt, Stuart Feldman, and Brian W. Kernighan. Since all passwords in that list are protected using now-depreciated DES-based crypt(3) algorithm and limited to at most 8 characters, Neukirchen decided to brute-force them for fun and successfully cracked passwords (listed below) for almost everyone using password cracking tools like John the Ripper and hashcat. The ones that she wasn't able to crack
DoorDash Breach Exposes 4.9 Million Users' Personal Data

DoorDash Breach Exposes 4.9 Million Users' Personal Data

September 27, 2019Swati Khandelwal
Do you use DoorDash frequently to order your food online? If yes, you are highly recommended to change your account password right now . DoorDash—the popular on-demand food-delivery service—today confirmed a massive data breach that affects almost 5 million people using its platform, including its customers, delivery workers, and merchants as well. DoorDash is a San Francisco-based on-demand food delivery service (just like Zomato and Swiggy in India) that connects people with their local restaurants and get delivered food on their doorsteps with the help of contracted drivers, also known as "Dashers." The service operates in more than 4,000 cities across the United States and Canada. What happened? In a blog post published today, DoorDash said the company became aware of a security intrusion earlier this month after it noticed some "unusual activity" from a third-party service provider. Immediately after detecting the security intrusion, the comp
XKCD Forum Hacked – Over 562,000 Users’ Account Details Leaked

XKCD Forum Hacked – Over 562,000 Users' Account Details Leaked

September 03, 2019Mohit Kumar
XKCD —one of the most popular webcomic platforms known for its geeky tech humor and other science-laden comic strips on romance, sarcasm, math, and language—has suffered a data breach exposing data of its forum users. The security breach occurred two months ago, according to security researcher Troy Hunt who alerted the company of the incident, with unknown hackers stealing around 562,000 usernames, email and IP addresses, as well as hashed passwords. However, the leaked data was actually discovered by security researcher and data analyst Adam Davies, who shared a copy of it with Hunt. At the time of writing, XKCD has taken down its forum and posted a short notice on its homepage, as shared below, urging its users to change their passwords immediately. "The xkcd forums are currently offline. We've been alerted that portions of the PHPBB user table from our forums showed up in a leaked data collection. The data includes usernames, email addresses, salted, hashe
Foxit PDF Software Company Suffers Data Breach—Asks Users to Reset Password

Foxit PDF Software Company Suffers Data Breach—Asks Users to Reset Password

August 30, 2019Swati Khandelwal
If you have an online account with Foxit Software, you need to reset your account password immediately—as an unknown attacker has compromised your personal data and log-in credentials. Foxit Software, a company known for its popular lightweight Foxit PDF Reader and PhantomPDF applications being used by over 525 million users, today announced a data breach exposing the personal information of 'My Account' service users. Though for using free versions of any Foxit PDF software doesn't require users to sign up with an account, the membership is mandatory for customers who want to access "software trial downloads, order histories, product registration information, and troubleshooting and support information." According to a blog post published today by Foxit, unknown third-parties gained unauthorized access to its data systems recently and accessed its "My Account" registered users' data, including their email addresses, passwords, users' n
Android Users Can Now Log in to Google Services Using Fingerprint

Android Users Can Now Log in to Google Services Using Fingerprint

August 12, 2019Swati Khandelwal
If you're using Chrome on Android, you can now sign-in to your Google account and some of the other Google services by simply using your fingerprint, instead of typing in your password every time. Google is rolling out a new feature, called " local user verification ," that allows you to log in to both native applications and web services by registering your fingerprint or any other method you've set up to unlock your Android device, including pins, pattern or password. The newly introduced mechanism, which has also been named "verify it's you," takes advantage of Android's built-in FIDO2 certified security key feature that Google rolled out earlier this year to all devices running Android version 7.0 Nougat or later. Besides FIDO2 protocol, the feature also relies on W3C WebAuthn (Web Authentication API) and FIDO Client to Authenticator Protocol (CTAP), which are designed to provide simpler and more secure authentication mechanism that sit
Slack Resets Passwords For Users Who Hadn't Changed It Since 2015 Breach

Slack Resets Passwords For Users Who Hadn't Changed It Since 2015 Breach

July 18, 2019Swati Khandelwal
If you use Slack, a popular cloud-based team collaboration server, and recently received an email from the company about a security incident, don't panic and read this article before taking any action. Slack has been sending a "password reset" notification email to all those users who had not yet changed passwords for their Slack accounts since 2015 when the company suffered a massive data breach. For those unaware, in 2015, hackers unauthorisedly gained access to one of the company's databases that stored user profile information, including their usernames, email addresses, and hashed passwords. At that time, attackers also secretly inserted code, probably on the login page, which allowed them to capture plaintext passwords entered by some Slack users during that time. However, immediately following the security incident, the company automatically reset passwords for those small number of Slack users whose plaintext passwords were exposed, but asked other aff
A New Ransomware Is Targeting Network Attached Storage (NAS) Devices

A New Ransomware Is Targeting Network Attached Storage (NAS) Devices

July 10, 2019Mohit Kumar
A new ransomware family has been found targeting Linux-based Network Attached Storage (NAS) devices made by Taiwan-based QNAP Systems and holding users' important data hostage until a ransom is paid, researchers told The Hacker News. Ideal for home and small business, NAS devices are dedicated file storage units connected to a network or through the Internet, which allow users to store and share their data and backups with multiple computers. Independently discovered by researchers at two separate security firms, Intezer and Anomali, the new ransomware family targets poorly protected or vulnerable QNAP NAS servers either by brute forcing weak SSH credentials or exploiting known vulnerabilities. Dubbed " QNAPCrypt " by Intezer and " eCh0raix " by Anomali, the new ransomware is written in the Go programming language and encrypts files with targeted extensions using AES encryption and appends .encrypt extension to each. However, if a compromised NAS devic
Google Stored G Suite Users' Passwords in Plain-Text for 14 Years

Google Stored G Suite Users' Passwords in Plain-Text for 14 Years

May 22, 2019Swati Khandelwal
After Facebook and Twitter, Google becomes the latest technology giant to have accidentally stored its users' passwords unprotected in plaintext on its servers—meaning any Google employee who has access to the servers could have read them. In a blog post published Tuesday, Google revealed that its G Suite platform mistakenly stored unhashed passwords of some of its enterprise users on internal servers in plaintext for 14 years because of a bug in the password recovery feature. G Suite, formerly known as Google Apps, is a collection of cloud computing, productivity, and collaboration tools that have been designed for corporate users with email hosting for their businesses. It's basically a business version of everything Google offers. The flaw, which has now been patched, resided in the password recovery mechanism for G Suite customers that allows enterprise administrators to upload or manually set passwords for any user of their domain without actually knowing their
Bluetooth Flaw Found in Google Titan Security Keys; Get Free Replacement

Bluetooth Flaw Found in Google Titan Security Keys; Get Free Replacement

May 16, 2019Swati Khandelwal
A team of security researchers at Microsoft discovered a potentially serious vulnerability in the Bluetooth-supported version of Google's Titan Security Keys that could not be patched with a software update. However, users do not need to worry as Google has announced to offer a free replacement for the affected Titan Security Key dongles. In a security advisory published Wednesday, Google said a "misconfiguration in the Titan Security Keys Bluetooth pairing protocols" could allow an attacker who is physically close to your Security Key (~within 30 feet) to communicate with it or the device to which your key is paired. Launched by Google in August last year, Titan Security Key is a tiny low-cost USB device that offers hardware-based two-factor authentication (2FA) for online accounts with the highest level of protection against phishing attacks. Titan Security Key, which sells for $50 in the Google Store, includes two keys—a USB-A security key with NFC, and a
New York, Canada, Ireland Launch New Investigations Into Facebook Privacy Breaches

New York, Canada, Ireland Launch New Investigations Into Facebook Privacy Breaches

April 27, 2019Swati Khandelwal
Facebook has a lot of problems, then there are a lot of problems for Facebook—and both are not going to end anytime sooner. Though Facebook has already set aside $5 billion from its revenue to cover a possible fine the company is expecting as a result of an FTC investigation over privacy violations, it seems to be just first installment of what Facebook has to pay for continuously ignoring users' privacy. This week, Facebook has been hit with three new separate investigations from various governmental authorities—both in the United States and abroad—over the company's mishandling of its users' data . New York Attorney General to Investigate Facebook Email Collection Scandal New York Attorney General is opening an investigation into Facebook's unauthorized collection of the email contacts of more than 1.5 million users during site registration without their permission. Earlier this month, Facebook was caught practicing the worst ever user-verification mechanism
Facebook Mistakenly Stored Millions of Users' Passwords in Plaintext

Facebook Mistakenly Stored Millions of Users' Passwords in Plaintext

March 21, 2019Mohit Kumar
Holy moly, Facebook is again at the center of a new privacy controversy after revealing today that its platform mistakenly kept a copy of passwords for "hundreds of millions" users in plaintext. What's more? Not just Facebook, Instagram users are also affected by the latest security incident. So, if you are one of the affected users, your Facebook or Instagram password was readable to some of the Facebook engineers who have internal access to the servers and the database. Though the social media company did not mention exactly what component or application on its website had the programmatic error that caused the issue, it did reveal that the company discovered the security blunder in January this year during a routine security check. In a blog post published today, Facebook's vice president of engineering Pedro Canahuati said an internal investigation of the incident found no evidence of any Facebook employee abusing those passwords. "To be clear, t
Android Gets FIDO2 Certification—Now Supports Secure Passwordless Logins

Android Gets FIDO2 Certification—Now Supports Secure Passwordless Logins

February 25, 2019Swati Khandelwal
Great news. If you have already installed the latest update of Google Play Services released earlier today, and your Android device is running Android version 7.0 Nougat or above—Congratulations! Your device is now FIDO2 Certified. Are you thinking… what the heck that actually means? It means, instead of remembering complex passwords for your online accounts, you can now actually use your Android's built-in fingerprint sensor or FIDO security keys for secure password-less access to log into apps and websites that support the FIDO2 protocols, Google and the FIDO Alliance—a consortium that develops open source authentication standards—announced Monday. FIDO2 (Fast Identity Online) protocol offers strong passwordless authentication based on standard public key cryptography using hardware FIDO authenticators like security keys, mobile phones, and other built-in devices. FIDO2 protocol is a combination of W3C's WebAuthn API that allows developers to integrate FIDO aut
Google's New Tool Alerts When You Use Compromised Credentials On Any Site

Google's New Tool Alerts When You Use Compromised Credentials On Any Site

February 05, 2019Mohit Kumar
With so many data breaches happening almost every week, it has become difficult for users to know if their credentials are already in possession of hackers or being circulated freely across the Internet. Thankfully, Google has a solution. Today, February 5, on Safer Internet Day, Google launches a new service that has been designed to alert users when they use an exact combination of username and password for any website that has previously been exposed in any third-party data breach. The new service, which has initially been made available as a free Chrome browser extension called Password Checkup , works by automatically comparing the user's entered credential on any site to an encrypted database that contains over 4 billion compromised credentials. If the credentials are found in the list of compromised ones, Password Checkup will prompt users to change their password. Wondering if Google can see your login credentials? No, the company has used a privacy-oriented i
Instagram Accidentally Exposed Some Users' Passwords In Plaintext

Instagram Accidentally Exposed Some Users' Passwords In Plaintext

November 19, 2018Swati Khandelwal
Instagram has recently patched a security issue in its website that might have accidentally exposed some of its users' passwords in plain text. The company recently started notifying affected users of a security bug that resides in a newly offered feature called "Download Your Data" that allows users to download a copy of their data shared on the social media platform, including photos, comments, posts, and other information that they have shared on the platform. To prevent unauthorized users from getting their hands on your personal data, the feature asks you to reconfirm your password before downloading the data. However, according to Instagram, the plaintext passwords for some users who had used the Download Your Data feature were included in the URL and also stored on Facebook's servers due to a security bug that was discovered by the Instagram internal team. The company said the stored data has been deleted from the servers owned by Facebook, Instagra
Finland's 3rd Largest Data Breach Exposes 130,000 Users' Plaintext Passwords

Finland's 3rd Largest Data Breach Exposes 130,000 Users' Plaintext Passwords

April 06, 2018Mohit Kumar
Over 130,000 Finnish citizens have had their credentials compromised in what appears to be third largest data breach ever faced by the country, local media reports . Finnish Communications Regulatory Authority (FICORA) is warning users of a large-scale data breach in a website maintained by the New Business Center in Helsinki ("Helsingin Uusyrityskeskus"), a company that provides business advice to entrepreneurs and help them create right business plans. Unknown attackers managed to hack the website ( https://liiketoimintasuunnitelma.com ) and stole over 130,000 users' login usernames and passwords, which were stored on the site in plain-text without using any cryptographic hash. Right after knowing of the breach on 3rd April, the company took down the affected website, which is currently showing "under maintenance" notice with a press release about the incident on its homepage. "We are very sorry for all the people who have been subjected to crime a
Cardiac Scan Authentication — Your Heart As Your Password

Cardiac Scan Authentication — Your Heart As Your Password

September 27, 2017Swati Khandelwal
Forget fingerprint authentication, retinal scanning or advanced facial recognition that has recently been implemented by Apple in its iPhone X—researchers developed a new authentication system that doesn't require any of your interaction, as simply being near your device is more than enough. A group of computer scientists at the University of Buffalo, New York, have developed a new cardiac-scan authentication system that uses your heart's shape and size as a unique biometric to identify and authenticate you. Dubbed Cardiac Scan , the new authentication system makes use of low-level Doppler radar to wirelessly and continuously map out the dimensions of your beating heart, granting you access to your device so long as you're near it. In simple words, your office device should be able to recognise that it is you sitting in front of the computer, and sign you in without any password or interaction, and automatically should log you out if you step away from your compute
9 Popular Password Manager Apps Found Leaking Your Secrets

9 Popular Password Manager Apps Found Leaking Your Secrets

March 01, 2017Wang Wei
Is anything safe? It's 2017, and the likely answer is NO. Making sure your passwords are secure is one of the first line of defense – for your computer, email, and information – against hacking attempts, and Password Managers are the one recommended by many security experts to keep all your passwords secure in one place. Password Managers are software that creates complex passwords, stores them and organizes all your passwords for your computers, websites, applications and networks, as well as remember them on your behalf. But what if your Password Managers itself are vulnerable? Well, it's not just an imagination, as a new report has revealed that some of the most popular password managers are affected by critical vulnerabilities that can expose user credentials. The report, published on Tuesday by a group of security experts from TeamSIK of the Fraunhofer Institute for Secure Information Technology in Germany, revealed that nine of the most popular Android pass
Password Manager Pro — Easiest Way to Keep Enterprises Secure

Password Manager Pro — Easiest Way to Keep Enterprises Secure

November 30, 2016Swati Khandelwal
Recent corporate breaches have taught us something important — the average enterprise user is spectacularly bad at choosing good passwords. As modern enterprise is becoming a hybrid organization with infrastructure spread across on-premises data centers as well as in the cloud, security of information, applications, and assets has become a paramount concern. Cyber security is no longer an optional strategy for businesses, where limited visibility into the password practices of employees and ineffective monitoring of privileged credentials could end up an organization with a serious security breach and identity theft. The first line of defense for any organization or company is passwords, but most organizations grossly underestimate the need to comply with corporate password policies and meet IT regulatory requirements. Large enterprises have a policy in place that requires end users to choose strong passwords that can withstand dictionary and brute-force attacks, but it come
Exclusive Offers

Sign up for cybersecurity newsletter and get latest news updates delivered straight to your inbox daily.