
500 Million Users Affected by Yahoo Data Breach

Yahoo today confirmed that state-sponsored attackers compromised the company’s network in 2014, stealing data belonging to 500 million users. The stolen data includes names, email addresses, phone numbers, hashed passwords, dates of birth, and security questions and answers, some of which were unencrypted. Yahoo officials said they don’t believe that bank account data, payment card […]

Nearly All Top Global Companies Have Leaked Credentials Online

Many CSOs live in fear of waking up to an email reporting a data breach at their company, but the threat to an enterprise isn’t limited to a compromise of that specific organization. A new report shows that there are leaked employee credentials online for 97 percent of the top 1,000 global companies, many of which […]

macOS Sierra Release Fixes Dozens of Security Flaws

Apple has fixed nearly 20 code-execution vulnerabilities in macOS, including a number that could allow an attacker to run code with kernel privileges. The patches come as part of the release of macOS Sierra, a major update of the Mac operating system released Tuesday. Many of the more serious flaws fixed in Sierra are memory […]

Fighting Account Takeover Attacks With AuthTables

The goal of many attackers is taking over a target account. That can be the account of an admin at a large enterprise, the bank account of a high net-worth victim, or the email account of a human rights activist. While banks and financial services companies are aware of the problem, many other organizations aren’t, […]

Bypassing the CA Restrictions in Android Nougat

One of the new security features Google added to Android Nougat is a function that prevents the OS from trusting by default any user-installed certificate authorities. The goal is to protect the traffic to and from apps, but a researcher has found a way around that protection and a method to intercept HTTPS traffic from […]

Employee Password Compromise Leads to Breach at OneLogin

A password compromise of an employee at OneLogin, the identity and access management company, has led to a breach at the company that affected stored customer data that was supposed to be encrypted but was actually available in plaintext. The attack happened earlier this summer, and OneLogin officials say the attacker may have been on their […]

Fake Ransomware Targets Redis Instances

UPDATE–Researchers have found that more than 18,000 instances of the Redis data store service are exposed to the Internet and open to complete compromise by remote attackers using simple commands. Duo Labs researchers set up a Redis honeypot and ran it for a month, looking for attack patterns and quickly found that attackers are actively […]

68 Million Hashed Dropbox Passwords Dumped Online

The scope of a compromise of Dropbox four years ago that the company initially said only involved customer email addresses being stolen has now expanded, with more than 68 million user passwords dumped online. The cache comprises passwords that are hashed with either SHA-1 or bcrypt and none of them are in plaintext. When Dropbox […]

Google Login Issue Allows Credential Theft

Attackers can add an arbitrary page to the end of a Google login flow that can steal users’ credentials, or alternatively send users an arbitrary file any time a login form is submitted, due to a bug in the login process. A researcher in the UK identified the vulnerability recently and notified Google of it, […]