Troy Hunt Gets Phished
In case you need proof that anyone, even someone who does cybersecurity for a living, can fall for a phishing attack, Troy Hunt has a long, iterative story on his webpage about how he got phished. Worth reading. EDITED TO ADD 4/14: Commentary from Adam Shostack and Cory Doctorow...
Security expert Troy Hunt hit by phishing attack
Internet security expert and educator Troy Hunt disclosed this week that he had been hit by one of the oldest—and most proven—scams in the online world: A phishing attack. Through an automated attack disguised as a notice from Hunt’s chosen newsletter provider Mailchimp, scammers stole roughly...
NationalPublicData.com Hack Exposes a Nation’s Data
A great many readers this month reported receiving alerts that their Social Security Number, name, address and other personal information were exposed in a breach at a little-known but aptly-named consumer data broker called NationalPublicData.com. This post examines what we know about a breach...
JavaScript Fraud: More Than Just Magecart and Skimming
The global pandemic has driven a sharp rise in online traffic that provides fertile ground for attackers to execute a growing number of more sophisticated client-side attacks. For example, Magecart-style attacks are used to steal sensitive information by skimming data either through a first-party...
Alleged Hacker Behind Massive ‘Collection 1’ Data Dump Arrested
A hacker accused of selling hundreds of millions of stolen credentials from last year’s “Collection 1” data dump on the dark web has been arrested in the Ukraine. The Security Service of Ukraine (SSU) took into custody a threat actor known as “Sanix,” who they claim posted 773 million e-mail...
CISO MAG Honors KrebsOnSecurity
CISO MAG, a publication dedicated to covering issues near and dear to corporate chief information security officers everywhere, has graciously awarded this author the designation of "Cybersecurity Person of the Year" in its December 2019 issue. KrebsOnSecurity is grateful for the unexpected honor...
Google Adds Password Checkup Feature to Chrome Browser
Google will soon alert Chrome browser users of weak or compromised passwords. The checks will be in real time as Chrome users visit a password protected website. Bad passwords will trigger a red dialogue box alerting users to take action to better protect their account. The move integrates a...
Troy Hunt Looks to Sell Have I Been Pwned
Citing overwhelming demands on his time, Troy Hunt is looking for a buyer for his site, Have I Been Pwned (HIBP). HIBP offers a free service for consumers wanting to know if their user names and passwords have been compromised in a data breach; it also offers commercial services that include alerts...
Malwarebytes Labs wins best cybersecurity vendor blog at InfoSec’s European Security Blogger Awards
Infosec Europe is now well underway, and last night was the annual EU Security Blogger Awards, where InfoSecurity Magazine: …recognises the best blogs in the industry as first nominated by peers and then judged by a panel of mostly respected industry experts. Malwarebytes Labs was announced as...
773M Password ‘Megabreach’ is Years Old
My inbox and Twitter messages positively lit up today with people forwarding stories from Wired and other publications about a supposedly new trove of nearly 773 million unique email addresses and 21 million unique passwords that were posted to a hacking forum. A story in The Guardian breathlessl...
Troy Hunt on Passwords
Troy Hunt has a good essay about why passwords are here to stay, despite all their security problems: This is why passwords aren't going anywhere in the foreseeable future and why insert thing here isn't going to kill them. No amount of focusing on how bad passwords are or how many accounts have...
Public Shaming of Companies for Bad Security
Troy Hunt makes some good points, with good examples...
Revamp of ‘Pwned Passwords’ Boosts Privacy and Size of Database
Researcher Troy Hunt announced a major revamp of his Pwned Passwords tool that includes more passwords, added features and tightened privacy for organizations who want to check if their in-use passwords can easily be cracked. In V2 of Pwned Passwords, launched last week, Hunt updated his password...
Leaky RootsWeb Server Exposes Some Ancestry.com User Data
Ancestry.com said it closed portions of its community-driven genealogy site RootsWeb as it investigated a leaky server that exposed 300,000 passwords, email addresses and usernames to the public internet. In a statement issued over the weekend, Chief Information Security Officer of Ancestry.com...
Hacked Password Service Leakbase Goes Dark
Leakbase, a Web site that indexed and sold access to billions of usernames and passwords stolen in some of the world’s largest data breaches, has closed up shop. A source close to the matter says the service was taken down in a law enforcement sting that may be tied to the Dutch police raid of the...
This Retail Website Considers Password Security Optional
Most gaping security holes are terrible mistakes. But for one major Hong Kong-based online retailer called Strawberrynet, its security shortcomings are a feature. Like many ecommerce sites, registered users have an option for express checkout. What makes beauty-products website Strawberrynet uniq...
pwned - A command-line tool for querying the 'Have I been pwned?' service
A command-line tool for querying Troy Hunt's Have I been pwned? service using the hibp Node.js module. Installation: npm install pwned -g. Usage: pwned [option | command]. Commands: ba [options] get all breaches for an account (username or email address); breaches [options] get all breaches in the...
Nextcloud: help.nextcloud Email Address/Username enumeration
Hello Nextcloud, I have another finding. I found that email address enumeration and/or username enumeration is possible in signup/registration and forgot password under https://help.nextcloud.com/ ; email/username enumeration can be used for any malicious intent by a malicious-minded user. - For...
Millions of Stolen MySpace, Tumblr Credentials Being Sold Online
Hackers are peddling roughly 427 million passwords belonging to users of MySpace, a social network that in its heyday was one of the most visited sites on the internet. The same service that claimed to have information on 164 million LinkedIn users earlier this month is now boasting to have...
LinkedIn Latest Contributor to Breach Fatigue
The obvious takeaway from last week’s LinkedIn data breach revelation, where we learned hackers were selling 117 million LinkedIn usernames, email addresses and passwords from a 2012 breach, is: change your passwords, and often. The not so obvious takeaways come from noted security expert Troy Hunt,...