security breach

Scary to see details of the World’s Biggest Data Breaches

Source: http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/   No worries, the chart is very interactive and you can select what you want to see by changing the filter: The problem is that if you select like the screenshot below, you will not see anything anymore. This is scary!   Statistics? Actually, the data is scary: it seems that at any point in time there was a breach.     Here is the source of the data: https://docs.google.com/spreadsheet/ccc?key=0AmenB57kGPGKdHh6eGpTR2lPQl9NZmo3RlVzQ1N2Ymc&single=true&gid=2&range=A1%3AW400    

Read More

Yahoo was hacked in 2014 and lost the credentials of over 500Mil accounts

Oh boy…. they were hacked two years ago and they say it was a “state sponsored attack”. What the hack is that ?! How do you differentiate a hack done by an employee from a state sponsored attack? Let’s take it step by step: Yahoo has started to write to all affected customers this email: https://s.yimg.com/sf/support/en-us-security-notice-content.pdf Below is the text of the email notice sent by Yahoo to potentially affected users. Please note that the email from Yahoo about this issue does not ask you to click on any links or contain attachments and does not request your personal information. If an email you receive about this issue prompts you to click on a link, download an attachment, or asks you for information, the email was not sent by Yahoo and may be an attempt to steal your personal information. Avoid clicking on links or downloading attachments from such suspicious emails. Nice… considering that many fraudsters will make use of it.       This is what you get when you login: First link is: https://help.yahoo.com/kb/account/SLN27925.html Here are all details of the breach, or whatever this was. Now the real stuff, observe the bold sentences: Account Security Issue FAQs We have confirmed, based…


BMW and cybersecurity

Not a month passes without seeing some major car manufacturer that has cybersecurity issues. This month we have seen made public a report from February 2016 related to BMW. The short story   The BMW ConnectedDrive Web portal was found to contain a vulnerability that could result in a compromise of registered or valid vehicle identification numbers, Vulnerability Lab warns. The security bug, affecting the BMW ConnectedDrive online service web-application, is a VIN (Vehicle Identification Number) session vulnerability, security researcher Benjamin Kunz Mejri reveals. VIN, also known as chassis number, is a unique code used in the automotive industry to identify individual vehicles. The security flaw was discovered in February this year, when the researcher also found a client-side cross site scripting vulnerability in the official BMW online service web-application. By exploiting this issue, an attacker could inject malicious script codes to the client-side of the affected module context, the researcher says. The longer story In February 2016, when the ADAC’s security researchers were able to simulate the existence of a fake phone network, which BMW cars attempted to access, allowing hackers to manipulate functions activated by a SIM card. BMW said it had taken steps to eliminate possible breaches by…


Quoted in SecurityWeek.com: 45 Million Potentially Impacted by VerticalScope Hack

Source: http://www.securityweek.com/45-million-potentially-impacted-verticalscope-hack Author: Ionut Arghire, Security Week     Here is my longer comment:   LeakedSource writes on their website about a massive breach of VerticalScope.com and all its affiliated websites from February 2016. However, neither VerticalScope.com nor any of the websites mentioned in the LeakedSource page mention anything related to a hack. Even if denial of a breach is not something unseen before, after reading the Summary of the dump on LeakedSource I am starting to see here a pattern:  “Each record may contain an email address, a username, an IP address, one password and in some cases a second password”. This is exactly the same as in the Myspace breach:”Each record may contain an email address, a username, one password and in some cases a second password.” How come that two completely unrelated breaches share the dump format? Could it be that they are converted somehow into a single format before they are put on sale? The assumption regarding the VerticalScope hack is that they used some vulnerable vBulletin software. I have verified this myself and this is why I found on a couple of their websites: Doing a search on “vulnerabilities for vBulletin 3.8.7 Patch Level 3” can…


How clever social engineering can overcome two-factor authentication… or not?

If you have a Google account you must have two-factor authentication enabled in order to prevent anyone to use your account by just having your username and password. If you don’t know how to do that, check my free eBook here. 2FA requires something that you know (username and password) and something that you have (smartphone) in order to allow access to your account.Unless somebody gets all of them, they simply can’t steal your account. Until now… Alex MacCaw has published screenshots from a new scam appeared that is targeting Google users who have two-factor authentication enabled (2FA). It works like this: You receive an SMS pretending to come from Google requesting you to reply via SMS immediately with the code you receive from the real Google. Or, if you were not convinced, there is even a better version available:   I will try to hack my own GMAIL account, just to see how hard it is.   This is how Google tries to help to get your password reset: Select option 1 2. Select a recovery email address to receive a code: 3. Click on “Verify your identity” above Whoa… I don’t remember the second one …  But the first one is definitely…


Quoted on SecurityWeek.com over the 32,8 M Twitter accounts leaked

Source: http://www.securityweek.com/32-million-twitter-credentials-emerge-dark-web Author: Ionut Arghire, Security Week   The cybercriminal behind the claimed Twitter leak is the same hacker who was previously attempting to sell stolen data from Myspace, Tumblr and VK user accounts, namely Tessa88@exploit.im. The Twitter credentials have already made it online on paid search engine for hacked data LeakedSource, which says it received a total of 32,888,300 records, each containing user’s email address, username, possibly a second email, and a password. [..] What is yet unclear is how old the supposedly leaked data is, since LeakedSource doesn’t provide specific details on that, although they do suggest that some credentials might be only a couple of years old. Furthermore, IT Security expertSorin Mustaca tells SecurityWeek that the manner in which these credentials were stolen isn’t that clear either. “Interesting enough, Leakedsource writes that they “very strong evidence that Twitter was not hacked”, rather the users got infected with some malware which stole credentials directly from the browsers of any account, not only Twitter’s,” Mustaca says. “However, there is no clear evidence presented that this is indeed the case. Their explanation for malware stealing credentials from browser is not entirely valid.” Although malware that targets browsers to steal user…


LinkedIn Legal : “Important information about your LinkedIn account”

Yeah, they’ve been hacked 4 years ago and now their data is everywhere … well, almost everywhere. The LinkedIn hack of 2012 is  now being sold on the dark web. It was allegedly 167 million accounts and for a mere 5 bitcoins (about US$2.2k) you could jump over to the Tor-based trading site, pay your Bitcoins and retrieve what is one of the largest data breaches ever to hit the airwaves. Until this week, when Myspace.com leak from 2013 (or 2008!) released data of over 360Mil users.   LinkedIn’s Legal wrote :   Notice of Data Breach You may have heard reports recently about a security issue involving LinkedIn. We would like to make sure you have the facts about what happened, what information was involved, and the steps we are taking to help protect you. What Happened? On May 17, 2016, we became aware that data stolen from LinkedIn in 2012 was being made available online. This was not a new security breach or hack. We took immediate steps to invalidate the passwords of all LinkedIn accounts that we believed might be at risk. These were accounts created prior to the 2012 breach that had not reset their passwords since…


I was right about the Myspace.com data: it is indeed old

You may have heard reports recently about a security incident involving Myspace. We would like to make sure you have the facts about what happened, what information was involved and the steps we are taking to protect your information. WHAT HAPPENED? Shortly before the Memorial Day weekend, we became aware that stolen Myspace user login data was being made available in an online hacker forum. The data stolen included user login data from a portion of accounts that were created prior to June 11, 2013 on the old Myspace platform. Source: https://myspace.com/pages/blog   But there is more: WHAT INFORMATION WAS INVOLVED? Email addresses, Myspace usernames, and Myspace passwords for the affected Myspace accounts created prior to June 11, 2013 on the old Myspace platform are at risk. As you know, Myspace does not collect, use or store any credit card information or user financial information of any kind. No user financial information was therefore involved in this incident; the only information exposed was users’ email address and Myspace username and password.   Troy Hunt writes also his own analysis and not surprisingly, he thinks that the data is actually around 8 years old . Additionally, he thinks that an insider…


Quoted in SecurityWeek.com on the Myspace.com leak

Ionut Arghire of SecurityWeek wrote a very good article about the potential breach of Myspace.com: 427 Million MySpace Passwords Appear For Sale and I was quoted a lot! Thanks, Ionut! I wrote more extensively about what I think of this leak: Myspace.com was apparently hacked, 360Mil accounts on sale and nobody knows any details There are many things that aren’t right with this breach. Read the article above… Another question, after reading the above article: how come that Troy Hunt didn’t get it? Maybe because it is only available for money? The data hasn’t been tested at all and according to Troy’s article it is not valid data: no sql dump Too many yahoo.com and hotmail.com email addresses   1 @yahoo.com 126,053,325 2 @hotmail.com 79,747,231 According to Troy, Gmail should be the top email provider these days (and also 3 years ago) Partial username, partial email address, partial password -> can it get worse than this?


Myspace.com was apparently hacked, 360Mil accounts on sale and nobody knows any details

“Myspace was hacked” writes LeakedSource on their dedicated page for MySpace.com. They do not add any kind of details about this hack except that they received a copy of the data from an email address (not from the hacker). As a matter of fact, there is nowhere on the web any kind of details, not to even say proof, that this has indeed happened. This includes Myspace’s site as well. Leakedsource appears to be the only entity that knows something about these over 427 Mil passwords (for 360 Mil users). But then, Leakedsource only retweets on their wall what two other websites have written about them. There is not a single commend written by them about this hack. One of the articles even writes more details about some steps that Leakedsource took to check the validity of the data. If this is so, why is this not written in their blog? If this is true, then I can’t imagine how come they miss the opportunity to write about the possibly biggest leak of accounts (email + password) of all times?   There is something wrong here. What is actually going on? On one side, what I see there is a…


%d bloggers like this: