
20M User Data Breach Reported by PeopleConnect

PeopleConnect, the company behind the background check services TruthFinder and Instant Checkmate, has acknowledged a data breach in which hackers stole a 2019 backup database holding the personal details of millions of users.

Customers can run background checks on others using subscription-based services like TruthFinder and Instant Checkmate. Access to numerous databases containing personal data, including email addresses, physical addresses, social media profiles, arrest histories, and phone numbers, is offered.

Data for 20.22 million potential TruthFinder and Instant Checkmate users who utilized the services up to April 16th, 2019, were allegedly leaked on January 21 by a member of the Breached cybercrime and data breach forum.

When Have I Been Pwned's Troy Hunt informed PeopleConnect of the data leak, the business promptly initiated an investigation and confirmed that it intended to disclose the incident. PeopleConnect then notified TruthFinder and Instant Checkmate users that there had been a data breach on both sites.

"The list, which appears to cover all client accounts created between 2011 and 2019, was made, as we have confirmed, several years ago. Our organization produced the list that was published. Although our investigation is ongoing, it looks as though this was an accidental list release or theft. It does not appear that any user activity, such as reports or queries on our system, was involved in the published list in question, and it does not appear that payment information, passwords that can be read or used, or other methods of breaching user accounts were involved," the company said.

The business hired an outside cybersecurity firm to look into the event, which found no sign that its network had been compromised. PeopleConnect advises customers to be on the lookout for targeted phishing attempts and will provide more updates as new information becomes available.



Password Changes are Required for LastPass Customers

Despite being one of the most popular password managers on the market, LastPass has suffered another major breach, putting customers' passwords as well as their personal information at risk.

It was established just over a year ago that LastPass, a popular password manager that stores customers' passwords and other sensitive information in encrypted vaults, had been compromised by cybercriminals as a result of a data breach. 

Karim Toubba, the CEO of LastPass, who announced the hack, explained that the attackers took a copy of a backup of the information stored in customers' vaults as part of their intrusion. The attackers used cloud storage keys stolen from a LastPass employee to access the backup data.

The cache of customer password vaults is kept in a proprietary format whose specific technical and security details were not disclosed. The data in it is stored partly unencrypted and partly encrypted.

Among the unencrypted fields are some of the web addresses of the sites stored in the vault. At this point, it is not known exactly when the backups were stolen.
 
According to Toubba, an unauthorized party gained access to LastPass subscriber account data and accessed unencrypted personal data, including LastPass user names, company names, billing addresses, email addresses, phone numbers, and IP addresses. The same unauthorized party also gained access to customers' vault data and took a copy of it. The data customers store in the vault is partly unencrypted and partly encrypted; it includes the URLs of websites along with the usernames and passwords for every site kept in the vault.

Password vaults on LastPass are encrypted and can be accessed only with the customer's master password. It is worth mentioning that the company has warned that the cybercriminals who are the culprits of this intrusion may try to decrypt the copies that they took of the vault data by using brute force to guess your master password. 

Besides the names, email addresses, phone numbers, and some billing information of more than 300,000 LastPass customers, the cybercriminals took vast amounts of information from customer accounts as well.

For storing your passwords, password managers are overwhelmingly a smart idea as they enable you to create long, complex, and unique passwords for each website or service you are using. If you do not already do so, you should. However, security incidents like this remind us that not all password managers are created equal. This may mean that different ways can be used to attack, or compromise, password managers. It is very significant to take into consideration that everyone's threat model differs, so no one's requirements will be the same as someone else's. 

There are rare circumstances like this in which a bad actor may be able to access customers' encrypted password vaults, and once they have those vaults, "all they need is the master password" of the victim. An exposed or compromised vault is only as strong as the encryption used to scramble it.

As a LastPass user, the most helpful thing you can do for yourself is to replace your current master password with a new one (or passphrase) that is unique from the old one and, if you write it down, kept in a safe place. Doing so protects your LastPass vault going forward.

You must begin changing all of the passwords stored in your LastPass vault as soon as you suspect your vault might be compromised, for instance if your master password is weak or if you have used it elsewhere. Identify the most critical accounts first, such as your email account, your mobile phone account, your bank account, and your social media accounts. These are the ones that you use most frequently. Start at the top of the priority list and work your way down from there.

There is a possibility that if you are a subscriber to LastPass, you may want to look for another password manager in light of the severity of this breach. There is a serious risk of exposing your passwords and personal information if your computer is hacked by an unauthorized person.   

Is there anything LastPass customers should do?

If you are a LastPass subscriber, here's what you need to do right now:

1. Look for a new password manager to keep track of your passwords

The severity of the latest breach, combined with the company's history of security incidents, brings more reasons than ever to consider an alternative.

2. Your most important passwords should be changed immediately

Start with the passwords that matter most but are easily overlooked, such as those used for online banking, financial records, internal company logins, and medical records.

CNET asked LastPass to answer additional questions it had regarding the breach. However, the company failed to respond to the questions, and the company would not clarify how many users were affected by the breach. However, if you are a LastPass subscriber, you have to live with the fact that nobody knows who has access to your user and vault data. You are putting your trust in that party. 

Ahead of Data Privacy Day, Here are Best Password Practices to Safeguard Yourself

This week is Data Privacy Day, a day dedicated to raising awareness about how to protect your data and information online. The risks associated with the collection, processing, and storage of personal data are increasing, both on an individual and corporate level. 

Even today, most people are unsure how to respond when their rights are violated as a result of a data breach or leak. Keeper Security is sharing password best practices in order to keep accounts and data safe from threat actors. The goal is to educate consumers and businesses about privacy and to assist them in protecting themselves from the growing threat of data breaches.

Even when so-called passwordless options such as biometrics are used, the security of an individual's identity, data, and online accounts is heavily reliant on the strength of their passwords. Individuals must understand the difference between weak and strong passwords, especially since a breach could affect the organization for which they work, causing millions of dollars in damages. Data shows that stolen or weak passwords are responsible for 81% of hacking-related data breaches.

"Data Privacy Day provides an opportunity to elevate the critical importance of cybersecurity in all of our lives. The digital transformation shows no signs of slowing down, and with ever more connected devices from smartphones to smart fridges, we must all take concrete steps to protect ourselves," said Darren Guccione, CEO, and Co-founder at Keeper Security. 

He further added, "it is imperative everyone utilize strong and unique passwords for all of their accounts and store those passwords in a secure, encrypted vault to reduce their risk of an attack. The existential reality is that anyone can become a victim of cybercrime."

Think before you share, open, or click

One critical step to online safety is to avoid sharing personal information with anyone unless absolutely necessary. Keep an eye out for links in emails from suspicious or unknown senders, and learn how to spot phishing attempts. Download attachments only when you are certain they are safe.

Because it is human nature to believe what we see, aesthetics and user interface frequently trick users into clicking on a malicious, incorrect URL. The important thing is to make sure the URL matches the authentic website. When a password manager is used, it detects when the URL of a site does not match what is in the user's vault. This is an essential tool for preventing the most common types of attacks, such as phishing scams.
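The origin check described above is the part of a password manager that makes it phishing-resistant: a credential is offered only when the page's origin exactly matches the saved one, not when the address merely looks right. This is an added illustration, not code from Keeper Security or any real manager; the vault entries are constructed examples.

```python
from urllib.parse import urlsplit
from typing import Optional, Tuple

# Constructed vault entries (example values only): saved URL -> (username, secret).
VAULT = {
    "https://www.paypal.com/signin": ("alice", "example-secret-1"),
    "https://accounts.example-bank.com/login": ("alice", "example-secret-2"),
}


def origin_of(url: str) -> Tuple[str, str, int]:
    """Return (scheme, host, port), the same origin triple a browser uses.

    urlsplit().hostname ignores any user-info prefix, so a link such as
    https://www.paypal.com@evil.example/ resolves to host evil.example,
    even though the visible text starts with the familiar brand name.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"not a web URL: {url!r}")
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return parts.scheme, parts.hostname.lower(), port


def credentials_for(current_url: str) -> Optional[Tuple[str, str]]:
    """Offer a saved credential only on an exact origin match.

    Lookalike hosts, the real host used as a subdomain of another domain,
    and a downgrade from https to http all fail the check, which is what
    stops a user from autofilling a credential into a phishing page.
    """
    target = origin_of(current_url)
    for saved_url, cred in VAULT.items():
        if origin_of(saved_url) == target:
            return cred
    return None


def why_no_match(current_url: str, saved_url: str) -> str:
    """Explain which part of the origin differs, for a warning UI."""
    cur, saved = origin_of(current_url), origin_of(saved_url)
    if cur == saved:
        return "match"
    names = ("scheme", "host", "port")
    return ", ".join(f"{n}: {c!r} != {s!r}" for n, c, s in zip(names, cur, saved) if c != s)
```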

Improve your password habits by doing the following:
  • Do not use any easy-to-guess character combinations.
  • Avoid using the same password for multiple accounts, and do not incorporate any personal information.
  • Keystroke patterns and short passwords should also be avoided.
  • Avoid using repeated letters or numbers as a password.
  • Use long combinations of letters, symbols, and numbers instead.
  • Create a memorable phrase, called a passphrase, by randomly replacing certain letters with numbers or symbols.
  • Create mnemonic passwords, for example, based on significant events.

Implementing a secure password manager is the best way for online users to secure their passwords. Individuals can use an effective password manager to generate random character combinations for their passwords and save them in a password vault. Users no longer need to write passwords down or remember them, two habits that make them more vulnerable to breaches.

A password manager with zero trust and zero knowledge creates an even more secure environment for users to store their passwords. Even in the worst-case scenario of a breach, the stored data exists only as ciphertext, which means it cannot be accessed or read by a human or machine without the key.

What Are Rainbow Table Attacks and How to Safeguard Against Them?

We all use password protection, which is an effective access control method. It is likely to continue to be a crucial component of cybersecurity for years to come. On the other hand, cybercriminals use a variety of techniques to break passwords and gain access without authorization. This includes attacks using rainbow tables. What are rainbow table attacks, though, and how dangerous are they? More importantly, what can you do to defend yourself from them?

Passwords are never stored in plain text on any platform or application that takes security seriously. In other words, if your password is "password123" (which it should not be for obvious reasons), it won't be stored as such and will instead be stored as a string of letters and numbers.

Password hashing is the process of transforming plain text into an apparently random string of characters. Hashing algorithms, automated programs that use mathematical formulas to scramble and obfuscate plain text, are used to hash passwords. The most popular hashing algorithms include MD5, SHA, Whirlpool, BCrypt, and PBKDF2.

The result of running the password "password123" through the MD5 algorithm is 482c811da5d5b4bc6d497ffa98491e38. The hashed version of "password123" is represented by this string of characters, which is how your password would be stored online.

Let's assume that you are logging into your email account. You enter the password after entering your username or email address. When you enter the plain text, the email service automatically converts it to its hashed value and compares it to the hashed value it stored when you set up your password. If the values match, you are authenticated and given access to your account.

Then, what would happen in a typical rainbow table attack?

The threat actor would need to acquire password hashes first. They would either conduct a cyberattack or figure out a way to get around a company's security measures to accomplish this. Or they might spend money on a dark web dump of stolen hashes.

Rainbow Table Attacks and How They Work

The hashes would then be converted to plain text. Obviously, in a rainbow table attack, the attacker would use a rainbow table to accomplish this. Philippe Oechslin, an IT expert, invented rainbow tables based on the research of cryptologist and mathematician Martin Hellman. Rainbow tables, named after the colors that represent different functions within a table, reduce the time required to convert a hash to plain text, permitting the cybercriminal to carry out the attack more effectively.

In a typical brute force attack, the threat actor would have to decode each hashed password separately, calculate thousands of word combinations, and then compare them. This trial-and-error method still works and will probably always work, but it is time-consuming. In a rainbow table attack, an attacker only needs to run an obtained password hash through the precomputed table, repeatedly hashing and reducing it until the plain text is revealed.

This is how rainbow table attacks work in a nutshell. After cracking a password, a threat actor has a plethora of options for what to do next. They can target their victim in a variety of ways, gaining unauthorized access to a wide range of sensitive data, including information related to online banking and other similar activities.

How to Prevent Rainbow Table Attacks

Rainbow table attacks are less common than they once were, but they continue to pose a significant threat to organizations of all sizes, as well as individuals.  Here are five things you can do to prevent a rainbow table attack.

1. Set Up Complex Passwords
2. Use Multi-Factor Authentication
3. Diversify Your Passwords
4. Avoid Weak Hashing Algorithms

Password security is critical in preventing unauthorized access and various types of cyberattacks. However, it entails more than just coming up with a memorable phrase.

To improve your overall cybersecurity, you must first understand how password protection works before taking steps to safeguard your accounts. This may be overwhelming for some, but using dependable authentication methods and a password manager can make a significant difference.
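The following is an added example, not code from this post, showing why the unsalted MD5 hashing described above is reversible with a precomputed table and how the fourth tip (avoid weak hashing algorithms) works in practice: a random per-user salt plus a slow, one-way key derivation function. A plain hash-to-password dictionary stands in for a rainbow table here, since a rainbow table is a space-compressed form of the same precomputation; the wordlist is constructed and the PBKDF2 parameters are assumptions.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Constructed mini wordlist standing in for a cracking dictionary.
WORDLIST = ["letmein", "qwerty", "password123", "welcome1", "iloveyou"]


def md5_hex(password: str) -> str:
    """Unsalted MD5, the weak scheme discussed in the post."""
    return hashlib.md5(password.encode()).hexdigest()


def build_lookup_table(words) -> Dict[str, str]:
    """Precompute hash -> plaintext once; reuse it against every site.

    This only works because, without a salt, every site stores the same
    hash for the same password, so the work can be done in advance.
    """
    return {md5_hex(w): w for w in words}


def reverse_unsalted(md5_digest: str, table: Dict[str, str]) -> Optional[str]:
    """Instant reversal of a leaked unsalted hash if it is in the table."""
    return table.get(md5_digest)


def store_salted(password: str, iterations: int = 600_000) -> dict:
    """How a site should store a password: a 16-byte random salt (well
    above the 32-bit minimum NIST asks for) and PBKDF2-HMAC-SHA256, a slow
    one-way KDF. The iteration count is an assumed value, not from the post.
    """
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": dk.hex()}


def verify_salted(password: str, record: dict) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(record["salt"]), record["iterations"]
    )
    return hmac.compare_digest(dk.hex(), record["hash"])


def salted_hashes_differ(password: str, iterations: int = 600_000) -> bool:
    """Two users with the same password get different stored values, so a
    single precomputed table cannot cover both; the attacker must redo the
    slow KDF per salt, which is the whole point of salting."""
    a = store_salted(password, iterations)["hash"]
    b = store_salted(password, iterations)["hash"]
    return a != b
```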

5 Updates to Secure Data as Workers Return to Work

According to an Adastra survey, more than 77% of IT decision-makers in the U.S. and Canada estimate their organizations will likely experience a data breach over the next three years.

Employees should be aware of data security practices since the 2022 Verizon Data Breach Investigations Report states, 82% of data breaches are caused by human error, placing companies of all sizes at risk.

5 Upgrades to Data Security

1. Protect data, not simply the barrier

With approximately 90% of security resources going toward firewall technology, it appears that many firms are focusing on protecting the walls around their data. However, there are potential ways around firewalls, including via clients, partners, and staff. Such individuals can all get past external cyber security and abuse sensitive data.

2. Be aware of threats

Insider threats can be challenging to identify and stop due to their nature. It might be as simple as a worker opening an email attachment that is from a credible source and activating a ransomware worm. Threats of this nature are the most frequent and expensive worldwide.

3. Encrypt each device

A growing number of individuals prefer to work on personal devices. A solid, unchangeable data backup strategy might aid a business in making a speedy incident recovery. 

4. Create secure passwords

Most firms tend to display weak password policies, resulting in basic, generic, and hackable passwords for vital accounts that have access to private and priceless data. Passwords should be fairly complex; they should be updated every 90 days. 

5. Develop a company safety strategy

Each person who has a username and password is responsible for data security. IT administrators must regularly remind managers and employees that they are never permitted to share their login information with any third parties.

Data security is identified as the largest disruptor in 2023 by researchers as businesses continue to boost their cybersecurity resilience. According to the poll, 68% of managers say that the company has a cybersecurity unit and another 18% indicate companies are in process of building one. Only 6% of participants claimed to have no cybersecurity section.

A breach could cost significantly more than an audit from a data security firm. The estimated cost of a data breach in the US increased from $9 million to $9.4 million in 2022, as per Statista.

Goodbye, Passwords; Here is What Will Happen Next

We all have way too many passwords, and they probably are not nearly as secure as we believe. Passkeys are the next step in the evolution of passwords and aim to make passwords obsolete in favour of a more secure system. 

Password issues

We have been logging into websites, apps, and devices using usernames and passwords for a very long time. The idea is straightforward: You choose a username — often just your email address — and pair it with a special password that (ideally) only you know. 

Passwords pose a significant problem, and almost exclusively their creators are to blame. It's simple to fall into the trap of using real words or phrases because you have to remember the password. Instead of using different passwords for each website or app, it's also very common to use the same password in multiple places. 

Using your birthdate or the name of your pet as a password is obviously not very secure, but many people still do it. If attackers guess it, they can then try it in all the other places you used the same password. Because of this, it is critical to use two-factor authentication and unique passwords. Password managers have addressed this problem by generating random strings of characters for you and remembering them for you. Although that is an improvement over creating your own plain language passwords, there is still room for growth. Enter passkeys.

Difference between a passkey and a password

The username and password system hasn't changed much over the years. Consider passkeys to be a complete replacement for the antiquated password system. To sign into apps and websites, you basically use the same method you use to unlock your phone. 

That is one of the most significant differences between traditional passwords and passkeys. Your Facebook password is valid everywhere Facebook is accessible. A passkey, on the other hand, is tied to the device on which it was created. Because you're not creating a password that can be used anywhere, the passkey is much more secure. 

To sign in on another device, you can scan a QR code with your phone and go through the same security procedure. Nothing can be leaked or stolen because no passwords are used. You don't need to be concerned about a stranger across the country using your password, because you must sign in with your phone in hand.

Passkeys are an industry standard that is based on WebAuthn. Apple, Google, and Microsoft have joined the FIDO Alliance to work on eliminating passwords for authentication. Passkeys are the way of the future. 

Should You Use Passkeys?

Passkey usage is only now beginning to become more common as of the time of this writing. As previously mentioned, passkeys are supported by Apple, Google, and Microsoft. In addition, 1Password, Dashlane, PayPal, eBay, Best Buy, Kayak, and GoDaddy support them. Support is continually being added by more businesses. 

But the situation is more complex than that. You also need a browser that the website supports. For example, you'll need to use Apple Safari or Google Chrome to create a passkey for Best Buy.

You also need a password manager and an operating system that are both compatible. That is Keychain in the Apple universe. It is Password Manager or a third-party app for Google. Windows Hello is Microsoft's. 

As you can see, there are a number of layers of compatibility required, but passkey adoption is still in its infancy. You do not need to worry about any of that as a user. If a service supports the feature and you are using a compatible device, the service will ask you if you'd like to create a passkey. 

It's simple to decide to try using a passkey if you have the option. It is not only much simpler to use, but also more secure. It is more convenient to scan your fingerprint or use your Face ID to log into a website than it is to type cumbersome passwords. A passwordless future is here.

LastPass Data Leak: Data of 30 Million Users at Risk


What is LastPass Breach?

On 22nd December 2022, online password management service LastPass revealed that threat actors had stolen sensitive information from user accounts, including billing details, end-user names, email IDs, IP address information, and telephone numbers.

The leak also includes customer vault data, which consists of both unencrypted data like website URLs and encrypted data like website usernames and passwords, form-filled data, and secure notes. An earlier hack of customer data in August 2022 led to this more severe data breach. 

Risks for LastPass Users

The data of all 30 million LastPass users stored on the company servers as of August 2022 is at risk. Hackers possess a copy of your entire password vault. If a hacker manages to crack your master password, they can take full control of your online life. That means full access to your bank accounts, emails, tax information, healthcare data, social media accounts, and much more.

As per LastPass, hackers may try to brute force your master password in order to decrypt the copies of vault data they have stolen. But LastPass says this is highly unlikely: brute-force guessing of a master password can take up to a million years if the user has a strong password. But do users really have strong passwords?

Experts doubt claims by LastPass

Experts have raised doubts about LastPass' recent updates. "The statement is full of omissions, half-truths, and outright lies," says Wladimir Palant, security researcher and creator of AdBlock Plus. "The hack is a far more grave threat than reported – both to individual users as well as companies that employ LastPass for corporate password management," said senior security researcher John Scott Railton.

Jeremi Gosney, a senior information security engineer at Yahoo, has also been very critical of the response received from LastPass and the company's approach to security. He said, "in the last 10 years. I don't know what the threshold of 'number of major breaches users should tolerate before they lose all faith in the service' is, but surely it's less than 7."

Another password manager, 1Password, doubts the "millions of years" claim made by LastPass. It believes the claim rests on the assumption that the 12-character passwords of LastPass users are generated by an entirely random process. In today's age, however, threat actors with the latest tools and technology can crack such passwords in just 30 minutes.

Lessons learned from LastPass- How to protect your online life?

If you're a LastPass user, it is highly likely that your online data is at risk. The following steps can, however, help users maintain internet security:
  • Update passwords of important accounts immediately.
  • Prioritize banking, email accounts, secure document storage, and other things as suggested by TechCrunch.
  • Consider changing your password manager. You can go for other services like Bitwarden, Dashlane, and 1Password; these companies offer similar features and have better track records in protecting user data.
  • Choose a strong master password while creating an account, and make sure it's new. An ideal password should be 12-16 random characters.
  • Create an account on the breach alert website Have I Been Pwned?, which will send you updates if your account has been breached.

Find Out if Your Email Address Is Being Sold on the Dark Web


Almost everybody uses email. You have probably had a data breach if your private information, like your email address, is discovered on the dark web. There are numerous methods to sell and use your personal information.  

The portion of the Internet that is hidden and inaccessible with a standard web browser is known as the dark web. The dark web's material is encrypted and needs special software to access. The most popular method for accessing the dark web is Tor, a program that masks IP addresses and locations. Hackers can easily purchase and sell identity-related information on the dark web, including credit card data, Social Security numbers, medical records, passports, etc.

How to search for your email on the dark web

1. Launch a computer scan

Unusual or suspicious activity is a sure sign that your email account has been hijacked, so monitor your laptop for viruses. For instance, it is very likely that your account has been hijacked if you find that your recovery email address or phone number has changed.

2. Search Have I Been Pwned?

You can utilize the website Have I Been Pwned to determine whether your data has been exposed as a result of a breach. The free tool gathers data while searching the internet for database dumps.

3. Employ a password manager

The entire objective of password managers is to assist users with all aspects of password management. A built-in password generator is typically included with password managers, allowing you to create complicated, secure passwords right away. 

4. Make use of two-factor authentication

A hacker will have a much harder time gaining access thanks to the additional layer of security provided by two-factor authentication. 

You must confirm the login attempt after providing your normal information. Usually, to do this, you will get a text message with a random number that you must enter in order to access your account. By doing this, even someone who knows your email and password cannot access your accounts.  

In some circumstances, opening a new email account could be the best and safest choice. From social media to banking, disconnect all of the accounts from the compromised address and link them to a new one.  

Users ought to use more than one email account to achieve optimal security. Decentralizing your online presence and protecting your devices from cyber risks can be accomplished in large part by setting up distinct accounts for work, banking services, social networking, and newsletter subscriptions. Users must ensure they are aware of cybersecurity fundamentals because maintaining online safety takes more than just securing their email account.

Use different Passwords for Different Accounts to Avoid Security Risks

Most people repeat the same password across several of their accounts or, more seriously, set the same password for all of their accounts. There is no doubt that this is not a safe practice. According to Checkpoint, a provider of cybersecurity solutions, cybercriminals are gaining access to databases stolen from breached websites, and this lax behaviour has created an underground market for such databases among cybercriminals.

Harish Kumar, Head of Enterprise at Checkpoint wrote a blog post in which he warns that using the same password for personal and corporate accounts can be very dangerous since if hackers find a way to obtain credentials for personal accounts, they could potentially gain admin-level access to an organization. 

The report goes on to add that even though people know about the risks of recycling passwords, many of them continue to do so because they find it difficult to manage and memorize many passwords and they do not feel safe doing so. 

The state of passwords in India 

A report on password usage by Nordpass found that Indians struggle badly when it comes to passwords. According to the report, "password" was the most popular password in the country, followed by "123456" and "12345678." Each of these passwords took less than a second to crack. This could be one of the reasons why, as of 2017, India ranks as the fourth country in the world for consumer losses due to cybercrime. However, it is not the only one.

Several data theft cases have also been reported in India in the past few months. The rise in digital adoption is largely responsible for a jump like this. This can be attributed largely to the pandemic in general and its resultant push toward studying and working online. According to the cyber-security company, many new users of the Internet and companies are unaware of cybersecurity, which is increasing cybercrimes. 

According to Checkpoint, tougher security policies that impose stronger passwords are also counterproductive and, paradoxically, are viewed negatively. 

The benefits of lax cybersecurity for cybercriminals 

A crucial point that Checkpoint's report emphasizes is that attackers were quick to identify this negligence. They became aware that they could better utilize their resources on smaller websites with weaker security.

According to the report, the National Institute of Standards and Technology (NIST) officially requires that all passwords be salted with at least 32 bits and hashed using a one-way key derivation function. However, many websites fail to adhere to these guidelines, and some even store passwords in plain text. Hackers can then use the credentials they have stolen from those sites to log into more valuable websites and online services.

Furthermore, Checkpoint notes that the cybercriminals who hack websites and steal passwords are not usually the ones who use them. A more likely option for them is to sell the stolen credentials instead. Depending on whether they unlock admin-level access to an organization, some of these can sell for as much as $120,000 each.

"Combination lists," which are vast compilations of many databases of stolen email addresses and passwords, are used to compile stolen passwords, a large number of which have already been compromised. There has been a report that describes the largest combo of usernames and passwords of all time, named RockYou2021. This combo contained over 8 billion unique sets of usernames and passwords, as of August 2016. 

Checkpoint states that these stolen credentials are used in credential-stuffing attacks against organizations. In this type of attack, criminals take credentials retrieved from one site after a data breach and use them to log in to another site. A very common method involves large-scale automated login requests aimed at user accounts, including banking, social media, and a variety of other online accounts. 

Staying safe is easy if you know what to do 

A simple way to help keep your passwords safe is to never reuse them. A compromise of one account can easily lead to a compromise of another, and then to a chain of attacks. 

Try to come up with creative word combinations: special characters by themselves do not make a password secure if its base is a common word. A password such as "pass@123" contains letters, numbers, and a symbol, yet according to the Indian Government, it is the sixth most popular password out of the top 100. Also, where possible, use two-factor authentication to increase security.

Data From Honeypots Shows Bot Attack Trends Against RDP, SSH



Rapid7 collected data from its RDP and SSH honeypots over nine months, between September 10, 2021, and September 9, 2022, observing tens of millions of connection attempts in that timeframe. The honeypots, set up over two weeks, captured 215,894 unique source IP addresses and 512,002 unique passwords across both RDP and SSH. A large portion (99.997%) of the passwords can be found in the text file rockyou2021.txt.

The RockYou website was breached in 2009; the attackers found 32 million user accounts stored in cleartext and stole them. An exposed list of 14,341,564 passwords eventually became the original rockyou.txt wordlist, which is widely used in dictionary attacks and is shipped with Kali Linux as a penetration-testing aid.

Numerous password lists have been merged into the original over the years, and updated versions keep appearing. The result is the rockyou2021.txt collection, a 92 GB text file containing about 8.4 billion passwords. A pre-release version is available for free download on GitHub. 

Rapid7 explains in its report titled Good Passwords for Bad Bots (PDF), "We use the RockYou set of passwords as a source of passwords that attackers could generate and try to see if there was any evolution beyond the use of a password list." 

The fact that 99.99% of the passwords used to attack Rapid7's honeypots appear on this list probably comes as no surprise, since most of the passwords used are very common. Of the 497,848 passwords involved in the SSH attacks, only 14 are not included in rockyou2021.

Each of these 14 passwords contains the IP address of the honeypot under attack, which, as Rapid7 notes, most likely reflects a programming error in the attacker's scanner.

Among the passwords used to attack the RDP honeypots, only one, 'AuToLoG2019.09.25', is not in rockyou2021; it was the thirteenth most prevalent password observed. This is a bit puzzling, but the report notes there are malware samples containing the ‘AuToLoG’ string. “The samples are classified as generic trojans by most antivirus vendors but appear to have RDP credentials hardcoded into them,” adds the report.

Apart from the SSH scanner mistakes described above and the single AuToLoG password, every other password used in those honeypot attacks can be found in rockyou2021. In general, honeypot attacks are automated, opportunistic bot attacks that prey on weak credentials.

In its analysis of the passwords used, Rapid7 found that standard, well-known passwords were preferred over less common ones. The five most common RDP password attempts were '' (the empty string), '123', 'password', '123qwe', and 'admin', with the empty string ranking second. According to the statistics, 123456, nproc, test, qwerty, and password were the top five SSH password attempts over the last 12 months. All of these passwords, and all of the others, could have been obtained from rockyou2021.

Rockyou2021 is effectively nothing more than a massive list of words; random ASCII strings, mixed ASCII strings and special-character strings largely fall outside it. The list holds about 8.4 billion entries, whereas the number of possible seven-character printable ASCII strings alone is around 70 trillion.

As password length increases, this gap widens dramatically. The overriding conclusion from Rapid7's analysis is that long, strong random strings, such as those generated by password manager applications, which are unlikely to appear in any dictionary, provide a very strong defense against the opportunistic, bot-driven automated attacks that hackers carry out.
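As an added example, not from the Rapid7 report, the Python below does the two calculations behind the honeypot findings and the keyspace argument above: it measures how much of a set of login attempts a wordlist covers, and it compares a wordlist's size against the printable-ASCII keyspace for a given length. The wordlist and attempt samples are constructed stand-ins for rockyou2021.txt and the honeypot data.

```python
import secrets
import string
from collections import Counter

# Printable ASCII runs from space (0x20) to tilde (0x7E): 95 characters.
PRINTABLE_ASCII = 95

# Constructed stand-ins (not real data) for rockyou2021.txt and for the
# password attempts a honeypot would record.
SAMPLE_WORDLIST = {"", "123", "123456", "123qwe", "admin", "nproc",
                   "pass@123", "password", "qwerty", "test"}
SAMPLE_ATTEMPTS = ["123456", "123456", "password", "", "admin", "admin",
                   "AuToLoG2019.09.25", "qwerty", "nproc", "123qwe"]


def wordlist_coverage(attempts, wordlist):
    """Fraction of the distinct attempted passwords that appear in the
    wordlist, plus the sorted list of the ones that do not."""
    distinct = set(attempts)
    misses = sorted(p for p in distinct if p not in wordlist)
    return (len(distinct) - len(misses)) / len(distinct), misses


def top_passwords(attempts, n=5):
    """Most frequently attempted passwords, most common first."""
    return [p for p, _ in Counter(attempts).most_common(n)]


def keyspace(length, alphabet_size=PRINTABLE_ASCII):
    """Number of strings of the given length over the alphabet."""
    return alphabet_size ** length


def wordlist_fraction_of_keyspace(wordlist_size, length):
    """Share of the keyspace for one length that a wordlist can cover."""
    return wordlist_size / keyspace(length)


def random_password(length=20):
    """Password-manager style: a uniform random draw from letters, digits and
    punctuation, which no word-derived list will contain."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    share, misses = wordlist_coverage(SAMPLE_ATTEMPTS, SAMPLE_WORDLIST)
    print(f"{share:.1%} of distinct attempts are in the wordlist; misses: {misses}")
    print("top attempts:", top_passwords(SAMPLE_ATTEMPTS))
    print(f"7-char printable ASCII strings: {keyspace(7):,}")
    print(f"8.4 billion entries cover {wordlist_fraction_of_keyspace(8_400_000_000, 7):.2e} of them")
    print("example random password:", random_password())
```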

Tod Beardsley, Rapid7's director of research, notes that these automated attacks are not free, but they are low-cost. This also indicates that password managers are still not the default way of generating and storing passwords, and that needs to change. One major drawback of password managers is that they are not always intuitive or easy to use.

Password Managers Can Protect Your Online Security


Users need to create unique passwords for all their online accounts and keep track of which password belongs to which account. Passwords should combine capital and lowercase letters, numbers, and symbols.  

Using the same password for everything will not cut it: if you don't want to be an easy target for cybercriminals, choose a different password for each account. Using one easy-to-remember code across all of your accounts may be tempting, but it jeopardizes your online security and makes you a likely victim of cybercrime.  

A password manager is one of the most vital tools for staying safe online, because it simplifies creating, using, and protecting strong passwords. 

They are extremely easy to use, and it won't take you long to learn them. Although four out of five Americans do not use password managers at all, a study from Security.org found that nine out of ten do use one at some point.  

Is a password manager necessary and what are the benefits?


Password managers are online services that store your passwords and any other data you need regularly, including credit card numbers, bank account information, and identification documents, in a secure, encrypted environment. This simplifies the task and removes that weak point.

To protect your digital security, avoid unwise password habits. Use strong passwords on your accounts: weak passwords are easy to crack, and reusing passwords increases your exposure to credential stuffing, an attack that compromises accounts sharing the same or similar passwords.

With a password manager, you only have to remember one master password; the manager handles the rest. You can create strong, unique passwords for each online account without having to remember anything else, and if you are unsure how to create a strong password, the manager can generate one for you. Password managers also audit your existing passwords, flagging those that are weak or reused so you can change them.

There are also secure ways to share passwords and sensitive documents with family and friends when necessary. When shopping online, you can quickly and easily fill in your credit card details without reaching for the physical card.  

LastPass Hacked, Customer Data and Vaults Secure

The password manager LastPass recently revealed that the attackers who breached its security in August 2020 had access to its network for four days. 
 
According to LastPass's latest statements, the company suffered the intrusion over four days in August 2022. Fortunately, it was able to detect and remove the malicious actors during this period. 

In an update on the investigation into the security breach, LastPass CEO Karim Toubba published a notice stating, “We have completed the investigation and forensics process in partnership with Mandiant.” 
 
Furthermore, the company stated, “There is no evidence of any threat actor activity beyond the established timeline. We can also confirm that there is no evidence that this incident involved any access to customer data or encrypted password vaults.” 
 
During the investigation, the company found that the malicious actors gained access to the development environment by compromising a developer’s endpoint. After the developer had completed multi-factor authentication, the attackers used their persistent access to impersonate the developer and enter the development environment. 
 
However, the company said that the system design and controls of the development environment prevented the threat actors from reaching customer data or encrypted password vaults. 
 
LastPass's security model relies on a master password, which is required to access a vault and decrypt its data. LastPass does not store that master password, so no one other than the user can open the vault. In essence, LastPass has no access to its users' master passwords. 

From its analysis of source code and production builds, the company found that, because no developer can push source code from the development environment into production without going through a fixed process, the threat actors were unable to inject any code poisoning or malicious code. 
 
To support LastPass’s customers, Toubba further assured in the notice that the company has "deployed enhanced security controls including additional endpoint security controls and monitoring.” LastPass worked jointly with Mandiant, an American cybersecurity firm and a subsidiary of Google, to conclude that no sensitive data was compromised. 

In 2015, the company suffered a security incident that exposed email addresses, authentication hashes, and password reminders along with other data. Today, LastPass has approximately 33 million customers, so a similar breach would have a far larger impact and is a matter of utmost concern. LastPass assured customers that their private data and passwords are safe, as there is no evidence that any customer data was compromised. 


Japanese City Worker Loses USB Containing Resident's Personal Data

 

A Japanese city has been compelled to apologise after a contractor admitted to losing a USB memory stick holding the personal data of over 500,000 inhabitants following an alcohol-fueled night out. 

Officials in Amagasaki, western Japan, said the man, an unidentified employee of a private contractor hired to administer Covid-19 compensation payments to local households, had taken the flash drive from the city's offices to transfer the data to a contact centre in neighbouring Osaka. 

After spending Tuesday evening drinking at a restaurant, he realised on his way home that the bag holding the drive, as well as the personal information of all 460,000 Amagasaki residents, had gone missing. The next morning, he reported the loss to the police. 

According to the Asahi Shimbun, the information included the residents' names, addresses, and dates of birth, as well as data on their residence tax payments and the bank account numbers of those receiving child benefits and other welfare payments. No data leaks have been reported, as all of the information is encrypted and password protected. 

“We deeply regret that we have profoundly harmed the public’s trust in the administration of the city,” an Amagasaki official told reporters. The city said in a statement that it would “ensure security management when handling electronic data. We will work to regain our residents’ trust by heightening awareness of the importance of protecting personal information.” 

Not a new affair 

Last month, a man in Abu was handed £279,000 (US$343,000) in Covid-19 relief payments meant for 463 low-income people. Local officials said this week that they had recovered all of the money via internet payment services after the individual claimed he had gambled it all away. 

The Amagasaki incident highlights concerns about some Japanese organisations' continued use of obsolete technology. According to media reports last week, dozens of businesses and government agencies were rushing to move away from Internet Explorer before Microsoft retired the browser at midnight on Wednesday. 

According to Nikkei Asia, a sense of "panic" seized businesses and government organisations that had been slow to end their dependency on IE before Microsoft formally ceased support, leaving remaining users exposed to flaws and hacks.

This Malware is Spreading Via Fake Cracks

 

An updated sample of the CopperStealer malware has been detected, infecting devices via websites providing fraudulent cracks for applications and other software.

Cyber attackers use such bogus apps to carry out a range of attacks. In this campaign, the hackers took advantage of the demand for cracks by releasing a phoney cracked programme that actually contained malware. 

The infection starts with a website or Telegram channel offering fake cracks for download. The downloaded archive contains a text file holding a password and a second, encrypted archive. 

Entering the password given in the text file decrypts the second archive, which contains the executable files. In this sample there are two: CopperStealer and VidarStealer. 

What are the impacts of Copper Stealer and Vidar Stealer on the systems? 

CopperStealer and Vidar stealer can cause system infections, major privacy problems, financial losses, and identity theft. 
  • CopperStealer: Its primary function is to steal stored login information (usernames and passwords) as well as internet cookies from certain browsers, focusing mostly on login details for business-oriented Facebook and Instagram accounts. CopperStealer variants also seek login credentials for platforms and services such as Twitter, Tumblr, Apple, Amazon, and Bing. The malware can steal Facebook-related credentials from browsers such as Google Chrome, Microsoft Edge, Mozilla Firefox, Opera, and Yandex.
  • Vidar stealer: This malware most commonly spreads through pirated software and targeted phishing. Vidar stealer can steal credit card details, usernames, passwords, other data, and screenshots of the user's desktop. It harvests data from a range of browsers and other system apps, and can also steal cryptocurrency wallets such as Bitcoin and Ethereum. 

Safety first

Attackers can use data stealers like CopperStealer to harvest sensitive information for further illegal purposes. Users can stay secure by taking the following precautions: 
  • Avoid downloading cracks from third-party websites. 
  • Keep systems up to date with the newest patches. 
  • Enable security detection and prevention technologies to safeguard systems from attacks.

Nearly Half of Security Enterprises Store Passwords in Office Documents

 

A new survey by identity management vendor Hitachi ID found that nearly 46% of IT and security enterprises store corporate passwords in office documents such as spreadsheets, leaving them exposed to significant cyber threats. Hitachi ID surveyed 100 executives across EMEA and North America to better understand how secure their password management is. 

This indicates that IT leaders aren’t practicing what they preach: almost all (94%) participants asserted that they provide password management training, with 63% claiming they do so more than once a year.

“It raises an important question about how effective password management training is when nearly half the organizations are still storing passwords in spreadsheets and other documents, and 8% write them on sticky notes,” stated Nick Brown, CEO at Hitachi ID. “Insecure passwords are still a leading cause of cyberattacks, and education alone is clearly not enough. More companies need to follow the lead of the 30% who report that they store passwords in a company-provided password manager.” 

The worrying thing is that many enterprises know their secrets and password management isn’t up to par. Question marks were also raised about the risks posed by departing employees: only 5% said they were extremely confident that a departing employee could not take credentials with them. If they had to urgently terminate an employee, only 7% of enterprises were confident they could transfer passwords and credentials, terminate access, and maintain business continuity. 

That lack of confidence has real-world implications. Some 29% of respondents say they experienced an incident in the past year in which they lost access to product systems after an employee left the organization. Last year, it emerged that a former employee at a credit union destroyed 21GB of corporate data, including 20,000 files and almost 3,500 directories, in retaliation for being fired. 

According to Ian Reay, VP, Product Management at Hitachi ID, it is estimated that each employee might have as many as 70-100 passwords and “decentralized secrets” that could be exploited by attackers to gain access to and move through an organization. 

“In the midst of the Great Resignation, every organization should be extremely confident that passwords will stay in the company regardless of which employees come and go,” Reay concluded.

Multiple Critical Vulnerabilities Identified in Concrete CMS

 

Fortbridge researchers have uncovered multiple security bugs in a popular open-source content management system (CMS) that allow threat actors to take full control of the underlying web server.

The vulnerabilities become more threatening when combined with the insecure use of the uniqid() function that allows cybercriminals with low privileges to achieve remote code execution (RCE). 

“The uniqid() function was not cryptographically secure. Instead, it returned a pseudo-random number, allowing us to guess the name of a pseudo-random directory and then upload a web shell on the server,” Adrian Tiron from Fortbridge explained. As of 2021, more than 62,000 live websites are built with Concrete CMS. 

The first bug is a race condition in the file upload function that allows a Concrete CMS user to upload files from a remote server. Files are downloaded into ‘$temporaryDirectory’, an instance of a class called VolatileDirectory, which creates a temporary directory that is deleted at the end of each request.

According to the researchers, the generated directory name is always random, so to guess it they first needed to find out where the name came from. A single brute-force request takes 100ms, so they needed more time to carry out their attack. To get around the 60-second cURL timeout, they turned to the uniqid() function, which returns the current time to the microsecond. 

“We will add a sleep() for 30-60 seconds in the test.php file which gets downloaded from the remote server. This will basically force the CMS to keep the $temporaryDir directory for 30-60 seconds on the local filesystem before deleting it. Enough time for us to brute-force the directory name with Burp Turbo Intruder,”  researchers added.
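As an added example (not Fortbridge's or Concrete CMS's code), the Python below contrasts a directory name built the way PHP's uniqid() builds one, eight hex digits of seconds plus five of microseconds, with a name drawn from the OS CSPRNG, and quantifies why the clock-derived name offers only microsecond-resolution entropy once the time window is known. The sample timestamp and byte length are assumptions for this example.

```python
import math
import secrets

# PHP's uniqid() without the more_entropy flag formats the current time as
# eight hex digits of seconds followed by five hex digits of microseconds.


def uniqid_like_name(seconds: int, microseconds: int) -> str:
    """Mimic the weak scheme: a name that is purely a function of the clock."""
    return f"{seconds:08x}{microseconds:05x}"


def random_dir_name(nbytes: int = 16) -> str:
    """Hardened scheme: a name drawn from the OS CSPRNG (128 bits by default).
    Python's tempfile.mkdtemp() does the equivalent for real temp directories."""
    return secrets.token_hex(nbytes)


def clock_name_candidates(window_seconds: float) -> int:
    """How many distinct clock-derived names can exist inside a window: one
    per microsecond, however random the 13 hex digits may look."""
    return int(window_seconds * 1_000_000)


def entropy_bits_clock(window_seconds: float) -> float:
    """Effective entropy of a clock-derived name once the window is known."""
    return math.log2(clock_name_candidates(window_seconds))


def entropy_bits_random(nbytes: int = 16) -> int:
    """Entropy of a CSPRNG-derived name: every byte is uniform."""
    return 8 * nbytes


if __name__ == "__main__":
    # Constructed sample timestamp (seconds and microseconds).
    print("clock-derived name:", uniqid_like_name(0x64A0B3C2, 0x1F3A))
    print("random name:       ", random_dir_name())
    for window in (1, 60):
        print(f"{window:>3}s window: {clock_name_candidates(window):,} candidates, "
              f"~{entropy_bits_clock(window):.1f} bits")
    print(f"random name: {entropy_bits_random()} bits")
```

The comparison is the fix's rationale: keeping the temporary directory alive for 60 seconds, as the quote describes, leaves a clock-derived name with under 26 bits of uncertainty, while a CSPRNG name keeps its full 128 regardless of how long the directory lives.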

How to keep your site safe 

Users should always keep software up to date with security patches and new releases. This includes operating systems, web services, server-side parsers, content management systems, databases, and all plug-ins.

Users are advised to uninstall all applications and services that aren't necessary and to run only those required for the website and CMS to operate. A password manager helps ensure that you use unique passwords on every site.

McDonald’s Password for the Monopoly VIP Database Leaked

 

The fast-food chain McDonald's mistakenly sent out emails with login credentials associated with a database for its Monopoly VIP game. 

McDonald's UK had to postpone the famous Monopoly VIP game for a year due to the COVID-19 pandemic. This year, on August 25th, McDonald's reintroduced the game. 

McDonald's Monopoly is a well-known marketing gimmick in which customers can win gifts and money by entering codes found on purchases. Basically, every time a person purchases a meal from a McDonald's restaurant, they have a chance to win a gift. 

Unfortunately, the game hit a roadblock over the weekend when a bug caused the prize redemption emails sent to winners to include the user names and passwords for the production and staging database servers. 

Troy Hunt shared with BleepingComputer an unredacted screenshot of an exception error in an email sent to prize winners, which includes critical information about the web application. 

The redacted email sent to a Monopoly VIP winner contained hostnames for Azure SQL databases and the databases' login names and passwords. The prize winner who shared the email with Troy Hunt stated that the production server was firewalled off but that the staging server could be accessed using the attached credentials. 

The person informed Troy Hunt in an email published with BleepingComputer, "I tried to connect to production to gauge the severity of the issue and whether or not getting in touch was an urgent matter but luckily for them they had a set of firewall rules setup. I did however gain access to staging, which I disconnected from immediately for obvious reasons." 

Since these databases may have contained winning prize codes, an unethical individual could have obtained unused game codes and used them to claim rewards. 

Luckily for McDonald's, the individual responsibly reported the problem to them. They did not receive a reply but later discovered that the staging server's password had been changed. 

This was not an isolated report, as several people claimed to have seen the credentials and even went so far as to record their experience on TikTok. 

McDonald's told BleepingComputer that only the staging server's credentials were compromised, even though the error message clearly showed credentials for both a production and a staging server.

In a statement, McDonald's told BleepingComputer, "Due to an administrative error, a small number of customers received details for a staging website by email. No personal details were compromised or shared with other parties." 

"Those affected will be contacted to reassure them that this was a human error and that their information remains safe. We take data privacy very seriously and apologize for any undue concern this error has caused.”