passwords

What's inside the windowless AT&T/NSA spying hub in lower Manhattan?

The windowless, 550'-tall AT&T tower at 33 Thomas Street in lower Manhattan is the building referred to as TITANPOINTE in the NSA documents leaked by Edward Snowden, and was likely the staging point for the NSA's BLARNEY operation, which illegally spied upon communications to and from "International Monetary Fund, the World Bank, the Bank of Japan, the European Union, the United Nations, and at least 38 different countries, including U.S. allies such as Italy, Japan, Brazil, France, Germany, Greece, Mexico, and Cyprus." Read the rest

300 million Adultfriendfinder accounts breached

Adultfriendfinder, "the world's largest sex & swinger community," has suffered a major breach, leaking 300,000,000 accounts' worth of personal information, namely email addresses, passwords, usernames, IP addresses and browser information. Read the rest

Plaintext passwords galore in huge AdultFriendFinder hack

AdultFriendFinder was hacked (again) in October 2016. According to LeakedSource, which acquired a copy of the dataset, this amounts to more than 400m accounts, many with plaintext passwords, from AdultFriendFinder and associated websites.

The site was compromised with a local file inclusion exploit, which means the website's code allowed access to files on the server that aren't supposed to be public.

Nearly a million accounts have the password "123456". More than 100,000 have the password "password".

The non-plaintext passwords were easily cracked anyway, apparently due to some roll-your-own encryption that involved lowercasing everything, SHA1ing it and going back to bed. The longest passwords were "pussy.passwordLimitExceeded:07/1" and "gladiatoreetjaimelesexetjaimefum", with a Blackadder fan in #3 with "antidisestablishmentarianism" and a sybarite who reads XKCD in #4 with "pussypussymoneymoneyweedweed."

Hotmail was the most common email provider, followed by Yahoo and gmail. These three accounted for the vast majority of registered addresses, with AOL and Live an order of magnitude down.

Leaked Source isn't making the data set publicly available; but if they have it, others might too. Read the rest

The internet's core infrastructure is dangerously unsupported and could crumble (but we can save it!)

Nadia Eghbal's Roads and Bridges: The Unseen Labor Behind Our Digital Infrastructure is a long, detailed report on the structural impediments to maintaining key pieces of free/open software that underpin the internet -- it reveals the startling fragility of tools that protect the integrity, safety, privacy and finances of billions of people, which are often maintained by tiny numbers of people (sometimes just one person). Read the rest

Unsecured Internet of Things gadgets get hacked within 40 minutes of being connected to the net

The Atlantic's Andrew McGill set up a virtual server on Amazon's cloud that presented to the internet as a crappy, insecure Internet of Things toaster; 41 minutes later, a hacked IoT device connected to it and tried to hack it. Within a day, the "toaster" had been hacked more than 300 times. Read the rest

China electronics maker will recall some devices sold in U.S. after massive IoT hack

A China-based maker of surveillance cameras said Monday it will recall some products sold in the United States after a massive "Internet of Things" malware attack took down a major DNS provider in a massive DDOS attack. The stunningly broad attack brought much internet activity to a halt last Friday.

Read the rest

If you bail on Yahoo Mail, forget about having your email forwarded

A week after the revelations that Yahoo illegally allowed American spies to access all Yahoo users' email (possibly via a dangerous rootkit), and two weeks after admitting that 500,000,000 Yahoo Mail users' passwords were leaked years previously, possibly to a "state actor," the company has disabled email forwarding for Yahoo Mail users. Read the rest

The malware that's pwning the Internet of Things is terrifyingly amateurish

Following the release of the sourcecode for the Mirai botnet, which was used to harness DVRs, surveillance cameras and other Internet of Things things into one of the most powerful denial-of-service attacks the internet has ever seen, analysts have gone over its sourcecode and found that the devastatingly effective malware was strictly amateur-hour, a stark commentary on the even worse security in the millions and millions of IoT devices we've welcomed into our homes. Read the rest

Company suspected of blame in Office of Personnel Management breach will help run new clearance agency

In 2014, the US Office of Personnel Management was hacked (presumably by Chinese spies), and leaked 22,000,000+ records of Americans who'd applied for security clearance, handing over the most intimate, compromising details of their lives (the clearance process involves disclosing anything that could be used to blackmail you in the future). This didn't come to light until 2015. Read the rest

Your next DDoS attack, brought to you courtesy of the IoT

The internet is reeling under the onslaught of unprecedented denial-of-service attacks, the sort we normally associate with powerful adversaries like international criminal syndicates and major governments, but these attacks are commanded by penny-ante crooks who are able to harness millions of low-powered, insecure Internet of Things devices like smart lightbulbs to do their bidding. Read the rest

Let's kill inane "(in)security questions"

After last week's revelation of a record-smashing breach at Yahoo (which the company covered up for years), security researcher Matt Blaze tweeted: "Sorry, but if you have a Yahoo account, you will need to find a new mother, and have grown up on a different street." Ha, ha, only serious. Read the rest

Social media site targeted at teen girls is leaking 5.5M+ passwords right now

I-Dressup is a social media site aimed at teen and tween girls, where users play and interact with fashion. Six days ago, Ars Technica's Dan Goodin contacted I-Dressup to tell them that they were leaking more than 5.5 million cleartext passwords, and that a hacker had already downloaded 2.2 million of them. Read the rest

Yahoo says at least 500 million accounts hacked, blames "state-sponsored actor"

Yahoo today confirmed that it suffered a massive data breach that exposed information for at least 500 million user accounts in 2014. If you have a Yahoo account, the company says you should review all your online accounts for any suspicious activity.

Read the rest

Jigsaw: "wildly ambitious" Google spin-out aimed at tackling "surveillance, extremist indoctrination, censorship"

Technologists have a dismal pattern: when it comes to engineering challenges ("build a global-scale comms platform") they rub their hands together with excitement; when it comes to the social challenges implied by the engineering ones ("do something about trolls") they throw their hands up and declare the problem to be too hard to solve. Read the rest

French spy boss admits France cyberattacked Iran, Canada, Spain, Greece, Norway, Ivory Coast, Algeria, and others

Bernard Barbier presided over DGSE, France's answer to NSA, during the agency's period of fast growth, spending €500M and adding 800 new staffers; in a recent speech to a French engineering university Ecole Centrale Paris, Barbier spilled a ton of secrets, apparently without authorisation. Read the rest

IoT malware exploits DVRs, home cameras via default passwords

The Internet of Things business model dictates that devices be designed with the minimum viable security to keep the products from blowing up before the company is bought or runs out of money, so we're filling our homes with net-connected devices that have crummy default passwords, and the ability to probe our phones and laptops, and to crawl the whole internet for other vulnerable systems to infect. Read the rest

This week in terrifying, mind-boggling password breaches

800,000 usernames and passwords from Brazzers, a giant porn site; 98 million passwords from Rambler.ru ("Russia's Yahoo") and, coming soon, the entire user database for VKontakte/VK.com, Russia's answer to Facebook. Read the rest

Previous PageNext page