Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Password Manager. Show all posts

Passwords Vanish for 15 Million Windows Users, Google Says "Sorry"

Passwords Vanish for 15 Million Windows Users, Google Says "Sorry"

Google says “sorry” after a bug stopped Windows users from finding or saving their passwords. The issue began on 24th July and stayed till 25th July, before it was fixed. The problem, google said was due to “a change in product behavior without proper feature guard,” an incident sharing similarities with the recent Crowdstrike disruption.

The disappearing password problem affected Chrome users worldwide, causing them trouble finding saved passwords. Users even had trouble finding newly saved passwords. Google has fixed the issue now, saying the problem was in the M127 version of Chrome Browser on Windows devices.

Who were the victims?

It is difficult to pinpoint the exact numbers, but based on Google’s 3 Billion Chrome users worldwide, with the majority of Chrome users, we can get a positive estimate. According to experts, around 15 million users experienced the vanishing password problem.  "Impacted users were unable to find passwords in Chrome's password manager. Users can save passwords, however it was not visible to them. The impact was limited to the M127 version of Chrome Browser on the Windows platform," said Google.

The password problem is now fixed

Fortunately, Google has now fixed the issue, users only need to restart their Chrome browsers. “We apologize for the inconvenience this service disruption/outage may have caused,” said Google. If a user has any inconveniences beyond what Google has covered, they are free to contact Google Workplace Support.

Chrome Password Manager: How to use it?

Google's Chrome password manager may be accessed through the browser's three-dot menu by selecting Passwords & Autofill, then Google Password Manager. Alternatively, you can install the password manager Chrome app from the password manager settings and then access it from the Google Apps menu. If Chrome invites you to autofill a password, clicking Manage Passwords will take you directly there.

Things that went missing besides passwords recently

According to cybersecurity reporter Brian Krebs, the email verification while creating a new Google Workplace Account also went missing for a few Chrome users. 

The authentication problem, which is now fixed, allowed threat actors to skip the email verification needed to create a Google Workplace account, allowing them to mimic a domain holder at third-party services. This allowed a threat actor to log in to third-party services like a Dropbox account.  

Tech Giant Apple Launches Its Own Password Manager App

 

People with knowledge of the matter claim that Apple Inc. launched a new homegrown app this week called Passwords, with the goal of making it simpler for users to log in to websites and apps. 

The company introduced the new app as part of iOS 18, iPadOS 18 and macOS 15, the next major versions of its iPhone, iPad and Mac operating systems, said the people, who asked not to be identified because the initiative hasn’t been announced. The password-generating and password-tracking software was unveiled on June 10 at Apple's Worldwide Developers Conference. 

The new app is backed by iCloud Keychain, a long-standing Apple tool for syncing passwords and account information across several devices. This capability was previously concealed within the company's settings app or displayed when a user logged into a website. 

Apple is attempting to encourage more people to use safe passwords and improve the privacy of its devices by making the feature available as a standalone app. However, the action increases competition with third-party apps. The new app will compete with password managers such as 1Password and LastPass, and Apple will allow users to import credentials from rival services. 

The app displays a list of user logins and divides them into categories such as accounts, Wi-Fi networks, and Passkeys, an Apple-supported password replacement that uses Face ID and Touch ID.

Like most password managers, the data can be auto-filled into websites and apps when a user logs in. The software will also function with the Vision Pro headset and Windows computers. It also supports verification codes and functions as an authentication software similar to Google Authenticator. 

The Passwords push is only one part of the WWDC event. The primary focus will be Apple's artificial intelligence project, which will include features such as notification summaries, fast photo editing, AI-generated emoji, and a more powerful Siri digital assistant. Apple will also announce a collaboration with OpenAI to utilise the ChatGPT chatbot.

AutoSpill Attack Steal Credentials from Android Password Managers


Security researchers from the International Institute of Information Technology (IIIT) in Hyderabad, India, have discovered a new vulnerability with some Android password managers in which some malicious apps may steal or capture users’ data credentials in WebView. 

The threat actors carry out the operation particularly when the password manager is trying to autofill login credentials. 

In a presentation at the Black Hat Europe security conference, the researchers revealed that the majority of Android password managers are susceptible to AutoSpill even in the absence of JavaScript injection. 

How AutoSpill Works

WebView is frequently used in Android apps to render web content, which includes login pages, within the app, rather than redirecting users to the main browser, which would be more challenging on small-screen devices. 

Android password managers automatically enter a user's account information when an app loads the login page for services like Apple, Facebook, Microsoft, or Google by utilizing the WebView component of the platform. 

According to the researchers, it is possible to exploit vulnerabilities in this process to obtain the auto-filled credentials on the app that is being invoked. 

The researchers added that the password managers on Androids will be more vulnerable to the attack if the JavaScript injections are enabled. 

One of the main causes of the issue regarding AutoSpill is Android’s inability to specify who is responsible for handling the auto-filled data securely, which leaves the data vulnerable to leakage or capture by the host app.

In an attack scenario, the user's credentials could be obtained by a rogue app presenting a login form without leaving any trace of the breach.

Impact and Patch Work

Using Android's autofill framework, the researchers tested AutoSpill against a number of password managers on Android 10, 11, and 12. They discovered that 1Password 7.9.4, LastPass 5.11.0.9519, Enpass 6.8.2.666, Keeper 16.4.3.1048, and Keepass2Android 1.09c-r0 are vulnerable to assaults.

It was found that Google Smart Lock 13.30.8.26 and DashLane 6.2221.3 had different technical approaches for the autofill process, wherein they did not compromise data to the host app unless JavaScript injection was used.

The researchers submitted their recommendations for fixing the issue along with their results to the security team of Android and the affected software manufacturers. Their report was accepted as legitimate, however, no information regarding the plans for rectifying it was disclosed.  

iLeakage Attack: Protecting Your Digital Security

The iLeakage exploit is a new issue that security researchers have discovered for Apple users. This clever hack may reveal private data, including passwords and emails, and it targets Macs and iPhones. It's critical to comprehend how this attack operates and take the necessary safety measures in order to stay safe.

The iLeakage attack, detailed on ileakage.com, leverages vulnerabilities in Apple's Safari browser, which is widely used across their devices. By exploiting these weaknesses, attackers can gain unauthorized access to users' email accounts and steal their passwords. This poses a significant threat to personal privacy and sensitive data.

To safeguard against this threat, it's imperative to take the following steps:

1. Update Software and Applications: Regularly updating your iPhone and Mac, along with the Safari browser, is one of the most effective ways to protect against iLeakage. These updates often contain patches for known vulnerabilities, making it harder for attackers to exploit them.

2. Enable Two-Factor Authentication (2FA): Activating 2FA adds an extra layer of security to your accounts. Even if a hacker manages to obtain your password, they won't be able to access your accounts without the secondary authentication method.

3. Avoid Clicking Suspicious Links: Be cautious when clicking on links, especially in emails or messages from unknown sources. iLeakage can be triggered through malicious links, so refrain from interacting with any that seem suspicious.

4. Use Strong, Unique Passwords: Utilize complex passwords that include a combination of letters, numbers, and special characters. Avoid using easily guessable information, such as birthdays or common words.

5. Regularly Monitor Accounts: Keep a close eye on your email and other accounts for any unusual activities. If you notice anything suspicious, change your passwords immediately and report the incident to your service provider.

6. Install Security Software: Consider using reputable security software that offers additional layers of protection against cyber threats. These programs can detect and prevent various types of attacks, including iLeakage.

7. Educate Yourself and Others: Stay informed about the latest security threats and educate family members or colleagues about best practices for online safety. Awareness is a powerful defense against cyberattacks.

Apple consumers can lower their risk of being victims of the iLeakage assault greatly by implementing these preventive measures. In the current digital environment, being cautious and proactive with cybersecurity is crucial. When it comes to internet security, keep in mind that a little bit of prevention is always better than a lot of treatment.


Freecycle Data Breach: Urgent Password Update Required

Freecycle, a well-known website for recycling and giving away unwanted stuff, recently announced a huge data breach that has affected millions of its users. This news has shocked the internet world. Concerns over the security of personal information on the internet have been raised by the hack, underscoring once more the significance of using secure passwords and being aware of cybersecurity issues.

According to reports from security experts and Freecycle officials, the breach is estimated to have affected approximately seven million users. The exposed data includes usernames, email addresses, and encrypted passwords. While the company has stated that no financial or highly sensitive information was compromised, this incident serves as a stark reminder of the risks associated with sharing personal data online.

The breach was first reported by cybersecurity researcher Graham Cluley, who emphasized the need for affected users to take immediate action. Freecycle, recognizing the severity of the situation, has issued a statement urging all users to change their passwords as a precautionary measure.

This breach underscores the critical importance of password security. In today's digital age, where data breaches are becoming increasingly common, using strong and unique passwords for each online account is paramount. Here are some key steps users can take to protect their online presence:
  • Change Passwords Regularly: Freecycle users, in particular, should promptly change their passwords to mitigate any potential risks associated with the breach. Additionally, consider changing passwords for other online accounts if you've been using the same password across multiple platforms.
  • Use Strong, Complex Passwords: Create passwords that are difficult to guess, combining uppercase and lowercase letters, numbers, and special characters. Avoid easily guessable information like birthdays or common words.
  • Implement Two-Factor Authentication (2FA): Whenever possible, enable 2FA for your accounts. This adds an extra layer of security by requiring a one-time code or authentication device in addition to your password.
  • Password Manager: Consider using a reputable password manager to generate and store complex passwords securely. These tools can help you keep track of numerous passwords without compromising security.
  • Stay Informed: Regularly monitor your accounts for any suspicious activity and be cautious of phishing emails or messages asking for your login credentials.

Freecycle is not the first and certainly won't be the last platform to experience a data breach. As users, it's our responsibility to take cybersecurity seriously and proactively protect our personal information. While it's concerning that such breaches continue to occur, they serve as reminders that vigilance and good security practices are essential in our interconnected world.

Meduza Stealer Targets Password Managers

 


A critical cybersecurity issue known as Meduza Stealer, a perilous new info stealer, has surfaced. By particularly attacking well-known password managers, this sophisticated virus compromises private user information. Users are urged to exercise caution and take the necessary safety measures by security professionals to protect their data.
According to a recent report by TechRadar Pro, Meduza Stealer has gained notoriety for its ability to bypass traditional security measures, making it challenging to detect and mitigate. The malware primarily focuses on infiltrating prominent password manager applications, a concerning trend given the increasing reliance on such tools to secure online credentials.

The reports state Meduza Stealer has already targeted 19 password managers, putting millions of users at risk. It operates by intercepting and exfiltrating sensitive information stored in these applications, including usernames, passwords, and other confidential data. The stolen information can be used for various malicious purposes, such as unauthorized access to personal accounts, identity theft, or financial fraud.

Meduza Stealer malware adopts evasive techniques to evade detection and remain hidden within targeted systems. Its advanced capabilities enable it to bypass antivirus software and firewalls, making it a significant challenge for security professionals to combat effectively.

Industry experts are urging users of password managers to remain cautious and implement additional security measures. Regularly updating software and using multi-factor authentication are recommended practices that can significantly reduce the risk of falling victim to such attacks. In addition, individuals are advised to exercise caution while clicking on suspicious links or downloading files from unknown sources, as these are often the entry points for malware.

Cybersecurity firms and researchers are working hard to create solutions in response to the threat Meduza Stealer poses. To remain ahead of such new threats, close cooperation between software developers, security professionals, and end users is essential.

Cybersecurity analyst John Smith underlines the value of preventative security measures. He says, "Users must continually upgrade their security procedures and keep up with the most recent threats. People can dramatically lessen their vulnerability to info stealers like Meduza Stealer by using strong passwords, enabling two-factor authentication, and exercising caution."

The development of complex attacks like Meduza Stealer, which are part of the ongoing transformation of the digital environment, highlights the importance of strong security procedures. People may safeguard their important data and reduce the risks brought on by these new cybersecurity threats by keeping themselves informed and putting in place thorough security measures.


KeePass Vulnerability: Hackers May Have Stolen the Master Passwords


One would expect an ideal password manager to at least keep their users’ passwords safe and secure. On the contrary, a new major vulnerability turned out to be putting the KeePass password manager users at serious risk of their passwords being breached.

Apparently, the vulnerability enables an attacker to extract the master password from the target computer's memory and take it away in plain text, or in other words, in an unencrypted form. Although it is a fairly easy hack, there are expected to be some unsettling repercussions.

Password managers, like in this case KeePass, lock up a user’s login info encrypted and secure behind a master password in order to keep it safe. The vault is a valuable target for hackers since the user is required to input the master password to access everything within.

How is KeePass Vulnerability a Problem? 

Security researcher 'vdohney,' according to a report by Bleeping Computer, found the KeePass vulnerability and posted a proof-of-concept (PoC) program on GitHub.

With the exception of the initial one or two characters, this tool can almost entirely extract the master password in readable, unencrypted form. Even if KeePass is locked and, possibly, if the app is completely closed, it is still capable of doing this.

All this is because the vulnerability extracts the master password from KeePass’s memory. This can be acquired, as the researcher says, in a number of ways: “It doesn’t matter where the memory comes from — can be the process dump, swap file (pagefile.sys), hibernation file (hiberfil.sys) or RAM dump of the entire system.”

The exploit is only possible due to some custom code KeePass uses. Your master password is entered in a unique box named SecureTextBoxEx. Despite its name, it turns out that this box is actually not all that secure since each character that is entered essentially creates a duplicate of itself in the system memory. The PoC tool locates and extracts these remaining characters.

‘A Fix is Incoming’ 

Having physical access to the computer from which the master password is to be taken is the only drawback to this security breach. However, that is not always a problem; as the LastPass vulnerability case demonstrated, hackers can access a target's computer by utilizing weak remote access software installed on the device.

In case a device was infected by a malware, it may as well be set up to dump KeePass's memory and send it and the app's database back to the hacker's server, giving the threat actor time to get the master password.

Fortunately, the developer of KeePass promises that a fix is incoming; one of the potential fixes is to add random dummy text that would obscure the password into the app's memory. It may be agonizing to wait until June or July 2023 for the update to be made available for anyone concerned about their master password being compromised. The fix, however, is also available in beta form and may be downloaded from the KeePass website.    

Passkeys: A Modern Solution For All Your Password Troubles

 

We all use far too many passwords, and they're probably not all that secure. Passkeys are the next development in password technology and are intended to replace passwords with a more secure approach. 

Password troubles 

For a very long time, we have used usernames and passwords to sign in to websites, apps, and gadgets. 

A serious issue with passwords is that nearly entirely their creators are to fault. You must remember the password, thus it's easy to fall into the trap of using real words or phrases. It's also fairly typical to use the same password across several websites and apps in favour of having unique passwords for each one. 

Although it is obviously not very safe, many individuals continue to use passwords like their birthdate or the name of their pet. If they are successful, they can attempt it in every other place you use the same password. Using two-factor authentication and special passwords is essential as a result of this. Password managers, which produce random character strings for you and remember them for you, have been developed to solve this issue. 

Passkey vs. password: What distinguishes them

Over time, not much has changed with regard to the login and password system. Think of passkeys as a full-fledged alternative for the outdated password system. Basically, the process you use to unlock your phone is the same one you use to sign into apps and websites. 

It is among the fundamental distinctions between passkeys and conventional passwords. All locations where Facebook is accessible accept your Facebook password. On the other hand, a passkey is bound to the machine where it was made. The passkey is far more secure than a password because you're not generating a universal password. 

The same security process can be used to verify a QR code you scanned with your phone to log in on another device. There are no passwords used, thus nothing can be stolen or leaked. Because you must sign in with your phone in hand, you don't need to be afraid about a stranger across the nation using your password. 

Device compatibility 

Passkeys are still very new, but they already work with all the best phones and a majority of the best laptops. This is because the tech behemoths Microsoft, Google, Apple, and others collaborated to create them using the FIDO Alliance and W3C standards. 

Apple introduced passkeys to the iPhone with the release of iOS 16 in the previous fall. Passkeys eliminates the need for a master password on its devices by using TouchID and FaceID for authentication. Here's how to set up passkeys on an iPhone, iPad, or Mac if you want to try them out for yourself.

Your passkeys are stored and synchronised using the Google Password Manager if you have one of the top Android phones or an Android tablet. If you want to use passkeys with it, you must first enable screen lock on your Android device, as this stops people with access to your smartphone from utilising your passkeys. 

In both Windows 10 and Windows 11, you can use Microsoft's Windows Hello to sign into your accounts using passkeys. Because your passkeys are linked to your Microsoft account, you may use them on any device as long as you're signed in.

Regarding your web browser, passkeys are currently supported by Chrome, Edge, Safari, and Firefox. For Chrome/Edge, you must be using version 79 or above, for Safari, version 13 or higher, and for Firefox, version 60 or higher.

Before It's Too Late, Switch to a New LastPass Password Manager

 

One of the most well-known password organisers in the world, LastPass, experienced a significant data breach in December, putting the online passwords and personal information of its users at risk. Time is running out if you still haven't changed your passwords. 

On December 22, LastPass CEO Karim Toubba admitted in a blog post that a security breach the business first disclosed in August ultimately resulted in the theft of crucial vault data and customer account information by a "unauthorised entity." The issue is the most recent in a protracted and alarming line of security occurrences affecting LastPass that stretch back to 2011.

According to Toubba, the unauthorised entity was able to acquire unencrypted customer account data including LastPass usernames, business names, billing addresses, email addresses, phone numbers, and IP addresses. The same unauthorised entity also had access to client vault data, which contains both encrypted and unencrypted information including usernames and passwords for all the websites that consumers have saved in their vaults. If you use LastPass, you should consider switching to another password manager given how seriously your passwords and personal information are at risk from this attack. 

How did it get to this point? 

In an article written by Toubba and posted on the LastPass blog in August 2022, the company claimed that it had "determined that an unauthorised party gained access to portions of the LastPass development environment through a single compromised developer account and took portions of source code and some proprietary LastPass technical information."

When the threat first surfaced, LastPass "engaged a leading cybersecurity and forensics firm," according to Toubba. This was followed by the implementation of "enhanced security measures." But as the breach's extent progressively increased, that blog article would be modified multiple times over the ensuing months. 

Toubba informed readers that the incident's investigation was over in a blog post update on September 15. 

"Our investigation revealed that the threat actor's activity was limited to a four-day period in August 2022. During this timeframe, the LastPass security team detected the threat actor's activity and then contained the incident," Toubba stated. "There is no evidence of any threat actor activity beyond the established timeline. We can also confirm that there is no evidence that this incident involved any access to customer data or encrypted password vaults." 

Customers were reassured by Toubba at the time that LastPass would take good care of their passwords and personal information. 

It turned out, however, that the unauthorised person was in fact able to access customer data in the end. 

The company "found that an unauthorised entity, using information gained in the August 2022 event, was able to get access to certain components of our customers' information," according to a Nov. 30 update to the blog post by Toubba. 

On December 22, Toubba published a lengthy update to the blog post detailing the worrying specifics of what client data the hackers had really been able to access during the attack. The public only learned the full extent of the problem at that point, when it was revealed that LastPass users' personal information was in the hands of a threat actor and that all of their passwords stood a major risk of being leaked. 

However, Toubba reassured users who adhere to LastPass's recommended password practises and have the most recent default settings enabled that they don't need to take any further action at this time because their "sensitive vault data, such as usernames and passwords, secure notes, attachments, and form-fill fields, remain safely encrypted based on LastPass' Zero Knowledge architecture." 

Toubba cautioned, though, that individuals who don't enable LastPass's default settings and don't adhere to the password manager's best practices run the danger of having their master passwords compromised. Toubba advised those people to think about switching the passwords for the websites they had saved. 

How should LastPass users act? 

The firm did not disclose the number of users who were impacted by the hack, and LastPass did not reply to CNET's request for any information on the incident. But if you're a LastPass user, you should act as though your user and vault data are in the possession of an uninvited person with bad intentions. Although the most sensitive information is encrypted, there is still an issue because the threat actor can use "brute force" attacks on the local files they have stolen. If you've complied with LastPass's recommended procedures, it would reportedly take "millions of years" to figure out your master password. 

If you haven't changed your individual passwords, or if you simply want complete peace of mind, you'll need to put in a lot of time and work. Additionally, you should probably stop using LastPass while you're doing that. 

Keeping that in mind, the following is what you must do immediately if you are a LastPass subscriber:

Look for a fresh password manager: Given LastPass' history of security issues and the seriousness of this most recent leak, it's more important than ever to look for an alternative. 

Immediately change your most vital site-level passwords: Passwords for anything, such as online banking, financial information, internal company logins, and medical data, are included in this. Make sure the passwords you choose are both secure and original. 

Turn on two-factor authentication whenever you can: After changing your passwords, make sure that any online account that supports 2FA has that feature enabled. By warning you and requesting your authorization for each login attempt, this will give you an extra degree of security. As a result, even if someone manages to discover your new password, they shouldn't be able to visit a particular website without your secondary authenticating device (typically your phone).

Picking The Right Password Manager: Five Things To Bear In Mind

 

The best password managers, along with efficient password and credential management, are becoming more crucial as more and more business is conducted online. Your company will be more immune to cybercrime if you make sure the password manager you select provides the majority or all of these. 

Whether through widespread hacking or targeted efforts, cybercrime continues to pose serious hazards to organisations. In light of this, it makes sense for businesses in particular to invest in the best password managers. How can you select from the best password managers, though? 

Below are the five key characteristics you should consider while selecting a password manager. These essential components, in our opinion, are what separate a good platform from a just good service.

1. End-to-end encryption

A password manager's superior encryption is its most crucial component. It is a must. In the end, password managers are really all about data security, and without end-to-end encryption, your data won't be safe enough. 

Your data is indecipherable while it is in transit and at rest thanks to end-to-end encryption. A special authentication key must be given for the platform in order to decode the data. The only person with access to this authentication key is the user thanks to end-to-end encryption.

This implies that no one, not even your provider, can access your passwords. Your encrypted and unreadable data is all that is stored by the platform. Your passwords will therefore be secure even if the provider is compromised. 

End-to-end encryption, also known as zero-knowledge architecture, enables a provider to encrypt and store client data at the greatest levels of security without knowing what data is being stored. It is the first thing you should look for if you want to keep your organization's passwords and credentials in the most secure manner possible. 

2. Multi-factor authentication (MFA) 

While we're talking about security, let's talk about MFA. Users must log in with MFA and a secondary authentication method in addition to their password. This guarantees that a user's account will probably stay secure even if their master password is stolen.

An app-generated unique code or a one-time password are both acceptable forms of secondary authentication. These supplementary techniques are typically connected to a user's personal device, like their mobile phone or personal email address. This makes sure that a user needs their email address or device in addition to the master password to access their account. 

Because user login is one of the most major points of vulnerability across all password managers, MFA is one of the simplest ways to boost your account's security. If a user's master password is compromised and a provider doesn't have MFA procedures in place, then all of the encryption and security measures in the world won't matter and their data could still be exposed. Selecting a password manager with MFA capability is something we strongly advise.

3. Regular updates 

Make sure to verify that your preferred options are up to date because password managers, like any other piece of software, must be kept updated. You should invest in a password organiser that is regularly updated to keep up with the ever-changing security landscape because hackers and other cybercriminals constantly change their tactics and behaviour. 

4. Password creation 

The first challenge we all confront is coming up with a strong password. You should gain the further advantage of the software's ability to produce a new log-in anytime you require it by investing in a high-quality password manager. This will always be considerably superior than anything you generate yourself, therefore it should be secure and safe. 

5. Setting up passwords 

There is an additional benefit to using a password manager if you have been using log-ins for any length of time. There are many password manager programmes that can analyse your current password collection and let you know which ones are weak or possibly have previously been compromised. They frequently have the ability to compare them to databases of compromised log-in details, and they can offer advice on how to update details to best protect against possible assaults.

Gen Digital Customers' Accounts were Breached by Hackers

 


A Norton LifeLock spokesperson has confirmed that malicious third parties are likely to have gained access to some customers' accounts, possibly even gaining access to their password vaults. 

The document describing affected customers' rights as a result of a data breach is available on the website of the Vermont attorney general's office. Using username and password login combinations, the report suggests hackers may have been able to access the accounts of Norton and Norton Password Manager users. 

According to the vendor, which is owned by Gen Digital, the login information was not obtained by breaching the IT environment of the company itself. This is due to a security breach. 

As one of the leading manufacturers of antivirus software for consumers, Gen Digital Inc. is a publicly traded company. It has been more than a year since Gen Digital, a security company founded in September, was formed when Norton LifeLock Inc. and Avast plc merged. In addition to antivirus software, Gen Digital also sells cybersecurity products that include password managers and virtual private networks tools, and some other cybersecurity products.

A report regarding the breach of some Gen Digital accounts emerged on Friday, indicating that some customers' accounts had been compromised. According to a statement released by the company the next day, it had "secured 925,000 inactive and active accounts that may have been targeted" by hackers during the attack. TechCrunch reported earlier this week that the accounts of 6,450 customers had been compromised as a result of the breach. 

In an attempt to break into Gen Digital's customer database, hackers may have accessed the names, telephone numbers, and mailing addresses of a large number of customers. The company discovered, some of the data stored in its Norton Password Manager tool may have been compromised as a result of the breach. Gen Digital says it is possible that one of the hackers was able to access the login credentials of the users that were affected in Norton Password Manager. This is a password management program. 

It has been reported that Gen Digital was not affected by the breach and that no data had been compromised. Hackers allegedly gained access to customer accounts by stuffing credentials to breach the security of the antivirus maker's systems. That is the term used to describe a type of cyberattack. In this attack, hackers compromise customers of another company by using login credentials they have stolen from one of their competitors. 

There has been no compromise of any systems, and they are safe and operational. However, threat actors are all too common in today’s world of taking credentials that they find elsewhere, like on the dark web, and using them to make automated attacks. This enables them to gain access to other unrelated accounts. According to a spokesperson for the company, the system has not been compromised.  

It was Gen Digital that first recognized the breach on December 12 after discovering an unusually high number of failed login attempts that were aimed at its customers' accounts. Earlier this month, the company identified the lack of security measures by which hackers were able to gain access to customer accounts. 

It was Gen Digital who found out about the breach and notified the affected customers and rewrote their passwords as soon as possible. To ensure that customers are protected, the company also says "additional security measures" have been implemented. 

Earlier this month, one of Gen Digital's major competitors in the password manager market, LastPass US LLP, suffered a breach of its security. This breach coincided with the launch of the company. Earlier in August, a cyberattack against the company was preceded by another breach of security. Hackers accessed LastPass' cloud storage environment using the technical information they stole during the August cyberattack in which technical information was stolen. 

During the hacking operation, hackers gained access to the usernames and billing addresses of customers. A backup copy of LastPass' password manager, which is the most widely used password management tool available, was also obtained by hackers. As per the policy of the company, the encrypted copy of account information cannot be decrypted without the password of the user's account, which was not compromised.

How to Safeguard Your Data in the Era of Privacy Violations

 

When our information falls into the wrong hands, it could cause a lot of harm, especially since con artists frequently prey on helpless victims. More evidence that widespread fraud and scams are on the rise comes from the recent data breaches at Optus and Medibank. According to the Attorney-office, General's identity theft, con artists, and credit card fraud cost Australians $900 million annually. However, there are extra precautions we can take to safeguard ourselves. How? Read on.

Invest in a password manager

Don't make it simple for con artists to figure out. The word "password" is one of the most popular passwords, did you know that? one more typical one? 123456. Although they are simple to remember, none of us can expect to remember every password we have. There are fortunately some excellent password manager products available. The best cloud-based password manager, according to Finder.com.au, is LastPass, which is also reasonably priced. 1Password was singled out as a flexible password manager that's particularly useful for iPhone or Mac users. Both are capable of creating passwords and checking accounts for security holes. Additionally, they advise changing insecure passwords and synchronising your passwords between your computer and smartphone.

Multi-factor authentication 

We should all use multi-factor authentication whenever possible, according to the Cyber Security Stakeholder Group (CSSG), a group made up of the ATO, tax practitioner industry groups, governmental organisations, and industry partners. Users must provide multiple pieces of information, such as a text message sent to your phone when logging into a website, as part of multi-factor authentication. Your accounts may become more difficult for others to access by adding this extra layer of security. 

Consider a credit ban 

Think someone has stolen your identity? By obtaining a credit ban, you can prevent scammers from taking out loans in your name. It is a gratis service. IDCare.org, an independent organisation that offers free assistance to people affected by fraud or scams, suggests that you can apply to credit reporting agencies for a credit ban to prevent people from obtaining credit or loans in your name. The 21-day suspension can be extended. When a bank or credit provider verifies your eligibility for credit, they consult credit reporting agencies, and if you have placed a ban on your credit report, the check will be unsuccessful if someone attempts to take out a loan in your name. 

Maintain software updates

The Australian Tax Office reports an increase in the use of malicious software. Accidentally clicking on an email or website link that can infect your computer can be simple.

"Your device might occasionally be affected by ransomware. When you use ransomware, your computer can be locked until you pay a fee to let criminals install software that gives them access to your bank accounts and lets them steal your money," the ATO warned. The response? Install the most recent security updates, perform routine antivirus scans, and use a spam filter on your email accounts to protect yourself. Weekly malware and anti-virus scans should be conducted, and security software should be current. 

Consult your bank 

You may have received correspondence from your bank about enhancing security as a result of the most recent data breaches. For instance, Westpac requires the presentation of forms of identification. So that no one can pretend to be you, request additional checks from your financial institution. 

In order to alert you to any unusual activity on your accounts, The Commonwealth Bank advises customers to activate location-based security, set notification preferences, and review registered devices. Yet another wise move? If you're worried about your accounts right now, you might want to think about lowering your daily withdrawal caps.

Attackers are Exploiting Weak Password Policy of Internet Users

 

A new report by vulnerability management firm Rapid7 disclosed that hackers attempt very simple usernames and passwords to breach third-party systems. 

The researchers employed a few hundred honeypots over 12 months to examine how hackers try to remotely breach foreign networks using the two most widely utilized types of remote administration systems - secure shell protocol and remote desktop protocol. 

Interestingly, threat analysts unearthed 512 thousand of cases in which the attackers could enter information from a well-known file called RockYou2021.txt that has close to 8.4 billion passwords employed by users. 

"We know now, provably and demonstrably, that nobody — 0% of attackers — is trying to be creative when it comes to unfocused, untargeted attacks across the Internet. Therefore, it's straightforward to avoid this kind of opportunistic attack, and it takes very little effort to take this threat off the table entirely, with modern password managers and configuration controls,” Tod Beardsley, director of research at Rapid7 stated. 

According to an analysis by cybersecurity firm ESET, the exploitation of common passwords has risen dramatically during the COVID-19 pandemic, with password guessing becoming the most popular method of attack in 2021. To infiltrate third-party systems, the hackers employ usernames such as “user” or “admin” and passwords such as “123456”, “123456789” and “qwerty”. 

This emphasizes the poor choice of internet users while setting passwords. Last year in October, a cybersecurity researcher in Tel Aviv, Israel, discovered he could recover the passwords to 70% of the wireless networks as he pedaled past, often because they used a cellphone number as the password.

"With the increasing adoption of both remote work and cloud infrastructures, the number of people accessing corporate information systems across the internet has skyrocketed," Rapid7 added in its report. "As with so many things in security, the addition of convenience and complexity has made the task of protecting these systems far more challenging." 

Mitigation Tips 

The researchers recommended organizations lock down RDP, including limiting all remote access attempts to only hosts that have been legitimized first via the corporate VPN, as well as changing the default RDP port to automatically sidestep many automated attacks. Organizations should also encourage employees to use password managers. 

Additionally, the businesses can employ a free tool such as Defaultinator, which Rapid7 designed to audit SSH and RDP endpoints, to ensure that production systems aren't using default passwords.









































































































Shopify Risking Customers Data by Employing Weak Password Policy

 

Specops Software, a password manager, and authentication solutions vendor published a new report this week disclosing that e-commerce giant, Shopify with more than 3.9 million live websites globally, employs weak password policies on the user-facing section of its website. 

To create a Shopify account, users only need to create a password that is at least five characters in length and that does not begin or end with a space. 

Threat analysts at Specops examined a list of a billion breached passwords and unearthed that nearly every (99.7%) of those passwords comply with Shopify's requirements. However, this does not mean that Shopify customers' passwords have been breached, in fact, it only highlights the threats linked with using weak passwords. 

Shopify headquartered in Ottawa, Ontario was founded in 2006 by Tobias Lütke, Daniel Wenand, and Scott Lake following the trio's failure to find a suitable off-the-shelf e-commerce platform for a planned snowboarding store, Snowdevil. 

Risk of using weak passwords 

According to security analysts at Specops, password attacks work because the majority of businesses require users to set short-length passwords. For example, starting with a common word, followed by a number and/or special character. The length of the password is also very defensive. 

Earlier this year, Hive Systems, a cybersecurity firm, analyzed the amount of time required to brute force crack passwords of multiple lengths and with different levels of complexity. The security analysts discovered that a five-character password can be easily breached, irrespective of complexity. Given the ease with which hackers can crack shorter passwords, organizations ideally require complex passwords that are at least 12 characters in length. 

Enterprises risking users’ data safety 

According to the survey conducted by identity management vendor Hitachi ID, nearly 46% of enterprises store corporate passwords in office documents like spreadsheets making them vulnerable to a significant cyber threat. Hitachi ID surveyed 100 executives across EMEA and North America to recognize better how secure their password management is. 

It suggests that businesses aren’t practicing what they preach because almost all (94%) participants asserted they need password monitoring training, with 63% claiming they do so more than once a year.

Enhancing IT security 

This, of course, raises the question of what businesses require to strengthen their overall password security. Perhaps the most critical recommendation would be to set a password requirement that is longer and more complex than what is currently used. Businesses can employ Windows operating systems containing account policy settings to control password length and complexity requirements.

Additionally, organizations can use Specops Password Policy to restrict users from designing passwords vulnerable to dictionary assaults by blocking commonly employed passwords. This might include using consecutive repeating characters (such as 99999) or replacing letters impersonating symbols (such as $ instead of s).

Google Announces Password Manager Updates to Enhance User Security

 

Last week, Google updated its Password Manager service dedicated to users who have been facing troubles with their passwords. 

The users using the Chrome browser can now utilize Google Password Manager's auto-fill option to enable the browsers to remember the passwords and keep them in memory of all the sites which the users are visiting, the company told in a blog post. 

Earlier, users were allowed to add passwords to Google Password Manager only when Google used to prompt the user to enter the password; now, they can manually add passwords at any time. 

Although Google is not yet comfortable with making Password Manager a standalone app, users on Android can now add a shortcut to it on the home screen. Customers can use their iPhones to generate unique, strong passwords for their apps when they opt for Chrome as the default autofill provider. 

Additionally, the built-in Password Checkup feature on Android is receiving an upgrade of its own too. Beyond checking for hacked credentials, it can further highlight weak and reused passwords à la Apple iOS. Google is also expanding the compromised password warnings to Chrome users across all operating systems. 

Last but not least, Google is launching a new "Touch-to-Login" to Chrome on Android that allows users to sign in to websites with a single tap after entering the credentials with autofill. It's worth noting that Apple implemented a similar feature in Safari with iOS 12.2. 

According to Google's blog post, the latest updates and added features have been designed at the Google Safety Engineering Center, where the privacy and security experts work on creating a secured ecosystem for the customers. 

The blogpost further stated, “Of course, our efforts to create a safer web are a truly global effort – from our early work on 2-step verification to our future investments in technologies like passkeys – and these updates that we are rolling out over the next months are an important part of that work.” 

The announcement comes after Verizon’s 2022 Data Breach Investigations Report highlighted that compromised credentials accounted for almost 50% of data breaches.

New Specops Password Policy Detects and Blocks in User's Active Directory

 

Specops Software, a password manager, and authentication solutions vendor published a new report this week explaining how the company’s breached password protection policy can spot over 2 billion known breached passwords in users' Active Directory. 

Specops Breached Password Protection offers a service that scans a user’s Active Directory passwords against a dynamically updated list of vulnerable passwords. The list contains over 2 billion passwords from known data leak incidents as well as passwords used in real assaults happening currently. 

Specops also restrict users from designing passwords vulnerable to dictionary assaults by blocking commonly employed passwords. During a password change, the password scanner blocks any passwords identified in the database with a dynamic response for end-users. Additionally, it designs a custom dictionary containing potential passwords relevant to users work place, including firm names, locations, services, and relevant acronyms. 

According to security analysts at Specops, password attacks work because users set predictable passwords. When asked to set a complex password, users employ familiar steps that attackers can easily crack. For example, starting with a common word, followed by a number and/or special character. The length of the password is also very defensive. 

Specops scanned over 800 million known exploited passwords, up to 83% of passwords were present in vulnerable password databases meaning they were unable to meet regulatory password standards. To finalize the result, security analysts compared the construction rules of 5 different standards against a dataset of 800 million exploited passwords. 

“You can install Specops Password Auditor on any workstation that’s joined to your Active Directory. From the outset, you can download a database from us, which is updated every three months, based on the biggest leaks that have happened in that three-month period, plus the most common hits against our master database, Darren James, password and authentication analyst from Specops explained.

The database downloaded by the user consists of over 800 million of the most commonly breached and leaked password hashes, while our master database, updated daily, contains 2.6 billion hashes. You can export reports showing the results into a script or document to send to members of your organization. From here, Password Policy helps to solve the problem by eliminating breaches and weak passwords and ensuring that passwords are compliant.” 

LastPass Says No Passwords Were Stolen in Latest Security Threat

 

Near the end of December 2021, multiple users of password manager firm LastPass reported that their master passwords were compromised after they received alerts via email that someone from an unknown location attempted to log in to their accounts.

The email notifications also mention that the account access was blocked due to the unknown location where the attempt was made. "Someone just used your master password to try to log in to your account from a device or location we didn't recognize," the login alert says. “LastPass blocked this attempt, but you should take a closer look. Was this you?" 

Reports of compromised LastPass master passwords have been circling in social media sites such as Twitter, Reddit, and Hacker News after a LastPass user created a post to highlight the issue. He claims that LastPass warned him of a login attempt from Brazil using his master password. 

This led to speculation that vulnerability in LastPass sever allowed attackers to steal leaked master passwords, as these emails only arrive if the unauthorized person logs in with the correct password. However, this seemed unlikely, as LastPass clarified that it doesn’t store master passwords on its servers.

"LastPass investigated recent reports of blocked login attempts and determined the activity is related to fairly common bot-related activity, in which a malicious or bad actor attempts to access user accounts (in this case, LastPass) using email addresses and passwords obtained from third-party breaches related to other unaffiliated services,” LogMeIn Global PR/AR Senior Director Nikolett Bacso-Albaum told BleepingComputer. 

"It’s important to note that we do not have any indication that accounts were successfully accessed or that the LastPass service was otherwise compromised by an unauthorized party. We regularly monitor for this type of activity and will continue to take steps designed to ensure that LastPass, its users, and their data remain protected and secure," Nikolett added. 

However, users of LastPass who received these warnings have said that their passwords were only used to log in to LastPass and not used elsewhere. To mitigate further threats, security researchers have recommended LastPass users enable multifactor authentication to guard their accounts even if their master password was not compromised.