
No Evidence: Twitter Denies Hacking Claims and The Stolen Data Being Sold Online


Twitter has denied claims that it was hacked and that stolen data is being sold online.

According to a LinkedIn post last week by Alon Gal, co-founder of the Israeli cybersecurity monitoring company Hudson Rock, stolen data has been discovered that contained the email addresses of more than 200 million Twitter users.

The breach would probably result in "hacking, targeted phishing, and doxxing," according to Gal, who labeled it as a "significant leak" and said that the information had been uploaded on an internet hacker forum. 

He claimed that despite alerting Twitter, he had not received a response.

"I urge security researchers to conduct a thorough examination of the leaked data and rule out Twitter's conclusion of the data being an enrichment of some sort which did not originate from their own servers," says Alon Gal. 

Twitter, however, has denied all claims that the emails, allegedly linked to users’ accounts, were obtained through a hack.

Regarding the issue, Twitter responded by stating, “In response to recent media reports of Twitter users’ data being sold online, we conducted a thorough investigation and there is no evidence that data recently being sold was obtained by exploiting a vulnerability of Twitter systems.”

According to Twitter, the stolen records in question were instead probably a collection of data “already publicly available online.” The company still warns online users to be wary of suspicious emails.

Gal, meanwhile, disagreed with Twitter's answer in a fresh post on LinkedIn. He noted, “The authenticity of the leak is evident in the lack of false positives between Twitter usernames and emails found in the database, opposite to cases of data enrichments.”

The disclosure came to light following multiple reports that Twitter data of millions of users – 5.4 million in November 2022, 400 million in December 2022, and 200 million last week – has been exposed online for sale on cybercrime forums.

The Breach Could Not Be Correlated to Previous or New Incidents 

Twitter, in its latest post, says that the latest dataset breach of 200 million users “could not be correlated with the previously reported incident, nor with any new incident or any data originating from an exploitation of Twitter systems.”

It added, “None of the datasets analyzed contained passwords or information that could lead to passwords being compromised.”

Moreover, in December 2022, another set of reports claimed that 400 million email addresses and phone numbers were stolen from Twitter – which the company denied as well.  

LastPass Developer Account Compromised, Data Stolen


LastPass Compromised, Data Stolen

LastPass, a password management firm, was hacked two weeks ago, allowing hackers to steal the company's source code and proprietary technical data.

The incident surfaced after Bleeping Computer learned of the breach from insiders and contacted the company last week. According to experts, employees had difficulty containing the breach after LastPass was compromised.

LastPass issued a security advisory acknowledging that the company was compromised through a breached developer account, which attackers used to gain access to the company's developer environment.

Company launches investigation 

According to LastPass, there is no evidence that encrypted password vaults or customer data were compromised, but the attackers did steal "proprietary LastPass technical data" and chunks of their source code. 

Responding to the incident, the company has deployed containment and mitigation measures and hired a leading cybersecurity agency to look into the issue. 

The investigation is in progress. LastPass said it has achieved a state of containment, has applied advanced security measures, and hasn't noticed any further evidence of malicious activity.

The company didn't disclose any further details related to the attack, like how the attackers breached the developer account and what source code was stolen. 

About LastPass 

LastPass is one of the largest password management companies in the world, with more than 33 million users and 100,000 businesses.

Because businesses and customers use the company's software to keep their passwords safe, there are also worries that a compromise of the company could let attackers get access to stored passwords.

But we should note that LastPass stores passwords in 'encrypted vaults' that can only be decrypted with a customer's master password, which, according to the company, was not compromised.

Company targeted a second time

In 2021, LastPass was hit by a credential stuffing attack that enabled attackers to cross-check a user's master password. Besides this, it was also disclosed that threat actors stole LastPass master passwords and distributed the Redline password-stealing malware.

Because of this, you should always use two-factor authentication for your LastPass accounts so that the threat actors can't access your account even after it has been compromised. 

"Based on what we have learned and implemented, we are evaluating further mitigation techniques to strengthen our environment. We have included a brief FAQ below of what we anticipate will be the most pressing initial questions and concerns from you. We will continue to update you with the transparency you deserve," said LastPass.

CySecurity will keep its readers informed of further updates.