Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label password hack. Show all posts

60 Million Users Exposed: The Pinterest Data Breach Explained

60 Million Users Exposed: The Pinterest Data Breach Explained

Pinterest, the popular image-sharing platform with over 518 million monthly active users, faces a potential data leak that could affect millions of users. A hacker known as “Tchao1337” has allegedly leaked a database containing 60 million rows of Pinterest user data on a popular data leak forum.

The breach details

The leaked database, which reportedly contains 6 million records, has been compressed to a file size of 1.59 gigabytes. While the full extent of the exposed information is unknown, the leaked data includes email addresses, usernames, user IDs, and IP addresses.

The first and most obvious action is changing your Pinterest password and the related email address. Knowing even a few of your details can allow hackers to piece together information and cause you major difficulties. 

Of course, you know not to use the same password for many things, right? If you are guilty of that cardinal sin, change your password everywhere and use one of the best password organizers to create a safe password that you will not forget. Use two-factor authentication to provide maximum security. 

Stay cautious: Phishing

If your data has been hacked, you are likely to become the victim of other phishing efforts. Be cautious when clicking dodgy links, and not simply in messages on your Pinterest account. 

When using your email account, use caution; any communication that does not appear to come from a known source may be a hoax. Attachments should be treated with caution since they could contain malware. 

One of the best VPNs might help you protect yourself from phishing frauds. Nord and Surfshark offer built-in anti-virus with their memberships, while Nord's Threat Protection Pro product is a proven anti-phishing champion. 

Currently, Pinterest has not issued an official statement regarding the reported hack. The Cyber Press team has contacted Pinterest to warn them of the data leak and is awaiting their response.

If proven, this data leak might have serious ramifications for Pinterest. The company may incur significant operating costs in investigating the hack and alerting affected users.

As the issue evolves, users should actively check their accounts and look for any formal statements from Pinterest regarding the potential data loss.

Be careful while sharing your data

The greatest method to avoid becoming a victim of a data breach is to use extreme caution while disclosing your personal information. Give websites only what they need; having a VPN enabled prevents many trackers and encrypts your data on both ends, preventing hackers from making sense of it. VPN services frequently have zero-logs policies, which means hackers have nothing to work with. 

Has Your Password Been Compromised? Here’s How to Find Out

 

If your online accounts have been hacked, you may be thinking about what to do next. There are multiple ways to find out if your accounts were hacked — and the severity of the breach. 

HaveIBeenPwned 

Have I Been Pwned, a searchable data breach database was created by Troy Hunt, a Microsoft regional director, and MVP in December 2013. With 1.5 lakh visitors every day, and three million email subscribers it is, by far, the biggest and most popular method to find out if your password has been stolen. 

You start by simply entering your email address or username, and within seconds details of any data breaches that your credentials were stolen will appear. However, the site won't tell you which sites the password was found on since this could make it possible for someone to piece together a username and password that hasn't been changed yet. 

DNS Hijack 

 A domain name system (DNS) hijack is another way that hackers can find out if their victims are using a particular website. DNS hijacks redirect your computer’s web browser to an entirely different website — usually, one that looks like the real website you’re trying to reach. 

History Scan 

You can also check your browser’s activity history to see if a hacker accessed your computer via your browser. See if there are any entries that indicate that someone used your computer to visit a website your browser normally doesn’t go to. 

Mitigation Tips 

You can't protect against everything. The most important thing you can do is to always keep your personal information secure. And even if you do everything right, there is always a chance that you'll get hacked. A breach is a catastrophe for any business, not just one dealing with large amounts of sensitive data. 

The more you know about hacks and how to mitigate them, the better equipped you are to respond to a breach. There are a number of ways to protect your online accounts, including using a password manager, two-factor authentication, and multi-factor authentication. 

If you do not think your account was accessed by someone other than you, the best thing to do is to log out of all sessions and change your password. And activate two-factor authentication, which will cut down on the likelihood that someone will gain access to your account, even if they have your password. Once you're sure that you didn't have unauthorized access to your account, you can get back to business as usual. 

There are other ways, too, that you can protect yourself from online threats, including installing your operating system's built-in protection or using a virtual private network (VPN). And if you do think your account was accessed by someone other than you, make sure to report it as a potential hacking attempt.

RTX 4090 can Crack Your Password in 50 Minutes

 

RTX 4090 can Crack Your Password in 50 Minutes RTX 4090 can crack one of your passwords twice as quickly compared to the previous leader RTX 3090. 

Threat analyst and password cracker Sam Croley expressed on Twitter how amazing the latest GeForce RTX 4090 is in breaching passwords. The Ada Lovelace architecture flagship graphics card can crack one of your passwords twice as quickly as the previous leader, the RTX 3090, by circumventing Microsoft’s New Technology LAN Manager (NTLM) authentication technique. 

According to the researcher, all of the tests were performed using Hashcat v6.2.6 in benchmark mode. Hashcat is a popular and widely employed password-cracking tool utilized by system administrators, cybersecurity experts, and hackers to examine or guess user passwords. 

“First @hashcat benchmarks on the new @nvidia RTX 4090! Coming in at an insane >2x uplift over the 3090 for nearly every algorithm. Easily capable of setting records: 300GH/s NTLM and 200kh/s bcrypt w/ OC! Thanks to a blazer for the run,” Croley tweeted. 

Croley's benchmark run results 

Based on the benchmark findings, a fully outfitted password hashing rig with eight RTX 4090 GPUs has the computing power to bypass through all 200 billion iterations of an eight-character password in 48 minutes. The sub-one-hour result is 2.5 times faster than the RTX 3090's previous record. Both benchmark measurements were performed using only commercially available GPU hardware and related software. 

Additionally, the Hashcat software offers multiple assault types created to facilitate password recovery assistance or, depending on the user, unauthorized access to another's accounts. The attack types include dictionary attacks, combinator attacks, mask attacks, rule-based attacks, and brute force assaults. 

While the benchmark results may sound ominous, it's important to note that the Croley performed a test on a limited set of real-world use cases and the cracking tool was working under ideal conditions on local/offline files. 

Moreover, individuals with enough bank balance can afford to buy RTX 4090. The password-cracking tools cost $1,600 including electricity costs. Therefore, it’s not merely a question of will. The RTX 4090 lowers the cost of actually cracking passwords, which will continue to happen as long as more potent GPUs are published and security techniques are primarily unchanged. 

The researcher advised users to employ multi-factor authentication and not use old passwords as it may allow a malicious hacker to get a hold of a password hash database.

New Specops Password Policy Detects and Blocks in User's Active Directory

 

Specops Software, a password manager, and authentication solutions vendor published a new report this week explaining how the company’s breached password protection policy can spot over 2 billion known breached passwords in users' Active Directory. 

Specops Breached Password Protection offers a service that scans a user’s Active Directory passwords against a dynamically updated list of vulnerable passwords. The list contains over 2 billion passwords from known data leak incidents as well as passwords used in real assaults happening currently. 

Specops also restrict users from designing passwords vulnerable to dictionary assaults by blocking commonly employed passwords. During a password change, the password scanner blocks any passwords identified in the database with a dynamic response for end-users. Additionally, it designs a custom dictionary containing potential passwords relevant to users work place, including firm names, locations, services, and relevant acronyms. 

According to security analysts at Specops, password attacks work because users set predictable passwords. When asked to set a complex password, users employ familiar steps that attackers can easily crack. For example, starting with a common word, followed by a number and/or special character. The length of the password is also very defensive. 

Specops scanned over 800 million known exploited passwords, up to 83% of passwords were present in vulnerable password databases meaning they were unable to meet regulatory password standards. To finalize the result, security analysts compared the construction rules of 5 different standards against a dataset of 800 million exploited passwords. 

“You can install Specops Password Auditor on any workstation that’s joined to your Active Directory. From the outset, you can download a database from us, which is updated every three months, based on the biggest leaks that have happened in that three-month period, plus the most common hits against our master database, Darren James, password and authentication analyst from Specops explained.

The database downloaded by the user consists of over 800 million of the most commonly breached and leaked password hashes, while our master database, updated daily, contains 2.6 billion hashes. You can export reports showing the results into a script or document to send to members of your organization. From here, Password Policy helps to solve the problem by eliminating breaches and weak passwords and ensuring that passwords are compliant.” 

Google stored G Suite passwords in plaintext, apologises


Google says a small number of its enterprise customers mistakenly had their passwords stored on its systems in plaintext.

If you have a Google account, Google's core sign-in system is designed not to know your password.
The search giant disclosed the exposure Tuesday but declined to say exactly how many enterprise customers were affected. “We recently notified a subset of our enterprise G Suite customers that some passwords were stored in our encrypted internal systems unhashed,” said Google vice president of engineering Suzanne Frey.

The company said that only G Suite enterprise customers were impacted, but not regular Gmail accounts.

The tech giant said it had notified G Suite administrators to change the impacted passwords.

Google on Wednesday extended an apology to its G Suite customers.

"We apologise to our users and will do better," she added.

Most G Suite customers are companies that signed-up for enterprise versions of Gmail, Google Docs, Google Sites, Google Drive, and Google's various other services.

No consumer Gmail accounts were affected by the security lapse, said Frey.

Storing passwords without cryptographic hashes expose them to hacking risk as they become readable.

Passwords are typically scrambled using a hashing algorithm to prevent them from being read by humans. G Suite administrators are able to manually upload, set and recover new user passwords for company users, which helps in situations where new employees are on-boarded. But Google said it discovered in April that the way it implemented password setting and recovery for its enterprise offering in 2005 was faulty and improperly stored a copy of the password in plaintext.

Google has since removed the feature.

Google said the bug at the heart of this security breach was an old tool it developed back in the 2000s.

"The tool (located in the admin console) allowed administrators to upload or manually set user passwords for their company's users," the company said today.

Bitcoin hacker steals money and passwords from Dark Web users, jailed

Blockchain and cryptocurrency related crimes are something heard about in a very scarce quantity. But this week, a 37 year-old man in the US has been sentenced to one year and one day in prison for fraud in connection with a Bitcoin $BTC▲2.4% phishing scheme designed to rob victims of their cryptocurrency.

Michael Richo was allegedly running an elaborate bitcoin phishing scheme, all with the purpose of stealing confidential information from unaware victims, including various sums of cryptocurrency which they held.

Richo, of New Haven, was also ordered to forfeit $352,000 in cash, various computers and electronic devices, such as digital and hardware-based wallets, which contained a vast array of different precious metals and virtual coins that he purchased with the proceeds of his offense.

It was during the trial that evidence, such as court documents from the trial in question, as well as supplementary statements, illustrate just where Richo was going in order to target individuals for his Phishing attacks – The Dark Web.

Per court documents associated with Richo’s case, he will be subject to three years of supervised release once he’s out of prison. His operation involved targeting individuals on the dark web using marketplaces.

He did so by posting fake links to online marketplaces on dark web forums. Once users clicked on them, these links would then direct users to fake login pages that resembled the real login pages for various dark web marketplaces. Once the victim entered his credentials, the hacker would steal them. He would then monitor the individual’s Bitcoin balance at the real marketplace and would withdraw the coins once the person deposited the funds. He would then either deposit the funds directly to his bitcoin wallet, or sell them on cryptocurrency exchanges for US dollars. The US dollars obtained as a result were deposited into bank accounts under his control or provided to him through Green Dot Cards, Western Union transfers, and MoneyGram transfers.

The dangers of default passwords : Routers use default 'password'


A hacker with twitter handle SuperSl1nk has discovered a security flaw in the Router's web admin interface. The famous organization left their router password as default one.  The worst part is that the default password is 'password'

"The dangers of default passwords is a critical vulnerability that unfortunately touches a lot of school, business, government and other ... The developpers are not aware of the danger or repercussion that this may have on the entire system." The hacker said in the leak.

"I can publish a little of my results. Only for Lesson ! :p"

The list of affected network includes BellSouth.net (U.S.A), Imagination (U.S.A),
Hotwire Communications (U.S.A), Capital Market Stragies L (U.S.A), University of Maryland Baltimore County (UMBC U.S.A), U.S. Network (U.S.A), LG DACOM Corporation (Korea).

Other affected networks : Harano Telecom (Korea),SK Broadband Co Ltd (Korea) ,Korea Telecom (Korea) , Infrastructure EM (Denmark) , Bahnhof Internet AB (Sweden), Intelligente Office (Canada), Wightman Telecom (Canada).

"@EHackerNews I've seen much worse, but I did not publish everything, I have access to ISP, Telecom, Gov, Military, Big Company... " In a tweet hacker replied to EHN.

All of the affected network has the same password to sign in to the interface .  Yes it is 'password' .  

http://pasteit.com/19643

Browser Event Hijacking allows hacker to steal your password

Browser Event Hijacking

Be careful what you type on your web browser.  Hacker can hijack search command in browser and steal your password or any other sensitive data by social engineering attack.

The hacking method has been possible for years , but now two POCs has been published that demonstrate how an attacker can lure victims to give their password.

Browser Event Hijacking:

The hacker can hijack the browser event by using 'preventDefault' method on JavaScript, that cancels an operation while allowing all remaining handlers for the event to be executed. For Eg: if you press Ctrl+F , hackers can display their own search box instead of the browser search box.

The hack was initially posted here:
http://labs.neohapsis.com/2012/11/14/browser-event-hijacking/

A simple code that hijacks the browser event and steal password :
$(window).keydown(function(evt){
                if((evt.which == "70" && (evt.metaKey || evt.ctrlKey))){
                        console.log("STRG+F");
                        evt.preventDefault();
                        /* display fake search */
                        $("#searchbox").slideDown(110);
                        $('#search').focus();



Then another researcher rebuild the POC with a fake list of leaked passwords. So someone just presses CTRL+F in his browser and types his password to look if it is leaked ,become victim.

The POC :
http://h43z.koding.com/blog/leaked.html

If you search for any keywords in the page, it will lure you to believe there is password with your search string.