About these ads

Archive

Posts Tagged ‘Password’

The Party Is Not Over! 250,000 Twitter accounts compromised!

February 2, 2013 6 comments

The Information Security Community is still commenting the Cyber Attacks against U.S. media companies and here it is another clamorous news in this February Weekend!

twitterposOn the wake of the admissions made by The New York Times and The Wall Street Journal, Twitter has revelaed in a blog post, to have detected, over the last week, unusual access patterns that led to identify unauthorized access attempts to some user data. They even discovered, and were able to shut down, one live attack, but their effort did not prevent the attackers to access user information for 250,000 users. The compromised data for the affected users includes : usernames, email addresses, session tokens and encrypted/salted passwords.

As a precautionary security measure, the social network has reset the passwords and revoked the session tokens for the affected accounts. The impacted users would have received (or will soon receive) an email, notifying them to create a new password.

This is not the first time that a primary social network is hacked: on June 2012 LinkedIn had 6.5 million accounts compromised.

The problem is that our online experience is getting harder and harder: counting (and immediately patching) all the exploitable 0-day vulnerabilities of the browsers and their components  is getting harder and harder (see the Java saga for example), and apparently even protection technologies are not so useful

About these ads

Yet Another Breach Targeting Adobe

November 15, 2012 Leave a comment

Logo of Adobe Systems Incorporated

Hard Times for Adobe. On the evening of Tuesday, November 13, 2012, immediately after the claims of an alleged Egyptian hacker dubbed ViruS_HimA, the company has taken offline the connectusers.com forum.

In his pastebin post, the hacker claims to have breached an unidentified Adobe server, gaining full access to it and dumping the whole Database: over 150,000 emails, passwords with full data of Adobe customers and partners with some users belonging to Adobe, Google, NASA, Military Institutions, etc.).

As a proof of his breach he has published some screenshot, and a text file containing 645 records with emails belonging to some selected domains: “adobe.com”, “.mil” and “.gov”.

After the rumors, the breach has been finally confirmed by Adobe in a blog post where the company has announced the decision to take the forum offline and to reset the passwords.

Meanwhile more details about the breach are emerging: the hacker allegedly exploited a SQL Injection vulnerability, and also the cracked passwords from the breach show a lack of security with no salt, no iteration, and finally no complexity. Unfortunately we are getting more and more used to attacks exploiting SQLi and to poorly-protected passwords.

Unfortunately Adobe continues to attract the attention of cyber-attackers. At the end of September the company discovered a targeted attack against a build server accessing the code signing infrastructure with the consequence that the certificates of 5000+ applications were revoked, one month and half later the passwords of 150,000 forum users are at risk.

Follow

Get every new post delivered to your Inbox.

Join 2,898 other followers