Search This Blog

Showing posts with label Passwords. Show all posts

RockYou2021: The Largest Data Leak with 8.4 Billion Passwords

 

According to Cybernews, what appears to be the world's largest password collection, called RockYou 2021, has been leaked on a famous hacker site. A forum user uploaded a 100GB TXT file containing 8.4 billion password entries. 

All of the passwords in the leak, according to the author, are 6-20 characters long, with non-ASCII characters and white spaces eliminated. According to the same individual, the collection has 82 billion passwords. However, Cybernews discovered that the actual figure was roughly ten times lower, at 8,459,060,239 entries, after conducting its own testing. 

The forum member has named the compilation ‘RockYou2021,' probably in allusion to the historic RockYou data breach that occurred in 2009 when threat actors hacked into the social app website's servers and obtained over 32 million user passwords stored in plain text. 

This leak is equivalent to the Compilation of Many Breaches (COMB), the greatest data breach compilation ever, with a collection that exceeds its 12-year-old namesake by more than 262 times. The RockYou2021 compilation, which has been accumulated by the individual behind the compilation over several years, contains its 3.2 billion hacked credentials, as well as credentials from numerous other hacked databases. Given that only roughly 4.7 billion people are online, the RockYou2021 compilation might theoretically contain the passwords of the entire global online population almost two times over. 

“By combining 8.4 billion unique password variations with other breach compilations that include usernames and email addresses, threat actors can use the RockYou2021 collection to mount password dictionary and password spraying attacks against untold numbers of online accounts,” CyberNews notes.

“Since most people reuse their passwords across multiple apps and websites, the number of accounts affected by credential stuffing and password spraying attacks in the wake of this leak can potentially reach millions, if you feel one or more of your passwords may have been exposed as a result of the RockYou2021 incident, you should change your passwords for all of your online accounts right away. A password manager, according to Cybernews, can help you build strong, complex passwords that aren't easy to remember. You may also set up two-factor authentication (2FA) across all of your accounts. Finally, as always, carefully check all unsolicited spam emails, phone calls, and text messages for signs of phishing.

ClickStudios told Clients to Change Passwords After a Cyberattack

 

Following a cyberattack on the corporate password manager Passwordstate, Click Studios, an Australian software house, has advised consumers to reset passwords across their organizations. According to an email sent to consumers by Click Studios, attackers had "compromised" the password manager's software upgrade function in order to extract user passwords. 

Between April 20 and April 22, the Australian software firm was hacked. The attack specifics were published by CSIS Security Group, which dealt with the hack. In an advisory, ClickStudios detailed the assault.

The company said, “Initial analysis indicates that a bad actor using sophisticated techniques compromised the In-Place Upgrade functionality. The initial compromise was made to the upgrade director located on Click Studios website www.clickstudios.com.au. The upgrade director points the In-Place Upgrade to the appropriate version of software located on the Content Distribution Network. The compromise existed for approximately 28 hours before it was closed down. Only customers that performed In-Place Upgrades between the times stated above are believed to be affected. Manual Upgrades of Passwordstate are not compromised. Affected customers password records may have been harvested.” 

An update to the Passwordstate app started the supply chain assault. When the malicious update is enabled, it connects to the attacker's servers and downloads malware intended to intercept and deliver the password manager's contents back to the attackers. The attacker's servers were also taken down on April 22, according to the company. However, if the attackers are able to reactivate their infrastructure, Passwordstate users can be at risk.

Employees can exchange passwords and other personal information through their company's network computers, such as firewalls and VPNs, shared email addresses, internal directories, and social media accounts, using enterprise password managers. According to Click Studios, Passwordstate is used by “more than 29,000 customers,” including Fortune 500 companies, federal agencies, banks, military and aerospace companies, and businesses in most sectors. 

For the remediation for Passwordstate customers, ClickStudios said, “Customers have been advised to check the file size of moserware.secretsplitter.dll located in their c:\inetpub\passwordstate\bin\ directory. If the file size is 65kb then they are likely to have been affected. They are requested to contact Click Studios with a directory listing of c:\inetpub\passwordstate\bin output to a file called PasswordstateBin.txt and send this to Click Studios Technical Support.”

Security Firm Stormshield Discloses Data Breach, Theft of Source Code


Stormshield is a French based leading cyber-security firm that provides network security services and security equipment to the government. Recently the firm discovered that malicious actors have used one of its customer support portals and stole sensitive credentials of some of its customers. While reporting the same to the press, the firm also said that hackers successfully managed to steal parts of the source code for the Stromshield Network Security (SNS) firewall, a product certified for use in sensitive government networks, as part of infiltration. 

The organization told that its team is investigating the attack and assessing the impact of the breach on government systems with the French cyber-security agency ANSSI (Agence Nationale de la Sécurité des Systèmes d'Information). 

"As of today, the in-depth analysis carried out with the support of the relevant authorities has not identified any evidence of illegitimate modification in the code, nor have any of the Stormshield products in operation been compromised," Stormshield said in a message posted earlier today on its website. 

The cybersecurity department of the French government is taking this cyberattack as a major data breach. The French cyber-security agency ANSSI noted in its own press release that "Stormshield SNS and SNI products have been 'under observation' for the duration of the investigation." 

Additionally, Stromshield has informed that its department is reviewing the SNS source code and has also taken some major steps to prevent further attacks on the firm. The Company has also replaced the digital certificates which were used to sign SNS software updates. 

"New updates have been made available to customers and partners so that their products can work with this new certificate, all the support tickets and technical exchanges in the accounts concerned have been reviewed and the results have been communicated to the customers," Stormshield spokesperson said. 

“Only about 2% of customer’s accounts were affected in the breach, which is "around 200 accounts out of more than 10,000." He added. 

Furthermore, the French security firm said “it also reset passwords for its tech support portal, which the attackers breached, and the Stormshield Institute portal, used for customer training courses, which weren’t breached, but the company decided to reset passwords as a preventive measure”.

250,000+ Login/Passwords Leaked in The Trident Crypto Fund Data Breach


More than 260,000 customers’ data was compromised online in a gigantic data breach that went down pretty recently.

Trident Crypto Fund, per reports, experienced this data breach which gave rise to the leakage of thousands of customer records including usernames and passwords, online.

Per sources, Trident is a crypto-investment index fund that functions as an arm of the “Dragonara Business Center”, Italy. It also is reportedly the “first coin-based index fund”.

And like scattered sugar for ants, the leaked records were immediately devoured by the cyber-cons right after they were compromised.

Per sources, personal data of over 260,000 registered users of the Trident Crypto Fund was left bare for people to exploit as per they wished to.

Reports mention that the leaked data comprised of phone numbers, encrypted passwords, email addresses, and IP addresses.

The aforementioned data was discovered to be published on several “file-sharing” websites in the past month.

According to researchers, the hackers had evidently de-crypted the stolen files and published an array of over 120,000 passwords at the beginning of March. It was also found out that the password and login ID pairs were matchless with the ones previously leaked.

The details or even the mention of the data breach haven’t appeared on the website or on other communication platforms. But reportedly, a victim of the breach was contacted who confirmed the connection between the fund and the leaked data.

As mentioned on the fund’s website, the company “works hard” to protect its customers’ data and secure accounts. They allegedly are also investigating the “suspected breach”.

The Russians were the ones to get heavily affected by the above-mentioned data leak as the compromised data was a direct key to their accounts. Word has it that more than 10,000 Russian users were impacted by the Trident Crypto Fund data breach.

Even though it’s possible that Russian residents might have had their records leaked previously as well, there are no records of that happening.

Nevertheless, this data breach structured the history of data leakages for Russia as this happens to be one of the first major ‘Personal’ data breaches the country’s citizens have faced that has had such a major impact.

TP-Link Routers Vulnerable Again; Voids Passwords! Patching Highly Suggested!



A “zero-day vulnerability” was recently discovered in the “TP-Link Archer C5v4 routers” with the firmware version 3.16.0 0.9.1 v600c and of the build 180124 Rel.28919n.

This vulnerability could affect devices both at corporate levels as well as domestic level. The attacker could take control of the routers configuration by way of “telnet on the local area network” and it could connect to the File Transfer Protocol (FTP) via the LAN or WAN (wide area network).

The attackers could gain complete access of all the admin licenses and privileges. Enabling guest wi-fi, and acting an entry point happen to be a few other demerits of the vulnerable router.

Previously as per reports there was a “password overflow issue”. When a string shorter than the estimated length is typed then the estimated length is sent as the password, altering the actual password whereas if too long then the password gets void.

The vulnerability allegedly depends on the type of request that is sent through for requesting access to the device. Either it is safe or is vulnerable. The safe requests for HTML content there are two aspects that need to be taken into account.

One of them being the “TokenID” and the other being “the JSESSIONID”. Per reports the common Gateway Interface though, is only based on the referrer’s HTTP headers if it matches the IP address or the domain related to it then the main service of the routers thinks it to be valid and if the referrer is removed it responds as “Forbidden”.

The automated attacks that were dissipated via the botnet malware, “Mirai” were caused by weak passwords that allowed access to the FTP server and even provided console access.


Reportedly, the function “strncmp” is used to validate the referrer header with the string “tplinkwifi.net”. It apparently also validates for the IP address. This is definitely hence a disconcerting vulnerability which could be easily exploited.

The shorter strings when sent corrupt the password stopping the users from logging in but luckily it would stop the attacker too. FTP, Telnet and other services are mostly affected by this.

A longer string length made it entirely void and the value became empty. This made Telnet and FTP accessible simply by using “admin” as a password which is the default.

The same configuration of FTP is also allowed on the WAN. The router also reportedly happens to be vulnerable to the CGI attack which is pretty injurious to privacy.

So far there isn’t a way to set a new password, but even if there were the next vulnerable LAN/WAN/CGI request would void that password as well. Per reports, another aftermath of this vulnerability is that the RSA encryption key would crash.

This vulnerability is extremely disconcerting when the “Internet of Things” IoT security is considered at large. Millions of businesses and homes could be affected by any exploit or vulnerability these routers disperse.

What could be done right off the bat is, creating stronger passwords, applying two-factor authentication, changing all the default passwords and at last applying mitigating controls to all the devices in use.

Patching is HIGHLY ADVISED. TP-Link has provided patches for the TP-Link Archer C5 v5 and other versions.