WebProNews

Tag: passwords

  • Ditch the Password for Your Microsoft Account

    Microsoft has announced that users can ditch the password for their accounts, a move that brings a new level of convenience and security.

    Remembering passwords has always been a challenge for many, one that grows with the number of services, apps and platforms a person uses. Add in some passwords being caught in data breaches and needing to be replaced, and keeping up with one’s passwords quickly becomes a chore.

    Microsoft is trying to help ease that frustration by making passwordless login a reality. CEO Satya Nadella tweeted about it Wednesday, September 15:

    Vasu Jakkal, Corporate Vice President, Security, Compliance and Identity, expanded on how the feature will work.

    For the past couple of years, we’ve been saying that the future is passwordless, and today I am excited to announce the next step in that vision. In March 2021, we announced that passwordless sign in was generally available for commercial users, bringing the feature to enterprise organizations around the world.

    Beginning today, you can now completely remove the password from your Microsoft account. Use the Microsoft Authenticator app, Windows Hello, a security key, or a verification code sent to your phone or email to sign in to your favorite apps and services, such as Microsoft Outlook, Microsoft OneDrive, Microsoft Family Safety, and more. This feature will be rolled out over the coming weeks.

  • Majority of Users Don’t Change Passwords After Data Breach

    A new study has found the vast majority of users fail to change their passwords after being notified their data was impacted by a security breach.

    Virtually everyone has received an email from a credit agency, or a company whose products and services they use, informing them their data was compromised in a breach. Inevitably, those emails include recommendations to change their password. Unfortunately, it appears those warnings go largely unheeded.

    Sruti Bhagavatula and Lujo Bauer of Carnegie Mellon University, and Apu Kapadia of Indiana University Bloomington, conducted a study on the aftermath of data breaches, with the goal of helping companies better mitigate damage.

    According to the researchers, “only 21 of the 63 affected participants changed a password on a breached domain after the breach announcement.”

    To make matters even worse, “previous work has shown that, on average, a user exactly or partially reuses their passwords on over 50% of their accounts.”

    This means that many customers are not only at ongoing risk from the data breach directly impacting them, but their data on other, unrelated sites is also at risk because of reusing passwords.

    The study illustrates that companies need to do a far better job of helping customers choose more secure passwords, and engage them post-breach to help them update their passwords and information. Overall, the study is an in-depth look at the challenges companies face in order to better mitigate the impact of data breaches and is a must-read for any security professional.

  • Your Passcode Is Protected by Fifth Amendment, Says Court

    Can the police compel you to give up your iPhone passcode?

    Not according to one federal court’s ruling. Doing so would be a violation of your Fifth Amendment rights.

    The case in question involved two insider trading suspects and the Securities and Exchange Commission’s desire to get at evidence it believed was present on the defendants’ work-issued iPhones.

    Unfortunately for the SEC, the phones were protected with passcodes.

    “The SEC argues Defendants, as former Bank data analysts, are corporate custodians in possession of corporate records, and as such cannot assert their Fifth Amendment privilege in refusing to disclose their passcodes. Defendants disagree they are corporate custodians and argue providing the passcodes to their phones is ‘testimonial’ in nature and violates the Fifth Amendment,” says the ruling.

    So, who’s right?

    According to the court, it’s the defendants.

    “Since the passcodes to Defendants’ work-issued smartphones are not corporate records, the act of producing their personal passcodes is testimonial in nature and Defendants properly invoke their fifth Amendment privilege.”

    Your passcode is testimonial, and thus forcing you to reveal it would violate your right against self-incrimination.

    But according to one constitutional scholar, it wouldn’t be wise to think that there’s no feasible way for the government to get around said Fifth Amendment protections.

    “Having the defendant enter in his passcode would minimize the Fifth Amendment implications of the compelled compliance, as it would not involve disclosing the potentially incriminating evidence of the passcode itself. The passcode itself could be independently incriminating, at least in some cases. Imagine a conspiracy case in which members of the conspiracy use a common passcode. Proof that a suspect used that exact passcode on his own phone would be incriminating evidence, as it could help to show membership in the conspiracy,” writes Orin Kerr for the Washington Post.

    “Because the passcode itself could be incriminating, the smart way to limit the Fifth Amendment problem is for the government to ask for an order compelling the target to enter in the passcode rather than to divulge it to the police.”

    And we’re just talking about passcodes. If you use Apple’s Touch ID or any other sort of biometrics to lock your devices, you may be shit out of luck.

  • Apple’s New iOS 9 Requires 6-Digit Passcodes

    If you use TouchID to unlock your iPhone and iPad, the idea of typing in a passcode seems quite Stone Age – but plenty of iOS users still punch in a four-digit passcode every time they unlock their devices. That’s about to change.

    The new iOS set to debut this fall, iOS 9, is changing your passcode from four digits to six.

    According to Apple, this will make it harder for those with bad intentions to access your private info.

    “Keeping your devices and Apple ID secure is essential to protecting all the personal information you store with and access through Apple — like your photos, documents, messages, email, and so much more. iOS 9 advances security by strengthening the passcode that protects your devices, and by making it harder for others to get unauthorized access to your Apple ID account. These new security features are easy for you to use. But they make it much harder for anyone else to access your personal information,” says Apple.

    Your new six-digit codes offer 1 million possible permutations – as opposed to just 10,000 offered by a four-digit code.

    Definitely a step up, but not perfect by any means.

    Apple is also introducing two-factor authentication with iOS 9.

    “A password alone is not always enough to keep your account secure. With two-factor authentication, when you sign in from a new browser or on a new device, you’ll be prompted for a verification code. This code is automatically displayed on your other Apple devices or sent to your phone. Enter the code and you’re quickly signed in — and any unauthorized users are kept out,” says the company.

    Will a six-digit code be tougher to remember than a four-digit code? Possibly. You can always just use Touch ID in most scenarios, though. Will a six-digit code be more secure than a four-digit code? Yeah, it’ll be harder to brute force – unless your passcode is “123456”.

  • Your Security Questions Aren’t Providing Much Security

    Everyone’s favorite food is pizza, so when a site asks you to provide an answer for the security question “What’s your favorite food?”, don’t say pizza.

    Providing answers to security questions is something we’re all very familiar with, as it’s been a tool for account security and recovery for a long time. But are these security questions even that secure?

    Apparently not, according to a new Google study. The company looked at hundreds of millions of secret questions and answers used over the years and concluded that “secret questions are neither secure nor reliable enough to be used as a standalone account recovery mechanism.”

    The main problem is that easy answers are easy … to guess. And more specific, harder-to-guess answers are harder … for you to remember. Talk about a double-edged sword.

    Let’s take the “pizza” example. According to Google, anyone looking to break into someone else’s account has a 20% chance of getting in with the answer to the “what’s your favorite food” query – on the first try. That’s because everyone says “pizza”.

    Also, if you think lying is going to trip someone up, think again:

    “Many different users also had identical answers to secret questions that we’d normally expect to be highly secure, such as “What’s your phone number?” or “What’s your frequent flyer number?”. We dug into this further and found that 37% of people intentionally provide false answers to their questions thinking this will make them harder to guess. However, this ends up backfiring because people choose the same (false) answers, and actually increase the likelihood that an attacker can break in,” says Google.

    On the other side of the sword, you have the tougher security questions that merit more specific answers. For instance, “What’s your frequent flyer number?”

    From Google:

    Surprise, surprise: it’s not easy to remember where your mother went to elementary school, or what your library card number is! Difficult secret questions and answers are often hard to use. Here are some specific findings:

    – 40% of our English-speaking US users couldn’t recall their secret question answers when they needed to. These same users, meanwhile, could recall reset codes sent to them via SMS text message more than 80% of the time and via email nearly 75% of the time.
    – Some of the potentially safest questions—“What is your library card number?” and “What is your frequent flyer number?”—have only 22% and 9% recall rates, respectively.
    – For English-speaking users in the US the easier question, “What is your father’s middle name?” had a success rate of 76% while the potentially safer question “What is your first phone number?” had only a 55% success rate.

    Long story short, having a harder-to-crack security Q&A means nothing if you can’t remember it.

    Text and email code verification seems to be a much better way to protect and retrieve accounts. Maybe we can say good riddance to the security question. I sure hate having to think about my first dog whenever I forget my password.

    Infographic via Google, Image via Thinkstock

  • Starbucks: Bad Passwords, Not Hackers to Blame for App Thefts

    If you use the Starbucks app to pay for your morning coffee, you might want to check your bank account. And then strengthen your password.

    After reports emerged saying hackers had gained access to user accounts and used its app to siphon money away from unsuspecting customers, Starbucks has hit back, saying that these reports are false.

    Blogger Bob Sullivan first reported the issue, telling the stories of multiple victims. What these “hackers” are doing is accessing a Starbucks customer’s account, using the balance to buy a gift card, and waiting for the app to auto-load more money onto the card. This way, they can draw funds directly from someone’s bank account or PayPal account.

    From Bob Sullivan:

    Maria Nistri, 48, was a victim this week. Criminals stole the Orlando woman’s $34.77 in value she had loaded onto her Starbucks app, then another $25 after it was auto-loaded onto her card because her balance hit 0. Then, the criminals upped the ante, changing her auto reload amount to $75, and stealing that amount, too. All within 7 minutes.

    CNN confirmed that this was happening to other people:

    It happened to Jean Obando on the Saturday evening of December 7. He had just stopped by a Starbucks in Sugar Land, Texas and paid with his phone app. Then while driving on the highway, his phone chimed with a barrage of alerts. PayPal repeatedly notified him that his Starbucks card was being automatically reloaded with $50.

    Then came the email from Starbucks.

    “Your eGift Just Made Someone’s Day,” the email said. “It’s a great way to treat someone — whether it’s to say Happy Birthday, Thank you or just ‘this one’s on me.’”

    He got 10 more just like it — in just five minutes.

    Sounds bad. And it is. But according to Starbucks – this isn’t a hack. This is simply bad password practices.

    “Like all major retailers, the company has safeguards in place to constantly monitor for fraudulent activity and works closely with financial institutions. To protect the integrity of these security measures, Starbucks will not disclose specific details but can assure customers their security is incredibly important and all concerns related to customer security are taken seriously,” said Starbucks.

    “Occasionally, Starbucks receives reports from customers of unauthorized activity on their online account. This is primarily caused when criminals obtain reused names and passwords from other sites and attempt to apply that information to Starbucks. To protect their security, customers are encouraged to use different user names and passwords for different sites, especially those that keep financial information.”

    Starbucks is right in that your passwords do suck. But the company can do more to help prevent this sort of scheme (two-step authentication wouldn’t fix everything but could help). Also, Starbucks doesn’t have a perfect record when it comes to app security.

    Image via Starbucks

  • Edward Snowden on Your Laughably Bad Passwords

    “The best advice here is to shift your thinking from passwords to passphrases. Think about a common phrase that works for you that’s too long to brute force and also make them unlikely to be in the dictionary,” says American living in exile Edward Snowden.

    The famed NSA contractor who exposed America’s massive surveillance empire sat down with HBO’s John Oliver this past Sunday to discuss, among other important things, dick pics. Oliver traveled to Russia to interview Snowden, and it provided us with a very entertaining and also quite informative fifteen minutes of television.

    Well, it looks like there was more to the interview that HBO didn’t edit into the final product. Oliver and Snowden had a brief conversation about passwords, and HBO has finally put it up online.

    You can watch the video below, but if you’re in a rush, the main takeaway is that Edward Snowden laughs at your 13-character passwords. If you’re not rockin’ something like “margaretthatcheris110%sexy” when you log in to Facebook, you’re vulnerable.

    I take it back. Watch the video in its entirety. It’s worth it.

    Y’all’s passwords really are terrible though. Mine is too. I’m not above this.

    Image via Last Week Tonight with John Oliver, YouTube

  • Uber Denies Breach After User Info Goes Up for Sale

    Uber says that it has found no evidence of a security breach following reports that user data has popped up for sale on dark web sites.

    Motherboard reports that thousands of active Uber accounts are currently for sale on sites like AlphaBay market – some for as cheap as $1 and up to $5. Of course, having one’s Uber login credentials would give you access to their email address, phone number, home address, and travel history.

    Uber accounts also show partial credit card numbers. There’s also the possibility that people share their Uber login/password with other services.

    From Motherboard:

    Motherboard received a sample of names and passwords available and verified that at least some of the accounts were active by contacting those users. The data includes names, usernames, passwords, partial credit card data, and telephone numbers for Uber customers.

    Despite the report, Uber is claiming an investigation has yielded no evidence of any sort of security breach.

    “We investigated and found no evidence of a breach. Attempting to fraudulently access or sell accounts is illegal and we notified the authorities about this report. This is a good opportunity to remind people to use strong and unique usernames and passwords and to avoid reusing the same credentials across multiple sites and services,” said the company in a statement.

    This isn’t the first time Uber has been involved in a possible hack. The company admitted that up to 50,000 users may have been affected by a breach back in May. This also isn’t the first time Uber’s been under fire for possibly employing lax security practices.

    Uber recently reiterated its mission to make the service safer.

  • ‘123456’ Is Still the Most Common Password, So, Congrats Guys

    Congratulations are in order, as a year of corporate data spills and leaked Jennifer Lawrence nudes failed to move the most stubborn among us. Privacy be damned, people still enjoy the ease and comfort of the most simplistic, easily-sussed passwords imaginable.

    For another year, the most common password was ‘123456’. After that? ‘Password’.

    The data comes from SplashData, who compiles their annual “Worst Passwords” list from over 3.3 million leaked passwords.

    Here’s the top 25 list:

    1. 123456
    2. password
    3. 12345
    4. 12345678
    5. qwerty
    6. 1234567890
    7. 1234
    8. baseball
    9. dragon
    10. football
    11. 1234567
    12. monkey
    13. letmein
    14. abc123
    15. 111111
    16. mustang
    17. access
    18. shadow
    19. master
    20. michael
    21. superman
    22. 696969
    23. 123123
    24. batman
    25. trustno1

    “The bad news from my research is that this year’s most commonly used passwords are pretty consistent with prior years,” security expert Mark Burnett said. “The good news is that it appears that more people are moving away from using these passwords. In 2014, the top 25 passwords represented about 2.2% of passwords exposed. While still frightening, that’s the lowest percentage of people using the most common passwords I have seen in recent studies.”

    Oh good! It’s getting better.

    At this point, if your password is still ‘123456’, ‘baseball’, or ‘batman’, then you deserve whatever happens to you.

    Image via DelcanTM, Flickr Creative Commons

  • Dropbox: We Were Not Hacked

    According to reports, hundreds of Dropbox usernames and passwords were leaked online as a preview to a larger alleged leak of 7 million accounts.

    As The Next Web reports, a thread appeared on reddit pointing to files with the leaked account details, saying, “Here is another batch of Hacked Dropbox accounts from the massive hack of 7,000,000 accounts. To see plenty more, just search on [redacted] for the term Dropbox hack. More to come, keep showing your support.”

    According to Dropbox, it hasn’t been hacked, and any such account details have been obtained from third-party services. The company addressed the situation on its blog, saying that it wasn’t hacked:

    Recent news articles claiming that Dropbox was hacked aren’t true. Your stuff is safe. The usernames and passwords referenced in these articles were stolen from unrelated services, not Dropbox. Attackers then used these stolen credentials to try to log in to sites across the internet, including Dropbox. We have measures in place to detect suspicious login activity and we automatically reset passwords when it happens.

    Attacks like these are one of the reasons why we strongly encourage users not to reuse passwords across services. For an added layer of security, we always recommend enabling 2 step verification on your account.

    In an update to the post, it added:

    A subsequent list of usernames and passwords has been posted online. We’ve checked and these are not associated with Dropbox accounts.

    Long story short, it’s probably a good time to reset your passwords across the various online services you use, and to make them all different this time.

    Image via Dropbox

  • Millions Of Gmail Passwords Leaked

    According to various reports, starting with Russia’s CNews, nearly five million Gmail usernames and passwords were leaked, and published to a Russian Bitcoin forum.

    You can see the original report in Russian here, but The Daily Dot recaps:

    Much of the information is old and potentially out-of-date, Google representatives told Russian media, so the so-called “leak” may be more accurately described as a collection of phished and hacked credentials collected over years. In fact, many of the accounts have long been suspended or are matched with very old passwords.

    The file contains information on English-, Russian-, and Spanish-speaking users of Google services, such as Gmail and Google Plus. In addition to Google, the leak includes thousands of user credentials for Yandex, the largest search engine in Russia. Google and Yandex representatives told CNews that while the credentials were stolen through years of phishing and hacking against individuals, their own systems were never compromised.

    TheNextWeb provides further comment from Google:

    “The security of our users’ information is a top priority for us,” a Google spokesperson told TNW. “We have no evidence that our systems have been compromised, but whenever we become aware that accounts may have been, we take steps to help those users secure their accounts.”

    There’s a very good possibility this won’t affect you at all, but it might not be a bad idea to change your password to be on the safe side.

    Image via Wikimedia Commons

  • Over 1 Billion Online Usernames, Passwords Reportedly Stolen

    Wow, this is a big one.

    As first reported by The New York Times, Hold Security discovered that a Russian crime ring has stolen 1.2 billion username and password combinations and over 500 million email addresses from 420,000 websites “including household names and small Internet sites”. The Times reports:

    Hold Security would not name the victims, citing nondisclosure agreements and a reluctance to name companies whose sites remained vulnerable. At the request of The New York Times, a security expert not affiliated with Hold Security analyzed the database of stolen credentials and confirmed it was authentic. Another computer crime expert who had reviewed the data, but was not allowed to discuss it publicly, said some big companies were aware that their records were among the stolen information.

    Compromised sites include some here in the U.S. as well as some based in Russia itself. According to Hold Security, most of the sites involved are still vulnerable.

    A message on Hold Security’s site says:

    You have been hacked! Over the past 18 months, this was our conversation starter with many companies and individuals. Helping our clients prevent breaches or find their stolen data is our business. If you have been following information security, or even if you haven’t, you have probably heard of Hold Security and our work. In October 2013, we identified a data breach with Adobe Systems. Later in December that year, we independently identified and tracked the Target breach and in February 2014 we identified over 360 million stolen credentials trafficked on the black market. Overall, Hold Security played a role in identifying and helping victims with most of the largest breaches.

    In the latest development, Hold Security’s Deep Web Monitoring practice in conjunction with our Credential Integrity Services discovered what could be arguably the largest data breach known to date.

    Whether you are a computer expert or a technophobe, as long as your data is somewhere on the World Wide Web, you may be affected by this breach. Your data has not necessarily been stolen from you directly. It could have been stolen from the service or goods providers to whom you entrust your personal information, from your employers, even from your friends and family.

    They’re calling the Russian gang, which they say still has possession of the stolen data, “CyberVor”. The 1.2 billion credentials are just the unique ones taken from a whopping 4.5 billion records altogether. The 420,000 compromised sites include FTP sites.

    According to Hold Security, the gang acquired databases of stolen credentials from other hackers on the black market. These, it says, were used to attack email providers, social media, and other sites to distribute spam to victims and install malicious redirections on legitimate systems. Later, they got access to data from botnet networks and SQL injection.

    “The CyberVors did not differentiate between small or large sites,” the firm says. “They didn’t just target large companies; instead, they targeted every site that their victims visited. With hundreds of thousands sites affected, the list includes many leaders in virtually all industries across the world, as well as a multitude of small or even personal websites.”

    They encourage companies to check if their sites (including auxiliary sites) are susceptible to SQL injection. They then use the opportunity to plug their new “Breach Notification Service,” which charges you $10 a month or $20 a year to monitor your site for vulnerability.

    In fact, some see this as a bit shady.

    Kashmir Hill at Forbes writes, “It’s certainly in the interest of any security firm to portray the state of cybersecurity as dire to make their wares more appealing, and that’s something any reader should keep in mind when reading quotes from a security professional. But this is a pretty direct link between a panic and a pay-out for a security firm. Yes, I expect security firms to make money for making the Internet more secure, but I am skeptical of a firm with a financial incentive in creating a panic to be the main source for a story that causes a panic. If nothing else, it should be disclosed in the New York Times story that the firm that reported a major breach hoped to directly profit from it. We don’t just need hashed passwords salted, we need grains of salt in our reporting around security.”

    Those who watched the recent John Oliver bit on native advertising (which specifically talks about The New York Times) might be going back to look at the NYT piece for indication of a sponsored post. There doesn’t appear to be one.

    Meanwhile, Hold Security is also offering a service to individuals.

    Image via Facebook

  • Identity Theft Could Soon Be A Reality For eBay Users

    Identity theft is a constant concern for those who entrust their personal information to Internet companies. Now millions of users are at risk following a massive cyber-attack that recently hit eBay.

    Last week, we reported that eBay was hit by a massive cyber-attack when hackers broke into the company’s database that holds customers’ personal information. While no financial information was taken, customers’ email addresses, passwords and physical addresses were exposed. Skilled hackers can use this information to gain access to more personal information through social engineering tactics.

    As with most major cyber attacks, eBay can’t do much now that the damage is done. What it can do is ask that its customers change their passwords:

    EBay users will be notified via email, site communications and other marketing channels to change their password. In addition to asking users to change their eBay password, the company said it also is encouraging any eBay user who utilized the same password on other sites to change those passwords, too. The same password should never be used across multiple sites or accounts.

    Unfortunately, the hackers didn’t just take user information. eBay reports that the hackers also took some employee log-in credentials. There’s no indication that this information was used to access databases that may contain more sensitive information, but eBay is working with law enforcement to bring in those responsible.

    As you can imagine, people are not pleased with eBay at the moment. Much like the Target hack of last year, Attorneys General from various states are now opening up investigations to see if eBay could have done more to protect user information. The Attorneys General will also be looking into how eBay is planning to prevent future attacks.

    “My office will be looking into the circumstances surrounding this breach as well as the steps eBay is taking to prevent any future incidents,” said Connecticut Attorney General George Jepsen. “However, the most important step for consumers to take right now is to change their password and to choose a strong, unique password that is not easily guessed.”

    Image via Wikimedia Commons

  • eBay Hack Leads to Official Investigation by Multiple States

    Earlier this week, eBay revealed that an ongoing investigation of their own had found that a “small number” of employee login credentials had been compromised, giving attackers access to their corporate network.

    Now, it appears that they will face external probes from various state Attorneys General.

    “The magnitude of the reported eBay data breach could be of historic proportions, and my office is part of a group of other attorneys general in the country investigating the matter,” said Florida Attorney General Pam Bondi. “We must do everything in our power to protect consumers’ personal information, which is exactly why I worked with the Florida Legislature on the Florida Information Protection Act.”

    That group also includes the state Attorneys General for Connecticut and Illinois.

    “My office will be looking into the circumstances surrounding this breach as well as the steps eBay is taking to prevent any future incidents,” said Connecticut Attorney General George Jepsen. “However, the most important step for consumers to take right now is to change their password and to choose a strong, unique password that is not easily guessed.”

    According to eBay, the database that was breached contained names, encrypted passwords, email addresses, physical addresses, phone numbers and dates of birth–but eBay is claiming that no financial information was ever at risk.

    Even so, the company urged all users to change their eBay passwords, as well as any other passwords that they shared among other services.

    “Information security and customer data protection are of paramount importance to eBay Inc., and eBay regrets any inconvenience or concern that this password reset may cause our customers. We know our customers trust us with their information, and we take seriously our commitment to maintaining a safe, secure and trusted global marketplace,” said eBay in a statement.

    New York Attorney General Eric Schneiderman is urging eBay to offer free credit monitoring to all customers impacted by the hack.

    “The news that eBay has discovered a security breach involving customer data is deeply concerning. New Yorkers and eBay customers across the country trust that retailers will protect their personal information when they shop online. Our office has asked and fully expects eBay to provide free credit monitoring services to customers impacted by this breach,” he said.

    This would fall in line with what other high-profile companies, including Target, have done following a massive data breach.

    Image via Wikimedia Commons

  • eBay Hacked, Wants You to Change Your Passwords

    If you receive an email from eBay later today asking you to change your password, you should definitely take their advice. The company has just confirmed a cyberattack that may have affected millions of users, exposing personal information like usernames, passwords, and email addresses.

    As the result of an ongoing investigation, eBay learned that a “small number” of employee login credentials had been compromised, giving attackers access to their corporate network. The database that was breached contained names, encrypted passwords, email addresses, physical addresses, phone numbers and dates of birth–but eBay is claiming that no financial information was ever at risk.

    They also say they have found no evidence that the compromise led to unauthorized activity on user accounts.

    “[There is] no evidence of the compromise resulting in unauthorized activity for eBay users, and no evidence of any unauthorized access to financial or credit card information, which is stored separately in encrypted formats,” said eBay.

    Still, eBay is asking every user to change their password, and any other shared passwords for other services. If you’re an eBay user, you’ll most likely receive an email later in the day on Wednesday.

    Though eBay is saying that there’s no evidence that PayPal user info has been compromised, it was PayPal that “broke” the news earlier today. A post appeared on the PayPal community blog that simply read “eBay Inc To Ask All eBay Users To Change Passwords”–that’s it. There was no text accompanying that headline.

    Of course, with just that little snippet to go on, there was a little bit of panic from some users on social media. PayPal quickly pulled the post, and a couple of hours later eBay officially confirmed the cyberattack.

    “Information security and customer data protection are of paramount importance to eBay Inc., and eBay regrets any inconvenience or concern that this password reset may cause our customers. We know our customers trust us with their information, and we take seriously our commitment to maintaining a safe, secure and trusted global marketplace,” said eBay in a statement.

    Image via Wikimedia Commons

  • Twitter Warns a Bunch of Users of Hack, Resets Their Passwords in Error

    An email sent to some Twitter users warning them that their accounts may have been compromised was sent in error, according to Twitter.

    “Twitter believes that your account may have been compromised by a website or service not associated with Twitter. We’ve reset your password to prevent others from accessing your account,” said Twitter in an email to some users.

    Of course, users took to Twitter to ask if this warning was legit.

    Over the last day or so, you may have seen plenty of tweets that look like this if you searched the network:

    Although the message was in fact from Twitter, it was sent in error.

    “We unintentionally sent some password reset notices tonight due to a system error. We apologize to the affected users for the inconvenience,” said Twitter in a statement.

    This isn’t the first time this has happened. A little over a year ago, Twitter sent the same email to many users, but that time the company had a reason. In November of 2012, Twitter believed that a small subset of user accounts had been compromised, but it accidentally reset far more passwords than it thought could possibly have been affected.

  • Yahoo Warns Users Of Big Yahoo Mail Hack Attempt

    Yep, time for another announcement about an issue with Yahoo Mail.

    Yahoo announced that it identified a “coordinated effort” to gain unauthorized access to Yahoo Mail accounts, though it didn’t say how many. As others have pointed out, it must be a substantial number if the company bothered to make an announcement. Yahoo said it took “immediate action” to protect users and prompted affected users to reset their passwords.

    “Based on our current findings, the list of usernames and passwords that were used to execute the attack was likely collected from a third-party database compromise,” writes Yahoo SVP, Platforms and Personalization Products, Jay Rossiter, in a blog post. “We have no evidence that they were obtained directly from Yahoo’s systems. Our ongoing investigation shows that malicious computer software used the list of usernames and passwords to access Yahoo Mail accounts. The information sought in the attack seems to be names and email addresses from the affected accounts’ most recent sent emails.”

    This comes less than a month after Yahoo made HTTPS encryption the default on Yahoo Mail, following up on its previously announced initiative to make all data on its servers secure.

    It also follows a recent major service outage for Yahoo Mail, which angered a lot of users (many of whom were already angry over changes to the interface) and for which CEO Marissa Mayer ended up publicly apologizing.

    Earlier this month, Yahoo also hosted some ads that spread malware to users.

    Regarding the most recent situation, Yahoo says it’s resetting passwords on impacted accounts and using second sign-in verification to let users “re-secure” their accounts. Users may receive email notifications or text messages if they’ve added their mobile number to their account, prompting them to change their password.

    The company says it is also working with federal law enforcement to find and prosecute the perpetrators responsible for the attack, and has implemented “additional measures” to block further attacks.

    “We regret this has happened and want to assure our users that we take the security of their data very seriously,” says Rossiter.

    Yahoo is making no indication that this has anything to do with its email address recycling program, which gave away old accounts to new users, and was highly criticized.

    Image via Yahoo

  • HBO ‘Builds Addicts’ One Shared HBO Go Password at a Time

    HBO wants you to become addicted to their shows, and it turns out they don’t really care if you do it somewhat nefariously.

    You think you’re sticking it to the man when you steal your buddy’s HBO Go password to binge on Game of Thrones? Wrong. According to HBO CEO Richard Plepler, you’re simply playing into their hands.

    “To us, in many ways, it’s a terrific marketing vehicle for the next generation of viewers and it is actually not material at all to our business,” said Plepler in an interview with Buzzfeed.

    “It’s not that we’re ignoring it, and we’re looking at different ways to affect password sharing. I’m simply telling you that it’s not a fundamental problem, and the externality of it – it presents the brand to more and more people and gives them the opportunity to hopefully become addicted to it.

    What we’re in the business of doing is building addicts – building video addicts. And the way we do that is by exposing our product, and our shows, and our brand to more and more people.”

    That’s a pretty progressive stance – one that should make password-sharers pretty happy. But Plepler also makes a terrific point – and you can see that HBO is playing the long game here. Expose people to great programming that they simply cannot live without, and you have a future subscriber.

    Of course, one of the main reasons that people share HBO Go passwords is HBO’s fault. Unlike other streaming video apps like Netflix, Hulu, or Amazon Prime Instant Video, HBO is still tied to the ball & chain that is cable TV. In order to access HBO Go, you have to be an HBO subscriber through one cable company or another. It’s a real drag and something that the internet (and cordcutting movement in particular) has been pretty vocal about in their frustration.

    People shouldn’t hold their breath, as HBO is living comfortably with this model. It’s not like HBO hasn’t thought about offering a standalone HBO Go service – one free of the ties of cable – but right now, that’s what works for the decades-old company.

    Plepler reiterated that position to Buzzfeed:

    “Right now, that’s the right model for us. Are we always thinking about optionality, of course we are always thinking about optionality…if the arithmetic changes and made sense in a different way we are not going to be caught without the ability to pivot.”

    Of course, HBO Go’s inaccessibility leads to password sharing. It also leads to piracy – which, oddly enough, is another thing that HBO has a history of simply brushing off.

    “I probably shouldn’t be saying this, but it is a compliment of sorts,” HBO programming head Michael Lombardo said of Game of Thrones piracy last year. “The demand is there. And it certainly didn’t negatively impact the DVD sales. [Piracy is] something that comes along with having a wildly successful show on a subscription network.”

    In fact, his true worry came when he thought about downloaders receiving an inferior product.

    “One of my worries is about the copies [downloaders are] seeing. The production values of this show are so incredible. So I’m hoping that in the purloined different generation of cuts that the show is holding up.”

    Here’s the bottom line: HBO is so, so good. Their shows are so, so good. They know this. You know this. And until their current model starts to deteriorate, there’s simply no reason to screw with it.

    Image via Wikipedia, HBO

  • Millions Of Google, Facebook, Yahoo, Twitter And LinkedIn Passwords Compromised

    Millions Of Google, Facebook, Yahoo, Twitter And LinkedIn Passwords Compromised

    Two million user passwords from Google, Yahoo, Facebook, Twitter, LinkedIn and other sites were reportedly stolen and posted online.

    Daniel Chechik at Trustwave SpiderLabs posted about the findings, which are a follow-up to a June post about the Pony botnet controller. At that time, about 650,000 website credentials were found to have been stolen from Facebook, Yahoo, Google and others.

    The new findings are as follows:

    ~1,580,000 website login credentials stolen

    ~320,000 email account credentials stolen

    ~41,000 FTP account credentials stolen

    ~3,000 Remote Desktop credentials stolen

    ~3,000 Secure Shell account credentials stolen

    The login credentials come mostly from those sites mentioned at the beginning of the article.

    Long story short, you might want to think about changing your password.

    Image: Facebook Developers

  • Sony Resetting Some PSN Passwords After Detecting “Irregular Activity”

    It’s been two years now since the PSN was down for a month following an attack orchestrated by members of Anonymous. Since then, Sony has done everything in its power to protect its infrastructure and the accounts that reside on it. That sometimes includes resetting passwords without telling anybody about it until after the fact.

    Some PSN users tried to log in to their accounts yesterday only to find that their password was no longer valid. The prevailing theory was that the accounts had been hacked, but Sony says that was not the case. In a post on the official PlayStation forums, the company said this was merely a precautionary measure after it detected “irregular activity.”

    We monitor PSN account for any irregular activity. If such activity is detected we will sometimes reset passwords.

    This was done purely as precautionary measure and there was no specific evidence that any accounts had been compromised.

    Only a small number of users were affected by this and as I said this was precautionary so there is nothing specific to worry about.

    I can’t provide any further details as this would affect our ability to keep you guys safe.

    It’s unfortunate that Sony can’t provide further details because it would be interesting to see what Sony counts as “irregular activity.” If no accounts were compromised, what’s the purpose behind resetting passwords? It’s also more than a little troublesome that Sony reset the passwords first and then told people about it after complaints started to appear.

    While it’s good that no PSN accounts were compromised, Sony apparently still hasn’t learned a thing about communication since the 2011 hack. At that time, it took Sony several days after the initial hack to acknowledge that their systems had been compromised and it took even longer for them to announce that some customer information may have been stolen.

    All of this is to say that Sony needs to announce this kind of thing beforehand. If it is going to reset passwords, it should be upfront and transparent about it. Pretty much every other tech company tells its users about a forced password reset as soon as it happens. Waiting until people start complaining doesn’t inspire confidence and will give people terrible flashbacks to 2011.
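    Both this Sony notice and the Yahoo Mail item above describe the same operational decision: spot accounts being hit with credentials that came from somewhere else (Yahoo’s “list of usernames and passwords … collected from a third-party database compromise”) and reset the ones that look exposed. As an added example, not code from Yahoo, Sony or this article, the Python below implements one concrete reading of that “irregular activity”: a single source that cycles through many different usernames inside a short window, which is the signature of a leaked credential list being replayed. The log format, the thresholds, the IP addresses and the sample entries are all constructed assumptions for illustration.

```python
"""Credential-stuffing detection over an authentication log (added example).

Not code from Yahoo, Sony or any company on this page. The four-field log
format, the window/threshold values and every sample line are assumptions.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log, format "timestamp source_ip username result".
# 203.0.113.7 walks a leaked username list: ten different accounts in ten
# seconds, two of which happen to reuse the leaked password and succeed.
# 198.51.100.5 is an ordinary user mistyping her own password twice.
SAMPLE_LOG = """\
2014-01-30T02:00:01Z 203.0.113.7 alice FAIL
2014-01-30T02:00:02Z 203.0.113.7 bob FAIL
2014-01-30T02:00:03Z 203.0.113.7 carol OK
2014-01-30T02:00:04Z 203.0.113.7 dave FAIL
2014-01-30T02:00:05Z 203.0.113.7 erin FAIL
2014-01-30T02:00:06Z 203.0.113.7 frank FAIL
2014-01-30T02:00:07Z 203.0.113.7 grace OK
2014-01-30T02:00:08Z 203.0.113.7 heidi FAIL
2014-01-30T02:00:09Z 203.0.113.7 ivan FAIL
2014-01-30T02:00:10Z 203.0.113.7 judy FAIL
2014-01-30T02:10:00Z 198.51.100.5 alice FAIL
2014-01-30T02:10:05Z 198.51.100.5 alice FAIL
2014-01-30T02:10:09Z 198.51.100.5 alice OK
2014-01-30T03:30:00Z 192.0.2.44 mallory OK
"""


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    src_ip: str
    user: str
    success: bool


def parse_log(text):
    """Parse the assumed log format; lines without four fields are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, ip, user, result = parts
        events.append(AuthEvent(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                                ip, user, result == "OK"))
    return events


def find_stuffing_sources(events, window=timedelta(minutes=10),
                          min_distinct_users=8):
    """Return {src_ip: peak distinct usernames} for sources that tried at
    least min_distinct_users different accounts inside one sliding window.

    A stuffing client cycles through many usernames. A user who mistypes
    their own password hits one account repeatedly, so it is not flagged.
    """
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e.src_ip].append(e)
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e.ts)
        live = Counter()  # usernames inside the current window -> attempts
        start = 0
        peak = 0
        for e in evs:
            live[e.user] += 1
            # Drop events that fell out of the window ending at e.ts.
            while evs[start].ts < e.ts - window:
                old = evs[start].user
                live[old] -= 1
                if live[old] == 0:
                    del live[old]
                start += 1
            peak = max(peak, len(live))
        if peak >= min_distinct_users:
            flagged[ip] = peak
    return flagged


def accounts_to_reset(events, flagged_ips):
    """Accounts successfully logged into from a flagged source.

    Those credentials evidently worked for the attacker, so they are the
    ones a precautionary reset should target first.
    """
    return sorted({e.user for e in events
                   if e.success and e.src_ip in flagged_ips})


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    sources = find_stuffing_sources(evs)
    print("suspect sources:", sources)
    print("reset first:", accounts_to_reset(evs, sources))
```

    On the sample log the only flagged source is 203.0.113.7, and the two accounts it got into, carol and grace, are the ones to reset and notify; alice’s three attempts from one address against one account are left alone. Per-source counting is the simplest form of this check and is easy to evade by spreading the list across many addresses, which is why Yahoo’s description of “malicious computer software” working the list matters: in practice the same window logic is also run globally (site-wide failure rate, distinct usernames per minute) and combined with the second sign-in verification Yahoo mentions rather than relying on a silent reset alone.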

    On a final note, if you had your password reset and don’t know how to update it, check out the link in the below tweet:

    [Image: Sony Entertainment Network]
    [h/t: Eurogamer]

  • Nymi Bracelet: Tech-Accessory May Replace Passwords

    Is this the future of passwords? A rather simple bracelet that tracks your heartbeat?

    Bionym, a Canadian start-up, says yes.

    The Nymi bracelet uses your unique cardiac rhythm as your password, authenticating that you are who you say you are with a wireless connection to your device. The company promotes use with computers, smartphones, cars, etc. It also is advertised to allow for customizing notifications, pushing your emails and social media updates. Pre-ordering is available for $79 a bracelet before it comes on the market in 2014 (come 2014, units will be $99 each).

    The authentication begins as soon as you click the bracelet closed and locks any other user out. You actually will need three things to close the loop: heartbeat, bracelet and a paired mobile device.

    Skeptics warn that there is insufficient information provided to test the bracelet’s technology to prove it’s the next best techno-gadget. CEO of the creating company, Karl Martin, said that formal security audits have yet to be performed.

    “This could be a very nice technology and an upgrade over password security for most users… I’d like to see something like this work out. I just hope that they get some security experts to vet this before people trust it for anything important,” says researcher Joe Bonneau, whose PhD thesis is on passwords and personal identification numbers.

    The tech accessory is drawing comparisons to the NFC Ring, which is designed to perform similar basic functions, such as unlocking smartphones. The ring, a UK-based Kickstarter project, should be shipping this month, with starting prices around $35 each.

    The jury may still be out, but Bionym is courting other tech developers and innovations from “enhanced gaming experiences to safer banking.”

    For now, the Nymi will support Windows, OS X, Android and iOS.
    [Image via www.getnymi.com]