The FBI, NSA, and other global authorities are warning vital infrastructure organizations about the rise of password spraying and MFA fatigue (push bombing) attacks. Hackers use common passwords to access accounts, then repeatedly send MFA requests until a user mistakenly approves one, granting access. Once in, attackers register their own devices for persistent control. Targeted […]
Two-factor authentication (2FA) is widely recommended for security, but the devil is in the details. Google recently faced issues with its Google Authenticator app, causing concern in the security community. Authenticator apps like Google Authenticator, Microsoft Authenticator, and Authy generate time-dependent six-digit numbers based on a secret key. This system, known as time-based one-time passwords (TOTP), […]
A passkey is a digital key that is linked to a user account and a website or app. It lets users prove who they are without needing to type in a username or password, or provide another authentication factor. Once the option has been set up, you can sign in, e.g., to your Google account with your […]
How did the crooks get in, given that the needed access credentials of four developers at LastPass were locked up in a secure password vault to which only they had access? Access to the vault password was accomplished by targeting the DevOps engineer’s home computer and exploiting a vulnerable third-party media software package, which enabled […]
The hacker copied information from a backup that contained basic LastPass customer account information and related metadata, including company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service. The threat actor was also able to copy a backup of customer vault data from the […]
The American crypto exchange Gemini has leaked private data of 5.3 million users, which is subsequently being used for targeted phishing attacks. The data consists of e-mail addresses and partial telephone numbers. According to Gemini, the data was stolen from an unnamed “third-party” supplier. No further details about the data breach have been provided. Gemini does advise users […]
Online gambling platform DraftKings has been hit by a credential stuffing attack in which attackers managed to break into users’ accounts and steal some $300,000. Credential stuffing uses previously leaked email addresses and passwords to gain automated account access. Attackers check whether they can also log in to website B with credentials stolen from website […]
Analysts see an uptick in token theft from authenticated users, allowing threat actors to bypass MFA protections. Stealing session cookies has become one of the most common ways that attackers circumvent multifactor authentication. For unmanaged devices, they recommend conditional access policies and strong controls.
Recent SMS phishing attacks on company employees show how easy it is to set up a site that looks like the company’s IAM landing page (e.g. Okta) and asks for a user’s credentials and a one-time passcode for access. This would result in capturing the user’s credentials, which would be sent to the attacker in […]
Twilio, which earlier this month became the victim of a sophisticated phishing attack, disclosed last week that the threat actors also managed to gain access to the accounts of 93 individual users of its Authy two-factor authentication (2FA) service.