Microsoft Office Vulnerability Exposes User Data, Including Passwords
Summary: In July 2022, an attacker compiled information from 5.4 million Twitter users due to a now-corrected system vulnerability. The attacker stole email addresses and phone numbers and connected them to user accounts. Twitter maintained that no passwords were stolen but urged all Twitter users to use two-factor authentication for their accounts.
Summary: A hacker accessed 77 million Sony PSN and Qriocity user accounts. These users were also unable to go online for 23 days due to the hack. Although Sony encrypted all of the credit card information on its systems and there was no evidence that credit card data had been stolen, the hacker may have been able to access credit card numbers and CVV numbers. In addition, other personal data, such as names, email addresses, dates of birth, account passwords, and addresses, were also compromised.
Phishers and social engineers can exploit your employees for all sorts of internal data, including passwords, as well as gain access to your facilities. How? Phishers imitate legitimate companies your employees might interact with, like your enterprise software vendors or email provider, and simply ask for the data via phone or email. A social engineer might dress up like a maintenance person, slip past your front desk and plug a thumb drive into an empty workstation.
According to LeakedSource, FriendFinder Networks secured its passwords with the unsalted SHA-1 hash algorithm and stored user data in plaintext files. Furthermore, a white-hat hacker named Revolver disclosed a Local File Inclusion (LFI) vulnerability through photos shared on social media. This was a huge security issue for the adult entertainment company because it had been hacked just one year prior, in May 2015, compromising 3.5 million users. Despite the data breaches, AdultFriendFinder still attracts over 50 million visitors per month worldwide.
Over an eight-month period, a developer working for an affiliate marketer scraped customer data, including usernames and mobile numbers, from Alibaba's Chinese shopping website, Taobao, using crawler software that he created. It appears the developer and his employer were collecting the information for their own use and did not sell it on the black market, although both were sentenced to three years in prison.
The most obvious IMAP protocol vulnerability -- transmitting credentials as well as email interactions in plain text -- has largely been addressed through the use of implicit TLS for all email protocols. The IMAP over TLS protocol, spelled out in RFC 8314, clarifies that all legacy email protocols, including SMTP and POP, should use TLS by default to encrypt user mail sessions, or at least implement opportunistic encryption through STARTTLS. However, requiring TLS by itself is not enough to prevent IMAP password spraying attacks.
To solve this problem, the client application will often submit this data to the server in a POST request and then assign the user a session cookie, effectively logging them in. This request is roughly equivalent to the form submission request that might be sent as part of a classic, password-based login. However, in this scenario, the server does not have any secrets or passwords to compare with the submitted data, which means that it is implicitly trusted.