Tag Archive for: Password

I’m a tech expert still in shock at these ways hackers steal your password



You’ve probably heard it a million times, right? Keep your passwords strong, unique and under wraps. Don’t go clicking on shady links, and change your passwords like you change your socks. Oh, and let’s not forget about tucking them away in a cozy, encrypted password manager. The advice list is never-ending.

But here’s a kicker. What if you tick all those boxes and your password still ends up in the wrong hands? I know it sounds like we’re going overboard, but it’s a legitimate worry. How can you keep yourself safe from all the password-stealing scams out there and the damage that can potentially come with that?

The truth is, you can never keep yourself 100% safe from anything. But you can try your best. It starts by taking a step back and understanding the ways that your password, emails and usernames could be potentially compromised.


Illustration of locking up your devices (Kurt “CyberGuy” Knutsson)

The many ways hackers try to steal your password

Theoretically, there are many ways that hackers can go about stealing your password and other login information, especially when it comes to tricking you into giving it to them. But all the methods go back to the basics. Here are some of the methods hackers employ to steal passwords from innocent people like you and me.

Password spraying: This isn’t always successful, but attackers may attempt to log in to your accounts by trying random common passwords and seeing if anything hits.

Credential stuffing: Hackers test databases or lists of stolen credentials against multiple accounts to see if there’s a match. If you use the same password across different sites,…

Source…

Hackers discover way to access Google accounts without a password


Security researchers have uncovered a hack that allows cyber criminals to gain access to people’s Google accounts without needing their passwords.

Analysis from security firm CloudSEK found that a dangerous form of malware uses third-party cookies to gain unauthorised access to people’s private data, and is already being actively tested by hacking groups.

The exploit was first revealed in October 2023 when a hacker posted about it in a channel on the messaging platform Telegram.

The post noted how accounts could be compromised through a vulnerability with cookies, which are used by websites and browsers to track users and increase their efficiency and usability.

Google authentication cookies allow users to access their accounts without constantly having to enter their login details; however, the hackers found a way to retrieve these cookies in order to bypass two-factor authentication.

The Google Chrome web browser, which is the world’s most popular with a market share greater than 60 per cent last year, is currently in the process of cracking down on third-party cookies.

“We routinely upgrade our defences against such techniques and to secure users who fall victim to malware. In this instance, Google has taken action to secure any compromised accounts detected,” Google said in a statement.

“Users should continually take steps to remove any malware from their computer, and we recommend turning on Enhanced Safe Browsing in Chrome to protect against phishing and malware downloads.”

The researchers who first uncovered the threat said it “underscores the complexity and stealth” of modern cyber attacks.

“This exploit enables continuous access to Google services, even after a user’s password is reset,” Pavan Karthick M, a threat intelligence researcher at CloudSEK, wrote in a blog post detailing the issue.

“It highlights the necessity for continuous monitoring of both technical vulnerabilities and human intelligence sources to stay ahead of emerging cyber threats.”

The security issue was detailed in a report, titled ‘Compromising Google accounts:…

Source…

LastPass prompting users to set a stronger master password


LastPass faced a major attack in 2022 after hackers gained access to sensitive user data through an exploit found on the computer of one of the engineers working for the company. More than two years after this incident, LastPass has now announced new measures to better protect the data of its users, who will now be required to set a stronger master password.

LastPass now requires stronger master password

In a blog post on Wednesday, LastPass says that users will now be asked to set a new master password to protect their account on the platform. This new password needs to be at least 12 characters long, whereas previously the master password only needed to be 8 characters long.

According to the company, while the National Institute of Standards and Technology (NIST) says that passwords must be at least 8 characters long, more advanced password cracking and brute force techniques have motivated the company to set a new, stronger standard. The password must also contain at least one special character, a number and an upper case letter.

The company reinforces that since last year, all new users or existing users who needed to reset their master password were already asked to set a 12-character password. With today’s change, everyone will be required to update their LastPass master password. LastPass also says it will check a database to make sure the new password hasn’t been leaked before.

By now enforcing a minimum 12-character master password requirement, along with the PBKDF2 iteration increases we delivered earlier this year, we are proactively helping our customers create stronger and more resilient encryption keys for accessing and encrypting their LastPass vault data.

A major security incident

LastPass doesn’t explicitly mention the security incident that affected the company in 2022, saying only that the changes “are being implemented in response to the constantly changing cyber threat environment.”

At the time, hackers gained access to data such as passwords, names, emails, addresses, phone numbers and more from LastPass customers. Last year, LastPass revealed that the credentials for the Amazon AWS servers used by the…

Source…

Chrome Browser Alert! This Cookie Malware Can Access Your Google Accounts Even If You Reset Password, Log Out; Details


Online threats and malware can be tough to track in the rapidly evolving digital world. As these dangers replicate in the internet landscape, a new data-stealing malware, which abuses Google’s OAuth endpoint called ‘MultiLogin’ to revive expired cookies and sign in to user accounts, is among the new concerns, according to a report from BleepingComputer. This works even after you reset an account’s password or log out from the internet browser.

For the unaware, session cookies store the authentication details of an account and let users log in to websites automatically next time without entering their sign-in credentials. They have an expiration period to limit their misuse by bad actors, such as stealing access to user accounts. Last month, the news outlet reported on information-stealers that could restore access to expired authentication cookies.


Such malware allows a cybercriminal to access Google accounts even if the victim has logged out, changed their password or reached session expiry. According to a new report from CloudSEK, it was first revealed in October by threat actor PRISMA, who posted about the exploit on the messaging platform Telegram. As per the researchers, the exploit uses the Google OAuth endpoint that synchronises accounts across Google services.

The session cookie can be regenerated only once if a user changes their password. (Image: Canva/peshkov from Getty Images)

The malware abuses the endpoint to extract tokens and accounts of Chrome profiles logged into a Google account. Later, this data (including saved passwords) is decrypted to extract information. With the stolen token, the cybercriminals regenerate the cookie and can ensure continuous access to these accounts.


CloudSEK researcher Pavan Karthick told BleepingComputer that the cookie can be regenerated only once if a user changes their password. In other cases, it can be refreshed multiple times. According to the report, a minimum of…

Source…