passwords

Google Had a Big Ol’ Hole In Its Two-Step Verification System

Source: http://gizmodo.com/5986830/google-had-a-big-ol-hole-in-its-two+step-verification-system

The coast is clear now, but for a while there, Google’s two-step verification system wasn’t keeping you as safe as you thought. In fact, it was providing an avenue for folks to get in. App-specific passwords were propping your door open.

The exploit was found—and reported—by Duo Security, which is publishing its data now that Google has fixed things up. If you’ve enabled two-step (which you should), you know that using applications like Twitter or Facebook or Instagram often involves an app-specific password. Apps that don’t just pass you to a Google login page and have you enter a phone-code will tell you to go get an app-specific password manually from your account page, and put that in.

The logic behind having app-specific passwords is that you can disable access from certain apps—like all the apps on a stolen phone—without disturbing the rest. And that’s great. The problem was, those manual app-specific passwords you put in weren’t actually app-specific. Anyone could re-use any of those passwords to link a Google device (Android phone, Chromebook) to a Google account. From there, hackers could log in to services with the device, strolling right on in to account settings without ever knowing the real password.

As explained by Duo Security’s cleverly edited Google ad:

[Image: Duo Security’s edited Google ad]

That’s not a good situation, but fortunately it’s been fixed. Ever since Feb 21st, anyone trying to get to account settings needs the real password. Convenience be damned. And even though this was a bit of a breach, it’s worth noting that two-step wasn’t making anything worse; in the absence of two-step, a thief with your app-specific password would just have had your real password instead. And they wouldn’t have to know about the connect-a-device exploit to use it. Way worse.

You’re safe for now, but it serves as a good reminder to keep up with those security best practices. Clean out your app-specific passwords now and then, change your password occasionally, and beware auto-login features that make your life easier, because chances are they’re making it more insecure. Nothing’s foolproof, but just try to stay safe out there. [Duo Security]


Monday, February 25th, 2013 news

Hacked Twitter Passwords Reveal Lots of Spam Accounts

Source: http://gizmodo.com/5908700/its-okay-to-look-through-these-hacked-passwords

If you’ve ever wanted a Twitter account that has around 10 followers, a randomly generated username, and is following thousands of random people, today is your lucky day. Earlier today, an anonymous hacker dumped 55000 usernames and passwords onto Pastebin. Normally, this would be a real inconvenience—and a worrisome breach—but all the affected appear to be spambots with randomly generated passwords and email addresses.

It’s easy to tell that these are spambots, because almost all of the accounts have the type of passwords that are easy for a robot to remember but easier for an actual person to forget. Many of the accounts affected no longer exist, and even if the passwords weren’t leaked, Twitter still regularly shuts down spambots. Most likely, few of these accounts will exist in a week. But if you were itching for a catchy computer-generated Twitter handle like @Jesicawuaqg or @Pamulakmqxl, well, you’ve got thousands to choose from. Unless your name really is Jesica Wuaqg. Then you might have a problem. [AirDemon via TheNextWeb]


Wednesday, May 9th, 2012 digital

Microsoft Store hacked in India, passwords stored in plain text

Source: http://www.engadget.com/2012/02/12/microsoft-store-hacked-in-india-leaked-passwords-stored-in-plai/


Frequenters of India’s online Microsoft Store were briefly greeted with the suspicious visage of a Guy Fawkes mask this morning, following a hack that compromised the site’s user database. According to WPSauce, Microsoft Store India’s landing page was briefly taken over by a hacker group called Evil Shadow Team, who, in addition to putting a new face on Windows products, revealed that user passwords were saved in plain text. The group’s motivations are unknown, though the hacked page warned that an “unsafe system will be baptized.” The store is now offline, suggesting that Microsoft may have regained control. Read on for a look at the compromised password database.

[Thanks to everyone who sent this in]


Microsoft Store hacked in India, passwords stored in plain text originally appeared on Engadget on Sun, 12 Feb 2012 14:19:00 EDT.

Source: WPSauce, HackTeach


Sunday, February 12th, 2012 news

Dr. Augustine Fou is Digital Consigliere to marketing executives, advising them on digital strategy and Unified Marketing(tm). Dr Fou has over 17 years of in-the-trenches, hands-on experience, which enables him to provide objective, in-depth assessments of their current marketing programs and recommendations for improving business impact and ROI using digital insights.
