Google Study Reveals Many People Are Still Using Breached Passwords

A recent Google study found that about 316,000 of the sign-ins it observed used passwords that had already been exposed in a data breach and were still in use. Some of those credentials belonged to financial and government accounts. The data for the study came from Google Chrome's Password Checkup extension. Google stated on its blog: "The study illustrates how secure, democratized access to password breach alerting can help mitigate one dimension of account hijacking."

The Password Checkup extension warns when someone signs in to a site with a username/password pair that appears among the roughly 4 billion credentials Google knows to have been exposed in third-party breaches. Of about 21 million usernames and passwords checked, 1.5% of sign-ins were flagged as unsafe. Google also noted that people tend to reuse passwords that are already vulnerable, which puts every account sharing that password at risk. Breached passwords showed up most often on entertainment and news sites, and sometimes on shopping sites where credit card details may be stored. About 26 percent of the unsafe passwords were reset after the warning, and about 60 percent of the replacement passwords were strong enough that a guessing attack would need more than a hundred million guesses to recover them.
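To make concrete how a breach check can run without the checking service ever seeing the password, here is an added example (not Google's code, and not its deployed protocol): the client hashes the password locally, sends only the first five hex characters of the hash, and compares the returned suffixes on its own machine, so the server only ever learns which 1-in-16^5 bucket of the hash space the query falls in. The five-entry "breach corpus" is constructed for the demo. Google's real Password Checkup checks the username/password pair and adds cryptographic blinding on top of a prefix query, so treat this as the basic idea rather than the production design.

```python
import hashlib

# Constructed sample breach corpus for the demo: a few leaked passwords kept
# only as upper-case SHA-1 hex digests. A real service holds billions.
LEAKED_PASSWORDS = ["password", "123456", "letmein", "qwerty", "hunter2"]
BREACHED_HASHES = {hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
                   for p in LEAKED_PASSWORDS}

PREFIX_LEN = 5  # hex chars sent to the server: 20 bits of a 160-bit hash


def hash_password(password):
    """SHA-1 hex digest of the password, upper-cased to match the corpus."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def query_prefix(password):
    """Client side: this prefix is the only thing that leaves the machine."""
    return hash_password(password)[:PREFIX_LEN]


def server_range(prefix):
    """Server side: return every stored suffix whose digest starts with prefix.

    The server cannot tell which (if any) of the returned suffixes the client
    actually cares about; that is the k-anonymity property of the scheme.
    """
    prefix = prefix.upper()
    if len(prefix) != PREFIX_LEN or any(c not in "0123456789ABCDEF" for c in prefix):
        raise ValueError("prefix must be exactly %d hex characters" % PREFIX_LEN)
    return sorted(h[PREFIX_LEN:] for h in BREACHED_HASHES if h.startswith(prefix))


def is_breached(password):
    """Client side: compare the locally kept suffix against the server's bucket."""
    digest = hash_password(password)
    suffix = digest[PREFIX_LEN:]
    return suffix in server_range(digest[:PREFIX_LEN])


if __name__ == "__main__":
    for candidate in ["hunter2", "correct horse battery staple"]:
        print("%-30s prefix=%s breached=%s"
              % (candidate, query_prefix(candidate), is_breached(candidate)))
```

The point of the split is that a compromised or curious server gets a 20-bit prefix and nothing else; with a real corpus each bucket holds hundreds of suffixes, so the prefix alone does not identify the password.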

Continuing to use a breached password can let cybercriminals into your accounts. Credential-stuffing attacks, which have hit companies such as Dunkin' Donuts and State Farm, work by feeding lists of breached username/password pairs into automated login requests against a web application. Any pair that still works gives the attacker access to that account.
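Because a stuffing run looks different from ordinary failed logins (many distinct usernames from one source, each tried once or twice, almost all failing), it can be picked out of authentication logs. The following is an added example and not code from any of the companies named above; the log format and the sample lines are constructed for the demo, and the thresholds are assumptions to tune against your own traffic.

```python
import re
from collections import defaultdict

# Assumed log format for the demo (one line per login attempt).
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed sample: alice mistypes twice then logs in; bob logs in once;
# 198.51.100.7 walks a breached list through eight accounts and gets into carol's.
SAMPLE_LOG = """
2019-08-17T10:00:01Z ip=203.0.113.5 user=alice result=FAIL
2019-08-17T10:00:09Z ip=203.0.113.5 user=alice result=FAIL
2019-08-17T10:00:15Z ip=203.0.113.5 user=alice result=OK
2019-08-17T10:01:00Z ip=198.51.100.7 user=alice result=FAIL
2019-08-17T10:01:01Z ip=198.51.100.7 user=bob result=FAIL
2019-08-17T10:01:02Z ip=198.51.100.7 user=carol result=OK
2019-08-17T10:01:03Z ip=198.51.100.7 user=dave result=FAIL
2019-08-17T10:01:04Z ip=198.51.100.7 user=erin result=FAIL
2019-08-17T10:01:05Z ip=198.51.100.7 user=frank result=FAIL
2019-08-17T10:01:06Z ip=198.51.100.7 user=grace result=FAIL
2019-08-17T10:01:07Z ip=198.51.100.7 user=heidi result=FAIL
2019-08-17T10:02:30Z ip=192.0.2.44 user=bob result=OK
""".strip().splitlines()


def parse_log(lines):
    """Yield one dict per well-formed line; silently skip anything else."""
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if m:
            yield m.groupdict()


def find_credential_stuffing(lines, min_distinct_users=5, min_fail_rate=0.8):
    """Flag source IPs that try many different accounts and mostly fail.

    Brute force is one account, many passwords; stuffing is many accounts,
    one known password each, so distinct usernames per source is the key signal.
    Returns {ip: {"distinct_users", "attempts", "fail_rate", "compromised"}}.
    """
    per_ip = defaultdict(lambda: {"users": set(), "attempts": 0, "fails": 0, "ok": set()})
    for e in parse_log(lines):
        s = per_ip[e["ip"]]
        s["users"].add(e["user"])
        s["attempts"] += 1
        if e["result"] == "FAIL":
            s["fails"] += 1
        else:
            s["ok"].add(e["user"])

    flagged = {}
    for ip, s in per_ip.items():
        fail_rate = s["fails"] / s["attempts"]
        if len(s["users"]) >= min_distinct_users and fail_rate >= min_fail_rate:
            flagged[ip] = {
                "distinct_users": len(s["users"]),
                "attempts": s["attempts"],
                "fail_rate": round(fail_rate, 2),
                # a success from a stuffing source is a probable account takeover
                "compromised": sorted(s["ok"]),
            }
    return flagged


if __name__ == "__main__":
    for ip, info in find_credential_stuffing(SAMPLE_LOG).items():
        print(ip, info)
```

Per-source thresholds like these miss attacks spread across proxy pools or residential botnets, where each IP makes only a handful of attempts; in practice you also watch the site-wide failure rate and the share of attempts against accounts that do not exist. The accounts listed under "compromised" are the ones to force a password reset and session invalidation on.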

Google recommends installing the Password Checkup extension so you are alerted when a password you use has appeared in a breach. Beyond that, use a different password for every account and keep them in a reputable password manager. As always, avoid passwords that are easy to guess; a long passphrase with numbers and symbols is far harder to crack.

Ransom Demand Scam Tricks Users by Using Real Passwords in Emails

Have you heard about the new ransom-demand sextortion scam? Cybercriminals have adopted a new method of false blackmail to scare users into paying in bitcoin.

The email reads:

I’m aware that X is your password.

You don’t know me and you’re thinking why you received this email, right?

Well, I actually placed a malware on the porn website and guess what, you visited this website to have fun (you know what I mean). While you were watching the video, your web browser acted as an RDP (Remote Desktop) and a keylogger which provided me access to your display screen and webcam. Right after that, my software gathered all your contacts from your Messenger, Facebook account, and email account.

What exactly did I do?

I made a split-screen video. First part recorded the video you were viewing (you’ve got a fine taste haha), and next part recorded your webcam (Yep! It’s you doing nasty things!).

What should you do?

Well, I believe, $1400 will be a fair price to pay so your secrets stay safe with me. You’ll make the payment via Bitcoin to the below address (if you don’t know this, search “how to buy bitcoin” in Google).

BTC Address: 1Dvd7Wb72JBTbAcfTrxSJCZZuf4tsT8V72

(It is cAsE sensitive, so copy and paste it)

Important:

You have 24 hours in order to make the payment. (I have a unique pixel within this email message, and right now I know that you have read this email). If I don’t get the payment, I will send your video to all of your contacts including relatives, co-workers, and so forth. Nonetheless, if I do get paid, I will erase the video immediately. If you want evidence, reply with “Yes!” and I will send your video recording to your 5 friends. This is a non-negotiable offer, so don’t waste my time and yours by replying to this email.

To be clear, there is almost no chance that anyone has recorded a video of you; this email is a scam. What makes it so convincing is the new twist of quoting one of your real passwords, most likely taken from a corporate data breach within the last few years.

This has changed the email-blackmail game, but in the reported cases the quoted passwords were old ones rather than passwords still in use.

"[A]ll three recipients said the password was close to ten years old, and that none of the passwords cited in the sextortion email they received had been used anytime on their current computers," explained researcher Brian Krebs. The passwords being quoted, in other words, came from old leaks and were long out of use.

While sextortion scams like this have been around for a long time, there are no reports of any cybercriminal actually using this approach and installing malware to film someone pleasuring themselves while watching porn. It is far easier to simply lie about it and persuade people that it is true.

To stay safe, cover your webcam when it is not in use, change any password that has shown up in a breach (the one quoted in an email like this certainly has), and stop reusing passwords across sites so that one old leak cannot open your current accounts. For good measure, turn on two-factor authentication wherever it is offered.

To read more about this click here.

ATTN Trello Users: Don’t Post Your Passwords on Your Boards

These days, with so many website accounts to keep track of, we turn to applications that offer the most convenient way to keep all our passwords in one place. But, dear Trello users, Trello is not the place to keep this sensitive information.

Launched in 2011, Trello has become a space in which project collaboration with team members is made easy through shared boards and lists. However, the site has also become a popular place for users to list their passwords, and that has consequences: anyone who can see a public board can read those credentials, which leaves the people who posted them exposed to password thieves and hackers.

Research by David Shear of the security firm Flashpoint found that many users had posted login credentials, passwords, and other sensitive data on public, or "open," boards. He and Brian Krebs of KrebsOnSecurity alerted Trello to the boards, and some users have already been notified by other community members through comments such as "Change your password" posted on their boards.

As Krebs explains on his post:

"One particularly jarring misstep came from someone working for Seceon, a Westford, Mass. cybersecurity firm that touts the ability to detect and stop data breaches in real time. But until a few weeks ago the Trello page for Seceon featured multiple usernames and passwords, including credentials to log in to the company's WordPress blog and iPage domain hosting."

Trello is now working with both Krebs and Shear to remove sensitive data from its public boards, and is also working with Google to clear cached copies of those pages from search results.

As one Trello spokesperson comments:

“We have put many safeguards in place to make sure that public boards are being created intentionally and have clear language around each privacy setting, as well as persistent visibility settings at the top of each board.”

While Trello is fine for business use, it is safe to say it is not the place to store your passwords, especially when a board can be set to public. Do yourself a huge favor and never paste passwords into sites or apps that can end up publishing your information.
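To find the kind of exposure described above before someone else does, you can scan an exported board for credential-looking text. The following is an added example and not Trello's, Flashpoint's or Krebs's code; the export is constructed for the demo, and its field names (`prefs.permissionLevel`, `cards[].name`, `cards[].desc`) are assumed from Trello's JSON board export, so check them against a real export before relying on them. The keyword patterns and the entropy threshold are assumptions as well.

```python
import json
import math
import re
from collections import Counter

# Constructed sample resembling a Trello board export (field names assumed).
SAMPLE_EXPORT = json.dumps({
    "name": "Infra Team",
    "prefs": {"permissionLevel": "public"},
    "cards": [
        {"name": "WordPress blog", "desc": "login: admin / password: Summer2018!"},
        {"name": "Sprint goals",
         "desc": "Finish the onboarding flow by Friday. Ask ops about the token rotation policy."},
        {"name": "Hosting",
         "desc": "cPanel user hosting_admin pwd=Hunter2! token=tok_9f8a7b6c5d4e3f2a1b0c"},
        {"name": "Deploy key", "desc": "use 8Zq3vL0pR7xW2nK9bT4mY6 on the build box"},
    ],
})

# Assumed keyword patterns: "<label> : or = <value>".
PATTERNS = [
    ("password", re.compile(r"(?i)\b(?:pass(?:word|wd)?|pwd)\s*[:=]\s*(\S+)")),
    ("api_secret", re.compile(r"(?i)\b(?:api[_-]?key|secret|token)\s*[:=]\s*(\S+)")),
]
# Long runs of key-like characters with no label in front of them.
BARE_TOKEN = re.compile(r"[A-Za-z0-9_\-+/=]{20,}")


def shannon_entropy(s):
    """Bits of entropy per character; random-looking keys score high, prose low."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_board(export_json, min_entropy=3.5):
    """Return the board's visibility plus every credential-looking string on its cards."""
    board = json.loads(export_json)
    is_public = board.get("prefs", {}).get("permissionLevel") == "public"
    findings = []
    for card in board.get("cards", []):
        text = "%s\n%s" % (card.get("name", ""), card.get("desc", ""))
        for kind, pattern in PATTERNS:
            for m in pattern.finditer(text):
                findings.append({"card": card["name"], "kind": kind, "match": m.group(0)})
        # Second pass: unlabeled tokens that look random enough to be keys.
        for token in BARE_TOKEN.findall(text):
            already = any(token in f["match"] for f in findings if f["card"] == card["name"])
            if not already and shannon_entropy(token) >= min_entropy:
                findings.append({"card": card["name"], "kind": "high_entropy", "match": token})
    return {"board": board.get("name"), "public": is_public, "findings": findings}


if __name__ == "__main__":
    report = scan_board(SAMPLE_EXPORT)
    print("board %r public=%s" % (report["board"], report["public"]))
    for f in report["findings"]:
        print("  [%s] %s: %s" % (f["kind"], f["card"], f["match"]))
```

A finding on a public board is an incident, not a cleanup item: the credential has to be rotated, because deleting the card does nothing about copies already cached by search engines or scraped by third parties.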

For more information from the original article, please click here.

May the (Cybersecurity) Fourth Be With You & World Password Day

May 4th is a very important day for cybersecurity and Star Wars aficionados, alike. At Inverselogic we’re both, which is why we are celebrating World Password Day all while battling each other with lightsabers.

According to McAfee's World Password Report, 34% of people surveyed say they use the same password for multiple accounts, and 37% still store their passwords on a piece of paper kept somewhere they consider safe. Most have yet to enable two-factor authentication.

With this being said, today should be the day that you change your passwords, Layer Up with two-factor authentication, and indulge in a nice, Star Wars binge-watching session with your Chewbacca mask on.

May the (cybersecurity) Fourth Be With You, young padawan. 

#Inverselogic #MaytheFourthBeWithYou #LayerUp #WorldPasswordDay

For more information, please read McAfee’s report by clicking here.