Security Expert Troy Hunt Lured in by Mailchimp Phish
#TroyHunt fell for a #phishing attack on his mailinglist members: https://www.troyhunt.com/a-sneaky-phish-just-grabbed-my-mailchimp-mailing-list/
Some of the ingredients: #Outlook and its habit of hiding important information from the user and missing #2FA which is phishing-resistant.
Use #FIDO2 with hardware tokens if possible (#Passkeys without FIDO2 HW tokens are NOT phishing-resistant due to the possibility of being able to trick users with credential transfers: https://arxiv.org/abs/2501.07380) and avoid Outlook (or #Microsoft) whenever possible.
Further learning: it could happen to the best of us! Don't be ashamed, try to minimize risks and be open about your mistakes.
Note: any 2FA is better than no 2FA at all.
“Infosec veteran Troy Hunt of #HaveIBeenPwned fame is notifying thousands of people after phishers scooped up his #Mailchimp mailing list.
He said the list comprises around 16,000 records and every active #subscriber will be receiving a notification and apology #email soon. …
Around half of these records (7,535), however, pertain to individuals who had #unsubscribed from the list”
#InfoSec / <https://theregister.com/2025/03/25/troy_hunt_mailchimp_phish/>
Hey Cyber Security Pros!
Ready to dive into the latest security updates and breaches that should be on your radar? We've got you covered.
https://opalsec.io/daily-news-update-wednesday-march-26-2025-australia-melbourne/
At a high level, here are the main stories:
- EncryptHub's Zero-Day Exploits: Trend Micro links EncryptHub (a.k.a. Water Gamayun) to attacks leveraging a Microsoft Management Console (MMC) zero-day vulnerability (CVE-2025-26633). Discover how they're bypassing Windows protections and deploying various payloads.
- Windows NTLM Hash Leak Zero-Day: A new zero-day flaw allows remote attackers to steal NTLM credentials. Learn how this vulnerability affects all Windows versions and how 0Patch is providing unofficial fixes. Don't forget about those older, unpatched vulnerabilities too!
- HaveIBeenPwned Gets Phished: Even security experts aren't immune! Troy Hunt shares his experience of a sophisticated Mailchimp phishing attack. Lessons learned on OTP security and the importance of monitoring password manager behavior.
- Oracle Breach Controversy: Customers are confirming the legitimacy of leaked data despite Oracle Cloud's denial. Could this lead to supply chain and ransomware attacks? Ensure you're rotating those SSO and LDAP credentials and enforcing strong MFA!
- Astral Foods Cyberattack: South Africa's largest chicken producer faced a $1 million loss due to a recent cyberattack.
- Android Malware Evolution: New Android malware is using .NET MAUI to evade detection. Learn how it's disguising itself and targeting users in China and India.
- CS2 Phishing Attacks: Browser-in-the-Browser attacks are targeting Counter-Strike 2 players' Steam accounts.
- VMware Tools Vulnerability: Broadcom warns of an authentication bypass vulnerability in VMware Tools for Windows. Update those systems ASAP!
- CrushFTP Unauthenticated Access Flaw: CrushFTP warns users to patch an unauthenticated HTTP(S) port access vulnerability.
- Kubernetes IngressNightmare: Wiz researchers uncovered critical vulnerabilities in Ingress-Nginx Controller that could lead to complete cluster takeovers.
- Trump Officials' Signal SNAFU: High-profile officials accidentally shared classified Yemen airstrike plans in a Signal group with a journalist.
- FCC Investigates Huawei: The FCC is scrutinizing Chinese manufacturers for circumventing US regulations.
- Privacy-Boosting Tech: A new report suggests governments should prioritize privacy-enhancing technologies to prevent breaches.
Check out the full blog post https://opalsec.io/daily-news-update-wednesday-march-26-2025-australia-melbourne/
A Sneaky Phish Just Grabbed my Mailchimp Mailing List
#HaveIBeenPwned
https://www.troyhunt.com/a-sneaky-phish-just-grabbed-my-mailchimp-mailing-list/
The protective value of "k-anonymity"¹ for Have I Been Pwned / Pwned Passwords API lookups is significantly reduced because frequency data is included. And the more common the password, the more this effect is magnified.
An example:
https://gist.github.com/roycewilliams/2034c9253d46fbcaefb13f8e5d42daa2
... with cracks:
https://gist.github.com/roycewilliams/2bb471cc90cce7f6834204344590fcac
Using "k-anonymity"¹ to return all hashes that begin with b2e98 is less "anonymous" ... when 98.6% of the passwords (by frequency across all leaks) are the top one.
It's not really hiding a needle in a haystack if you just lay it on top.
Edit: in fact, even without the frequency data, since some passwords are much more common than others ... left-skewed distribution is an intrinsic property of password data. Missing frequency data can be largely reconstructed from public cracking efforts. (And even if that weren't true, the hashes can just be cracked using traditional methods. If the cracking community can get a 97%+ cracking rate², what is being achieved other than plausible deniability?)
K-anonymity [as implemented by HIBP, anyway -- true K-anonymity is different¹] may just be a bad fit for password hashes.
¹ Not actually k-anonymity at all:
https://en.wikipedia.org/wiki/K-anonymity
² Actually closer to 99.29% across the entire corpus, publicly:
https://gist.github.com/roycewilliams/40f0e8c93ec9c69f5b5a1874c76f2587
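The argument in the post above can be made concrete: if the counts returned with a Pwned Passwords range are read as a prior over which hash the client actually queried, the "effective" anonymity set is far smaller than the number of hashes in the bucket. The following is an added illustration, not code from the post or from HIBP; the range body it parses is constructed here and its suffixes and counts are not real API data.

```python
"""Added illustration: how prevalence counts in a Pwned Passwords range response
shrink the effective anonymity set below the nominal k (number of hashes returned).

The range API returns every SHA-1 suffix sharing the queried 5-hex-char prefix,
one "SUFFIX:COUNT" line each. Everything below is constructed for this example.
"""
import math
from typing import List, NamedTuple, Tuple


class AnonymityStats(NamedTuple):
    nominal_k: int       # hashes in the bucket (what "k-anonymity" nominally offers)
    effective_k: float   # 2**H(counts): bucket size weighted by how evenly mass is spread
    top_share: float     # probability mass of the single most common hash
    top_suffix: str


def constructed_range(counts: List[int]) -> str:
    """Fake range body: 35-hex-char suffixes 00..01, 00..02, ... with the given counts."""
    return "\n".join(f"{i + 1:035X}:{c}" for i, c in enumerate(counts)) + "\n"


def parse_range(body: str) -> List[Tuple[str, int]]:
    """Parse 'SUFFIX:COUNT' lines; tolerates blank lines and CRLF line endings."""
    entries = []
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, count = line.split(":", 1)
        if len(suffix) != 35:  # 40 hex chars of SHA-1 minus the 5-char prefix
            raise ValueError(f"bad suffix length: {suffix!r}")
        entries.append((suffix.upper(), int(count)))
    return entries


def anonymity_stats(entries: List[Tuple[str, int]]) -> AnonymityStats:
    """Compare nominal k with the entropy-based effective anonymity set size.

    effective_k equals nominal_k only when every hash in the bucket is equally
    common; a single dominant password drives it towards 1.
    """
    total = sum(c for _, c in entries)
    probs = [c / total for _, c in entries]
    entropy = -sum(p * math.log2(p) for p in probs if p > 0)
    top_suffix, top_count = max(entries, key=lambda e: e[1])
    return AnonymityStats(len(entries), 2 ** entropy, top_count / total, top_suffix)


if __name__ == "__main__":
    # Constructed skew resembling the b2e98 case: one hash holds almost all the mass.
    print(anonymity_stats(parse_range(constructed_range([3, 2, 1, 3500, 1]))))
    print(anonymity_stats(parse_range(constructed_range([7, 7, 7, 7]))))  # uniform bucket
```

With the skewed counts the bucket has a nominal k of 5 but an effective k of about 1.02, which is the "needle laid on top of the haystack" the post describes.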
Soft-Launching and Open Sourcing the Have I Been Pwned Rebrand – Source: www.troyhunt.com https://ciso2ciso.com/soft-launching-and-open-sourcing-the-have-i-been-pwned-rebrand-source-www-troyhunt-com/ #rssfeedpostgeneratorecho #CyberSecurityNews #HaveIBeenPwned #Troyhuntcom #Troyhunt
Soft-Launching and Open Sourcing the Have I Been Pwned Rebrand https://www.troyhunt.com/soft-launching-and-open-sourcing-the-have-i-been-pwned-rebrand/ #HaveIBeenPwned
Soft-Launching and Open Sourcing the Have I Been Pwned Rebrand - Presently sponsored by: 1Password Extended Access Management: Secure every sign-in... https://www.troyhunt.com/soft-launching-and-open-sourcing-the-have-i-been-pwned-rebrand/ #haveibeenpwned
For all #Datenschutz nerds out there! A nice project by the #Landgericht #Lübeck: a complete overview of the case law of the specialised chamber responsible for #Masseverfahren under the #DSGVO, bundled on one page: from #haveibeenpwned through #scraping and #BusinessTools to #Schufa
We're Backfilling and Cleaning Stealer Logs in Have I Been Pwned - Presently sponsored by: Report URI: Guarding you from rogue JavaScript! Don’t get ... https://www.troyhunt.com/were-backfilling-and-cleaning-stealer-logs-in-have-been-pwned/ #haveibeenpwned
Processing 23 Billion Rows of ALIEN TXTBASE Stealer Logs - Presently sponsored by: Report URI: Guarding you from rogue JavaScript! Don’t get ... https://www.troyhunt.com/processing-23-billion-rows-of-alien-txtbase-stealer-logs/ #haveibeenpwned
It seems #Etsy leaked my e-mail address.
I received a phishing mail in Ukrainian.
It's not from an @etsy.com mail address.
My email address is unique to this Etsy account and I have never used it anywhere else.
I would assume Etsy has been compromised...
#leak #cybersecurity #haveibeenpwned
We’re Backfilling and Cleaning Stealer Logs in Have I Been Pwned – Source: www.troyhunt.com https://ciso2ciso.com/were-backfilling-and-cleaning-stealer-logs-in-have-i-been-pwned-source-www-troyhunt-com/ #rssfeedpostgeneratorecho #CyberSecurityNews #HaveIBeenPwned #Troyhuntcom #Troyhunt
We're Backfilling and Cleaning Stealer Logs in Have I Been Pwned https://www.troyhunt.com/were-backfilling-and-cleaning-stealer-logs-in-have-been-pwned/ #HaveIBeenPwned
We're Backfilling and Cleaning Stealer Logs in Have I Been Pwned - Presently sponsored by: Report URI: Guarding you from rogue JavaScript! Don’t get ... https://www.troyhunt.com/were-backfilling-and-cleaning-stealer-logs-in-have-been-pwned/ #haveibeenpwned
#Datenleck search website #HaveIBeenPwned expanded by 284 million accounts | Security https://www.heise.de/news/Datenleck-Such-Website-Have-I-Been-Pwned-um-284-Millionen-Accounts-aufgestockt-10296120.html #DataLeak #Datenschutz #privacy #HIBP
Troy Hunt: Processing 23 Billion Rows of ALIEN TXTBASE Stealer Logs. “We’ve ingested a corpus of 1.5TB worth of stealer logs known as “ALIEN TXTBASE” into Have I Been Pwned. They contain 23 billion rows with 493 million unique website and email address pairs, affecting 284M unique email addresses. We’ve also added 244M passwords we’ve never seen before to Pwned Passwords and updated the […]
Not sure what happened here. How many accounts did #haveibeenpwned receive again?