Latest news with #HaveIBeenPwned

Google (GOOGL) Shuts Down a Phone Spyware App that Was Operating on Its Servers

Business Insider

26-07-2025

Tech giant Google (GOOGL) has shut down Catwatchful, a phone surveillance app that was secretly using the company's Firebase platform to store and operate its spyware. The move happened about a month after TechCrunch notified Google that Catwatchful was holding stolen data from thousands of hacked phones on Google's servers. Interestingly, Catwatchful targeted Android devices and disguised itself as a child-monitoring app. Unfortunately, it was often misused for stalking partners or other non-consensual surveillance.

To install the app, someone needed physical access to the target's phone, which was usually gained by knowing the passcode. Once installed, it hid itself from the home screen and quietly uploaded private messages, photos, location data, and more to a web dashboard controlled by the person who planted it.

However, in June, TechCrunch discovered a major flaw in Catwatchful's systems that left its database wide open without requiring a password, thereby exposing sensitive information about both victims and paying customers. The exposed data included details from over 26,000 infected devices, along with more than 62,000 customer email addresses and plaintext passwords. It also identified the app's creator as Omar Soca Charcov, who is a developer based in Uruguay. Since there was no sign that Charcov planned to notify the affected users, TechCrunch shared the data with Have I Been Pwned, which is a site that warns people about breaches. It is worth noting that Catwatchful is now one of several spyware operations in recent years that have leaked sensitive information.

Is Google Stock a Good Buy? Turning to Wall Street, analysts have a Strong Buy consensus rating on GOOGL stock based on 28 Buys and nine Holds assigned in the past three months.
Furthermore, the average GOOGL price target of $215.11 per share implies 11.6% upside potential.

Your Data Appeared in a Leak. Now What?

New York Times

18-07-2025

My personal information has been leaked in a data breach not once or twice or even thrice. By now I've lost count. I've learned about the breaches in letters offering me free credit monitoring, in apologetic emails from affected companies, and in news reports. You've probably been there, too. The urge to shrug and do nothing is strong, but that approach is almost certain to cause you some future pain. Learn from my mistakes — someone once took over my Facebook account using stolen data because I recycled my passwords. (Tip: Don't do this.)

Data breaches are now an unfortunate fact of modern life, and there's not much you can do about preventing them. But that doesn't mean you can't protect yourself in the aftermath. Here's what to do.

Leaks and data breaches can take many forms — a hacker releases stolen records online, a company accidentally leaves a server available, the list goes on — but the result is that your personal information ends up somewhere it shouldn't.

Don't panic, but don't ignore it. The sad truth is, decades of data breaches and a thriving market for data brokers mean that an uncomfortable amount of your personal information is likely already out in the open. 'It doesn't worry me too much anymore, just simply because there's so much of that data out there anyway, and a new data breach doesn't particularly change that,' says Troy Hunt, the founder of HaveIBeenPwned, a site that lets you search data breaches to see if you've been affected. But some breaches, particularly those involving sensitive data such as passwords or other personal information, demand attention.

Here's what to do immediately after a data breach to protect yourself in the future:

Set up a password manager and enable two-factor authentication. Because attackers know that many people use the same password across multiple accounts, they'll attempt to use a password exposed on one website across others.
Hunt says that due to password recycling, 'one data breach of a fairly benign service is suddenly a digital key to everything else.' Even if your password wasn't exposed, take the breach as an opportunity to level up your online security. First, choose a password manager (our picks are 1Password and Bitwarden) and use it to create a new, unique password for the site that was breached. Then, take a minute to activate 2FA, if it's available, to keep attackers out even if they have your password. Two-factor authentication adds another layer of protection on top of your password, often in the form of a PIN, security key, or face scan (if you've ever been prompted to enter a texted code after entering your password, that's 2FA). Once you've done that, change the password on another site or two every day (or whenever you log in), and add it to your password manager. Eventually, you'll have unique and complex passwords protected with 2FA for all of your accounts, which will help protect you after future data breaches.

Go directly to the source to find more information about the breach. If you hear about a data breach from a letter, email, or news report, go to the affected company's website to get more information. Be sure to avoid links in emails or text messages, as these can sometimes be from opportunistic scammers. Look for explanations of what information was exposed and what, if any, additional steps the company is taking to protect those affected. If you can't find any information on the website, try contacting the company by phone using a verified phone number. Many companies list their contact numbers on their official websites, so use that number instead of whatever pops up on Google. Once you know what information was exposed, you can decide what to do about it.
Assessing your risk is deeply personal, and how you react might depend on how much and what kind of information the company had on you, though some personal information is obviously sensitive. If your account password, address, or Social Security number has been exposed, you need to take action. Another important piece of information that is often overlooked is your date of birth: 'You can never change it,' Hunt says. 'And unfortunately, we've got everything from [telecommunication companies] to banks regularly using that as an identity proof.'

Change your passwords. Companies sometimes require a password reset after a data breach, so you'll have to create a new password before you can log in. If the company doesn't require a reset, you can do it yourself in your account settings. If you can't log in to change your password, though, an attacker may have already taken control of your account; use the site's password-recovery tool and replace your old password with a strong new one. Store that new password in your password manager and then turn on 2FA. If that doesn't work, contact the company through a verified phone number listed on its site or another trusted source to regain control of your account. Also change the password on any other site where you reused it. As we mentioned earlier, attackers know people's bad password habits and sometimes try confirmed passwords on multiple sites, hoping to get lucky.

Monitor your bank and credit card accounts. Log in to your financial accounts and look for fraudulent charges. Most bank accounts in the US are insured by the Federal Deposit Insurance Corporation for up to $250,000, so if you see incorrect charges, contact your bank to file a claim and get your money back. In the US, customers are not responsible for fraudulent credit card charges, either, so report any of those as well to get them removed from your account.
When contacting your bank, credit card company, or brokerage, be sure to do so through a verified phone number. Most banks and credit card issuers list a fraud-support phone number on the back of your debit or credit card.

Check and freeze your credit. Sometimes, scammers try to use your personal information to open new bank accounts or take out loans. You can check for this kind of fraudulent activity by examining your credit reports from the three major credit bureaus: Equifax, Experian, and TransUnion. The Federal Trade Commission recommends against contacting the credit bureaus individually and instead directs people to use to request one free report from each credit bureau per year. You can also request a credit freeze, which helps prevent new accounts or loans from being opened in your name. If you have children, the FTC recommends freezing their credit, as well; because youngsters are unlikely to be checking their own credit reports, fraud using the information of minors can go unnoticed for years. A credit freeze lasts until you choose to lift it, but keep in mind that it can't protect against all kinds of fraud. The Federal Trade Commission offers resources for reporting identity theft and recovering your accounts if you're concerned that someone is using your Social Security number.

If the affected companies offer free credit monitoring or identity-theft support, use it. Many companies offer credit-monitoring services in the wake of a data breach. You should take advantage. However, all of them require you to activate such services, and you have to watch for notifications if these services find anything suspicious. Typically, you have a limited time during which you can activate the services, and they run for only a year or so.

File your taxes early. Tax scammers sometimes try to claim your US income tax refund by using stolen information to file a return before you do.
If you were involved in a recent data breach, or if sensitive information such as your Social Security number was leaked, consider filing your taxes early to beat scammers to the punch. You can also set up a PIN with the IRS to add an extra layer of protection to your taxes. This is a smart thing to do, even if your data hasn't been exposed.

Be on alert for scams purporting to help after a breach. Scammers sometimes send legitimate-looking emails or texts about data breaches that are actually links to phishing sites, which look like reputable sites but are actually designed to convince you to divulge your passwords or sensitive information. It's a cruel manipulation: exploiting your very anxiety about a security leak to steal your information. To protect yourself, be skeptical of messages with links or demands for immediate, dramatic action. Before you follow any instructions from an email, a text message, or even a phone call, confirm that information by going to an official website or contacting support through a verified phone number.

Phishing sites have a short lifespan, and most browsers are good at blocking malicious sites. If your browser warns you to stay away, pay attention. Most password managers store a related URL along with your password and notify you when you visit a site with a saved password. If you're on a familiar-looking site but your password manager doesn't recognize it, double-check the URL to confirm that it isn't a cleverly designed look-alike.

16 billion passwords: How bad is the 'world's largest data breach'?

Mint

23-06-2025

New Delhi: On 19 June, a report by cybercrime and data breach reporting platform Cybernews said that a collection of 30 live databases was found with information stolen from individuals around the world—collecting what was claimed as 16 billion passwords and their corresponding credentials. The details reportedly belonged to users who had accounts on the most popular online services—Apple, Facebook, Google and others. Has the breach in question really put most users of the internet at risk? Perhaps not—Mint explains why.

What really happened in the alleged data breach? Cybersecurity researchers that Mint spoke with said that the breaches in question were not strictly new or a single consolidated breach, as early reports had claimed. Instead, the new databases are more like master databases where breached information gathered over almost the past decade was put together by an unidentified group or entity.

To put it simply, data breaches occur from either unsecured online databases that cyber criminals scrape to collect information, or as part of cyber attacks on large online platforms that lead to the leakage of sensitive information. The largest known data breach so far occurred in 2016, when cyber attackers breached the entire database of once-search and mail giant Yahoo—stealing over 3 billion passwords and related user credentials at one go.

Four cybersecurity researchers that Mint spoke with said that the 'master' database with 16 billion passwords and other corresponding data—such as name, email addresses, dates of birth and other personally identifiable information (PII)—is likely a collection of multiple breaches, dating back to 2015.

Is such a widespread data breach even possible? While no number of breaches is outside the realm of possibility, most researchers stated that a single breach exposing such a massive volume of sensitive information at one time is nearly unlikely.
'There are estimates of over 5.5 billion unique users on the internet. Given that any average individual would have at least two or three emails, plus accounts linked with around 10-15 online services—served by an average of around five unique passwords, an extrapolated hypothesis can be that a breach of 16 billion passwords would likely impact over 40% of all internet users globally. For this to happen in one single coordinated data breach would be akin to all of Europe, Asia and then some more being compromised at one go—which is nearly unthinkable even in today's cybersecurity climate,' said an independent cybersecurity researcher who closely works with various government departments, requesting anonymity.

Mint could not independently access the alleged database in question or verify whether the information is updated. However, a scroll through cyber breach tracker Have I Been Pwned by noted cyber security professional and Microsoft regional director for the US, Troy Hunt, signified that passwords that have been in use on Apple, Facebook and Google's platforms since at least 2018 have not surfaced online in the repository's list of breached passwords.

To be sure, Have I Been Pwned is a public repository that regularly scrapes dark web databases for leaked passwords, such as the one mentioned here.

What should users do in this regard? Cybersecurity experts stated that, irrespective of whether their passwords appear in breach trackers such as the one cited above, updating passwords once every six months is prudent. Heather Adkins, vice-president of security engineering at Google, said that as part of its global endeavours to ramp up cybersecurity, the company is in the process of collaborating with Apple, Microsoft and others in a global 'Fido Alliance'—which seeks to establish 'passkeys' as a standard for login.
'Passkeys reduce the dependency on passwords, and thus reduce how breaches occur by using the biometric authentication information that is stored on users' phones and laptops. The benefit here is that attackers cannot breach biometric information even if they want, since they require on-device authentication. Various emails and other logins are steadily shifting to passkeys in this regard,' Adkins said.

Sidharth Mutreja, cofounder and chief technology officer of homegrown enterprise security consultant Rockladder Technologies, added that a second step is to 'enable two-factor authentication.' 'As a second layer of security, users should always either use one-time password-based additional verification or use authenticator apps to ensure that their accounts and personal information are not breached even if a password is compromised. Additionally, it's important to ensure that any caller or email sender is personally verified before they are responded to,' he added.

For now, though, each of the researchers agrees that no user is at 'immediate risk of losing access to all of their accounts'—even though initial reports projected widespread risk, unlike what was seen before.

Can attackers still leverage the information? Unfortunately, yes. The presence of such databases means that attackers with deep pockets and ill intent can pay to access such databases and use the information for a wide range of tasks. These include actions such as 'spear phishing'—where attackers use available information about individuals to closely impersonate a potential acquaintance, and dupe them financially or otherwise.

To be sure, such attacks have become common in India in the form of 'digital arrests' and originate from such databases. A single, coordinated database could thus be a crucial indirect resource for attackers, even if they do not immediately cause any direct harm to users.

Will companies handle damages and fallouts, if any? Mutreja said that a coordinated database that collates all breached information under one umbrella 'could create significant liability for enterprises in terms of securing their own platform with database monitoring tools—and put the onus on consumers to instantly and continuously change their passwords.' 'There's no one set law that dictates if a company should be liable for a public database—unless a breach in question directly correlates to a company specifically. In such a case, users can directly raise questions on whether companies should have better protected their data. In this case, though, this does not hold,' he added.

Apple, Facebook and Google—the three major service providers whose information was a part of the breach as per the original report—have not issued any statements or patches pertaining to a data breach of such stature.

Amid password breach, how can you check if your data is leaked? Learn here

Time of India

21-06-2025

In one of the largest data breaches in recent history, a staggering 16 billion passwords have been leaked online, raising urgent concerns about digital security across the globe. The leak, believed to be a compilation of credentials from multiple past and ongoing breaches, is being dubbed the 'mother of all breaches' by cybersecurity experts.

If you're worried your information might be part of the leak, you can check by entering your email ID at HaveIBeenPwned. This trusted site will show whether your credentials have been compromised in any known data breaches.

What to do if your data is exposed? If your data has been exposed, change your passwords immediately. Make sure your new passwords are strong, unique, and not similar to ones you've used before. Also, avoid using the same password across multiple platforms. Using different passwords for different accounts adds an extra layer of security and can help limit the damage in case of future breaches.

Amid password breach, how can you check if your data is leaked? Learn here

Economic Times

21-06-2025

In one of the largest data breaches in recent history, a staggering 16 billion passwords have been leaked online, raising urgent concerns about digital security across the globe. The leak, believed to be a compilation of credentials from multiple past and ongoing breaches, is being dubbed the 'mother of all breaches' by cybersecurity experts.

If you're worried your information might be part of the leak, you can check by entering your email ID at HaveIBeenPwned. This trusted site will show whether your credentials have been compromised in any known data breaches.

What to do if your data is exposed? If your data has been exposed, change your passwords immediately. Make sure your new passwords are strong, unique, and not similar to ones you've used before. Also, avoid using the same password across multiple platforms. Using different passwords for different accounts adds an extra layer of security and can help limit the damage in case of future breaches.
