Latest news with #HaveIBeenPwned


Tom's Guide
3 days ago
More than 184 million passwords exposed in massive data breach — Apple, Google, Microsoft and more
Cybersecurity researcher Jeremiah Fowler has just published a report about his discovery of a massive, unprotected online database of millions of sensitive pieces of data that were stored in a plain text file without any password requirement or encryption. According to ZDNet, the 184 million unique account credentials that Fowler found include usernames, passwords, emails and URLs for apps and websites like Google, Microsoft, Apple, Facebook, Instagram and Snapchat, among others. Perhaps more concerning was the even more sensitive information in the database – specifically credentials for bank and financial accounts, health platforms and government portals.

Fowler's analysis determined that this data had been captured by some type of infostealer, meaning the individuals exposed and the accounts involved will be vulnerable to a host of further scams and malicious behavior from threat actors, such as phishing attacks. Fowler has said he doesn't know whether this database was legitimately or maliciously created in the first place, because the hosting provider would not disclose the name of the owner, though they have removed it from public access. Fowler directly contacted people listed in the file, told them he was researching a data breach and confirmed that the information contained in the database was correct, valid account information.

Additionally, he has said that while whoever owns the database is to blame for the incident, users who treat their email accounts like free cloud storage leave themselves open to security and privacy risks by having years' worth of sensitive documents such as tax forms, medical records, contracts or passwords readily available to cybercriminals who gain access to their email accounts.

People who are involved in a security breach of this nature are subject to a variety of further threats, especially if they've reused the same password, used weak passwords, or hold accounts in a position of government or other importance. Like Fowler, we recommend that you always use strong, unique passwords that include multiple upper and lower case characters as well as numbers and special characters, that you frequently change and update passwords, and that you never reuse passwords. It's often easiest to use a password manager to keep all of your passwords private and safe, or, if possible, use a biometric passkey. Whenever possible, enable two-factor or multi-factor authentication on your accounts. Keep a close eye on all your accounts, and if you think you may have been, or know you have been, the victim of a data breach, check your accounts on sites like HaveIBeenPwned or a password leak checker.

You should also make sure that your antivirus software is set to regularly scan your computer; these scans can be set to run automatically while you're asleep or otherwise not using your machine so that you won't be interrupted. Lastly, know the signs of phishing scams and social engineering attacks so you can watch out for them – you are always the last line of defense when it comes to malware, and threat actors will use all the information they have to try to trick you into clicking on a link or downloading an app or software that appears legitimate but is secretly malicious code. Never click on unexpected links, QR codes or attachments, or on links or attachments from unknown senders. Verify through independent means if someone contacts you asking you to download or click on something. Don't share personal information with people you don't know online, and clear out of your accounts any old emails and photos containing documents that may hold personal details and information.


Phone Arena
6 days ago
If you are using these PIN numbers on your iOS or Android phone, change them immediately
PINs are important. You probably have a four-digit PIN to guard access to your phone, your bank account, and other online portals that you want to keep others away from. The problem, according to a report from the Australian Broadcasting Corporation (ABC), is that the PINs most used are so popular that someone might be able to break into a phone they found or stole. ABC went to the website Have I Been Pwned and analyzed 29 million PIN codes. What they found is pretty disturbing.

The most popular four-digit PIN is 1234, and it is used as the code for one out of every ten of the millions of codes that ABC looked at. The second most popular PIN is 0000, followed closely by 1111. People are lazy and don't want to tax their brains to remember a PIN, so they will repeat the same number. The problem is, the bad guys might be able to figure this out and break into a device. PINs in the top ten of usage include 1212 (which repeats 12 twice) and 4444. Another popular series of PINs uses the device owner's year of birth, which explains why 1986 is a very popular PIN. Someone born that year is 38-39 years old. Also in the top 20 of PINs used is 2004, which would include those who turned or are turning 21 this year.

In countries outside the U.S., the Date/Month format is more popular than the Month/Date format used in America. Thus, special days that can be converted into four-digit PINs should also be avoided, such as 2512 (December 25th – Christmas). You should also avoid 1225. Some four-digit PINs are popular because those who use them think that they are being clever. For example, 1342 is the most popular code; it is simply a play on 1234. You might wonder why 2580 is in the top 40. If you can't figure out why that combination is so popular, look at the dial pad on your phone. See it now? It's the four numbers straight down starting with the number two.

The math reveals the problem. Let's say someone steals a phone and has ten chances to guess before getting locked out or having the data automatically wiped. If the guesses are limited to the 50 most popular PINs, the chance of guessing the correct PIN can be as high as 15% according to Gemini. I don't know about you, but that is a concerning figure if you ask me. To reduce those odds, stay away from using the 50 most popular four-digit PINs (popularity is the share of the analyzed codes using each PIN):

1234 – 9.0%
1111 – 1.6%
0000 – 1.1%
1342 – 0.6%
1212 – 0.4%
2222 – 0.3%
4444 – 0.3%
1122 – 0.3%
1986 – 0.3%
2020 – 0.3%
7777 – 0.3%
5555 – 0.3%
1989 – 0.3%
9999 – 0.2%
6969 – 0.2%
2004 – 0.2%
1010 – 0.2%
4321 – 0.2%
6666 – 0.2%
1984 – 0.2%
1987 – 0.2%
1985 – 0.2%
8888 – 0.2%
2000 – 0.2%
1980 – 0.2%
1988 – 0.2%
1982 – 0.2%
2580 – 0.2%
1313 – 0.2%
1990 – 0.2%
1991 – 0.2%
1983 – 0.2%
1978 – 0.2%
1979 – 0.2%
1995 – 0.2%
1994 – 0.2%
1977 – 0.2%
1981 – 0.2%
3333 – 0.2%
1992 – 0.2%
1975 – 0.2%
2005 – 0.2%
1993 – 0.2%
1976 – 0.2%
1996 – 0.2%
2002 – 0.2%
1973 – 0.2%
2468 – 0.2%
1998 – 0.1%
1974 – 0.1%
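The guessing arithmetic above, worked through as an added example (not code from the Phone Arena article, ABC or Have I Been Pwned): it sums the article's own top-50 popularity figures to get the hit rate for a given number of guesses, and shows the kind of check a PIN-setting screen could run to reject the patterns the article describes. The 1950-2025 birth-year window and the two keypad-column codes are assumptions made for the example.

```python
"""Added example, not from the Phone Arena article: the guessing arithmetic
and a defensive PIN check built on the article's own top-50 popularity table."""

# Percent of the 29 million analyzed PINs using each code, in rank order,
# transcribed from the article's list (rank 1 = 1234 at 9.0%).
_TOP50_TEXT = """
1234 9.0  1111 1.6  0000 1.1  1342 0.6  1212 0.4  2222 0.3  4444 0.3  1122 0.3
1986 0.3  2020 0.3  7777 0.3  5555 0.3  1989 0.3  9999 0.2  6969 0.2  2004 0.2
1010 0.2  4321 0.2  6666 0.2  1984 0.2  1987 0.2  1985 0.2  8888 0.2  2000 0.2
1980 0.2  1988 0.2  1982 0.2  2580 0.2  1313 0.2  1990 0.2  1991 0.2  1983 0.2
1978 0.2  1979 0.2  1995 0.2  1994 0.2  1977 0.2  1981 0.2  3333 0.2  1992 0.2
1975 0.2  2005 0.2  1993 0.2  1976 0.2  1996 0.2  2002 0.2  1973 0.2  2468 0.2
1998 0.1  1974 0.1
"""
_t = _TOP50_TEXT.split()
TOP50 = [(_t[i], float(_t[i + 1])) for i in range(0, len(_t), 2)]
TOP50_PINS = {pin for pin, _ in TOP50}


def success_probability(guesses: int) -> float:
    """Percent chance that trying the `guesses` most popular PINs in rank order
    hits a random user's PIN: the cumulative popularity of those rows."""
    return round(sum(share for _, share in TOP50[:guesses]), 1)


def weak_pin_reasons(pin: str) -> list[str]:
    """Check a PIN-setting UI could run before accepting a code; returns every
    pattern from the article that the PIN matches (empty list = none)."""
    if not (pin.isdigit() and len(pin) == 4):
        raise ValueError("expected a four-digit PIN")
    reasons = []
    if pin in TOP50_PINS:
        reasons.append("in the 50 most common PINs")
    if len(set(pin)) == 1:
        reasons.append("single repeated digit")
    if pin[:2] == pin[2:]:
        reasons.append("two-digit pair repeated")
    if 1950 <= int(pin) <= 2025:  # assumed birth-year window, not from the article
        reasons.append("looks like a birth year")
    a, b = int(pin[:2]), int(pin[2:])
    if any(1 <= m <= 12 and 1 <= d <= 31 for m, d in ((a, b), (b, a))):
        reasons.append("looks like a month/day or day/month date")
    if pin in ("2580", "0852"):  # straight down/up the phone dial pad (assumed)
        reasons.append("keypad column pattern")
    return reasons
```

With ten guesses spent on the ten most common codes, `success_probability(10)` comes to 14.2%, which is the "as high as 15%" figure the article cites; all 50 together reach 22.3%.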

Engadget
22-05-2025
A huge unsecured credential database discovery is a great reminder to change your passwords
Today's report by security expert Jeremiah Fowler of a massive unsecured database full of usernames and passwords shouldn't necessarily frighten you, but it should spur you to action. If you have any weak passwords protecting accounts with sensitive information, or if you've reused the same password — however strong — on multiple accounts, now would be an excellent time to change them and set up two-factor authentication.

Fowler reported on Website Planet that the database, which he found unlocked and without any encryption on an anonymously registered server, contained a little over 184 million records. These included usernames, emails, passwords, and direct links to the URLs for logging into the relevant accounts. While Fowler was able to get the hosting provider to lock the server, he couldn't find any hard evidence about who compiled the database, nor whether they had used or shared the information.

There are a couple of reasons not to panic here. 184 million records exposed doesn't mean 184 million people exposed — it's just the number of rows in the database. If the info was gathered through malware, as Fowler believes, it's likely to have gathered multiple records from every infected device. That's obviously still bad, but fewer people have been affected than it may seem from the number alone. The database also contained no information that could be used for two-factor authentication, so anyone with a second factor set up has much less reason to worry.

Don't forget, though, that one weakly secured account is a liability to the others. For example, a hacker could gain access to your email, then use that access to break through 2FA on your bank account. The potential consequences of having your password stolen are severe enough that it's worth taking common-sense steps. Since the database wasn't leaked on any of the usual dark web sources, its data likely won't show up on breach checkers like HaveIBeenPwned.

However, Fowler did share with Wired reporters that he tested a sample of 10,000 fields in the database, and found passwords to the following platforms:

Facebook
Google
Instagram
Roblox
Discord
Microsoft
Netflix
PayPal
Amazon
Apple
Nintendo
Snapchat
Spotify
Twitter
WordPress
Yahoo
Online banks
Online wallets
Healthcare web apps
Government employee accounts

If you have an account on any of those platforms without two-factor authentication, we recommend changing your password and setting up 2FA as soon as possible. Pay special attention to platforms like Roblox and Nintendo, where your kids might have set up their own accounts and not bothered with 2FA. As Fowler points out in his blog post, even seemingly innocuous accounts might have personal information lying around.


The Star
01-05-2025
World Password Day: Tips to keep your online accounts safe and secure
World Password Day, Thursday, May 1, serves to remind Internet users of the basic rules for protecting online accounts and data. Forget birthdates or your pet's name, choose complex passwords and remember to change them regularly. This, and several other steps, can limit the risk of having your accounts hacked.

Stop using personal information
Avoid using passwords that are too simple or easily recognisable, such as your first name, the names of your children or your pet, your date of birth, or sequences of numbers or letters such as "123456" or "qwerty", which are extremely popular but particularly vulnerable.

Change your passwords regularly
Another bad habit is reusing the same password for several services, or simply changing one character. This is unwise, because hackers' first instinct is precisely to try their luck with the password they've just stolen on several other platforms. As a general rule, it's also advisable to change all your passwords every three months. It's tedious, but it seriously boosts security.

Use a mnemonic strategy to help you choose the right password
The best way to compose and remember a complex password – made up of numbers, letters and even special characters – is to use a mnemonic technique. Just think of the first letters of each word in a sentence or song title, for example. However, remember to choose a different one for each separate online service, as each password must be unique.

Use two-factor authentication
Whenever possible, it's recommended to activate two-factor authentication, which involves adding at least one additional step to logging in to an account. This can take several forms, such as a code sent by SMS or a personal question. This way, even if your password gets cracked, hackers won't be able to access your account.
Despite taking all these precautions, no one is entirely safe from having their data hacked or stolen one day. To find out if your phone number or email address has been compromised, simply go to the Have I Been Pwned website. It lists all the latest data reported stolen. Just type in your email address to find out if you've been affected. If so, don't panic. It doesn't necessarily mean that sensitive data is circulating online, but simply that your login is part of a leaked list. In all cases, you should immediately change the passwords concerned, even if the data breach dates back several months or years. – AFP Relaxnews


New York Post
30-04-2025
Here's how long it takes a hacker to figure out your passwords — and the safest to use
Having to come up with a password that meets the symbol requirements for every site can be a hassle, but there's good reason for it. Of course, the more characters your password has, the longer it takes for a hacker to figure it out. But it's even more specific than that in terms of how long it would take to guess, according to cybersecurity firm Hive Systems' Password Table. For example, a password with five characters using numbers, upper and lowercase letters would take a hacker just two hours to discover. However, a password with 18 characters using numbers, symbols, upper and lowercase letters would take 463 quintillion years.

[Image: The Hive Systems Password Table shows how long it takes for a hacker to guess your password.]

The password table was first designed in 2020 to show how fast a hacker can 'brute-force' your password based on data from

They started by looking at the strength of a hashed password against a hacking attempt based on length, complexity, the hashing algorithm used by the victim and the hardware used by the attacker. A 'hashed' password is a scrambled version of text that can be reproduced if you know what hash software was used. The experts at Hive Systems analyzed password data breaches from 2007 to now reported by HaveIBeenPwned. The table focuses on the concept that the hacker is working in a 'black box' situation, starting from scratch to hack the password. This shows the 'worst case' or 'maximum time required' to do the hacking. Most hackers, according to the blog post, prioritize the words and strings of characters that they'll focus on first through previously stolen hashes, dictionary attacks and rainbow tables.

If your password was part of a previous data breach or uses words in the dictionary, then a hacker can figure out your password — no matter how many characters, symbols or numbers are used — instantly. They noted that these metrics rest on the assumption that your password has not been part of a breach in the past. Hackers will often try hashes of all common and breached passwords before even thinking about moving on to new ones.