Latest news with #dataleak
CNA
6 days ago
- Business
- CNA
Telefonica investigates potential cyberattack after release of data from Peru
MADRID :Spain's Telefonica said on Tuesday it was investigating a potential cyberattack after data allegedly belonging to one million of its customers in Peru was released on an internet forum. In April, the Spanish company sold its troubled Peruvian unit to Argentine company Integra Tec International for about 900,000 euros ($1.03 million). ($1 = 0.8768 euros)
Fox News
24-05-2025
- Fox News
19 billion passwords have leaked online: How to protect yourself
Passwords are outdated, and it's time for both tech companies and users to move on. There, I said it. Like it or not, the weakest link in cybersecurity is anything that relies on human input. While organizations continue to invest in firewalls and endpoint security, the most persistent vulnerability remains the human password. The internet has long struggled with poor password practices, but a recent discovery highlights just how serious the problem is. Security researchers have uncovered more than 19 billion newly leaked passwords, collected from hundreds of breaches between April 2024 and April 2025. An astonishing 94% of these passwords were either reused, predictable or both. Between April 2024 and April 2025, data from nearly 200 separate cybersecurity incidents became publicly available, as discovered by Cybernews. These were not isolated events. They involved massive leak repositories including combolists, stealer logs and compromised databases. In total, over 3 terabytes of raw leaked data were analyzed, comprising more than 19 billion passwords. Only 6 percent of these, just over 1.1 billion, were unique. Among the most used passwords, "123456" appeared in over 338 million instances. Words like "Password" and "admin" followed close behind, despite years of public warnings. Such defaults often originate from devices like routers or enterprise tools, where they are rarely changed and frequently reused elsewhere. Personal names remain a common pattern as well. The name "Ana" appeared in nearly 179 million passwords, followed by countless other first names and name-based combinations. Pop culture, food, cities and even swear words were frequent themes. Words like "Mario," "love," "pizza," "Rome" and various profanities were not just creative choices. They are now security liabilities. Even worse, attackers do not need to guess anymore. They have automation. Credential stuffing tools now run through billions of known passwords across hundreds of platforms, breaching accounts at success rates as high as two percent. That equates to thousands of compromised profiles, bank accounts, emails and cloud tools every single day. According to CyberNews researcher Neringa Macijauskaite, the core issue is not just weak passwords but how often they are reused. Only six percent of passwords are unique. For most users, security depends entirely on two-factor authentication, if it is enabled at all. Most passwords fall between eight to 10 characters, with eight being the most common. Around 27 percent of them contain only lowercase letters and digits, making them highly vulnerable to brute force attacks. Less than 20 percent use a mix of cases and numbers, and only a small fraction includes symbols. Despite widespread education efforts, user habits remain stagnant, but one positive trend has emerged. In 2022, only one percent of passwords used a mix of lowercase, uppercase, numbers and symbols. Now that figure has grown to 19 percent, likely driven by stricter password requirements across platforms. Get a free scan to find out if your personal information is already out on the web. Reused or weak passwords pose a massive threat, not just to individuals but to organizations. A single compromised password can trigger a domino effect, exposing multiple accounts across services. Consider using a password manager to generate and store complex passwords. Get more details about my best expert-reviewed Password Managers of 2025 here. Protecting your data requires a mix of smart security habits and reliable tools. Here are four effective ways to keep your information safe. 1. Enable two-factor authentication (2FA): Even if your password is stolen, 2FA adds an extra layer of security by requiring a second form of verification, such as a code from an authentication app or biometric confirmation. Cybercriminals rely on stolen usernames and passwords to break into accounts, but with 2FA enabled, they cannot gain access without the additional security step. Make sure to enable 2FA on important accounts like email, banking and work-related logins. 2. Use strong antivirus software and be cautious with downloads and links: Infostealer malware is the root cause of why your password is out there. It often spreads through malicious downloads, phishing emails and fake websites. Avoid downloading software or files from untrusted sources, and always double-check links before clicking them. Attackers disguise malware as legitimate software, game cheats or cracked applications, so it is best to stick to official websites and app stores for downloads. The best way to safeguard yourself from malicious links that install malware, potentially accessing your private information, is to have strong antivirus software installed on all your devices. This protection can also alert you to phishing emails and ransomware scams, keeping your personal information and digital assets safe. Get my picks for the best 2025 antivirus protection winners for your Windows, Mac, Android and iOS devices. 3. Keep software updated: Cybercriminals exploit outdated software to deliver malware. Keeping your operating system, browsers, and security software up to date ensures that known vulnerabilities are patched. Enable automatic updates whenever possible, and install reputable antivirus or endpoint protection software that can detect and block infostealer threats before they compromise your system. 4. Consider a personal data removal service: These services can help remove your personal information from data broker sites, reducing your risk of identity theft, spam and targeted scams. While no service can guarantee the complete removal of your data from the internet, a data removal service is really a smart choice. They aren't cheap, and neither is your privacy. These services do all the work for you by actively monitoring and systematically erasing your personal information from hundreds of websites. It's what gives me peace of mind and has proven to be the most effective way to erase your personal data from the internet. By limiting the information available, you reduce the risk of scammers cross-referencing data from breaches with information they might find on the dark web, making it harder for them to target you. Check out my top picks for data removal services here. When it comes down to it, passwords just aren't cutting it anymore. The sheer number of leaked passwords and the fact that so few are unique show how vulnerable we really are. Cybercriminals are getting smarter and faster, but we don't have to make it easy for them. By using password managers, enabling two-factor authentication, keeping our software updated and considering extra privacy tools, we can take back some control over this situation. It might take a little effort to change old habits, but the peace of mind you get is worth it. How many of your accounts use the same password or a variation of it? Let us know by writing us at For more of my tech tips and security alerts, subscribe to my free CyberGuy Report Newsletter by heading to Follow Kurt on his social channels: Answers to the most-asked CyberGuy questions: New from Kurt: Copyright 2025 All rights reserved.
Phone Arena
22-05-2025
- Phone Arena
Your Google and Apple logins might be in this leak — and the risks go far beyond those two
Image credit — Unsplash A huge database of usernames and passwords has been found online, and it may affect users of several major services — including Apple, Google, Facebook, and Microsoft. Today, a notable cybersecurity researcher reported the discovery of an unsecured 47GB Elasticsearch server containing over 184 million login credentials. The database was publicly accessible and had no password or encryption protecting it. The leaked records came from users in at least 29 countries and included details from widely used platforms. Although the original disclosure didn't list every service by name, a follow-up review by Wired confirmed that usernames and passwords for Apple ID, iCloud, Gmail, Facebook, Microsoft accounts, and others were part of the leaked data. The server has since been taken offline after Fowler notified its hosting provider, World Host Group. However, it's still unknown who collected the data or how long it was exposed. Screenshot with some entries of stolen passwords referencing Facebook, Roblox, Google, NHS, Live, Microsoft, Discord, and Snapchat. | Image credit — Website Planet" This wasn't a direct breach of Google, Apple, or other major companies. Instead, the leak appears to come from InfoStealer malware — software that pulls saved passwords from browsers and apps. If you've reused passwords across multiple accounts, your other logins may now be often try stolen credentials on multiple sites to see what else they can access. Since many people reuse the same password across services, a single exposed password could unlock a lot more than just one you use any of the affected services, now is a good time to update your passwords, especially if you've reused them. Create strong, unique passwords for each account, and consider using a password manager to keep track of on two-factor authentication (2FA) for extra protection. Services like Apple, Google, Facebook, and Microsoft all offer this feature, and it adds a second layer of security in case your password gets can also check whether your email or password has been involved in a known breach using sites like "Have I Been Pwned." Even if your account wasn't in this specific leak, it's smart to stay alert for phishing emails or suspicious login activity. With so many popular services included, this breach is a good reminder to take password security seriously. More importantly, it's a reminder to stop reusing the same password across different sites. This is something that I have personally done myself for the sake of convenience, but it's become more and more a huge risk.
Forbes
12-05-2025
- Forbes
Warning — 23 Million New Plaintext Credentials Leaked Online
23 billion secrets leaked, report confirms. getty I won't lie, on May 3, when I reported that 19 billion compromised passwords had been found within criminal forums on both the dark and surface web, I thought that the leaked credentials problem couldn't really get any worse. Within 10 days, I had been forced to revise that viewpoint as the actual number of unique stolen passwords included in that list increased from 1.4 billion to 2.9 billion. Oh, and 14 million stolen credit cards were also included, making things even worse. Given the threat posed by so-called unsophisticated hackers looking for the easiest routes to system compromise, and the role that such password lists play, it's hardly surprising I was concerned. And then, dear reader, I was passed a copy of a new report that revealed a revised and truly concerning number of plaintext credentials leaked publicly. Let me explain why. Rarely has the opening line of a security analysis struck me as strongly as that of the GitGuardian 'State of Secrets Sprawl 2025' report. I mean, I wasn't surprised to read that 'long-lived plaintext credentials have been involved in most breaches over the last several years,' but knowing the context, it still hit very hard. After all, this is a message I've been trying to get across for years, decades even, and apparently with very little success. The second half of that leading paragraph sums up my concern nicely: 'When valid credentials, such as API keys, passwords, and authentication tokens, leak, attackers at any skill level can gain initial access or perform rapid lateral movement through systems.' These secrets, these plaintext credentials, should not be leaked. Period. That's pretty obvious to everyone, isn't it? So why, then, according to the GitGuardian analysis, were there a staggering 23,770,171 new hardcoded secrets that had been added to public GitHub repositories in 2024? Sure, it's not in the billions, but it's the context that matters here. It's the kind of credentials, and the fact that this represents an increase of some 25% over the numbers leaked in 2023, that concerns me the most. That, my friends, is genuinely shocking and suggests that lessons are not being learned. Despite GitHub's efforts to prevent such credential leakage, the sprawl of these plaintext secrets is worsening, not improving. If you are not concerned by this revelation, then, frankly, you need to take a long look at yourself. When you consider that, as Verizon's 2024 Data Breach Investigations Report confirmed, nearly a third of all breaches have employed stolen credentials. Last year alone, Verizon said that 22% of breaches used compromised credentials as the initial access route. 'It is an attacker's favorite way to gain an initial foothold and to move laterally through environments,' GitGuardian warned. I have reached out to GitHub for a statement regarding the leakage of plaintext credentials as detailed by GitGuardian analysts, and will update this article once I have anything further to report.
Yahoo
09-05-2025
- Health
- Yahoo
Exclusive-Star Health hacker says they sent death threats, bullets to India executives
By Munsif Vengattil, Praveen Paramasivam and Aditya Kalra NEW DELHI (Reuters) -The hacker who leaked sensitive personal data held by Indian health insurer Star Health last year has taken responsibility for sending death threats and bullets to the company's chief executive and finance head. The hacker, who goes by the alias "xenZen", described their reprisals against Star Health and Allied Insurance Company in a March 31 email to Reuters. The news agency is reporting them for the first time. Star Health, India's biggest health insurer, has faced criticism from customers and data security experts since Reuters reported last September that xenZen had leaked sensitive client data, including medical reports. At the time, xenZen told Reuters in an email they possessed 7.24 terabytes of data related to over 31 million Star Health customers and was speaking to potential buyers for the data. The news agency hasn't independently confirmed the identity or location of xenZen, the accuracy of the facts laid out in the March 31 email or the hacker's motive for targeting Star Health and its executives, which the email ascribed to the company's denial of medical claims to certain customers. In response to questions from Reuters, Star Health's chief legal officer said in a statement the company could not comment "due to an ongoing, highly sensitive criminal investigation" related to its data leak. XenZen said they had concealed bullet cartridges in two packages sent to Star Health's head office in the southern Indian city of Chennai, in Tamil Nadu state, in February. The email included photographs that showed the packages addressed to Chief Executive Anand Roy and Chief Financial Officer Nilesh Kambli and a note inside which read: "next one will go in ur and ur peoples head. tik tik tik." Roy did not respond to a phone call requesting comment, while Kambli told Reuters Star Health's public relations team would respond on his behalf. The company did not respond to further requests for comment. The New Indian Express on Saturday reported that police in Tamil Nadu were investigating the threats and had linked them to xenZen. Tamil Nadu police did not respond to Reuters queries. Three Indian police sources confirmed an investigation was underway. They declined to be named as the matter is confidential. One police source said a man from the neighbouring state of Telangana, who the source did not name, has been arrested in recent days for allegedly helping courier the packages to Star Health on behalf of xenZen. Reuters was unable to identify the individual or the status of his detention. Globally, health care companies have been reassessing the risks for their top executives after UnitedHealthcare Chief Executive Brian Thompson was murdered in a targeted attack in December. The killing also called fresh attention to deepening patient anger over health insurance. In the March 31 email to Reuters, xenZen referred to the killing of Thompson and said the death threats to the Star Health executives were sent after the hacker was contacted for help by customers of Star Health who had been denied claims on medical bills despite coverage plans with the company. Star Health did not comment on what xenZen described as their motive, the claims of dissatisfied customers being denied or the police investigation into the threats. Star Health launched internal investigations into last year's data leak, which the company said followed a ransom demand of $68,000 from the hacker. Star Health last September sued xenZen and messaging app Telegram for hosting the sensitive customer data on its chatbots, court papers show. The chatbots hosting the stolen data have since been deleted and the case is ongoing.
