Weekly Update 434

By: Troy Hunt

12 January 2025 at 17:59

This week I'm giving a little teaser as to what's coming with stealer logs in HIBP and in about 24 hours from the time of writing, you'll be able to see the whole thing in action. This has been a huge amount of work trawling through vast volumes of data and trying to make it usable by the masses, but I think what we're launchung tomorrow will be awesome. Along with a new feature around these stealer logs, we've also added a huge number of new passwords to Pwned Passwords not previously seen before. Now, for the first time ever, "fuckkangaroos" will be flagged by any websites using the service 😮 More awesome examples coming in tomorrow's blog post, stay tuned!

References

Sponsored by: Report URI: Guarding you from rogue JavaScript! Don’t get pwned; get real-time alerts & prevent breaches #SecureYourSite
Publicly asking for a security contact ios really not something I want to be doing (it tends to be a last resort after not being able to raise the company via various other channels)
Massive kudos to Synology for making the DiskStation rollover process entirely seamless (little bit of work restoring Plex, but at least there was zero data loss)

Troy Hunt
Weekly Update 429
7 December 2024 at 23:09

Weekly Update 429

Troy Hunt

By: Troy Hunt

7 December 2024 at 23:09

A super quick intro today as I rush off to do the next very Dubai thing: drive a Lambo through the desert to go dirt bike riding before jumping in a Can-Am off-roader and then heading to the kart track for a couple of afternoon sessions. I post lots of pics to my Facebook account, and if none of that is interesting, here's this week's video on more infosec-related topics:

References

Sponsored by: Cyberattacks are guaranteed. Is your recovery? Protect your data in the cloud. Join Rubrik’s Cloud Resilience Summit.
The Armenian Government is now the 37th to have free and open access to their domains on HIBP (this gives them API-level domain searches to their gov TLD)
After two and a bit years on sale, we're now giving away "Pwned" the book, for free (go grab it in PDF or EPUB format)

Troy Hunt
Weekly Update 428
30 November 2024 at 22:19

Weekly Update 428

Troy Hunt

By: Troy Hunt

30 November 2024 at 22:19

I wouldn't say this is a list of my favourite breaches from this year as that's a bit of a disingenuous term, but oh boy were there some memorable ones. So many of the incidents I deal with are relatively benign in terms of either the data they expose or the nature of the service, but some of them this year were absolute zingers. This week, I'm talking about the ones that really stuck out to me for one reason or another, here's the top 5:

References

Sponsored by: 1Password Extended Access Management: Secure every sign-in for every app on every device.
The Spoutible breach was one of the most bizarre instances of returning unnecessary data via an API I've ever seen (passwords, 2FA secrets and the code used in "magic links" to reset passwords)
It's one thing for spyware to be used for stalking partners against their terms and conditions, it was quite another for pcTattletale to explicitly refer to marital infidelity as a use case for the product (this data breach actually killed the company)
The "Combolists Posted to Telegram" breach was more significant for the stealer logs than it was the combolists aggregated from other sources (that really brought this class of breach into the spotlight for me)
The National Public Data breach was much more significant for the exposure of hundreds of millions of social security numbers than it was for the email addresses that went into HIBP (that's another company that folded as a result of their breach)
The Muah.AI breach exposed a trove of requests by users to create CSAM images (the linked thread is a mind-boggling series of tweets about both the content and the justifications offered for not having controls on the images created)

Normal view

References

References

References