Security News

MFA vs 2FA: Which Is Best for Your Business?
2024-03-15 15:17

The terms 2FA and MFA are sometimes used interchangeably. This is because 2FA is really a subset of MFA. 2FA involves only one additional authentication factor.

Spoutible API exposed encrypted password reset tokens, 2FA secrets of users
2024-02-06 14:26

A publicly exposed API of social media platform Spoutible may have allowed threat actors to scrape information that can be used to hijack user accounts. The problem with the Spoutible API. Security consultant Troy Hunt has been tipped off about the API by an individual who shared a file with 207,000 Spoutible user records - supposedly scraped via the API - and an URL that would allow Hunt to do the same with his own account.

Payoneer accounts in Argentina hacked in 2FA bypass attacks
2024-01-19 20:28

Numerous Payoneer users in Argentina report waking up to find that their 2FA-protected accounts were hacked and funds stolen after receiving SMS OTP codes while they were sleeping. Starting last weekend, many Payoneer users in Argentina, whose accounts were protected by two-factor authentication, reported suddenly losing access to their accounts or simply logging in to empty wallets, losing "Years of work" worth in money ranging from $5,000 to $60,000.

Patch time: Critical GitLab vulnerability exposes 2FA-less users to account takeovers
2024-01-15 17:36

Attackers targeting vulnerable self-managed GitLab instances could use a specially crafted HTTP request to send a password reset email to an attacker-controlled, unverified email address. Users with 2FA enabled aren't vulnerable to account takeover, unless the attacker also had control of the 2FA authenticator, but a password reset could still be achieved.

Mandiant's brute-forced X account exposes perils of skimping on 2FA
2024-01-11 17:00

Google-owned security house Mandiant's investigation into how its X account was taken over to push cryptocurrency scams concludes the "Likely" cause was a successful brute-force password attack. "Normally, 2FA would have mitigated this, but due to some team transitions and a change in X's 2FA policy, we were not adequately protected," it posted via its now recovered account.

Twilio will ditch its Authy desktop 2FA app in August, goes mobile only
2024-01-08 18:07

The Authy desktop apps for Windows, macOS, and Linux will be discontinued in August 2024, with the company recommending users switch to a mobile version of the two-factor authentication app. "We made this difficult decision to sunset the Twilio Authy desktop apps in order to streamline our focus and provide more value on existing product solutions for which we see increasing demand," explains Twilion in a new support document.

GitHub warns users to enable 2FA before upcoming deadline
2023-12-26 21:03

In emails sent to GitHub users on Christmas Eve, the company warned that all users contributing code on GitHub.com must enable 2FA by January 19th, 2024. "On January 19th, 2024 at 00:00 your account will be required to have 2FA for authentication. If you have not yet enrolled by that date, your ability to access GitHub.com will be limited until you finish the enrollment process," the company noted in an email to its users.

New phishing attack steals your Instagram backup codes to bypass 2FA
2023-12-20 19:35

A new phishing campaign pretending to be a 'copyright infringement' email attempts to steal the backup codes of Instagram users, allowing hackers to bypass the two-factor authentication configured on the account. When configuring two-factor authentication on Instagram, the site will also provide eight-digit backup codes that can be used to regain access to accounts if you cannot verify your account using 2FA. This could happen for multiple reasons, such as switching your mobile number, losing your phone, and losing access to your email account.

How to Retrieve and Generate Google 2FA Backup Codes
2023-08-17 12:58

Learn how to retrieve your Google 2FA backup codes and how best to use them. Some services offer 2FA backup codes that can be used instead. Google is one such service.

Massive EvilProxy Phishing Attack Campaign Bypasses 2FA, Targets Top-Level Executives
2023-08-14 18:32

New research from Proofpoint exposes a new massive credential phishing attack campaign aimed at top-level executives in more than 100 organizations worldwide. This cybersecurity attack leverages the EvilProxy phishing kit and bypasses two-factor authentication.