Security News

Cybercriminals are offering to sell for thousands of U.S. dollars network access credentials for higher education institutions based in the United States. The sensitive information consists of network credentials and virtual private network access "To a multitude" of higher education organizations in the U.S. In some cases, the seller posted a screenshot proving that the credentials provide the advertised access.

Customers of automaker General Motors and wedding planning company Zola have had customer accounts compromised through credential stuffing, and the criminals have used the access to redeem gift cards. Credential stuffing is a type of attack aimed at hijacking accounts.

Car manufacturer General Motors has confirmed the credential stuffing attack it suffered last month exposed customers' names, personal email addresses, and destination data, as well as usernames and phone numbers for family members tied to customer accounts. Other more personal information, including social security and credit card and bank account numbers, as well as drivers license data are not stored in customers' GM accounts and were not laid bare, GM officials said in a letter [PDF] sent to customers this month.

US car manufacturer GM disclosed that it was the victim of a credential stuffing attack last month that exposed some customers' information and allowed hackers to redeem rewards points for gift cards. General Motors operates an online platform to help owners of Chevrolet, Buick, GMC, and Cadillac vehicles manage their bills, services, and redeem rewards points.

US car manufacturer GM disclosed that it was the victim of a credential stuffing attack last month that exposed some customers' information and allowed hackers to redeem rewards points for gift cards. Car owners can redeem GM rewards points towards GM vehicles, car service, accessories, and purchasing OnStar service plans.

Phishing attacks are now using automated chatbots to guide visitors through the process of handing over their login credentials to threat actors. The URL button in the PDF takes the victim to a phishing site where they are supposed to resolve issues causing a package to be undeliverable.

Threat actors are luring potential thieves by spamming login credentials for other people account's on fake crypto trading sites, illustrating once again, that there is no honor among thieves. If the email recipient believes the message was sent to them by mistake and decides to access "Rob Hoffman's" money, they can use the sent credentials to log into the account on Orbitcoin.

A Ukrainian man has been sentenced to four years in a US federal prison for selling on a dark-web marketplace stolen login credentials for more than 6,700 compromised servers. The prosecution's documents [PDF] detail an unnamed, dark-web marketplace on which usernames and passwords along with personal data, including more than 330,000 dates of birth and social security numbers belonging to US residents, were bought and sold illegally.

Heroku has now revealed that the stolen GitHub integration OAuth tokens from last month further led to the compromise of an internal customer database.Like many users, we unexpectedly received a password reset email from Heroku, even though BleepingComputer does not have any OAuth integrations that use Heroku apps or GitHub.

A phishing operation compromised over one hundred UK National Health Service employees' Microsoft Exchange email accounts for credential harvesting purposes, according to email security shop Inky. During the phishing campaign, which began in October 2021 and spiked in March 2022, the email security firm detected 1,157 phishing emails originating from NHSMail accounts that belonged to 139 NHS employees in England and Scotland.