Security News

Researchers say they found several stolen and leaked credentials for a Florida water-treatment plant, which was hacked last week. Researchers at CyberNews said they found 11 credential pairs linked to the Oldsmar water plant, in a 2017 compilation of stolen breach credentials.

The product is the only Active Directory plugin to check credentials at installation and password creation, and continuously monitor for and detect compromised credentials. The automated tool screens passwords against the dynamic Enzoic database containing billions of exposed credentials.

The number of annual credential spill incidents nearly doubled from 2016 to 2020, according to F5 research. "Attackers have been collecting billions of credentials for years. Credential spills are like an oil spill, once leaked, they are very hard to clean up because credentials do not get changed by unassuming consumers, and credential stuffing solutions are yet to be widely adopted by enterprises."

Spotify streaming music aficionados are in the crosshairs of yet another credential-stuffing cyberattack, just three months after the last one. Back in November, cybercriminals attacked hundreds of thousands of Spotify users utilizing this approach, prompting the streaming music service to issue password-reset notices.

Security researchers at cybersecurity company ESET discovered the malware and named it Kobalos, after the misbehaving creature in Greek mythology. "On compromised machines whose system administrators were able to investigate further, we discovered that an SSH credential stealer was present in the form of a trojanized OpenSSH client. The /usr/bin/sshfile was replaced with a modified executable that recorded username, password and target hostname, and wrote them to an encrypted file" - ESET. The researchers believe that credential theft could explain how the malware spreads to other systems on the same network or other networks in the academic sector since students and researchers from multiple universities may have SSH access to supercomputer clusters.

Researchers have disclosed a new family of Android malware that abuses accessibility services in the device to hijack user credentials and record audio and video. The malware repeatedly reopens the Settings screen every eight seconds until the user turns on permissions for accessibility and device usage statistics, thus pressurizing the user into granting the extra privileges.

Microsoft has detailed how the Password Monitor feature in Edge works after it pushed version 88 of the browser into the Stable channel. The Password Monitor technology had already been made available to Insiders during 2020 and notifies users in the event their saved passwords are found in a third-party breach.

Cybercriminals behind a successful phishing campaign have exposed more than 1,000 corporate employee credentials on the Internet, according to a warning from security vendor Check Point. As part of the campaign, the attackers were able to successfully bypass Microsoft Office 365 Advanced Threat Protection filtering, which allowed them to harvest more than a thousand credentials from victims.

Attackers behind a recently discovered phishing campaign have unintentionally left more than 1,000 stolen credentials available online via simple Google searches, researchers have found. While this is and of itself is not atypical of phishing campaigns, attackers made a "Simple mistake in their attack chain" that left the credentials they'd stolen exposed to the "Public Internet, across dozens of drop-zone servers used by the attackers," researchers said.

Microsoft is rolling out a built-in password generator and a leaked credentials monitoring feature on Windows and macOS systems running the latest Microsoft Edge version. Microsoft Edge 88 now helps you improve the security of your online accounts with the password generator which suggests secure and strong passwords when updating existing credentials or signing up for new accounts.