Security News

Microsoft has detailed how the Password Monitor feature in Edge works after it pushed version 88 of the browser into the Stable channel. The Password Monitor technology had already been made available to Insiders during 2020 and notifies users in the event their saved passwords are found in a third-party breach.

Cybercriminals behind a successful phishing campaign have exposed more than 1,000 corporate employee credentials on the Internet, according to a warning from security vendor Check Point. As part of the campaign, the attackers were able to successfully bypass Microsoft Office 365 Advanced Threat Protection filtering, which allowed them to harvest more than a thousand credentials from victims.

Attackers behind a recently discovered phishing campaign have unintentionally left more than 1,000 stolen credentials available online via simple Google searches, researchers have found. While this in and of itself is not atypical of phishing campaigns, attackers made a "simple mistake in their attack chain" that left the credentials they'd stolen exposed to the "public Internet, across dozens of drop-zone servers used by the attackers," researchers said.

Microsoft is rolling out a built-in password generator and a leaked credentials monitoring feature on Windows and macOS systems running the latest Microsoft Edge version. Microsoft Edge 88 now helps you improve the security of your online accounts with the password generator, which suggests secure and strong passwords when updating existing credentials or signing up for new accounts.

The Federal Bureau of Investigation has issued a Private Industry Notification to warn of attacks targeting enterprises, in which threat actors attempt to obtain employee credentials through vishing or chat rooms. An observed shift in tactics, the FBI says, is the targeting of all employee credentials, not exclusively those of individuals who might have higher access and privileges based on their corporate position.

Multiple code repositories from Nissan North America became public this week after the company left an exposed Git server protected with default access credentials. The entire collection is around 20 gigabytes in size and contains source code for mobile apps and various tools used by Nissan internally for diagnostics, client acquisition, market research, or NissanConnect services.

Leading gaming companies, such as Ubisoft, have become big targets for cybercriminals who aim to turn a profit by selling leaked insider credentials tied to the top game publishers. More than 500,000 of the leaked credentials pertained to employees of leading game companies, according to the report published Monday.

Several Zyxel firewall and WLAN controller products contain hardcoded credentials for an undocumented user account that has admin privileges. The account was designed for the delivery of automatic firmware updates through FTP and is present on Zyxel USG, ATP, VPN, ZyWALL, and USG FLEX devices.

Easy WP SMTP, a WordPress plugin for email management that has more than 500,000 installations, has a vulnerability that could open the site up to takeover, researchers said. Easy WP SMTP allows users to configure and send all outgoing emails via an SMTP server, so that they don't end up in the recipient's junk/spam folder.

The attackers leveraged hundreds of compromised, legitimate email accounts to target organizations with emails that pretended to be document delivery notifications. In reality, the phishing attack stole victims' Office 365 credentials.