Security News

Meta Fined €91 Million for Storing Millions of Facebook and Instagram Passwords in Plaintext
2024-09-30 06:12

The Irish Data Protection Commission (DPC) has fined Meta €91 million ($101.56 million) as part of a probe into a security lapse in March 2019, when the company disclosed that it had mistakenly...

Ireland fines Meta €91 million for storing passwords in plaintext
2024-09-28 14:16

The Data Protection Commission (DPC) in Ireland has fined Meta Platforms Ireland Limited (MPIL) €91 million ($100 million) for storing in plaintext passwords of hundreds of millions of users. [...]

Bitbucket artifact files can leak plaintext authentication secrets
2024-05-21 19:05

Threat actors were found breaching AWS accounts using authentication secrets leaked as plaintext in Atlassian Bitbucket artifact objects. As developers may not be aware that these secrets are exposed in artifact files, the source code may be published to public repositories where threat actors can steal them.

Misconfigured Firebase instances leaked 19 million plaintext passwords
2024-03-19 23:25

Three cybersecurity researchers discovered close to 19 million plaintext passwords exposed on the public internet by misconfigured instances of Firebase, a Google platform for hosting databases, cloud computing, and app development. The researchers started looking on the public web for personally identifiable information exposed via vulnerable Firebase instances.

Google Workspace weaknesses allow plaintext password theft
2023-11-15 18:30

Exploits come with caveats, but Google says no fixes as user security should do the heavy lifting here Novel weaknesses in Google Workspace have been exposed by researchers, with exploits...

Chrome extensions can steal plaintext passwords from websites
2023-09-02 15:04

A team of researchers from the University of Wisconsin-Madison has uploaded to the Chrome Web Store a proof-of-concept extension that can steal plaintext passwords from a website's source code. An examination of the text input fields in web browsers revealed that the coarse-grained permission model underpinning Chrome extensions violates the principles of least privilege and complete mediation.

WordPress AIOS plugin used by 1M sites logged plaintext passwords
2023-07-14 15:55

The All-In-One Security WordPress security plugin, used by over a million WordPress sites, was found to be logging plaintext passwords from user login attempts to the site's database, putting account security at risk. Roughly three weeks ago, a user reported that the AIOS v5.1.9 plugin was not only recording user login attempts to the aiowps audit log database table, used to track logins, logouts, and failed login events but also recording the inputted password.

AIOS WordPress Plugin Faces Backlash for Storing User Passwords in Plaintext
2023-07-14 11:07

All-In-One Security, a WordPress plugin installed on over one million sites, has issued a security update after a bug introduced in version 5.1.9 of the software caused users' passwords being added to the database in plaintext format. "This would be a problem if those site administrators were to try out those passwords on other services where your users might have used the same password. If those other services' logins are not protected by two-factor authentication, this could be a risk to the affected website."

GitHub saved plaintext passwords of npm users in log files, post mortem reveals
2022-05-27 12:15

GitHub has revealed it stored a "Number of plaintext user credentials for the npm registry" in internal logs following the integration of the JavaScript package registry into GitHub's logging systems. The code shack went on to assure users that the relevant log files had not been leaked in any data breach; that it had improved the log cleanup; and that it removed the logs in question "Prior to the attack on npm."

Samba update patches plaintext password plundering problem
2021-11-12 19:59

That's where someone monitors the SMB1 traffic on your network, and replies to new users on your network to say, "Oh, really sorry, we're very old fashioned here. Please don't send encrypted passwords to log in, use plaintext passwords instead.". Before you blame Samba for having had this bug stop to think that you shouldn't still be using SMB1 at all, and that Samba, like Windows, doesn't enable it by default.