Security News

The Irish Data Protection Commission (DPC) has fined Meta €91 million ($101.56 million) as part of a probe into a security lapse in March 2019, when the company disclosed that it had mistakenly...

The Data Protection Commission (DPC) in Ireland has fined Meta Platforms Ireland Limited (MPIL) €91 million ($100 million) for storing in plaintext passwords of hundreds of millions of users. [...]

Threat actors were found breaching AWS accounts using authentication secrets leaked as plaintext in Atlassian Bitbucket artifact objects. As developers may not be aware that these secrets are exposed in artifact files, the source code may be published to public repositories where threat actors can steal them.

Three cybersecurity researchers discovered close to 19 million plaintext passwords exposed on the public internet by misconfigured instances of Firebase, a Google platform for hosting databases, cloud computing, and app development. The researchers started looking on the public web for personally identifiable information exposed via vulnerable Firebase instances.

Exploits come with caveats, but Google says no fixes as user security should do the heavy lifting here Novel weaknesses in Google Workspace have been exposed by researchers, with exploits...

A team of researchers from the University of Wisconsin-Madison has uploaded to the Chrome Web Store a proof-of-concept extension that can steal plaintext passwords from a website's source code. An examination of the text input fields in web browsers revealed that the coarse-grained permission model underpinning Chrome extensions violates the principles of least privilege and complete mediation.

The All-In-One Security WordPress security plugin, used by over a million WordPress sites, was found to be logging plaintext passwords from user login attempts to the site's database, putting account security at risk. Roughly three weeks ago, a user reported that the AIOS v5.1.9 plugin was not only recording user login attempts to the aiowps audit log database table, used to track logins, logouts, and failed login events but also recording the inputted password.

All-In-One Security, a WordPress plugin installed on over one million sites, has issued a security update after a bug introduced in version 5.1.9 of the software caused users' passwords being added to the database in plaintext format. "This would be a problem if those site administrators were to try out those passwords on other services where your users might have used the same password. If those other services' logins are not protected by two-factor authentication, this could be a risk to the affected website."

GitHub has revealed it stored a "Number of plaintext user credentials for the npm registry" in internal logs following the integration of the JavaScript package registry into GitHub's logging systems. The code shack went on to assure users that the relevant log files had not been leaked in any data breach; that it had improved the log cleanup; and that it removed the logs in question "Prior to the attack on npm."

That's where someone monitors the SMB1 traffic on your network, and replies to new users on your network to say, "Oh, really sorry, we're very old fashioned here. Please don't send encrypted passwords to log in, use plaintext passwords instead.". Before you blame Samba for having had this bug stop to think that you shouldn't still be using SMB1 at all, and that Samba, like Windows, doesn't enable it by default.