Google has denied reports of a massive Gmail data breach, clarifying that the exposed accounts came from a compilation of credentials harvested over years through malware, phishing, and other attacks, not from any new compromise of Google's systems. The false claims originated from misinterpretations of stolen-credential databases and caused unnecessary alarm. Google emphasizes that users should change their passwords if their credentials appear in such a collection, but reassures them that Gmail's own defenses remain intact.
The reported 16 billion credential breach is likely exaggerated and based on recycled, outdated data rather than a single, recent event, highlighting the dangers of misinformation in cybersecurity and the importance of focusing on proven threats like infostealer malware and online hygiene.
A massive data breach dubbed the 'Mother of All Data Breaches' allegedly exposed 16 billion user credentials from various platforms, but experts suggest it may be a compilation of old breaches rather than a new one. The breach highlights the ongoing risks of credential theft and the use of malware like infostealers, emphasizing the importance of updating passwords and enhancing online security.
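The advice in the three items above is to check whether your credentials appear in these recycled compilations and change them if they do. The way to do that without handing the password to a third party is the k-anonymity range lookup that Have I Been Pwned's Pwned Passwords service uses: hash the password with SHA-1, send only the first five hex characters of the hash, and match the remaining 35 characters locally against the returned list of `SUFFIX:COUNT` lines. The block below is an added example (not code from Google, HIBP, or any of the articles summarized here); the range URL is the real public endpoint, but the response body used for the offline demonstration is constructed, and its count for the sample password is made up.

```python
"""k-anonymity breached-password check (added example; the sample response is constructed)."""
import hashlib
import urllib.request
from typing import Dict, Tuple

RANGE_API = "https://api.pwnedpasswords.com/range/"  # real endpoint; not contacted by the offline demo


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the password, the format the range API keys on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_for_range_query(password: str) -> Tuple[str, str]:
    """Return (5-char prefix sent to the service, 35-char suffix kept locally)."""
    digest = sha1_hex(password)
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a dict; tolerates blank lines and padding entries with count 0."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, range_body: str) -> int:
    """How often the password appears in the corpus, given the range response for its prefix (0 if absent)."""
    _, suffix = split_for_range_query(password)
    return parse_range_response(range_body).get(suffix, 0)


def fetch_range(prefix: str) -> str:
    """Live lookup: only the 5-character prefix leaves the machine. Not used by the offline demo."""
    req = urllib.request.Request(RANGE_API + prefix, headers={"Add-Padding": "true"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed stand-in for the service's reply to prefix 5BAA6 (SHA-1("password") starts with 5BAA6).
# The suffix on the last line is the real remainder of that hash; the counts are invented.
CONSTRUCTED_RANGE_BODY = """\
1D2E6DF4F1E2A4B3C5D6E7F8091A2B3C4D5:2
1E3B0E5AE7B8C9D0E1F2A3B4C5D6E7F8091:0
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
"""


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        prefix, _ = split_for_range_query(pw)
        # In real use: body = fetch_range(prefix); here the constructed body stands in for prefix 5BAA6.
        n = breach_count(pw, CONSTRUCTED_RANGE_BODY)
        print(f"{pw!r}: prefix {prefix}, seen {n} times")
```

Only the prefix is sent, so the service learns nothing that identifies the password; the `Add-Padding` header asks for filler entries (count 0) so response size does not leak the prefix's true bucket either, which is why the parser keeps zero-count lines harmlessly.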
A webinar on July 9th will explore how cybercriminals are increasingly breaching networks using stolen credentials instead of vulnerabilities, covering attack methods, detection, and prevention strategies, with insights from industry experts.
Security researchers have discovered a vulnerability, called AutoSpill, that affects the Android autofill function in popular password managers. It allows a malicious host app to capture credentials that the password manager autofills into a login page loaded inside the app's WebView, bypassing the security mechanisms meant to keep those credentials from the host app. Password managers such as 1Password, LastPass, Enpass, Keeper, and Keepass2Android are vulnerable, and Dashlane and Google Smart Lock are vulnerable when the JavaScript injection method is used. While there is no evidence of exploitation in the wild, the researchers warn that the implications are serious. The affected password managers and the Android security team have been informed, and fixes are being developed.
Researchers have discovered a vulnerability in the WebView autofill mechanism used by many Android apps that can expose credentials from mobile password managers. The flaw, known as "AutoSpill," lets a malicious app harvest the credentials of unsuspecting Android users and gain access to their accounts. Popular mobile password managers such as LastPass, 1Password, Enpass, and Keeper were found to be vulnerable to credential leakage. While Google is working on a fix, most of the vendors deferred the problem to Google; 1Password was the exception and promised to develop its own fix. The researchers suggest that the best long-term solution is to move away from passwords and adopt passwordless authentication.
Microsoft has patched a critical security vulnerability in Azure CLI that could have allowed attackers to steal credentials from GitHub Actions or Azure DevOps logs. The vulnerability, reported by a security researcher, caused Azure CLI commands to write secrets in plain text to CI/CD logs, where an unauthenticated attacker with access to those logs could read them remotely. Microsoft advises customers to update to the latest Azure CLI version (2.54) and to take steps to prevent accidental exposure of secrets in logs. The company has also implemented new security measures that restrict how secrets appear in command output and broaden its credential-redaction capabilities.
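The "steps to prevent accidental exposure" the item above refers to come down to two habits in a pipeline: never let a command that returns a secret print it unfiltered, and register every secret value with the CI runner's masking facility so that stray copies are scrubbed from the log. The block below is an added example (not Microsoft's, Azure CLI's, or GitHub's code): it walks a JSON document to find secret-bearing fields, builds a redactor that also catches URL-encoded and JSON-escaped copies of each secret, and emits the `::add-mask::` workflow commands GitHub Actions understands. The sample JSON is constructed to resemble the shape of service-principal creation output; its field names and the `SECRET_KEY_HINTS` heuristic are assumptions for the example.

```python
"""Hypothetical CI log scrubber for secrets that leak via CLI output (added example; sample data constructed)."""
import json
import re
import urllib.parse
from typing import Any, Callable, Dict, Iterable, Iterator, List

# Heuristic: a string value whose key contains one of these is treated as a secret (assumption for this example).
SECRET_KEY_HINTS = ("password", "secret", "token", "connectionstring", "privatekey")


def find_secret_values(doc: Any, path: str = "") -> Dict[str, str]:
    """Walk parsed JSON and return {json_path: value} for string values under secret-looking keys."""
    found: Dict[str, str] = {}
    if isinstance(doc, dict):
        for key, value in doc.items():
            child = f"{path}.{key}" if path else key
            if isinstance(value, str) and any(h in key.lower() for h in SECRET_KEY_HINTS):
                found[child] = value
            else:
                found.update(find_secret_values(value, child))
    elif isinstance(doc, list):
        for i, value in enumerate(doc):
            found.update(find_secret_values(value, f"{path}[{i}]"))
    return found


def encoded_variants(secret: str) -> Iterator[str]:
    """The raw secret plus the forms it takes inside a URL and inside a JSON string."""
    yield secret
    yield urllib.parse.quote(secret, safe="")   # e.g. in a connection URL printed to the log
    yield json.dumps(secret)[1:-1]              # JSON-escaped body, e.g. inside echoed JSON output


def build_redactor(secrets: Iterable[str], mask: str = "***") -> Callable[[str], str]:
    """Return a function that replaces every known secret (in any variant) with the mask."""
    forms = {v for s in secrets if s for v in encoded_variants(s)}
    if not forms:
        return lambda text: text
    # Longest alternatives first so an escaped form is not half-matched by its raw form.
    pattern = re.compile("|".join(re.escape(f) for f in sorted(forms, key=len, reverse=True)))
    return lambda text: pattern.sub(mask, text)


def actions_mask_commands(secrets: Iterable[str]) -> List[str]:
    """GitHub Actions workflow commands that register each value for masking in the job log."""
    return [f"::add-mask::{s}" for s in secrets if s]


# Constructed sample: the shape of output that creates a credential and echoes it back (field names illustrative).
SAMPLE_CLI_OUTPUT = (
    '{"appId": "00000000-0000-0000-0000-000000000000", "displayName": "ci-deployer", '
    '"password": "p@ss\\"w0rd!", "tenant": "11111111-1111-1111-1111-111111111111"}'
)

# Constructed log lines showing the same secret leaking three different ways.
SAMPLE_LOG_LINES = [
    'Created service principal with password p@ss"w0rd!',
    'Connecting to https://example.invalid/?pw=p%40ss%22w0rd%21',
    'Raw output: {"password": "p@ss\\"w0rd!"}',
]


def scrub_log(lines: Iterable[str], cli_output: str) -> List[str]:
    """Extract secrets from the CLI output, then redact them from the given log lines."""
    secrets = find_secret_values(json.loads(cli_output)).values()
    redact = build_redactor(secrets)
    return [redact(line) for line in lines]


if __name__ == "__main__":
    secrets = find_secret_values(json.loads(SAMPLE_CLI_OUTPUT))
    for cmd in actions_mask_commands(secrets.values()):
        print(cmd)  # in a real job these lines go to stdout so the runner masks future occurrences
    for line in scrub_log(SAMPLE_LOG_LINES, SAMPLE_CLI_OUTPUT):
        print(line)
```

Masking after the fact is the safety net, not the fix: the durable controls are to request only the fields a step needs (Azure CLI's `--query`) and to silence commands whose output is not consumed (`--output none`), so the secret is never written to the log in the first place.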
Former Vice President Mike Pence and biotech entrepreneur Vivek Ramaswamy clashed during the first GOP presidential debate, with Pence dismissing Ramaswamy as a "rookie" leader and emphasizing the need for an experienced president to handle various crises. Ramaswamy advocated for unlocking American energy, including drilling, fracking, burning coal, and embracing nuclear power, as a means to boost employment. Other candidates, such as Chris Christie, also criticized Ramaswamy's lack of experience.
Researchers from ESET found that more than half of the secondhand enterprise routers they bought for testing had never been wiped by their previous owners, and the devices were brimming with network information, credentials, and confidential data about the organizations they had belonged to. All nine of the unwiped devices contained credentials for the organization's VPN, credentials for another secure network communication service, or hashed root administrator passwords.
According to Nansen analytics, 18.5% of Ethereum network validators, holding 284,286 ETH worth $596 million, have not updated their withdrawal credentials following the Shapella upgrade. Validators without updated credentials will have to wait for the network to work through the queue of credential updates, which could take up to 100 hours. Over 31,166 validators have signaled for a "full exit," representing 1,118,291 ETH, but half of that demand comes from Kraken, which recently shuttered its staking service in the US. Liquid staking platforms like Lido Finance and Rocket Pool have signaled that upgrading credentials for their stakers won't be an issue.