
Tag Archives for "passwords"

Irish data regulator looking into Facebook password gaffe

Ireland’s Data Protection Commission (DPC) has confirmed it’s looking into the hundreds of millions of passwords that Facebook stored without encryption.

The social network notified the regulator that user passwords for Facebook, Facebook Lite and Instagram were stored in plain text in the company’s internal servers.

Source: Irish data regulator looking into Facebook password gaffe | IT PRO

Facebook app developers leaked millions of user records on cloud servers

Facebook app developers left hundreds of millions of user records exposed on publicly visible cloud servers.

The larger of the two data sets came from a Mexican media company called Cultura Colectiva. A 146GB data set with information like Facebook user activity, account names, and IDs was found that included more than 540 million records, the researchers said.

A similar data set was also found for an app called “At the Pool.” While smaller, the latter included especially personal information, including 22,000 passwords apparently used for the app, rather than directly for Facebook.

Source: Facebook app developers leaked millions of user records on cloud servers, researchers say – The Verge

Study shows programmers will take the easy way out and not implement proper password security

In an experiment that involved 43 programmers hired via the Freelancer.com platform, University of Bonn academics have discovered that developers tend to take the easy way out and write code that stores user passwords in an unsafe manner.

For their study, the German academics asked a group of Java programmers to write a user registration system for a fake social network. The results show that the level of understanding of what “secure passwords” mean differs greatly in the web development community.

Paying developers higher rates didn’t help considerably, researchers said. However, the research team found that giving programmers specific instructions to implement a secure password storage system did yield better results than not saying anything at all and then expecting developers to think of security by themselves.

Source: Study shows programmers will take the easy way out and not implement proper password security | ZDNet

W3C and FIDO Alliance Finalize Web Standard for Secure, Passwordless Logins

The World Wide Web Consortium (W3C) and the FIDO Alliance announced the Web Authentication (WebAuthn) specification is now an official web standard.

WebAuthn is a browser/platform standard for simpler and stronger authentication. It is already supported in Windows 10, Android, and Google Chrome, Mozilla Firefox, Microsoft Edge and Apple Safari (preview) Web browsers.

WebAuthn allows users to log into their internet accounts using their preferred device. Web services and apps can — and should — turn on this functionality to give their users the option to log in more easily via biometrics, mobile devices and/or FIDO security keys, and with much higher security over passwords alone.

Source: W3C and FIDO Alliance Finalize Web Standard for Secure, Passwordless Logins

Google’s new Chrome Extension checks your passwords are still secure

A new Chrome Extension from Google called Password Checkup will automatically check whether your passwords have been exposed in a data breach.

Once installed, the extension checks any login details you use — Google says “most” US sites are supported — against a database of around four billion usernames and passwords, and warns you if it finds a match.

Source: Google’s new Chrome Extension checks your passwords are still secure – The Verge

Largest collection of breached data ever seen is found

The largest collection of breached data ever seen has been discovered, comprising more than 770m email addresses and passwords posted to a popular hacking forum in mid-December.

The 87GB data dump was discovered by security researcher Troy Hunt, who runs the Have I Been Pwned breach-notification service. Hunt, who called the upload “Collection #1”, said it is probably “made up of many different individual data breaches from literally thousands of different sources”, rather than representing a single hack of a very large service.

Source: Largest collection of breached data ever seen is found | Technology | The Guardian

How Hackers Bypass Gmail 2FA at Scale

Hackers can bypass these protections, as we’ve seen with leaked NSA documents on how Russian hackers targeted US voting infrastructure companies. But a new Amnesty International report gives more insight into how some hackers break into Gmail and Yahoo accounts at scale, even those with two-factor authentication (2FA) enabled.

They do this by automating the entire process, with a phishing page not only asking a victim for their password, but triggering a 2FA code that is sent to the target’s phone. That code is also phished, and then entered into the legitimate site so the hacker can log in and steal the account.

Full article: How Hackers Bypass Gmail 2FA at Scale – Motherboard

This is the future of authentication, according to security experts

Passwords may not have been much of an annoyance back in the 1960s, when they were first believed to have been introduced to the world of computing. But as we’ve increasingly adopted a wide range of personal gadgets and online services, they’ve become a pain to manage, and a point of vulnerability that hackers can exploit when conditions are in their favor.

It looks like passwords aren’t going away anytime soon. For at least a few years into the future, we’ll continue to rely on them as a mode of authentication. But now for the good news: soon, you won’t need to bother with them quite as much as you do now.

Full article: This is the future of authentication, according to security experts

Instagram GDPR Tool Exposes Subscriber Passwords

A warning has been issued by Instagram that a number of users of the social media platform have had their password details exposed by a security leak.

Ironically, this breach occurred due to a flaw in the ‘Download Your Data’ tool that Instagram added to the platform to allow users to download a copy of their own data. Instagram sent these users their passwords in plain text. This feature was implemented in April in order to ensure compliance with the European Union General Data Protection legislation which became enforceable on May 25 this year. The tool was developed due to privacy concerns in the aftermath of Facebook’s Cambridge Analytica scandal.

Full article: Instagram GDPR Tool Exposes Subscriber Passwords – Compliance Junction
