Just like house keys, passwords can give thieves all they need to get their foot in the door.
Users of the online dating service Cupid Media and well-known source code repository GitHub recently have been advised to reset their passwords and double-check their security in light of attacks. In the case of Cupid Media, attackers swiped unencrypted passwords, usernames and birthdays and other information belonging to 42 million customers and sent them to the same remote server linked to millions of records stolen from Adobe Systems, PR Newswire and other entities.
According to security blogger Brian Krebs, Cupid Media stated that the records were from a breach that occurred in January 2013. After being contacted by Krebs, the company said Nov. 20 it is double-checking that “all affected accounts have had their passwords reset and have received an email notification.” The company also told Krebs that in the aftermath of the breach, the company hired external consultants and began hashing and salting user passwords and making other security improvements.
GitHub meanwhile has already sent emails to affected users following an aggressive brute-force password guessing attack targeting victims with weak passwords. According to GitHub, passwords for the compromised accounts have been reset and personal access tokens, OAuth authorizations and SSH keys have been revoked. Users were also notified that they need to create a new, strong password and review their account for any suspicious activity.
“While we aggressively rate-limit login attempts and passwords are stored properly, this incident has involved the use of nearly [40,000] unique IP addresses,” blogged GitHub security engineer Shawn Davenport. “These addresses were used to slowly brute force weak passwords or passwords used on multiple sites. We are working on additional rate-limiting measures to address this. In addition, you will no longer be able to login to GitHub.com with commonly-used weak passwords.”
In both cases, the situation put a spotlight on weak passwords. Some of the most common passwords found among Cupid Media users were “123456” – used approximately 1.9 million times – and “111111”, which was used roughly 1.2 million times.
“It has become exceedingly clear over the last several years that password reuse is one of the most significant threats to average internet users,” said Patrick Thomas, security consultant at Neohapsis. “Using the same password on multiple sites risks exposing that password if any sites are breached; the excellent security of one site is entirely nullified if attackers can harvest the correct password from a breach of a less secure site. Most internet users will be far better off using random, unique passwords simply writing them down, or taking advantage of password vault programs that help generate and store passwords.”
More from Brian Prince
- U.S. Healthcare Companies Hardest Hit by ‘Stegoloader’ Malware
- CryptoWall Ransomware Cost Victims More Than $18 Million Since April 2014: FBI
- New Adobe Flash Player Flaw Shares Similarities With Previous Vulnerability: Trend Micro
- Visibility Challenges Industrial Control System Security: Survey
- Adobe Flash Player Zero-Day Exploited in Attack Campaign
- Researchers Demonstrate Stealing Encryption Keys Via Radio
- Researchers Uncover Critical RubyGems Vulnerabilities
- NSA, GCHQ Linked to Efforts to Compromise Antivirus Vendors: Report
Latest News
- Big China Spy Balloon Moving East Over US, Pentagon Says
- Former Ubiquiti Employee Who Posed as Hacker Pleads Guilty
- Cyber Insights 2023: Venture Capital
- Atlassian Warns of Critical Jira Service Management Vulnerability
- High-Severity Privilege Escalation Vulnerability Patched in VMware Workstation
- Exploitation of Oracle E-Business Suite Vulnerability Starts After PoC Publication
- China Says It’s Looking Into Report of Spy Balloon Over US
- GoAnywhere MFT Users Warned of Zero-Day Exploit
