Thousands of Instagram accounts had their passwords exposed due to a vulnerability in an app claiming to boost follower numbers. Social Captain was revealed to be storing its users' passwords in an unencrypted file that could be easily accessed by hackers. Criminals who accessed the site would have been able to simply read an account's username and password in plain text. It is unknown if any details were seized by hackers, but users are urged to change their password and details urgently. Instagram users who signed up to the Social Captain site to boost their numbers had to link their accounts.
Apple has fixed two vulnerabilities in its Mac operating system that put passwords at risk of theft by hackers. The company released the security fix on Thursday, an Apple spokesperson told ZDNet. Synack's Patrick Wardle, who was credited with finding one of the now-fixed vulnerabilities, revealed a password-stealing bug just hours before High Sierra was released. The bug let an attacker grab and steal every password in plain text using a malicious, unsigned app downloaded from the internet, without needing the user's master Keychain password. Apple fixed the bug by requiring users to enter their password before unlocking their Keychain.
Last month, news broke that Facebook employees had access to up to 600 million user passwords, which had been stored in plain text. Today, the company revealed that millions of Instagram passwords were also stored in a readable format. An internal investigation determined the stored passwords were not internally abused or improperly accessed, but this adds to the growing list of privacy issues the company seems to be racking up. Facebook shared the news as an update to a month-old blog post, which could be seen as a suspicious move to attract less attention. But a company spokesperson said Facebook simply learned that more Instagram passwords than originally suspected were exposed.
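The Social Captain and Facebook stories above share one root cause: passwords written to storage in a form that anyone who can read the file can reuse. The following added example (written for this page, not code from any of the companies mentioned) puts the defective pattern next to the hardened one: a plain dictionary holding the password verbatim, versus a record holding only a random per-user salt and a PBKDF2-HMAC-SHA256 digest, verified in constant time. The iteration count, the store names and the `plaintext_exposed` audit helper are assumptions chosen for the demonstration.

```python
import hashlib
import hmac
import os

# Constructed in-memory "user databases" for the demonstration; no real data.
PLAINTEXT_STORE = {}   # the pattern in the stories above: username -> password
HASHED_STORE = {}      # hardened pattern: username -> (salt, pbkdf2 digest)

# Assumption: a work factor suitable for current hardware; tune for your deployment.
PBKDF2_ITERATIONS = 600_000


def store_plaintext(username, password):
    """The defect described in the articles: the password is recoverable by
    anyone who can read the file or database row."""
    PLAINTEXT_STORE[username] = password


def store_hashed(username, password):
    """Store only a random salt and a slow, salted digest of the password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    HASHED_STORE[username] = (salt, digest)


def verify_hashed(username, password):
    """Recompute the digest with the stored salt and compare in constant time."""
    record = HASHED_STORE.get(username)
    if record is None:
        # Run the KDF anyway so an unknown username costs as much as a wrong password,
        # which keeps timing from revealing which usernames exist.
        hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), b"\x00" * 16, PBKDF2_ITERATIONS)
        return False
    salt, expected = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, expected)


def plaintext_exposed(store, password):
    """Audit check: does a serialized copy of the store contain the password verbatim?
    True for the plaintext store, False for the hashed one."""
    serialized = repr(store).encode("utf-8")
    return password.encode("utf-8") in serialized


if __name__ == "__main__":
    pw = "correct horse battery staple"   # constructed sample password
    store_plaintext("alice", pw)
    store_hashed("alice", pw)
    print("plaintext store leaks password:", plaintext_exposed(PLAINTEXT_STORE, pw))
    print("hashed store leaks password:   ", plaintext_exposed(HASHED_STORE, pw))
    print("verify correct password:       ", verify_hashed("alice", pw))
    print("verify wrong password:         ", verify_hashed("alice", "123456"))
```

The `plaintext_exposed` check is the kind of test worth running against any backup, log export or debug dump: if a search for a known test account's password finds a hit, the system is storing something it should never be able to give back.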
Remote desktop protocol (RDP) enables employees to securely connect to the servers of their organisation remotely - a practice which has grown during 2020 as employees have increasingly worked from home. RDP is also regularly used by administrator accounts, enabling IT and security teams to perform updates and provide assistance to users. However, while extremely useful, an improperly secured RDP account or server can provide cyber criminals with easy access to a corporate network with either stolen or easily cracked passwords. Cybersecurity researchers at Armor analysed 15 different dark web markets and underground cyber criminal forums and found that the average price for RDP credentials has dropped to between $16 and $25, compared with an average of over $20 during 2019. Some dark web vendors are advertising these credentials as "non-hacked", claiming that they haven't been used before.
Everyone needs a password manager. It's the only way to maintain unique, hard-to-guess credentials for every secure site you and your team access daily. In one of the biggest password re-use studies of its kind, an analysis of more than one billion leaked credentials has discovered that one out of every 142 passwords is the classic "123456" string. The study, carried out last month by computer engineering student Ata Hakçıl, analyzed username and password combinations that leaked online after data breaches at various companies. These "data dumps" have been around for more than half a decade, and have been piling up as new companies are getting hacked. The data dumps are easily available online, on sites like GitHub or GitLab, or freely distributed via hacking forums and file-sharing portals.
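The study described above counted how often each password occurs across leaked credential dumps. The following added example (not code from the study or its author) shows that analysis on a constructed sample in the common `email:password` dump format, and turns the result into a defender's control: a blocklist of passwords that appear repeatedly in breach data, which a signup form can consult before accepting a new password. The sample dump, the `min_count` threshold and the function names are assumptions for the demonstration; SHA-1 is used here only to index known-bad passwords for lookup, never for storing credentials.

```python
import hashlib
from collections import Counter

# Constructed sample dump (fictional accounts, not real leaked data).
SAMPLE_DUMP = """\
alice@example.com:123456
bob@example.com:correct horse battery staple
carol@example.com:123456

dave@example.com:password
erin@example.com:Tr0ub4dor&3
malformed line without a separator
alice@example.com:123456
frank@example.com:qwerty
grace@example.com:123456
"""


def parse_dump(text):
    """Parse 'identifier:password' lines; skip blank or malformed lines.
    Only the first ':' separates the fields, so passwords may contain ':'."""
    pairs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or ":" not in line:
            continue
        user, _, pwd = line.partition(":")
        pairs.append((user, pwd))
    return pairs


def password_frequencies(pairs):
    """How many times each distinct password occurs in the dump."""
    return Counter(pwd for _, pwd in pairs)


def share_of(pairs, password):
    """Fraction of all records using the given password (the study's '1 in 142' figure)."""
    if not pairs:
        return 0.0
    return password_frequencies(pairs)[password] / len(pairs)


def build_blocklist(pairs, min_count=2):
    """SHA-1 digests of passwords seen at least min_count times; hashing keeps the
    blocklist from being a readable list of working passwords."""
    freq = password_frequencies(pairs)
    return {
        hashlib.sha1(pwd.encode("utf-8")).hexdigest()
        for pwd, count in freq.items()
        if count >= min_count
    }


def is_blocklisted(password, blocklist):
    """Signup-time check: refuse passwords that are common in breach data."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest() in blocklist


if __name__ == "__main__":
    records = parse_dump(SAMPLE_DUMP)
    print("records parsed:", len(records))
    print("most common:", password_frequencies(records).most_common(3))
    print("share using 123456:", share_of(records, "123456"))
    blocklist = build_blocklist(records)
    print("reject '123456':", is_blocklisted("123456", blocklist))
    print("reject 'Tr0ub4dor&3':", is_blocklisted("Tr0ub4dor&3", blocklist))
```

On a real corpus the blocklist would be far larger and the threshold higher; the structure stays the same, and the same `is_blocklisted` check can be wired into password-change flows as well as signup.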