Questions tagged [breach]

48 questions
0 votes, 0 answers

Were Heroku's standard git repositories accessible by April 2022 attacker?

In their communication about the April 2022 breach (summary here), Heroku mentioned that organizations with the Heroku GitHub integration got their source code potentially accessed by the attacker. Indeed the attacker had acquired OAuth tokens,…
0 votes, 0 answers

Google says my password has been found in data breach. HIBP knows nothing about it. Which data breach was that?

I've been using Chrome to save and sync my passwords across devices (and lately I am trying to switch to Bitwarden). Google warned me recently about a password I have used across multiple sites that has been found in a data breach. However, if I…
dragi
  • 101
  • 2
0 votes, 1 answer

How to secure Laravel website against the ongoing massive exploitation

My website built upon Laravel is currently under attack. Only the index.php file was changed, and by that I mean that every line of code is inserted above the original Laravel code. So this code executes before the legitimate Laravel code. It is…
0 votes, 0 answers

Historical examples of breached TOTP secrets?

While reading about password breaches, it occurred to me: where are the TOTP shared secret breaches? Because TOTP relies on a shared secret (unlike, say, U2F), the server has a copy of the shared secret, which lends itself to the same vulnerability to…
user8187
  • 141
  • 1
  • 6
0 votes, 2 answers

How are data breach lists sourced and distributed?

I understand at an elementary level how data breaches tend to be distributed, starting with friends of the attacker/discoverer and then being distributed via forums, paste bins, etc. However, I was wondering whether there is a common location/forum/method…
Rivesticles
  • 644
  • 3
  • 13
0 votes, 1 answer

Database of breached websites

I run a website with a user database. I have an account with my email and I put it on a website like Have I Been Pwned, which does not reveal a breach. I also check the website's list of breaches to see if my website is included, which is not. I…
miguelmorin
  • 103
  • 4
0 votes, 1 answer

How to monitor your user accounts for breached logins?

On a few rare instances, I've received an email from a website notifying me that my email and password were found in a batch of harvested logins, and they then force me to change my password. This has only happened on a few very old unused accounts…
Cerin
  • 101
  • 1
0 votes, 4 answers

Why can't you use the same password for every site, if they are hashed on the site?

I've often heard people talking about not using the same password on every website. What's the deal if servers store passwords in a SHA hash instead of plain text? The most they can do is spam you with junk mail, right?
0 votes, 1 answer

How Were FireEye's Tools Exfiltrated?

What was the mechanism for exfiltrating FireEye's redhat tools in the recent SolarWinds hack? I understand it was via HTTP (small packets to many servers)? Are there any further details? Is this a likely ongoing systemic threat or can it be…
Ryan
  • 173
  • 1
  • 4
0 votes, 1 answer

How do maintainers calculate x number of accounts compromised by hack?

I am always curious about reports in the news of big network sites getting hacked and the report confidently stating a statistic such as "only 10,000 users were affected" or "Microsoft confirms 40,000 accounts compromised". Here are just a few examples:…
0 votes, 0 answers

Has this PC been hacked? What's going on?

I'm reasonably technically competent, but I don't know how to interpret this PC issue. As it's a real-world incident, there's some back-story. I'm in the UK. The suspect PC runs Win8.1 up to date, used for simple desktop stuff by a family member.…
Stilez
  • 1,664
  • 8
  • 13
0 votes, 1 answer

Database breach protection

I'm developing an API which requires an API key to use. These keys are assigned to users. To figure out which user the key belongs to, I have to store some information in that key. But I don't want it to be seen by "others". So I want to encrypt…
0 votes, 0 answers

What authentication systems have been involved in data breaches?

Recently, a Federal Judge ordered Marriott to reveal the forensics report for its data breach. I know the Courts have sided with businesses in the past to keep the forensic details of breaches from public disclosure (this may now be changing). And I…
gethopr
  • 31
  • 4
0 votes, 1 answer

Why would I 'have been pwned' on a website that I never had an account on?

I was recently sent a notification by https://haveibeenpwned.com/ that one of my email addresses has been found in a breach, in particular in a breach of https://www.chegg.com. I am positive I never signed up for an account there; it's a US…
0 votes, 1 answer

Phishing emails and securing set up from compromise?

I'm a one-man company and I'm getting a lot of phishing emails very similar to the emails from companies I use. Some of these companies and the emails we exchange are very unique. How would these malicious senders 'learn' the type of emails and…
adam78
  • 101
  • 1