The Data Breach Disclosure Conundrum

The conundrum I refer to in the title of this post is the one faced by a breached organisation: disclose or suppress? And let me be even more specific: should they disclose to impacted individuals, or simply never let them know? I’m writing this after many recent such

Begging for Bounties and More Info Stealer Logs

TL;DR: Tens of millions of credentials harvested by info stealer malware were posted to Telegram channels last month and then used to shake down companies for bug bounties under the false claim that the data had originated from their service.

How many attempted scams do you get each day?

Telegram Combolists and 361M Email Addresses

Last week, a security researcher sent me 122GB of data scraped out of thousands of Telegram channels. It contained 1.7k files with 2B lines and 361M unique email addresses of which 151M had never been seen in HIBP before. Alongside those addresses were passwords and, in many cases, the
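
The numbers in that paragraph (files, lines, unique addresses, addresses new to the corpus) come out of a loader that walks every line of every dump, extracts the address and password, normalises the address and deduplicates. The following is an added example of that loading step and is not code from this post or from Have I Been Pwned; the sample "files" are constructed inline, the line shapes it handles (email:password, other separators, and the url:email:password shape seen in info stealer logs) are assumptions about what such dumps contain, and `KNOWN_ADDRESSES` is a hypothetical stand-in for the lookup against the existing corpus that decides whether an address has been seen before.

```python
import re
from typing import Dict, FrozenSet, Iterable, Optional, Tuple

# Constructed sample standing in for the scraped channel dumps. Combolists are
# mostly email:password, but separators vary and lines lifted from info stealer
# logs carry a leading URL (url:email:password), so the parser must cope with
# all of those plus plain chat noise.
SAMPLE_FILES: Dict[str, Iterable[str]] = {
    "channel_a.txt": [
        "alice@example.com:hunter2",
        "Alice@Example.com:hunter2",  # same account, different casing
        "bob@example.org;letmein",
        "https://shop.example/login:carol@example.net:p@ss:word",  # stealer-log shape
        "",
        "random chat message, not a credential",
    ],
    "channel_b.txt": [
        "alice@example.com:Hunter2!",  # same address, second password
        "dave@example.co.uk|correct horse battery staple",
        "eve@example.com",  # address with no password attached
    ],
}

# Hypothetical stand-in for "already in the corpus"; the real check is a lookup
# against the existing HIBP data set, which is not reproduced here.
KNOWN_ADDRESSES: FrozenSet[str] = frozenset({"bob@example.org"})

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
SEP_RE = re.compile(r"[:;|]")


def parse_line(line: str) -> Optional[Tuple[str, str]]:
    """Extract (email, password) from one combolist line, or None if the line
    carries no usable credential pair.

    The address is located by pattern rather than by field position so that a
    leading URL (whose scheme also contains ':') does not shift the fields.
    The password is everything after the separator that immediately follows
    the address, so passwords that themselves contain ':' survive intact.
    Addresses are lower-cased so that case variants collapse to one account.
    """
    line = line.strip()
    if not line:
        return None
    match = EMAIL_RE.search(line)
    if match is None:
        return None
    rest = line[match.end():]
    sep = SEP_RE.match(rest)
    if sep is None or sep.end() == len(rest):
        return None  # no separator, or a separator with nothing after it
    return match.group(0).lower(), rest[sep.end():]


def summarise(files: Dict[str, Iterable[str]],
              known: FrozenSet[str] = frozenset()) -> Dict[str, int]:
    """Walk every line of every file and count what a corpus loader cares
    about: total lines, lines that yielded nothing, distinct addresses,
    distinct address/password pairs, and addresses not already in `known`."""
    emails: set = set()
    pairs: set = set()
    lines = unparsed = 0
    for content in files.values():
        for raw in content:
            lines += 1
            parsed = parse_line(raw)
            if parsed is None:
                unparsed += 1
                continue
            email, password = parsed
            emails.add(email)
            pairs.add((email, password))
    return {
        "files": len(files),
        "lines": lines,
        "unparsed": unparsed,
        "unique_emails": len(emails),
        "unique_pairs": len(pairs),
        "new_to_corpus": len(emails - known),
    }


if __name__ == "__main__":
    for key, value in summarise(SAMPLE_FILES, KNOWN_ADDRESSES).items():
        print(f"{key}: {value}")
```

Two points carry over to real dumps. First, the parser deliberately does not split on the first separator: a stealer-log line such as `https://host/login:user@example.net:secret` would otherwise yield the URL as the "address", and a password containing `:` would be truncated. Second, in-memory sets are only viable at toy scale; at the volumes in the post (billions of lines, hundreds of millions of addresses) the same logic is run as a streaming pass that writes normalised addresses out for external deduplication (sorting, or a database with a unique index) rather than holding them in a Python set.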

Operation Endgame

Today we loaded 16.5M email addresses and 13.5M unique passwords provided by law enforcement agencies into Have I Been Pwned (HIBP) following botnet takedowns in a campaign they’ve coined Operation Endgame. That link provides an excellent overview so start there then come back to this blog

Have I Been Pwned Employee 1.0: Stefán Jökull Sigurðarson

We often do that in this industry, the whole “1.0” thing, but it seems apt here. I started Have I Been Pwned (HIBP) in 2013 as a pet project that scratched an itch, so I never really thought of myself as an “employee”. Over time,

Inside the Massive Alleged AT&T Data Breach

I hate having to use that word – “alleged” – because it’s so inconclusive and I know it will leave people with many unanswered questions. But sometimes, “alleged” is just where we need to begin and over the course of time, proper attribution is

The Data Breach “Personal Stash” Ecosystem

I’ve always thought of it a bit like baseball cards; a kid has a card of this one player that another kid is keen on, and that kid has a card the first one wants so they make a trade. They both have a bunch of cards they

Inside the Massive Naz.API Credential Stuffing List

It feels like not a week goes by without someone sending me yet another credential stuffing list. It’s usually something to the effect of “hey, have you seen the Spotify breach”, to which I politely reply with a link to my old No, Spotify Wasn’
