Cyber Insights 2024-07-07
Vladimir Jirasek
Guaranteed results for executives committed to keeping their business and life mission unaffected by cyber attacks.
What a week, and no, I am not talking just football and Wimbledon tennis. The cyber security events keep piling up, despite the summer holidays having started for many.
As always, please let me know if you are finding my newsletter useful; that is, if it reaches you at all, given my reporting on Microsoft's repeated security incidents.
10 Billion Passwords Exposed in the Largest Leak Ever
Indeed, that is more passwords than there are humans on the planet (at least today). Researchers at Cybernews uncovered a file titled rockyou2024.txt, posted on July 4 by someone using the handle ‘ObamaCare’, containing 9,948,575,739 unique plaintext passwords. As Cybernews writes, this is likely a compilation of past and recent leaked passwords.
The protection against these breaches is relatively simple: change your password and enable multi-factor authentication, ideally Passkeys where supported. It is also worth setting up a notification on our favourite site, Have I Been Pwned: https://haveibeenpwned.com/
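A practical companion to the advice above is checking whether a password already appears in a known leak before you pick it. The following is an added example, not code from the newsletter or from Have I Been Pwned: it uses HIBP's Pwned Passwords range API, which only ever receives the first five hex characters of the password's SHA-1 hash (k-anonymity), so the password itself never leaves the machine. The sample API response embedded below is constructed for the offline demonstration; the counts in it are not real.

```python
"""Check a password against the Pwned Passwords range API (k-anonymity).

Example code, not from the newsletter or HIBP. Only the 5-character SHA-1
prefix is sent; the remaining 35 characters are compared locally against
the returned "SUFFIX:COUNT" lines.
"""
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"

# Constructed sample in the API's response format (CRLF-separated lines of
# "SUFFIX:COUNT"); the suffixes and counts here are made up for the demo.
SAMPLE_RESPONSE = (
    "1E2AAA439E9D4E7A6C0E1D2F3A4B5C6D7E8:2\r\n"
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345\r\n"
    "1F0A8E1B2C3D4E5F60718293A4B5C6D7E89:1\r\n"
)


def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Split the uppercase hex SHA-1 of the password into (first 5, remaining 35)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str, suffix: str) -> int:
    """Return the breach count for `suffix` from a range response, or 0 if absent."""
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        found_suffix, _, count = line.partition(":")
        if found_suffix.upper() == suffix:
            return int(count)
    return 0


def fetch_range(prefix: str) -> str:
    """Download the range for a 5-character hex prefix (network access required)."""
    req = urllib.request.Request(
        RANGE_URL + prefix,
        headers={"User-Agent": "hibp-range-check-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password: str, fetch=fetch_range) -> int:
    """How many times the password appears in Pwned Passwords (0 = not seen).

    `fetch` is injectable so the logic can run offline against a sample body.
    """
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch(prefix), suffix)


if __name__ == "__main__":
    # Offline demo against the constructed sample; swap in fetch_range to go live.
    for pw in ("password", "correct horse battery staple"):
        n = breach_count(pw, fetch=lambda _prefix: SAMPLE_RESPONSE)
        print(f"{pw!r}: seen {n} time(s) in the sample data")
```

Note that a count of 0 only means the password is not in HIBP's corpus; it is not proof of strength, and a leaked compilation like rockyou2024.txt may contain entries HIBP has not yet ingested.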
ChatGPT caught disregarding best practices in secure software development on macOS
I thought the engineers at OpenAI knew better than to make such a trivial mistake. Their macOS app did not encrypt its local files, which were also not sandboxed (i.e. not protected from access by other apps). The researcher Pedro José Pereira Vieito did an impressive job documenting the issues on Threads: https://www.threads.net/@pvieito/post/C85NVV6hvF6
The good news is that OpenAI fixed the issue only two days after the original post; update as soon as possible.
Twilio confirms hackers obtained cell phone numbers of Authy users
Did I mention that the best practice is to enable MFA? Apparently, not every MFA app generating those six digits every 30 seconds (Google Authenticator, Authy, Microsoft Authenticator, 1Password) deserves the same level of trust. Authy has announced a breach of personal data, including mobile phone numbers. There is no word on whether the shared secrets were lost and, sadly, no mention of the breach even on their blog (https://authy.com/blog/) or anywhere else on their website. I’d prefer a bit more comms and transparency from a security company.
Another security breach at Microsoft (anyone surprised anymore?)
This was reported by Kevin Beaumont on LinkedIn two days ago (https://www.dhirubhai.net/posts/kevin-beaumont-security_check-your-email-logs-including-exchange-activity-7215355395878305793-K8n_/):
“Check your email logs (including Exchange Online) for an email from [email protected]. Microsoft had a breach by Russia impacting customer data and didn’t follow the Microsoft 365 customer data breach process.”
I have checked in the Foresight Cyber Exchange admin centre (Message trace), and no messages were sent to our tenant; phew!