Weekly Update 395
Troy Hunt
by Troy Hunt
5d ago
Data breach verification: that seems like a good place to start given the discussion in this week's video about Accor. Watch the vid for the whole thing but in summary, data allegedly taken from Accor was published to a popular hacking forum and the headlines inevitably followed. However, per that story: Cybernews couldn’t confirm the authenticity of the data. We reached out to Accor for clarification and are awaiting a response. I couldn't confirm the authenticity of the data either and I wrote a short thread about it during the week: I'm not convinced this data is from Accor. There are bar ..read more
Visit website
Weekly Update 394
Troy Hunt
by Troy Hunt
1w ago
I suggest, based on my experiences with data breaches over the years, that AT&T is about to have a very bad time of it. Class actions following data breaches have become all too common and I've written before about how much I despise them. The trouble for AT&T (in my non-legal but "hey, I'm the data breach guy" opinion), will be their denial of a breach in 2021 and the subsequent years in which tens of millions of social security numbers were floating around. As much as it's hard for the victim of identity theft to say "this happened because of that breach", it's also hard for the cor ..read more
Visit website
Weekly Update 392
Troy Hunt
by Troy Hunt
3w ago
Let's get straight to the controversial bit: email address validation. A penny-drop moment during this week's video was that the native browser address validator rejects many otherwise RFC compliant forms. As an example, I asked ChatGTP about the validity of the pipe symbol during the live stream and according to the AI, it's permissible "when properly quoted": "john|doe"@example.com Give that a go and see how far you get in an input of type "email". Mind you, that example allows a pipe when not quoted. And the more you read, the more contradictory things seem; try this Stack Overflow quest ..read more
Visit website
Inside the Massive Alleged AT&T Data Breach
Troy Hunt
by Troy Hunt
1M ago
I hate having to use that word - "alleged" - because it's so inconclusive and I know it will leave people with many unanswered questions. But sometimes, "alleged" is just where we need to begin and over the course of time, proper attribution is made and the dots are joined. We're here at "alleged" for two very simple reasons: one is that AT&T is saying "the data didn't come from us", and the other is that I have no way of proving otherwise. But I have proven, with sufficient confidence, that the data is real and the impact is significant. Let me explain: Firstly, just as a primer if you'r ..read more
Visit website
Weekly Update 391
Troy Hunt
by Troy Hunt
1M ago
I'm in Japan! Without tripod, without mic and having almost completely forgotten to do this vid, simply because I'm enjoying being on holidays too much ? It was literally just last night at dinner the penny dropped - "don't I normally do something around now...?" The weeks leading up to this trip were especially chaotic and to be honest, I simply forgot all about work once we landed here. And when you see the pics in the thread below, you'll understand why: Tokyo time! ? pic.twitter.com/dG0Ja60eQb — Troy Hunt (@troyhunt) March 13, 2024 Regardless, this week has a bunch of content primarily o ..read more
Visit website
Welcoming the Liechtenstein Government to Have I Been Pwned
Troy Hunt
by Troy Hunt
1M ago
Over the last 6 years, we've been very happy to welcome dozens of national governments to have unhindered access to their domains in Have I Been Pwned, free from cost and manual verification barriers. Today, we're happy to welcome Liechtenstein's National Cyber Security Unit who now have full access to their government domains. We provide this support to governments to help those tasked with protecting their national interests understand more about the threats posed by data breaches, and we look forward to welcoming many more national infosec teams in the future ..read more
Visit website
Welcoming the German Government to Have I Been Pwned
Troy Hunt
by Troy Hunt
1M ago
Back in 2018, we started making Have I Been Pwned domain searches freely available to national government cybersecurity agencies responsible for protecting their nations' online infrastructure. Today, we're very happy to welcome Germany as the 35th country to use this service, courtesy of their CERTBund department. This access now provides them with complete access to the exposure of their government domains in data breaches. With the unabated flood of data breaches, we're happy to provide this support to governments in the hope it better enables them to protect their national interests and w ..read more
Visit website
Weekly Update 389
Troy Hunt
by Troy Hunt
1M ago
How on earth are we still here? You know, that place where breached companies stand up and go all Iraqi information minister on the incident as if somehow, flatly denying the blatantly obvious will make it all go away. It's the ease of debunking the "no breach here" claim that I find particularly fascinating; the truth is always sitting there in the data and it doesn't take much to bring it to the surface. Ah well, as I always end up lamenting, with behaviour like this it's a good time to be in the industry ?‍♂️ References Sponsored by: Report URI: Guarding you from rogue JavaScri ..read more
Visit website
Weekly Update 388
Troy Hunt
by Troy Hunt
1M ago
It's just been a joy to watch the material produced by the NCA and friends following the LockBit takedown this week. So much good stuff from the agencies themselves, not just content but high quality trolling too. Then there's the whole ecosystem of memes that have since emerged and provided endless hours of entertainment ? I'm sure we'll see a lot more come out of this yet and inevitably there's seized material that will still be providing value to further investigations years from now. Good job folks! References Sponsored by: Report URI: Guarding you from rogue JavaScript! Don’t ..read more
Visit website
Thanks FedEx, This is Why we Keep Getting Phished
Troy Hunt
by Troy Hunt
1M ago
I've been getting a lot of those "your parcel couldn't be delivered" phishing attacks lately and if you're a human with a phone, you probably have been too. Just as a brief reminder, they look like this: These get through all the technical controls that exist at my telco and they land smack bang in my SMS inbox. However, I don't fall for the scams because I look for the warning signs: a sense of urgency, fear of missing out, and strange URLs that look nothing like any parcel delivery service I know of. They have a pretty rough go of convincing me they're from Australia Post by putting "auspo ..read more
Visit website

Follow Troy Hunt on FeedSpot

Continue with Google
Continue with Apple
OR