PasswordSecurity

Latest

  • Who hacked Facebook?

    Illustration by D. Thomas Magee

    by Violet Blue
    04.29.2016

    Late last week, a hacker named Orange Tsai wrote about how he hacked into Facebook under the aegis of its bug bounty program. A bug bounty is when a company pays hackers for vulnerabilities they find, providing the company with real-world threat testing outside the scope of its security team. But Tsai found much more than a bug. He discovered that another hacker had been in the company's systems for around eight months, grabbing employee usernames and passwords -- and probably more.

  • Feedback Loop: Crowdfunding perils, dying passwords, cameras and more!

    by Dave Schumaker
    07.19.2014

    It's time for the latest edition of Feedback Loop! We discuss the dark and sometimes disappointing side of crowdfunding, ponder whether passwords are dying, look for point-and-shoot camera suggestions, share the cheapest ways to get HBO and talk about overly hyped gadgets. Head past the break to talk about all this and more with your fellow Engadget readers.

  • Following Adobe hack, Facebook requires compromised users to change passwords

    by Sarah Silbert
    11.12.2013

    Here's a good lesson to vary up your passwords if we've ever seen one: Facebook is locking out Adobe users whose accounts were compromised by a recent large-scale hack if they use the same login info for both Adobe and the social network. To regain access, they'll need to change their password and answer a few security questions. According to Krebs on Security, Facebook has mined the encrypted password data to discover which of its users were affected by the breach -- more than 38 million Adobe users' accounts were reportedly exposed. Facebook was able to discover the same email-password combos by running them through the same code it uses to confirm your credentials at login time. If the site found that your account matched one of the millions exposed in the Adobe hack, you'll receive a notification like the image above. Diapers.com and Soap.com have reportedly put the same policy in place; this is important stuff, guys!

  • Blizzard suffers security breach, encrypted passwords and authenticator data compromised

    by Sean Buckley
    08.09.2012

    According to a recent Blizzard security update, now might be a good time to cook up a new password. Blizzard's security team found that its internal network has been illegally accessed, and answers to personal security questions, authenticator data and cryptographically scrambled Battle.net passwords have found their way into the perpetrator's hands. The team is confident, however, that the compromised data isn't enough to give the attacker access to user accounts, and says that there is no evidence to suggest financial data (credit cards, billing addresses and customer names) were accessed. Blizzard President Mike Morhaime recommends that users update their passwords all the same, and we couldn't agree more. Check out his official statement at the source link below and get that Diablo III account locked down.

  • Amazon, Apple stop taking key account changes over the phone after identity breach

    by Jon Fingas
    08.07.2012

    By now, you may have heard the story of the identity 'hack' perpetrated against Wired journalist Mat Honan. Using easily obtained data, an anonymous duo bluffed its way into changing his Amazon account, then his Apple iCloud account, then his Google account and ultimately the real target, Twitter. Both Amazon and Apple were docked for how easy it was to modify an account over the phone -- and, in close succession, have both put at least a momentary lockdown on the changes that led to Honan losing much of his digital presence and some irreplaceable photos. His own publication has reportedly confirmed a policy change at Amazon that prevents over-the-phone account changes. Apple hasn't been as direct about what's going on, but Wired believes there's been a 24-hour hold on phone-based Apple ID password resets while the company marshals its resources and decides how much extra strictness is required. Neither company has said much about the issue. Amazon has been silent, while Apple claims that some of its existing procedures weren't followed properly, regardless of any rules it might need to mend. However the companies address the problem, this is one of those moments where the lesson learned is more important than the outcome. Folks: if your accounts and your personal data matter to you, use truly secure passwords and back up your content. While Honan hints that he may have put at least some of the pieces back together, not everyone gets that second chance.

  • Hotmail adds 'My friend's been hacked!' feature to finger phishers

    by Christopher Trout
    07.16.2011

    Hotmail's spent the past few years playing catch up with the competition, but for the most part, it hasn't done anything particularly groundbreaking with its services. Earth shattering might not be the appropriate descriptor for its latest addition, but Hotmail's added a helpful new feature to distinguish plain old spam from the kind that comes from a trusted source. Now, when you get an email from a friend that smells of something sea dwelling -- say a plea for some extra scratch from abroad -- you can select "My friend's been hacked!" from the "Mark as" menu, alerting the powers that be that your friend's account has been hacked. When you mark a missive as junk, you can likewise click a box that reads: "I think this person was hacked!" Once that's done, the spammers are kicked to the curb, and your friend is put through an "account recovery flow" the next time they attempt to log in. On the prevention front, Hotmail will soon roll out a new service that blocks users from selecting common passwords. It might not be enough to coax us over, but maybe this time the other guys could learn a few lessons.