Tag: credential stuffing
28 articles

23andMe Agrees to $18m Settlement, New Data Security Mandates
After cracking down on 23andMe's lax security measures, a coalition of 42 US attorneys general, led by New York Attorney General Letitia James, has secured an $18 million settlement and binding data-protection commitments to safeguard customer information. This move comes after a 2023 data breach put millions of 23andMe customers at risk of having their personal info exposed.

23andMe Breach Settlement Imposes $18 Million Penalty
New York Attorney General Letitia James slammed 23andMe for its lax security, saying the company's failure to protect customer data put millions at risk. The criticism comes as part of a settlement that hits 23andMe with an $18 million penalty for its role in a massive data breach.

FortiBleed Campaign Tied to Lynx Ransomware Operators
Researchers uncovered a massive credential-theft operation, dubbed FortiBleed, which exposed over 73,000 Fortinet device credentials and was surprisingly linked to active ransomware negotiation panels. This shocking discovery offers a rare glimpse into the tactics of threat actors.

Hackers Exploit Microsoft 365 Flaws with 81 Million Login Attempts
In just two weeks, a massive password-spraying campaign racked up over 81 million login attempts, compromising 78 Microsoft 365 accounts across 64 organizations and highlighting a dramatic surge in cyber threats. This alarming trend saw a 155-fold increase in attacks, with organizations now facing an average of 1,964 failed login attempts per month.

Minnesota Hacker 'Snoopy' Sentenced for DraftKings Breach Role
A 21-year-old Minnesota hacker known as "Snoopy" has been sentenced to 18 months in prison for his role in a massive credential stuffing attack that compromised nearly 60,000 DraftKings user accounts. He'll also serve three years of supervised release, pay over $1.3 million in restitution, and forfeit $463,000.

DraftKings hacker sentenced to 18 months for $600,000 cyberattack
Meet Nathan Austad, a 21-year-old from Minnesota who pleaded guilty to masterminding a massive $600,000 cyberattack on DraftKings, compromising nearly 60,000 customer accounts with a clever alias and a crew of co-conspirators. He'll be serving 18 months for his role in the hack, which exploited weak passwords and left thousands of customers vulnerable.

FortiBleed Campaign Exploits FortiGate Devices to Harvest Credentials
A massive cyber operation, known as FortiBleed, has been secretly targeting over 430,000 FortiGate firewalls worldwide since February 2026, allowing hackers to harvest and crack sensitive VPN and authentication credentials on a huge scale. This alarming campaign has enabled large-scale credential harvesting, putting countless online security systems at risk.

Password Reuse: Exclusive Risks of Effortless Workarounds
Password reuse is the digital equivalent of leaving a master key under the mat—effortless workarounds and recycled credentials give attackers a straightforward path to account takeover. Even helpful conveniences like autofill and brittle browser extensions can betray reused passwords, turning everyday browsing into a security shortcut.

Android TV Exclusive: Dangerous Botnet Risk Revealed
Think that bargain Android TV box is just for streaming? Security researchers warn Superbox devices can quietly turn your home network into a botnet relay, routing criminal traffic and exposing you to fraud and legal trouble.

Android TV streaming box: Exclusive Dangerous botnet alert
Think twice before buying a bargain Android TV streaming box—some models quietly turn your home network into a botnet relay, routing illicit traffic that can slow your connection, invade your privacy and even expose you to legal risk. Here’s what to watch for so convenience doesn’t end up costing you more than you bargained for.

Android TV Streaming Box Danger: Exclusive Security Alert
If it sounds too good to be true, it probably is — investigative reporting reveals Superbox firmware can turn your Android TV into a hidden internet relay, exposing your home network to fraud and account-takeover schemes.

Passwd: Exclusive Best Google Workspace Password Tips
If your companys digital keys were leaked tomorrow, could you recover fast? Passwd is a business-first password vault for Google Workspace that secures shared credentials, enforces access controls and automates rotations so teams can stop credential-stuffing attacks without slowing down work.

630M Passwords Stolen: Stunning, Alarming Credential Cost
Some 630 million passwords have been leaked to criminal marketplaces — a stark reminder that passwords are no longer sacred. Now’s the moment to stop reusing credentials, enable MFA, and push for faster detection and smarter defenses.

FBI Exclusive: Stunning $262M Costly Account Takeovers
Imagine waking to find your bank account emptied by someone who cloned your bank’s site — the FBI says over $262M has been lost to account takeover scams since January 2025. Learn how phishing, credential stuffing and fake reporting pages let criminals turn stolen logins into instant cash — and what you can do to stop them.

FTSE 100 Exclusive: Alarming 500,000 Stolen Credentials
Half a million stolen credentials tied to FTSE 100 staff have surfaced in criminal data stores — a blunt wake-up call that weak passwords and reused logins are leaving Britain’s biggest firms dangerously exposed. Socura’s findings show how easily attackers can impersonate insiders and turn simple credential theft into costly breaches unless boards treat cyber as a strategic priority.

Most common passwords: Exclusive list of the worst
We all scoff at 123456, yet it still tops the charts because convenience and password reuse beat security. That complacency makes credential-stuffing cheap and effective, letting attackers turn one weak password into dozens of account takeovers.

credential stuffing: Risky Scourge, Must-Have Defenses
Think one reused password can’t hurt? A £2.31m fine proves it can — credential stuffing uses recycled logins and bots to drain money, steal data and wreck trust, and regulators are now forcing companies to adopt MFA, breached-password checks and smarter anti-bot defenses.

Palo Alto portal scans: Stunning 500% Risky Surge
Is your firewall login page being probed right now? GreyNoise logged a nearly 500% one‑day surge in targeted scans against Palo Alto Networks admin portals — a structured reconnaissance blast that should prompt immediate checks: lock down management interfaces, enable MFA, patch, and review logs.

unauthorized access incident: Stunning Risk — Act Now
Ugh — Plex warned of another password exposure. If you got notified, reset your password, enable MFA, and review connected devices right away.

SSL VPN Urgent: Must-Have Best Defenses
Imagine someone pounding on invisible locks: a massive brute‑force campaign recently blasted SSL VPNs and RDP hosts with relentless login attempts, showing how one weak credential can lead to ransomware or data theft. If you run remote access services, enable MFA, rate‑limit logins, and segment networks now to stop attackers before they get in.

password managers Must-Have Best Defense After 16B Leak
Imagine waking up to find every password you’ve ever used dumped online — that’s the reality of a 16 billion credential leak, and businesses can’t afford to rely on reused passwords. Adopt enterprise password managers, enforce strong MFA, and harden identity controls now before attackers turn those lists into breaches.

multifactor authentication Risky Crisis, Must-Have Fix
Login attacks are skyrocketing, and the identity systems we trust—from MFA to identity providers—are under siege, eroding confidence and leaving security teams scrambling. Rebuilding trust will take pragmatic steps like phased passkey rollouts, phishing‑resistant methods, and smarter help‑desk controls that balance security with usability.

VPS-based attacks: Critical Guide to Risky Threats
Attackers are increasingly using rented VPS hosts to make their logins look like legitimate data-center traffic, blurring the line between customer and criminal. SaaS teams and users need stronger passwords, phishing-resistant MFA, and behavior-based authentication to stop stealthy account takeovers.

CRM platform Risky Breach: Stunning Contact Exposure
Workday says its core systems were untouched, but a third-party CRM was breached — exposing business contacts that could fuel phishing, BEC and credential-stuffing attacks. Treat contact data as compromised: tighten MFA, audit integrations, and warn teams to watch for targeted social engineering.