At a glance.
- DDoS-Guard data being sold in criminal markets.
- Pizza chains breached in Ireland and the Netherlands.
- Successful credential stuffing.
- TikTok's biometric plans.
DDoS-Guard becomes the victim.
The tables have turned on DDoS-Guard, a hosting service and infamous market for piracy websites that prides itself on its impenetrability. HackRead reports a DDoS-Guard database, including such incriminating evidence as info on the operators of Russian torrent site RuTracker, was posted for sale on hacking forum Exploit[.]in. Discovered late last month by security firm Group-IB, the database also included DDoS-Guard source code and was listed for $350,000. Perhaps this is karmic retribution for DDoS-Guard’s decision to help Parler restore operations when their questionable practices led Amazon Web Services to cut ties.
Extra cheese with a side of data theft.
Ireland’s popular Apache Pizza is warning its pie patrons that a data breach might have exposed private information, the Irish Examiner reports. The exfiltrated data includes street addresses and encrypted passwords, but fortunately credit card details were not compromised. Meanwhile, leading Dutch chain New York Pizza (because “New Amsterdam” doesn’t have the same ring to it) suffered a breach at the hands of an extortionist who exploited a system bug in the pizza purveyor’s system last week. As the Record by Recorded Future reports, the pizzeria released a statement explaining, “This hacker claimed he stole a large amount of customer data from New York Pizza and threatened to publish or sell it.” It’s estimated that the data of around 3.9 million users (or about 22% of the population of the Netherlands) were exposed.
Credential stuffing trumps password strength.
Naked Security explores how credential stuffing can overcome the power of a “good” password. Even if you’ve crafted the most secure password known to man, it’s no more secure than “123456” or “iloveyou” (two of the twenty most used passwords according to Have I Been Pwned’s Pwned Passwords database) if it falls into the hands of a cybercriminal executing a credential stuffing operation. Once an attacker acquires the password for one account, credential stuffing allows him to try that same password on various other accounts in search of a match. Because so many of us fall for the perilous pattern of password reuse, chances are high that that seemingly strong password could be the skeleton key that unlocks a treasure trove of sites. To avoid password reuse, experts recommend using a password manager and employing two-factor authentication.
TikTok is now collecting biometrics.