Categories
Mobile Syrup

Plex warns users to change passwords following data breach

Digital media player and streaming service Plex sent a letter to users warning that a “third-party was able to access a limited subset of data,” including emails, usernames, and encrypted passwords.

Plex said it already addressed the method the attacker used to gain access to its systems and is doing additional security reviews. Moreover, the company said it doesn’t store credit card or other payment data on its servers, and so the attacker was not able to gain access to that data. Finally, Plex says it is requiring all Plex accounts to reset passwords “out of an abundance of caution.”

However, Plex did not share what method the attacker used to gain access.

Interestingly, ‘Have I Been Pwned’ creator Troy Hunt was “pwned” in the Plex breach. Hunt tweeted a copy of the letter along with a reminder that users can’t do anything to avoid being caught in a breach, but they can take steps to lessen the impact of breaches. For example, using a password manager to generate unique, random passwords for each account, as well as using two-factor authentication (2FA), can help mitigate the severity of security breaches.

If you use Plex, you should go change your account password now. However, it’s worth noting that several users report having issues with changing their password — per Hunt’s tweets, it seems there’s an issue with the option to sign out connected devices after changing the password. As such, anyone having issues changing their Plex password should uncheck the option to sign out connected devices as that should fix the problem.

Source: Troy Hunt (Twitter) Via: Engadget

Apple, Google and Microsoft to begin supporting passwordless ‘end-to-end’ sign-ins

Apple, Google and Microsoft are teaming up and have committed to supporting a new passwordless sign-in standard from the FIDO Alliance and World Wide Web Consortium. This means users can use Fast Identity Online (FIDO) authentication to sign in to an app or a website using a smartphone or tablet.

The trio of tech giants envision a time when “end-to-end” passwordless sign-ins for apps and websites become the norm. Once in place, FIDO authentication reads a user’s biometric scans as a means of signing in. Users may use a facial recognition scan or a finger ID to sign in to a website or app. Alternatively, sign-ins are completed using PINs on a smartphone or tablet.

Plans are in motion to make passwordless features accessible throughout the “coming year.” The changes to bring this feature into effect will most likely come as a major software update across each respective ecosystem.

FIDO authentication streamlines sign-ins and puts those laundry lists of passwords we have to rest. Additionally, biometric scans and device PINs make it more difficult for scams to succeed in obtaining passwords from unsuspecting users.

In theory, this is a great step towards passwordless ubiquity across ecosystems and platforms. The practice of passwordless sign-ins has already begun. Apple’s App Store already offers Face ID scans as a way to confirm new installs and purchases. Microsoft has also been independently working towards this future.

Via: Engadget

Millions in recent funding make 1Password one of Canada’s most valuable tech companies

Toronto-based cyber security company 1Password has grown its net worth into the billions.

A statement from the company shows it raised $620 million USD (roughly $774 million CAD) in recent rounds of funding. This is the largest amount raised by a Canadian company.

1Password is now valued at $6.8 billion USD (roughly $8.4 billion CAD).

The company creates technology that helps businesses keep their information safe and focuses its products around human actions. It allows companies to keep track of what apps employees are downloading without permission, possibly breaching security guidelines.

“Our mission has always been to ease the tension between security and convenience, and the opportunity to deliver on this has never been bigger for 1Password,” Jeff Shiner, CEO of 1Password, said in a statement.

Investments came from a barrage of people, including celebrities and CEOs. Executives at LinkedIn, General Motors, and Snowflake Computing are also investing.

Over the past 24 months, the company’s customer base grew past 100,000, leading to the hiring of 570 employees.

The company will use the additional funds to develop security solutions that will help companies protect private data and other information. This will focus on improving the company’s existing security measures and creating better habits for employees.

“That way, we can tackle the biggest security threats facing the modern workforce and deliver on the promise of providing a safer life online for families and businesses around the world,” Shiner said.

Source: 1Password

Several LastPass users reported login attempts using their correct passwords

LastPass, one of the more well-known and popular password managers available, is seeing several reports of attempted log-ins with users’ correct master passwords.

For those unfamiliar with LastPass or password managers in general, they typically require users to have a primary or master password that unlocks their password vault, which contains the passwords for all their other accounts. Although that may sound like a recipe for disaster, password managers allow people to use randomly generated passwords for all their accounts, meaning you only need to remember one really strong password for your password manager instead of hundreds of mediocre passwords (or worse, the same password reused).

Reports were first spotted on the ‘Hacker News’ forum by AppleInsider (via Android Police). The reports explain that LastPass informed users about blocked login attempts that originated from other parts of the world, often from Brazil. According to the LastPass emails, these login attempts include correct passwords, but were blocked because of the unusual geographic location.

Interestingly, LastPass’ owner, LogMeIn, says there’s no indication that its servers were hacked. You can read the full statement provided to Android Police below:

“LastPass investigated recent reports of blocked login attempts and determined the activity is related to fairly common bot-related activity, in which a malicious or bad actor attempts to access user accounts (in this case, LastPass) using email addresses and passwords obtained from third-party breaches related to other unaffiliated services. It’s important to note that we do not have any indication that accounts were successfully accessed or that the LastPass service was otherwise compromised by an unauthorized party. We regularly monitor for this type of activity and will continue to take steps designed to ensure that LastPass, its users, and their data remain protected and secure.”

Passwords could have come from third-party breaches, phishing scams

However, the attempted logins appear to be coordinated, which raises the question: where did these malicious actors get the passwords from? LogMeIn points the finger at third-party breaches, which could be a possibility if LastPass users reused their passwords from other online accounts.

Other theories posited on the Hacker News forum include a LastPass autofill exploit from 2015, while others suspect the LastPass users who reported the problem may have been phished. Another possibility is that LastPass’ old, discontinued forum, which apparently required people to log in with their LastPass master password, could be to blame.

Whatever the reason, if you use LastPass, you may want to take a few steps to protect yourself. First, it’s probably a good idea to change your master password. And while you’re doing that, enable two-factor authentication (2FA) if you don’t have it on already. Finally, if you don’t use LastPass anymore — which may apply to several people since LogMeIn effectively killed the free version in 2021 — you should take the time to delete your account. That should prevent any malicious actors from potentially gaining access to any passwords still saved to LastPass.

Source: Hacker News Via: AppleInsider, Android Police

Twitch confirms passwords weren’t exposed in October 6th security breach

Amazon-owned Twitch, a popular streaming service, has confirmed that passwords weren’t exposed in the recent data breach that saw the platform’s source code leaked online.

In an update posted on October 15th, Twitch explained that it is “confident” that attackers didn’t access the systems that store Twitch login credentials. It also confirmed that attackers didn’t access full credit card numbers or bank information.

On October 6th, a massive trove of Twitch data was made available for download online. The data included Twitch source code, creator payout information, an unreleased competitor to Steam (a popular platform for buying PC games) and more.

Twitch later confirmed the leak, and in the latest update, provided some more information about the data exposed by the security breach:

“The exposed data primarily contained documents from Twitch’s source code repository, as well as a subset of creator payout data. We’ve undergone a thorough review of the information included in the files exposed and are confident that it only affected a small fraction of users and the customer impact is minimal. We are contacting those who have been impacted directly.”

Twitch previously blamed the breach on an error in a “server configuration change” and said it had reset all stream keys “out of an abundance of caution.”

The Verge notes that sources have spoken out about Twitch, accusing the company of poor security practices. Further, the sources claimed that Twitch experienced a security problem in 2017 but didn’t report it.

Source: Twitch Via: The Verge