Authentication

One researcher thinks trust is broken in AD. Microsoft disagrees that there's a security vulnerability. But enterprise IT environments should be aware of an authentication gap either way.

Flaw in Toyota's C360 customer relationship management tool exposed personal data of unknown number of customers in Mexico, a disclosure says.

A two-month-long automated credential-stuffing campaign exposed personal information of Chick-fil-A customers, including birthdays, phone numbers, and membership details.

The open authentication standard addresses existing multifactor authentication security vulnerabilities.

The adversaries obtained a decryption key to a LastPass database containing multifactor authentication and federation information as well as customer vault data, company says.

Making the option available only to paid subscribers — while also claiming SMS authentication is broken — doesn't make sense, some say. Is it a cash grab?

A tailored spear-phishing attack successfully convinced a Reddit employee to hand over their credentials and their one-time password, but soon after, the same worker notified security.

Despite growing awareness, organizations remain plagued with unpatched vulnerabilities and weaknesses in credential policies.

Google Fi mobile customers have been alerted that their SIM card serial numbers, phone numbers, and other data were exposed in T-Mobile hack.

Users searching for Bitwarden and 1Password's Web vaults on Google have recently reported seeing paid ads with links to cleverly spoofed sites for stealing credentials to their password vaults.

Two common attacks against on-premises Kerberos authentication servers — known as Pass the Ticket and Silver Ticket — can be used against Microsoft's Azure AD Kerberos, a security firms says.

Encrypted backups for several GoTo remote work tools were exfiltrated from LastPass, along with encryption keys.

Zendesk has alerted customers to a successful SMS phishing campaign that has exposed "service data," but details remain scarce.

A rapid increase in the number of operators in the space — the "locksmiths" of the cyber underground — has made it substantially cheaper for cybercriminals to buy access to target networks.

Password manager accounts may have, ironically, been compromised via simple credential stuffing, thanks to password reuse.