They found out just now through security researcher Troy Hunt, who received the data dump. He says he's impressed with how Imgur is handling this.
The leaked passwords are hashed with SHA-256, which isn't great (although they have upgraded to bcrypt since then). No other personal information was included, because Imgur never asked for any. Imgur's announcement can be read here.
Sigh. This particular lootbox holds about 100GB of data marked 'Top Secret' with regards to a military cloud initiative called Red Disk, a virtual drive, some private keys, and hashed passwords.
When creating a poll, adding an image and then deleting the poll, the image was also removed. After disclosing the issue, the researcher received a $10,000 bug bounty.
Nothing most of us mortals have to worry about directly. But it does affect half of the globe's e-mail servers. So if you run an Exim mail server, better patch up.
We don't know how he was identified, but the FBI seems pretty sure, having added the Iranian man to its Most Wanted list. However, considering he lives in Iran, there's no real chance of getting him in front of a US court any time soon.
The three people are part of a security firm believed to have strong ties with the Chinese government. They broke into Siemens, Moody's and Trimble. Due to the nature of geopolitics, however, not a lot happens now. Presumably it's mostly a warning of sorts.
Fascinating post on bitsquatting, a technique where domains (or package names) that differ from a legitimate one by only a single bit are registered, counting on the fact that computers will occasionally flip a bit in memory or in transit. In the case of NPM packages, this is estimated to happen around 500 times per day. One package was found that might have counted on this, installing a Coinhive miner instance.
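As an added example (my own code, not from the linked post), this is the audit a package maintainer can run: enumerate the names one bit away from your own package name so you can check whether they are already claimed, and a matching check for flagging a suspicious name as a bitsquat of one you own. The npm name rules used here are a simplified assumption (lowercase, digits, `-_.`, no leading `.` or `_`), not the full validation logic.

```python
import string

# Assumption: a simplified allow-list for unscoped npm package names.
NPM_ALLOWED = set(string.ascii_lowercase + string.digits + "-_.")


def _valid_npm_name(name: str) -> bool:
    """Simplified npm rule: allowed characters only, no leading '.' or '_'."""
    return bool(name) and name[0] not in "._" and all(c in NPM_ALLOWED for c in name)


def bit_flips(name: str) -> list[str]:
    """Return every distinct valid name that differs from `name` in exactly
    one bit of exactly one character. These are the names a maintainer would
    want to register or monitor defensively."""
    out: list[str] = []
    seen: set[str] = set()
    for i, ch in enumerate(name):
        code = ord(ch)
        for bit in range(8):                      # every bit of the byte
            candidate = name[:i] + chr(code ^ (1 << bit)) + name[i + 1:]
            if candidate not in seen and _valid_npm_name(candidate):
                seen.add(candidate)
                out.append(candidate)
    return out


def is_bitsquat(legit: str, suspect: str) -> bool:
    """True when `suspect` is the same length as `legit` and differs from it
    in exactly one character whose byte value differs in exactly one bit."""
    if len(legit) != len(suspect) or legit == suspect:
        return False
    diffs = [ord(a) ^ ord(b) for a, b in zip(legit, suspect) if a != b]
    # Exactly one differing character, and its XOR is a power of two.
    return len(diffs) == 1 and diffs[0] & (diffs[0] - 1) == 0


if __name__ == "__main__":
    # Constructed sample: the single-bit neighbours of a short package name.
    for variant in bit_flips("npm"):
        print(variant)
    print(is_bitsquat("npm", "opm"))
```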
This is a very technical one, but my attempt at a TL;DR: if an attacker has access to an Active Directory Federation Services account, they can elevate themselves to get SSO access to any cloud application in its federation. There is no fix; one can only monitor and try to rotate keys often. If you rely heavily on SAML, check it out.
It doesn't always have to be serious. This five-year-old figured out that he could log into his dad's account by spamming the spacebar on the password screen (hey, kinda like Apple). He got a "bug bounty" from Microsoft of $50, four games and a year's subscription to Xbox Live :)
This newsletter is one year old \o/
Well, it will be Saturday. The first issue of this newsletter was published on December 2nd, 2016. Over the first year we've gained just under 1600 subscribers, and had only about 40 people unsubscribe. Which makes me quite happy :-) Thanks everyone!
Dieter Van der Stock