Blogged: Implement client assertions for OAuth client credential flows in ASP.NET Core
SheByte, a newish Phishing-as-a-Service platform, is the latest go-to resource for credential-stealing cybercriminals.
#cybercrime #cybersecurity #phishing #credentials #SheByte
https://cnews.link/shebyte-phishing-as-a-service-kit-increase-attacks-us-canada-1/
Unlock the power of seamless integration with Comelit’s API! Our API allows for easy access control management, ensuring your systems are always up to date. Learn more here: https://zurl.co/YrTk #comelitpac #ops #readers #credentials
Thoughts on storing TOTP/MFA codes within your password wallet? Even a cloud-based one.
My org is currently considering 1Password and we're up in arms about this feature. On their side 1Password claim it improves security: https://blog.1password.com/1password-2fa-passwords-codes-together/
I'm interested to know what other teams think
#security #password #credentials #passwordmanager #1password
https://www.europesays.com/1982961/ Nepal’s Ambassador to Belgium Lamsal presents credentials #België #belgien #Belgique #belgium #credentials #Nachrichten #Nieuws #Nouvelles #SewaLamsal
(sophos.com) Evilginx: How Attackers Bypass MFA Through Adversary-in-the-Middle Attacks https://news.sophos.com/en-us/2025/03/28/stealing-user-credentials-with-evilginx/
A short descriptive article about Evilginx and how stealing credentials works, with a few suggested ways of detecting it, etc.
Summary:
This article examines Evilginx, a tool that leverages the legitimate nginx web server to conduct Adversary-in-the-Middle (AitM) attacks that can bypass multifactor authentication (MFA). The tool works by proxying web traffic through malicious sites that mimic legitimate services like Microsoft 365, capturing not only usernames and passwords but also session tokens. The article demonstrates how Evilginx operates, showing how attackers can gain full access to a user's account even when protected by MFA. It provides detection methods through Azure/Microsoft 365 logs and suggests both preemptive and reactive mitigations, emphasizing the need to move toward phishing-resistant FIDO2-based authentication methods.
Anyone who is a non-citizen of the US -- important note here from the EFF.
(Not YET an issue for US citizens, but it's likely coming where this administration can apply pressure and/or if legal measures fail to stem these moves. i.e. "present your papers")
#PasswordReuse is rampant: nearly half of observed user #logins are compromised
Many users recycle #passwords, creating a ripple effect of risk when #credentials are leaked.
Based on Cloudflare's observed traffic between Sep-Nov 2024, 41% of successful logins across websites protected by Cloudflare involve compromised passwords.
When including bots 52% of all authentication requests contain leaked passwords found in our 15B record database, including Have I Been Pwned.
https://blog.cloudflare.com/password-reuse-rampant-half-user-logins-compromised/
@f_moncomble Basically, it's a Python script, https://www.algolia.com/doc/guides/building-search-ui/what-is-instantsearch/js/ and meilisearch; the source code isn't very complicated.
But for now it's too ugly for me to open it up (hardcoded #credentials and the like).
Anyone know someone at #JetBrains to report a #PyCharm #issue to?
Basically it's a #softlocking that happens on the #snap version of #PyCharmCommunity / #PyCharmCE that makes it somehow half-forget #credentials like #GitHub, #Gitlab, #Codeberg, #BitBucket, #Gitea, #git etc. and doesn't allow you to just delete & re-add them, as the settings saving just becomes unresponsive.
$HOME/.config/PyCharmCE****/...
and randomly coming back after a few days or weeks. Whether this also conflicts with #SettingsSync which should only sync #configs, not #credentials (and AFAICT doesn't!) is also a question I can't confidently answer.
#Hackers Are Now Hiding #Malware in Images Sent on #Emails to Steal #Credentials
https://www.digitalinformationworld.com/2025/01/hackers-are-now-hiding-malware-in.html
Everything you need to know about #phishing
https://www.techradar.com/news/everything-you-need-to-know-about-phishing
#Cybercriminals are coming for your #credentials, here's how to stop them
Anyone at @jetbrains / #JetBrains want to investigate an issue re: #PyCharm losing #credentials or rather bugging them out at random?
It really pisses me off...
Yearlong supply-chain #attack targeting #security pros steals 390K #credentials
#supplychain
@jimbob #Outlook has been fucked up for decades as it crashed ages ago once the mailbox hits 2 GiB in size.
But that's just me as a #Sysadmin doing what I get paid for...
So, #PublicServants get paid squat.
The #passion of helping their #communities should be their #reward
Now, they can add #miner to their list of #credentials they get no credit for.
@ploum instead of @signalapp which also falls under #CloudAct and is also a #Proprietary, #SingleVendor & #SingleProvider solution, consider #XMPP+#OMEMO for real #E2EE with #SelfCustody of all the keys!
For #eMail & #Chat, I can recommend @monocles as a paid provider who doesn't run #ads and doesn't fall under Cloud Act or similar laws. (Also they have excellent #Apps that work with basically all providers using standard-compliant servers & APIs!)
You may want to consider #Torifying everything by using @guardianproject #Orbot and push everything on #mobile through @torproject / #Tor.
In fact, some providers like cock.li even have #OnionServices to directly connect to them.
#MicrosoftOutlook literally steals your Login #credentials, so using @thunderbird is a necessity anyway. Don't forget to change your logins either way!
#Firefox is okay, but #TorBrowser should be normalized as well.
Consider launching a @cryptoparty to teach others the same.
Normalize using @tails_live / @tails / #Tails as your #DailyDriver!
Actually... Does anyone know how often the #JAWS and #NVDA certifications should be retaken in order to be considered current? #accessibility #blind #SR #credentials
#KRITIS Sektor #Staat und #Verwaltung
City of Columbus: Data of 500,000 stolen in July #ransomware attack
"The Rhysida ransomware gang claimed the attack the same day, alleging they had stolen databases containing 6.5 TB of data, including employee #credentials, city video #camera feeds, server #dumps, and other #sensitive information...After failing to extort the City, the threat actors started #leaking the stolen data, publishing 45%..."
https://www.bleepingcomputer.com/news/security/city-of-columbus-data-of-500-000-stolen-in-july-ransomware-attack/
Ever wonder how crooks get the #credentials to unlock stolen #phones?
A coalition of law-enforcement agencies said it shut down a service that facilitated the #unlocking of more than 1.2 million stolen or lost mobile phones so they could be used by someone other than their rightful owner.
#privacy #security