Password “123456” used by 23.2 million users worldwide

Released over the Easter weekend (April 21, 2019), the report also found that the most-used password from global cyber breaches was “123456,” with “ashley” the most-used name as a password. The global password-risk list was published to disclose passwords already known to hackers.

The polling was independently carried out on behalf of NCSC, a part of GCHQ and the Department for Digital, Culture, Media and Sport (DCMS). The findings, as well as 100,000 passwords already known to have been breached by hackers, were released ahead of NCSC’s CYBERUK 2019 conference, which will be taking place in Glasgow this week.

These will inform government policy and guidance offered to the public.

Read entire post Password “123456” Used by 23.2 Million Users Worldwide | Phee Waterfield | InfoSecurity


Facebook staff had access to hundreds of millions of people’s passwords

This time, the company acknowledges that it mishandled sensitive passwords for hundreds of millions of its users, primarily those who use its Facebook Lite product. The disclosure casts doubt on the company’s abilities to protect its users’ information as it focuses more on privacy.

On Thursday, Facebook said it didn’t properly mask the passwords of hundreds of millions of its users and stored them as plain text in an internal database that could be accessed by its staff.

The company said it discovered the exposed passwords during a security review in January and launched an investigation. Facebook did not say how long it had been storing passwords in this way.

Read entire post Facebook staff had access to hundreds of millions of people’s passwords | Donie O’Sullivan and Kevin Collier | CNN Business

Report: Most IT pros share and reuse passwords

Nearly two-thirds (63%) of IT professionals are more concerned about data privacy and security than they were two years ago, but their poor online practices continue to drive cyber-risk, according to a new study.

Also known as Data Privacy Day in North America, the awareness-raising event was originally scheduled for January 28, 13 years ago, because this was the date on which the Council of Europe’s data protection convention (Convention 108) was opened for signature.

However, while most of the respondents to Yubico’s study — who were IT and information security pros in the US, UK, Germany and France — said they were increasingly concerned about privacy, bad habits persist.

Read entire post Most IT Pros Share and Reuse Passwords: Report | Phil Muncaster | InfoSecurity

Facebook resets 90 million user passwords as flaw is discovered

Facebook has issued a password reset for around 90 million users, after a flaw was found in Facebook’s code that impacted “View As”, a feature that lets people see what their own profile looks like to someone else.

According to a statement by Guy Rosen, VP of product management at Facebook, the flaw was discovered on Tuesday 25th September and affected almost 50 million accounts. He said that the flaw would have allowed an attacker to steal Facebook access tokens, which they could then use to take over people’s accounts.

“Access tokens are the equivalent of digital keys that keep people logged in to Facebook so they don’t need to re-enter their password every time they use the app,” he said.

> Read entire article Facebook resets 90 million user passwords as flaw is discovered | Dan Raywood | InfoSecurity

Air Canada app data breach involves passport numbers!

The airline has warned that users who had entered their passport details into the product may have had that data stolen. Experts warn that the theft of such information would pose a serious ID fraud risk.

The firm has also been criticized for its relatively weak password system.

See also Edward Snowden and John Oliver discuss password security and it’s hilarious!

Although it is not clear how the breach occurred, one cyber-security specialist highlighted that Air Canada’s website still says account passwords should contain between six and 10 characters and that it only accepts letters and numbers, but no other symbols.

“Many users will choose short and easily guessable passwords,” commented Amit Sethi, a security consultant at Synopsys. “Moreover, users that want to use strong passwords cannot do so.”

> Read entire article Air Canada app data breach involves passport numbers | BBC

Edward Snowden and John Oliver discuss password security and it’s hilarious!

Really important tips and advice from Edward Snowden. Will this video motivate you to upgrade your password, or passphrase? It sure did for me!

Watch the complete interview at

Browse through our collection of Information Security related publications at

Is this the most secure security code ever?

Do you need to find a code no one could break into? Ask Commander Data for help!

> If you liked this video, check out our Resilience in popular culture playlist on YouTube.

Why every Twitter user should update their password right now!

An error in the way the passwords were handled meant some were stored in easily readable form, said Twitter.

The passwords should have been put through a procedure called “hashing” making them very difficult to read. Security experts said the way Twitter handled the potential breach was “encouraging”.

The bug caused the passwords to be stored on an internal computer log before the hashing process was completed.

Read entire article Twitter users told to change passwords after internal leak | BBC
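Both the Facebook story above and this Twitter one come down to the same defect: the password reached an internal store or log in plaintext before (or instead of) being hashed. The example below is added here and is not code from Twitter, Facebook or either article; it shows salted PBKDF2-HMAC-SHA256 hashing and constant-time verification from the Python standard library, then the logging failure mode beside a handler that redacts sensitive fields before anything is written. The in-memory `LOG` list and the request dicts are constructed stand-ins for a real log sink and HTTP request.

```python
import hashlib
import hmac
import os
from typing import Optional

# Work factor for PBKDF2-HMAC-SHA256; in the range OWASP currently recommends.
PBKDF2_ITERATIONS = 600_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>' using a fresh 16-byte salt."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


# Constructed stand-in for the internal log that captured the plaintext passwords.
LOG: list = []


def login_logs_raw_request(request: dict, stored: str) -> bool:
    """The failure mode described above: the whole request is logged before hashing runs."""
    LOG.append(f"login attempt: {request}")  # the plaintext password lands in the log
    return verify_password(request["password"], stored)


SENSITIVE_FIELDS = {"password", "new_password", "token"}


def redact(request: dict) -> dict:
    """Replace sensitive values before the request is written anywhere."""
    return {k: ("[REDACTED]" if k in SENSITIVE_FIELDS else v) for k, v in request.items()}


def login_hardened(request: dict, stored: str) -> bool:
    """Same flow, but only the redacted request is logged."""
    LOG.append(f"login attempt: {redact(request)}")
    return verify_password(request["password"], stored)


def log_contains(secret: str) -> bool:
    """Check whether a secret leaked into the log (the audit you would run after an incident)."""
    return any(secret in line for line in LOG)


if __name__ == "__main__":
    record = hash_password("hunter2")
    login_logs_raw_request({"user": "alice", "password": "hunter2"}, record)
    print("raw handler leaked password:", log_contains("hunter2"))
    LOG.clear()
    login_hardened({"user": "alice", "password": "hunter2"}, record)
    print("hardened handler leaked password:", log_contains("hunter2"))
```

Hashing the password correctly is necessary but not sufficient: the Twitter bug was in a code path that ran before hashing, so the redaction has to sit at the point where requests are serialised for logging, not only in the credential store.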

Our password-free future is near (but not really)

Published on Wired | By Alyssa Foote

Password-free logins have long been the stuff of dreams for security researchers and privacy advocates.

Now, a new standard for the web called WebAuthn is being lauded as a major step forward in secure authentication, and “probably the most effective anti-phishing measure for the web that’s out there,” according to Selena Deckelmann, senior director of engineering for Mozilla Firefox. It introduces a set of rules for the web that, if adopted by popular browsers and websites, would mean people could use a single device or a single fingerprint to log into, well, almost everything.

But like the password-free attempts before it, WebAuthn still faces hurdles before it becomes something that impacts the masses. Some security and identity experts seem reluctant to claim that our password-free future has finally arrived. And a lot of WebAuthn’s success comes down to whether hugely popular websites like Amazon or Facebook will adopt this new standard.
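Why WebAuthn counts as an anti-phishing measure is easier to see in code than in prose. In the standard, the browser (not the page’s own script) records the origin of the site that asked for the credential in `clientDataJSON`, and the authenticator signs a hash of that data; the relying party then refuses anything whose origin or challenge does not match. The added example below, which is not from Wired, Mozilla or the WebAuthn specification itself, performs that relying-party check. `RP_ORIGIN` is an assumed relying-party origin and `make_client_data` is a constructed stand-in for what a browser produces; the signature verification over the authenticator data is deliberately out of scope here.

```python
import base64
import hmac
import json
import secrets

# Assumed relying-party origin for this example.
RP_ORIGIN = "https://example.com"


def b64url_encode(data: bytes) -> str:
    """WebAuthn uses unpadded base64url for challenges."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def new_challenge() -> str:
    """Server side: a fresh random challenge per ceremony, kept with the session."""
    return b64url_encode(secrets.token_bytes(32))


def make_client_data(challenge: str, origin: str, ceremony: str = "webauthn.get") -> bytes:
    """Constructed stand-in for the clientDataJSON a browser builds. In a real browser
    the origin is filled in by the browser from the calling page, which is why a
    lookalike phishing site cannot claim to be the relying party."""
    return json.dumps({"type": ceremony, "challenge": challenge, "origin": origin}).encode()


def verify_client_data(client_data_json: bytes, expected_challenge: str,
                       expected_type: str = "webauthn.get") -> tuple:
    """Relying-party checks on clientDataJSON: ceremony type, challenge, and origin."""
    try:
        client_data = json.loads(client_data_json)
    except ValueError:
        return False, "malformed clientDataJSON"
    if client_data.get("type") != expected_type:
        return False, "wrong ceremony type"
    presented = str(client_data.get("challenge", "")).encode("utf-8")
    if not hmac.compare_digest(presented, expected_challenge.encode("utf-8")):
        return False, "challenge mismatch (replay or wrong session)"
    origin = client_data.get("origin")
    if origin != RP_ORIGIN:
        return False, f"origin {origin!r} is not the relying party"
    return True, "ok"


if __name__ == "__main__":
    challenge = new_challenge()
    print(verify_client_data(make_client_data(challenge, "https://example.com"), challenge))
    print(verify_client_data(make_client_data(challenge, "https://examp1e.com"), challenge))
```

A user tricked into authenticating on `examp1e.com` produces an assertion whose recorded origin is the lookalike site, so the relying party rejects it even though the user completed the ceremony; a one-time password would have been typed straight into the attacker’s form.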

Read entire article Our password-free future is near (but not really)

US Police Unlock iPhones with Fingerprints of Deceased

US police now use fingerprints of deceased criminals to unlock their iPhone devices

Published on InfoSecurity | By Phee Waterfield

According to a report by Forbes, separate sources close to local and federal police investigations in New York and Ohio said it is now relatively common for the fingerprints of the deceased to be pressed on the scanner of Apple iPhone devices, which have been wrapped in increasingly powerful encryption over recent years.

The article highlights that “once a person is deceased, they no longer have a privacy interest in their dead body.” This means that while some might consider it unethical, it is legal for the police to use this technique to gather evidence.

For instance, the technique has been used in overdose cases, said one source. In such instances, the victim’s phone could contain information leading directly to the dealer.

Read entire article | Yes, Cops Are Now Opening iPhones With Dead People’s Fingerprints

You can hack almost any smart device with a Google search!

A simple design change can fix the Internet-of-Things’ biggest security hole.

Thirty minutes. That’s the time it took a team of researchers from Ben-Gurion University in Israel to access security cameras, baby monitors, doorbells, thermostats, and other internet-of-things, not-so-smart devices. It didn’t require any special hacking techniques. Anyone can do it.

The research shows how easy it is to extract the default hard-coded passwords of any machine when you have physical access to it. Put that information into a Google search box and, within a few minutes, you will find a site or a forum post somewhere describing how to get into that device using the manufacturer’s default administration user name and password.

Any pedophile, thief, ex-spouse, or regular Peeping Tom can use this information to gain access to any of these devices installed in your home. A government or criminal organization can also use these user/password combos to control many devices at once, in order to mine data, spy, or launch global internet attacks.


The research was led by Yossi Oren, who is in charge of the Implementation Security and Side-Channel Attacks Lab at Cyber@BGU. With his colleagues, he analyzed 16 popular high and low-end IoT devices, using different reverse-engineering techniques that show how easy it is to extract the default hard-coded passwords of any machine when you have physical access to it.

Read entire article You can hack almost any smart device with a Google search! | Jesus Diaz | CO.Design


Become a Certified Privacy Expert

The Certified Data Protection Officer (CDPO) training course will enable you to develop the necessary knowledge, skills and competence to effectively implement and manage a compliance framework with regard to the protection of personal data.

Join us for our upcoming CDPO training events.

See our complete training schedule. Next events in London, Brussels, New York, San Francisco, and many more!

Most IT Execs have zero control over password hygiene

Despite the clear danger that passwords pose to organizations, more than half of IT executives in a recent survey said they rely solely on employees to monitor their own password behavior.

Posted on InfoSecurity | By Tara Seals

Despite this, employees are struggling with the task: the survey from LastPass and Ovum, which queried a few hundred IT executives and corporate employees in EMEA, revealed that 76% of employees regularly have problems with password usage or management, and nearly a third of users need help desk support at least once every month.

This onus on personal responsibility translates into companies wrestling with a lack of visibility and control. Yet the majority are not doing enough, if anything at all, to address the situation.

For instance, in terms of what organizations are doing to enforce strong passwords, 62% of IT executives rely exclusively on employee education. Employees are essentially on their own, with no technology in place to enforce any password strength requirement.

62% of IT executives rely exclusively on employee education

Read entire article Most IT Execs Have Zero Control Over Password Hygiene | InfoSecurity