Security experts have been busy over the last couple of days patching new security breaches at WordPress, OpenSSL, Reddit, Tumblr and other social media websites.
The data breach disclosed earlier this month by the Yahoo-owned microblogging platform Tumblr affects 65 million users.
On May 12, Tumblr warned that a third party gained access to the email addresses and hashed passwords of Tumblr users who had registered accounts up until early 2013, before the company was acquired by Yahoo. Tumblr said it had not found any evidence that the leaked information was used to access accounts, but it reset the passwords of affected customers as a precaution.
Tumblr refused to say how many users had been affected by the breach, but it turns out that it’s a significant number. An individual using the online moniker “peace_of_mind” has been offering information associated with 50 million Tumblr accounts on a darknet website called “The Real Deal” for the price of 0.4255 Bitcoin (roughly $225).
Australian security researcher Troy Hunt has analyzed the data and found a total of 65,469,298 records. The information has been added to Hunt’s “Have I Been Pwned” service to allow users to check if they are affected. Hunt reported that 20 percent of the accounts were already present in Have I Been Pwned.
continue reading: http://www.securityweek.com/65-million-users-affected-tumblr-breach
Owners of WordPress-based websites should update the Jetpack plug-in as soon as possible because of a serious flaw that could expose their users to attacks.
Jetpack is a popular plug-in that offers free website optimization, management and security features. It was developed by Automattic, the company behind WordPress.com and the WordPress open-source project, and has over 1 million active installations.
Researchers from Web security firm Sucuri have found a stored cross-site scripting (XSS) vulnerability that affects all Jetpack releases since 2012, starting with version 2.0.
continue reading: Computer World
An OpenSSL vulnerability patched in early May with the release of versions 1.0.2h and 1.0.1t still hasn’t been patched on many of the world’s most visited websites, exposing potentially sensitive traffic to man-in-the-middle (MitM) attacks.
Last week, security firm High-Tech Bridge used its free SSL/TLS testing service to determine how many of the Alexa Top 10,000 websites are still plagued by the OpenSSL vulnerability tracked as CVE-2016-2107.
The flaw was introduced in 2013 as part of the fix for the TLS attack dubbed “Lucky 13.” In April, Juraj Somorovsky discovered that an MitM attacker can launch a padding oracle attack to decrypt traffic in cases where the connection uses an AES CBC cipher and the server supports AES-NI instructions.
“The bad news is that support of the AES CBC cipher is widely recommended for compatibility reasons, required by TLS 1.2 RFC and recommended by NIST guidelines. AES CBC cipher is also considered the strongest cipher for TLS 1.0 and TLS 1.1,” the security firm said in a blog post.
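As an added check (example code, not from any of the sources quoted above), the following Python decides whether an OpenSSL build and a negotiated cipher suite fall within the conditions described for CVE-2016-2107: a release before 1.0.1t / 1.0.2h together with an AES CBC suite. The function names and the sample version banners are assumptions.

```python
import re

# Fixed upstream releases named in the advisory: 1.0.1t and 1.0.2h.
FIXED_PATCH_LETTER = {(1, 0, 1): "t", (1, 0, 2): "h"}

# Matches banners such as "OpenSSL 1.0.2g  1 Mar 2016" (sample, constructed).
_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(banner):
    """Return ((major, minor, fix), patch_letter) from `openssl version`
    output, or None if the banner is not recognised."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    branch = (int(m.group(1)), int(m.group(2)), int(m.group(3)))
    return branch, m.group(4)


def version_has_fix(banner):
    """True if the upstream release carries the CVE-2016-2107 fix, False if
    it predates the fix, None if the branch is not one the advisory covers."""
    parsed = parse_openssl_version(banner)
    if parsed is None:
        return None
    branch, letter = parsed
    fixed_letter = FIXED_PATCH_LETTER.get(branch)
    if fixed_letter is None:
        return None
    # OpenSSL patch releases are ordered by letter: '' < 'a' < 'b' < ... < 'z'.
    return letter >= fixed_letter


def is_aes_cbc_suite(cipher_name):
    """Heuristic on OpenSSL suite names: AES suites that are not AEAD
    (GCM/CCM) use CBC mode, e.g. 'ECDHE-RSA-AES128-SHA'."""
    name = cipher_name.upper()
    return "AES" in name and "GCM" not in name and "CCM" not in name


def exposed_to_cve_2016_2107(banner, cipher_name):
    """Exposure needs both an unfixed OpenSSL and an AES CBC suite on the
    connection; the AES-NI condition is a hardware property not checked here.
    Returns True/False, or None when the OpenSSL branch is unknown."""
    fixed = version_has_fix(banner)
    if fixed is None:
        return None
    return (not fixed) and is_aes_cbc_suite(cipher_name)
```

Distribution packages often backport the fix without changing the version letter, so a "not fixed" result from the banner alone should be confirmed against the vendor's changelog.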
Reddit co-founder Christopher Slowe announced yesterday that his company had to take precautionary measures and ask 100,000 users to reset their passwords after its security team detected a growing number of account hijackings.
Slowe blames this on the recent wave of data breaches, such as the massive 2012 LinkedIn incident, whose full extent was only recently discovered and which, at the time he wrote his post, was the biggest data breach ever, with 167 million leaked records. The MySpace data breach announced only a few hours ago has now taken the crown, with 427 million leaked user details.
Read more: http://news.softpedia.com/news/reddit-resets-passwords-for-100-000-users-after-recent-surge-in-hacked-accounts-504584.shtml