Dating the ginormous MySpace breach

It's been a crazy time for data breaches and as I wrote yesterday, we've seen a very distinct pattern of historical mega breaches lately [https://www.troyhunt.com/the-emergence-of-historical-mega-breaches/]. Fling in 2011, LinkedIn in 2012, tumblr in 2013 and the mother of them all, MySpace in, well, we don't quite know. There's been no information forthcoming from anyone about when this breach actually occurred and there are no explicit indicators in the data dump either (sometimes there are time...

The emergence of historical mega breaches

Over the period of this month, we've seen an interesting trend of data breaches. Any one of these 4 I'm going to talk about on their own would be notable, but to see a cluster of them appear together is quite intriguing. For example, just yesterday I loaded the Fling database (you probably don't want to go to fling dot com until you're in a private setting). That was over 40 million records and the breach dates back to 2011 [http://motherboard.vice.com/read/another-day-another-hack-passwords-an...

Observations and thoughts on the LinkedIn data breach

Last week there was no escaping news of the latest data breach. The LinkedIn hack of 2012 which we thought had "only" exposed 6.5M password hashes (not even the associated email addresses so in practice, useless data), was now being sold on the dark web [https://motherboard.vice.com/read/another-day-another-hack-117-million-linkedin-emails-and-password]. It was allegedly 167 million accounts and for a mere 5 bitcoins (about US$2.2k) you could jump over to the Tor-based trading site, pay your Bi...

Going dark: online privacy and anonymity for normal people

Last week we got news of the Rosebutt data breach [http://motherboard.vice.com/read/rosebuttboard-ip-board]. This is a very particular class of site and like many others we've recently seen compromised, it's highly likely that members would have preferred to keep their identities secret. It doesn't matter if you don't agree with the lifestyle choice of those on the site and certainly I myself am not one to look around the house at everyday items and think "I wonder if that could...". That's enti...

Understanding CSP, the video tutorial edition

A couple of months ago I did a video titled Understanding CSRF, the video tutorial edition [https://www.troyhunt.com/understanding-csrf-video-tutorial/] which was a pretty raw run through of the mechanics and defences of cross site request forgery. It's content I often show in my workshops [https://www.troyhunt.com/workshops/] and I recorded the video pretty much as I present it in those sessions. Today I thought I'd do one on content security policies or as we otherwise know it, CSP. This is...

I'm doing a public "Hack Yourself First" workshop in London this June

Round 2 of European travel for me this year has just wrapped up with talks in Brussels for Techorama (which incidentally, was sensational!) followed by a private event for a multinational information services company in Barcelona doing my usual Hack Yourself First workshop [https://www.troyhunt.com/workshops/]. But it's time for the next one already so it's back to Europe again and then after catching my breath at home for a couple of weeks, time for some US travel for the first time this year. L...

Understanding firewalls, intrusion detection systems and honeypots with Pluralsight

This was pretty big news 18 months ago: it was what greeted Sony Pictures employees [https://en.wikipedia.org/wiki/Sony_Pictures_Entertainment_hack] when they turned up to the office and switched on their machines. Machines infected with malware were one thing - a very bad thing at that - but it got much, much worse for Sony. In all, we saw about 40GB of company data walk out the proverbial door and it included everything from employee credentials to unreleased films to somewhere in the order...

Here's how I verify data breaches

Let me start with this headline [http://www.reuters.com/article/us-cyber-passwords-idUSKCN0XV1I6]: Other headlines went on to suggest that you need to change your password right now [http://www.iflscience.com/technology/millions-passwords-hotmail-gmail-and-yahoo-have-been-stolen] if you're using the likes of Hotmail or Gmail, among others. The strong implication across the stories I've read is that these mail providers have been hacked and now there's a mega-list of stolen accounts floating...

Breach concealment is not a security strategy

I've just been reading Kingpin by Kevin Poulsen [http://www.amazon.com.au/Kingpin-Butler-master-billion-network-ebook/dp/B006FLRFQK?ie=UTF8&keywords=kingpin%20hacker&qid=1461881397&ref_=sr_1_1&sr=8-1] which sheds some really interesting light on criminal credit card fraud in the mid 2000's. Towards the end of the book, there's a reference to a 1997 case in which the government persuades the sentencing judge to permanently seal the court transcripts for fear that disclosure would impact the targ...

100 data breaches later, Have I been pwned gets its first self-submission

I certainly didn't expect it would go this far when I built Have I been pwned [https://haveibeenpwned.com/] (HIBP) a few years ago, but I've just loaded the 100th data breach into the system. This brings it to a grand total of 336,724,945 breached accounts that have been loaded in over the years, another figure I honestly didn't expect to see. But there's something a bit different about this 100th data breach - it was provided to me by the site that was breached themselves. It was self-submitte...