The other day, a hacker compromised someone’s email account. It was almost certainly a phishing attack, he probably just sent them over an email claiming to be from the victim’s organisation and then just, well, asked for their credentials. From there, the attacker wandered over to the web portal of the victim’s organisation and attempted to logon, which unfortunately for him didn’t work. No worries, they simply called up the helpdesk who kindly gave him access. So now he’s logged in to the vict...

I just spent almost a month in Europe and did an insane number of events: 7 workshops of 2 days each, 6 conference talks, video interviews, Pluralsight courses, media events, multiple user groups and amazingly, absolutely everything went perfectly to plan! Trips like that are both very intensive and very fulfilling and whilst 27 days was longer than I’d ideally like, I had a fantastic time in Europe so I’m coming back again – twice – in the coming months. I’ve give you the tl;dr version first t...

A few months ago, the Hong Kong based toy maker VTech allowed itself to be hacked [https://www.troyhunt.com/2015/11/when-children-are-breached-inside.html] and millions of accounts exposed including hundreds of thousands of kids complete with names, ages, genders, photos and their relationships to their parents replete with where they (and assumedly their children) could be located. I chose this term deliberately – “allowed itself to be hacked” – because that’s precisely what happened. In an era...

We tend to get very focused on digital security controls; firewalls, antivirus, software updates and then all the usual practices I spend so much time talking to developers about, stuff like defending against SQL injection, cross site scripting and a whole raft of other attacks against systems. But the bigger risk – and it’s one that doesn’t get near as much coverage – is attacks against humans. Whereas most of the time we’re thinking about attacks against the systems, we tend to neglect weaknes...

This weekend, I loaded five additional data breaches into Have I been pwned [https://haveibeenpwned.com/] (HIBP) that had come from various forums running on vBulletin. These came via supporters that had collected them from data breach traders over the years and some of them dated back quite some time. I always go to great lengths to validate that a breach is indeed legitimate and one of the ways I do that is to take a real good look at the passwords stored in the system and ensure that they do...

I had a follower send me a curious question the other day which if I paraphrase, went like this: > Hi, I was worried about the security of the Waitrose login form so I contacted them about it. They sent me a response but I’m not sure if it’s correct – can you shed some light on it? Actually, yes, I can and frankly, it’s a bit of a comedy of errors. For those not familiar with Waitrose [https://en.wikipedia.org/wiki/Waitrose], they’re a large British supermarket chain bringing in somewhere ar...

One of the things I really enjoy about doing live events is the entirely random, unexpected things that can occur without any warning. In fact, I’m increasingly structuring my talks to present these opportunities, but this one was entirely unexpected: > When someone whacks XSS in the live question feed whilst you're answering security questions on a panel... pic.twitter.com/paLp7ECXHF [https://t.co/paLp7ECXHF] — Troy Hunt (@troyhunt) January 22, 2016 [https://twitter.com/troyhunt/status/69056...

I’ve been running “Have I been pwned?” (HIBP) for just over a couple of years now and to say that it’s exceeded my wildest expectations of what it might achieve is somewhat of an understatement. The volume of data it now holds is one thing, the many hundreds of thousands of notification subscribers is another and yet another again is the volume of traffic it serves, sometimes in the millions of visitors a day. But recently, the penny has dropped on something else it’s managed to achieve that I n...

I got a rather odd invoice via PayPal the other day, it looks like this: Naturally the first thing I did was to look for spoof email indicators, but none of the usual suspects were showing up: 1. It was from member@paypal.com.au 2. The mail headers were legit 3. The “View and Pay Invoice” button linked directly to https://www.paypal.com/ Which all struck me as quite odd so I tweeted it out [https://twitter.com/troyhunt/status/683386377904361472]. I suggested that it was spam because that...

We’re a few days into the new year and I’m sick of it already. This is fundamental web usability 101 stuff that plagues us all and makes our online life that much more painful than it needs to be. None of these practices – none of them – is ever met with “Oh how nice, this site is doing that thing”. Every one of these is absolutely driving the web into a dismal abyss of frustration and much ranting by all. And before anyone retorts with “Oh you can just install this do-whacky plugin which rewri...