For many years now, I’ve lamented about how much of my time is spent attempting to disclose data breaches to impacted companies. It’s by far the single most time-consuming activity in processing breaches for Have I Been Pwned (HIBP) and frankly, it’s about the most thankless task I can imagine. Finding contact details is hard.…

111 years ago almost to the day, a murder was committed which ultimately led to the first criminal trial to use fingerprints as evidence. We’ve all since watched enough crime shows to understand that fingerprints are unique personal biometric attributes and to date, no two people have ever been found to have a matching set.…

When someone passed me hundreds of thousands of records on kids taken from CloudPets a few years ago, I had a nightmare of a time getting in touch with the company. They’d left a MongoDB instance exposed to the public without a password and someone had snagged all their data. Within the data were references…

Today I’m really excited to announce a big piece of work 1Password and I have been focusing on this year, a totally free video series called “Hello CISO”. This is a multi-part series that launched with part 1 and when I say “free”, I don’t mean “give us your personal data so we can market…

More than 3 years ago now, Scott Helme and I launched a little project called Why No HTTPS? It listed the world’s largest websites that didn’t properly redirect insecure requests to secure ones. We updated it December before last and pleasingly, noted that more websites than ever were doing the right thing and forcing browsers…

Researchers have discovered a new attack named SysBumps, which targets macOS systems running on Apple Silicon processors. This attack leverages speculative execution vulnerabilities in system calls to bypass critical security measures such as Kernel Address Space Layout Randomization (KASLR) and kernel isolation. KASLR, a crucial defense mechanism, randomizes the memory layout of the kernel, making…

In a concerning development within cybersecurity, attackers have been leveraging DocuSign’s API capabilities to send out fraudulent invoices that closely mimic genuine documents. These campaigns have been rising in frequency, with reports over the past five months highlighting a significant uptick in incidents. In the context of cybersecurity, the abuse of DocuSign’s API represents a…

Introduction: The smooth functioning of Microsoft Outlook depends on the health of its data file formats—OST and PST. Both the files store the mailbox data like email messages, contacts, calendars, etc. locally on the system. OST, or offline storage table files, are encrypted with a MAPIEntryID GUID key and are linked with a particular profile.…

The music streaming industry is one of the largest revenue-generating platforms for artists and labels. Streaming services such as Spotify, Apple Music, and others pay royalties to artists based on the number of times their songs are played. However, what if these streaming numbers are not genuine? Between 2018 and 2023, Michael Smith masterminded an…

Microsoft experienced a significant disruption across several Azure cloud services on July 30, 2024, due to a distributed denial-of-service (DDoS) attack. The attack, which targeted Azure and Microsoft 365 services, was exacerbated by an error in Microsoft’s DDoS defense mechanisms, resulting in an outage lasting nearly eight hours. Microsoft experienced a significant disruption across several…