
Astrix Security emerges from stealth to help organizations spot rogue third-party apps

23 February 2022 at 07:09
Astrix Security, an Israeli cybersecurity startup that provides access management for third-party app integrations, has emerged from stealth with $15 million in funding. The startup was co-founded in 2021 by CEO Alon Jackson and CTO Idan Gour, both former members of Israel’s famed intelligence division Unit 8200, to help organizations monitor and control the complex […]

FIN7 hackers set up a fake company to recruit for cyberattacks

21 October 2021 at 12:15
FIN7, a financially motivated Russian hacking group, has set up a fake company to lure unwitting IT specialists into supporting its continued expansion into ransomware, security researchers have found. According to researchers at Recorded Future’s Gemini Advisory unit, FIN7 — known for hacking into point-of-sale registers and stealing over $1 billion from millions of credit cards […]

Ring’s latest security updates are good, but still opt-in

13 July 2021 at 09:30
Ring, the video doorbell maker dubbed the “largest civilian surveillance network the U.S. has ever seen,” is rolling out new but long overdue security and privacy features. The Amazon-owned company’s reputation was bruised after a spate of account breaches in late 2019, in which hackers broke into Ring user accounts and harassed children in their own […]

ZeroFox acquires dark web threat intelligence company Vigilante

7 July 2021 at 09:00
ZeroFox, a cybersecurity startup that helps companies detect risks found on social media and digital channels, has announced it has acquired dark web threat intelligence company Vigilante. Vigilante — not to be confused with the controversial crime reporting app — scours the dark web to source intelligence that helps to protect organizations from cyberattacks. The […]

Fujifilm becomes the latest victim of a network-crippling ransomware attack

3 June 2021 at 10:46
Japanese multinational conglomerate Fujifilm has been forced to shut down parts of its global network after falling victim to a suspected ransomware attack. The company, which is best known for its digital imaging products but also produces high-tech medical kit, including devices for rapid processing of COVID-19 tests, confirmed that its Tokyo headquarters was hit […]

Instacart blames reused passwords for account hacks, but customers are still without basic two-factor security

24 July 2020 at 12:11

Online shopping service Instacart says reused passwords are to blame for a recent spate of account breaches, which saw personal data belonging to hundreds of thousands of Instacart customers stolen and put up for sale on the dark web.

The company published a statement late on Thursday saying its investigation showed that Instacart “was not compromised or breached,” but pointed to credential stuffing, where hackers take lists of usernames and passwords stolen from other breached sites and brute-force their way into other accounts.

“In this instance, it appears that third-party bad actors were able to use usernames and passwords that were compromised in previous data breaches of other websites and apps to login to some Instacart accounts,” the statement reads.

The statement comes after BuzzFeed News reported that data on more than 270,000 user accounts was for sale on the dark web, including the account user’s name, address, the last four digits of their credit card, and their order histories from as recently as this week.

Instacart said that the stolen data represents a fraction of the “millions” of Instacart’s customers across the U.S. and Canada, a spokesperson told BuzzFeed News.

But who’s really to blame here: the customers for reusing passwords, or the company for not doing more to protect against password reuse?

Granted, it’s a bit of both. Any internet user should use a unique password on each website, and install a password manager to remember them for you wherever you go. That means if hackers make off with one of your passwords, they can’t break into all of your accounts. You should also enable two-factor authentication wherever possible to prevent hackers from breaking into your online accounts, even if they have your password. By sending a code to your phone — either by text message or an app — it adds a second layer of protection for your online accounts.

But Instacart cannot shift all the blame onto its users. Instacart still does not support two-factor authentication, which — if customers had enabled — would have prevented the account hacks to begin with. When we checked, there was no option to enable two-factor on an Instacart account, and no mention anywhere on Instacart’s site that it supports the security feature.

Data published by Google last year shows even the most basic two-factor can prevent the vast majority of automated credential stuffing attacks.

We asked the company if it plans to roll out two-factor to its users. When reached, Instacart spokesperson Lyndsey Grubbs would not comment on the record beyond pointing to Instacart’s already published statement.

Instacart claims security is a “top priority,” and that it has a “dedicated security team, as well as multiple layers of security measures, focused on protecting the integrity of all customer accounts and data.”

But without giving users basic security features like two-factor, Instacart users can barely protect their own accounts, let alone expect Instacart to do it for them.

Instacart blames reused passwords for account hacks, but customers are still without basic two-factor security by Zack Whittaker originally published on TechCrunch

Decrypted: iOS 13.5 jailbreak, FBI slams Apple, VCs talk cybersecurity

2 June 2020 at 10:15

It was a busy week in security.

Newly released documents shown exclusively to TechCrunch show that U.S. immigration authorities used a controversial cell phone snooping technology known as a “stingray” hundreds of times in the past three years. Also, if you haven’t updated your Android phone in a while, now would be a good time to check. That’s because a brand-new security vulnerability was found — and patched. The bug, if exploited, could let a malicious app trick a user into thinking they’re using a legitimate app that can be used to steal passwords.

Here’s more from the week.


THE BIG PICTURE

Every iPhone now has a working jailbreak

Decrypted: iOS 13.5 jailbreak, FBI slams Apple, VCs talk cybersecurity by Zack Whittaker originally published on TechCrunch
