AdGuard resets all user passwords after account hacks

Popular ad-blocker AdGuard has forcibly reset all of its users’ passwords after it detected hackers trying to break into accounts.

The company said it “detected continuous attempts to login to AdGuard accounts from suspicious IP addresses which belong to various servers across the globe,” in what appeared to be a credential stuffing attack. That’s when hackers take lists of stolen usernames and passwords and try them on other sites.

AdGuard said that the hacking attempts were slowed thanks to rate limiting — preventing the attackers from trying too many passwords in one go. But the effort was “not enough” when the attackers know the passwords, a blog post said.

“As a precautionary measure, we have reset passwords to all AdGuard accounts,” said Andrey Meshkov, AdGuard’s co-founder and chief technology officer.

AdGuard has more than five million users worldwide, and is one of the most prominent ad-blockers available.

Although the company said that some accounts were improperly accessed, there wasn’t a direct breach of its systems. It’s not known how many accounts were affected. An email to Meshkov went unreturned at the time of writing.

It’s not clear why attackers targeted AdGuard users, but the company’s response was swift and effective.

The company said it now has set stricter password requirements, and connects to Have I Been Pwned, a breach notification database set up by security expert Troy Hunt, to warn users away from previously breached passwords. Hunt’s database is trusted by both the UK and Australian governments, and integrates with several other password managers and identity solutions.

AdGuard also said that it will implement two-factor authentication — a far stronger protection against credential stuffing attacks — but that it’s a “next step” as it “physically can’t implement it in one day.”
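The breached-password check mentioned above, as an added example rather than AdGuard's or HIBP's own code: the Pwned Passwords API is queried with only the first five hex characters of the password's SHA-1 and answers with every known suffix sharing that prefix, so the full hash never leaves the client. `SAMPLE_BREACHED` and `fake_range_lookup` are constructed stand-ins for the live service, and the 12-character minimum is an assumed policy, not AdGuard's actual requirement.

```python
import hashlib
from typing import Callable, Dict, Tuple

# Constructed sample "breach corpus" with made-up exposure counts; stands in
# for the real Pwned Passwords data set in this offline example.
SAMPLE_BREACHED: Dict[str, int] = {
    "password": 3730471,
    "123456": 23597311,
    "qwerty": 3946737,
}


def sha1_upper(password: str) -> str:
    """Uppercase hex SHA-1, the form the Pwned Passwords range API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def fake_range_lookup(prefix: str) -> str:
    """Offline stand-in for GET https://api.pwnedpasswords.com/range/{prefix}.

    Returns one "SUFFIX:COUNT" line per sample hash whose first five hex
    characters equal `prefix`; the server never learns the other 35.
    """
    assert len(prefix) == 5, "the range API is queried with exactly 5 hex chars"
    lines = []
    for pw, count in SAMPLE_BREACHED.items():
        digest = sha1_upper(pw)
        if digest.startswith(prefix):
            lines.append(f"{digest[5:]}:{count}")
    return "\r\n".join(lines)


def pwned_count(password: str, range_lookup: Callable[[str], str]) -> int:
    """k-anonymity check: send the 5-char prefix, match the suffix locally."""
    digest = sha1_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in range_lookup(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0  # no suffix in the range matched: not in the corpus


def check_new_password(password: str, range_lookup: Callable[[str], str],
                       min_length: int = 12) -> Tuple[bool, str]:
    """Combine a length rule with the breach check; returns (accepted, reason)."""
    if len(password) < min_length:
        return False, f"shorter than {min_length} characters"
    seen = pwned_count(password, range_lookup)
    if seen:
        return False, f"seen {seen} times in breach corpora"
    return True, "ok"
```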

1Password nets partnership with ‘Have I Been Pwned’

A little over a month since 1Password incorporated a pwned password check feature developed by Have I Been Pwned’s Troy Hunt, the password manager service has now netted what’s being described as “a partnership” with the popular breach monitoring service.

Essentially this boils down to a commercial arrangement between 1Password and the free-to-use breach check service, with HIBP now recommending users sign up to 1Password’s service at the point when they learn their information may have been involved in a data breach.

In a blog post explaining why he feels it’s the right time to accept a sponsor for the service, Hunt writes that one of the reasons he feels comfortable taking money in this way is that users want “actionable steps once they’ve found themselves pwned” — so being able to point them to a specific, named and, in his view, trusted password manager makes sense for him.

“I also could have listed just a few of the industry leaders but people being as they are and the whole paradox of choice problem… they need more,” he adds.

It’s a major win for 1Password of course, whose brand will now be in front of people at the point when they are likely to be most motivated to pay to tighten the security screw.

And for Hunt it’s understandable that he wants to gain a bit more financial reward for his efforts running the now popular and high profile service (he has accepted donations before), although it’s a move that will undoubtedly face some criticism — given the core issue (which he himself flags): “There’s no way to sugar-coat this: HIBP only exists due to a whole bunch of highly illegal activity that has harmed many individuals and organisations alike.”

You can say the same for security products in general, of course. But moving from the goodwill of offering a free breach check — with the stated aim of helping raise the general standard of security among web users — to accepting money from a company to encourage people to subscribe to its (security) service is a new, more clearly commercial direction.

Hunt says he’s had lots of such offers before and rejected them — and says he picked 1Password specifically because of having a “long-standing history with them”.

“This is a product I was already endorsed in by my own free volition and from the perspective of my own authenticity, that was very important,” he writes, noting that he recommended the service in another post, last October, and signed up as a subscriber himself just last month.

He also says 1Password’s decision to integrate his pwned password check into their product last month impressed him, and that he’s found them good people to work with.

Beyond the fact that the company’s product will now appear in step 1 (and step 2) of the “3 security steps” HIBP recommends to people whose emails are confirmed to have been involved in a breach, Hunt hasn’t provided many details about the terms of the partnership.

Nor is he saying how much money he’s getting — aside from quipping that “it’s not quite $120M”.

But he does claim it’s a “partnership” — “rather than just a one-way relationship where their name appears on HIBP”, flagging up continued product integrations (of pwned passwords) by 1Password as an example. So there looks to be more coming on that front too.

We’ve reached out to 1Password about the partnership and will update this story with any response.

Air Force launches bug bounty program

The Air Force announced today that it will launch a bug bounty next month for several of its public-facing websites, allowing hackers to seek out vulnerabilities in the sites and exchange them for cash rewards. Over the past year, the federal government has slowly started to open up to the idea of bug bounty programs. Hack The Pentagon, which launched last April, was the government’s…

Cloudbleed investigation turns up a million leaks but no signs of exploitation

Since Cloudflare revealed a bug that caused random chunks of data to leak from customer websites, including Fitbit and OkCupid, the company has worked to determine the extent of the problem. It turns out that the vulnerability caused extensive leaks — which isn’t much of a surprise, given the sheer number of websites that use Cloudflare for its security and performance…

How to secure your data after the Cloudflare leak

Cloudflare revealed yesterday that a bug in its code caused sensitive data to leak from some of the major websites that use its performance enhancement and security services. Uber, Fitbit, OkCupid and 1Password are among Cloudflare’s millions of clients, and it’s possible that personal data such as passwords and cookies leaked from many client websites during the five months…

Cloudflare and CREDO are still gagged from talking about national security letters

In 2013, the government estimated that it issued approximately 60 of these national security letters a day. But, until last summer, no company was allowed to admit that it had received one. This week, the content delivery network Cloudflare revealed that it received a demand for customer data from the FBI in 2013. Cloudflare has been prevented from talking about the demand for many years, but…

CloudFlare adds lots of new encryption features

CloudFlare is encrypting its corner of the internet. The company announced today that it has rolled out new encryption features for all the websites it protects: TLS 1.3, automatic HTTPS rewrites, and opportunistic encryption upgrades. The technical upgrades will occur behind the scenes, so CloudFlare’s customers won’t notice much of a difference (except perhaps a slight uptick…

The Politics Of The Internet Of Things

The prospective scale of the Internet of Things (IoT) has the potential to fill anyone looking from the outside with the technical equivalent of agoraphobia. However, from the inside, the view is very different. Looked at in detail, it is a series of intricate threads being aligned by a complex array of organizations. As with any new technological epoch, questions around shape, ownership…