Login
Citrix patched a critical vulnerability in its NetScaler ADC and NetScaler Gateway products that is already being compared to the infamous CitrixBleed flaw exploited by ransomware gangs and other cyber scum, although there haven't been any reports of active exploitation. Yet.…
Kerio Control has a design flaw in the implementation of the communication with GFI AppManager, leading to an authentication bypass vulnerability in the product under audit. Once the authentication bypass is achieved, the attacker can execute arbitrary code and commands.
I made TrashTalk.me - A free, zero-log, end-to-end encrypted web chat that destroys itself. TL;DR: I built a simple, anonymous, and secure web chat. You click one button, get a private link, share it with one person, and the entire chat is permanently destroyed the moment one of you leaves. No sign-ups, no logs, no history.
Hey Reddit,
For a while now, I've wanted a truly ephemeral way to have a quick, private conversation online without needing to download an app, create an account, or trust a company with my data. I wanted something as simple as handing someone a note that self-destructs after they read it.
So, I built trashtalk.me.
What is it?
It's a dead-simple, free web application that does one thing:
Click "Create Anonymous Chat" - This instantly generates a unique, 64-character URL.
Share the Link - Send this link to the one person you want to talk to. The room is strictly limited to two people.
Chat Securely - Your conversation is end-to-end encrypted directly in your browsers. The server can't read your messages.
Destroy It - The moment one person closes the tab or clicks the trash can icon, the connection is severed, and the chat room ceases to exist. The server keeps no record of it.
That's it. It’s designed for those moments when you need to share something sensitive—a password, a private thought, a confidential link—and want zero trace of it left behind.
How It Works (For the Tech-Curious)
I wanted this to be as private as possible, which meant minimizing what the server does and knows.
No Database, No Logs: The backend is a simple Python WebSocket server running on my Linode instance. Its only job is to be a temporary matchmaker for two browsers to find each other. It holds no user data, stores no messages, and doesn't even log chat room IDs. Once you disconnect, the room is gone from the server's memory.
End-to-End Encryption (E2EE): The real security happens on your device. The app uses the browser's built-in Web Crypto API to generate a new, temporary key pair for every session. These keys are used to establish a shared secret between you and your peer, and every single message is encrypted and decrypted on your respective devices. The unencrypted text never touches my server.
Peer-to-Peer (P2P) Connection: After the initial handshake, the encrypted messages are sent directly between the two users via WebRTC whenever possible, which is more private and efficient.
Why I Built This
In a world of data breaches and constant tracking, I believe we need more tools that are simple, private-by-design, and don't require you to hand over your personal information just to have a conversation. This is my small contribution to that idea. It's not meant to replace robust apps like Signal, but rather to be a quick, disposable tool for one-off private conversations.
I'd love for you to try it out and let me know what you think. I'm open to any feedback, criticism, or ideas you might have.
Thanks for checking it out!
Unknown miscreants are distributing a fake SonicWall app to steal users' VPN credentials.…
Partner content Recently, I've been diving deep into security control data across dozens of organizations, and what I've found has been both fascinating and alarming. Most security teams I work with can rattle off their vulnerability management statistics with confidence. They know their scan schedules, their remediation timelines, and their critical vulnerability counts. They point to clean dashboards and comprehensive reports as proof that their programs are working.…
Four convicted members of the once-supreme ransomware operation REvil are leaving captivity after completing most of their five-year sentences.…
Psylo, which bills itself as a new kind of private web browser, debuted last Tuesday in Apple's App Store, one day ahead of a report warning about the widespread use of browser fingerprinting for ad tracking and targeting.…
A stealthy, ongoing campaign to gain long-term access to networks bears all the markings of intrusions conducted by China’s ‘Typhoon’ crews and has infected at least 1,000 devices, primarily in the US and South East, according to Security Scorecard's Strike threat intel analysts. And it uses a phony certificate purportedly signed by the Los Angeles police department to try and gain access to critical infrastructure.…
Iran's Internet: A Censys Perspective https://censys.com/blog/irans-internet-a-censys-perspective
The US Department of Homeland Security has warned American businesses to guard their networks against Iranian government-sponsored cyberattacks along with "low-level" digital intrusions by pro-Iran hacktivists.…
After discovering that the haveibeenpwned.com data is accessible via the API and noticing the lack of a visualization tool, I dedicated a few evenings to building haveibeenpwned.watch. This single-page website processes and presents data on leaks from Have I Been Pwned, with daily updates.
The site provides details on the total number of recorded breaches, the number of unique services affected, and the total accounts compromised. Charts break down the data by year, showing the number of breaches, affected accounts, average accounts breached per year, accounts by data type, and accounts by industry. Additionally, tables highlight the most recent breaches, the most significant ones, and the services with the highest number of compromised accounts.
Though simple, the website can be a useful resource for use cases like strategic security planning, cybersecurity sales, risk assessment, or simply tracking trends in the security landscape.
The website is open source, with its repository hosted on GitHub.
McLaren Health Care is in the process of writing to 743,131 individuals now that it fully understands the impact of its July 2024 cyberattack.…
Model Context Protocol is quickly becoming the default way for LLMs to call out to tools and APIs—but from a security standpoint, it’s been a little hand-wavy. This post fixes that.
It shows how five OAuth specs—including dynamic client registration and protected resource metadata—combine to form a secure, auditable, standards-based auth flow for MCP.
Reports last week detail a “16 billion password leak”, with major news outlets worldwide proclaiming this as one of the “largest data breach in history. The exposed dataset appears to be a massive compilation of previously leaked login credentials combined with recent information harvested from devices infected with a type of malware called an infostealer. The vast amount of stolen login credentials, especially from the platforms people use and rely on every day, serves as a powerful reminder of the need for up-to-date online security combined with strong cyber hygiene.
If cybercriminals get hold of your login credentials, the consequences can be serious—think hijacked social media accounts, stolen identities, phishing attacks launched from your personal email account, and potentially even financial loss. The good news? You can take action right now to boost your security and stay protected from scammers.
Don’t let the “old data” narrative fool you into complacency. As McAfee CTO Steve Grobman notes: “With over 16 billion login credentials exposed worldwide, the scale of this breach is a stark reminder of the prevalence of data leaks and the importance of practicing good cyber hygiene.”
This compilation represents a significant threat because:
Password Reuse Amplifies Risk: If you reuse passwords across multiple sites, one stolen credential can unlock multiple accounts.
Social Media Account Takeovers: “Email and social media logins are particularly valuable, as they allow scammers to reset passwords and dig even deeper into someone’s digital life, even impersonating victims,” Grobman explains.
Identity theft: With access to information, like the username and password for your banking or financial account, cybercriminals could steal your identity to open new accounts, apply for loans, and commit fraud.
Increase in Phishing Attacks: In Grobman’s words: “For cybercriminals, this data is gold. It gives them everything they need to scam, impersonate, and steal. With a trove of personal information circulating widely, people should be on high alert for targeted scam emails and texts that look like they’re from trusted brands or known contacts.”
Ongoing Infostealer Infections on Unprotected Devices: New databases appear “every few weeks” with “fresh, weaponizable intelligence” which means that without the right protection you may have malware on your device silently stealing your data. And according to the researchers, the problem isn’t getting better—it’s accelerating.
Following McAfee’s official guidance, here’s what you need to do immediately:
Before changing any passwords, scan your devices for malware. If you’re concerned that an infostealer might be present on your computer, scan your device with a trusted antivirus program before changing any passwords. Otherwise, newly entered credentials could be stolen as well.
Steve Grobman’s recommendation is clear: “Now is the time to update passwords – especially for email, banking, and shopping accounts.” You should:
Enable Two-Factor Authentication everywhere possible. As our CTO recommends: “Enable two-factor authentication wherever possible” to add that crucial second layer of security.
Use authenticator apps, such as Google Authenticator, Duo, and Authy, and do not use SMS. You should avoid using SMS texts to receive 2FA codes, as threat actors can conduct SIM-swapping attacks to hijack your phone number and obtain them.
Given the elevated risk of targeted scams using your real information, Grobman specifically recommends: ” Use scam detection technology, like McAfee’s Scam Detector, to help flag risky messages before they cause harm.”
While this specific data compilation may contain both older and newer data, it highlights a fundamental truth: your credentials are constantly being targeted by cybercrooks.
The infostealer problem has gotten so pervasive that manual monitoring simply isn’t sufficient anymore. You need automated, professional-grade protection that works 24/7.
Traditional approaches wait for you to discover you’ve been compromised. McAfee’s approach is different:
There are thousands, if not hundreds of thousands, of similarly leaked archives being shared online, resulting in billions of credentials records released for free. This 16 billion record compilation is just the latest in an ongoing parade of massive credential dumps.
The Trend Is Accelerating: As infostealers have become so abundant and commonly used, threat actors release massive compilations for free on Telegram, Pastebin, and Discord to build reputation and attract customers to their paid services.
Given the scale of credential theft over the years, assume some of your information is already in criminal hands. This mindset shift changes everything:
Your credentials are valuable to criminals, and they’re actively working to steal and exploit them. The question isn’t whether your information will appear in future compilations—it’s whether you’ll be protected when it does.
McAfee Identity Monitoring provides timely dark web alerts, complete with guidance on how to quickly secure your info if they’re found in breaches.
Get McAfee+, with all-in-one scam, privacy, and identity protection and gain immediate access to:
Remember: Take this opportunity to update your passwords immediately and improve your cybersecurity habits — because the threat is real, ongoing, and growing.
The post 16 Billion Stolen Logins for Apple, Google, Facebook and More: How to Stay Safe appeared first on McAfee Blog.
Britain's Cyber Monitoring Centre (CMC) estimates the total cost of the cyberattacks that crippled major UK retail organizations recently could be in the region of £270-440 million ($362-591 million).…
Infosec in brief A former US Army sergeant has admitted he attempted to sell classified data to China.…
Try it out and shoot me a dm about what you think
So I cooked up a fake transaction for shits and giggles. No valid IBAN. No real user. No device. No signature. No token. No nothing. Just pure distilled bullshit in a JSON payload.
Guess what? “Transaction accepted” “attack_success”: true “fraud_score”: 0.99999 System looked at it and said: “yeah, looks good to me.”
I even told the sandbox I was sending 10k EUR from FAKE_IBAN_901 to INVALID_IBAN_123 using a spoofed IMEI and some RSA nonsense I made up in Notepad. Bunq backend? Nodded politely and gave me a sandbox TXID.
It gets better — it accepts critical priority flags, fake biometric hashes, invalid currency codes, all wrapped in a nice little “success” bow.
This ain’t a bug, this is a fuckin’ confessional.
If bunq staff lurking here: hit me up. This ain’t a ransom, but y’all might wanna know just how open wide your API goes when someone whispers sweet nothings like tpp_id: "lol_fake_999".
We got logs. We got timestamps. We got receipts.
Your move, bunq.
RAWPA helps security researchers and penetration testers with hierarchical methodologies for testing.
This is not a "get bugs quick scheme". I fully encourage manual scouring through JS files and playing around in burp, RAWPA is just like a guided to rejuvenate your thinking.
Interested ? Join the testers now
https://forms.gle/guLyrwLWWjQW61BK9
Read more about RAWPA on my blog: https://kuwguap.github.io/
Firstly, apologies for the annoying clipping in the audio. I use a Rode VideoMic that's a shotgun style that plugs straight into the iPhone and it's usually pretty solid. It was also solid when I tested it again now, just recording a video into the phone, so I don't know if this was connection related or what, but I was in no position to troubleshoot once the stream had started, unfortunately.
Moving on, it's been a ridiculously hectic week of bacb-to-back events then to top it off, we've bee dealing with crazy traffic volumes on HIBP:
Well, that explains the traffic: 2.46M visitors to Have I Been Pwned in 24 hours, mostly from Google searches. The inbound traffic is near unprecedented, with only the Collection 1 credential stuffing list in Jan 2019 and the Facebook scrape in April 2021 coming close. pic.twitter.com/li7qvfy9tk
— Troy Hunt (@troyhunt) June 21, 2025
Anyway, you just can't predict these things, hope you enjoy this week's video regardless.
Scammers are hijacking the search results of people needing 24/7 support from Apple, Bank of America, Facebook, HP, Microsoft, Netflix, and PayPal in an attempt to trick victims into handing over personal or financial info, according to Malwarebytes senior director of research Jérôme Segura.…
Aflac is the latest insurance company to disclose a security breach following a string of others earlier this week, all of which appear to be part of Scattered Spider's most recent data theft campaign.…
The latest marketing ploy from the ransomware crooks behind the Qilin operation involves offering affiliates access to a crack team of lawyers to ramp up pressure in ransom negotiations.…
FreshRSS