Did Slack send you a password reset link last week? The company has admitted to accidentally exposing the hashed passwords of workspace users. The issue occurred when a user created or revoked a shared invitation link for their workspace. The good news is that the password wasn’t plaintext, and it wasn’t visible in any Slack clients. The bad news is that it could be picked up by monitoring encrypted traffic from Slack’s servers, and it appears that all users who created or revoked those links between April 17, 2017, and July 17, 2022, are affected. Slack said only 0.5 percent of users were affected, which doesn’t sound too terrible until you consider how many Slack users are out there.
Twitter officially confirmed that a January breach led to the leak of information connected to 5.4 million accounts. Two weeks ago, a hacker on Breach Forums offered email addresses and phone numbers connected to the accounts, which they said ranged from “celebrities, companies, randoms, OGs, etc.” Researchers immediately tied the post to a vulnerability in Twitter’s platform that was discovered in January by a security researcher who reported the issue through HackerOne, which operates a bug bounty platform used by Twitter. Twitter told The Record on July 22 that it would investigate the issue. On Friday, the company confirmed both that the information was obtained through the vulnerability and that the stolen information was legitimate.
Open redirect vulnerabilities affecting American Express and Snapchat websites were exploited earlier this year as part of phishing campaigns targeting Microsoft 365 users, email security firm Inky reports. Open redirect flaws exist because the impacted website does not validate user input, which allows threat actors to manipulate URLs to redirect users to malicious sites. Because the manipulated link contains a legitimate domain name, the user might consider the link safe. However, the trusted domain is only used as a landing page. From mid-May to late July, Inky observed roughly 7,000 phishing emails that originated from various hijacked accounts and which attempted to exploit the open redirect in snapchat[.]com.
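The input validation that an open redirect lacks can be sketched as follows. This is an added example, not code from Inky or from any of the affected sites; the allowlisted hosts, the `url` parameter name and the sample URLs are constructed assumptions.

```python
from urllib.parse import urlsplit, parse_qs

# Assumed allowlist of hosts this site may redirect to (constructed values).
ALLOWED_HOSTS = frozenset({"www.example.com", "accounts.example.com"})

def is_safe_redirect(target, allowed_hosts=ALLOWED_HOSTS):
    """Return True only for same-site paths or https URLs on an allowlisted host."""
    if not target or target != target.strip():
        return False
    # Browsers treat "\" like "/" and drop control characters, so reject both.
    if "\\" in target or any(ord(c) < 0x20 or ord(c) == 0x7F for c in target):
        return False
    try:
        parts = urlsplit(target)
    except ValueError:  # e.g. a malformed bracketed host
        return False
    if not parts.scheme and not parts.netloc:
        # Relative reference: accept "/path" but not "//host" or "path".
        return target.startswith("/") and not target.startswith("//")
    if parts.scheme != "https":  # blocks javascript:, data:, http: and "//host"
        return False
    # .hostname drops userinfo and port, so "good@evil" resolves to "evil".
    return parts.hostname in allowed_hosts

def resolve_redirect(request_url, param="url", default="/"):
    """Pick the redirect destination for a request, falling back to `default`."""
    values = parse_qs(urlsplit(request_url).query).get(param, [])
    # Repeated parameters are ambiguous between parsers, so refuse them.
    if len(values) == 1 and is_safe_redirect(values[0]):
        return values[0]
    return default

# Constructed sample requests against a hypothetical /out redirect endpoint.
SAMPLES = [
    "https://www.example.com/out?url=%2Faccount%2Fsettings",
    "https://www.example.com/out?url=https%3A%2F%2Faccounts.example.com%2Flogin",
    "https://www.example.com/out?url=https%3A%2F%2Fphish.invalid%2Flogin",
    "https://www.example.com/out?url=%2F%2Fphish.invalid%2Flogin",
    "https://www.example.com/out?url=https%3A%2F%2Fwww.example.com%40phish.invalid%2F",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(f"{resolve_redirect(url):45} <- {url}")
```

Destinations that fail the check fall back to the site's own default page rather than producing an error, so a manipulated link on the trusted domain never leaves that domain.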
Digital communication platform Twilio was hacked after a phishing campaign tricked its employees into revealing their login credentials (via TechCrunch). The company disclosed the data breach in a post on its blog, noting that only “a limited number” of customer accounts were affected by the attack. Twilio allows web services to send SMS messages and place voice calls over telephone networks and is used by companies including Uber, Twitter, and Airbnb. The hack occurred on August 4th and involved a bad actor sending SMS messages to Twilio employees that asked them to reset their password or alerted them to a change in their schedule. Each message included a link with keywords, like “Twilio,” “SSO” (single sign-on), and “Okta,” the name of the user authentication service used by many companies. The link directed employees to a page that mimicked a real Twilio sign-in page, allowing hackers to collect the information employees inputted there.
The United States placed sanctions Monday on Tornado Cash, a leading “crypto mixer” for transactions in virtual currency that US officials describe as a hub for laundering stolen funds, including by North Korean hackers. The Treasury said Tornado Cash had been used to transfer at least $96 million of funds stolen in June from crypto exchange service Harmony Bridge, and another $7.8 million of the nearly $200 million in cryptocurrency hacked from Nomad, a similar service. In addition, Tornado Cash was used to transfer and mask $455 million of the more than $600 million worth of ethereum, a leading virtual currency, stolen in April from the Axie Infinity game via the Ronin Network. That theft, which the Treasury called the largest known crypto heist to date, was carried out by North Korean state-backed hacking units known as the Lazarus Group and APT38, according to the US Federal Bureau of Investigation.
The security industry makes its annual pilgrimage to the hot Sonoran desert this week for skills training, hacking demos, research presentations and cybersecurity vendors showing off shiny new products. For its 25th anniversary, the venerable Black Hat hacking conference is promising more than 80 presentations on topics ranging from hardware and firmware hacking to zero-day malware discoveries to the latest and greatest in APT research. SecurityWeek editors have combed the agenda carefully and identified the 10 Black Hat USA 2022 sessions that will be making news headlines all week.