Latest news with #TroyHunt
Yahoo
22-07-2025
- Automotive
- Yahoo
How worried should EV owners be about their car being hacked?
Electric cars increasingly resemble computers on wheels, connected to the cloud and with their own array of apps — so should users be afraid of them being hacked? Cybercriminals target the most popular electronic products, from PCs to smartphones, and as electric vehicles (EVs) become more popular, their attention will inevitably switch to these expensive, connected, software-driven products. Yahoo News spoke to some of Britain's leading cybersecurity experts to assess the real risks. Can electric cars be hacked? While electric cars can be targeted by cybercriminals, owners should "be aware, but not overly concerned", said Antoinette Hodes, an expert at cybersecurity company Check Point. The connected element of electric vehicles, including having to be plugged in to charging points and download software, makes them particularly vulnerable. 'As EVs become more connected and software-driven, they increase the potential attack surface for cybercriminals," she said. 'EVs rely on wireless communication (bluetooth, wifi, GPS, etc) and cloud-based ecosystems, which makes them vulnerable to cyber threats.' In competitions where hackers test the security of devices to prevent real criminals from exploiting weaknesses, they have managed to take over chargers such as Tesla's Wall Connector (at the January 2025 Pwn2Own Automotive in Tokyo). Australian hacker Troy Hunt showed in 2016 how hackers could break into Nissan Leaf via its app, gaining control of vehicle systems, including climate control. Cybercriminals attack electric vehicles directly, usually through wifi or other wireless connections, or by hacking into infotainment systems, Daniel dos Santos, head of research at cybersecurity company Forescout, told Yahoo News. But one particular vulnerability is attacks that target EV chargers, which have the potential to be devastating, dos Santos said. 'Electric car owners are likely to have EV chargers at home, often solar panels and sometimes battery systems to store the generated energy. All those systems are often remotely managed and therefore connected to the internet," Dos Santos told Yahoo News. Research by Forescout in March 2025 found that attackers could take charge of solar inverters and also EV chargers from the same manufacturer. It's possible that by controlling EV chargers, hackers would be able to either steal electricity, charge cars for electricity they had not used, or even steal private data. "An even scarier scenario – which hasn't yet been demonstrated as far as I know – would be a sort of 'worm' that spreads when cars are connected for charging," says Dos Santos. "So that a car could get infected, then infect other charging points, which would infect other cars and so on. An attacker that managed to compromise a network of chargers through a supply chain attack could then cause some serious impact.' Are certain brands more likely to be hacked? Hackers at the Black Hat security conference demonstrated successful attacks against Tesla vehicles in 2016. But there are additional concerns over the data used by some Chinese brands, particularly those which produce EVs that are cheaper to buy than brands such as Tesla and Nissan. British defence firms have warned staff against connecting work devices to Chinese-made EVs in March 2025, in case the apps steal data, the i paper reported. For ordinary consumers, this is unlikely to be an issue, but cheaper brands may have vulnerabilities that lead to data leaking online, for example. James McQuiggan, security awareness advocate at KnowBe4, said: "The genuine concern isn't just remote hijacking, as it is about data privacy, app compromise, and supply chain vulnerabilities. "EVs are essentially a large electronic ecosystem, which means they require the same level of cyber hygiene as any internet-connected device." What can EV drivers do to stay safe? The approach to keeping electric vehicles safe is very much the same as normal cyber safety, says Check Point's Hodes. That means keeping software updated at all times, and being cautious about what cars are connected to. Hodes said: "As cars become more autonomous and connected, the potential for remote attacks increases. "The key for owners is to adopt good cybersecurity practices — keeping software updated, being cautious about what devices they connect to, and treating their car as any other connected device."
New York Times
18-07-2025
- New York Times
Your Data Appeared in a Leak. Now What?
My personal information has been leaked in a data breach not once or twice or even thrice. By now I've lost count. I've learned about the breaches in letters offering me free credit monitoring, in apologetic emails from affected companies, and in news reports. You've probably been there, too. The urge to shrug and do nothing is strong, but that approach is almost certain to cause you some future pain. Learn from my mistakes — someone once took over my Facebook account using stolen data because I recycled my passwords. (Tip: Don't do this.) Data breaches are now an unfortunate fact of modern life, and there's not much you can do about preventing them. But that doesn't mean you can't protect yourself in the aftermath. Here's what to do. Leaks and data breaches can take many forms — a hacker releases stolen records online, a company accidentally leaves a server available, the list goes on — but the result is that your personal information ends up somewhere it shouldn't. Don't panic, but don't ignore it. The sad truth is, decades of data breaches and a thriving market for data brokers mean that an uncomfortable amount of your personal information is likely already out in the open. 'It doesn't worry me too much anymore, just simply because there's so much of that data out there anyway, and a new data breach doesn't particularly change that,' says Troy Hunt, the founder of HaveIBeenPwned, a site that lets you search data breaches to see if you've been affected. But some breaches, particularly those involving sensitive data such as passwords or other personal information, demand attention. Here's what to do immediately after a data breach to protect yourself in the future: Set up a password manager and enable two-factor authentication. Because attackers know that many people use the same password across multiple accounts, they'll attempt to use a password exposed on one website across others. Hunt says that due to password recycling, 'one data breach of a fairly benign service is suddenly a digital key to everything else.' Even if your password wasn't exposed, take the breach as an opportunity to level up your online security. First, choose a password manager (our picks are 1Password and Bitwarden) and use it to create a new, unique password for the site that was breached. Then, take a minute to activate 2FA, if it's available, to keep attackers out even if they have your password. Two-factor authentication adds another layer of protection on top of your password, often in the form of a PIN, security key, or face scan (if you've ever been prompted to enter a texted code after entering your password, that's 2FA). Once you've done that, change the password on another site or two every day (or whenever you log in), and add it to your password manager. Eventually, you'll have unique and complex passwords protected with 2FA for all of your accounts, which will help protect you after future data breaches. I Tried, and Failed, to Disappear From the Internet Go directly to the source to find more information about the breach. If you hear about a data breach from a letter, email, or news report, go to the affected company's website to get more information. Be sure to avoid links in emails or text messages, as these can sometimes be from opportunistic scammers. Look for explanations of what information was exposed and what, if any, additional steps the company is taking to protect those affected. If you can't find any information on the website, try contacting the company by phone using a verified phone number. Many companies list their contact numbers on their official websites, so use that number instead of whatever pops up on Google. Once you know what information was exposed, you can decide what to do about it. Assessing your risk is deeply personal, and how you react might depend on how much and what kind of information the company had on you, though some personal information is obviously sensitive. If your account password, address, or Social Security number has been exposed, you need to take action. Another important piece of information that is often overlooked is your date of birth: 'You can never change it,' Hunt says. 'And unfortunately, we've got everything from [telecommunication companies] to banks regularly using that as an identity proof.' Change your passwords. Companies sometimes require a password reset after a data breach, so you'll have to create a new password before you can log in. If the company doesn't require a reset, you can do it yourself in your account settings. If you can't log in to change your password, though, an attacker may have already taken control of your account; use the site's password-recovery tool and replace your old password with a strong new one. Store that new password in your password manager and then turn on 2FA. If that doesn't work, contact the company through a verified phone number listed on its site or another trusted source to regain control of your account. Also change the password on any other site where you reused it. As we mentioned earlier, attackers know people's bad password habits and sometimes try confirmed passwords on multiple sites, hoping to get lucky. Share this article with a friend. Monitor your bank and credit card accounts. Log in to your financial accounts and look for fraudulent charges. Most bank accounts in the US are insured by the Federal Deposit Insurance Corporation for up to $250,000, so if you see incorrect charges, contact your bank to file a claim and get your money back. In the US, customers are not responsible for fraudulent credit card charges, either, so report any of those as well to get them removed from your account. When contacting your bank, credit card company, or brokerage, be sure to do so through a verified phone number. Most banks and credit card issuers list a fraud-support phone number on the back of your debit or credit card. Check and freeze your credit. Sometimes, scammers try to use your personal information to open new bank accounts or take out loans. You can check for this kind of fraudulent activity by examining your credit reports from the three major credit bureaus: Equifax, Experian, and TransUnion. The Federal Trade Commission recommends against contacting the credit bureaus individually and instead directs people to use to request one free report from each credit bureau per year. You can also request a credit freeze, which helps prevent new accounts or loans from being opened in your name. If you have children, the FTC recommends freezing their credit, as well; because youngsters are unlikely to be checking their own credit reports, fraud using the information of minors can go unnoticed for years. A credit freeze lasts until you choose to lift it, but keep in mind that it can't protect against all kinds of fraud. The Federal Trade Commission offers resources for reporting identity theft and recovering your accounts if you're concerned that someone is using your Social Security number. If the affected companies offer free credit monitoring or identity-theft support, use it. Many companies offer credit-monitoring services in the wake of a data breach. You should take advantage. However, all of them require you to activate such services, and you have to watch for notifications if these services find anything suspicious. Typically, you have a limited time during which you can activate the services, and they run for only a year or so. File your taxes early. Tax scammers sometimes try to claim your US income tax refund by using stolen information to file a return before you do. If you were involved in a recent data breach, or if sensitive information such as your Social Security number was leaked, consider filing your taxes early to beat scammers to the punch. You can also set up a PIN with the IRS to add an extra layer of protection to your taxes. This is a smart thing to do, even if your data hasn't been exposed. Be on alert for scams purporting to help after a breach. Scammers sometimes send legitimate-looking emails or texts about data breaches that are actually links to phishing sites, which look like reputable sites but are actually designed to convince you to divulge your passwords or sensitive information. It's a cruel manipulation: exploiting your very anxiety about a security leak to steal your information. To protect yourself, be skeptical of messages with links or demands for immediate, dramatic action. Before you follow any instructions from an email, a text message, or even a phone call, confirm that information by going to an official website or contacting support through a verified phone number. Phishing sites have a short lifespan, and most browsers are good at blocking malicious sites. If your browser warns you to stay away, pay attention. Most password managers store a related URL along with your password and notify you when you visit a site with a saved password. If you're on a familiar-looking site but your password manager doesn't recognize it, double-check the URL to confirm that it isn't a cleverly designed look-alike. Your Phone Is Stolen. Your Laptop Gets Lost. Here's What to Do.
Mint
23-06-2025
- Mint
16 billion passwords: How bad is the ‘world's largest data breach'?
New Delhi: On 19 June, a report by cybercrime and data breach reporting platform Cybernews said that a collection of 30 live databases was found with information stolen from individuals around the world—collecting what was claimed as 16 billion passwords and their corresponding credentials. The details reportedly belonged to users who had accounts on the most popular online services—Apple, Facebook, Google and others. Has the breach in question really put most users of the internet at risk? Perhaps not—Mint explains why. What really happened in the alleged data breach? Cybersecurity researchers that Mint spoke with said that the breaches in question were not strictly new or a single consolidated breach, as early reports had claimed. Instead, the new databases are more like master databases where breached information gathered over almost the past decade was put together by an unidentified group or entity. To put it simply, data breaches occur from either unsecured online databases that cyber criminals scrape to collect information, or as part of cyber attacks on large online platforms that lead to the leakage of sensitive information. The largest known data breach so far occurred in 2016, when cyber attackers breached the entire database of once-search and mail giant Yahoo—stealing over 3 billion passwords and related user credentials at one go. Also read: India's big AI test is here: Making sovereign language models work Four cybersecurity researchers that Mint spoke with said that the 'master' database with 16 billion passwords and other corresponding data—such as name, email addresses, dates of birth and other personally identifiable information (PII)—is likely a collection of multiple breaches, dating back to 2015. Is such a widespread data breach even possible? While no number of breaches is outside the realm of possibility, most researchers stated that a single breach exposing such a massive volume of sensitive information at one time is nearly unlikely. 'There are estimates of over 5.5 billion unique users on the internet. Given that any average individual would have at least two or three emails, plus accounts linked with around 10-15 online services—served by an average of around five unique passwords, an extrapolated hypothesis can be that a breach of 16 billion passwords would likely impact over 40% of all internet users globally. For this to happen in one single coordinated data breach would be akin to all of Europe, Asia and then some more being compromised at one go—which is nearly unthinkable even in today's cybersecurity climate," said an independent cybersecurity researcher who closely works with various government departments, requesting anonymity. Mint could not independently access the alleged database in question or verify whether the information is updated. However, a scroll through cyber breach tracker Have I Been Pwned by noted cyber security professional and Microsoft regional director for the US, Troy Hunt, signified that passwords that have been in use on Apple, Facebook and Google's platforms since at least 2018 have not surfaced online in the repository's list of breached passwords. Also read: Sovereign silicon: India targets indigenous 2nm, Nvidia-level GPU by 2030 To be sure, Have I Been Pwned is a public repository that regularly scrapes dark web databases for leaked passwords, such as the one mentioned here. What should users do in this regard? Cybersecurity experts stated that, irrespective of whether their passwords appear in breach trackers such as the one cited above, updating passwords once every six months is prudent. Heather Adkins, vice-president of security engineering at Google, said that as part of its global endeavours to ramp up cybersecurity, the company is in the process of collaborating with Apple, Microsoft and others in a global 'Fido Alliance'—which seeks to establish 'passkeys' as a standard for login. 'Passkeys reduce the dependency on passwords, and thus reduce how breaches occur by using the biometric authentication information that is stored on users' phones and laptops. The benefit here is that attackers cannot breach biometric information even if they want, since they require on-device authentication. Various emails and other logins are steadily shifting to passkeys in this regard," Adkins said. Sidharth Mutreja, cofounder and chief technology officer of homegrown enterprise security consultant Rockladder Technologies, added that a second step is to 'enable two-factor authentication." 'As a second layer of security, users should always either use one-time password-based additional verification or use authenticator apps to ensure that their accounts and personal information are not breached even if a password is compromised. Additionally, it's important to ensure that any caller or email sender is personally verified before they are responded to," he added. For now, though, each of the researchers agrees that no user is at 'immediate risk of losing access to all of their accounts"—even though initial reports projected widespread risk, unlike what was seen before. Can attackers still leverage the information? Unfortunately, yes. The presence of such databases means that attackers with deep pockets and ill intent can pay to access such databases and use the information for a wide range of tasks. These include actions such as 'spear phishing'—where attackers use available information about individuals to closely impersonate a potential acquaintance, and dupe them financially or otherwise. Also read: Eye in the sky: India to set up satellites to spy on satellites To be sure, such attacks have become common in India in the form of 'digital arrests' and originate from such databases. A single, coordinated database could thus be a crucial indirect resource for attackers, even if they do not immediately cause any direct harm to users. Will companies handle damages and fallouts, if any? Mutreja said that a coordinated database that collates all breached information under one umbrella 'could create significant liability for enterprises in terms of securing their own platform with database monitoring tools—and put the onus on consumers to instantly and continuously change their passwords." 'There's no one set law that dictates if a company should be liable for a public database—unless a breach in question directly correlates to a company specifically. In such a case, users can directly raise questions on whether companies should have better protected their data. In this case, though, this does not hold," he added. Apple, Facebook and Google—the three major service providers whose information was a part of the breach as per the original report—have not issued any statements or patches pertaining to a data breach of such stature.
India Today
20-06-2025
- India Today
16 billion passwords leaked: Here is how to check if your account was hacked
In what has been referred to as one of the most severe security breaches in internet history, over 16 billion passwords have been found leaked online. This leak reportedly includes login information ranging from personal email and social media accounts to developer tools like GitHub, and in some cases, even government importantly, the leaked data in this breach does not include recycled old data. According to reports by Cybernews and Forbes, most of the credentials are newly harvested and highly usable by hackers. This thus puts millions of users at risk of cybercrime, including identity theft, phishing attacks, and account leaked data is believed to have been gathered using infostealer malware — malicious software that quietly infects a user's device, extracts login details from browsers or apps, and sends them to cybercriminals. These stolen credentials are then either used directly or sold in bulk on dark web forums, where access is cheap and often doesn't require technical expertise. What makes this breach more concerning is the format in which the data has been leaked. Each leaked entry reportedly includes a website URL, followed by a username and password. This makes the data easier for hackers to exploit. Experts warn that this security breach could lead to a rise in identity theft, phishing scams, and account takeovers across various online the news is certainly alarming, you can check if your account has been exposed in this breach or any previous to check if your account has been exposedadvertisementOne way to check is through a website called Have I Been Pwned. It is a free platform maintained by cybersecurity expert Troy Hunt. The site collects data from hundreds of breaches and allows users to search by email address or password to see if they've been check your credentials-– Visit the site and enter your email address in the search bar.– Click on "pwned?" to see if your email appears in any known breaches.– Use the "Passwords" tab to check if any of your commonly used passwords have been if your data has been compromised?If you find that your email ID or passwords are part of a breach, here are some immediate steps you need to take:Change your password for the affected service right you have reused the same password elsewhere, change it on those platforms can also use a password manager like Google password manager to generate strong and unique passwords. Also enable two-factor authentication (2FA) to add an extra layer of protection to your can even use passkeys, which are more secure than traditional passwords as they use biometric authentication.
Yahoo
31-05-2025
- General
- Yahoo
Gang members sentenced to life for murder of Gwinnett businessman at his home
The Brief A Gwinnett County judge has sentenced two men to life in prison for the murder of the owner of a local check-cashing business in 2019. Investigators say the two members of the "Goodfellas" street gang used a tracking device to follow their victim home in an attempt to rob him that went wrong. One person arrested for the crime died in custody from a drug overdose. The fourth suspect remains unidentified. GWINNETT COUNTY, Ga. - Two men will spend the rest of their lives behind bars after they were found guilty of murder in the 2019 death of the owner of a local check-cashing business. Prosecutors say 37-year-old Daquan Rashad Clarke and 44-year-old Troy Anthony Hunt were among a group of four men who targeted the owner of the DeKalb County business in his home in Gwinnett County. What we know Officials said on Oct. 4, 2019, Clarke, Hunt, Ian Jabar Longshore, and a fourth man followed 55-year-old Sukkee Hong to his Sugar Hill home. According to investigators, the group, all members of the "Goodfellas" street gang, had identified Hong's business, TME Check Cashing, as one of several that they wanted to rob. Clarke's girlfriend, Subriccia S. Moss, bought a tracking device on the internet and distracted Hong while the men put the device on his car. On that night, prosecutors said Hunt and the unidentified man followed Hong into his garage while Clarke and Longshore waited in getaway cars. Video surveillance showed the two men racing out of the garage after firing shots. They took with them a bag from Hong's car that had documents and the victim's cell phone. Detectives say they identified three of the four men using mobile phone data and DNA evidence collected from the crime scene. What they're saying "We stand with the family and loved ones of Mr. Sukke Hong and continue to grieve his loss," District Attorney Patsy Austin-Gatson said. "We thank the jury for returning a verdict which gives Mr. Hong's family justice. Violent gang activity is unacceptable in Gwinnett County, and we will always hold those who commit crimes like these accountable to the fullest extent of the law." Dig deeper Earlier this month, a Gwinnett County jury found Clarke and Hunt guilty of two counts of felony murder, aggravated assault, armed robbery, and four counts of violation of Georgia's Street Gang Terrorism and Prevention Act. Hunt was also found guilty of possession of a firearm during the commission of a felony. Clarke was sentenced to life in prison without the possibility of parole plus 80 years. Hunt was sentenced to life in prison without the possibility of parole plus 30 years. Investigators are still working to identify the fourth man. The Source Information for this story was taken from a release by the Gwinnett County District Attorney's Office.
