Ex-NSA analyst Patrick Wardle has discovered that malicious third-party apps could let hackers access plaintext passwords stored in Apple's Keychain with the macOS High Sierra update.
The data trove's "Dropbox" file contains 18 million usernames plus plaintext passwords.
"Fortunately, the eBay account passwords were encrypted, so it will be more difficult for attackers to retrieve the plaintext passwords and use them to impersonate people," Craig Young, security researcher for Tripwire, told the E-Commerce Times.
This time, a hacker on a dark web forum called "Hell" claims to have sold the email addresses and plaintext passwords of over 27 million users of dating site Mate1.com.
An analysis of a massive 8.8 GB trove of files containing usernames and plaintext passwords suggests hundreds of services may have experienced unreported or undiscovered data breaches.
He used a service that allowed him to convert the plaintext password to a bcrypt one, a procedure he humorously termed the "poor man's cracking service."
Not exact matches
It appears Mate1.com hosted the password files in plaintext without any hashing.
The information was all plaintext, meaning no encryption was in place, and included names, email addresses, DOBs and passwords of around 42m users from around the world.
And off-topic loads of forums and WordPress sites would get called out for accepting passwords over plaintext.
Essentially, the password will never be visible in its plaintext form.
While "bcrypt" is generally considered safe — meaning, hackers who gain access to databases containing these passwords can't access them in plaintext — it is prone to implementation mistakes, as Ashley Madison users discovered during its 2015 breach.
Four locks, for example, transmitted their user passwords in plaintext to smartphones, making it easy for anyone with a $100 Bluetooth sniffer to pluck the passwords out of thin air.