
Latest two-factor authentication (2FA) news


Bug Bounty Radar

28 February 2023: The latest bug bounty programs for March 2023

Bug Bounty Radar

31 January 2023: The latest bug bounty programs for February 2023

Facebook 2FA bypass issue patched

27 January 2023: Security vulnerability was one of Meta’s top bugs of 2022

NodeBB

08 December 2022: Prototype pollution flaw could lead to account takeover

All Day DevOps

14 November 2022: Third of Log4j downloads still pull vulnerable version despite growing awareness of supply chain attacks

Consent problem

06 October 2022: Dex patches authentication bug that enabled unauthorized access to client applications

‘You get respect for owning what happened’

01 August 2022: SolarWinds’ CISO on the legacy and lessons of Sunburst

Enhanced security

28 July 2022: GitHub enhances 2FA for NPM, improves manageability

SMEs slow to adopt MFA – study

07 July 2022: Authentication shortcomings leave sensitive data at risk

CWE Top 25

05 July 2022: These are the most dangerous software weaknesses of 2022

Scroll to Text Fragment flaws

20 June 2022: Attackers can use web browser feature to steal data, new research shows

RubyGems trials 2FA-by-default in code repo’s latest security effort

17 June 2022: Move intended to help prevent Ruby packages from being used in supply chain attacks

Data breach at Australian pension provider Spirit Super impacts 50k victims

30 May 2022: ‘Super fund’ confirms user information has been exposed

Medical data exposed by phishing attack on US state health agency

25 March 2022: Medications and test results among data potentially ‘previewed’ by attacker

FBI warning

17 February 2022: Russian nation-state hackers targeting US contractors for sensitive defense information

MFA fatigue attacks

16 February 2022: Users tricked into allowing device access due to overload of push notifications

Don’t trust, verify

28 January 2022: US government’s ‘zero trust’ roadmap calls time on antiquated paradigm

US cyber directive

20 January 2022: Federal agencies told to raise security bar for national security systems

Breaking the Box

18 January 2022: Researchers discover ‘extremely easy’ 2FA bypass in Box cloud software

Credential stuffing attacks

06 January 2022: New York Attorney General alerts 17 ‘well-known’ organizations to 1.1m compromised online accounts

Bookshop of errors

05 January 2022: Indian academic bookseller Oswaal Books fixes alleged serious vulnerabilities with Shopify relaunch

Ubisoft confirms Just Dance video game data breach

21 December 2021: Developer said no accounts had been improperly accessed

‘Mass-scale impact’

07 December 2021: Flaws in Tonga’s top-level domain left Google, Amazon, Tether web services vulnerable to takeover

Sixth member of SIM-swapping cybercrime gang sentenced

01 December 2021: US crime syndicate ‘The Community’ stole millions of dollars’ worth of cryptocurrency

GoDaddy managed WordPress hosting breach exposed 1.2m user profiles

23 November 2021: External investigation finds breach dates back more than two months

Security ‘seal of approval’

02 November 2021: NIST unveils draft criteria for scheme on consumer software security

Advanced Protection Program

12 October 2021: Google distributing 10,000 security keys to journalists, elected officials, human rights activists

Funds stolen from 6,000 Coinbase users due to SMS authentication flaw

04 October 2021: Victims are told they will be reimbursed

NoSQL bugs in Rocket.Chat left servers open to RCE

20 May 2021: Enterprise messaging platform forced to spill secrets

Bug Bounty Radar // May 2021

30 April 2021: New web targets for the discerning hacker

Second factor secrets

16 April 2021: Duo 2FA tricked into sending authentication request to attacker-controlled device

Bug Bounty Radar // April 2021

01 April 2021: New web targets for the discerning hacker

Google Titan keys cloned

12 January 2021: Researchers extract private ECDSA key after extensive physical access

MDM to MitM

04 May 2020: Multinational’s mobile endpoints engulfed by Cerberus banking trojan

Google open-sources tool to boost 2FA adoption in NPM

15 January 2020: Automation and security? You can have both!

Even basic authentication is good at thwarting commonplace hijacking attacks

20 May 2019: Password protection survey shows every little helps

Major vendors conflicted over widespread 2FA flaw

28 January 2019: Attackers could maintain access after a password change

Instagram launches app-based 2FA and other security tools

29 August 2018: Image-sharing site moves away from SMS-based authentication

Why it’s time to shed passwords for 2FA and beyond

05 July 2018: Static passwords have had their heyday – a different approach is needed when it comes to improving user security

Flaw in 2FA enabled unauthorized access to Frontier accounts

12 June 2018: Password reset flaw allowed complete account takeover