Cerberus server breached, users advised to change their passwords

Cerberus Data Leak

Cerberus is one of the best-known mobile security apps: it can track a phone's location, lock it remotely, and even wipe its data.

However, Cerberus's server was recently broken into, and the login names and hashed passwords of some users may have been stolen. After getting in, the attacker read a log file that contained usernames and password hashes (SHA-1, according to Cerberus's own statement below, not encrypted passwords in the reversible sense). Cerberus confirms that no other personal data (such as email addresses or device data) was accessed:

the attacker(s) were able to gain access to usernames and encrypted passwords for a subset of our users. No other personal data (emails, device information, etc.) has been accessed.

Cerberus has reset the passwords of more than 90,000 customers (96,564 according to its statement) and notified the affected users. Three of those accounts were actually accessed by the attackers. As of 26 March, none of the stolen account data had been seen released or circulating publicly.

– The database was not accessed, passwords are hashed and uniquely salted multiple times there, and we will migrate to bcrypt soon
– The attacker was able to access a legacy log file that contained usernames and SHA-1 hashes of passwords, that was generated by the app logins between March 1 and March 21
– We have then deleted the log file, stopped the legacy logging procedure, invalidated the passwords for the accounts present in the log and notified the users involved
– A total of 96564 accounts had their password reset and have been notified with the email communication above. These accounts have not been accessed in any way.
– A total of 3 accounts were accessed by the attackers, before we blocked their activity and reset the passwords. Those 3 users were notified before the others with a different email communication.
– As of March 26, none of the data obtained by the attacker was released publicly, that we know of.
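The statement draws a line between the unsalted SHA-1 hashes in the legacy log and the salted, iterated hashes in the database. The Python below, added here as an illustration and not code or data from Cerberus, shows why that line matters: the log format, the usernames, the passwords and the wordlist are all constructed, and the salted scheme is a generic salt-plus-iteration construction standing in for whatever the database actually uses. One precomputed table cracks every unsalted entry at once, while a per-user salt forces a separate dictionary run per user and each guess costs the full iteration count.

```python
"""Unsalted SHA-1 in a log file versus salted, iterated hashes.

Constructed example for this article; not Cerberus's code, log format or data.
"""
import hashlib
import os
import re

# Stand-in for a real cracking dictionary (constructed).
WORDLIST = ["123456", "password", "qwerty", "letmein", "cerberus", "iloveyou"]

# Assumed line shape for the legacy log: username plus SHA-1 of the password.
LOG_LINE = re.compile(r"user=(\S+) sha1=([0-9a-f]{40})")


def make_legacy_log(credentials):
    """Build sample log lines of the kind the statement describes: one line per
    app login carrying the username and the SHA-1 of the plaintext password.
    The real log layout is not public; this format is an assumption."""
    lines = []
    for user, password in credentials:
        digest = hashlib.sha1(password.encode()).hexdigest()
        lines.append(f"2014-03-10 login user={user} sha1={digest}")
    return "\n".join(lines) + "\n"


def parse_legacy_log(text):
    """Return {username: sha1_hex} for every login line in the log."""
    return {m.group(1): m.group(2) for m in LOG_LINE.finditer(text)}


def crack_unsalted(hashes, wordlist):
    """Without a salt, equal passwords give equal hashes, so hashing the
    wordlist once yields a lookup table that cracks every user in one pass."""
    table = {hashlib.sha1(w.encode()).hexdigest(): w for w in wordlist}
    return {user: table[h] for user, h in hashes.items() if h in table}


def salted_hash(password, salt, rounds=10000):
    """Per-user salt plus repeated hashing. Illustrative only: the statement
    says the database salts and hashes 'multiple times' but gives no details."""
    h = salt + password.encode()
    for _ in range(rounds):
        h = hashlib.sha1(h).digest()
    return h.hex()


def store_salted(credentials, rounds=10000):
    """What a salted store looks like: {user: (salt, digest)} with a fresh
    random salt per user, so no table can be shared between users."""
    records = {}
    for user, password in credentials:
        salt = os.urandom(16)
        records[user] = (salt, salted_hash(password, salt, rounds))
    return records


def crack_salted(records, wordlist, rounds=10000):
    """Each user needs its own run over the wordlist, and every guess costs
    `rounds` SHA-1 calls. Returns (cracked, total_sha1_calls)."""
    cracked, calls = {}, 0
    for user, (salt, digest) in records.items():
        for w in wordlist:
            calls += rounds
            if salted_hash(w, salt, rounds) == digest:
                cracked[user] = w
                break
    return cracked, calls


if __name__ == "__main__":
    creds = [("alice", "password"), ("bob", "123456"), ("carol", "Tr0ub4dor&3")]
    leaked = parse_legacy_log(make_legacy_log(creds))
    print("unsalted log cracked:", crack_unsalted(leaked, WORDLIST))
    got, cost = crack_salted(store_salted(creds, 2000), WORDLIST, 2000)
    print("salted store cracked:", got, "after", cost, "SHA-1 calls")
```

Weak passwords still fall to a salted scheme, as the output shows, which is why the statement's planned move to bcrypt (a deliberately slow, salted hash with a tunable cost) is the right direction; the salt removes the shared table, and the work factor makes each remaining guess expensive.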

Even a security company isn't secure... Anyway, if you use Cerberus, check your account for anything unusual, and reset your password from within Cerberus. If you reused that password anywhere else, change it there too: unsalted SHA-1 hashes of common passwords are quick to crack offline.

Source: +Cerberus
