Cerberus is one of the best-known mobile security apps: it can track a phone's location, lock it remotely, and even wipe its data.
However, Cerberus's server was recently breached, and some users' login names and hashed passwords may have been stolen. After breaking in, the attackers read a log file that contained usernames and hashed passwords. Cerberus confirmed that no other personal data (such as e-mail addresses or device information) was accessed.
the attacker(s) were able to gain access to usernames and encrypted passwords for a subset of our users. No other personal data (emails, device information, etc.) has been accessed.
Cerberus reset the passwords of more than 90,000 customers and notified the affected users. Three of those accounts had been accessed by the attackers. As of the 26th, none of the stolen account data has been seen published or circulating.
– The database was not accessed, passwords are hashed and uniquely salted multiple times there, and we will migrate to bcrypt soon
– The attacker was able to access a legacy log file that contained usernames and SHA-1 hashes of passwords, that was generated by the app logins between March 1 and March 21
– We have then deleted the log file, stopped the legacy logging procedure, invalidated the passwords for the accounts present in the log and notified the users involved
– A total of 96564 accounts had their password reset and have been notified with the email communication above. These accounts have not been accessed in any way.
– A total of 3 accounts were accessed by the attackers, before we blocked their activity and reset the passwords. Those 3 users were notified before the others with a different email communication.
– As of March 26, none of the data obtained by the attacker was released publicly, that we know of.
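The statement above describes the failure mode exactly: the database itself used salted hashes, but a legacy login log captured usernames next to plain SHA-1 digests, and that log is what the attacker read. The following is an added illustration, not Cerberus's code, of the two defensive controls a team would put in place afterwards: a logging filter that scrubs credential material before it is written, plus an audit routine for existing logs, and per-user salted password storage with a slow KDF. It assumes Python's standard library only; PBKDF2 stands in for the bcrypt the statement mentions, and the log lines, usernames and digests are constructed samples.

```python
"""Added illustration (not Cerberus's code): keep credential material out of
application logs, audit legacy logs for leaked hashes, and store passwords with
a per-user salt and a slow KDF. PBKDF2 from the standard library stands in for
the bcrypt mentioned in the statement; all sample data is constructed."""
import hashlib
import hmac
import logging
import os
import re

# A bare 40-hex-character token is what a SHA-1 digest looks like in a log line.
SHA1_HEX = re.compile(r"\b[0-9a-f]{40}\b", re.IGNORECASE)
# key=value fields that must never reach a log, whatever the value is.
SECRET_FIELD = re.compile(r"(?i)\b(password|passwd|pwd|hash|token)=([^\s,;]+)")


class RedactCredentials(logging.Filter):
    """Logging filter that scrubs secret fields and hash-shaped tokens.

    Attach it to every handler so a 'legacy' login log cannot accumulate
    usernames next to password hashes in the first place.
    """

    def filter(self, record: logging.LogRecord) -> bool:
        msg = record.getMessage()            # interpolate args first
        msg = SECRET_FIELD.sub(r"\1=[REDACTED]", msg)
        msg = SHA1_HEX.sub("[REDACTED-HASH]", msg)
        record.msg, record.args = msg, ()
        return True                          # keep the (now scrubbed) record


def redact(message: str) -> str:
    """Run one message through the filter and return what would be written."""
    record = logging.LogRecord("app", logging.INFO, "app.py", 0, message, None, None)
    RedactCredentials().filter(record)
    return record.getMessage()


def find_leaked_hashes(log_lines):
    """Audit existing logs: return (line_no, username, digest) for every line
    that pairs a username with a bare SHA-1-shaped digest."""
    hits = []
    for line_no, line in enumerate(log_lines, 1):
        digest = SHA1_HEX.search(line)
        if not digest:
            continue
        user = re.search(r"(?i)\buser(?:name)?=([^\s,;]+)", line)
        hits.append((line_no, user.group(1) if user else None, digest.group(0)))
    return hits


# Constructed sample in the shape of the legacy login log the statement describes.
LEGACY_LOG = [
    "Mar 01 10:00:01 login ok user=alice hash=0123456789abcdef0123456789abcdef01234567",
    "Mar 01 10:00:05 login failed user=bob reason=bad_password",
    "Mar 02 11:12:13 login ok user=carol hash=89abcdef0123456789abcdef0123456789abcdef",
]


def hash_password(password: str, iterations: int = 100_000) -> str:
    """Salted, iterated hash for storage. A fresh 16-byte salt per user means
    two users with the same password get different digests and a stolen table
    cannot be attacked with one precomputed list. bcrypt/argon2 are preferable
    in production; PBKDF2 is used here only because it ships with Python."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _algo, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    for hit in find_leaked_hashes(LEGACY_LOG):
        print("leaked credential material at line %d (user %s)" % hit[:2])
    print(redact(LEGACY_LOG[0]))
    stored = hash_password("correct horse battery staple")
    print(verify_password("correct horse battery staple", stored))
```

Running the audit over the constructed log flags lines 1 and 3 (alice and carol), which is the kind of finding that should trigger the same response the statement lists: delete the log, stop the logging path, invalidate the affected passwords. The filter is the preventive half; once it is attached to every handler, a login message still says which user authenticated but never carries the hash.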
Even security companies aren't safe... Anyway, if you use Cerberus, keep an eye on your account for anything unusual; you can also reset your password from within Cerberus.
Source: +Cerberus