Cerberus is one of the best-known phone security apps: it can track a phone's location, lock it remotely, and even wipe its data.
However, Cerberus's server was recently breached, and some users' login names and encrypted passwords may have been stolen. After breaking into Cerberus, the attacker read a log file containing usernames and encrypted passwords. Cerberus confirmed that no other personal data (such as email addresses or device information) was accessed.
the attacker(s) were able to gain access to usernames and encrypted passwords for a subset of our users. No other personal data (emails, device information, etc.) has been accessed.
Cerberus reset the passwords of more than 90,000 customers and notified the affected users. Three of those accounts had been accessed by the attacker. As of the 26th, none of the stolen account data had been seen published or circulating.
– The database was not accessed, passwords are hashed and uniquely salted multiple times there, and we will migrate to bcrypt soon
– The attacker was able to access a legacy log file that contained usernames and SHA-1 hashes of passwords, that was generated by the app logins between March 1 and March 21
– We have then deleted the log file, stopped the legacy logging procedure, invalidated the passwords for the accounts present in the log and notified the users involved
– A total of 96564 accounts had their password reset and have been notified with the email communication above. These accounts have not been accessed in any way.
– A total of 3 accounts were accessed by the attackers, before we blocked their activity and reset the passwords. Those 3 users were notified before the others with a different email communication.
– As of March 26, none of the data obtained by the attacker was released publicly, that we know of.
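The statement above describes two things worth seeing side by side: the flaw (a login log that recorded usernames next to bare SHA-1 hashes of passwords, a fast unsalted hash that is as good as the password for offline guessing) and the fix (salted, slow password hashing in the database and no secrets in logs). The following is an added example, not Cerberus's code; it assumes a hypothetical `user=... sha1=...` log format and uses scrypt from the standard library as a stand-in for the bcrypt they mention.

```python
import hashlib
import hmac
import os
import re

# Hypothetical log format, constructed for this example.
SHA1_HEX = re.compile(r"\b[0-9a-f]{40}\b")
USER_FIELD = re.compile(r"user=(\S+)")

def legacy_login_record(user, password):
    """The flawed 'before': logs a bare, unsalted SHA-1 of the password.
    Kept only so the audit below has something realistic to detect."""
    return f"login user={user} sha1={hashlib.sha1(password.encode()).hexdigest()}"

def safe_login_record(user, ok):
    """Hardened replacement: record the event outcome, never any form of the secret."""
    return f"login user={user} result={'ok' if ok else 'fail'}"

def find_credential_hashes(lines):
    """Audit helper for existing logs: return (line_no, username) for every line
    that carries a 40-hex token, i.e. a leaked fast hash of a password."""
    hits = []
    for n, line in enumerate(lines, 1):
        if SHA1_HEX.search(line):
            m = USER_FIELD.search(line)
            hits.append((n, m.group(1) if m else None))
    return hits

def store_password(password, n=2**14):
    """Per-user random salt plus a memory-hard KDF (scrypt stands in for bcrypt,
    which is not in the standard library). Returns (salt, digest) for the DB row."""
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=n, r=8, p=1)
    return salt, digest

def verify_password(password, salt, digest, n=2**14):
    """Recompute with the stored salt and compare in constant time."""
    cand = hashlib.scrypt(password.encode(), salt=salt, n=n, r=8, p=1)
    return hmac.compare_digest(cand, digest)

if __name__ == "__main__":
    # Constructed sample log: two legacy lines and one hardened line.
    log = [legacy_login_record("alice", "constructed-pw-1"),
           legacy_login_record("bob", "constructed-pw-2"),
           safe_login_record("carol", True)]
    for line_no, user in find_credential_hashes(log):
        print(f"line {line_no}: credential hash logged for user {user}")
```

Run the audit over any long-lived login log before assuming it is safe to retain; a clean result from `find_credential_hashes` is the condition the "stopped the legacy logging procedure" step should leave behind.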
Even security companies aren't safe... Anyway, if you use Cerberus, keep an eye on your account for anything unusual; you can also reset your password from within Cerberus.
Source: +Cerberus