At a glance.

  • Hackers lock Experian users out of their own accounts.
  • Manga fans exposed in cartoon app data breach.

Hackers lock Experian users out of their own accounts.

A series of account hacks at Experian indicate that in some cases, a strong password can do little to stop a cybercriminal. KrebsOnSecurity explains that readers have reported having their accounts at the credit bureau hacked, with the attacker replacing the associated email address, making any attempt at a password reset futile. What’s more, the users had relied on password managers to select strong, unique passwords. It appears the hackers were able to hijack the accounts by registering for new Experian accounts using the victim’s personal information and a different email address. 

In at least one case, the attackers went so far as to change the account PIN and security questions to ensure the victim could not recover access. Though the victims were eventually able to create new accounts, they have little confidence they won’t be hijacked again, especially given that Experian doesn’t provide multi-factor authentication. Experian says the users’ experiences were isolated incidents, and that typically if someone attempts to make changes to an account, the system notifies the original account holder via email. “We go beyond reliance on personally identifiable information (PII) or a consumer’s ability to answer knowledge-based authentication questions to access our systems,” Experian stated. “We do not disclose additional processes for obvious security reasons; however, our data and analytical capabilities verify identity elements across multiple data sources and are not visible to the consumer…We take consumer privacy and security seriously, and we continually review our security processes to guard against constant and evolving threats posed by fraudsters.”

Manga fans exposed in cartoon app data breach.

Data breach notification service Have I Been Pwned (HIBP) says that comic reading platform Mangatoon experienced a data breach compromising the data of 23 million user accounts, Bleeping Computer reports. “Mangatoon had 23M accounts breached in May. The breach exposed names, email addresses, genders, social media account identities, auth tokens from social logins and salted MD5 password hashes,” HIBP tweeted. Infamous hacker pompompurin says he stole the data from an Elasticsearch database that was improperly secured, allegedly protected only with the embarrassingly popular password – you guessed it – “password.” The hacker says he plans to eventually leak the data as opposed to selling it. Both HIBP and Bleeping Computer reached out to Mangatoon for response, to no avail.