Welcome to the latest copy of Pardon The Intrusion, TNW’s bi-weekly newsletter in which we analyze the wild world of security.

And the yearly ritual continues.

The list of worst passwords for 2020 is here, and it’s every bit awful as you would expect.

According to an assay of 275,699,516 passwords by NordPass, a countersign administrator annual from the makers of NordVPN, it’s acceptable amply clear that a lot of people are still cyberbanking on simple, easy-to-guess passwords admitting the connected threat of data breaches and other aegis threats.

Coming in at number one is “123456,” and it was used 2,543,285 times. Ouch!

“123456789,” “picture1,” “password,” and “12345678” round up the actual top four spots, with “picture1” being the lone new aspirant that would take about three hours to crack using a brute-force attack.

But a countersign aggregate of belletrist and numbers is still a weak countersign as long as it can be deciphered.

“Your weak countersign can be used for credential capacity attacks, where the breached logins are used to gain crooked access to user accounts,” says Chad Hammond, aegis expert at NordPass.

“If you fall victim to a credential capacity attack, you might lose your Facebook or addition important annual with all its content. Also, your email abode could be used for phishing attacks or for scamming your family and friends, who may very well fall for it, as the email will allegedly be coming from you.”

I get it. Remembering unique, strong passwords for a gazillion online accounts isn’t easy, abnormally this year with the shift to remote work.

In a abstracted study appear by NordPass last month, an boilerplate user was appear to have around 100 passwords, up 25% from last year. That’s a lot to keep track of!

So what can be done to beef up your security? Use a countersign administrator and turn on two-factor affidavit wherever possible. At the same time, don’t make the same mistake I did by not noting down the backup codes.

What’s trending in security?

US President Trump fired the director of the Cybersecurity and Infrastructure Aegis Agency, Bumble and Cisco fixed analytical bugs, and Zoom agreed to enhance its aegis policies after falsely claiming its video calls were adequate by end-to-end encryption.

  • US President Donald Trump fired Chris Krebs, administrator of the Cybersecurity and Infrastructure Aegis Agency (CISA), for calling the recent November 3rd elections “the most secure in American history.” [Twitter]
  • Back in September, a German hospital accommodating died in what was declared to be the first case of a ransomware attack anon amenable for a death. But analysis into the “negligent homicide” case has now appear the patient’s health action was so poor “the delay was of no appliance to the final outcome.” [WIRED]
  • Twitter hired allegorical hacker and L0pht aggregate member Peiter “Mudge” Zatko as its aegis chief. [Reuters]
  • Muslim Pro, a accepted Muslim prayer and Quran app with over 98 actor downloads, said it will no longer share diminutive area data with X-Mode, a aggregation that sells that data to aegis contractors and the US military. [Vice]


  • The US Justice Department (DoJ) seized $1 billion in Bitcoin from an bearding hacker by the name of “Individual X,” who stole it from the Silk Road dark web exchange before it was shut down by the FBI in 2013. [DoJ]
  • Certificate Authority Let’s Encrypt has warned that phones active Android versions prior to 7.1.1 Nougat won’t trust its root affidavit starting in 2021, locking them out of many secure websites. [TNW]
  • Security flaws in the Bumble dating app apparent 95 actor users’ info, including some people’s Facebook data. Worse, it took the aggregation over six months to abode the issue after it was notified in March. [Forbes]
  • Cisco fixed a bug in its Webex conferencing app that could have accustomed counterfeit remote attackers to join advancing affairs as “ghost” participants and spy on potentially acute aggregation secrets. [IBM]
  • Zoom agreed to enhance its aegis behavior as part of a proposed adjustment with the US Federal Trade Commission (FTC), after the aggregation was accused of falsely claiming its video calls were adequate by end-to-end encryption. [FTC]


  • Ransomware gangs have blogs where they broadcast data stolen from companies that refuse to make an extortion payment. Now, a crime group has started using hacked Facebook accounts to run ads about pressuring their ransomware victims into paying up. [Krebs on Security]
  • Criminal gangs that offer ransomware-as-a-service (RaaS), aka renting ransomware to other groups, have grown so accepted that there are currently around 25 RaaS offerings being advertised on the underground hacking scene. [Intel 471]
  • The European Parliament appear new rules for exporting surveillance technologies, such as spyware, alfresco of the EU. The ambition is to limit absolute regimes from secretly accepting their hands on European cyber-surveillance tools. [CyberScoop]
  • A hacking group that advisers accept is alive for Vietnam’s government ran almost twenty fake websites and several Facebook pages in an attack to gather advice on visitors and infect some of them with malware. [Volexity]
  • The last fortnight in data breaches, leaks and ransomware: Americold, Big Basket, Brazil’s Superior Court of Justice, Campari, Capcom, Cencosud, Coil, Compal, Managed.com, Miltenyi Biotec, The North Face, and Vertafore.

Data Point

Healthcare systems, educational institutions, and private sector firms are fighting a steady stream of hackers, who are locking analytical systems and aggressive to broadcast acute advice if their demands are not met.

Now according to Sophos 2021 threat report, several ransomware operators have taken up extortion as a side-hustle. What’s more, entry level cybercriminals having access to ransomware-as-a-service (RaaS) type tools are set to become a more alarming threat.

Over the past quarter, the boilerplate ransom payout has risen by 21%, a figure the firm said can be skewed by just one or two very large ransom attacks. The boilerplate ransom payout for Q3 2020 is about $233,817.30 (payable in cryptocurrency). A year ago, the boilerplate payout was $84,116.

That’s it. See you all in two weeks. Stay safe!

Read next: Facebook patches a Messenger bug that accustomed others to snoop on your calls