Update: Hacker Disclosed 4 New Microsoft Zero-Day Exploits in Last 24 Hours


Less than 24 hours after publicly disclosing an unpatched zero-day vulnerability in Windows 10, the anonymous hacker going by online alias “SandboxEscaper” has now dropped new exploits for two more unpatched Microsoft zero-day vulnerabilities.

The two new zero-day vulnerabilities affect Microsoft’s Windows Error Reporting service and Internet Explorer 11.

Just yesterday, while releasing a Windows 10 zero-day exploit for a local privilege escalation bug in the Task Scheduler utility, SandboxEscaper claimed to have discovered four more zero-day bugs, exploits for two of which have now been publicly released.

AngryPolarBearBug2 Windows Bug

One of the latest Microsoft zero-day vulnerabilities resides in the Windows Error Reporting service that can be exploited using a discretionary access control list (DACL) operation—a mechanism that identifies users and groups that are assigned or denied access permissions to a securable object.

Upon successful exploitation, an attacker can delete or edit any Windows file, including system executables, which otherwise only a privileged user can do.

Dubbed AngryPolarBearBug2 by the hacker, the vulnerability is a successor to a previous Windows Error Reporting service vulnerability she found late last year, which was named AngryPolarBearBug and allowed a local, unprivileged attacker to overwrite any chosen file on the system.

However, as SandboxEscaper says, this vulnerability is not very easy to exploit, and it “can take upwards of 15 minutes for the bug to trigger.”

“I guess a more determined attacker might be able to make it more reliable,” the hacker said. “It is just an insanely small window in which we can win our race; I wasn’t even sure if I could ever exploit it at all.”

Internet Explorer 11 Sandbox Bypass

The second Microsoft zero-day vulnerability revealed today by SandboxEscaper affects Microsoft’s web browser, Internet Explorer 11 (IE11).

Though the exploit note doesn’t contain any detail about this flaw, a video demonstration released by the hacker shows the vulnerability exists due to an error when the vulnerable browser handles a maliciously crafted DLL file.

This would eventually allow an attacker to bypass the IE Protected Mode sandbox and execute arbitrary code with Medium integrity permissions.

Though none of the three unpatched zero-day vulnerabilities SandboxEscaper released within the last 24 hours is rated critical, users can expect security updates from Microsoft on 11 June, the company’s next Patch Tuesday.

SandboxEscaper has a history of releasing fully functional zero-day exploits for the Windows operating system. Last August, she debuted another Windows Task Scheduler vulnerability on Twitter, which hackers quickly started exploiting in the wild in a spy campaign after disclosure.

Later, in October 2018, the hacker released an exploit for a then-zero-day vulnerability in Microsoft’s Data Sharing Service (dssvc.dll), which she dubbed “Deletebug.” In December 2018, she released two more zero-day vulnerabilities in the Windows operating system.

You can expect two more Microsoft zero-day vulnerabilities from SandboxEscaper in the coming days, as she promised to release them.

Important Update — Two More 0-Day Exploits Published

Gal De Leon, a principal security researcher at Palo Alto Networks, revealed in a tweet that the AngryPolarBearBug2 bug is not a zero-day: Microsoft had already patched it, as CVE-2019-0863, in its May 2019 Patch Tuesday security updates.

However, SandboxEscaper has just released PoC exploits for two more unpatched zero-day vulnerabilities in Microsoft Windows, bringing the number of zero-day disclosures in the past 24 hours to four.

The first exploit bypasses the patch Microsoft released for an elevation of privilege vulnerability (CVE-2019-0841) in Windows, which arose because the Windows AppX Deployment Service (AppXSVC) improperly handled hard links.

Another repository on GitHub has been labeled as a new “Installer Bypass” issue by SandboxEscaper.

Though the hacker has released video demonstrations for both new flaws as well, security researchers have yet to confirm the claims.

Tor Browser for Android — First Official App Released On Play Store


Woohoo! Great news for privacy-focused users.

Tor Browser, the most popular privacy-focused browser, for Android is finally out of beta, and the first stable version has now arrived on Google Play Store for anyone to download.

The Tor Project announced Tuesday the first official stable release of its ultra-secure internet browser for Android devices, Tor Browser 8.5—which you can now download for FREE on your mobile devices from Google Play Store.

Tor Browser is mostly used by privacy-focused people, activists, journalists, and even cyber criminal gangs to avoid government monitoring. It allows users to browse the Internet anonymously, by hiding their IP addresses and identity, through a network of encrypted servers that bounce their web requests around multiple intermediate links.

Access to the Tor anonymity network was previously available on the Android mobile operating system only through other apps or browsers such as Orbot/Orfox, but you can now use the official Tor Browser, built on Firefox, on your mobile device.

The first alpha build of Tor Browser was released by the Tor Project back in September last year, and since then, the developers have worked hard to provide the same protections users get on the desktop variant to the Android platform as well.

“Mobile browsing is increasing around the world, and in some parts, it is commonly the only way people access the internet,” the Tor Project wrote in a blog post. “In these same areas, there is often heavy surveillance and censorship online, so we made it a priority to reach these users.”

According to the Tor Project developers, Tor Browser for Android is not yet as complete as its desktop version, but it already ships security features such as no proxy bypass, first-party isolation enabled to block cross-site tracking, and other anti-fingerprinting defenses.

“While there are still feature gaps between the desktop and Android Tor Browser, we are confident that Tor Browser for Android provides essentially the same protections that can be found on desktop platforms,” the Tor Project said.

In the notification area of your Android device, Tor Browser offers a quick “New Identity” button that immediately clears your current Tor session, including various caches and other state, without reopening the app or restarting Tor.

Besides the Android release, the Tor Project also announced the release of a couple of new features in the latest Tor Browser version, like extra tabs, new logos, and user interface improvements.

The Tor Project also said the Tor browser would continue to be missing from the iOS platform, as Apple continues to restrict all third-party browsers and forces browser makers to use its own engine. However, iPhone and iPad users can still use Onion Browser to access the Tor network.

5 Cybersecurity Tools Every Business Needs to Know


Cybersecurity experts all echo the same thing – cyber attacks are going to get more rampant, and they will continue to pose severe threats against all technology users.

Businesses, in particular, have become prime targets for cybercriminals due to the nature of data and information they process and store.

2018 saw a slew of data breaches targeting large enterprises that resulted in the theft of the personal and financial records of millions of customers.

Falling victim to cyber attacks can deal a major financial blow to businesses, as the cost of dealing with an attack has risen to $1.1 million on average. It can be even more devastating for small to medium-sized businesses.

60 percent of these smaller operations close within six months after failing to recover from cyber attacks. But aside from these monetary costs, companies can also lose credibility and their customers’ confidence.

Needless to say, businesses must improve the protection of their infrastructures and networks against cyber attacks.

Fortunately, the cybersecurity space has been continually working on developments to keep pace with evolving threats. Here are five tools that businesses should consider adding to their arsenal to boost their defenses.

Log Analysis — XpoLog


Companies must know what is exactly happening within their infrastructures. Fortunately, computers and digital devices have logging mechanisms built in that record most, if not all, computing processes that transpire within them. Logs can reveal patterns and trends that can be indicative of a security breach or malware infestation.

However, since log files are essentially dumps of information stored in plain text format, performing log analyses manually can be a painstaking process.

A way to effectively tap into logs is by using a log analysis tool like XpoLog. The solution collects log files from sources such as servers, endpoints, and applications in real time.

Using artificial intelligence (AI), it then parses and analyzes the information contained in these logs in order to identify alarming patterns. Insights generated from the analysis can readily inform administrators of any problems that warrant attention.

Application and Data Protection — Imperva


Attackers are constantly probing infrastructures, so it’s critical to have mechanisms that immediately prevent malicious traffic from accessing key network resources such as web applications and databases.

This can be done through the use of web application firewalls (WAFs) and data protection services.

Imperva has been a leading name in WAF and distributed denial-of-service (DDoS) attack mitigation. Most organizations now maintain hybrid infrastructures consisting of on-premises devices and cloud components such as instances, storage, and data warehouses.

Imperva’s WAF can be deployed to protect these resources. It profiles traffic and transactions and blocks malicious requests and actions before they reach these components.

Penetration Testing — Metasploit


Integrating security tools into the infrastructure is one thing; checking if they actually work is another.

Companies shouldn’t wait for actual cyber attacks to happen to find out if their solutions are properly implemented. They can be proactive and test their defenses themselves.

Administrators can perform penetration testing by using frameworks such as Metasploit. It’s an open source tool that can be configured to scan for exploitable vulnerabilities and even deploy a payload to vulnerable systems.

Metasploit also features select evasion tools that could potentially circumvent existing security measures. It can be used on Windows, Linux, and Mac OS X systems.

Discovering gaps in security gives companies a chance to remedy these issues before an actual attack strikes.

Anti-Phishing — Hoxhunt


The human element continues to be the biggest vulnerability in a company’s cybersecurity chain.

Over 90 percent of security breaches are found to be caused by human error. This is why cybercriminals still actively employ social engineering attacks such as phishing to try and compromise infrastructures.

Such attacks trick users into giving up their credentials or installing malware into their systems.

Hoxhunt addresses this by teaching users how to check whether an email is a phishing message or a website is malicious.

Companies can train users using simulated phishing attacks. Hoxhunt’s AI-driven engine even personalizes these simulations to mimic how real-world attacks look.

Users can report these attacks through a special plugin, and they get immediate feedback on how well they’ve performed.

Fraud Detection — Riskified


Not all attacks seek to breach and steal information from companies. Businesses also have to be wary of fraud attacks.

Hackers and fraudsters now have access to millions of valid personal and financial records from previous data breaches, which they can easily use to abuse businesses’ e-commerce channels, costing merchants billions of dollars globally.

Solutions like Riskified offer comprehensive means to prevent online fraud throughout the course of an online transaction.

Riskified uses machine learning to analyze each transaction and only allows legitimate orders to be processed. It also provides a dynamic checkout feature that automatically adjusts based on a customer’s risk profile, providing various means for customers to verify their purchases.

For instance, a customer with a higher risk profile may be asked to perform additional verification steps without denying transactions outright.

Investments Required

An effective cybersecurity strategy demands that businesses cover all possible areas that can be exploited by attackers. This requires adopting a comprehensive set of tools and solutions that keep their infrastructures secure. Implementing and integrating these solutions does require spending.

But considering the costs that falling victim to cyberattacks bring, it’s only prudent to make these investments. It’s simply the reality of doing business in this highly digital landscape.

PoC Exploit For Unpatched Windows 10 Zero-Day Flaw Published Online


An anonymous hacker with an online alias “SandboxEscaper” today released proof-of-concept (PoC) exploit code for a new zero-day vulnerability affecting Windows 10 operating system—that’s his/her 5th publicly disclosed Windows zero-day exploit [1, 2, 3] in less than a year.

Published on GitHub, the new Windows 10 zero-day vulnerability is a privilege escalation issue that could allow a local attacker or malware to run code with administrative system privileges on the targeted machine, eventually allowing the attacker to gain full control of it.

The vulnerability resides in Task Scheduler, a utility that enables Windows users to schedule the launch of programs or scripts at a predefined time or after specified time intervals.

SandboxEscaper’s exploit code makes use of SchRpcRegisterTask, a method in Task Scheduler to register tasks with the server, which doesn’t properly check for permissions and can, therefore, be used to set an arbitrary DACL (discretionary access control list) permission.

“This will result in a call to the following RPC “_SchRpcRegisterTask,” which is exposed by the task scheduler service,” SandboxEscaper said.

A malicious program or a low-privileged attacker can run a malformed .job file to obtain SYSTEM privileges, eventually allowing the attacker to gain full access to the targeted system.

SandboxEscaper also shared a proof-of-concept video showing the new Windows zero-day exploit in action.

The vulnerability has been tested and confirmed to be successfully working on a fully patched and updated version of Windows 10, 32-bit and 64-bit, as well as Windows Server 2016 and 2019.

More Windows Zero-Day Exploits to Come

Besides this, the hacker also teased that he/she still has 4 more undisclosed zero-day bugs in Windows, three of which lead to local privilege escalation while the fourth lets attackers bypass sandbox security.

The details and exploit code for the new Windows zero-day came just a week after Microsoft’s monthly patch updates, which means no patch currently exists for this vulnerability, leaving it open to exploitation and abuse.

Windows 10 users need to wait for a security fix for this vulnerability until Microsoft’s next month security updates—unless the company comes up with an emergency update.

Google Stored G Suite Users’ Passwords in Plain-Text for 14 Years


After Facebook and Twitter, Google becomes the latest technology giant to have accidentally stored its users’ passwords unprotected in plaintext on its servers—meaning any Google employee who has access to the servers could have read them.

In a blog post published Tuesday, Google revealed that its G Suite platform mistakenly stored unhashed passwords of some of its enterprise users on internal servers in plaintext for 14 years because of a bug in the password recovery feature.

G Suite, formerly known as Google Apps, is a collection of cloud computing, productivity, and collaboration tools designed for corporate users, including email hosting for their businesses.

It’s basically a business version of everything Google offers.

The flaw, which has now been patched, resided in the password recovery mechanism for G Suite customers. That mechanism lets enterprise administrators upload or manually set passwords for any user of their domain without knowing the users’ previous passwords, which helps businesses with on-boarding employees and with account recovery.

If an admin set or reset a password this way, the admin console stored a copy of that password in plain text instead of keeping only a hash, Google revealed.

“We made an error when implementing this functionality back in 2005: The admin console stored a copy of the unhashed password,” Google says.

However, Google also says that the plain text passwords were stored not on the open Internet but on its own secure encrypted servers and that the company found no evidence of anyone’s password being improperly accessed.

“This practice did not live up to our standards. To be clear, these passwords remained in our secure encrypted infrastructure,” Google says. “This issue has been fixed, and we have seen no evidence of improper access to or misuse of the affected passwords.”

Google also clarifies that the bug was restricted to users of its G Suite apps for businesses and that no free version of Google accounts like Gmail were affected.

The company did not disclose how many users might have been affected by this bug beyond saying the issue affected “a subset of our enterprise G Suite customers.” With more than 5 million G Suite enterprise customers, however, the bug could affect a large number of users — presumably any user whose password was set by an admin over the last 14 years.

In order to address the issue, Google has since removed the capability from G Suite administrators and emailed them a list of impacted users, asking them to ensure that those users reset their passwords.

Google says the company would be automatically resetting passwords for those users who do not change their passwords.

“Out of an abundance of caution, we’ll reset accounts that have not done so themselves,” the tech giant says.

Google is the latest tech company to accidentally store unhashed passwords on its internal servers. Recently, Facebook was in the news for storing plaintext passwords for hundreds of millions of its users, both Instagram and Facebook, on its internal servers.

Almost a year ago, Twitter also reported a similar security bug that unintentionally exposed passwords for its 330 million users in readable text on its internal computer system.

Hacking and Cyber Security Certification Training Bundle 2019 (10 Courses)


The world of cybersecurity is fast-paced and ever-changing. New attacks are unleashed every day, and companies around the world lose millions of dollars as a result.

The only thing standing in the way of cybercrime is a small army of ethical hackers.

These cybersecurity experts are employed to find weaknesses before they can be exploited. It’s a lucrative career, and anyone can find work after the right training.

According to the Bureau of Labor Statistics, demand for cyber security experts will expand rapidly over the next three or four years. If you want to build a career in the industry, now is the time to take action.

Do you also want to learn real-world hacking techniques but don’t know where to start?

This week’s THN deal is for you — 2019 Ethical Hacker Master Class Bundle.

This latest training bundle includes the 10 courses listed below, with over 180 hours of content across 1395 in-depth online lectures, helping you master all the fundamentals of cybersecurity and prepare for important certification exams.

  1. Ethical Hacker Training: Explore common hacking attacks and cyber defenses in an intuitive, Lab-filled environment.
  2. Cyber Threat Intelligence Analyst: Expose cyber threats and take them down as a threat intelligence expert.
  3. Ethical Hacker Bootcamp: Get up to speed with penetration testing, intrusion detection and more in this wall-to-wall bootcamp.
  4. Ethical Hacking With Python: Dive into Python programming and discover its ethical hacking applications.
  5. Advanced Persistent Threat Analyst: Fight back against advanced malware with a deep dive into today’s cyber threats.
  6. Computer Hacker & Forensic Investigator Training: Put hackers behind bars with a detailed look at investigating cyber crimes.
  7. CompTIA A+ Certification Prep: Ignite your IT career as you prep for this essential cybersecurity certification.
  8. CompTIA Security+ Certification Prep: Master the network security essentials and prepare to certify your skills.
  9. CompTIA Network+ Certification Prep: Bolster your cybersecurity skills with a deep dive into the networking essentials.
  10. Security Analyst Training: Fix network vulnerabilities before they’re exploited as a penetration tester.

The training includes full prep for three CompTIA exams: A+, Security+ and Network+. These certifications are essential for anyone who wants to work in cybersecurity and are highly valued in other technical roles.

Just as importantly, this bundle helps you stand out in the job market, and over 2400 students from all around the world have already joined this training program so far.

You can get lifetime access to this huge learning library for just $39 — that’s after a special 99% discount for The Hacker News readers.

You will learn through concise video lessons, and each course provides plenty of hands-on experience.

Along the way, you learn how to set up your secure workflow and perform penetration tests on multiple platforms. The training also looks at intrusion detection, policy creation, social engineering, DDoS attacks, and much more. You even pick up some useful Python programming skills along the way.

There is no time limit on any of the courses, and you can stream the tutorials on both mobile and desktop devices.

Get lifetime access to “Ethical Hacker Master Class Bundle” now for only $39.

WEBINAR: How to Get Enterprise Cyber Security for your Mid-Sized Organization


A high-quality cybersecurity posture is typically regarded as the exclusive domain of large, well-resourced enterprises – those who can afford a multi-product security stack and a skilled security team to operate it.

This implies a grave risk to all organizations who are not part of this group, since the modern threat landscape applies to all, regardless of size and vertical.

What is less commonly known is that by following basic and well-defined practices and wise security product choices, any organization can level up its defenses to a much higher standard.

“At the end of the day it comes down to strategic planning,” says Eyal Gruner, CEO and co-founder of Cynet, “rather than thinking in terms of a specific product or need, zoom out and break down the challenge to its logical parts – what do you need to do proactively on an on-going basis, while you’re under attack and when you manage a recovery process.”

Among the various frameworks of security best practices, the most prominent one is the NIST cybersecurity framework, which suggests the following pillars:

  • Identify – know your environment and proactively search for weak links attackers might target. Such links can include unpatched apps, weak user passwords, misconfigured machines, carelessly used admin accounts, and others.
  • Protect – security technologies that automatically block attempted malicious activity. The prominent examples here are AV and firewalls. However, since these cannot efficiently confront the more advanced threats, one should always assume that a certain portion of active attacks will bypass them.
  • Detect – security technologies that address the attacks that successfully evaded prevention and are alive within the targeted environment, ideally as early as possible in the attack lifecycle.
  • Respond – security technology that takes charge from the point an active attack is detected and validated, enabling defenders to understand the attack’s scope and impact and to eliminate the malicious presence from all parts of the environment.
  • Recover – restore all compromised entities as close as possible to their pre-attack stage. Achieving this has much to do with proactive steps such as having backups and implementing disaster recovery workflows in the context of cyber attacks.

At first glance it seems as if adequately addressing all these pillars is complex, with at least one security product for each, says Gruner, and unfortunately there are many organizations that try to take that path.

Usually, the end result is a patchwork of many products that don’t talk to each other and become heavy resource consumers.

The Cynet 360 platform radically simplifies working with the NIST guidelines. The various security technologies Cynet natively integrates are easily matched to each step in the NIST framework:

  • vulnerability assessment and asset management to Identify;
  • NGAV and network analytics prevention to Protect;
  • EDR, UBA, and deception to Detect; and
  • the wide array of manual and automated remediation to Respond.

“Our goal,” continues Gruner, “was to make cybersecurity easy and manageable – being able to address most needs with one platform is a major part of our vision.”

Learn more on how Cynet addresses the NIST cybersecurity framework in their webinar next week on May 29th, 2019, 1:00 PM EDT – Security for all – How to Get Enterprise-Grade Security for Your Mid-Sized Organization.

Register Now to secure your place!

Core Elastic Stack Security Features Now Available For Free Users As Well


Elastic, the company behind the most widely used enterprise search engine ElasticSearch and the Elastic Stack, today announced that it has decided to make core security features of the Elastic Stack free and accessible to all users.

ELK Stack, or Elastic Stack, is a collection of three powerful open source projects—Elasticsearch, Logstash, and Kibana—that many large and small companies use to format, search, analyze, and visualize large amounts of data in real time.

In recent months, we have seen how thousands of insecure, poorly configured Elasticsearch and Kibana servers left millions of users’ sensitive data exposed on the Internet.

Since the free version of Elastic Stack ships with no authentication or authorization mechanism enabled by default, many developers and administrators fail to properly implement these important security features manually.

The core security features—such as encrypted communication, role-based access control, and authentication realms—previously required a paid Gold subscription, but the latest versions 6.8.0 and 7.1.0 of the Elastic Stack, released today, offer these features for free so that everyone can run a fully secured cluster without any hassle.

Here’s the list of core security features that are now free in the latest Elastic Stack versions as a part of the Basic tier:

  • TLS (Transport Layer Security) for encrypted communications.
  • File and native realm for creating and managing users.
  • Role-based access control for controlling users’ access to cluster APIs and indexes; also allows multi-tenancy for Kibana with security for Kibana Spaces.

These features now make it possible for users to “encrypt network traffic, create and manage users, define roles that protect index and cluster level access, and fully secure Kibana with Spaces.”

However, the company clarifies that its advanced security features like single sign-on, Active Directory/LDAP authentication, attribute-based access control, and field-level and document-level security remain available only for paid customers.

You can download versions 6.8.0 or 7.1.0 of the Elastic Stack to take advantage of the security features.
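As an added example that is not part of the original article or of Elastic’s own documentation, the following elasticsearch.yml fragment shows the default (security off) state beside the settings that turn on the now-free core features on a 7.1.0 node. It assumes a PKCS#12 file named elastic-certificates.p12 was generated with the bundled elasticsearch-certutil tool and placed in the config directory (the file name is an assumption).

```yaml
# elasticsearch.yml (added example; settings below are the Elastic
# xpack.security.* options, the certificate file name is an assumption)

# --- Weak: what a Basic-tier 7.1.0 node runs with when nothing is set ---
# Security ships in the free tier but is disabled, so every HTTP and
# transport request is accepted anonymously and travels in cleartext.
# This is the misconfiguration behind the exposed clusters described above.
#
# xpack.security.enabled: false

# --- Corrected: enable the free core security features ---
xpack.security.enabled: true

# Encrypt node-to-node (transport) traffic. With security enabled on a
# multi-node cluster this is mandatory; the node refuses to start otherwise.
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12   # assumed name
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12 # assumed name

# Encrypt client (REST/HTTP) traffic so credentials and query results do
# not cross the wire in the clear. Reuses the same PKCS#12 file for brevity;
# a separate server certificate is the usual choice in production.
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: elastic-certificates.p12        # assumed name
xpack.security.http.ssl.truststore.path: elastic-certificates.p12      # assumed name

# Authentication realms: the free tier includes the file realm (users kept in
# config/users) and the native realm (users managed via the security API).
# Both are active by default once xpack.security.enabled is true, so no
# extra realm block is needed; it is shown here only to make the order explicit.
xpack.security.authc.realms:
  file:
    file1:
      order: 0
  native:
    native1:
      order: 1
```

After restarting with this configuration, set the built-in user passwords with bin/elasticsearch-setup-passwords interactive, then define least-privilege roles through the role-based access control API and point Kibana at a dedicated user rather than the superuser.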

US Tech Giants Google, Intel, Qualcomm, Broadcom Break Up With Huawei


Google has reportedly suspended all businesses with the world’s second-biggest smartphone maker, Huawei, and revoked its Android license effective immediately—a move that will have a drastic impact on Huawei devices across the globe.

Revoking the Android license means Huawei’s future smartphones will no longer have access to Android updates and apps like Gmail or the Play Store, or to Google technical support beyond the services that are publicly available via open source licensing, Reuters reports.

Why? Because last week, U.S. President Donald Trump signed an executive order declaring a national emergency and banning foreign companies—over surveillance fears—from doing telecommunications business in the United States without the government’s approval.

About the executive order, White House Press Secretary Sarah Sanders said in a statement that President Trump “has made it clear that this Administration will do what it takes to keep America safe and prosperous, and to protect America from foreign adversaries who are actively and increasingly creating and exploiting vulnerabilities in information and communications technology infrastructure and services in the United States.”

The Trump administration added Huawei Technologies Co Ltd and some 68 affiliates to its so-called “Entity List”—a list of companies that American firms like Qualcomm, Intel, and Google cannot trade with unless they have an approval from the U.S. government.

As a result, not just Google but also three of the world’s leading chip makers—Intel, Qualcomm, and Broadcom—are reportedly cutting off their trade with Huawei, effective immediately.

However, that doesn’t mean that the current Huawei smartphone users will be cut off entirely from Google services.

In a statement via Android’s official Twitter account, the company says current Huawei smartphones will continue having access to services like Google Play and security from Google Play Protect. However, they won’t receive any future OS updates, like the upcoming Android Q.

“For Huawei users’ questions regarding our steps to comply w/ the recent U.S. government actions: We assure you while we are complying with all U.S. gov’t requirements, services like Google Play & security from Google Play Protect will keep functioning on your existing Huawei device,” Google’s Android account tweeted.

However, future Huawei devices will continue to have access to the Android operating system version available through the Android Open Source Project (AOSP), which is available for free to anyone.

It seems like Huawei has been prepared for “worst-case scenarios,” specifically for the event of being banned from using Android, and has already been working on its own operating system, Huawei executive Richard Yu said in an interview with Die Welt.

Hackers Breach Stack Overflow Q&A Site, Some Users’ Data Exposed


Note: We have updated this story to reflect new information after Stack Overflow changed its original announcement and shared more details on the security incident.

Stack Overflow, one of the largest question and answer sites for programmers, revealed today that unknown hackers managed to exploit a bug in its development tier and then, almost a week later, gained unauthorized access to its production version.

Founded by Jeff Atwood and Joel Spolsky in 2008, Stack Overflow is the flagship site of the Stack Exchange Network. With 10 million registered users and over 50 million unique visitors every month, Stack Overflow is very popular among professional and enthusiast programmers.

In an older version of the announcement published by Mary Ferguson, VP of Engineering at Stack Overflow, the company confirmed the breach but said it did not find any evidence that hackers accessed customers’ accounts or any user data.

However, the updated announcement now says that after sitting quiet for a week, the hackers executed privileged web requests and were able to gain access to a very small portion of data, including IP addresses, names, and email addresses—and that for only a small number of users.

“Between May 5 and May 11, the intruder contained their activities to exploration. On May 11, the intruder made a change to our system to grant themselves a privileged access on production. This change was quickly identified and we revoked their access network-wide, began investigating the intrusion, and began taking steps to remediate the intrusion.”

“We can now confirm that our investigation suggests the requests in question affected approximately 250 public network users. Affected users will be notified by us,” Ferguson said.

The company also revealed that the hackers exploited a bug introduced in a recently deployed build on the development tier of the Stack Overflow website.

Stack Overflow said the company is patching all known vulnerabilities.

“We discovered and investigated the extent of the access and are addressing all known vulnerabilities,” Ferguson said.

“As part of our security procedures to protect sensitive customer data, we maintain separate infrastructure and networks for clients of our Teams, Business, and Enterprise products and we have found no evidence that those systems or customer data were accessed. Our Advertising and Talent businesses were also not impacted by this intrusion.”

Late last year, another popular question and answer website, Quora, suffered a massive data breach, with hackers gaining access to sensitive information of about 100 million of its users, including their names, email addresses, hashed passwords, and personal messages.