AdGuard, a popular ad blocker for Android, iOS, Windows, and Mac, has reset all user passwords, the company's CTO Andrey Meshkov announced today.
The company took this decision after suffering a brute-force attack during which an unknown attacker tried to log into user accounts by guessing their passwords.
Meshkov said the attacker used emails and passwords that were previously leaked into the public domain after breaches at other companies.
This type of attack --using leaked usernames and passwords to hack into accounts at other services-- is known as credential stuffing.
The AdGuard CTO said attackers were successful in their assault and gained access to some AdGuard accounts, used for storing ad blocker settings.
"We don't know what accounts exactly were accessed by the attackers," Meshkov said. "All passwords stored in AdGuard database are encrypted so we cannot check whether any of them is present in the known leaked database. That's why we decided to reset passwords of all users."
The company says it implemented the Have I Been Pwned API into their existing infrastructure so that when users will configure a new password, the AdGuard system will warn them if they're using passwords leaked at other services.
Meshkov said AdGuard now also uses stricter rules for choosing passwords, and they also intend to support two-factor authentication in the future.
The AdGuard exec also revealed that the company found out about the attack after its rate-limiting systems detected the numerous failed login attempts during the password guessing phase of the attack.
Most of the attacks were stopped, but some were successful, which usually tends to happen when attackers get lucky and guess the proper combination during the first login attempts.
It is unclear what the attackers were attempting to do with such low-value accounts.
Previous and related coverage:
Cyber attacks and malware are one of the biggest threats on the internet. Learn about the different types of malware - and how to avoid falling victim to attacks.
This simple advice will help to protect you against hackers and government surveillance.
Whether you're in the office or on the road, a VPN is still one of the best ways to protect yourself on the big, bad internet.
If you can't answer these basic questions, your security could be at risk.
Retired US Air Force cyber-security expert shares his thoughts on the future of critical infrastructure security.
Researchers turn ordinary WiFi devices in rudimentary scanners that can identify potentially dangerous objects hidden inside bags or luggage.
- Nasty piece of CSS code crashes and restarts iPhones
- FragmentSmack vulnerability also affects Windows, but Microsoft patched it
- Data breaches affect stock performance in the long run, study finds
- Why the 'fixed' Windows EternalBlue exploit won't die
- Hackers swipe card numbers from local government payment portals
- Chinese police arrest hacker who sold data of millions of hotel guests on the dark web
- Access to over 3,000 backdoored sites sold on Russian hacking forum
- Canadian retailer's servers storing 15 years of user data sold on Craigslist
- Broadcaster ABS-CBN customer data stolen, sent to Russian servers
- 'Hacky hack hack': Teen arrested for breaking into Apple's network TechRepublic