Cyber Security Today, July 11, 2022 – Mandatory 2FA For The PyPI Registry, Beware Of Fake Google Software Updates And A Poor Password Leads To Huge Data Hack

Share post:

Mandatory 2FA for the PyPI registry, beware of fake Google software updates and a poor password leads to huge data hack.

Welcome to Cyber Security Today. It’s Monday, July 11th, 2022. I’m Howard Solomon, contributing reporter on cybersecurity for

Cyb er Security Today on Amazon Alexa Cyber Security Today on Google Podcasts Subscribe to Cyber Security Today on Apple Podcasts

Mandatory two-factor login authentication will be imposed on maintainers of critical projects in the open source PyPI registry. That’s the website for projects written in the Python language. The new policy was announced Friday by the registry as a way to improve security and reduce the odds a hacker can tamper with a project in the registry. It will be implemented in the coming months. As an incentive a limited number of Google Titan USB security keys are being given away to developers. However, project maintainers or owners can use any approved USB security key or app-based 2FA like Google Authenticator, Microsoft Authenticator, Duo, Authy or a password manager that generates authentication codes. Any project in the top one per cent of downloads in a six-month period is considered critical. At the moment 3,500 projects would qualify.

A new ransomware strain is being distributed that pretends to be a Google software update. Researchers at Trend Micro call this strain HavanaCrypt. Before executing the ransomware it deletes Windows shadow copies of data and system restore instances. Listeners must ignore any email or text message that claims to be a Google update. Remember applications like Gmail, Workspace, Google Docs and others automatically update. The only safe way to get a browser update is to have your Chrome browser set to automatically download updates, or you can just go into the control menu. You get that from clicking on the three dots in the upper right corner of the browser. From there click on Help and then About Google Chrome.

A poorly protected Elasticsearch database allegedly led to the theft in May of data on 23 million users of the Mangatoon comic reading platform. The Bleeping Computer news service said a well-known hacker who uses the name pompompurin claims they were able to copy that database because the password was the word …. password. Who created that database isn’t known. It had the usernames — which may not be the real names — of subscribers, plus their email addresses, auth tokens for social media accounts and hashed passwords. Those tokens might allow an attacker to take over a social media account. So Mangatoon subscribers should consider changing their social media passwords as well as their Mangatoon passwords.

Finally, in a news story earlier this year on I reported that Microsoft planned to make an important change to boost security in its Office suite. That change would be to make it harder for users to get around protection against malicious macros from running. Macros are pieces of automated code. Hackers can include malicious macros in compromised documents in email attachments. Microsoft disables external macros from running automatically unless the user clicks on an approval button. Microsoft planned to remove that button because too many people just click on it. However, British security reporter Graham Cluley notes that last week Microsoft has paused the change because of criticism. It promises to make improvements to the user experience and still lower the odds of bad macros running.

Remember links to details about podcast stories are in the text version at That’s where you’ll also find other stories of mine.

Follow Cyber Security Today on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker.

The post Cyber Security Today, July 11, 2022 – Mandatory 2FA for the PyPI registry, beware of fake Google software updates and a poor password leads to huge data hack first appeared on IT World Canada.

Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of and Computing Canada. An IT journalist since 1997, I've written for and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times.


Related articles

Cyber Security Today, June 21, 2024 – US to ban Kaspersky for businesses, consumers

U.S. to ban the sale of Kaspersky products to consumers and businesses. Welcome to Cyber Security Today. It's Friday...

Why Jensen Huang in the Taylor Swift of tech. Hashtag Trending for Friday, June 21, 2024

Hashtag Trending is brought you with the generous sponsorship of Zoho Canada. We thank them for making it...

Biden administration to ban US sales of Kaspersky software over ties to Russia

The Biden administration is set to announce a ban on the sale of Kaspersky Lab's antivirus software in...

Security bug may allow anyone to spoof Microsoft employee emails

A security researcher claims to have discovered a bug that enables anyone to impersonate Microsoft corporate email accounts,...

Become a member

New, Relevant Tech Stories. Our article selection is done by industry professionals. Our writers summarize them to give you the key takeaways