Announcement PSA: Passwords, Security, and Hackers... OH MY!!!!!

My Google Security protects me. I think in 2019 someone in Brazil tried hacking my phone, but Google Security prevented it from happening, and informed me to strengthen my password.
 
Check this out:
https://www.security.org/how-secure-is-my-password/
I entered casportpony
 
My PayPal security was breached a couple of months ago. The pretender ordered gold bullion and a Leatherman on my dime. Had to go through lots of stuff to protect myself. Make a police report... call companies... visit my bank. I was reimbursed by PayPal, eventually. But I chose to close that account. I now keep a sheet of passwords (all changed and all unique).
 
Nice to know... didn't know PayPal had a breach. I use them for everything.
(MANY WORDS INCOMING. FAIR WARNING.)

https://www.bleepingcomputer.com/ne...ed-in-large-scale-credential-stuffing-attack/ (a different report on the same incident Nifty posted in the first post.)

35k users is not "large scale" but whatever. It's a significant sum of users. Note that this was a credential stuffing attack where the crackers used password lists mined off of the internet to see if they could get matches. This is EXACTLY why Nifty started this thread. Datamines of users and passwords even years old can still be used to break into accounts if you don't regularly change passwords or use the same credentials on multiple sites. It's even more risky since it's an accepted practice on websites to use your email address as your user id all over the internet. So literally every place you have a login, half the work is likely already done once your email address is grabbed. All an attacker needs to do is collate it to password lists and start fishing.

Here's a very real hypothetical scenario illustrating how scary this can be:

(Begin scenario)
So say you have "[email protected]" as your login for gmail. And paypal. And netflix. And your bank. Etc, etc... And you have a password of "password 123" on gmail. Coincidentally, this is the same password you used 10 years ago on your myspace you've forgotten about, with the same [email protected] login. And that 10 year old data was stolen in a data breach of myspace in 2015. You changed your password then on myspace but forgot you've used this password before.

Now a bad guy has the data from that 2015 myspace breach, and in the thousands of lines of info is your "[email protected]/password 123" credentials. So he writes a script to try logging into gmail and your username/password combo works. Now he's got access to your gmail. Which is where all your password reset emails for all your OTHER accounts go when you hit the "forgot password" link. The attacker can now try to find as many logins with your [email protected] email address as they can, and password reset them all to take control of your accounts. You have been owned.
(End scenario)

This doesn't even take into account that the attacker likely has more than one list; there are hundreds of datamines out there. So potentially any old password you've used can be collected and used against you maliciously. Attacks like this happen daily. It's a very simple "low skill level" kind of attack. You don't need complicated tools, you need simple looping scripts and a list of users and passwords to try. A 5th grader with a month of programming lessons could do this. It's not "hackers" in basements with Guy Fawkes masks on to hide their identity. It's kids and adults in call centers and cyber cafes in Russia and China (among other places) who are trying to put food on the table because they get paid for every account they can pop.

Every one of you probably knows someone whose credentials on SOME website have been popped. It may seem innocent today, but it can come back to bite you hard years later.
 
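The credential-stuffing pattern described in the post above (one source walking a leaked list of email/password pairs across many different accounts, with most attempts failing) is easiest to spot from the defender's side in the login logs. The following is an added Python example, not code from the thread or from any of the sites mentioned; the log line format and the sample lines are constructed for illustration, and the thresholds (8 distinct accounts within 5 minutes, at most half of the attempts succeeding) are assumptions to be tuned per site.

```python
"""Added example (not from the thread): flag credential-stuffing sources in
login logs.  The log layout and all sample lines below are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample, one attempt per line:
#   "<ISO timestamp> <client ip> <login email> <OK|FAIL>"
# 203.0.113.7 walks ten different accounts in eight seconds and gets two hits;
# 198.51.100.20 is one user fumbling their own password and then succeeding.
SAMPLE_LOG = """\
2023-02-03T10:00:01 203.0.113.7 alice@example.com FAIL
2023-02-03T10:00:02 203.0.113.7 bob@example.com FAIL
2023-02-03T10:00:02 203.0.113.7 carol@example.com FAIL
2023-02-03T10:00:03 203.0.113.7 dave@example.com OK
2023-02-03T10:00:04 203.0.113.7 erin@example.com FAIL
2023-02-03T10:00:05 203.0.113.7 frank@example.com FAIL
2023-02-03T10:00:06 203.0.113.7 grace@example.com FAIL
2023-02-03T10:00:07 203.0.113.7 heidi@example.com FAIL
2023-02-03T10:00:07 203.0.113.7 ivan@example.com FAIL
2023-02-03T10:00:08 203.0.113.7 judy@example.com OK
2023-02-03T10:05:00 198.51.100.20 alice@example.com FAIL
2023-02-03T10:05:30 198.51.100.20 alice@example.com FAIL
2023-02-03T10:06:00 198.51.100.20 alice@example.com OK
"""


def parse_log(text):
    """Turn the constructed log text into (timestamp, ip, user, success) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user.lower(), result == "OK"))
    return events


def find_stuffing_sources(events, window=timedelta(minutes=5),
                          min_accounts=8, max_success_ratio=0.5):
    """Return {ip: summary} for sources that tried many DISTINCT accounts within
    `window` with a low success ratio.  One account failing repeatedly from one
    source (a user mistyping their own password) is deliberately not flagged.
    The summary lists the accounts where a stuffed credential actually worked,
    which are the ones that need a forced password reset and session revocation."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))

    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort()  # chronological; ties broken by user name
        start = 0
        for end in range(len(evs)):
            # slide the window start forward until the span fits in `window`
            while evs[end][0] - evs[start][0] > window:
                start += 1
            chunk = evs[start:end + 1]
            accounts = {u for _, u, _ in chunk}
            if len(accounts) < min_accounts:
                continue
            successes = sum(1 for _, _, ok in chunk if ok)
            if successes / len(chunk) > max_success_ratio:
                continue
            # keep the largest qualifying window seen for this source
            if ip not in flagged or len(chunk) > flagged[ip]["attempts"]:
                flagged[ip] = {
                    "attempts": len(chunk),
                    "distinct_accounts": len(accounts),
                    "compromised": sorted(u for _, u, ok in chunk if ok),
                }
    return flagged


if __name__ == "__main__":
    for ip, summary in find_stuffing_sources(parse_log(SAMPLE_LOG)).items():
        print(ip, summary)
```

The key signal is the number of distinct accounts per source, not the raw failure count: a stuffing run produces a wide, shallow spray (one or two tries per account) while a forgotten password produces a deep, narrow one. The `compromised` list is the action item; the two accounts in it are exactly the ones where a reused password from an old breach still worked.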
:bow
 
Dang, you're a brain. I got hacked on social media 13 years ago. So I quit Facebook and MySpace. Knew who said hacker was. Personal thing. After that I started using annoying long passwords, upper/lower case... yada, yada. It made me aware... very aware. Thanks for making me even more aware.
 
Part of the day job.
 
