Check your email address(es) and passwords for cyber security breaches
alexanderbrevig:
https://www.eevblog.com/forum/chat/forum-rules-please-read/
--- Quote ---Only the moderators and administrators can access it [email], and will only do so for the purposes of administration.
--- End quote ---
Proactively investigating possible explanations for an increase in apparent spam from known users seems totally fine by me.
Keep in mind that the alternative, to just pretend nothing is going on - could lead to a compromised moderator which could lead to unpleasant surprises for many of us.
Let's lower our pitchforks and continue to the next thread?
alexanderbrevig:
--- Quote from: jpanhalt on January 12, 2023, 11:46:47 pm ---Was that service safe or was it the one you linked to?
--- End quote ---
The linked service is safe. Please read and understand page 1 of this thread. Thanks.
Halcyon:
--- Quote from: jpanhalt on January 12, 2023, 11:46:47 pm ---Maybe nothing was compromised, but maybe you can fill us in on how you did it?
--- Quote from: Halcyon ---I checked the registered email addresses of all these users (just a small handful at this stage) and all but 1 have been compromised in a known data breach involving one or more third-parties.
--- End quote ---
Was that done by you with a printout of such sites, or did you enter the email addresses into some service? Was that service safe or was it the one you linked to?
--- End quote ---
The breached email addresses used to sign up to this forum were checked using the HIBP API/service. It was both safe and the same service I linked to in my original post.
The link was provided so that others (not involved in the small handful of accounts that were breached) could benefit from the same, secure and beneficial service, should they wish to do so.
I apologise if my methods were not made clear initially. My focus was ensuring that everyone knew things were fine on our end.
sarge:
Sounds like some people need to research what they read, and stop coming to immediate conclusions. That said, compromises and breaches happen too much anymore, so I'm happy a moderator like Halcyon took the time to check into it. Cheers!
jpanhalt:
@Halcyon,
I can accept that and the fact that you think that site is safe. We come from quite different spheres. In my field in the USA, we are legally bound by restrictions placed by HIPAA (https://www.hhs.gov/hipaa/for-professionals/privacy/index.html), which is often pronounced as if spelled "hippa." Basically, with one notable exception, a physician cannot share personally identifiable information with anyone without explicit permission from the patient. That includes anything in the chart. The one exception is by and within insurance companies -- their lobbyists were better financed, so some skeptics say.
That law hit practicing physicians by surprise. For example, in some instances, a surgeon was not allowed to share the patient's chart with the surgical pathologist without explicit permission, and permission forms at the time did not include that. That was almost a disaster for hospital-based physicians. Pathologists were affected most as they infrequently actually see the patient to ask permission. That problem has largely been fixed.
The legacy of that stays with me. My email address that I shared with EEVBlog is personally identifiable, and if HIPAA applied, it should not be shared with anyone -- reputable or not -- without my permission. "Business associate" or not, and so forth. Such a law doesn't exist in the US or Australia to my knowledge, but I think it is worth considering whether the concept can be adapted reasonably to the problem you face in combating spammers and worse.
It's a given that moderators need access to email addresses to do their jobs. If you could download the database from that site and then test individual email addresses against that database locally, that might be safe. But that database is probably huge, and the site owner has good reasons not to share it. Would it be practical only to download email addresses associated with certain domains or domains + partial addresses associated with suspected bad actors, and then test their actual addresses against the addresses you have locally? I don't know enough of the subject to suggest a reasonable solution, but my background leads me to not share information, regardless of how much I may trust the other entity, without getting a potentially affected individual's permission.
Anyway, any breach was done by me checking my email address, not you. I accept accountability for doing that.
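Added example, not part of any post in this thread and not HIBP's or the forum's own code: a sketch of the "download a partial slice and compare locally" idea raised above, using the hash-prefix range lookup that HIBP's Pwned Passwords API uses for passwords (send 5 hex characters of a SHA-1 digest, receive `SUFFIX:COUNT` lines, match locally). Applying it to email addresses, the `SimulatedRangeService` class and the sample corpus are assumptions constructed for illustration.

```python
import hashlib

PREFIX_LEN = 5  # hex chars of the SHA-1 digest that leave the local machine

# Constructed sample data standing in for the remote breach corpus.
REMOTE_CORPUS = {"alice@example.com": 3, "bob@example.org": 1}

def digest(value: str) -> str:
    """Normalise (trim, lowercase) and return the uppercase SHA-1 hex digest."""
    return hashlib.sha1(value.strip().lower().encode("utf-8")).hexdigest().upper()

class SimulatedRangeService:
    """Hypothetical stand-in for the remote service; records what it is sent."""
    def __init__(self, corpus):
        self.table = {digest(v): n for v, n in corpus.items()}
        self.seen = []  # every query string the "service" received

    def fetch(self, prefix: str) -> str:
        # Return one 'SUFFIX:COUNT' line per stored digest in this prefix bucket.
        self.seen.append(prefix)
        return "\n".join(f"{d[PREFIX_LEN:]}:{n}"
                         for d, n in sorted(self.table.items())
                         if d.startswith(prefix))

def parse_range(body: str) -> dict:
    """Parse 'SUFFIX:COUNT' lines, ignoring blank or malformed ones."""
    result = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and len(suffix) == 40 - PREFIX_LEN and count.isdigit():
            result[suffix.upper()] = int(count)
    return result

def breach_count(value: str, fetch) -> int:
    """Return how often value appears; only the digest prefix is sent out."""
    d = digest(value)
    return parse_range(fetch(d[:PREFIX_LEN])).get(d[PREFIX_LEN:], 0)

if __name__ == "__main__":
    svc = SimulatedRangeService(REMOTE_CORPUS)
    for addr in ("Alice@Example.com", "carol@example.net"):
        print(addr, breach_count(addr, svc.fetch))
    print("service saw:", svc.seen)  # 5-character prefixes only
```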