Author Topic: Check your email address(s) and passwords for cyber security breaches  (Read 12610 times)


Online HalcyonTopic starter

  • Global Moderator
  • *****
  • Posts: 5681
  • Country: au
Good morning all,

A few of you may have noticed some user accounts posting spam on the forum, where they previously seemed to make legitimate posts. These are different to the normal spammers who create new accounts, foolishly attempt to make them seem genuine but then end up posting spam.

I checked the registered email addresses of all these users (just a small handful at this stage) and all but 1 have been compromised in a known data breach involving one or more third-parties.
Before anyone panics, it's important to stress that the breached sites/services do not include EEVblog, the forum or anything connected to Dave.

I think this is a timely reminder to review your cyber security practices and check your email address(s) and passwords against known leaks. https://haveibeenpwned.com is an excellent resource for this. Troy Hunt (who created/runs HIBP) is a well known and reputable Australian Cyber Security professional. This site is totally legitimate and is a valuable resource for checking your email addresses and passwords against a list of known leaked data.

A lot of breaches occur when people use the same passwords across multiple platforms, so when one site is breached, threat actors can gain access to multiple sites/services you use. In terms of a secure and reputable password manager, I personally use BitWarden, but if you're the type of person who doesn't want their credentials "in the cloud", KeePass is a great offline alternative.

You may also consider using 2FA/MFA on your forum account. You can enable this by going to Account Settings > Modify Profile > Two-Step Authentication.
« Last Edit: January 12, 2023, 12:19:35 am by Halcyon »
 
The following users thanked this post: SeanB, MarkS, AlfBaz, thm_w, JohanH, HighVoltage, alexanderbrevig, MK14, alexnoot, AndyBeez

Offline SeanB

  • Super Contributor
  • ***
  • Posts: 16284
  • Country: za
Re: Check your email address(s) and passwords for cyber security breaches
« Reply #1 on: January 12, 2023, 11:34:40 am »
Thanks, done over 3 times. First my metro, then Gravatar (where I do not even remember having actually used it either...), and finally Patreon.

Now waiting to see if the latest will show up there now.
 

Online RoGeorge

  • Super Contributor
  • ***
  • Posts: 6203
  • Country: ro
Re: Check your email address(s) and passwords for cyber security breaches
« Reply #2 on: January 12, 2023, 01:00:37 pm »
I think this is a timely reminder to review your cyber security practices and check your email address(s) and passwords against known leaks. https://haveibeenpwned.com is an excellent resource for this. Troy Hunt (who created/runs HIBP) is a well known and reputable Australian Cyber Security professional. This site is totally legitimate and is a valuable resource for checking your email addresses and passwords against a list of known leaked data.

You think wrong.  To give such advice you have to be either very gullible, or maybe malicious.



To put personal data in a webpage, because "trust me that's safe", is the worst idea ever.  To check a password on somebody else's webpage, dumbest idea ever.  Why would anyone trust an online place?



Also, Halcyon, please do not use users' emails for your experiments, or other users' personal data.  Not without written consent.  Nobody named you to check the status of my email.

I have already enough spam without you putting my email in some "totally legitimate" online webpage.

Whether you realize it or not, you did a childish thing from a security standpoint.  You probably abused your admin privileges, too, by putting everybody's email in who knows what online database(s).  Please don't do that again.

Offline JohanH

  • Frequent Contributor
  • **
  • Posts: 627
  • Country: fi
Re: Check your email address(s) and passwords for cyber security breaches
« Reply #3 on: January 12, 2023, 01:08:01 pm »
I don't know what to say, but RoGeorge got practically everything wrong in his post here... (at least if nothing was edited away in Halcyon's post, because the answer doesn't make sense).
« Last Edit: January 12, 2023, 01:09:34 pm by JohanH »
 
The following users thanked this post: daqq, thm_w

Offline JohanH

  • Frequent Contributor
  • **
  • Posts: 627
  • Country: fi
Re: Check your email address(s) and passwords for cyber security breaches
« Reply #4 on: January 12, 2023, 01:15:06 pm »
haveibeenpwned.com is perfectly legitimate. You don't enter your password there, you just enter your email address and it looks if your address is part of leaked data. This leaked data comes originally from hacker forums and is now practically public data.

E.g. when I enter my email, it says my email has been part of following leaked data:

"Adobe: In October 2013, 153 million Adobe accounts were breached with each containing an internal ID, username, email, encrypted password and a password hint in plain text."
"Dropbox: In mid-2012, Dropbox suffered a data breach which exposed the stored credentials of tens of millions of their customers."
"Twitter (200M): In early 2023, over 200M records scraped from Twitter appeared on a popular hacking forum. The data was obtained sometime in 2021"

and a couple more.

I have been careful enough to use different passwords in different places, so if one place is hacked, they can't login to my other services. Also, when receiving notice from haveibeenpwned.com I've been quick to change password and turn on 2FA in the sites that have been breached.
 

Online RoGeorge

  • Super Contributor
  • ***
  • Posts: 6203
  • Country: ro
Re: Check your email address(s) and passwords for cyber security breaches
« Reply #5 on: January 12, 2023, 02:22:54 pm »
That's what I wrote, not edited.  The point is, one can not trust an online page.  If that place is "legit" or not, that's irrelevant.

There is no way to know for sure where the info will land, now or in the future.  If you really want to know if your email or pass is in a database, then download the databases and examine them offline.  This is security 101 - consider anything online as already compromised.  Trust no one.

In the past there was the possibility to check if a given password is in the known databases of leaked passwords.  I didn't say whether the linked page can still do that or not.  I said it's dumb to put your pass in a webpage to get it checked for you, and I still think it is, from a security practices standpoint.  "Don't tell your pass to others."  No exceptions.

Such benevolent online checking places can be easily used to prune away old data, or to prioritize spam to confirmed email addresses (confirmed by entering the address in a pwned checking webpage, for example).  Same to prioritize brute force attacks by starting first with those passwords somebody checked online against pwning.

Online DavidAlfa

  • Super Contributor
  • ***
  • Posts: 5912
  • Country: es
Re: Check your email address(s) and passwords for cyber security breaches
« Reply #6 on: January 12, 2023, 02:34:20 pm »
Almost all my emails are ** up, even relatively new ones.
I really hope the two-factor authentication makes it really hard for hackers to access my data (Or that's what I'd like to believe  :-DD)
« Last Edit: January 12, 2023, 02:35:51 pm by DavidAlfa »
 

Offline JohanH

  • Frequent Contributor
  • **
  • Posts: 627
  • Country: fi
Re: Check your email address(s) and passwords for cyber security breaches
« Reply #7 on: January 12, 2023, 02:54:41 pm »

In the past there was the possibility to check if a given password is in the known databases of leaked passwords.  I didn't say the linked page can still do that or not.  I said it's dumb to put your pass in a webpage to get it checked it for you, and I still think it is, from a security practices standpoint.  "Don't tell your pass to others."  No exceptions.

But you are not giving your "pass" to the web site, only _email address_. That's a big difference. But if _your_ email is that secret, well then don't give it to any site. If you never give away your email, you are certainly not among the data leaks.

You are correct in one way, that you shouldn't give your email address to random sites on the net. On the other hand, I'm sure you have handed over your email address to a lot of sites and people without thinking, when registering on sites etc. How do you know the sites were the real thing?

haveibeenpwned.com is an exception, because by _reputation_ it is known for a long time, and the person behind it is well known in cyber security circles around the world. There is really no other way to know.
 
The following users thanked this post: alexnoot

Online RoGeorge

  • Super Contributor
  • ***
  • Posts: 6203
  • Country: ro
Re: Check your email address(s) and passwords for cyber security breaches
« Reply #8 on: January 12, 2023, 05:39:03 pm »
I will explain one more time, because you seem to have a wrong understanding about security practices.

1.  I don't care about my email address.  I care about wrong security advice coming from a forum's "Global Moderator".

2.  My post here was against the advice to use a webpage to check "security".  Particularly to check your PASSWORDS online.
I think this is a timely reminder to review your cyber security practices and check your email address(s) and passwords against known leaks. https://haveibeenpwned.com is an excellent resource for this.

That phrase implies one should check own passwords against a webpage.  WRONG!
And do that periodically maybe ("timely reminder" can be interpreted as "periodic reminder").  So not only WRONG advice, but advice to turn a one time mistake into a habit.  Even WORSE than wrong.

3.  Yes, but said webpage has _reputation_.  You don't get it.  DO NOT WILLINGLY TELL YOUR PASSWORD.  There are no exceptions from this.  Any amount of reputation can be lost in a blink of an eye.  The website can be compromised, the server admin can be blackmailed, an employee can steal the databases, man-in-the-middle attacks, zero-day exploits, drunk IT misconfiguring the website, social engineering, an evil villain taking over your gov while Batman was depressed that day and didn't come to rescue the city of passwords, etc., etc., etc.  DO NOT GIVE YOUR PASSWORD TO 3rd PARTIES.  No exception.


NOTE:
Words were chosen intentionally to be harsher than in casual replies.  Not trying to get a flame or to offend, stronger words were meant to make some ideas to stick:
- never willingly hand your passwords to 3rd parties
- something safe today might become a threat later, times change
- trust nobody
- don't spill info
 
The following users thanked this post: PlainName, The Soulman

Offline JohanH

  • Frequent Contributor
  • **
  • Posts: 627
  • Country: fi
Re: Check your email address(s) and passwords for cyber security breaches
« Reply #9 on: January 12, 2023, 06:10:13 pm »
For the last time. NOBODY IS TELLING THEIR PASSWORD TO ANYONE!  :palm:  The phrase that you seem to be stuck on "check your email address(s) and passwords against known leaks" doesn't mean that you have to enter your password. It is badly phrased in the post, I admit that. But that's not how the site works. It means you can check the site to see _if_ your credentials have been leaked.  :palm:  I'm not going to waste time arguing and have to sadly admit that the site isn't perfect, due to people misunderstanding its purpose.
 
The following users thanked this post: thm_w, james_s, alexnoot

Online RoGeorge

  • Super Contributor
  • ***
  • Posts: 6203
  • Country: ro
Re: Check your email address(s) and passwords for cyber security breaches
« Reply #10 on: January 12, 2023, 09:05:07 pm »
The same recommended website can also check for compromised passwords:
https://haveibeenpwned.com/Passwords

I know that the databases of leaked emails and/or passwords are supposed to be in hashed form and not in clear.  I know that the checking webpage is supposed to hash locally (in your computer) the email or password you typed, then only send the hashed value (not the clean text) to be checked against the online databases.

That is how the check is supposed to be working, assuming there are no bugs and no bad actors involved.  Yet we all know software usually has bugs, and the world usually has bad actors.  So don't spill info.

The whole idea of checking against a known list is kind of useless.  If you are not in the databases, that doesn't mean you haven't been pwned.  It only means you are not in that database.  Your pass or email might still have been compromised.  And if you find yourself in such databases, then you probably already noticed you have been hacked.

Such databases usually get exploited before going public.  And most often they never go public.  Hackers do not just steal passwords only to upload them next day to a public pwned checker.

Offline SiliconWizard

  • Super Contributor
  • ***
  • Posts: 14481
  • Country: fr
Re: Check your email address(s) and passwords for cyber security breaches
« Reply #11 on: January 12, 2023, 09:12:11 pm »
Oh, a website that asks for passwords to see if your passwords have been stolen, what a nice idea! :-DD
 
The following users thanked this post: timenutgoblin

Offline alexanderbrevig

  • Frequent Contributor
  • **
  • Posts: 700
  • Country: no
  • Musician, developer and EE hobbyist
    • alexanderbrevig.com
Re: Check your email address(s) and passwords for cyber security breaches
« Reply #12 on: January 12, 2023, 09:39:40 pm »
How do you use a password that you never spill? You enter it on this site, don't you?

I get the criticism here, and to never spill is a good advice. Though, if you care to research the linked site you will come to trust it _more_ than you trust whatever site you use that password for. I trust haveibeenpwned to keep my entry safe during transit much more than I trust this forum install to keep it safe at rest.

BTW: They actually buy leaks early from the same marketplaces that threat actors would, so it's not getting information any later. This means routinely checking with this particular respected service (or signing up for an alert on email leaks) is _good_ advice. Much better than never spilling hoping for the best and not knowing before it's too late.


I think your advice is good in general, but the outcry here is misplaced in my opinion.
 

Offline SiliconWizard

  • Super Contributor
  • ***
  • Posts: 14481
  • Country: fr
Re: Check your email address(s) and passwords for cyber security breaches
« Reply #13 on: January 12, 2023, 09:45:01 pm »
I looked at the source code of the above site.

The password is part of a very simple HTML form which directly submits the password through a post method. The site is on a https connection, so your password is relatively safe until it reaches the server, which then gets it in full clear. What could go wrong? Seriously. Through this site, you are submitting passwords in CLEAR to them. They are not hashed before being sent. You may argue that this is how most sites handle passwords, but one that is *dedicated* to collecting passwords is something else. You'll have to fully trust the owner's code, the server, and everyone involved.

But please submit your passwords!
 

Offline alexanderbrevig

  • Frequent Contributor
  • **
  • Posts: 700
  • Country: no
  • Musician, developer and EE hobbyist
    • alexanderbrevig.com
Re: Check your email address(s) and passwords for cyber security breaches
« Reply #14 on: January 12, 2023, 09:49:32 pm »
Oh hi, let me research that for you https://www.troyhunt.com/ive-just-launched-pwned-passwords-version-2/#cloudflareprivacyandkanonymity

TLDR: It does not send your password in the clear.
« Last Edit: January 12, 2023, 09:53:03 pm by alexanderbrevig »
 

Offline SiliconWizard

  • Super Contributor
  • ***
  • Posts: 14481
  • Country: fr
Re: Check your email address(s) and passwords for cyber security breaches
« Reply #15 on: January 12, 2023, 09:57:21 pm »
Oh hi, let me research that for you https://www.troyhunt.com/ive-just-launched-pwned-passwords-version-2/#cloudflareprivacyandkanonymity

TLDR: It does not send your password in the clear.

I'm not an HTML5 specialist, but from what I've read, such a form will post the password in clear. It will just not show it in the browser. But an HTML5 specialist may correct me and then tell me what the standard says about this.

Code: [Select]
<form action="/Passwords" method="post" novalidate="novalidate">
<div class="input-group">
<input autocapitalize="off" autocorrect="off" class="form-control" data-val="true" data-val-maxlength="The field Password must be a string or array type with a maximum length of &#39;450&#39;." data-val-maxlength-max="450" data-val-minlength="The field Password must be a string or array type with a minimum length of &#39;1&#39;." data-val-minlength-min="1" id="Password" maxlength="450" name="Password" placeholder="password" spellcheck="false" type="password" />
<span class="input-group-btn">
<button class="btn btn-primary btn-lg" type="submit" id="searchPwnedPasswords">pwned?</button>
</span>
</div>
<div class="progress progress-striped active" id="loading">
<div class="progress-bar" role="progressbar" aria-valuenow="100" aria-valuemin="0" aria-valuemax="100" style="width: 100%">
</div>
</div>
</form>
 
The following users thanked this post: alexanderbrevig

Offline alexanderbrevig

  • Frequent Contributor
  • **
  • Posts: 700
  • Country: no
  • Musician, developer and EE hobbyist
    • alexanderbrevig.com
Re: Check your email address(s) and passwords for cyber security breaches
« Reply #16 on: January 12, 2023, 10:00:47 pm »
The password is part of a very simple HTML form which directly submits the password through a post method.

Did you lie on purpose or just misread the code?

See the script here: https://haveibeenpwned.com/scripts/passwordsearch
Relevant snippet:
Code: [Select]
function getPwnage(n,t){var i=sha1(n).toUpperCase(),r=i.substring(0,5);$.get("https://api.pwnedpasswords.com/range/"+r)
Without javascript you are right that it would send it in the clear. Though because of this it won't:
Code: [Select]
$("#searchPwnedPasswords").click(function(n){n.preventDefault(); ...
That preventDefault stops the form from sending, so javascript takes over and sends the hash.  :-+
« Last Edit: January 12, 2023, 10:07:32 pm by alexanderbrevig »
 

Online jpanhalt

  • Super Contributor
  • ***
  • Posts: 3479
  • Country: us
Re: Check your email address(s) and passwords for cyber security breaches
« Reply #17 on: January 12, 2023, 10:26:06 pm »
Call me gullible?  I checked my email address shortly after reading Halcyon's post.  I assumed he had thoroughly vetted it.  Then a little bit ago I got this spam email from: mailto:recruitilluminatii@gmail.com

The text in the email was: NOTE: Only send YES! via email; recruitilluminatii@gmail.com

The actual url shown was: (see attachment)

Safe?  Rarely, very rarely do I get such emails because I am very stingy about giving out my address.  Coincidence or ploy?  Maybe Halcyon will address what he did to vet the site.
 

Offline madires

  • Super Contributor
  • ***
  • Posts: 7765
  • Country: de
  • A qualified hobbyist ;)
Re: Check your email address(s) and passwords for cyber security breaches
« Reply #18 on: January 12, 2023, 10:28:30 pm »
Searching the HIBP database for matches of your email address is fine, but I wouldn't use my passwords as search key. BTW, SHA1 is a bit outdated and shouldn't be used anymore. A nice feature is the 'notify me' service, i.e. you'll receive automatic notifications when some new data includes your email address.

And just because it happens all the time I strongly recommend to use different passwords for each service/website, or if supported hardware tokens.
 

Offline thm_w

  • Super Contributor
  • ***
  • Posts: 6389
  • Country: ca
  • Non-expert
Re: Check your email address(s) and passwords for cyber security breaches
« Reply #19 on: January 12, 2023, 10:42:59 pm »
Call me gullible?  I checked my email address shortly after reading Halcyon's post.  I assumed he had thoroughly vetted it.  Then a little bit ago I got this spam email from: mailto:recruitilluminatii@gmail.com

It's just a coincidence.

Searching the HIBP database for matches of your email address is fine, but I wouldn't use my passwords as search key. BTW, SHA1 is a bit outdated and shouldn't be used anymore. A nice feature is the 'notify me' service, i.e. you'll receive automatic notifications when some new data includes your email address.

And just because it happens all the time I strongly recommend to use different passwords for each service/website, or if supported hardware tokens.

Yeah I probably wouldn't enter my main password there.
But it's a sort of useful tool to tell someone: hey think of a secure password, now test it on this site.
Oh qwertyuiop12345 was used 11,000 times? Clearly it's not secure, even though it is a long seemingly complex password.
 
The following users thanked this post: alexanderbrevig, alexnoot

Offline alexanderbrevig

  • Frequent Contributor
  • **
  • Posts: 700
  • Country: no
  • Musician, developer and EE hobbyist
    • alexanderbrevig.com
Re: Check your email address(s) and passwords for cyber security breaches
« Reply #20 on: January 12, 2023, 10:43:17 pm »
Come on people!...

Call me gullible?  I checked my email address shortly after reading Halcyon's post.  I assumed he had thoroughly vetted it.  Then a little bit ago I got this spam email from: mailto:recruitilluminatii@gmail.com
https://en.wikipedia.org/wiki/Apophenia

Searching the HIBP database for matches of your email address is fine, but I wouldn't use my passwords as search key.

The password is not the search key. The first five characters of the sha1 of the password is.

BTW, SHA1 is a bit outdated and shouldn't be used anymore.
It's perfectly fine to use! Just don't use it to encrypt passwords in its entirety and expect it to be safe. Here it's used and then stripped to the first five characters. There is no way to retrieve anything compromising from that.
Perfectly usable for https://en.wikipedia.org/wiki/K-anonymity

And just because it happens all the time I strongly recommend to use different passwords for each service/website, or if supported hardware tokens.
Yes! I take it for granted that we use different passwords for different services in 2023. :) Wholeheartedly agree  :-+
« Last Edit: January 12, 2023, 10:48:36 pm by alexanderbrevig »
 

Offline madires

  • Super Contributor
  • ***
  • Posts: 7765
  • Country: de
  • A qualified hobbyist ;)
Re: Check your email address(s) and passwords for cyber security breaches
« Reply #21 on: January 12, 2023, 10:44:49 pm »
Call me gullible?  I checked my email address shortly after reading Halcyon's post.  I assumed he had thoroughly vetted it.  Then a little bit ago I got this spam email from: mailto:recruitilluminatii@gmail.com

If you tell someone your email address you have to consider it being published. Some people use this as a feature and create a different email address for each website/shop/whatever and see which ones get SPAM. Then they know who has a data breach issue.
« Last Edit: January 12, 2023, 10:51:04 pm by madires »
 

Online HalcyonTopic starter

  • Global Moderator
  • *****
  • Posts: 5681
  • Country: au
Re: Check your email address(s) and passwords for cyber security breaches
« Reply #22 on: January 12, 2023, 10:46:52 pm »
I don't know what to say, but RoGeorge got practically everything wrong in his post here... (at least if nothing was edited away in Halcyon's post, because the answer doesn't make sense).

Exactly.

RoGeorge: With all due respect, you have no idea what you're talking about. Secondly, your email address wasn't checked (I'll leave that up to you), only the compromised accounts were (those addresses have already been leaked and are out in the wild). Unless you choose to sign up to the "notification" service on HIBP, email addresses are not stored anywhere.

Safe?  Rarely, very rarely do I get such emails because I am very stingy about giving out my address.  Coincidence or ploy?  Maybe Halcyon will address what he did to vett the site.

Coincidence. Spam and fraudulent calls and SMS's have only increased over the last few years. I now get spam emails to my personal email address (which isn't published anywhere), which I can only assume is a complete accident/guess by throwing names at my domain name. Same with my mobile, previously I might get 3 or 4 dodgy messages per year, that's now up to about 3 to 4 per month, and again my number is rarely disclosed outside Government organisations.

Submitting passwords for checking against known-breached passwords, as others have pointed out, is done by using part of the SHA-1 hash, not the actual password itself. Furthermore email addresses/account information are not stored together with the password. If your email comes back on HIBP as being breached, it's already out there, available in a list for anyone to download (along with who knows what other information), but it's still not perfect. Not every breach is made public in this way and it's possible that your email address has been sourced from somewhere and sold to spammers/scammers. There is plenty of information here about the use of SHA-1 https://www.troyhunt.com/understanding-have-i-been-pwneds-use-of-sha-1-and-k-anonymity/

Some of the governments using this service include New Zealand, Canada, Finland, Switzerland, and of course some government and cybersecurity agencies in Australia.

At the end of the day, I don't expect anyone to blindly trust what I, or anyone else on this forum says. Do your own homework and come to your own conclusions. If I have said something incorrect, I stand to be corrected provided you can prove to me what I was saying was wrong. Guesswork and assumptions are not forms of proof.
« Last Edit: January 12, 2023, 11:25:47 pm by Halcyon »
 
The following users thanked this post: alexnoot
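The range check that alexanderbrevig's reply #16 pulls out of the HIBP script and that Halcyon's post above describes (local SHA-1, send only the first five hex characters, compare the suffix on the client), written out as an added example; this is not code from the thread or from HIBP. Both the leaked corpus with its counts and the range_endpoint function are constructed stand-ins for the real data set and API, so it runs offline.

```python
import hashlib

# Constructed stand-in for the leaked-password corpus behind the range
# endpoint: a few passwords with made-up occurrence counts (the 11,000 for
# qwertyuiop12345 is the figure thm_w uses as an illustration; the rest are
# invented for this example).
LEAKED_PASSWORDS = {
    "password": 3861493,
    "qwertyuiop12345": 11000,
    "letmein": 250000,
}

HEX_DIGITS = set("0123456789ABCDEF")


def sha1_hex_upper(password):
    """Full SHA-1 digest of the password as 40 upper-case hex characters."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(full_hash):
    """Split the digest into the 5-char prefix that is sent to the server
    and the 35-char suffix that never leaves the client."""
    return full_hash[:5], full_hash[5:]


def build_server_index(leaked):
    """Server side: bucket every leaked hash under its 5-char prefix and
    store 'SUFFIX:COUNT' lines, the shape the range endpoint answers with."""
    index = {}
    for pw, count in leaked.items():
        prefix, suffix = split_hash(sha1_hex_upper(pw))
        index.setdefault(prefix, []).append(f"{suffix}:{count}")
    return index


def range_endpoint(index, prefix):
    """Simulated GET /range/<prefix>. The only thing the server learns is
    the prefix, which every hash in that bucket shares; it returns the whole
    bucket, newline separated (empty string if nothing matches)."""
    if len(prefix) != 5 or not set(prefix) <= HEX_DIGITS:
        raise ValueError("prefix must be exactly 5 upper-case hex characters")
    return "\n".join(index.get(prefix, []))


def wire_request(password):
    """What the client actually puts on the wire for a password: a request
    path carrying the 5-char prefix, never the password or its full hash."""
    prefix, _ = split_hash(sha1_hex_upper(password))
    return "/range/" + prefix


def check_password(password, index):
    """Client side of the k-anonymity check: hash locally, fetch the bucket
    for the prefix, compare suffixes on the client. Returns the breach count,
    or 0 when the password is not in this corpus (which, as the thread notes,
    does not prove it was never leaked somewhere else)."""
    prefix, suffix = split_hash(sha1_hex_upper(password))
    for line in range_endpoint(index, prefix).splitlines():
        got_suffix, _, count = line.partition(":")
        if got_suffix == suffix:
            return int(count)
    return 0


if __name__ == "__main__":
    idx = build_server_index(LEAKED_PASSWORDS)
    for candidate in ("qwertyuiop12345", "correct horse battery staple"):
        print(candidate, "->", wire_request(candidate),
              "->", check_password(candidate, idx), "hits")
```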

Online jpanhalt

  • Super Contributor
  • ***
  • Posts: 3479
  • Country: us
Re: Check your email address(s) and passwords for cyber security breaches
« Reply #23 on: January 12, 2023, 11:23:58 pm »
Not all of us are as savvy as you and a few others are about such spoofs.  Nor do I intend to become that savvy.  If the site you presented as safe is not safe, then that assertion needs to be corrected.  Fact is, I have rarely gotten such clearly dangerous emails.  The temporal relation to "checking" as you suggest cannot be ignored.  Whether that is important to Dave is his choice.  My decision has already been made.  The link you provided has been deleted and my trust in you has been affected.  Not that any of that matters to a site this size.
 

Offline james_s

  • Super Contributor
  • ***
  • Posts: 21611
  • Country: us
Re: Check your email address(s) and passwords for cyber security breaches
« Reply #24 on: January 12, 2023, 11:28:26 pm »
Oh, a website that asks for passwords to see if your passwords have been stolen, what a nice idea! :-DD

What are they going to do with it? Knowing a password is useless if you don't know what it's the password to. If you search for it and it comes up in a database of known leaked passwords then you already know that it's in a database that likely includes associated usernames.
 

Online HalcyonTopic starter

  • Global Moderator
  • *****
  • Posts: 5681
  • Country: au
Re: Check your email address(s) and passwords for cyber security breaches
« Reply #25 on: January 12, 2023, 11:30:05 pm »
Not all of us are as savvy as you and a few others are about such spoofs.  Nor do I intend to become that savvy.  If the site you presented as safe is not safe, then that assertion needs to be corrected.  Fact is, I have rarely gotten such clearly dangerous emails.  The temporal relation to "checking" as you suggest cannot be ignored.  Whether that is important to Dave is his choice.  My decision has already been made.  The link you provided has been deleted and my trust in you has been affected.  Not that that any of that matters to a site this size.

Savvy or not, even careful individuals will probably have personal information leaked at some point.

It's a shame you didn't find the resource I presented as useful to you, but that's OK, it's completely your decision whether to use a particular service or not.

At the end of the day, I took steps to investigate and ensure that the breach didn't occur on EEVblog's end and I presented what I know to everyone, so that individuals can make an informed decision about whether or not to change passwords, implement MFA etc... I don't believe in closing my eyes and blocking my ears, and pretending everything is normal. I can almost guarantee that if the forum was breached or subject to a data breach, and we did nothing about it or inform the users, a lot of people would be quite upset.
« Last Edit: January 12, 2023, 11:34:19 pm by Halcyon »
 
The following users thanked this post: SeanB, thm_w, newbrain

Online jpanhalt

  • Super Contributor
  • ***
  • Posts: 3479
  • Country: us
Re: Check your email address(s) and passwords for cyber security breaches
« Reply #26 on: January 12, 2023, 11:33:26 pm »
You are missing my real concern.  It is not whether I am foolish enough to enter my email address on such a site.  It is that YOU, unknown to us, did that with some of our email addresses.  Who gave you permission to do that?
 

Offline james_s

  • Super Contributor
  • ***
  • Posts: 21611
  • Country: us
Re: Check your email address(s) and passwords for cyber security breaches
« Reply #27 on: January 12, 2023, 11:37:30 pm »
You are missing my real concern.  It is not whether I am foolish enough to enter my email address on such a site.  It is that YOU, unknown to us, did that with some of our email addresses.  Who gave you permission to do that?

What are you talking about? It's a reputable site, it doesn't do anything with your email address and if he tried it with your email address it means that your address was already compromised. He doesn't need permission to do that, you voluntarily gave your email address to this site when you signed up.
 
The following users thanked this post: newbrain

Online HalcyonTopic starter

  • Global Moderator
  • *****
  • Posts: 5681
  • Country: au
Re: Check your email address(s) and passwords for cyber security breaches
« Reply #28 on: January 12, 2023, 11:37:50 pm »
You are missing my real concern.  It is not whether I am foolish enough to enter my email address on such a site.  It is that YOU, unknown to us, did that with some of our email addresses.  Who gave you permission to do that?

No one gave me "permission", but to be quite blunt, no one's information was used in an irresponsible or unsafe manner, nor shared or stored anywhere else beyond this forum.
When you sign up or use any service, be it on the internet or otherwise, you're entrusting that it's being owned and operated by sensible and knowledgeable people. EEVblog is no different. Dave knows me personally, knows my background and qualifications and has entrusted a small handful of us with the administration and moderation of this forum. That includes access to the information you voluntarily provide upon sign-up. You're also trusting that the service itself (in this case SMF 2.0.18) does the job and fulfills your needs and expectations.

You might disagree with my methods, and that's OK, you weren't involved nor impacted. You seem to be making an issue out of a non-issue.

My final word on this matter is, it's impossible to keep everyone happy. Someone will always complain about an action or inaction, or the way something was said. I'm not here to preserve your feelings and emotions, I'm here to do the best job I know how as a moderator, and contribute positively to this forum and to Dave's operations. I believe in sharing knowledge and wisdom gained over many years of experience and education, that will not change as long as I'm alive. I refuse to hide behind anything, all of this is out in the open for all to see and comment on, including Dave. If he wants to give me a smack, I'll accept that.
« Last Edit: January 13, 2023, 12:27:26 am by Halcyon »
 
The following users thanked this post: SeanB

Online jpanhalt

  • Super Contributor
  • ***
  • Posts: 3479
  • Country: us
Re: Check your email address(s) and passwords for cyber security breaches
« Reply #29 on: January 12, 2023, 11:46:47 pm »
Maybe nothing was compromised, but maybe you can fill us in on how you did it?
Quote from: Halcyon
I checked the registered email addresses of all these users (just a small handful at this stage) and all but 1 have been compromised in a known data breach involving one or more third-parties.
Was that done by you with a printout of such sites, or did you enter the email addresses into some service?  Was that service safe or was it the one you linked to?
 

Offline alexanderbrevig

  • Frequent Contributor
  • **
  • Posts: 700
  • Country: no
  • Musician, developer and EE hobbyist
    • alexanderbrevig.com
Re: Check your email address(s) and passwords for cyber security breaches
« Reply #30 on: January 12, 2023, 11:48:13 pm »
https://www.eevblog.com/forum/chat/forum-rules-please-read/
Quote
Only the moderators and administrators can access it [email], and will only do so for the purposes of administration.

Proactively investigating possible explanations for an increase in apparent spam from known users seems totally fine by me.
Keep in mind that the alternative, to just pretend nothing is going on, could lead to a compromised moderator, which could lead to unpleasant surprises for many of us.

Let's lower our pitch forks and continue to the next thread?
 
The following users thanked this post: thm_w, Halcyon, newbrain, james_s, sarge

Offline alexanderbrevig

  • Frequent Contributor
  • **
  • Posts: 700
  • Country: no
  • Musician, developer and EE hobbyist
    • alexanderbrevig.com
Re: Check your email address(s) and passwords for cyber security breaches
« Reply #31 on: January 12, 2023, 11:50:15 pm »
Was that service safe or was it the one you linked to?

The linked service is safe. Please read and understand page 1 of this thread. Thanks.
 

Online Halcyon (Topic starter)

  • Global Moderator
  • *****
  • Posts: 5681
  • Country: au
Re: Check your email address(s) and passwords for cyber security breaches
« Reply #32 on: January 12, 2023, 11:51:21 pm »
Maybe nothing was compromised, but maybe you can fill us in on how you did it?
Quote from: Halcyon
I checked the registered email addresses of all these users (just a small handful at this stage) and all but 1 have been compromised in a known data breach involving one or more third-parties.
Was that done by you with a printout of such sites, or did you enter the email addresses into some service?  Was that service safe or was it the one you linked to?

The breached email addresses used to sign up to this forum were checked using the HIBP API/service. It was both safe and the same service I linked to in my original post.

The link was provided so that others (not involved in the small handful of accounts that were breached) could benefit from the same, secure and beneficial service, should they wish to do so.

I apologise if my methods were not made clear initially. My focus was ensuring that everyone knew things were fine on our end.
« Last Edit: January 12, 2023, 11:52:52 pm by Halcyon »
 

Offline sarge

  • Contributor
  • Posts: 24
  • Country: us
  • If humans can make it, humans can break it.
Re: Check your email address(s) and passwords for cyber security breaches
« Reply #33 on: January 13, 2023, 12:11:40 am »
Sounds like some people need to research what they read, and stop coming to immediate conclusions. That said, compromises and breaches happen too much anymore, so I'm happy a moderator like Halcyon took the time to check into it. Cheers!
 

Online jpanhalt

  • Super Contributor
  • ***
  • Posts: 3479
  • Country: us
Re: Check your email address(s) and passwords for cyber security breaches
« Reply #34 on: January 13, 2023, 12:45:19 am »
 @Halcyon,

I can accept that and the fact that you think that site is safe.  We come from quite different spheres.  In my field in the USA, we are legally bound by restrictions placed by HIPAA (https://www.hhs.gov/hipaa/for-professionals/privacy/index.html), which is often pronounced as if spelled "hippa."  Basically, with one notable exception, a physician cannot share personally identifiable information with anyone without explicit permission from the patient.  That includes anything in the chart.  The one exception is by and within insurance companies -- their lobbyists were better financed, so some skeptics say.

That law hit practicing physicians by surprise.  For example, in some instances, a surgeon was not allowed to share the patient's chart with the surgical pathologist without explicit permission, and permission forms at the time did not include that.  That was almost a disaster for hospital-based physicians.  Pathologists were affected most as they infrequently actually see the patient to ask permission.  That problem has largely been fixed.

The legacy of that stays with me.  My email address that I shared with EEVBlog is personally identifiable, and if HIPAA applied, it should not be shared with anyone -- reputable or not -- without my permission.  "Business associate" or not, and so forth. Such a law doesn't exist in the US or Australia to my knowledge, but I think it is worth considering whether the concept can be adapted reasonably to the problem you face in combating spammers and worse.

It's a given that moderators need access to email addresses to do their jobs.  If you could download the database from that site and then test individual email addresses against that database locally, that might be safe.  But that database is probably huge, and the site owner has good reasons not to share it.  Would it be practical only to download email addresses associated with certain domains or domains + partial addresses associated with suspected bad actors, and then test their actual addresses against the addresses you have locally?  I don't know enough of the subject to suggest a reasonable solution, but my background leads me to not share information, regardless of how much I may trust the other entity, without getting a potentially affected individual's permission.

Anyway, any breach was done by me checking my email address, not you.  I accept accountability for doing that.
 

Online Halcyon (Topic starter)

  • Global Moderator
  • *****
  • Posts: 5681
  • Country: au
Re: Check your email address(s) and passwords for cyber security breaches
« Reply #35 on: January 13, 2023, 12:58:40 am »
I'm aware of HIPAA and other such privacy regulations (mostly in Australia). My day job (which happens to be in cybersecurity) involves conducting security assessments as well as investigating breaches. Some of these breaches are "reportable" (for example, financial sectors). We do have privacy laws in Australia which do control how and what information is shared and of course that varies among organisations and industries. Since we're talking about laws and regulations, in this particular instance, I'm not bound by legislation to seek your permission, but that's getting beyond the scope of what happened/what we are talking about. You may object based on your own personal opinions and morals.

I agree with you, an email address is personally identifiable (in most respects) and whilst I understand where you're coming from and the concerns you raised, let me make it clear that your (or anyone else's) email address was not "shared" with anyone. It has not been stored anywhere except for the servers that run the EEVblog forum (and that's because you provided it). There is a clear distinction between "sharing" and my actions of submitting an email address for checking against a known list and then having that data discarded. No one else but me saw or will ever see those addresses.

Also, whilst HIBP does provide a list of compromised password hashes for anyone to download, it does not (and will never) supply a complete dump of compromised email addresses. That is the opposite to cybersecurity and is not what that service is about.

At the end of the day, I stand by my actions and strongly believe they were reasonable and justifiable. My actions were ultimately for the greater good. Should the breach actually have occurred on our end, I suspect people would have a very different reaction. Damned if you do, damned if you don't.
« Last Edit: January 13, 2023, 01:03:51 am by Halcyon »
 
The following users thanked this post: thm_w, alexnoot

Offline thm_w

  • Super Contributor
  • ***
  • Posts: 6389
  • Country: ca
  • Non-expert
Re: Check your email address(s) and passwords for cyber security breaches
« Reply #36 on: January 13, 2023, 01:41:58 am »
Imagine caring about security of others and having people complain that you brought it up.
Profile -> Modify profile -> Look and Layout ->  Don't show users' signatures
 
The following users thanked this post: alexanderbrevig, Halcyon, newbrain, Buriedcode, james_s

Offline Shock

  • Super Contributor
  • ***
  • Posts: 4219
  • Country: au
Re: Check your email address(s) and passwords for cyber security breaches
« Reply #37 on: January 13, 2023, 02:04:38 am »
In the world of security, posting credentials used on one website to another unrelated website is the worst idea ever (as already stated). Even if it is "trusted", which is a total fallacy.

Better advice is use unique strong passwords and if required ensure a reliable recovery method to regain access to a lost email account. If you suspect a website account has been compromised check the recovery email and security questions etc and then change passwords, again unique and strong.

I know the argument claiming their info was already in the public domain is enticing but users would reasonably expect those details (especially if hidden) not to be entered into another website without permission.
« Last Edit: January 13, 2023, 03:01:10 am by Shock »
Soldering/Rework: Pace ADS200, Pace MBT350
Multimeters: Fluke 189, 87V, 117, 112   >>> WANTED STUFF <<<
Oszilloskopen: Lecroy 9314, Phillips PM3065, Tektronix 2215a, 314
 

Online Halcyon (Topic starter)

  • Global Moderator
  • *****
  • Posts: 5681
  • Country: au
Re: Check your email address(s) and passwords for cyber security breaches
« Reply #38 on: January 13, 2023, 03:54:44 am »
At the end of the day, the advice I have given is sound, but it doesn't work for everyone. Just like not everyone likes long, complex passwords, or the use of password managers. Adopt your own cybersecurity posture in a way that suits you based on some of the fundamental principles. There are countless sources of reliable information out there from plenty of other industry experts, as I said, you don't have to take my word for it, conduct your own research and make your own assessments.

We could go back and forth for weeks. I've said what I've said, I've done what I've done. Upon review, I wouldn't have approached things any differently.

Unless there are any further developments, I consider this matter appropriately dealt with. Feel free to discuss among yourselves.
 
The following users thanked this post: thm_w

Offline Monkeh

  • Super Contributor
  • ***
  • Posts: 7992
  • Country: gb
Re: Check your email address(s) and passwords for cyber security breaches
« Reply #39 on: January 13, 2023, 04:01:17 am »
 :popcorn:
 

Offline MK14

  • Super Contributor
  • ***
  • Posts: 4539
  • Country: gb
Re: Check your email address(s) and passwords for cyber security breaches
« Reply #40 on: January 13, 2023, 06:11:42 am »
Although, on the one hand, I want to basically praise, and agree with what you have been doing and done.  On the other hand, ...

I checked the registered email addresses of all these users (just a small handful at this stage) and all but 1 have been compromised in a known data breach involving one or more third-parties.
Before anyone panics, it's important to stress that the breached sites/services do not include EEVblog, the forum or anything connected to Dave.

How exactly did they (the hackers/spammers, or whatever they should be called) know which emails belonged to EEVblog members?

Did they (something on the lines of) have a big list of compromised emails (tens of thousands, or millions or more), and speculatively attempt to use each one to either log on or change passwords on this forum?

Because if they did, and it was scripted/automated (on their side), server/router/etc automated rules (whatever it's called) possibly could have auto-banned the (presumably) single IP they used for such attempted account breaching.  I.e. a single IP address shouldn't be able to try many different email addresses without being challenged and/or given big/powerful captcha hurdles.

Also, the webpage which allows changing forgotten passwords (if applicable in this case, I don't know) could have a powerful captcha, to hopefully largely avert mass automated scripts from trying out massive lists of compromised email addresses.

One solution, would be an automatic, big captcha or set of them, when logging in to an account, which has been dormant for a period of time (no logins or posts).  E.g. 1 Month.

The current CAPTCHAs seem to be way too easy.  E.g. one seems to always say what is 84 / 2, which of course is 42.  But there is a second one, which is a little bit difficult, but not especially so.

Obviously there are many ways of improving (if necessary), such security.  There could be add on packages, which improve it, for the forum software.

Maybe the differing country code (from the IP address), I presume, could flag a possible security breach, and/or increase the number/difficulty of CAPTCHAs.
« Last Edit: January 13, 2023, 06:13:51 am by MK14 »
 

Online Halcyon (Topic starter)

  • Global Moderator
  • *****
  • Posts: 5681
  • Country: au
Re: Check your email address(s) and passwords for cyber security breaches
« Reply #41 on: January 13, 2023, 11:56:02 am »
Really good questions MK14, to which I don't have all the answers.

Having spoken with Gnif (who administers the server side of things), I am satisfied that the breach did not occur on our end (I won't get into specifics). Among other things, should a list of usernames or email addresses have been leaked from our end, I'd expect a lot of users being sent automated emails with authentication failures. That hasn't happened. If it was a breach of both usernames and passwords, the fallout would have been far worse.

For all we know, it could have been part of the LastPass breach where usernames/passwords were stored alongside names of services or URLs. But that is pure speculation at this point. What I do suspect however is that the compromises against the forum accounts were automated, so we're probably looking at some kind of script or bot. In breaches of this nature, you don't tend to see actual humans plugging away at servers manually. The exceptions I've seen are some SQL injection attacks against low-hanging fruit, but even then, it still tends to be semi-automated.

We managed to identify that the traffic was coming from one particular IP address (which to no surprise, was a VPN). That IP has since been blocked and it looks like it has stopped the activity we were seeing previously. I suspect the automation in-place sees this as bad username/password and moves on to the next in the list, as opposed to changing IP addresses and re-trying. Again, this is just an educated guess at this point.

What "could be done" to protect against this and other types of spam/scams in the future is limited. I don't administer the server side of things and I'm not going to pretend to understand how SMF and its plug-ins work. That's Gnif's specialty. I've never set up a forum server in my life. I've come up with suggestions in the past to improve functionality but sometimes it's the case where it's easier said than done, or implementation of one thing breaks others. I'll let Gnif chime in here if he wants to.

I will say however that threat intelligence is a skill like any other and we don't want to completely give away our hand, what we know, or how we block threats. If someone is specifically targeting Dave and EEVblog, we want to keep them in the dark so they can't adjust their attack methods to get around specific mitigations.
« Last Edit: January 13, 2023, 12:11:02 pm by Halcyon »
 
The following users thanked this post: MK14

Offline alexanderbrevig

  • Frequent Contributor
  • **
  • Posts: 700
  • Country: no
  • Musician, developer and EE hobbyist
    • alexanderbrevig.com
Re: Check your email address(s) and passwords for cyber security breaches
« Reply #42 on: January 13, 2023, 12:31:18 pm »
Most likely this forum is on a list of known SMF installs. I don't think it's unlikely that the new Twitter leak is to blame. Probably they found tweets from leaked accounts with a URL matching their SMF dictionary. Then it's just a matter of trying those matches against this login.

I do not at all think they "know which emails, belonged to EEVblog members" but rather discovered a likelihood based on OSINT, and simply tried all the candidates.
 
The following users thanked this post: MK14

Offline madires

  • Super Contributor
  • ***
  • Posts: 7765
  • Country: de
  • A qualified hobbyist ;)
Re: Check your email address(s) and passwords for cyber security breaches
« Reply #43 on: January 13, 2023, 12:40:42 pm »
The legacy of that stays with me.  My email address that I shared with EEVBlog is personally identifiable, and if HIPAA applied, it should not be shared with anyone -- reputable or not -- without my permission.

Isn't HIPAA meant for medical data only?
 

Online Halcyon (Topic starter)

  • Global Moderator
  • *****
  • Posts: 5681
  • Country: au
Re: Check your email address(s) and passwords for cyber security breaches
« Reply #44 on: January 13, 2023, 12:46:40 pm »
Most likely this forum is on a list of known SMF installs. I don't think it's unlikely that the new Twitter leak is to blame. Probably they found tweets from leaked accounts with a URL matching their SMF dictionary. Then it's just a matter of trying those matches against this login.

I do not at all think they "know which emails, belonged to EEVblog members" but rather discovered a likelihood based on OSINT, and simply tried all the candidates.

Yep. You're probably right.

If you can think of a way to exploit a system or at least automate some kind of list, chances are someone, somewhere has already done it 10x better and faster.
« Last Edit: January 13, 2023, 12:48:21 pm by Halcyon »
 

Offline madires

  • Super Contributor
  • ***
  • Posts: 7765
  • Country: de
  • A qualified hobbyist ;)
Re: Check your email address(s) and passwords for cyber security breaches
« Reply #45 on: January 13, 2023, 01:10:42 pm »
Because if they did, and it was scripted/automated (on their side), server/router/etc automated rules (whatever it's called) possibly could have auto-banned the (presumably) single IP they used for such attempted account breaching.  I.e. a single IP address shouldn't be able to try many different email addresses without being challenged and/or given big/powerful captcha hurdles.

Some botnets are a bit more professional and perform controlled distributed attacks/scans, i.e. from many different IP addresses with random delays to hide their activity in the common noise created by the bad guys. Can be quite hard to spot.
 
The following users thanked this post: MK14
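Added example, not the forum's or SMF's code: the two signals discussed in MK14's post and madires' reply above, run over constructed login-log lines. Signal 1 is the per-IP rule (one address trying many different accounts in a short window); signal 2 is a global failed-login burst, which still fires when the attempts are spread over many addresses, as long as the volume rises above a quiet-period baseline. The log format, thresholds and baseline are assumptions made for the example.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple, Tuple


class Event(NamedTuple):
    ts: datetime
    result: str   # "ok" or "fail"
    user: str
    ip: str


# Assumed log format, chosen for the example (SMF's real log lines differ).
LOG_RE = re.compile(
    r"^(?P<ts>\S+) login (?P<result>ok|fail) user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)

# Constructed sample: normal traffic, one address walking a list of accounts
# (203.0.113.7), then a distributed burst from five 198.51.100.x addresses,
# each trying a single account once.
SAMPLE_LOG = """\
2023-01-12T10:00:05 login ok user=alice ip=192.0.2.10
2023-01-12T10:03:12 login fail user=bob ip=192.0.2.11
2023-01-12T10:03:40 login ok user=bob ip=192.0.2.11
2023-01-12T10:10:00 login fail user=u1@example.net ip=203.0.113.7
2023-01-12T10:10:03 login fail user=u2@example.net ip=203.0.113.7
2023-01-12T10:10:06 login fail user=u3@example.net ip=203.0.113.7
2023-01-12T10:10:09 login ok user=u4@example.net ip=203.0.113.7
2023-01-12T10:10:12 login fail user=u5@example.net ip=203.0.113.7
2023-01-12T10:10:15 login fail user=u6@example.net ip=203.0.113.7
2023-01-12T10:30:01 login fail user=v1@example.net ip=198.51.100.1
2023-01-12T10:30:07 login fail user=v2@example.net ip=198.51.100.2
2023-01-12T10:30:19 login fail user=v3@example.net ip=198.51.100.3
2023-01-12T10:30:33 login fail user=v4@example.net ip=198.51.100.4
2023-01-12T10:30:48 login fail user=v5@example.net ip=198.51.100.5
"""


def parse_log(text: str) -> List[Event]:
    """Parse matching lines into time-ordered events; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        events.append(Event(datetime.fromisoformat(m["ts"]),
                            m["result"], m["user"], m["ip"]))
    return sorted(events, key=lambda e: e.ts)


def ips_trying_many_accounts(events: List[Event],
                             window: timedelta = timedelta(minutes=5),
                             max_distinct: int = 3) -> Dict[str, int]:
    """Signal 1: per source IP, the peak number of distinct accounts attempted
    within any `window`; IPs whose peak exceeds `max_distinct` are returned.
    Successful logins count too: a stuffing run that hits one reused password
    still looks like a list being walked."""
    by_ip: Dict[str, List[Event]] = defaultdict(list)
    for e in events:
        by_ip[e.ip].append(e)
    flagged: Dict[str, int] = {}
    for ip, evs in by_ip.items():
        in_window: deque = deque()
        users: Counter = Counter()
        peak = 0
        for e in evs:   # already time-ordered from parse_log
            in_window.append(e)
            users[e.user] += 1
            while e.ts - in_window[0].ts > window:   # evict expired events
                old = in_window.popleft()
                users[old.user] -= 1
                if users[old.user] == 0:
                    del users[old.user]
            peak = max(peak, len(users))
        if peak > max_distinct:
            flagged[ip] = peak
    return flagged


def failed_login_bursts(events: List[Event],
                        bucket: timedelta = timedelta(minutes=1),
                        baseline_fails: float = 1.0,
                        factor: float = 3.0) -> Dict[str, Tuple[int, int]]:
    """Signal 2: failed logins per time bucket against an assumed quiet-period
    baseline (failures per bucket). Flagged buckets map to
    (failures, distinct source IPs), so a distributed run shows up as many IPs.
    Per-IP rules miss that case; well-paced, low-volume runs can evade this too."""
    epoch = datetime(2000, 1, 1)
    fails: Counter = Counter()
    ips: Dict[datetime, set] = defaultdict(set)
    for e in events:
        if e.result != "fail":
            continue
        start = epoch + ((e.ts - epoch) // bucket) * bucket   # floor to bucket
        fails[start] += 1
        ips[start].add(e.ip)
    return {start.isoformat(): (n, len(ips[start]))
            for start, n in sorted(fails.items()) if n > factor * baseline_fails}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("per-IP list walking:", ips_trying_many_accounts(evs))
    print("failed-login bursts:", failed_login_bursts(evs))
```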

Offline AndyBeez

  • Frequent Contributor
  • **
  • Posts: 856
  • Country: nu
Re: Check your email address(s) and passwords for cyber security breaches
« Reply #46 on: January 13, 2023, 01:30:56 pm »
@Halcyon: ever feel you're p*ssing in the breeze with some of these guys?
 
The following users thanked this post: SeanB

Online magic

  • Super Contributor
  • ***
  • Posts: 6779
  • Country: pl
Re: Check your email address(s) and passwords for cyber security breaches
« Reply #47 on: January 13, 2023, 01:59:51 pm »
To be fair, typing your users' email addresses into some random 3rd party website would probably be illegal under current EUSSR regulations; dunno how the situation is in Oz.
 

Offline Shock

  • Super Contributor
  • ***
  • Posts: 4219
  • Country: au
Re: Check your email address(s) and passwords for cyber security breaches
« Reply #48 on: January 13, 2023, 03:30:11 pm »
At the end of the day, the advice I have given is sound, but it doesn't work for everyone.

Not sound advice, which is why people are bringing it up.

There are circumstances where it's acceptable (if you ask for permission) but I think you are confusing forum members' credentials with your employees' or clients' credentials.

The bit about who you work for, your government customers, the password management you use, the fact you are getting spam in your inbox, all useful to hackers. Quick harvest of all the published emails on the forum and a phishing attack linking to this thread with all the people backing you up saying this is good advice makes it easier to exploit the situation.

Which is why it's never a good idea to discuss security stuff openly on the forum, which hopefully you may take on board with the other advice given.
« Last Edit: January 13, 2023, 03:56:08 pm by Shock »
Soldering/Rework: Pace ADS200, Pace MBT350
Multimeters: Fluke 189, 87V, 117, 112   >>> WANTED STUFF <<<
Oszilloskopen: Lecroy 9314, Phillips PM3065, Tektronix 2215a, 314
 

Offline MK14

  • Super Contributor
  • ***
  • Posts: 4539
  • Country: gb
Re: Check your email address(s) and passwords for cyber security breaches
« Reply #49 on: January 13, 2023, 06:39:24 pm »
Some botnets are a bit more professional and perform controlled distributed attacks/scans, i.e. from many different IP addresses with random delays to hide their activity in the common noise created by the bad guys. Can be quite hard to spot.

I agree, and think it is generally accepted that some of the measures I mentioned (and similar techniques) pick up or prevent (wild estimate) 50% to 90% of possible attacks.  But that is still at least an improvement.

On the bright side though, this website (forum) seems to only primarily record people's email addresses and some metadata (their IP addresses etc).  So, unless a user shares more information (e.g. by using a password shared with other things), or provides more contact information etc., there is relatively little information that powerful hacks on the forum webserver would be able to obtain.

As I see it, if you have used that same email address on 25 to 200+ websites already, sooner or later (but not definitely) that email address will risk becoming relatively common knowledge to some bad guys.
« Last Edit: January 13, 2023, 06:41:25 pm by MK14 »
 

Offline mendip_discovery

  • Frequent Contributor
  • **
  • Posts: 851
  • Country: gb
Re: Check your email address(s) and passwords for cyber security breaches
« Reply #50 on: January 13, 2023, 07:25:38 pm »
<hat=tin_foil>
One good practice is to use different email addresses and different passwords for things. I'm getting close to using a password generator to generate really random email addresses.

My old trick was to use a name that would give me a clue as to who leaked. BinDivingAustralian@my.domain.com for this forum as an example. As a leaky site would usually mean that email getting hammered and I could block it and move on.

Not a big fan of overuse of 2FA because when my mobile gets leaked that means the attackers have another vector to attack me via. Rendering 2FA redundant. I use it only on stuff I care about.

Also I wouldn't worry about the pwned site, I can vouch it's fairly safe for use.
Motorcyclist, Nerd, and I work in a Calibration Lab :-)
--
So everyone is clear, Calibration = Taking Measurement against a known source, Verification = Checking Calibration against Specification, Adjustment = Adjusting the unit to be within specifications.
 
The following users thanked this post: MK14

Online Halcyon (Topic starter)

  • Global Moderator
  • *****
  • Posts: 5681
  • Country: au
Re: Check your email address(s) and passwords for cyber security breaches
« Reply #51 on: January 14, 2023, 01:24:33 am »
@Halcyon: ever feel you're p*ssing in the breeze with some of these guys?

Yes, sometimes, but I don't mind. Sometimes pissing in the wind can feel cathartic.

Like many people on this forum, my focus and energy goes into the vast majority of people who contribute positively and learn something new from others. The IT industry as a whole is so opinionated. Some people are quick to forget that there is more than one right way to do most things, but if it's not their way, it's somehow "wrong". I mostly ignore those people. Likewise people who criticise someone else's opinion without providing a proper explanation and have a lack of proper understanding of what's being discussed.

I don't mind engaging once in a while, if it means only 1 person learns something they didn't know before, then it's a win in my books.

I also don't mind being proven wrong, because it means I learned something new and am better off for it. But so far, from the loud minority, I've only received "nope you're wrong" with no in-depth analysis or substance to their argument. It always amuses me when people come at me with a counter-argument, but then want me to do their homework for them. I guess this is why flat-earthers exist?
 
The following users thanked this post: SeanB, thm_w, MK14, AndyBeez

Offline Black Phoenix

  • Super Contributor
  • ***
  • Posts: 1129
  • Country: hk
Re: Check your email address(s) and passwords for cyber security breaches
« Reply #52 on: January 14, 2023, 03:26:34 am »
Halcyon, thank you for the warning. My email was leaked in one of the data breaches of a Manga Website, Mangadex but I use a different password for each website, and that one was already replaced by a different one that is also not reused.

Although it is almost time for me to change all the passwords again for all the websites I'm registered on (and delete accounts from the ones I don't need anymore).
 
The following users thanked this post: MK14

Online Halcyon (Topic starter)

  • Global Moderator
  • *****
  • Posts: 5681
  • Country: au
Re: Check your email address(s) and passwords for cyber security breaches
« Reply #53 on: January 14, 2023, 04:30:19 am »
Halcyon, thank you for the warning. My email was leaked in one of the data breaches of a Manga Website, Mangadex but I use a different password for each website, and that one was already replaced by a different one that is also not reused.

Although it is almost time for me to change all the passwords again for all the websites I'm registered on (and delete accounts from the ones I don't need anymore).

Really good advice. It's amazing how many user accounts people accumulate over the years. I did a full audit of all my accounts last year when I replaced my old KeePass database with Bitwarden. I think I ended up cancelling about 30 or so accounts that I never used (or at least sanitised them of any personal data and changed the email address to a "blackhole" Gmail account I only use for abandoned accounts).

Reputable password managers like 1Password and Bitwarden also integrate with the HIBP API so you can check your passwords automatically against any known data disclosures. I believe Firefox and Chrome also have similar integration.
 
The following users thanked this post: SeanB, thm_w, MK14

Offline SeanB

  • Super Contributor
  • ***
  • Posts: 16284
  • Country: za
Re: Check your email address(s) and passwords for cyber security breaches
« Reply #54 on: January 14, 2023, 07:30:11 am »
I will add that you can download the password list from HIBP, and use it locally. It is a zip file, and will take a good few minutes to extract to the massive text file. Yes I found some of my passwords in there, and did change them a while ago, but looks like with the latest LP breach I will have to do a good number of updates as well on the lot soon.
 
The following users thanked this post: Shock
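Added example, not code from this thread, from HIBP or from any password manager: the password check in the two forms discussed above, online through the Pwned Passwords k-anonymity range API that password managers use (only the first 5 hex characters of the SHA-1 hash leave the machine, and the match is done locally), and offline against a locally downloaded list as SeanB describes. The "HASH:COUNT" line format of the local dump, the sample counts and the second hash are assumptions made for the example.

```python
import hashlib
import urllib.request
from typing import Callable, Dict, Iterable

RANGE_API = "https://api.pwnedpasswords.com/range/"


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password, the key the corpus is indexed by."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse a range API body: one 'SUFFIX:COUNT' per line (CRLF separated).

    Entries with a count of 0 are padding (returned when the client asks for
    it, so response sizes do not reveal the bucket) and are dropped here.
    """
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if not sep:
            continue
        n = int(count)
        if n > 0:
            counts[suffix.upper()] = n
    return counts


def pwned_count_online(password: str, fetch_range: Callable[[str], str]) -> int:
    """k-anonymity lookup: only the 5-character hash prefix is sent.

    fetch_range(prefix) returns the raw response body for that prefix; the
    caller supplies it so the check can be exercised without network access.
    """
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def http_fetch_range(prefix: str) -> str:
    """Live fetch for real use (not exercised by the offline demo below)."""
    req = urllib.request.Request(
        RANGE_API + prefix,
        headers={"User-Agent": "hibp-check-example", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count_offline(password: str, lines: Iterable[str]) -> int:
    """Streaming scan of a local 'SHA1HASH:COUNT' dump (assumed format).

    Nothing about the password leaves the machine, and the file is consumed
    line by line rather than loaded whole, which matters for a list this size.
    """
    target = sha1_hex(password)
    for line in lines:
        digest, sep, count = line.strip().partition(":")
        if sep and digest.upper() == target:
            return int(count)
    return 0


# Constructed sample data. SHA-1("password") is
# 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8; the counts and the other hashes
# are made up for this example and are not real HIBP figures.
SAMPLE_RANGE_RESPONSES = {
    "5BAA6": (
        "0018A45C4D1DEF81644B54AB7F969B88D65:2\r\n"
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345\r\n"
        "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:0\r\n"   # padding entry
    ),
}

SAMPLE_LOCAL_DUMP = [
    "5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8:12345",
    "0123456789ABCDEF0123456789ABCDEF01234567:7",
]


def sample_fetch_range(prefix: str) -> str:
    """Stand-in for http_fetch_range that serves the constructed buckets."""
    return SAMPLE_RANGE_RESPONSES.get(prefix, "")


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        online = pwned_count_online(pw, sample_fetch_range)
        offline = pwned_count_offline(pw, SAMPLE_LOCAL_DUMP)
        print(f"{pw!r}: online={online} offline={offline}")
```

To run against the live service, pass http_fetch_range instead of sample_fetch_range; for the offline path, pass an open file handle over the downloaded list.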

Offline Shock

  • Super Contributor
  • ***
  • Posts: 4219
  • Country: au
Re: Check your email address(s) and passwords for cyber security breaches
« Reply #55 on: January 14, 2023, 07:33:15 am »
Like many people on this forum, my focus and energy goes into the vast majority of people who contribute positively and learn something new from others. The IT industry as a whole is so opinionated. Some people are quick to forget that there is more than one right way to do most things, but if it's not their way, it's somehow "wrong". I mostly ignore those people. Likewise people who criticise someone else's opinion without providing a proper explanation and have a lack of proper understanding of what's being discussed.

I don't mind engaging once in a while, if it means only 1 person learns something they didn't know before, then it's a win in my books.

I also don't mind being proven wrong, because it means I learned something new and am better off for it. But so far, from the loud minority, I've only received "nope you're wrong" with no in-depth analysis or substance to their argument. It always amuses me when people come at me with a counter-argument, but then want me to do their homework for them. I guess this is why flat-earthers exist?

Well some of us don't inherently trust websites enough to direct 60,000 users or their companies' clients to them. Entering private authentication and recovery credentials which if monitored/misused may grant access to sensitive data, intellectual property. Then there is potential liability if they are not the full owner of the credentials or it results in further attacks or loss.

The fools we are for considering the risks associated with this.

@All

As with what SeanB posted, offline searches are a way better idea. I have no problem with obfuscated or partial data matching (with caveats) but typical users aren't controlling their email domains for a catch-all solution which is far more appropriate.

I also agree with what Mendip_discovery was saying, this is very accurate advice until he got to the bit about "vouching" for websites.

I think Eevblog/Dave has made good ethical choices on policy. Until as previously mentioned Halcyon advised (if he feels entitled to do so) he may submit your private credentials to an exploit data matching website (or elsewhere) without your permission. We know it was likely done under limited circumstances but still it's a concerning breach of trust and has potential legal consequences. Of course trust is the modern dilemma and many companies and governments use personal data like their own play toys these days and give zero fucks about damage caused by it.
« Last Edit: January 14, 2023, 11:20:41 am by Shock »
Soldering/Rework: Pace ADS200, Pace MBT350
Multimeters: Fluke 189, 87V, 117, 112   >>> WANTED STUFF <<<
Oszilloskopen: Lecroy 9314, Phillips PM3065, Tektronix 2215a, 314
 

Offline Black Phoenix

  • Super Contributor
  • ***
  • Posts: 1129
  • Country: hk
Re: Check your email address(s) and passwords for cyber security breaches
« Reply #56 on: January 14, 2023, 03:07:41 pm »
Halcyon, thank you for the warning. My email was leaked in one of the data breaches of a Manga Website, Mangadex but I use a different password for each website, and that one was already replaced by a different one that is also not reused.

Although it is almost time for me to change all the passwords again for all the websites I'm registered on (and delete accounts from the ones I don't need anymore).

Really good advice. It's amazing how many user accounts people accumulate over the years. I did a full audit of all my accounts last year when I replaced my old KeePass database with Bitwarden. I think I ended up cancelling about 30 or so accounts that I never used (or at least sanitised them of any personal data and changed the email address to a "blackhole" Gmail account I only use for abandoned accounts).

Reputable password managers like 1Password and Bitwarden, also integrate with the HIBP API so you can check your passwords automatically against any known data disclosures. I believe Firefox and Chrome also have similar integration.

I'm still in the KeePass camp. I have 3 copies of the database: one on my laptop, one on my NAS and one offsite. When I make changes in one, I sync with the other 2, so they are always up to date.

Also there is only one person who knows the pass of my database other than me, in case something happens to me and it's needed to access any account for whatever purpose.
 

Offline Shock

  • Super Contributor
  • ***
  • Posts: 4219
  • Country: au
Re: Check your email address(s) and passwords for cyber security breaches
« Reply #57 on: January 14, 2023, 09:09:14 pm »
I'm still in the KeePass camp. I have 3 copies of the database: one on my laptop, one on my NAS and one offsite. When I make changes in one, I sync with the other 2, so they are always up to date.

If you are doing this for disaster recovery purposes, keep some older backups as well as periodic copies of the installation software. Test the full software installation and recovery of an old backup on another device or vm to ensure it can be restored. It's easy to mistake backups for redundancy and vice versa.
Soldering/Rework: Pace ADS200, Pace MBT350
Multimeters: Fluke 189, 87V, 117, 112   >>> WANTED STUFF <<<
Oszilloskopen: Lecroy 9314, Phillips PM3065, Tektronix 2215a, 314
 

Online HalcyonTopic starter

  • Global Moderator
  • *****
  • Posts: 5681
  • Country: au
Re: Check your email address(s) and passwords for cyber security breaches
« Reply #58 on: January 15, 2023, 12:49:57 am »
Well, some of us don't inherently trust websites enough to direct 60,000 users or their companies' clients to them. Entering private authentication and recovery credentials which, if monitored/misused, may grant access to sensitive data or intellectual property. Then there is potential liability if they are not the full owner of the credentials or it results in further attacks or loss.

No one is talking about inherently trusting websites (such as HIBP), in fact, I explicitly said that you shouldn't just take my word and experience as the complete truth without doing your own research.

But since you still don't seem to understand how this works, allow me to correct some misinformation for everyone's benefit.

By entering your password for checking via the HIBP service, neither your password nor a hashed copy of it is ever submitted outside your computer. Your password is hashed within your browser/application and only the first 5 characters of the SHA-1 hash are sent to the HIBP server. These first 5 characters are then checked against a list of known data breaches and if a partial match is found, HIBP returns an HTTP 200 response along with a list of the remaining suffixes for all password hashes that begin with the same 5 characters as your password hash (as well as how many times that password hash appears in the dataset). You can test this out for yourself and see what this looks like, in fact, I'll use a password that I previously used which was compromised in the Trillian data breach in 2015: https://api.pwnedpasswords.com/range/B3117

Your browser/application then compares the returned suffixes against your password hash and determines whether a match (AKA a compromised password) has been found. For all intents and purposes, this is your offline checking of leaked passwords without having to download, update and compare against an enormous password list.

But again, don't simply take my word for it, take the time to review what other organisations are saying about this useful and reputable service. The API is also very well documented, and since it's open source, you can download and examine the source code yourself from their Github page (if that's your thing). If you decide this isn't something that is useful to you, that's completely OK too.

As someone who works in cybersecurity, it's good practice to check your passwords against existing data breaches using services like HIBP (there are others which I don't use personally so I can't recommend them). In fact, this advice is recommended by organisations such as the US National Institute of Standards and Technology (NIST) under their SP 800-63 (Identity and Access Management) framework.

I, along with my government and non-government employees, have conducted our own assessments of this service and use it regularly for both internal and external client matters.

I hope others have found this advice as useful as I have.
« Last Edit: January 15, 2023, 12:51:57 am by Halcyon »
 
The following users thanked this post: SeanB, thm_w, MK14, m k
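The range query described in the post above, written out as an added example (this is not code from the post or from HIBP). It does the three steps the post lists: SHA-1 the password locally, send only the first five hex characters, and compare the returned suffixes on the client. The HTTP call is replaced by a constructed range response so it runs offline; the suffixes and counts in that response are made up for the example, and `live_fetch_range` is provided only for anyone who wants to point it at the real endpoint.

```python
"""Client side of the HIBP Pwned Passwords range (k-anonymity) check.

Added example for this thread; not code from the post above or from HIBP.
Only the 5-character prefix leaves the machine; the suffix match is local.
The offline response below is constructed, not real HIBP data.
"""
import hashlib
import urllib.request
from typing import Callable, Dict, Tuple

RANGE_URL = "https://api.pwnedpasswords.com/range/"
PREFIX_LEN = 5  # 5 hex chars = 20 of the 160 SHA-1 bits


def split_hash(password: str) -> Tuple[str, str]:
    """Return (prefix, suffix) of the upper-case hex SHA-1 of the password."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:PREFIX_LEN], digest[PREFIX_LEN:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse the 'SUFFIX:COUNT' lines of a range response into a dict."""
    table: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        table[suffix.upper()] = int(count)
    return table


def check_password(password: str, fetch_range: Callable[[str], str]) -> int:
    """Return the breach count for the password (0 = no match in the range).

    fetch_range(prefix) is the only network step and the prefix is the only
    thing it receives; the suffix comparison happens here, on the client.
    """
    prefix, suffix = split_hash(password)
    table = parse_range_response(fetch_range(prefix))
    return table.get(suffix, 0)


def live_fetch_range(prefix: str) -> str:
    """Real GET against the range endpoint (not used by the offline demo)."""
    req = urllib.request.Request(
        RANGE_URL + prefix,
        # Padding makes responses a similar size, so response length does not
        # reveal which prefix was requested. Padded lines carry a count of 0.
        headers={"Add-Padding": "true", "User-Agent": "range-check-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed offline response for the prefix of "password" (SHA-1 5BAA6...).
# A real response has hundreds of lines; the other suffixes and all counts
# here are invented for the example.
_PWD_PREFIX, _PWD_SUFFIX = split_hash("password")
CONSTRUCTED_RANGES: Dict[str, str] = {
    _PWD_PREFIX: "\n".join([
        "003D68EB55068C33ACE09247EE4C639306B:3",
        f"{_PWD_SUFFIX}:3861493",
        "011053FD0102E94D6AE2F8B83D76FAF94F6:1",
    ]),
}


def offline_fetch_range(prefix: str) -> str:
    """Stand-in for live_fetch_range that answers from CONSTRUCTED_RANGES."""
    return CONSTRUCTED_RANGES.get(prefix, "")


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        hits = check_password(pw, offline_fetch_range)
        print(f"{pw!r}: {'found ' + str(hits) + ' times' if hits else 'not in range'}")
```

To run it against the real service, pass `live_fetch_range` instead of `offline_fetch_range`; the prefix in the URL is the only data that leaves the machine either way, which is the property the post is describing.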

Offline Shock

  • Super Contributor
  • ***
  • Posts: 4219
  • Country: au
Re: Check your email address(s) and passwords for cyber security breaches
« Reply #59 on: January 15, 2023, 04:26:49 am »
Caveats like I said, I wouldn't have done what you did and posted a thread like this. I think people raised valid points and I'd expect it to elicit the same reaction elsewhere.

Disappointed with your response (relating to the points I and others have already made).
« Last Edit: January 15, 2023, 04:39:25 am by Shock »
Soldering/Rework: Pace ADS200, Pace MBT350
Multimeters: Fluke 189, 87V, 117, 112   >>> WANTED STUFF <<<
Oszilloskopen: Lecroy 9314, Phillips PM3065, Tektronix 2215a, 314
 

Offline m k

  • Super Contributor
  • ***
  • Posts: 2009
  • Country: fi
Re: Check your email address(s) and passwords for cyber security breaches
« Reply #60 on: January 15, 2023, 09:12:09 am »
5 characters of HIBP against big numbers is pretty exponential.
5+5 is already 10G pieces, and the remaining part is just a few still pictures.
How long ago was it that the majority of global traffic was SPAM?

For the privacy I'd say that name, address, phone number, email address, social security number, username and password hash are public information.
Private information is not shared around the globe.
Advance-Aneng-Appa-AVO-Beckman-Data Tech-Fluke-General Radio-H. W. Sullivan-Heathkit-HP-Kaise-Kyoritsu-Leeds & Northrup-Mastech-REO-Simpson-Sinclair-Tektronix-Tokyo Rikosha-Triplett-YFE
(plus lesser brands from the work shop of the world)
 

Online HalcyonTopic starter

  • Global Moderator
  • *****
  • Posts: 5681
  • Country: au
Re: Check your email address(s) and passwords for cyber security breaches
« Reply #61 on: January 15, 2023, 09:49:03 am »
Caveats like I said, I wouldn't have done what you did and posted a thread like this. I think people raised valid points and I'd expect it to elicit the same reaction elsewhere.

Disappointed with your response (relating to the points I and others have already made).

I agree, people did make valid points and I haven't disregarded them. However for the purposes of security of the forum and security of the information that you provide as part of your individual profile, I felt it more important to investigate what happened, with the tools available to me AND to report on it openly and honestly, rather than not.

Based on all the feedback and discussions both here in the thread and privately with others, I still maintain that the decisions made were the right ones. I would certainly be recommending a similar response were it to happen again. So far, no one has presented any evidence or a valid argument that any of the actions taken were risky, or exposed any user/personally identifiable data. No data was "disclosed" or stored outside of EEVblog (as previously explained).

I'm sorry that you and a small number of others were disappointed, but as far as I'm concerned the matter has been resolved with a positive outcome with no risk to the rest of the forum users. Whilst I don't like to disappoint people, the integrity of this forum and its users comes before preserving your personal feelings.
« Last Edit: January 15, 2023, 09:59:11 am by Halcyon »
 

Online magic

  • Super Contributor
  • ***
  • Posts: 6779
  • Country: pl
Re: Check your email address(s) and passwords for cyber security breaches
« Reply #62 on: January 15, 2023, 10:07:52 am »
But since you still don't seem to understand how this works, allow me to correct some misinformation for everyone's benefit.

By entering your password for checking via the HIBP service, neither your password nor a hashed copy of it is ever submitted outside your computer. Your password is hashed within your browser/application and only the first 5 characters of the SHA-1 hash are sent to the HIBP server. These first 5 characters are then checked against a list of known data breaches and if a partial match is found, HIBP returns an HTTP 200 response along with a list of the remaining suffixes for all password hashes that begin with the same 5 characters as your password hash (as well as how many times that password hash appears in the dataset). You can test this out for yourself and see what this looks like, in fact, I'll use a password that I previously used which was compromised in the Trillian data breach in 2015: https://api.pwnedpasswords.com/range/B3117

Your browser/application then compares the returned suffixes against your password hash and determines whether a match (AKA a compromised password) has been found. For all intents and purposes, this is your offline checking of leaked passwords without having to download, update and compare against an enormous password list.

But again, don't simply take my word for it, take the time to review what other organisations are saying about this useful and reputable service. The API is also very well documented, and since it's open source, you can download and examine the source code yourself from their Github page (if that's your thing). If you decide this isn't something that is useful to you, that's completely OK too.
Correct me if I'm wrong, but I presume you didn't use any vetted client to access their API, but instead simply punched the email addresses into their website, which may or may not be compromised at any given time and you have zero control over it. You presumably don't bother verifying the embedded MalwareScript each time you use the website, either.
 

Online HalcyonTopic starter

  • Global Moderator
  • *****
  • Posts: 5681
  • Country: au
Re: Check your email address(s) and passwords for cyber security breaches
« Reply #63 on: January 15, 2023, 10:18:36 am »
Correct me if I'm wrong, but I presume you didn't use any vetted client to access their API, but instead simply punched the email addresses into their website, which may or may not be compromised at any given time and you have zero control over it. You presumably don't bother verifying the embedded MalwareScript each time you use the website, either.

You're wrong.

The method was via the API on a known-clean forensic workstation (same process as I would undertake for clients with sensitive data, or data subject to Government security classifications or protective markings).

The image of that particular workstation undergoes constant assessment. On top of that, we deploy the VMware Carbon Black EDR tool.

As I said, no data was put at risk. Feel free to provide any evidence to the contrary and I'll review it. As I said early on, guess-work and assumptions are not evidence.
 
The following users thanked this post: thm_w, PlainName, alexanderbrevig, AVGresponding, mendip_discovery, alexnoot

Offline madires

  • Super Contributor
  • ***
  • Posts: 7765
  • Country: de
  • A qualified hobbyist ;)
Re: Check your email address(s) and passwords for cyber security breaches
« Reply #64 on: January 15, 2023, 12:23:45 pm »
By entering your password for checking via the HIBP service, neither your password nor a hashed copy of it is ever submitted outside your computer. Your password is hashed within your browser/application and only the first 5 characters of the SHA-1 hash are sent to the HIBP server. These first 5 characters are then checked against a list of known data breaches and if a partial match is found, HIBP returns an HTTP 200 response along with a list of the remaining suffixes for all password hashes that begin with the same 5 characters as your password hash (as well as how many times that password hash appears in the dataset).

Such password checks give me stomachache. How many users are able to check the website's JS to make sure that nothing else is done with the password entered? It could be just another phishing web page. Users are educated to NOT enter their credentials on some random web page. Now they are encouraged to do so, in the name of security. Very confusing for users!
 
The following users thanked this post: magic

Offline nctnico

  • Super Contributor
  • ***
  • Posts: 26907
  • Country: nl
    • NCT Developments
Re: Check your email address(s) and passwords for cyber security breaches
« Reply #65 on: January 15, 2023, 12:37:26 pm »
Well, some of us don't inherently trust websites enough to direct 60,000 users or their companies' clients to them. Entering private authentication and recovery credentials which, if monitored/misused, may grant access to sensitive data or intellectual property. Then there is potential liability if they are not the full owner of the credentials or it results in further attacks or loss.

No one is talking about inherently trusting websites (such as HIBP), in fact, I explicitly said that you shouldn't just take my word and experience as the complete truth without doing your own research.

But since you still don't seem to understand how this works, allow me to correct some misinformation for everyone's benefit.

By entering your password for checking via the HIBP service, neither your password nor a hashed copy of it is ever submitted outside your computer. Your password is hashed within your browser/application and only the first 5 characters of the SHA-1 hash
Just the use of SHA-1, which has been known to be broken for a long time, is a red flag. With 5 characters (I assume you mean bytes) you already have 25% of the entire hash that makes up your password. You might just as well send your password in plain text to the server.
There are small lies, big lies and then there is what is on the screen of your oscilloscope.
 

Offline alexanderbrevig

  • Frequent Contributor
  • **
  • Posts: 700
  • Country: no
  • Musician, developer and EE hobbyist
    • alexanderbrevig.com
Re: Check your email address(s) and passwords for cyber security breaches
« Reply #66 on: January 15, 2023, 01:51:57 pm »
Just the use of SHA-1, which has been known to be broken for a long time, is a red flag. With 5 characters (I assume you mean bytes) you already have 25% of the entire hash that makes up your password. You might just as well send your password in plain text to the server.

Make a proof of concept script that shows the plaintext based on the first five bytes of the SHA-1 and you will be an over-night infosec celebrity. It's not doable. It's more than good enough for its use here.

You are simply wrong.
 
The following users thanked this post: SeanB

Offline nctnico

  • Super Contributor
  • ***
  • Posts: 26907
  • Country: nl
    • NCT Developments
Re: Check your email address(s) and passwords for cyber security breaches
« Reply #67 on: January 15, 2023, 02:59:28 pm »
Just the use of SHA-1, which has been known to be broken for a long time, is a red flag. With 5 characters (I assume you mean bytes) you already have 25% of the entire hash that makes up your password. You might just as well send your password in plain text to the server.

Make a proof of concept script that shows the plaintext based on the first five bytes of the SHA-1 and you will be an over-night infosec celebrity. It's not doable. It's more than good enough for its use here.
No. With 25% of the hash you can limit the pool of passwords you need for a brute force attack and thus accelerate such an attack on a password. With SHA1 being broken you can accelerate the process of reversing the hash and thus reduce the computational time needed.
« Last Edit: January 15, 2023, 03:05:03 pm by nctnico »
There are small lies, big lies and then there is what is on the screen of your oscilloscope.
 

Offline alexanderbrevig

  • Frequent Contributor
  • **
  • Posts: 700
  • Country: no
  • Musician, developer and EE hobbyist
    • alexanderbrevig.com
Re: Check your email address(s) and passwords for cyber security breaches
« Reply #68 on: January 15, 2023, 04:30:31 pm »
https://en.m.wikipedia.org/wiki/Avalanche_effect

Still need the entire search space for finding a collision. What's worse, you will get many collisions with no true way of knowing which is the original clear text.

Congrats on hashing all the plausible clear texts only to guess the next 15 bytes from the numerous matches you will get from the first five.

You are still wrong.

I find it funny that people on here think they can challenge Cloudflare on security practices and implementation.
The math speaks for itself.
 
The following users thanked this post: Halcyon

Offline nctnico

  • Super Contributor
  • ***
  • Posts: 26907
  • Country: nl
    • NCT Developments
Re: Check your email address(s) and passwords for cyber security breaches
« Reply #69 on: January 15, 2023, 05:42:12 pm »
https://en.m.wikipedia.org/wiki/Avalanche_effect

Still need the entire search space for finding a collision. What's worse, you will get many collisions with no true way of knowing which is the original clear text.
You can insist I'm wrong but I'm definitely not. You are not getting the actual point I'm making here. With part of the hash you can determine offline which may be suitable passwords to try a brute force attack with. Most websites require a password that is like 6 or 8 characters long. Most of these passwords will be text (names, places, regular words, etc.), maybe a special character and some numbers. This creates a rather limited pool of passwords to try, but you don't know which ones to try. If you have a partial hash for the correct password, you suddenly can filter the pool of passwords to try with the ones that match the hash. So the number of passwords you have to try reduces from trillions to millions. Probably even less. From there use an algorithm that sorts the passwords in order of likelihood (maybe mix in some info that has been obtained through phishing or social engineering) and you stand a pretty good chance of using the right password after only a few tries.
There are small lies, big lies and then there is what is on the screen of your oscilloscope.
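The filtering step argued over in the last few posts, worked through on a constructed candidate pool as an added example (not code from either poster). It builds a small pool of the word-plus-digits style passwords described, hashes every candidate, groups them by the 5-hex-character (20-bit) prefix the range API sends, and reports how many candidates share a given prefix. The word list, the patterns and the pool size are assumptions for the example; a real cracking dictionary is much larger.

```python
"""What a 5-hex-character SHA-1 prefix does to a candidate password pool.

Added example for the exchange above; not code from either poster. The pool
is constructed for the example (word / Word / +NN / +NN! patterns).
"""
import hashlib
from collections import defaultdict
from typing import Dict, Iterable, List

PREFIX_BITS = 20             # 5 hex characters
BUCKETS = 2 ** PREFIX_BITS   # 1,048,576 possible prefixes


def prefix_of(candidate: str) -> str:
    """The 5 hex chars of SHA-1 that a range query would send for this candidate."""
    return hashlib.sha1(candidate.encode("utf-8")).hexdigest().upper()[:5]


def build_pool(words: Iterable[str], max_number: int) -> List[str]:
    """Constructed pool: word, Word, word+NN, word+NN! for NN in 0..max_number."""
    pool = []
    for w in words:
        for base in (w, w.capitalize()):
            pool.append(base)
            for n in range(max_number + 1):
                pool.append(f"{base}{n}")
                pool.append(f"{base}{n}!")
    return pool


def bucket_by_prefix(pool: Iterable[str]) -> Dict[str, List[str]]:
    """Group candidates by prefix; this costs one SHA-1 per candidate in the pool."""
    buckets: Dict[str, List[str]] = defaultdict(list)
    for cand in pool:
        buckets[prefix_of(cand)].append(cand)
    return buckets


def survivors(pool: Iterable[str], leaked_prefix: str) -> List[str]:
    """Candidates an attacker would keep after filtering on a known prefix."""
    return [c for c in pool if prefix_of(c) == leaked_prefix]


def expected_bucket_size(pool_size: int) -> float:
    """Mean candidates per prefix if SHA-1 output is uniform: N / 2^20."""
    return pool_size / BUCKETS


def summarize(pool: List[str]) -> Dict[str, float]:
    """Pool size, hashing work done, and how the prefixes are distributed."""
    buckets = bucket_by_prefix(pool)
    sizes = [len(b) for b in buckets.values()]
    return {
        "pool_size": len(pool),
        "hashes_computed": len(pool),   # sorting into buckets hashes the whole pool
        "distinct_prefixes": len(buckets),
        "expected_per_prefix": expected_bucket_size(len(pool)),
        "largest_bucket": max(sizes),
    }


# Constructed word list; 8 words * 2 cases * (1 + 2 * 1000) = 32,016 candidates.
WORDS = ["summer", "dragon", "monkey", "shadow", "master", "london", "coffee", "hockey"]
POOL = build_pool(WORDS, 999)

if __name__ == "__main__":
    for key, value in summarize(POOL).items():
        print(f"{key:>20}: {value}")
    target = "Summer99!"  # a member of the constructed pool
    kept = survivors(POOL, prefix_of(target))
    print(f"\nprefix {prefix_of(target)} keeps {len(kept)} of {len(POOL)} candidates: {kept}")
```

Two numbers from the output are worth comparing: `expected_per_prefix` (the pool divided by 2^20, the most a 20-bit prefix can narrow any pool) and `hashes_computed`, which equals the pool size because every candidate has to be hashed before it can be sorted into a bucket. Increase `max_number` or the word list to see how both scale with the pool.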
 

Offline Shock

  • Super Contributor
  • ***
  • Posts: 4219
  • Country: au
Re: Check your email address(s) and passwords for cyber security breaches
« Reply #70 on: January 15, 2023, 07:56:23 pm »
Better just to change them to unique strong passwords and then check your old ones if curious.

These websites are also used by people who already have leaked data, so in those cases a partial password hash and the resulting full plain-text matched password could be found and used to identify them. Other submitted credentials as well as connection identifiers can further this.
Soldering/Rework: Pace ADS200, Pace MBT350
Multimeters: Fluke 189, 87V, 117, 112   >>> WANTED STUFF <<<
Oszilloskopen: Lecroy 9314, Phillips PM3065, Tektronix 2215a, 314
 
The following users thanked this post: spostma

Online HalcyonTopic starter

  • Global Moderator
  • *****
  • Posts: 5681
  • Country: au
Re: Check your email address(s) and passwords for cyber security breaches
« Reply #71 on: January 16, 2023, 12:48:50 am »
Such password checks give me stomachache. How many users are able to check the website's JS to make sure that nothing else is done with the password entered? It could be just another phishing web page. Users are educated to NOT enter their credentials on some random web page. Now they are encouraged to do so, in the name of security. Very confusing for users!

I completely understand your hesitation. I do agree with you, it kind of goes against everything we've been taught about "not putting your passwords out there". I felt the same way many years ago when HIBP was launched.

However the service itself has been vetted time and time again by people (and governments) much smarter than me. As I mentioned before, even NIST recommend you check your passwords against known data leaks. Few users have the resources, knowledge or time to do such things with completely offline password lists. This is why simple, yet effective services like this exist and it's why they are being integrated into several reputable password managers and web browsers.

Cybersecurity is constantly changing as new threats emerge, technology changes and threat actors get more sophisticated and sneaky. Users should stay up-to-date as well so they can better protect themselves. Remember when the advice was that a long, complex (and unmemorable) password was the recommendation? Whilst that's still true today, passphrases have emerged as a "just as good, if not better" alternative (if implemented properly, such as not using song lyrics that could easily be brute forced). Some people criticised passphrases because they appeared "too simple", but when you look into it further and do the maths, it actually makes sense.

I constantly see people making the mistake of "but this is the way we've always done it", time and time again and in some cases this can lead to disaster. I could tell you some stories from work about companies being breached and having sensitive data stolen because of this mentality. At the end of the day, whether you're an expert in a given field or an end-user, you should be prepared to adapt, otherwise you'll be left behind in the dark ages.
« Last Edit: January 16, 2023, 12:50:23 pm by Halcyon »
 
The following users thanked this post: SeanB
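The "do the maths" in the post above, carried out as an added example (not code from the post). It puts the guess space of a random character password next to that of a passphrase drawn at random from a word list, and next to a "passphrase" that is really one of a corpus of well-known lyric lines, then turns bits into an average cracking time. The alphabet size, word-list size, guess rate and lyric-corpus size are assumptions chosen to make the comparison concrete.

```python
"""Guess-space arithmetic behind the passphrase-vs-password comparison.

Added example for the post above, not code from it. The constants are
assumptions: a 95-character printable alphabet, a 7776-word (5-dice) list,
an offline rate of 1e10 guesses/s against a fast hash, and a corpus of a
million well-known lines to pick a lyric from.
"""
import math
import secrets
from typing import Dict, Sequence

PRINTABLE_ASCII = 95        # characters a typical complexity rule allows
DICEWARE_WORDS = 7776       # words in a 5-dice word list (6**5)
GUESSES_PER_SECOND = 1e10   # assumed offline rate; a slow KDF lowers this a lot


def random_chars_bits(length: int, alphabet_size: int = PRINTABLE_ASCII) -> float:
    """Entropy in bits of `length` characters chosen uniformly from the alphabet."""
    return length * math.log2(alphabet_size)


def wordlist_bits(words: int, list_size: int = DICEWARE_WORDS) -> float:
    """Entropy in bits of `words` words chosen uniformly from a list."""
    return words * math.log2(list_size)


def chosen_from_corpus_bits(corpus_size: int) -> float:
    """A phrase picked from N well-known lines is one guess out of N, however long it is."""
    return math.log2(corpus_size)


def average_crack_seconds(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Expected time to hit the secret: half the space, at `rate` guesses per second."""
    return (2 ** bits / 2) / rate


def generate_passphrase(wordlist: Sequence[str], words: int) -> str:
    """Pick words with a CSPRNG; the uniform random choice is what earns the bits above."""
    return " ".join(secrets.choice(wordlist) for _ in range(words))


def comparison() -> Dict[str, float]:
    """Bits for the cases discussed in the thread."""
    return {
        "8 random chars": random_chars_bits(8),
        "12 random chars": random_chars_bits(12),
        "4 diceware words": wordlist_bits(4),
        "6 diceware words": wordlist_bits(6),
        "1 of 1e6 lyric lines": chosen_from_corpus_bits(10 ** 6),
    }


if __name__ == "__main__":
    year = 365 * 86400
    for label, bits in comparison().items():
        secs = average_crack_seconds(bits)
        print(f"{label:>22}: {bits:6.1f} bits, ~{secs / year:.3g} years at 1e10 guesses/s")
    # Demo list stands in for a real word list and is far too small for real use.
    demo_list = ["apple", "river", "stone", "cloud", "tiger", "lamp", "forest", "glass"]
    print("sample:", generate_passphrase(demo_list, 4))
```

The lyric row is the point about song lyrics: a phrase the attacker can enumerate from a corpus has the entropy of the corpus size, not of its length, which is why the passphrase only earns its bits when the words are picked at random as `generate_passphrase` does.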

Online HalcyonTopic starter

  • Global Moderator
  • *****
  • Posts: 5681
  • Country: au
Re: Check your email address(s) and passwords for cyber security breaches
« Reply #72 on: January 21, 2023, 12:54:10 am »
Just for anyone following along at home, it looks like these kinds of credential stuffing attacks (as we've seen here on this forum) are on the increase. PayPal just suffered some unauthorised access to a "handful" of user accounts: https://www.bleepingcomputer.com/news/security/paypal-accounts-breached-in-large-scale-credential-stuffing-attack/

Since the original post was made here, we've seen another 2 or 3 accounts compromised on the forum, again, all being subject to data breaches in the past. Moderators have taken steps to secure those accounts.
 
The following users thanked this post: thm_w, MK14

Offline nctnico

  • Super Contributor
  • ***
  • Posts: 26907
  • Country: nl
    • NCT Developments
Re: Check your email address(s) and passwords for cyber security breaches
« Reply #73 on: January 21, 2023, 01:01:54 am »
AFAIK lots of companies have checked their user databases against these public records and pre-emptively deactivated the passwords for breached accounts. But let's be realistic here: for many websites you don't really need that much security. Who cares if a forum account gets used by somebody else? Or somebody can login into a webshop without being able to make a payment anyway? In fact, it would be better if many of such websites just send you a link through email when you login instead of needing yet another password. The whole concept of login/password has been outdated for a while.

Things are different of course for websites like PayPal where you can do financial transactions and so on.
« Last Edit: January 21, 2023, 01:07:18 am by nctnico »
There are small lies, big lies and then there is what is on the screen of your oscilloscope.
 

Online HalcyonTopic starter

  • Global Moderator
  • *****
  • Posts: 5681
  • Country: au
Re: Check your email address(s) and passwords for cyber security breaches
« Reply #74 on: January 21, 2023, 01:04:27 am »
AFAIK lots of companies have checked their user databases against these public records and pre-emptively deactivated the passwords for breached accounts. But let's be realistic here: for many websites you don't really need that much security. Who cares if a forum account gets used by somebody else? Or somebody can login into a webshop without being able to make a payment anyway? In fact, it would be better if many of such websites just send you a link through email when you login instead of needing yet another password.

Things are different of course for websites like PayPal where you can do financial transactions and so on.

The problem is, "unimportant" websites, like forums etc... form part of the low-hanging fruit attackers love and that comes down to people being lazy, re-using the same email addresses and/or passwords for more important services.

I guess this forum is probably a little bit outside the norm as we have a large group of highly technical people who use their own domains and unique email addresses for different services, but the general population isn't like that. Most people have 1 email address for everything.
 
The following users thanked this post: SeanB, MK14

Offline nctnico

  • Super Contributor
  • ***
  • Posts: 26907
  • Country: nl
    • NCT Developments
Re: Check your email address(s) and passwords for cyber security breaches
« Reply #75 on: January 21, 2023, 01:09:53 am »
AFAIK lots of companies have checked their user databases against these public records and pre-emptively deactivated the passwords for breached accounts. But let's be realistic here: for many websites you don't really need that much security. Who cares if a forum account gets used by somebody else? Or somebody can login into a webshop without being able to make a payment anyway? In fact, it would be better if many of such websites just send you a link through email when you login instead of needing yet another password.

Things are different of course for websites like PayPal where you can do financial transactions and so on.
The problem is, "unimportant" websites, like forums etc... form part of the low-hanging fruit attackers love and that comes down to people being lazy, re-using the same email addresses and/or passwords for more important services.
The latter is not a smart move of course. Interestingly, the article you linked to also contains a link to an article saying a password manager service was compromised due to a similar attack. At some point you can't fix stupid.
There are small lies, big lies and then there is what is on the screen of your oscilloscope.
 

Offline madires

  • Super Contributor
  • ***
  • Posts: 7765
  • Country: de
  • A qualified hobbyist ;)
Re: Check your email address(s) and passwords for cyber security breaches
« Reply #76 on: January 21, 2023, 12:06:51 pm »
But let's be realistic here: for many websites you don't really need that much security. Who cares if a forum account gets used by somebody else? Or somebody can login into a webshop without being able to make a payment anyway?

If a bad guy uses your forum account to slander someone, to post illegal content or sell drugs then you might get into trouble, despite you being innocent. And with the latest ideas of the EU commission to scan for illegal content this will be even exacerbated.
 

Online HalcyonTopic starter

  • Global Moderator
  • *****
  • Posts: 5681
  • Country: au
Re: Check your email address(s) and passwords for cyber security breaches
« Reply #77 on: January 22, 2023, 02:03:02 am »
But let's be realistic here: for many websites you don't really need that much security. Who cares if a forum account gets used by somebody else? Or somebody can login into a webshop without being able to make a payment anyway?

If a bad guy uses your forum account to slander someone, to post illegal content or sell drugs then you might get into trouble, despite you being innocent. And with the latest ideas of the EU commission to scan for illegal content this will be even exacerbated.

All of those types of offences require solid evidence that the person being accused of the crime was the person actually behind the keyboard. It's not good enough to say "it was your account, so therefore you're in trouble" and that kind of thing would be extraordinarily easy to disprove or introduce doubt. For example, the EEVblog forum stores your IP address alongside every post you make (but this information is only visible to yourself and moderators/admins).

Speaking from personal experience, investigating crimes like child exploitation on the internet can be extremely difficult. In Australian courts, it's not even good enough to rely on the IP address of the user, you need additional evidence on top of all of those types of records to say "this is the person that did the bad thing", you can't just assume.
« Last Edit: January 22, 2023, 02:05:49 am by Halcyon »
 
The following users thanked this post: nctnico, thm_w, MK14

Offline mendip_discovery

  • Frequent Contributor
  • **
  • Posts: 851
  • Country: gb
Re: Check your email address(s) and passwords for cyber security breaches
« Reply #78 on: January 22, 2023, 07:29:15 am »
Who cares if a forum account gets used by somebody else?

Because to the average hacker it's somewhere to share dodgy links and random rants of propaganda. But to the skilled one, they can use it to advertise items for sale at a very attractive price, take the money and leave the original user with the reputation.

It also helps them confirm that a person has reused passwords before, so they go hunting for more places they may have used it. In our case it could be Digikey to RS, and there they can buy a load of stuff, even using stolen cards, and have it sent to a different address or even have someone call in and collect from your own house (remember reading about it once).
Motorcyclist, Nerd, and I work in a Calibration Lab :-)
--
So everyone is clear, Calibration = Taking Measurement against a known source, Verification = Checking Calibration against Specification, Adjustment = Adjusting the unit to be within specifications.
 
The following users thanked this post: SeanB, MK14

Online PlainName

  • Super Contributor
  • ***
  • Posts: 6846
  • Country: va
Re: Check your email address(s) and passwords for cyber security breaches
« Reply #79 on: January 22, 2023, 01:45:50 pm »
Who cares if a forum account gets used by somebody else?

Your reputation on that site can be used to leverage a scam. Often, security fails because some seemingly innocuous thing is compromised that leads to better (for the scammer) access. What if someone you've previously dealt with here, say, sends you a PM with a fantastic offer of 80% off something you're after? You're far more likely to fall for that one and send money than the same thing from some random Ebay account (and people fall for those).

This is also why leaking 'trivial' data is important - in itself it's nothing, but add to lots of other 'trivial' things and it can build to a powerful attack. Just knowing someone's age can tilt the balance if you're trying to impersonate them, and just look at how many users have let slip that info in the forums.
« Last Edit: January 22, 2023, 01:48:40 pm by PlainName »
 
The following users thanked this post: Halcyon

Offline madires

  • Super Contributor
  • ***
  • Posts: 7765
  • Country: de
  • A qualified hobbyist ;)
Re: Check your email address(s) and passwords for cyber security breaches
« Reply #80 on: January 22, 2023, 01:55:41 pm »
All of those types of offences require solid evidence that the person being accused of the crime was the person actually behind the keyboard. It's not good enough to say "it was your account, so therefore you're in trouble" and that kind of thing would be extraordinarily easy to disprove or introduce doubt. For example, the EEVblog forum stores your IP address alongside every post you make (but this information is only visible to yourself and moderators/admins).

Speaking from personal experience, investigating crimes like child exploitation on the internet can be extremely difficult. In Australian courts, it's not even good enough to rely on the IP address of the user, you need additional evidence on top of all of those types of records to say "this is the person that did the bad thing", you can't just assume.

Of course, innocent until proven guilty. On the other side is the public opinion on the person accused. Local media has reported multiple cases of destroyed reputations because of false allegations (child exploitation), causing social exclusion, loss of job, vandalism and more unpleasant experiences. People can be cruel.
« Last Edit: January 22, 2023, 01:57:14 pm by madires »
 

Offline vad

  • Frequent Contributor
  • **
  • Posts: 449
  • Country: us
Re: Check your email address(s) and passwords for cyber security breaches
« Reply #81 on: January 22, 2023, 02:44:15 pm »
Oh, a website that asks for passwords to see if your passwords have been stolen, what a nice idea! :-DD

What are they going to do with it? Knowing a password is useless if you don't know what it's the password to.
Stolen passwords can be added to “password dictionaries” of known passwords. Such dictionaries are traded on the darknet to hackers who use them for dictionary attacks.

Imagine you are a victim of the infamous LastPass leak, and your vault with all your passwords to your banks, to websites that have your personal information (your shipping address at Amazon, your mobile phone number, your SSN, your W-2s from your employer’s payroll provider, … ) is now in the hands of hundreds of hacker teams ranging from bored school kids to the Russian military. They bought your vault on the darknet, and all that stops them from taking full advantage of the passwords stored in the stolen LastPass vault is your master password that was used to encrypt the vault. You can either use your own imagination to picture what could happen to you if the hackers succeed in guessing the master password, or read fiction books and watch popular movies to get an artistic picture.

Now, LastPass uses the pretty strong AES-256 algorithm, and if you followed LastPass's advice carefully and had a very long random master password, you are relatively safe.

Your laptop most likely has hardware AES-256 acceleration. Modern Intel and AMD CPUs can decrypt AES-256 at speeds of the order of magnitude of 10 GB/s. A serious hacker can have access to hardware that is several orders of magnitude faster than a modern laptop.

If your vault was 100KB long (thousands of passwords), hackers can apply brute force, testing 100,000 passwords per second using a laptop, and maybe 10 million passwords per second using a farm of 100 servers.

If your memorized master password was 20 characters long, contained upper and lower case, digits and special characters (96 ASCII characters), the attacker would have to try about 10e40 passwords before breaking the vault. This would take 10e33 seconds - longer than the age of the Universe.

However, if your master password ends up in the “password dictionary”, the job would become much easier. A huge dictionary of 1 billion passwords can be checked in a few minutes, or even faster, because they probably do not have to decrypt the entire 100KB vault to test the validity of each password (depends on the vault’s data structure).

You should not trust your passwords to anyone. Definitely not to some “reputable” password checking website. You do not know who is behind it, and even if you know the owner personally, the website can be hacked tomorrow, JavaScript altered, etc. You should not trust the moderators of this forum - you probably do not even know their real names. With all respect, you should not even trust Dave when it comes to your cyber security.

In my opinion, the advice that was given by the OP was unprofessional. What’s even worse, the mistake was not corrected despite people pointing out the obvious risk of checking passwords online.
« Last Edit: January 22, 2023, 04:22:29 pm by vad »
 
The following users thanked this post: SeanB
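Editor's note: the estimate in the post above can be worked through for any length and guess rate, and it is worth seeing where the real bound on the guess rate comes from. The script below is an added example, not LastPass's or HIBP's code. The guess rates (1e5/s for a laptop, 1e7/s for a 100-server farm), the 96-symbol alphabet, the 20-character length and the 1e9-entry dictionary are the post's figures; the hash throughput and PBKDF2 iteration count in `kdf_bound_rate` are constructed assumptions. The point the KDF function makes is that a vault's master password is run through a password-based KDF (PBKDF2 in LastPass's case), so each guess costs many hash calls and the guess rate is not set by AES decryption speed at all.

```python
"""Cost of attacking an encrypted password vault: brute force vs. dictionary.

Added example for this thread, not LastPass's or HIBP's code. Guess rates,
alphabet size, length and dictionary size are the post's figures; the KDF
numbers at the end are constructed assumptions.
"""
import math

AGE_OF_UNIVERSE_S = 4.35e17   # about 13.8 billion years, for scale only
LAPTOP_RATE = 1e5             # guesses per second on a laptop (from the post)
FARM_RATE = 1e7               # guesses per second on 100 servers (from the post)


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` symbols."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy of a uniformly random password of that shape."""
    return length * math.log2(alphabet_size)


def brute_force_seconds(alphabet_size: int, length: int, rate: float) -> float:
    """Worst case: every password of that length is tried once."""
    return keyspace(alphabet_size, length) / rate


def dictionary_seconds(entries: int, rate: float) -> float:
    """Time to run an entire leaked-password dictionary at the given rate."""
    return entries / rate


def kdf_bound_rate(hashes_per_second: float, iterations: int) -> float:
    """Guess rate when each guess costs `iterations` hash calls (PBKDF2-style).

    This, not AES throughput, is what limits an offline attack on a vault:
    hashes_per_second is the attacker's raw SHA-256 speed (constructed figure),
    iterations is the vault's KDF work factor (constructed figure)."""
    return hashes_per_second / iterations


def vault_report(length: int = 20, alphabet: int = 96, dictionary: int = 10**9) -> dict:
    """Summarise the two attacks the post contrasts for one master-password shape."""
    return {
        "bits": round(entropy_bits(alphabet, length), 1),
        "brute_force_farm_universes":
            brute_force_seconds(alphabet, length, FARM_RATE) / AGE_OF_UNIVERSE_S,
        "dictionary_laptop_s": dictionary_seconds(dictionary, LAPTOP_RATE),
        "dictionary_farm_s": dictionary_seconds(dictionary, FARM_RATE),
        # constructed: 1e10 SHA-256/s rig against 100,000 PBKDF2 iterations
        "kdf_bound_guesses_per_s": kdf_bound_rate(1e10, 100_000),
    }


if __name__ == "__main__":
    for key, value in vault_report().items():
        print(f"{key:>28}: {value:,.1f}")
```

The two numbers worth comparing in the output are the brute-force time for a random 20-character password (a huge multiple of the age of the universe even at the farm rate) and the dictionary time (seconds to minutes): the password's shape is irrelevant once it is in a leaked list, which is exactly the case a breach check is meant to catch.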

Offline madires

  • Super Contributor
  • ***
  • Posts: 7765
  • Country: de
  • A qualified hobbyist ;)
Re: Check your email address(s) and passwords for cyber security breaches
« Reply #82 on: January 23, 2023, 02:23:56 pm »
More credential stuffing attacks are on the way. PayPal, sky.de, ...
 

Offline alexanderbrevig

  • Frequent Contributor
  • **
  • Posts: 700
  • Country: no
  • Musician, developer and EE hobbyist
    • alexanderbrevig.com
Re: Check your email address(s) and passwords for cyber security breaches
« Reply #83 on: January 23, 2023, 02:38:04 pm »
I'll remind you once again: logging in here you send the password.
Checking on HIBP, you do not.

Ok? Ok.
 
The following users thanked this post: Halcyon
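Editor's note: the reason a Pwned Passwords check does not send the password is that the client hashes it locally and sends only the first five hex characters of the SHA-1, then compares the returned bucket of suffixes itself. The script below is an added example illustrating that exchange; it is not HIBP's own code. The real service is queried at https://api.pwnedpasswords.com/range/<5-char prefix> and answers with "<35-char suffix>:<count>" lines; here the HTTP call is replaced by a constructed in-memory bucket (with a constructed hit count) so the script runs offline.

```python
"""What actually leaves your machine in a Pwned Passwords check.

Added example for this thread, not HIBP's own code. The real service answers
GET https://api.pwnedpasswords.com/range/<first 5 hex chars of SHA-1> with
lines of "<remaining 35 hex chars>:<count>". The network call is replaced here
by a CONSTRUCTED in-memory response so the script runs offline.
"""
import hashlib

PREFIX_LEN = 5  # hex characters of the SHA-1 that a correct client sends


def split_sha1(password: str) -> tuple[str, str]:
    """Hash locally; return the 5-char prefix (sent) and 35-char suffix (kept)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:PREFIX_LEN], digest[PREFIX_LEN:]


def disclosed_to_server(password: str) -> str:
    """The only password-derived data a correct client transmits."""
    return split_sha1(password)[0]


def parse_range_response(body: str) -> dict[str, int]:
    """Turn 'SUFFIX:COUNT' lines into {suffix: count}; tolerates blank lines."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, fetch_range) -> int:
    """Times `password` appeared in known breaches, or 0.

    `fetch_range(prefix)` returns the response body for that prefix. The suffix
    comparison happens on the client, so the server only ever sees a prefix
    shared by hundreds of unrelated passwords."""
    prefix, suffix = split_sha1(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


# --- constructed stand-in for the API -------------------------------------
# One bucket, built around the well-known weak password "password", plus an
# unrelated suffix so the bucket looks like a real multi-entry one.
_WEAK_PREFIX, _WEAK_SUFFIX = split_sha1("password")
_CONSTRUCTED_BUCKET = {
    _WEAK_PREFIX: (
        "0123456789ABCDEF0123456789ABCDEF012:2\n"
        f"{_WEAK_SUFFIX}:12345\n"   # 12345 is a constructed count
    ),
}


def fake_fetch_range(prefix: str) -> str:
    """Offline substitute for the HTTP GET; unknown prefixes get an empty bucket."""
    return _CONSTRUCTED_BUCKET.get(prefix, "")


if __name__ == "__main__":
    for pw in ["password", "correct horse battery staple"]:
        print(f"{pw!r}: sends {disclosed_to_server(pw)}, "
              f"{breach_count(pw, fake_fetch_range)} hits")
```

The guarantee depends on where the hashing runs: this script, or the genuine site's page script, does it on your own machine, whereas a lookalike page that simply posts the typed password to its own server gives the same user experience with none of the protection. That is the part of the argument that the replies about fake links address.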

Offline nctnico

  • Super Contributor
  • ***
  • Posts: 26907
  • Country: nl
    • NCT Developments
Re: Check your email address(s) and passwords for cyber security breaches
« Reply #84 on: January 23, 2023, 04:02:41 pm »
Who cares if a forum account gets used by somebody else?
Your reputation on that site can be used to leverage a scam. Often, security fails because some seemingly innocuous thing is compromised that leads to better (for the scammer) access. What if someone you've previously dealt with here, say, sends you a PM with a fantastic offer of 80% off something you're after? You're far more likely to fall for that one and send money than the same thing from some random Ebay account (and people fall for those).
That is a bit of a strawman argument. The first rule of great offers: if it is too good to be true, it usually isn't real. There is a sucker born every minute and as you already wrote yourself: people don't need to impersonate trust in order to lure suckers in.

I'll remind you once again: logging in here you send the password.
But only the password for this site.
Quote
Checking on HIBP, you do not.

Ok? Ok.
That depends entirely on whether the HIBP website you type your password in is the real website or a fake. Even this forum makes it easy to provide a fake link:
https://haveibeenpwned.com/
« Last Edit: January 23, 2023, 04:08:47 pm by nctnico »
There are small lies, big lies and then there is what is on the screen of your oscilloscope.
 

Online PlainName

  • Super Contributor
  • ***
  • Posts: 6846
  • Country: va
Re: Check your email address(s) and passwords for cyber security breaches
« Reply #85 on: January 23, 2023, 04:22:59 pm »
Quote
The first rule of great offers: if it is too good to be true, it usually isn't real.

Yes, but imagine for a moment that it's a great deal but not an unbelievable one. Or even just a so-so deal. However, that's just one simple example and in this type of hack the first chink is used to open chinks elsewhere, leading to a chain of security failures. There's a classic example of a journo that got his Apple account wiped through a non-Apple related security breach. Although this was due to an email screwup, the same thing applies - it's simply persuading whoever needs to be persuaded that the writer of the messages is pukka when they are not. From small acorns... etc.
 

Offline asmi

  • Super Contributor
  • ***
  • Posts: 2733
  • Country: ca
Re: Check your email address(s) and passwords for cyber security breaches
« Reply #86 on: January 24, 2023, 05:42:10 pm »
I recently started using unique emails for each website I want to register on by using Cloudflare's free email forwarding service. All you need for this is to register any domain (cost depends on the zone and registrar; it can be anywhere from a few bucks all the way into many tens per year), use Cloudflare for DNS (free!), and set up incoming email forwarding (again, free!). This way if you start getting spam, you can easily see the source of a leak, turn off forwarding for that email address and perhaps contact the owner of the website and let them know about the leak (there is a chance that it was intentional, but if you choose the sites you hang on responsibly, it's quite low; in most cases it will be some kind of problem with the website).
 
The following users thanked this post: thm_w, Halcyon, spostma

Offline Marsha Ashley

  • Newbie
  • !
  • Posts: 1
  • Country: us
Re: Check your email address(s) and passwords for cyber security breaches
« Reply #87 on: January 30, 2023, 02:06:36 pm »
Edit by gnif: Post content removed, was a SPAM post
« Last Edit: February 02, 2023, 10:38:43 am by gnif »
 

Online HalcyonTopic starter

  • Global Moderator
  • *****
  • Posts: 5681
  • Country: au
Re: Check your email address(s) and passwords for cyber security breaches
« Reply #88 on: January 31, 2023, 03:11:38 am »
Checking your email addresses and passwords against known leaks is a great way to ensure your personal information is secure.

Anyone else smell bacon?
 
The following users thanked this post: madires, MK14, Nominal Animal

Online magic

  • Super Contributor
  • ***
  • Posts: 6779
  • Country: pl
Re: Check your email address(s) and passwords for cyber security breaches
« Reply #89 on: January 31, 2023, 07:49:23 am »
Quote
Gender:    Female
Date Registered:    Yesterday at 15:05:47
Last Active:    Yesterday at 15:07:13
Guaranteed spam.
 
The following users thanked this post: MK14

Offline MathWizard

  • Super Contributor
  • ***
  • Posts: 1431
  • Country: ca
Re: Check your email address(s) and passwords for cyber security breaches
« Reply #90 on: February 02, 2023, 08:00:58 am »
For the last time. NOBODY IS TELLING THEIR PASSWORD TO ANYONE!  :palm:  The phrase that you seem to be stuck on "check your email address(s) and passwords against known leaks" doesn't mean that you have to enter your password. It is badly phrased in the post, I admit that. But that's not how the site works. It means you can check the site to see _if_ your credentials have been leaked.  :palm:  I'm not going to waste time arguing and have to sadly admit that the site isn't perfect, due to people misunderstanding its purpose.
I hope they don't want to check my password on that site, but I did check my email, and NexusModManger got hacked. But yeah I don't want to check my password, LOL
 

Online magic

  • Super Contributor
  • ***
  • Posts: 6779
  • Country: pl
Re: Check your email address(s) and passwords for cyber security breaches
« Reply #91 on: February 05, 2023, 03:13:07 pm »
There seems to be another wave of those attacks, spam posts appeared in RF/ham subforum.

A few of you may have noticed some user accounts posting spam on the forum, where they previously seemed to make legitimate posts. These are different to the normal spammers who create new accounts, foolishly attempt to make them seem genuine but then end up posting spam.

I checked the registered email addresses of all these users (just a small handful at this stage) and all but 1 have been compromised in a known data breach involving one or more third-parties.
Just one question: on the forum's side, were all of those users compromised by means of email password recovery?
Or are they getting pwned by good old password=username or perhaps brute force / dictionary attacks? How well is this forum protected from that?
 

Online pcprogrammer

  • Super Contributor
  • ***
  • Posts: 3710
  • Country: nl
Re: Check your email address(s) and passwords for cyber security breaches
« Reply #92 on: February 05, 2023, 03:21:39 pm »
Yep, I reported two of them just now after checking the posts. Both are low post count posters but registered quite a while back. Also reported a couple a while back.

It's these pump up telegram crypto currency bullshit advertisements and I wonder if it is some bot doing the hacking and posting.

Offline Bud

  • Super Contributor
  • ***
  • Posts: 6912
  • Country: ca
Re: Check your email address(s) and passwords for cyber security breaches
« Reply #93 on: February 05, 2023, 03:31:21 pm »
Dave just a couple of days ago said he cleared non-active accounts. Not sure how those two came back if they were registered a long time ago.
Facebook-free life and Rigol-free shack.
 

Online pcprogrammer

  • Super Contributor
  • ***
  • Posts: 3710
  • Country: nl
Re: Check your email address(s) and passwords for cyber security breaches
« Reply #94 on: February 05, 2023, 03:35:28 pm »
I'm talking about one with 3 posts and another with 6 posts, and Dave only killed off 0 post members that have not been active in the last three months.

Check for yourself  >:D

https://www.eevblog.com/forum/profile/?u=649576
https://www.eevblog.com/forum/profile/?u=102542

Edit: Simon redacted and locked such a post a couple of days ago. Also concerned a member like above.
« Last Edit: February 05, 2023, 03:37:25 pm by pcprogrammer »
 

Online PlainName

  • Super Contributor
  • ***
  • Posts: 6846
  • Country: va
Re: Check your email address(s) and passwords for cyber security breaches
« Reply #95 on: February 05, 2023, 05:59:50 pm »
Could that be a new tactic? Register an account, make a couple of innocuous posts, then leave it idle for long enough that no-one immediately suspects anything when it drops the payload because it's a long-time member.
 

Offline Monkeh

  • Super Contributor
  • ***
  • Posts: 7992
  • Country: gb
Re: Check your email address(s) and passwords for cyber security breaches
« Reply #96 on: February 05, 2023, 06:05:26 pm »
Could that be a new tactic?

New? They've been doing it as long as I can remember.
 

Online magic

  • Super Contributor
  • ***
  • Posts: 6779
  • Country: pl
Re: Check your email address(s) and passwords for cyber security breaches
« Reply #97 on: February 05, 2023, 06:30:31 pm »
Answering my own question: there seems to be login rate limiting, 30s timeout on 6th failed attempt and 15 minutes after a dozen or so. Didn't try further. I wasn't able to login with correct PW during the timeout, so it seems effective.

Could that be a new tactic? Register an account, make a couple of innocuous posts, then leave it idle for long enough that no-one immediately suspects anything when it drops the payload because it's a long-time member.
Like, 6 years idle? Where's the ROI, how do you convince the customer to pay for it? ;D

Yes, it happens, but such accounts make a few "innocent" posts and proceed to post ads within a few days. A common tactic they use is editing spam links into posts which nobody reads anymore, except for search engines. And those "innocent" spam posts are written by absolute ignoramuses, so you can see right away that it isn't somebody who cares about electronics at all. Something like "cool project bro" or a paraphrase of an earlier comment made by someone else.

The accounts hijacked today have a history of on-topic original content, even if it was simple questions about ongoing projects.

edit
See replies 87, 88 here for a perfect example of crude spam attempt.
« Last Edit: February 05, 2023, 06:40:23 pm by magic »
 
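Editor's note: the throttling magic probed above (a 30 s lockout on the sixth failed attempt, about 15 minutes after a dozen, with correct passwords refused while locked) is easy to model, and doing so shows both what it buys and what it costs. The code below is an added example, not the forum software's own implementation; the two thresholds are the post's observations, while treating "a dozen" as exactly 12 and keying the lockout on the account name alone are assumptions of the example.

```python
"""Failed-login throttling of the kind magic observed on the forum above.

Added example, not the forum (SMF) software's own code. The thresholds come
from the post (30 s lockout on the 6th failure, 15 min after about a dozen);
"a dozen" = 12 and per-account keying are assumptions of this example.
"""
import hmac
import time
from dataclasses import dataclass

# (consecutive failures reached, lockout seconds), ascending; last matching row wins.
LOCKOUT_SCHEDULE = [(6, 30), (12, 15 * 60)]


@dataclass
class AccountState:
    failures: int = 0         # consecutive failures since the last success
    locked_until: float = 0.0


class LoginThrottle:
    def __init__(self, check_password, clock=time.monotonic):
        self._check = check_password      # (username, password) -> bool
        self._clock = clock               # injectable so a walkthrough need not sleep
        self._state: dict[str, AccountState] = {}

    @staticmethod
    def lockout_for(failures: int) -> int:
        """Seconds of lockout earned by `failures` consecutive misses (0 if none)."""
        seconds = 0
        for threshold, duration in LOCKOUT_SCHEDULE:
            if failures >= threshold:
                seconds = duration
        return seconds

    def attempt(self, username: str, password: str) -> tuple[bool, str]:
        st = self._state.setdefault(username, AccountState())
        now = self._clock()
        if now < st.locked_until:
            # Refused even when the password is right, which is what magic saw.
            # It blunts online guessing, but anyone who knows a username can
            # lock its owner out, so real deployments also rate-limit per source.
            return False, f"locked ({int(st.locked_until - now)} s remaining)"
        if self._check(username, password):
            st.failures = 0
            return True, "ok"
        st.failures += 1
        lock = self.lockout_for(st.failures)
        if lock:
            st.locked_until = now + lock
            return False, f"wrong password; locked for {lock} s"
        return False, "wrong password"


class FakeClock:
    """Manual clock for the walkthrough below."""
    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def demo_scenario() -> list[tuple[bool, str]]:
    """Six wrong guesses, a correct one during the lockout, then one after it."""
    users = {"alice": "correct-horse"}  # constructed credentials
    def check(user: str, pw: str) -> bool:
        return hmac.compare_digest(users.get(user, "").encode(), pw.encode())
    clock = FakeClock()
    throttle = LoginThrottle(check, clock)
    log = []
    for _ in range(6):
        log.append(throttle.attempt("alice", "wrong"))
    log.append(throttle.attempt("alice", "correct-horse"))  # still locked: refused
    clock.advance(31)
    log.append(throttle.attempt("alice", "correct-horse"))  # accepted, counter reset
    return log


if __name__ == "__main__":
    for ok, msg in demo_scenario():
        print(ok, msg)
```

Against the credential-stuffing case discussed in this thread the throttle helps less than it looks: a stuffing attacker tries one leaked password per account, so the sixth failure is never reached for any single account, which is why the forum still sees hijacks when the reused password is simply correct.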

Online pcprogrammer

  • Super Contributor
  • ***
  • Posts: 3710
  • Country: nl
Re: Check your email address(s) and passwords for cyber security breaches
« Reply #98 on: February 05, 2023, 07:04:13 pm »
Could that be a new tactic? Register an account, make a couple of innocuous posts, then leave it idle for long enough that no-one immediately suspects anything when it drops the payload because it's a long-time member.

Register and then wait >8 years to post your advert. That is a lot of patience  :-DD

Online PlainName

  • Super Contributor
  • ***
  • Posts: 6846
  • Country: va
Re: Check your email address(s) and passwords for cyber security breaches
« Reply #99 on: February 05, 2023, 09:56:19 pm »
Maybe they have so many it took them that long to go around them all :)
 

Online HalcyonTopic starter

  • Global Moderator
  • *****
  • Posts: 5681
  • Country: au
Re: Check your email address(s) and passwords for cyber security breaches
« Reply #100 on: February 05, 2023, 10:25:58 pm »
There seems to be another wave of those attacks, spam posts appeared in RF/ham subforum.

A few of you may have noticed some user accounts posting spam on the forum, where they previously seemed to make legitimate posts. These are different to the normal spammers who create new accounts, foolishly attempt to make them seem genuine but then end up posting spam.

I checked the registered email addresses of all these users (just a small handful at this stage) and all but 1 have been compromised in a known data breach involving one or more third-parties.
Just one question: on the forum's side, were all of those users compromised by means of email password recovery?
Or are they getting pwned by good old password=username or perhaps brute force / dictionary attacks? How well is this forum protected from that?

I don't think they had their passwords reset; it's looking like a small number of users had their email address/password combos released in a data breach (and they used the same password here).

I just cleaned up 2 more. Instead of banning the compromised users (if they appear to be legitimate based on their history), we're just changing their passwords so they have the opportunity to reset/recover them and re-join the forum.
 
The following users thanked this post: MK14, pcprogrammer

Online HalcyonTopic starter

  • Global Moderator
  • *****
  • Posts: 5681
  • Country: au
Re: Check your email address(s) and passwords for cyber security breaches
« Reply #101 on: February 10, 2024, 10:39:07 pm »
It's that time again. After another recent major dump of leaked credentials from third-party data breaches, we've seen a few legitimate accounts compromised on this forum leading to spam.
Refer to my original post on how you can check your email accounts/passwords for compromise.

Of course, like last time, this will trigger some users to make baseless accusations on how this is a "bad idea", but I'd suggest cutting through the noise for your own benefit.
 

Online jpanhalt

  • Super Contributor
  • ***
  • Posts: 3479
  • Country: us
Re: Check your email address(s) and passwords for cyber security breaches
« Reply #102 on: February 11, 2024, 12:15:36 am »
This past week, I had several exchanges with an electronics seller on ebay, satisfyelectronics (1.2 million sold). I got a battery fuel gauge from him with absolutely no datasheet for his device, not the chip per se. He responded that ebay wouldn't allow sellers to attach links and asked for my email. Sounded suspicious, but like a fool and considering his sales number, I gave it to him. He sent me a link to another site that supposedly had the schematic of the board and a code to access his store. That site not only wanted my email, but my email password. I finally saw the light and bailed. I've had two "here's your invoice" and one "confirm your flights" phishing emails since then. Those might not be related, but it's suspicious.

I haven't used ebay much in the past few years, but most of my experience, e.g., with stepperonline and American sellers, has been good.   
 

Offline Andy Chee

  • Frequent Contributor
  • **
  • Posts: 686
  • Country: au
Re: Check your email address(s) and passwords for cyber security breaches
« Reply #103 on: February 11, 2024, 10:55:18 am »
For anyone who hasn't seen what forum spam looks like:



Note that if you click on the user profile's posting history, they seem to have made legitimate posts in the past, or they could be fake posts.

So the moderators don't really know if they're hijacked accounts, or if the accounts were made for the purpose of spamming.

If they are hijacked accounts, that user should check other accounts they own for security breaches, especially if they stupidly used the same password and username as whatever they use on eevblog!
« Last Edit: February 11, 2024, 10:58:33 am by Andy Chee »
 

Online HalcyonTopic starter

  • Global Moderator
  • *****
  • Posts: 5681
  • Country: au
Re: Check your email address(s) and passwords for cyber security breaches
« Reply #104 on: February 11, 2024, 11:57:23 am »
For anyone who hasn't seen what forum spam looks like:

(Attachment Link)

Note that if you click on the user profile's posting history, they seem to have made legitimate posts in the past, or they could be fake posts.

So the moderators don't really know if they're hijacked accounts, or if the accounts were made for the purpose of spamming.

If they are hijacked accounts, that user should check other accounts they own for security breaches, especially if they stupidly used the same password and username as whatever they use on eevblog!

I run the registered email addresses through HIBP. They light up like a Christmas tree. Good chance they've used a weak/recycled/previously compromised password for their forum account.
 

Offline hneve

  • Regular Contributor
  • *
  • Posts: 61
  • Country: no
    • http://www.neve.nu/
Re: Check your email address(s) and passwords for cyber security breaches
« Reply #105 on: March 26, 2024, 01:18:15 am »
I agree with you. Cybersecurity must be prioritized, particularly in light of recent forum spamming events. It is crucial to check your passwords and email addresses for breaches. A secure password manager, like BitWarden or KeePass, also improves security. Additional protection may be added to your forum account by using 2FA/MFA. Use programs like mail tester to confirm the accuracy of your email addresses if you want even more certainty. Be proactive in protecting your digital identity and thwarting illegal access.
« Last Edit: March 28, 2024, 05:02:04 pm by hneve »
73 de LB4NH
 

