Author Topic: Check your email address(s) and passwords for cyber security breaches  (Read 12573 times)


Offline nctnico

  • Super Contributor
  • ***
  • Posts: 26906
  • Country: nl
    • NCT Developments
Re: Check your email address(s) and passwords for cyber security breaches
« Reply #75 on: January 21, 2023, 01:09:53 am »
AFAIK lots of companies have checked their user databases against these public records and pre-emptively deactivated the passwords for breached accounts. But let's be realistic here: for many websites you don't really need that much security. Who cares if a forum account gets used by somebody else? Or somebody can log in to a webshop without being able to make a payment anyway? In fact, it would be better if many such websites just sent you a link through email when you log in instead of needing yet another password.

Things are different of course for websites like Paypal where you can do financial transactions and so on.
The problem is, "unimportant" websites, like forums etc., form part of the low-hanging fruit attackers love, and that comes down to people being lazy, re-using the same email addresses and/or passwords for more important services.
The latter is not a smart move of course. Interestingly, the article you linked to also contains a link to an article saying that a password manager service was compromised due to a similar attack. At some point you can't fix stupid.
There are small lies, big lies and then there is what is on the screen of your oscilloscope.
 

Offline madires

  • Super Contributor
  • ***
  • Posts: 7764
  • Country: de
  • A qualified hobbyist ;)
Re: Check your email address(s) and passwords for cyber security breaches
« Reply #76 on: January 21, 2023, 12:06:51 pm »
Quote
But let's be realistic here: for many websites you don't really need that much security. Who cares if a forum account gets used by somebody else? Or somebody can login into a webshop without being able to make a payment anyway?

If a bad guy uses your forum account to slander someone, to post illegal content or sell drugs then you might get into trouble, despite you being innocent. And with the latest ideas of the EU commission to scan for illegal content this will be exacerbated even further.
 

Offline HalcyonTopic starter

  • Global Moderator
  • *****
  • Posts: 5679
  • Country: au
Re: Check your email address(s) and passwords for cyber security breaches
« Reply #77 on: January 22, 2023, 02:03:02 am »
Quote
But let's be realistic here: for many websites you don't really need that much security. Who cares if a forum account gets used by somebody else? Or somebody can login into a webshop without being able to make a payment anyway?

If a bad guy uses your forum account to slander someone, to post illegal content or sell drugs then you might get into trouble, despite you being innocent. And with the latest ideas of the EU commission to scan for illegal content this will be exacerbated even further.

All of those types of offences require solid evidence that the person being accused of the crime was the person actually behind the keyboard. It's not good enough to say "it was your account, so therefore you're in trouble" and that kind of thing would be extraordinarily easy to disprove or introduce doubt. For example, the EEVblog forum stores your IP address alongside every post you make (but this information is only visible to yourself and moderators/admins).

Speaking from personal experience, investigating crimes like child exploitation on the internet can be extremely difficult. In Australian courts, it's not even good enough to rely on the IP address of the user, you need additional evidence on top of all of those types of records to say "this is the person that did the bad thing", you can't just assume.
« Last Edit: January 22, 2023, 02:05:49 am by Halcyon »
 
The following users thanked this post: nctnico, thm_w, MK14

Offline mendip_discovery

  • Frequent Contributor
  • **
  • Posts: 844
  • Country: gb
Re: Check your email address(s) and passwords for cyber security breaches
« Reply #78 on: January 22, 2023, 07:29:15 am »
Quote
Who cares if a forum account gets used by somebody else?

Because to the average hacker it's somewhere to share dodgy links and random rants of propaganda. But the skilled one can use it to advertise items for sale at a very attractive price, take the money and leave the original user with the reputation.

It also helps them confirm that a person has reused passwords before, so they go hunting for more places they may have used it. In our case it could be digikey to RS, and there they can buy a load of stuff even using stolen cards and have it sent to a different address, or even have someone call in and collect from your own house (remember reading about it once).
Motorcyclist, Nerd, and I work in a Calibration Lab :-)
--
So everyone is clear, Calibration = Taking Measurement against a known source, Verification = Checking Calibration against Specification, Adjustment = Adjusting the unit to be within specifications.
 
The following users thanked this post: SeanB, MK14

Offline PlainName

  • Super Contributor
  • ***
  • Posts: 6843
  • Country: va
Re: Check your email address(s) and passwords for cyber security breaches
« Reply #79 on: January 22, 2023, 01:45:50 pm »
Quote
Who cares if a forum account gets used by somebody else?

Your reputation on that site can be used to leverage a scam. Often, security fails because some seemingly innocuous thing is compromised that leads to better (for the scammer) access. What if someone you've previously dealt with here, say, sends you a PM with a fantastic offer of 80% off something you're after? You're far more likely to fall for that one and send money than the same thing from some random Ebay account (and people fall for those).

This is also why leaking 'trivial' data is important - in itself it's nothing, but add to lots of other 'trivial' things and it can build to a powerful attack. Just knowing someone's age can tilt the balance if you're trying to impersonate them, and just look at how many users have let slip that info in the forums.
« Last Edit: January 22, 2023, 01:48:40 pm by PlainName »
 
The following users thanked this post: Halcyon

Offline madires

  • Super Contributor
  • ***
  • Posts: 7764
  • Country: de
  • A qualified hobbyist ;)
Re: Check your email address(s) and passwords for cyber security breaches
« Reply #80 on: January 22, 2023, 01:55:41 pm »
Quote
All of those types of offences require solid evidence that the person being accused of the crime was the person actually behind the keyboard. It's not good enough to say "it was your account, so therefore you're in trouble" and that kind of thing would be extraordinarily easy to disprove or introduce doubt. For example, the EEVblog forum stores your IP address alongside every post you make (but this information is only visible to yourself and moderators/admins).

Speaking from personal experience, investigating crimes like child exploitation on the internet can be extremely difficult. In Australian courts, it's not even good enough to rely on the IP address of the user, you need additional evidence on top of all of those types of records to say "this is the person that did the bad thing", you can't just assume.

Of course, innocent until proven guilty. On the other side is the public opinion on the person accused. Local media has reported multiple cases of destroyed reputations because of false allegations (child exploitation), causing social exclusion, loss of job, vandalism and more unpleasant experiences. People can be cruel.
« Last Edit: January 22, 2023, 01:57:14 pm by madires »
 

Offline vad

  • Frequent Contributor
  • **
  • Posts: 449
  • Country: us
Re: Check your email address(s) and passwords for cyber security breaches
« Reply #81 on: January 22, 2023, 02:44:15 pm »
Oh, a website that asks for passwords to see if your passwords have been stolen, what a nice idea! :-DD

What are they going to do with it? Knowing a password is useless if you don't know what it's the password to.
Stolen passwords can be added to “password dictionaries” of known passwords. Such dictionaries are traded on the darknet to hackers who use them for dictionary attacks.

Imagine you are a victim of the infamous LastPass leak, and your vault with all your passwords to your banks, to websites that have your personal information (your shipping address at Amazon, your mobile phone number, your SSN, your W-2s from your employer’s payroll provider, …) is now in the hands of hundreds of hacker teams ranging from bored school kids to the Russian military. They bought your vault on the darknet, and all that stops them from taking full advantage of the passwords stored in the stolen LastPass vault is your master password that was used to encrypt the vault. You can either use your own imagination to picture what could happen to you if the hackers succeed in guessing the master password, or read fiction books and watch popular movies to get an artistic picture.

Now, LastPass uses the pretty strong AES-256 algorithm, and if you followed LastPass’s advice carefully and had a very long random master password, you are relatively safe.

Your laptop most likely has hardware AES-256 acceleration. Modern Intel and AMD CPUs can decrypt AES-256 at speeds on the order of 10 GB/s. A serious hacker can have access to hardware that is several orders of magnitude faster than a modern laptop.

If your vault was 100KB long (thousands of passwords), hackers can apply brute force, testing 100,000 passwords per second using a laptop, and maybe 10 million passwords per second using a farm of 100 servers.

If your memorized master password was 20 characters long and contained upper and lower case letters, digits and special characters (96 ASCII characters), the attacker would have to try about 10e40 passwords before breaking the vault. This would take 10e33 seconds - longer than the age of the Universe.

However, if your master password ends up in the “password dictionary”, the job would become much easier. A huge dictionary of 1 billion passwords can be checked in a few minutes, or even faster, because they probably do not have to decrypt the entire 100KB vault to test the validity of each password (depends on the vault’s data structure).

You should not trust your passwords to anyone. Definitely not to some “reputable” password checking website. You do not know who is behind it, and even if you know the owner personally - the website can be hacked tomorrow, JavaScript altered, etc. You should not trust the moderators of this forum - you probably do not even know their real names. With all respect, you should not even trust Dave when it comes to your cyber security.

In my opinion, the advice that was given by the OP was unprofessional. What’s even worse, the mistake was not corrected despite people pointing out the obvious risk of checking passwords online.
« Last Edit: January 22, 2023, 04:22:29 pm by vad »
 
The following users thanked this post: SeanB

Offline madires

  • Super Contributor
  • ***
  • Posts: 7764
  • Country: de
  • A qualified hobbyist ;)
Re: Check your email address(s) and passwords for cyber security breaches
« Reply #82 on: January 23, 2023, 02:23:56 pm »
More credential stuffing attacks are on the way. PayPal, sky.de, ...
 

Offline alexanderbrevig

  • Frequent Contributor
  • **
  • Posts: 700
  • Country: no
  • Musician, developer and EE hobbyist
    • alexanderbrevig.com
Re: Check your email address(s) and passwords for cyber security breaches
« Reply #83 on: January 23, 2023, 02:38:04 pm »
I'll remind you once again: logging in here you send the password.
Checking on HIBP, you do not.

Ok? Ok.
 
The following users thanked this post: Halcyon
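The disagreement between vad's post (never type a password into a checking website) and alexanderbrevig's reply (checking on HIBP does not send the password) turns on how the Pwned Passwords range API works: the client hashes the password with SHA-1 on its own machine, sends only the first five hex characters of that hash, receives every known hash suffix sharing that prefix, and does the comparison locally. The Python below is an added example written for this thread, not HIBP's own code and not from any poster. Real parts: SHA-1, the 5-character prefix, the `SUFFIX:COUNT` response format, and the `api.pwnedpasswords.com/range/` endpoint. Constructed parts, labelled in the code: the `ConstructedRangeServer` stand-in that replaces the network call so the example runs offline, the response bodies and counts, and the sample passwords (the SHA-1 of the string `password` itself is the genuine digest).

```python
"""k-anonymity password check, the scheme the Pwned Passwords range API uses.

Added example for this thread; not code from HIBP or from the forum.
The network call is replaced by ConstructedRangeServer so everything runs
offline. Real: SHA-1, the 5-hex-char prefix, 'SUFFIX:COUNT' lines, and the
endpoint URL. Constructed: response bodies, counts, and sample passwords.
"""
import hashlib

# Hard-coded rather than copied from a link, so a spoofed link cannot redirect the check.
RANGE_ENDPOINT = "https://api.pwnedpasswords.com/range/"


def hash_and_split(password: str) -> tuple[str, str]:
    """SHA-1 the password locally; return (prefix sent to the server, suffix kept here)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def range_url(prefix: str) -> str:
    """The only data that would go on the wire: a URL carrying the 5-char prefix."""
    if len(prefix) != 5 or any(c not in "0123456789ABCDEF" for c in prefix):
        raise ValueError("prefix must be 5 uppercase hex characters")
    return RANGE_ENDPOINT + prefix


def count_in_range_response(suffix: str, body: str) -> int:
    """Scan a 'SUFFIX:COUNT' body locally; 0 means the hash is not in the corpus."""
    for line in body.splitlines():
        cand, sep, count = line.strip().partition(":")
        if sep and cand.upper() == suffix.upper():
            return int(count)
    return 0


class ConstructedRangeServer:
    """Stand-in for the real API. Records what was requested, so the example can
    show that neither the password nor its full hash ever left the client."""

    def __init__(self, ranges: dict[str, str]) -> None:
        self.ranges = ranges
        self.requests: list[str] = []

    def fetch(self, prefix: str) -> str:
        self.requests.append(range_url(prefix))
        return self.ranges.get(prefix, "")


def check_password(password: str, fetch) -> int:
    """How often the password appears in the breach corpus (0 = never seen)."""
    prefix, suffix = hash_and_split(password)
    body = fetch(prefix)          # prefix out, whole range back
    return count_in_range_response(suffix, body)


# Constructed response for prefix 5BAA6 (the genuine SHA-1 prefix of "password").
# The other two suffixes and all three counts are made up for the example.
CONSTRUCTED_RANGES = {
    "5BAA6": "\n".join([
        "0018A45C4D1DEF81644B54AB7F969B88D65:2",
        "00D4F6E8FA6EECAD2A3AA415EEC418D38EC:7",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:1234567",  # suffix of SHA-1("password")
    ]),
}


def demo() -> dict:
    server = ConstructedRangeServer(CONSTRUCTED_RANGES)
    return {
        "weak": check_password("password", server.fetch),
        "unseen": check_password("constructed-sample-passphrase-2023", server.fetch),
        "requests": list(server.requests),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The `requests` list is the point: it holds two URLs ending in five hex characters each, and nothing that could be reversed into a password. nctnico's caveat still applies to the surrounding page, which is why the endpoint is a constant in the client rather than something taken from a link; a browser-based checker would need the same scrutiny of which host it actually talks to.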

Offline nctnico

  • Super Contributor
  • ***
  • Posts: 26906
  • Country: nl
    • NCT Developments
Re: Check your email address(s) and passwords for cyber security breaches
« Reply #84 on: January 23, 2023, 04:02:41 pm »
Quote
Who cares if a forum account gets used by somebody else?
Your reputation on that site can be used to leverage a scam. Often, security fails because some seemingly innocuous thing is compromised that leads to better (for the scammer) access. What if someone you've previously dealt with here, say, sends you a PM with a fantastic offer of 80% off something you're after? You're far more likely to fall for that one and send money than the same thing from some random Ebay account (and people fall for those).
That is a bit of a strawman argument. The first rule of great offers: if it is too good to be true, it usually isn't real. There is a sucker born every minute and, as you already wrote yourself, people don't need to impersonate trust in order to lure suckers in.

Quote
I'll remind you once again: logging in here you send the password.
But only the password for this site.
Quote
Checking on HIBP, you do not.

Ok? Ok.
That depends entirely on whether the HIBP website you type your password in is the real website or a fake. Even this forum makes it easy to provide a fake link:
https://haveibeenpwned.com/
« Last Edit: January 23, 2023, 04:08:47 pm by nctnico »
There are small lies, big lies and then there is what is on the screen of your oscilloscope.
 

Offline PlainName

  • Super Contributor
  • ***
  • Posts: 6843
  • Country: va
Re: Check your email address(s) and passwords for cyber security breaches
« Reply #85 on: January 23, 2023, 04:22:59 pm »
Quote
The first rule of great offers: if it is too good to be true, it usually isn't real.

Yes, but imagine for a moment that it's a great deal but not an unbelievable one. Or even just a so-so deal. However, that's just one simple example, and in this type of hack the first chink is used to open chinks elsewhere, leading to a chain of security failures. There's a classic example of a journo that got his Apple account wiped through a non-Apple related security breach. Although this was due to an email screwup, the same thing applies - it's simply persuading whoever needs to be persuaded that the writer of the messages is pukka when they are not. From small acorns... etc.
 

Offline asmi

  • Super Contributor
  • ***
  • Posts: 2732
  • Country: ca
Re: Check your email address(s) and passwords for cyber security breaches
« Reply #86 on: January 24, 2023, 05:42:10 pm »
I recently started using unique emails for each website I want to register on by using Cloudflare's free email forwarding service. All you need for this is to register any domain (cost depends on the zone and registrar; it can be anywhere from a few bucks all the way up to many tens per year), use Cloudflare for DNS (free!), and set up incoming email forwarding (again, free!). This way if you start getting spam, you can easily see the source of a leak, turn off forwarding for that email address and perhaps contact the owner of the website and let them know about the leak (there is a chance that it was intentional, but if you choose the sites you hang on responsibly, it's quite low; in most cases it will be some kind of problem with the website).
 
The following users thanked this post: thm_w, Halcyon, spostma

Offline Marsha Ashley

  • Newbie
  • !
  • Posts: 1
  • Country: us
Re: Check your email address(s) and passwords for cyber security breaches
« Reply #87 on: January 30, 2023, 02:06:36 pm »
Edit by gnif: Post content removed, was a SPAM post
« Last Edit: February 02, 2023, 10:38:43 am by gnif »
 

Offline HalcyonTopic starter

  • Global Moderator
  • *****
  • Posts: 5679
  • Country: au
Re: Check your email address(s) and passwords for cyber security breaches
« Reply #88 on: January 31, 2023, 03:11:38 am »
Checking your email addresses and passwords against known leaks is a great way to ensure your personal information is secure.

Anyone else smell bacon?
 
The following users thanked this post: madires, MK14, Nominal Animal

Offline magic

  • Super Contributor
  • ***
  • Posts: 6779
  • Country: pl
Re: Check your email address(s) and passwords for cyber security breaches
« Reply #89 on: January 31, 2023, 07:49:23 am »
Quote
Gender:    Female
Date Registered:    Yesterday at 15:05:47
Last Active:    Yesterday at 15:07:13
Guaranteed spam.
 
The following users thanked this post: MK14

Offline MathWizard

  • Super Contributor
  • ***
  • Posts: 1431
  • Country: ca
Re: Check your email address(s) and passwords for cyber security breaches
« Reply #90 on: February 02, 2023, 08:00:58 am »
Quote
For the last time. NOBODY IS TELLING THEIR PASSWORD TO ANYONE!  :palm:  The phrase that you seem to be stuck on "check your email address(s) and passwords against known leaks" doesn't mean that you have to enter your password. It is badly phrased in the post, I admit that. But that's not how the site works. It means you can check the site to see _if_ your credentials have been leaked.  :palm:  I'm not going to waste time arguing and have to sadly admit that the site isn't perfect, due to people misunderstanding its purpose.
I hope they don't want to check my password on that site, but I did check my email, and NexusModManager got hacked. But yeah, I don't want to check my password, LOL
 

Offline magic

  • Super Contributor
  • ***
  • Posts: 6779
  • Country: pl
Re: Check your email address(s) and passwords for cyber security breaches
« Reply #91 on: February 05, 2023, 03:13:07 pm »
There seems to be another wave of those attacks, spam posts appeared in RF/ham subforum.

Quote
A few of you may have noticed some user accounts posting spam on the forum, where they previously seemed to make legitimate posts. These are different to the normal spammers who create new accounts, foolishly attempt to make them seem genuine but then end up posting spam.

I checked the registered email addresses of all these users (just a small handful at this stage) and all but 1 have been compromised in a known data breach involving one or more third-parties.
Just one question: on the forum's side, were all of those users compromised by means of email password recovery?
Or are they getting pwned by good old password=username or perhaps brute force / dictionary attacks? How well is this forum protected from that?
 

Online pcprogrammer

  • Super Contributor
  • ***
  • Posts: 3704
  • Country: nl
Re: Check your email address(s) and passwords for cyber security breaches
« Reply #92 on: February 05, 2023, 03:21:39 pm »
Yep, I reported two of them just now after checking the posts. Both are low post count posters but registered quite a while back. Also reported a couple a while back.

It's these pump up telegram crypto currency bullshit advertisements and I wonder if it is some bot doing the hacking and posting.

Offline Bud

  • Super Contributor
  • ***
  • Posts: 6911
  • Country: ca
Re: Check your email address(s) and passwords for cyber security breaches
« Reply #93 on: February 05, 2023, 03:31:21 pm »
Dave said just a couple of days ago that he cleared non-active accounts. Not sure how those two came back if they were registered a long time ago.
Facebook-free life and Rigol-free shack.
 

Online pcprogrammer

  • Super Contributor
  • ***
  • Posts: 3704
  • Country: nl
Re: Check your email address(s) and passwords for cyber security breaches
« Reply #94 on: February 05, 2023, 03:35:28 pm »
I'm talking about one with 3 posts and another with 6 posts, and Dave only killed off 0-post members that have not been active in the last three months.

Check for yourself  >:D

https://www.eevblog.com/forum/profile/?u=649576
https://www.eevblog.com/forum/profile/?u=102542

Edit: Simon redacted and locked such a post a couple of days ago. Also concerned a member like above.
« Last Edit: February 05, 2023, 03:37:25 pm by pcprogrammer »
 

Offline PlainName

  • Super Contributor
  • ***
  • Posts: 6843
  • Country: va
Re: Check your email address(s) and passwords for cyber security breaches
« Reply #95 on: February 05, 2023, 05:59:50 pm »
Could that be a new tactic? Register an account, make a couple of innocuous posts, then leave it idle for long enough that no-one immediately suspects anything when it drops the payload because it's a long-time member.
 

Offline Monkeh

  • Super Contributor
  • ***
  • Posts: 7992
  • Country: gb
Re: Check your email address(s) and passwords for cyber security breaches
« Reply #96 on: February 05, 2023, 06:05:26 pm »
Quote
Could that be a new tactic?

New? They've been doing it as long as I can remember.
 

Offline magic

  • Super Contributor
  • ***
  • Posts: 6779
  • Country: pl
Re: Check your email address(s) and passwords for cyber security breaches
« Reply #97 on: February 05, 2023, 06:30:31 pm »
Answering my own question: there seems to be login rate limiting, a 30s timeout on the 6th failed attempt and 15 minutes after a dozen or so. Didn't try further. I wasn't able to log in with the correct PW during the timeout, so it seems effective.

Quote
Could that be a new tactic? Register an account, make a couple of innocuous posts, then leave it idle for long enough that no-one immediately suspects anything when it drops the payload because it's a long-time member.
Like, 6 years idle? Where's the ROI, how do you convince a customer to pay for it? ;D

Yes, it happens, but such accounts make a few "innocent" posts and proceed to post ads within a few days. A common tactic they use is editing spam links into posts which nobody reads anymore, except for search engines. And those "innocent" spam posts are written by absolute ignoramuses, so you can see right away that it isn't somebody who cares about electronics at all. Something like "cool project bro" or a paraphrase of an earlier comment made by someone else.

The accounts hijacked today have a history of on-topic original content, even if it was simple questions about ongoing projects.

Edit: See replies 87, 88 here for a perfect example of a crude spam attempt.
« Last Edit: February 05, 2023, 06:40:23 pm by magic »
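The lockout behaviour magic describes above (a short timeout on the 6th failed attempt, a long one after about a dozen, and the correct password refused while locked) is the standard server-side mitigation for the credential stuffing and dictionary attacks discussed earlier in the thread. The Python below is an added example written for this thread; it is not the forum's (SMF) code, and the thresholds are constructed to match what magic observed (6 failures then 30 s, 12 failures then 15 min). The clock is injectable so the demo runs instantly instead of waiting out real lockouts.

```python
"""Per-account escalating login lockout.

Added example for this thread; not the forum's own code. Thresholds are
constructed to mirror the behaviour observed above (30 s after the 6th
failure, 15 min after the 12th). The clock is injectable for testing.
"""
import time
from dataclasses import dataclass


@dataclass
class AccountState:
    failures: int = 0          # consecutive failed attempts
    locked_until: float = 0.0  # clock timestamp; 0.0 means not locked


class FakeClock:
    """Deterministic clock so the demo and tests do not sleep."""

    def __init__(self) -> None:
        self.t = 0.0

    def now(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


class LoginThrottle:
    def __init__(self, soft_limit: int = 6, soft_lock: float = 30.0,
                 hard_limit: int = 12, hard_lock: float = 900.0,
                 clock=time.monotonic) -> None:
        self.soft_limit, self.soft_lock = soft_limit, soft_lock
        self.hard_limit, self.hard_lock = hard_limit, hard_lock
        self._clock = clock
        self._accounts: dict[str, AccountState] = {}

    def attempt(self, username: str, password_ok: bool) -> str:
        """Return 'ok', 'fail' or 'locked'. The caller verifies the credential
        (password hash comparison) and passes the boolean result in."""
        key = username.strip().lower()  # 'Alice' and 'alice' share one counter
        state = self._accounts.setdefault(key, AccountState())
        now = self._clock()
        if now < state.locked_until:
            # Same answer whether or not the password was right, so a locked
            # account leaks nothing about the guess.
            return "locked"
        if password_ok:
            self._accounts.pop(key, None)  # success clears the failure history
            return "ok"
        state.failures += 1
        if state.failures >= self.hard_limit:
            state.locked_until = now + self.hard_lock
        elif state.failures >= self.soft_limit:
            state.locked_until = now + self.soft_lock
        return "fail"


def demo() -> dict:
    """Walk one account through both lockout tiers and return the outcomes."""
    clock = FakeClock()
    throttle = LoginThrottle(clock=clock.now)
    out = {}
    out["first_six"] = [throttle.attempt("alice", False) for _ in range(6)]
    out["correct_during_soft_lock"] = throttle.attempt("alice", True)
    clock.advance(31)
    out["correct_after_soft_lock"] = throttle.attempt("alice", True)
    # Second run: keep failing, waiting out each 30 s lock, until the hard lock.
    out["second_run"] = []
    for _ in range(12):
        out["second_run"].append(throttle.attempt("alice", False))
        clock.advance(31)
    out["correct_during_hard_lock"] = throttle.attempt("alice", True)
    out["other_user_unaffected"] = throttle.attempt("bob", True)
    clock.advance(900)
    out["correct_after_hard_lock"] = throttle.attempt("alice", True)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Two design points a practitioner would check. Keying the counter on the account rather than the source IP is what makes this bite against distributed credential stuffing, where each IP tries only a few passwords; an IP- or ASN-level limit is a complement, not a replacement. The flip side is that any account lockout can be turned against the legitimate user by someone deliberately feeding wrong passwords, which is why the first tier here stays short and the response during a lock does not reveal whether the guess was right.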
 

Online pcprogrammer

  • Super Contributor
  • ***
  • Posts: 3704
  • Country: nl
Re: Check your email address(s) and passwords for cyber security breaches
« Reply #98 on: February 05, 2023, 07:04:13 pm »
Quote
Could that be a new tactic? Register an account, make a couple of innocuous posts, then leave it idle for long enough that no-one immediately suspects anything when it drops the payload because it's a long-time member.

Register and then wait >8 years to post your advert. That is a lot of patience  :-DD

Offline PlainName

  • Super Contributor
  • ***
  • Posts: 6843
  • Country: va
Re: Check your email address(s) and passwords for cyber security breaches
« Reply #99 on: February 05, 2023, 09:56:19 pm »
Maybe they have so many it took them that long to go around them all :)
 

