3.2 billion email passwords leaked

emphy

Limp Gawd
Joined
Aug 31, 2016
Messages
257
It's been nearly a decade since the last time the login name to my mail account had any similarity with my email address.
Joined
Mar 31, 2017
Messages
9
Two factor authentication is a must these days. My email is on the above list - I check my login history every week or so and there are so many attempts on it, I cannot even keep count. I never get a request that someone is trying to login and to accept it - so I assume they are just trying to brute force attack it. Email passwords are the most important thing to keep safe and change often. Once someone has access to it, they generally have access to all accounts linked to it. The thought of that alone is scary.

Armenius

Fully [H]
Joined
Jan 28, 2014
Messages
25,326
Two factor authentication is a must these days. My email is on the above list - I check my login history every week or so and there are so many attempts on it, I cannot even keep count. I never get a request that someone is trying to login and to accept it - so I assume they are just trying to brute force attack it. Email passwords are the most important thing to keep safe and change often. Once someone has access to it, they generally have access to all accounts linked to it. The thought of that alone is scary.
My email and password have been in 10 leaks, but it has never been compromised thanks to 2-factor. Still, I am sure to change it any time one of these stories comes out. It's too risky, as you say.

sfsuphysics

[H]F Junkie
Joined
Jan 14, 2007
Messages
14,748
My email and password have been in 10 leaks, but it has never been compromised thanks to 2-factor. Still, I am sure to change it any time one of these stories comes out. It's too risky, as you say.
Yeah but take the mentality of the average person. No one wants to have to enter a code that was sent by text to their phone (one of the more common 2FA) every time they check their email. That said, I rarely check my email via the web, although on the rare occasions when I do it always thinks I'm logging in from a new computer (because the version of Firefox changes more often than I change out of my pajamas these days!)

LukeTbk

[H]ard|Gawd
Joined
Sep 10, 2020
Messages
1,094
Yeah but take the mentality of the average person. No one wants to have to enter a code that was sent by text to their phone (one of the more common 2FA) every time they check their email. That said, I rarely check my email via the web, although on the rare occasions when I do it always thinks I'm logging in from a new computer (because the version of Firefox changes more often than I change out of my pajamas these days!)
From what I understood, if they reuse the same phone or computer, they do not need to do it:
During sign-in, you can choose not to use 2-Step Verification again on that particular computer. From then on, that computer will only ask for your password when you sign in.
You'll still be covered, because when you or anyone else tries to sign in to your account from another computer, 2-Step Verification will be required.


One issue apparently (do not know how true or common) is hackers being able to find out people's phone numbers and pass for them.

LOCO LAPTOP

[H]F Junkie
Joined
May 4, 2006
Messages
11,209
Seems like my gmail got nailed. I do have 2FA enabled but my gmail is for sites/forums. Anything for purchases/banks is my other email account.

staknhalo

[H]ard|Gawd
Joined
Jun 11, 2007
Messages
1,483
The best password is a long winded non-sensical sentence you come up with yourself, spaces in the password between words and all.

sfsuphysics

[H]F Junkie
Joined
Jan 14, 2007
Messages
14,748
The best password is a long winded non-sensical sentence you come up with yourself, spaces in the password between words and all.
Then one of two things happens... 1) You use different sentences for every site you go to, forget which site is which sentence, and get locked out of your account after 5 wrong sentences, or 2) You have sites that also require a letter and symbol.

sharknice

2[H]4U
Joined
Nov 12, 2012
Messages
2,411
It's fun reading some of the dumb stories you hear with this stuff. I remember one from a couple years ago where someone's baby monitor was "hacked" and a stranger was saying creepy stuff to their baby.

#1 There is no reason for a baby monitor to be connected to the internet. If you aren't home you aren't going to be able to do anything for the baby....
#2 It wasn't "hacked" at all. The person used compromised credentials on a list like this for their login.

Of course the media blamed the manufacturer. Even though they had warnings not to use the same username/password as you do for other accounts etc and proved the passwords were just taken off a compromised list.
The manufacturer updated their app and forced two factor authentication because their users were so stupid.

1_rick

[H]ard|Gawd
Joined
Feb 7, 2017
Messages
1,765
God bless you, Grandma Edna! Strong passwords just become hard to remember.

I hate stupid corporate passwords like t+eseTy_per as they are less secure and harder to remember than 'themailmanswhitepants69'.
Buy a keyboard that records macros. Store the password on the keyboard. Modern problems require modern solutions.

LukeTbk

[H]ard|Gawd
Joined
Sep 10, 2020
Messages
1,094
#1 There is no reason for a baby monitor to be connected to the internet. If you aren't home you aren't going to be able to do anything for the baby....
But you will be able to call the babysitter/wife/husband

sfsuphysics

[H]F Junkie
Joined
Jan 14, 2007
Messages
14,748
It's fun reading some of the dumb stories you hear with this stuff. I remember one from a couple years ago where someone's baby monitor was "hacked" and a stranger was saying creepy stuff to their baby.

#1 There is no reason for a baby monitor to be connected to the internet. If you aren't home you aren't going to be able to do anything for the baby....
Baby monitors do more than just monitor audio; quite a few now do video as well, and I'm sure it's much easier to go through Wi-Fi in order to send that video signal. Also, some do allow you to tilt, pan, and zoom, making things easier via Wi-Fi. They can also save cost by not having a receiver in the set.

sharknice

2[H]4U
Joined
Nov 12, 2012
Messages
2,411
Baby monitors do more than just monitor audio; quite a few now do video as well, and I'm sure it's much easier to go through Wi-Fi in order to send that video signal. Also, some do allow you to tilt, pan, and zoom, making things easier via Wi-Fi. They can also save cost by not having a receiver in the set.

They don't need to connect to the internet to use Wi-Fi, or even your router to do that. I have one where the monitor directly connects to the camera with 2.4 GHz wireless; the camera has tilt, zoom, night vision, two-way communication, can play music, etc. They can also connect to your phone or tablet the same way using an app, without actually connecting to the internet.

Connecting it to the internet is just stupid. The person watching the baby is going to be in the home, and have the monitor. I've seen ones that claim they use AI to monitor your baby's sleeping and all sorts of stupid pointless things and even try to charge a subscription....

blandead

Limp Gawd
Joined
Nov 6, 2010
Messages
293
I’ve been harping on management to allow me to enforce stricter requirements for passwords for a while. Found most of them in the breach and confirmed their leaked credentials worked in a few places. Needless to say their accounts are now locked. I also suspect I won’t be getting next week off as planned.
How'd you check?

Lakados

2[H]4U
Joined
Feb 3, 2014
Messages
3,893
Most obvious thing is to look through the list of leaked credentials for email addresses in your domain, and then try to log in to a PC with that person's Windows login and the password from the list.
Yep, got right into most of their email accounts first try. Some I just needed to change the date at the end.

Apple has gone ahead and also informed users about sites that they have saved in Keychain, and it's flagging those ones if they have been leaked, asking for people to change passwords. Most of my admin staff questioned me about that today.

1_rick

[H]ard|Gawd
Joined
Feb 7, 2017
Messages
1,765
Some I just needed to change the date at the end.
That's why I change the beginning. Modern problems require modern solutions.

(OK, I only did this with one account ever, but I got away with it for two and a half cycles of the alphabet.)

The Mad Atheist

[H]ard|Gawd
Joined
Mar 9, 2018
Messages
1,219
Well f me, one of mine was on the list.
Though I didn't even bother to read the whole thing to see if past combos are included.

socK

Supreme [H]ardness
Joined
Jan 25, 2004
Messages
4,131
Most obvious thing is to look through the list of leaked credentials for email addresses in your domain, and then try to log in to a PC with that person's Windows login and the password from the list.

If you're an Active Directory shop, it's easy to ask AD to validate arbitrary credentials. Couple lines of PowerShell.

Just be careful that you don't lock anyone out. Nothing like an internal password spray attack against yourself to start the day.
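The first step both posts above describe, pulling your own domain's addresses out of a leaked combo list, is shown here as an added example (not code from any poster). It parses a constructed sample dump, keeps only exact matches on the organisation's mail domain (so look-alike domains are not counted), reports SHA-1 digests rather than plaintext, and uses the domain's lockout threshold to flag accounts that have too many distinct leaked passwords to validate safely, which is the lockout caveat from the last post; the domain name, sample lines and threshold are all assumptions.

```python
import hashlib
import re
from collections import defaultdict

# Constructed sample of a combo-list style dump (not real credentials).
# Real dumps mix separators and letter case, so the parser tolerates both.
SAMPLE_DUMP = """\
alice@example.com:Winter2019!
Bob@Example.COM;Summer2020
carol@gmail.com:hunter2
alice@example.com:Winter2020!
mallory@example.com.evil.net:pw
dave@sub.example.com:Spring2018
not a credential line
"""

# email, one separator (colon or semicolon), then the rest of the line
LINE_RE = re.compile(r"^([^\s:;]+@[^\s:;]+)[:;](.+)$")

def parse_dump(text):
    """Yield (email, password) for every line that looks like a credential."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(1).lower(), m.group(2)

def in_domain(email, domain, include_subdomains=False):
    """Exact match on the mail domain, so 'example.com.evil.net' is not counted."""
    host = email.rsplit("@", 1)[1]
    if host == domain:
        return True
    return include_subdomains and host.endswith("." + domain)

def affected_accounts(text, domain, include_subdomains=False):
    """Map each in-domain address to the set of SHA-1 digests of its leaked
    passwords. Digests keep the report safe to pass around, and the set size
    shows how many distinct passwords leaked for that account."""
    hits = defaultdict(set)
    for email, pw in parse_dump(text):
        if in_domain(email, domain, include_subdomains):
            hits[email].add(hashlib.sha1(pw.encode()).hexdigest())
    return dict(hits)

def lockout_risk(hits, lockout_threshold):
    """Accounts whose distinct leaked-password count reaches the AD lockout
    threshold (0 means no lockout): validating every candidate for these could
    lock the user out, so they need a manual approach instead."""
    if lockout_threshold == 0:
        return []
    return sorted(e for e, h in hits.items() if len(h) >= lockout_threshold)
```

Run `affected_accounts(SAMPLE_DUMP, "example.com")` and then `lockout_risk(hits, 2)` (assumed threshold) to see which accounts should not be validated one password after another.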

travm

Gawd
Joined
Feb 26, 2016
Messages
979
Follow up:
They have noticed their accounts are locked and understand why I did it. But now they want to take security to 11. I just wanted to enforce password expiry dates and maybe take it from 6 min to 8 min with some special characters and numbers and stuff. But no, now they want all that and 2 factor, but half our staff refuse to own cellphones and generally hate tech, so now I'm sourcing RSA key fobs....
lol! That's about right. I think that the snap reaction to the extreme on everything is a mental requirement to become a mid-high level manager at any company w/ 50+ employees. It's mind-boggling.

Tsumi

[H]F Junkie
Joined
Mar 18, 2010
Messages
13,469
Well f me, one of mine was on the list.
Though I didn't even bother to read the whole thing to see if past combos are included.

It's an aggregate so it includes the past breaches. I just rely on Google to tell me if my passwords have been hacked or not.

Johnx64

Supreme [H]ardness
Joined
Apr 22, 2002
Messages
8,058
Seems like every year around tax time we get informed of massive data breaches and as a result delays on tax returns.

martinmsj

[H]ard|Gawd
Joined
Mar 3, 2005
Messages
1,581
Not sure if this is relevant. My iPhone just warned me a bunch of my passwords have been leaked recently.

HardForum was one of them. Already changed my password but I can't find the option to change passwords on EVGA.

cybereality

Supreme [H]ardness
Joined
Mar 22, 2008
Messages
7,054
Try clicking the forgot password button on the login screen, that should be an option.

martinmsj

[H]ard|Gawd
Joined
Mar 3, 2005
Messages
1,581
That is what I did.
I am curious how this all happened. At first I was worried that this was through one of my Windows machines because my Steam Login was also one of those compromised accounts. Moreover, my CA DMV and my CA EDD Gov info was also compromised; I only access those accounts through my Mac Mini or my iPad/iPhone.

Bah, this stinks.

Tsumi

[H]F Junkie
Joined
Mar 18, 2010
Messages
13,469
Did you use the same password across all those accounts? If not, how common of a password could they have been?

I would not be surprised if a government database was hacked.

Coldblackice

[H]ard|Gawd
Joined
Aug 14, 2010
Messages
1,132
They don't need to connect to the internet to use Wi-Fi, or even your router to do that. I have one where the monitor directly connects to the camera with 2.4 GHz wireless
Ok, but then how is the manufacturer supposed to sell your data in that scenario?