3.2 billion email passwords leaked

martinmsj

[H]ard|Gawd
Joined
Mar 3, 2005
Messages
1,580
Did you use the same password across all those accounts? If not, how common of a password could they have been?

I would not be surprised if a government database was hacked.

No to the same password across all those accounts. I have not found any sign of someone accessing these accounts, they just appeared in the leak according to Apple's Security Alert.

Notable things from the my experience:
  • The CA Edd and DMV were generated. The CA account I created to get my electric vehicle state rebate was not compromised which is also a Gov account.
  • The Best Buy Credit Card was one of the accounts and those passwords were not common (generated with short words, symbols, and numbers.) The interesting thing was there was an HRSAccount that I could not log into with the compromised information because the account did not exist. Took me a moment but with a recent free annual report credit report I realized this was the financial institution for the Best Buy credit before it was handled by Citi. It appears both my current and previous Best Buy credit card accounts were on there.
  • Steam, EVGA, and FPL for my Dad's place in Florida were short old old old 8 character passwords with numbers and letters and those were leaked.
Best Buy related credit information is the most eye opening as they got information on an account that doesn't exist anymore. Changed all to new generated passwords. EVGA, FPL and Best Buy still don't offer some kind of 2FA. Lucky for me I still opt to get all my paper statements and check them when I get them in the mail.
 
Last edited:

sharknice

2[H]4U
Joined
Nov 12, 2012
Messages
2,321
No to the same password across all those accounts. I have not found any sign of someone accessing these accounts, they just appeared in the leak according to Apple's Security Alert.

Notable things from the my experience:
  • The CA Edd and DMV were generated. The CA account I created to get my electric vehicle state rebate was not compromised which is also a Gov account.
  • The Best Buy Credit Card was one of the accounts and those passwords were not common (generated with short words, symbols, and numbers.) The interesting thing was there was an HRSAccount that I could not log into with the compromised information because the account did not exist. Took me a moment but with a recent free annual report credit report I realized this was the financial institution for the Best Buy credit before it was handled by Citi. It appears both my current and previous Best Buy credit card accounts were on there.
  • Steam, EVGA, and FPL for my Dad's place in Florida were short old old old 8 character passwords with numbers and letters and those were leaked.
Best Buy related credit information is the most eye opening as they got information on an account that doesn't exist anymore. Changed all to new generated passwords. Stream, EVGA, FPL and Best Buy still don't offer some kind of 2FA. Lucky for me I still opt to get all my paper statements and check them when I get them in the mail.

Steam has 2FA, you need to install the steam app on your phone and set it up there. The authentication part is called Steam Guard.


Kind of funny, last time I logged into the Steam app on my phone it made me enter the 2FA code, that the app I was logging into generates...
 

martinmsj

[H]ard|Gawd
Joined
Mar 3, 2005
Messages
1,580
Steam has 2FA, you need to install the steam app on your phone and set it up there. The authentication part is called Steam Guard.


Kind of funny, last time I logged into the Steam app on my phone it made me enter the 2FA code, that the app I was logging into generates...

Sorry, I had the Steam guard since day one.
 

Furious Nerd

2[H]4U
Joined
Sep 14, 2006
Messages
3,158
Looked up my ex's email address on https://haveibeenpwned.com/ and x.x for her, wow, a lot. She'd get so much spam in her email too and I offered to help her unsubscribe from all that crap and give her tips but she would just tell me it didn't bother her and doesn't have a problem deleting like 60 spam emails from her main inbox every morning :ROFLMAO: (seriously, part of her morning routine was deleting spam emails first thing in the morning in bed for 10 minutes) she also reused her one super simple password for EVERYTHING and just told me she didn't want to bother memorize a stronger password or more passwords despite explaining the risks to her. I don't get some people 🤦‍♂️

Only EatStreet for me from May 2019.
But here is what it says was compromised from EatStreet: Dates of birth, Email addresses, Genders, Names, Partial credit card data, Passwords, Phone numbers, Physical addresses, Social media profiles ...................... :vomit:

Two factor authentication is a must these days. My email is on the above list - I check my login history every week or so and there are so many attempts on it, i cannot even keep count. I never get a request that someone is trying to login and to accept it - so i assume they are just trying to brute force attack it. Email passwords are the most important thing to keep safe and change often. Once someone has access to it, they generally have access to all accounts linked to it. The thought of that alone is scary.
I use 2FA in the form of YubiKey for my email. But it scares me if I lose the YubiKey someday. What then? I would hope email companies can help in this case if you send in an ID? But I suppose those can be photoshopped too

Using 2FA is secure but it's annoying if you use that on every single website
I only use 2FA on the most critical things (primary email, some financial stuff, Steam, I think that's it). For other regular websites IMO it's safe enough to just use a randomized password and a password manager. That way, if say [H] gets hacked, all the hackers would get is a gibberish password unique to this site only - I won't be affected. Definitely not worth the 2FA hassle for every site IMO

----

But what happens when a keylogger goes undetected, and able to capture the PW manager Master password? Then they have access to ALL your logins, all in one nice little spot. I have 2FA on my password manager too though but probably few do

Damn, all this security shit is scary. At any moment something catastrophic of yours could be hacked and flip your life and finances upside down in an instant and then GLHF
 
Last edited:

Youn

Supreme [H]ardness
Joined
Jan 22, 2007
Messages
5,741
Our IT director recommends we all use OneLogin, but I somehow feel uneasy about that... anyone have advice?
 

1_rick

[H]ard|Gawd
Joined
Feb 7, 2017
Messages
1,623
Social media profiles
I love how all these sites want to bolster their profiles by adding food toys social media accounts. No, random website, I'm not giving you my fb account. (And now we have extra reasons why it's a bad thing. )
 
Top