3.2 billion email passwords leaked

It's been nearly a decade since the last time the login name to my mail account had any similarity with my email address.
 
Two factor authentication is a must these days. My email is on the above list - I check my login history every week or so and there are so many attempts on it, I cannot even keep count. I never get a request that someone is trying to login and to accept it - so I assume they are just trying to brute force attack it. Email passwords are the most important thing to keep safe and change often. Once someone has access to it, they generally have access to all accounts linked to it. The thought of that alone is scary.
 
Two factor authentication is a must these days. My email is on the above list - I check my login history every week or so and there are so many attempts on it, I cannot even keep count. I never get a request that someone is trying to login and to accept it - so I assume they are just trying to brute force attack it. Email passwords are the most important thing to keep safe and change often. Once someone has access to it, they generally have access to all accounts linked to it. The thought of that alone is scary.
My email and password have been in 10 leaks, but it has never been compromised thanks to 2-factor. Still, I am sure to change it any time one of these stories comes out. It's too risky, as you say.
 
My email and password have been in 10 leaks, but it has never been compromised thanks to 2-factor. Still, I am sure to change it any time one of these stories comes out. It's too risky, as you say.
Yeah but take the mentality of the average person. No one wants to have to enter a code that was sent by text to their phone (one of the more common 2FA methods) every time they check their email. That said, I rarely check my email via the web, although on the rare occasions when I do, it always thinks I'm logging in from a new computer (because the version of Firefox changes more often than I change out of my pajamas these days!)
 
Yeah but take the mentality of the average person. No one wants to have to enter a code that was sent by text to their phone (one of the more common 2FA methods) every time they check their email. That said, I rarely check my email via the web, although on the rare occasions when I do, it always thinks I'm logging in from a new computer (because the version of Firefox changes more often than I change out of my pajamas these days!)
From what I understood, if they reuse the same phone or computer, they do not need to do it:
During sign-in, you can choose not to use 2-Step Verification again on that particular computer. From then on, that computer will only ask for your password when you sign in.
You'll still be covered, because when you or anyone else tries to sign in to your account from another computer, 2-Step Verification will be required.


One issue apparently (I do not know how true or common) is a hacker being able to know a person's phone number and pass for them.
 
Seems like my gmail got nailed. I do have 2FA enabled but my gmail is for sites/forums. Anything for purchases/banks is my other email account.
 
The best password is a long winded non-sensical sentence you come up with yourself, spaces in the password between words and all.
 
The best password is a long winded non-sensical sentence you come up with yourself, spaces in the password between words and all.
Then one of two things happens... 1) You use different sentences for every site you go to, forget which sentence goes with which site, and get locked out of your account after 5 wrong sentences, or 2) You have sites that also require a letter and symbol.
 
It's fun reading some of the dumb stories you hear with this stuff. I remember one from a couple years ago where someone's baby monitor was "hacked" and a stranger was saying creepy stuff to their baby.

#1 There is no reason for a baby monitor to be connected to the internet. If you aren't home you aren't going to be able to do anything for the baby....
#2 It wasn't "hacked" at all. The person used compromised credentials on a list like this for their login.

Of course the media blamed the manufacturer, even though they had warnings not to use the same username/password as you do for other accounts, etc., and proved the passwords were just taken off a compromised list.
The manufacturer updated their app and forced two factor authentication because their users were so stupid.
 
God bless you, Grandma Edna! Strong passwords just become hard to remember.

I hate stupid corporate passwords like t+eseTy_per as they are less secure and harder to remember than 'themailmanswhitepants69'.
Buy a keyboard that records macros. Store the password on the keyboard. Modern problems require modern solutions.
 
#1 There is no reason for a baby monitor to be connected to the internet. If you aren't home you aren't going to be able to do anything for the baby....
But you will be able to call the babysitter/wife/husband.
 
It's fun reading some of the dumb stories you hear with this stuff. I remember one from a couple years ago where someone's baby monitor was "hacked" and a stranger was saying creepy stuff to their baby.

#1 There is no reason for a baby monitor to be connected to the internet. If you aren't home you aren't going to be able to do anything for the baby....
Baby monitors do more than just monitor audio; quite a few now do video as well, and I'm sure it's much easier to go through wifi to send that video signal. Also, some allow you to tilt, pan, and zoom, which is easier via wifi. They can also save cost by not having a receiver in the set.
 
Baby monitors do more than just monitor audio; quite a few now do video as well, and I'm sure it's much easier to go through wifi to send that video signal. Also, some allow you to tilt, pan, and zoom, which is easier via wifi. They can also save cost by not having a receiver in the set.

They don't need to connect to the internet to use wifi, or even your router to do that. I have one where the monitor directly connects to the camera with 2.4 GHz wireless; the camera has tilt, zoom, night vision, two way communication, can play music, etc. They can also connect to your phone or tablet the same way using an app, without actually connecting to the internet.

Connecting it to the internet is just stupid. The person watching the baby is going to be in the home, and have the monitor. I've seen ones that claim they use AI to monitor your baby's sleeping and all sorts of stupid pointless things and even try to charge a subscription....
 
I’ve been harping on management to allow me to enforce stricter requirements for passwords for a while. Found most of them in the breach and confirmed their leaked credentials worked in a few places. Needless to say their accounts are now locked. I also suspect I won’t be getting next week off as planned.
How'd you check?
 
Most obvious thing is to look through the list of leaked credentials for email addresses in your domain, and then try to log in to a PC with that person's Windows login and the password from the list.
Yep, got right into most of their email accounts first try. Some I just needed to change the date at the end.

Apple has gone ahead and also informed users about sites that they have saved in Keychain, and it's flagging those ones if they have been leaked, asking people to change passwords. Most of my admin staff questioned me about that today.
 
Some I just needed to change the date at the end.
That's why I change the beginning. Modern problems require modern solutions.

(OK, I only did this with one account ever, but I got away with it for two and a half cycles of the alphabet.)
 
Well f me, one of mine was on the list.
Tho I didn't even bother to read the whole thing to see if past combos are included.
 
Most obvious thing is to look through the list of leaked credentials for email addresses in your domain, and then try to log in to a PC with that person's Windows login and the password from the list.

If you're an Active Directory shop, it's easy to ask AD to validate arbitrary credentials. A couple of lines of PowerShell.

Just be careful that you don't lock anyone out. Nothing like an internal password spray attack against yourself to start the day.
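One way to do the AD check described above, written here as an added example rather than code from the thread or any poster: it validates each leak-derived credential with a single LDAP bind, reads the domain lockout threshold first so no account is pushed over it, and forces a password change on any hit. It assumes the RSAT ActiveDirectory module, a constructed CSV named `leaked.csv` with `Email` and `Password` columns (file name and layout are assumptions), and an operator account allowed to read `badPwdCount` and set `-ChangePasswordAtLogon`.

```powershell
# Added example (not from the thread): audit leak-derived credentials against your
# own AD domain without tripping account lockout, then force a reset on any hit.
# Assumptions: RSAT ActiveDirectory module; a constructed CSV 'leaked.csv' with
# columns Email,Password restricted to your own users.
Import-Module ActiveDirectory

$domain     = Get-ADDomain
$pdc        = $domain.PDCEmulator       # badPwdCount is per-DC; the PDC sees every failure
$mailDomain = $domain.DNSRoot           # assumption: change if your mail domain differs
$threshold  = (Get-ADDefaultDomainPasswordPolicy).LockoutThreshold   # 0 = lockout disabled

$entries = Import-Csv -Path '.\leaked.csv' |
    Where-Object { $_.Email -like "*@$mailDomain" }

$results = foreach ($e in $entries) {
    # The LDAP filter below uses single quotes; skip addresses that would break it.
    if ($e.Email -match "'") { continue }
    $user = Get-ADUser -Server $pdc -Filter "mail -eq '$($e.Email)'" -Properties badPwdCount, LockedOut
    if (-not $user) { continue }
    if ($user.LockedOut) {
        Write-Warning "$($user.SamAccountName) is already locked out; skipping"
        continue
    }
    # Keep one failed attempt of headroom: a wrong password below counts as one more failure.
    if ($threshold -gt 0 -and $user.badPwdCount -ge ($threshold - 1)) {
        Write-Warning "$($user.SamAccountName) has badPwdCount=$($user.badPwdCount); skipping"
        continue
    }

    # One simple bind against the PDC with the leaked password; NativeObject throws if it fails.
    $entry = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$pdc", $user.UserPrincipalName, $e.Password)
    try     { $null = $entry.NativeObject; $valid = $true }
    catch   { $valid = $false }
    finally { $entry.Dispose() }

    if ($valid) {
        # The leaked password still works: require a new one at next logon.
        Set-ADUser -Server $pdc -Identity $user -ChangePasswordAtLogon $true
    }
    [pscustomobject]@{ User = $user.SamAccountName; LeakedPasswordValid = $valid }
}

$results | Format-Table -AutoSize
```

Two things to keep in mind when running it: every failed bind is a real bad-password event, so a user whose count is already near the threshold is skipped rather than tested, and the counter is read from the PDC emulator because `badPwdCount` is not replicated between domain controllers. Run it on a small batch first and review the output before working through the whole list.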
 
Follow up:
They have noticed their accounts are locked and understand why I did it. But now they want to take security to 11. I just wanted to enforce password expiry dates and maybe take it from 6 min to 8 min with some special characters and numbers and stuff. But no, now they want all that and 2 factor, but half our staff refuse to own cellphones and generally hate tech, so now I'm sourcing RSA key fobs....
lol! That's about right. I think that the snap reaction to the extreme on everything is a mental requirement to become a mid-high level manager at any company w/ 50+ employees. It's mind-boggling.
 
Well f me, one of mine was on the list.
Tho I didn't even bother to read the whole thing to see if past combos are included.

It's an aggregate so it includes the past breaches. I just rely on Google to tell me if my passwords have been hacked or not.
 
Seems like every year around tax time we get informed of massive data breaches and as a result delays on tax returns.
 
Not sure if this is relevant. My iPhone just warned me a bunch of my passwords have been leaked recently.

HardForum was one of them. Already changed my password but I can't find the option to change passwords on EVGA.
 
That is what I did.
I am curious how this all happened. At first I was worried that this was through one of my Windows machines because my Steam Login was also one of those compromised accounts. Moreover, my CA DMV and my CA EDD Gov info was also compromised; I only access those accounts through my Mac Mini or my iPad/iPhone.

Bah, this stinks.
 
Did you use the same password across all those accounts? If not, how common of a password could they have been?

I would not be surprised if a government database was hacked.
 
They don't need to connect to the internet to use wifi, or even your router to do that. I have one where the monitor directly connects to the camera with 2.4ghz wireless
Ok, but then how is the manufacturer supposed to sell your data in that scenario?
 