• Some users have recently had their accounts hijacked. It seems that the now-defunct EVGA forums might have compromised your password there, and it seems many are using the same PW here. We would suggest you UPDATE YOUR PASSWORD and TURN ON 2FA for your account here to further secure it. None of the compromised accounts had 2FA turned on.
    Once you have enabled 2FA, your account will be updated soon to show a badge, letting other members know that you use 2FA to protect your account. This should be beneficial for everyone that uses FSFT.

Compromised Accounts

Just to be clear "2FA Enabled" helps, but doesn't guarantee the seller is legit.
Yesterday I believe somebody said their account was taken over and the hacker enabled 2FA so they had trouble recovering it.
Keep doing due diligence on FS/FT.
I saw that. That means the hacker had his email password too I guess? Maybe he had only one password everywhere?
 
Much better with the tag. Although I do believe just forcing 2FA might be the best option by far. Worth the hassle imo. But at least the 2FA tag will provide that info to peeps who live in the FS/T section...like myself...haha.
 
I saw that. That means the hacker had his email password too I guess? Maybe he had only one password everywhere?
Yea. If the individual account owner was not too bright and used the same password for both the hacked site and his e-mail, would be the case. Not a surefire solution, but at least offers some additional protections. I honestly would prefer if we could force 2FA on everyone, try to log in, and pop up stating you have to have 2FA and go through the process of setting it up. Not sure if the forum software would allow it, but I believe it would be needed considering the uptick in scams from hacked accounts.
 
Much better with the tag. Although I do believe just forcing 2FA might be the best option by far. Worth the hassle imo. But at least the 2FA tag will provide that info to peeps who live in the FS/T section...like myself...haha.
And now people can see it so when our fs threads say it’s enabled a mod doesn’t have to check. Neat.
 
Yesterday I believe somebody said their account was taken over and the hacker enabled 2FA so they had trouble recovering it.
I am not aware of this at all. As mentioned in the notification pop-up, none of the compromised accounts I have handled had 2FA enabled.
 
I saw that. That means the hacker had his email password too I guess? Maybe he had only one password everywhere?
He was not aware. I reset it, not the person that had his PW. And again, 2FA was not turned on.
 
I am not aware of this at all. As mentioned in the notification pop-up, none of the compromised accounts I have handled had 2FA enabled.
I probably remembered incorrectly. Just going by memory since all the posts were deleted.

I forgot who the users were, but a FS thread was from a compromised user.
User was able to write the FS thread was a scam.
But that post was deleted by the hacker.
The user's friend posted their friend's account was compromised and couldn't get back in.
 
Just going by memory since all the posts were deleted.
Just for the record, none of those posts were deleted. You just can't see those.

User was able to write the FS thread was a scam.
But that post was deleted by the hacker.
The user's friend posted their friend's account was compromised and couldn't get back in.
That is not how it happened, at all.
 
It’s Frgmsters circus, and his monkeys.

I think compelling 2FA is not the way to go. Offering it, encouraging it via banner? Yes. Give that sparkle tag? Yes. Compel? (And I say this respectfully, as a non-stakeholder) That’s not the way to go.
 
I have an EVGA account too but use different passwords. I went and changed all my BOINC and forums passwords anyway since it's been a long time.
 
LOL, they want us to use reddit.......
Reddit perma-banned my accounts for wrongthink.
EVGA should rebuild their forums.
 
Nice flair FrgMstr. A good way to know if someone is more secure when dealing with transactions.

Though I will say that the tint of gray with the white text is a bright spot in the mix of the dark theme. My eyes definitely need to adjust to it if that design is the set standard.
 
crazy how many don't have 2FA enabled.
It's not crazy at all. Literally the only reason this is even being pushed here is because a handful of users didn't follow the standard security advice of using different passwords for every site.

As early as 2021 the EVGA forum hack was being reported here, along with one of the first Hardforum user accounts being compromised as a result of the password reuse. Then in 2022 there were more reports here.

The other option would have been resetting everyone's password here so I can't fault the admin for going with the badge route to encourage use to protect users from scams here but it now means there's a distracting user badge for every single post as a result. Guess I'll just use Stylus on both desktop and mobile to hide them.
 
It's not crazy at all. Literally the only reason this is even being pushed here is because a handful of users didn't follow the standard security advice of using different passwords for every site.

As early as 2021 the EVGA forum hack was being reported here, along with one of the first Hardforum user accounts being compromised as a result of the password reuse. Then in 2022 there were more reports here.

The other option would have been resetting everyone's password here so I can't fault the admin for going with the badge route to encourage use to protect users from scams here but it now means there's a distracting user badge for every single post as a result. Guess I'll just use Stylus on both desktop and mobile to hide them.
Genuinely curious: what's your opposition to 2FA?
 
Genuinely curious: what's your opposition to 2FA?
I have no issue if anyone wants to enable it. I use strong entropy random, unique passwords for every site and use 2FA for accounts that have high importance, where the friction of using 2FA and the threat model makes sense.

I don't consider my regular phone a trusted device nor do I leave TOTP 2FA management apps open or email accounts logged into at all times like some do, which means for any site I enable 2FA with the entire process requires multiple password logins, is time window limited and deliberately high friction.

My comment was about the obnoxious badge visible on every sub-board and the posters throwing shade on users without it. However I use Stylus everywhere so I've been able to hide the badge.



So let's look at a few actual threat models here.

1. Password reuse, where some other site database gets compromised and the attacker attempts the password on other sites, likely from looking up matching usernames online or via perhaps prior breaches that expose matching email addresses. Since passwords are typically hashed when stored the password would also have to be weak to bruteforcing (or else the site was storing them in plaintext, which is terrible).

2. If a user's system is compromised. If your system is compromised then it literally doesn't matter if one has 2FA as once logged in attacker can directly steal the cookies anyway, apart from any number of other shenanigans (including any password managers, which many users I've seen use to store 2FA secrets/backup codes). Cookie stealing is a known security weakness and is often seen by malware targeting accounts. Chromium is only very recently in the process of testing system TPM-tied cookies that mitigate this issue but it hasn't even rolled out yet.

3. If the site (Hardforum) were hacked. It depends on what was compromised. Some considerations are for TOTP-based 2FA how the secrets are stored. TOTP 2FA secrets necessarily have to be plaintext during authentication, unlike stored password hashes where only the hash of what the user has entered is compared at login. Idk how Xenforo handles TOTP secrets at rest. For email-based 2FA it's different since an attacker would require separate account access but regardless of what happens everyone's passwords would be reset anyway once it was discovered.

4. If an online password manager is compromised. This happened to LastPass: everyone's vaults were stolen. Some users only had a single PBKDF2 iteration, meaning that if their password didn't have enough inherent entropy their password was easily bruteforceable. Some users never even bothered changing their account passwords (I spoke with one such user) and just assumed that changing the LastPass master password was enough.



From everything posted it seems clear #1 is what has happened in this case. EVGA was hacked in 2021 and for the past 4 years various users on HF have seen accounts compromised as a result. Now 2FA is being encouraged so that users with bad security hygiene don't scam other users, which is great.

One downside for such users is depending on how Xenforo handles password resets it's possible that in the event their TOTP management gets lost (eg: phone lost/stolen) they may still require 2FA to change a password. If so then judging by a rather high number of user threads and posts I see here there are plenty of users with limited broader tech savvy-ness who likely won't have saved their 2FA backup codes.
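
The contrast drawn in threat model 3 of the post above, as an added example that is not part of the thread and not XenForo's code: a server can only verify an RFC 6238 TOTP code by recomputing it from the shared secret, while a password is checked against a one-way PBKDF2 digest. The record layout and function names are assumptions for illustration; the secret is the RFC 6238 test value, and the sample row is constructed.

```python
import hashlib
import hmac
import os
import struct

STEP = 30  # seconds per TOTP time step (RFC 6238 default)

def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 code: HMAC-SHA1 keyed with the raw shared secret."""
    counter = struct.pack(">Q", unix_time // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def verify_totp(stored_secret: bytes, submitted: str, now: int, window: int = 1) -> bool:
    """The server recomputes codes, so it must be able to read the secret itself."""
    times = (now + d * STEP for d in range(-window, window + 1))
    return any(hmac.compare_digest(totp(stored_secret, t).encode(), submitted.encode())
               for t in times if t >= 0)

def hash_password(password: str, iterations: int = 600_000) -> dict:
    """Only a salted, slow, one-way digest is stored; the password is not recoverable."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}

def verify_password(record: dict, attempt: str) -> bool:
    """Re-derive the digest from the attempt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", attempt.encode(),
                                 record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["digest"])

if __name__ == "__main__":
    # Constructed sample row: what an account table might hold for one user.
    row = {"password": hash_password("correct horse battery staple"),
           "totp_secret": b"12345678901234567890"}  # RFC 6238 test secret
    now = 59
    # The stored secret alone is enough to produce a code the server accepts.
    print(verify_totp(row["totp_secret"], totp(row["totp_secret"], now), now))
    # The stored digest is not: a wrong guess still fails after the PBKDF2 work.
    print(verify_password(row["password"], "password123"))
```

This is why TOTP secrets are commonly encrypted at rest with a key held outside the database, and why the PBKDF2 iteration count matters for the vault scenario in threat model 4.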
 
I have no issue if anyone wants to enable it. I use strong entropy random, unique passwords for every site and use 2FA for accounts that have high importance, where the friction of using 2FA and the threat model makes sense.

I don't consider my regular phone a trusted device nor do I leave TOTP 2FA management apps open or email accounts logged into at all times like some do, which means for any site I enable 2FA with the entire process requires multiple password logins, is time window limited and deliberately high friction.

My comment was about the obnoxious badge visible on every sub-board and the posters throwing shade on users without it. However I use Stylus everywhere so I've been able to hide the badge.



So let's look at a few actual threat models here.

1. Password reuse, where some other site database gets compromised and the attacker attempts the password on other sites, likely from looking up matching usernames online or via perhaps prior breaches that expose matching email addresses. Since passwords are typically hashed when stored the password would also have to be weak to bruteforcing (or else the site was storing them in plaintext, which is terrible).

2. If a user's system is compromised. If your system is compromised then it literally doesn't matter if one has 2FA as once logged in attacker can directly steal the cookies anyway, apart from any number of other shenanigans (including any password managers, which many users I've seen use to store 2FA secrets/backup codes). Cookie stealing is a known security weakness and is often seen by malware targeting accounts. Chromium is only very recently in the process of testing system TPM-tied cookies that mitigate this issue but it hasn't even rolled out yet.

3. If the site (Hardforum) were hacked. It depends on what was compromised. Some considerations are for TOTP-based 2FA how the secrets are stored. TOTP 2FA secrets necessarily have to be plaintext during authentication, unlike stored password hashes where only the hash of what the user has entered is compared at login. Idk how Xenforo handles TOTP secrets at rest. For email-based 2FA it's different since an attacker would require separate account access but regardless of what happens everyone's passwords would be reset anyway once it was discovered.

4. If an online password manager is compromised. This happened to LastPass: everyone's vaults were stolen. Some users only had a single PBKDF2 iteration, meaning that if their password didn't have enough inherent entropy their password was easily bruteforceable. Some users never even bothered changing their account passwords (I spoke with one such user) and just assumed that changing the LastPass master password was enough.



From everything posted it seems clear #1 is what has happened in this case. EVGA was hacked in 2021 and for the past 4 years various users on HF have seen accounts compromised as a result. Now 2FA is being encouraged so that users with bad security hygiene don't scam other users, which is great.

One downside for such users is depending on how Xenforo handles password resets it's possible that in the event their TOTP management gets lost (eg: phone lost/stolen) they may still require 2FA to change a password. If so then judging by a rather high number of user threads and posts I see here there are plenty of users with limited broader tech savvy-ness who likely won't have saved their 2FA backup codes.
The badge is there at the request of frequent FSFT users. As noted, you don't have to see it anyways, so it is of no issue to you.
 
Well, now the folks with the EVGA password list are turning on 2FA on the compromised accounts. Saw that coming, still a good thing to have turned on. Funny thing, so I guess it is getting harder to make any money off folks here; the hackers are now sending me email to complain about their accounts being hacked. LOL

Please continue to report ANY accounts/posts that get on your radar that we need to give a look.
 
Well, now the folks with the EVGA password list are turning on 2FA on the compromised accounts. Saw that coming, still a good thing to have turned on. Funny thing, so I guess it is getting harder to make any money off folks here; the hackers are now sending me email to complain about their accounts being hacked. LOL

Please continue to report ANY accounts/posts that get on your radar that we need to give a look.
That’s pretty funny that they’re complaining now.
 
Well, now the folks with the EVGA password list are turning on 2FA on the compromised accounts. Saw that coming, still a good thing to have turned on. Funny thing, so I guess it is getting harder to make any money off folks here; the hackers are now sending me email to complain about their accounts being hacked. LOL

Please continue to report ANY accounts/posts that get on your radar that we need to give a look.

Wow.

I mean. I’ll give the hackers this: sure have some brassy ones to try to wrestle control away at that stage. Jeez.
 
Wow.

I mean. I’ll give the hackers this: sure have some brassy ones to try to wrestle control away at that stage. Jeez.
Talking to someone now that is claiming their account was "hacked." Still have not given them control, just way too many red flags. I sent an email back and just got this:

A message that you sent could not be delivered to one or more of its recipients. This is a permanent error. The following address(es) failed:

host filtergroup.mxroute.com [x.x.x.x]

SMTP error from remote mail server after RCPT TO:<email>:

x.x.x.x <email>: Recipient address rejected:


Recipient email caught maliciously spamming website registrations today
 
Enabled 2FA a couple days ago, experience is much smoother than when I first enabled it, which I think was soon after it was first rolled out.
 
Talking to someone now that is claiming their account was "hacked." Still have not given them control, just way too many red flags. I sent an email back and just got this:

A message that you sent could not be delivered to one or more of its recipients. This is a permanent error. The following address(es) failed:

host filtergroup.mxroute.com [x.x.x.x]

SMTP error from remote mail server after RCPT TO:<email>:

x.x.x.x <email>: Recipient address rejected:


Recipient email caught maliciously spamming website registrations today
Is there a way to cross reference these accounts to their heatware email or something?
 