sfsuphysics Account was Compromised.

[FrgMstr]

He got in touch with us this morning, we looked at IPs etc. Also reached out to who was sold to yesterday to advise them.

Stay vigilant. And for God's sake, change your passwords if they were shared between here and EVGA forums.

 

[sfsuphysics]

Apparently was "sold" to a number of people according to my conversations, I sent everyone a message from the conversations I had in my inbox assuming he didn't delete any of them. So if you did send "me" money contact whatever financial institution you used and see if they can reverse the payments. I'm totally sorry this happened. My password here was not the same as my EVGA one though, it probably was from an older "you've been pwn'd list" or something.

 

[LFaWolf]

Why was 2FA or MFA not enabled at this point, given there have been many instances of compromised accounts?

 

[Deleted member 109755]

I think in order to sell on [H] it should be a requirement that 2FA be enabled.

2FA should be enabled everywhere regardless, but especially in instances where goods and money will be exchanged.

 

[LFaWolf]

I think in order to sell on [H] it should be a requirement that 2FA be enabled.

2FA should be enabled everywhere regardless, but especially in instances where goods and money will be exchanged.

I think the mods have stated in the past that is not possible to do (2FA just for FS/FT).

 

[GoldenTiger]

I think the mods have stated in the past that is not possible to do (2FA just for FS/FT).

Nor should it be done. I have never had a compromised account in over 30 years of using bbs, private dialup systems, and the internet. Change your passwords every so often and practice good system hygiene and it shouldn't happen to you either.

Also people really should beware of too good to be true deals and red flags in the hacker's post such as upgrading mulitple times in one day according to his multiple threads and heatware not mentioning this account as a valid one for sfsuphysics.

Not victim blaming but people are all too quick to send $600 via friends and family (no protection) to someone with broken English and self contradictions when that is a ridiculously out of the ordinary price for a non mined rtx 3080 for example. Be careful!

 

[undertaker2k8]

Wonder if it's the same group that struck last year, they are clearly smart enough to know exactly what may pass muster to get some folks to trust it. A $600 3080 is definitely not too suspicious in this market given what they fetch else where with fees on top, more believable than the $700 FHR 3070s late last year for sure.

 

[Nebulous]

I just changed my password. I've been using the same one since I joined in 2005

 

[kyang357]

Sorry to all affected. Hope you fellas can get your money back.

 

[Deleted member 109755]

I think the mods have stated in the past that is not possible to do (2FA just for FS/FT).

then do it site wide, everyone only stands to benefit from the increase in security

 

[DooKey]

Hopefully everyone who paid used Paypal G&S payment.

 

[travm]

then do it site wide, everyone only stands to benefit from the increase in security

Good way to ensure I never post here again.

 

[Deleted member 109755]

so whats the downside exactly?

 

[Nobu]

so whats the downside exactly?

Well if you don't have a device which can act as a second authenticator, then you cannot contribute to the site at all until you get one which can, even if you never use the fs/t forum.

If you lose access to your second authenticator, you lose access to the site until you figure out how to bypass or transfer to another device.

 

[Deleted member 109755]

*whoosh*

 

[kirbyrj]

Well if you don't have a device which can act as a second authenticator, then you cannot contribute to the site at all until you get one which can, even if you never use the fs/t forum.

If you lose access to your second authenticator, you lose access to the site until you figure out how to bypass or transfer to another device.

Umm...I just set up to e-mail me a code. It's generally not hard to check your e-mail on just about any device that's connected to the internet.

 

[bufodr_T]

Hopefully everyone who paid used Paypal G&S payment.

If i remember correctly they were asking for f&f.

 

[Nobu]

*whoosh*

Hah

 

[FrgMstr]

The last time we pushed a PW reset we lost half our active users. People don't like being told what to do.

That all said, if you do not properly protect yourself in a trade, which is quite easy, likely easier than 2FA every day compounded, and you get hosed, it is your fault. Let's face it, making a phone call is about all it takes to secure your trade.

 

[Okatis]

What did EVGA do following their hack btw, auto reset everyone's passwords or was it some manual user-initiated process?

Brief search doesn't return relevant results.

 

[LFaWolf]

What did EVGA do following their hack btw, auto reset everyone's passwords or was it some manual user-initiated process?

Brief search doesn't return relevant results.

EVGA enforced 2FA on every account.

 

[Deleted member 109755]

I'm not so sure the loss of security-averse users is a _bad_ thing.

What's worse, loss of users or continued bad reputation (and further loss of users) by doing nothing but fostering an insecure environment where it's _much_ easier to get ripped off?

Yeah, [H] isn't directly responsible for the scams that have happened, but by doing _nothing_ you're certainly not helping the situation.

Anything worth doing is worth doing right and anything worth doing is worth over-doing.

 

[legcramp]

Just force a sitewide password change everyday 90 days.

 

[Riddlinkidstoner]

Just force a sitewide password change everyday 90 days.

Mandating password changes every 90 days will just force users to slightly alter their passwords every 90 days, keeping it easy to remember such as Password1, Password2!, Password3!!, etc.

I would just recommend ensuring a strong password is created the first time or maybe a one time forced password update across the board. Also thanks for reminding me to update my password to something a lot more complex.

 

[kyang357]

I would just recommend ensuring a strong password is created the first time

THIS!

I use Brave to suggest and manage a random password unique for every site. If my PC/Brave is hacked, then I would be in trouble. I'm not entirely sure if this is safe but it's been working for me. :crossedfingers:

 

[longblock454]

strong password

How I generate passwords, never reused:

date +%s | sha256sum | base64 | head -c 24 ; echo

 

[FrgMstr]

If you don't like the way it is run, you can easily have your account deleted and it will solve all your problems with our system administration and policies. This is your queue to STFU and stop saying the same thing over and over.

 

[Nimisys]

I know it's not [H] place to enforce it, but seriously as a community we need to stop allowing the F&F payments as well as other forms that don't provide protection for both buyer and seller. I'm less inclined to purchase or sell to someone I don't know, haven't vetted (ie phone call) and wants a form of payment that offers minimal protection. That is just asking for a problem in order to save a a few bucks. We ought to be demanding better.

 

[LFaWolf]

I know it's not [H] place to enforce it, but seriously as a community we need to stop allowing the F&F payments as well as other forms that don't provide protection for both buyer and seller. I'm less inclined to purchase or sell to someone I don't know, haven't vetted (ie phone call) and wants a form of payment that offers minimal protection. That is just asking for a problem in order to save a a few bucks. We ought to be demanding better.

There is an increase in F&F payments since the IRS tax law reporting of >$600 through PayPal Goods and Services. You can always ask to pay the fees. If the seller says no, and you don't feel comfortable, walk away from the deal. Heatware is a way to mitigate the risks but it is not ideal. Any payments other than PayPal Goods and Services give you no protection whatsoever. If you cannot take the loss, don't do the deal.

 

[sfsuphysics]

There is an increase in F&F payments since the IRS tax law reporting of >$600 through PayPal Goods and Services.

So they report it to the IRS, no big deal, as long as you're not trying to scalp it up any selling of goods where no profit is made (i.e. selling at or below the original purchase price) is a non-taxable transaction. It's always good policy to keep a receipt of your purchase or copy of such and you're in the clear for any taxes on top of your sale, only needing to worry about PP fees.

 

[LFaWolf]

So they report it to the IRS, no big deal, as long as you're not trying to scalp it up any selling of goods where no profit is made (i.e. selling at or below the original purchase price) is a non-taxable transaction. It's always good policy to keep a receipt of your purchase or copy of such and you're in the clear for any taxes on top of your sale, only needing to worry about PP fees.

It is more of a hassle than a problem. Once they report it, I will need to keep a record of what I sold and when I bought it, and keep it for 3 years? (forgot how long I need to keep tax records, 3 or 7 years?) So much so that I would rather not sell anything high value and think twice before buying anything which I might have to sell later.

 

[Icecold]

There is also the issue of items from a long time ago that someone may not have purchase records for. I have an old AGP Geforce Ti4600 I've thought about posting for anybody that is setting up a retro gaming rig. Surely it would sell for less(inflation adjusted) than it did when it was new, but there's no way to prove what it had been purchased for and that I didn't just pull it out of some random junker PC with a $0 cost basis.

Previously when somebody requested F&F they would nearly always be fine with G&S if you paid the fee, but that no longer seems to be the case with a lot of sellers.

 

[Gideon]

I just wont buy anything with F&F, if they wont take payment any other way then they can keep it. Funny part is people think they are safe from reporting, but in reality Paypal stores all records of transactions, which can be demanded by the IRS.