Discord Password

[JuanMena]

Is this normal?

It's been 3 times in a week... 3 times!
Are they trying to convince me that I have to use he two factor authentication?

PS:
I know what you're thinking: no, I use passwords with over 20 characters among letters, characters and numbers.
The IP addresses are different these 3 times it's happened.
Yes, they're not my IP address. I've made sure of that.

 

[godreborn]

I've never encountered this email. I've been using discord since November of last year.

 

[JuanMena]

I've never encountered this email. I've been using discord since November of last year.

So, they're real attempts huh?
Okay... I don't use it anyways.

 

[godreborn]

So, they're real attempts huh?
Okay... I don't use it anyways.

Couldn't say. Have you ever used discord?

 

[JuanMena]

Couldn't say. Have you ever used discord?

Recently used it once or twice.
I was waiting for a message from someone so I've just opening it to see if they've replied.

But I've got this message today, on sunday and a week ago.

I've changed my password three times already and it's a different IP everytime (and different than mine)

 

[godreborn]

Recently used it once or twice.
I was waiting for a message from someone so I've just opening it to see if they've replied.

But I've got this message today, on sunday and a week ago.

I've changed my password three times already and it's a different IP everytime (and different than mine)

Maybe add the 2 step verification, then forget about it.

 

[JuanMena]

forget about it.

Yes, I don't use it really.

Will do when I start using it... if I ever use it that is.

Thanks mate.

 

[Alexander1970]

Yeah,actual there are many Assholes on the Road.....

A Friend of mine got this fake Austrian Post Information:



Facebook Accounts from 2 Friends where hacked this Week.....

 

[JuanMena]

Facebook Accounts from 2 Friends where hacked this Week.....

This is why I have multiple Google and Hotmail Accounts.
I use a different one for each forum/site.

Unfortunately, due to my bad habit of creating such difficult passwords (and me not remembering them) made me loose 3 Hotmail accounts and 1 Google account about 3 months ago.

I must make newer ones.

 

[KleinesSinchen]

This is why I have multiple Google and Hotmail Accounts.
I use a different one for each forum/site.

Good. Should be the default method anyway.

Unfortunately, due to my bad habit of creating such difficult passwords (and me not remembering them) made me loose 3 Hotmail accounts and 1 Google account about 3 months ago.

I must make newer ones.

Not exactly good. Store passwords in an encrypted container and back them up.
=======

Two factor authentication is a good idea for using any service. Just make sure the device receiving the codes doesn't get compromised.

 

[JuanMena]

Good. Should be the default method anyway.


Not exactly good. Store passwords in an encrypted container and back them up.
=======

Two factor authentication is a good idea for using any service. Just make sure the device receiving the codes doesn't get compromised.

To be honest that sounds like a lot of work hehe.

I think I'm fine though. I don't visit sketchy sites, and I rarely use the internet on my laptop (unless I need to download something)
So encrypting my files is a bit exaggerated (for me) I think I'm fine. Heck, if I even want to be 100% secure, I'd type my passwords with pen and paper in a notebook and type them each time I need to log in somewhere.
But again... I'm lazy (and I used to use this method years ago to be honest)
But once again... a bit exaggerated.

 

[Viri]

Just make sure you don't click a phishing attempt email. I get phishing emails all the time, mostly about my Netflix account being banned, because of closed credit card, even though I haven't paid for Netflix since 2015.

 

[KleinesSinchen]

To be honest that sounds like a lot of work hehe.

I think I'm fine though. I don't visit sketchy sites, and I rarely use the internet on my laptop (unless I need to download something)
So encrypting my files is a bit exaggerated (for me) I think I'm fine. Heck, if I even want to be 100% secure, I'd type my passwords with pen and paper in a notebook and type them each time I need to log in somewhere.
But again... I'm lazy (and I used to use this method years ago to be honest)
But once again... a bit exaggerated.

Of course security is work. In my opinion security and convenience contradict each other. You're not paranoid. But… I am. And: Yes, attackers have used cameras in compromised computers for reading passwords stored on paper.

To be honest my passwords are on the same computer I use for logging in – but encrypted in KeepassX. My main PC compromised would be almost jackpot for the attacker. Two factor authentication only really helps if a different devices receives the codes (and the main machine doesn't have access to the codes).

I have to rethink and improve my approach a bit, but generally the two-factor thing isn't easy to breach.

 

[JuanMena]

Just make sure you don't click a phishing attempt email. I get phishing emails all the time, mostly about my Netflix account being banned, because of closed credit card, even though I haven't paid for Netflix since 2015.

How could I know that these are phishing attempts?

When I click on Discord, I get the "Email and Password" boxes, after typing them, I get a "I'm not a Robot" cache button.
Then it tells me to check my Email to verify my account (which I verified years ago) and then I see these messages... that is the pic posted in Original Post.

Of course security is work. In my opinion security and convenience contradict each other. You're not paranoid. But… I am. And: Yes, attackers have used cameras in compromised computers for reading passwords stored on paper.

To be honest my passwords are on the same computer I use for logging in – but encrypted in KeepassX. My main PC compromised would be almost jackpot for the attacker. Two factor authentication only really helps if a different devices receives the codes (and the main machine doesn't have access to the codes).

I have to rethink and improve my approach a bit, but generally the two-factor thing isn't easy to breach.

Do you think it might be FireFox's fault?
I recently changed from Chrome to FireFox, and FireFox is not saving my log-in credentials. Even though I have the option enabled, but meh.

 

[hippy dave]

2FA all day every day

 

[SkittleDash]

Bit of a stretch but do you use a VPN?

 

[JuanMena]

2FA all day every day

¯\_(ツ)_/¯

Bit of a stretch but do you use a VPN?

Nop.

It's also not important. I hardly see myself using that site really.

 

[Takokeshi]

To be honest my passwords are on the same computer I use for logging in – but encrypted in KeepassX. My main PC compromised would be almost jackpot for the attacker. Two factor authentication only really helps if a different devices receives the codes (and the main machine doesn't have access to the codes).

This is not as bad as you'd think. Your main pc compromised via remote access is game over regardless of whether your password vault were stored on it or not.

If they have remote access, they can just access your logged in accounts directly from your own device. For the rest, they can just wait until you log in to extract passwords and otp and have their systems set up to automatically log in before you do.

2fa mainly protects against password reuse or weak password cracking, in situations where an attacker only has access to leaked databases or if they're trying to guess your password. If they have your device compromised though, no amount of 2fa can save you (save maybe for hardware 2fa, but even then, once you've logged in, they can just access directly through your own device.)

It goes without saying, but you've got to do all you can to keep your main devices secure. In @JuanMena's case, this could easily be a phishing email, but if it isn't... I'd be worried about how an attacker might be managing to steal a strong 20-character password every time it gets changed.

 

[JuanMena]

This is not as bad as you'd think. Your main pc compromised via remote access is game over regardless of whether your password vault were stored on it or not.

If they have remote access, they can just access your logged in accounts directly from your own device. For other things, they can just wait until you log in to extract passwords and otp and have their systems set up to automatically log in before you do.

2fa mainly protects against password reuse or weak password cracking, in situations where an attacker only has access to leaked databases or if they're trying to guess your password. If they have your device compromised though, no amount of 2fa can save you (save maybe for hardware 2fa, but even then, once you've logged in, they can just access directly through your own device.)

It goes without saying, but you've got to do all you can to keep your main devices secure. In @JuanMena's case, this could easily be a phishing email, but if it isn't... I'd be worried about how an attacker might be managing to steal a strong 20-character password every time it gets changed.

Yep, yep... specially the last part.

I've never had any security problems with Chrome. Again, recently changed to FireFox, and I keep bringing this because maybe it can't quite get my IP address and just takes any other around me.
Like the IP addresses it's shown me are around my own city. It's not like it's an IP from a different country, not even a different state.
Yet it's different from my IP.

Sometimes, GPS and Google Maps, as well as weather apps, sees my location in different places (but still in my city) and the same it's happening here. That's why I'm skeptical whether to take this seriously or not.

For the record, I haven't had any security problems with other sites... just Discord.

I'm thinking Discord nor FireFox are't quite getting my real IP and they just take any near me... like GPS/Maps/Weather apps does.

Could that be a possibility or am I being naive?

Also, if someone's target me directly... shouldn't I've already had problems with other accounts?

 

[Takokeshi]

I've never had any security problems with Chrome. Again, recently changed to FireFox, and I keep bringing this because maybe it can't quite get my IP address and just takes any other around me.

That's not how the internet works, no.

The email implies that you'd need to click Verify in the email in order to allow the login. Yet I don't think you've been needing to do this, correct?

Malicious third parties often can and will spoof their IP using proxies in an attempt to make it look like the login is coming from your location, either to trick the service into thinking that the login is trusted, or to trick the user into thinking that this is their own login attempt. They can't get your exact IP (not without compromising a device on your own network; not how the internet works), but they can often get one similar enough (blame all those insecure IoT devices that are littered all over the place, it's a real gold mine for botnets.)