New Spammers going after normal Accounts

Smoker1

Well-Known Member
OP
Member
Joined
Feb 17, 2015
Messages
5,076
Trophies
1
Location
California
XP
6,174
Country
United States
Guessing some People had their Accounts Hacked by Spammers/Scammers. Recently in a Switch Cheat General Request, 2 Accounts (1 created in 2017, and 1 in 2013), Spammed close to the same Message. Both Reported.

Suggest People Update their Passwords to reflect something harder for Criminals to get, such as (Do NOT use, just an example), P@$5w0Rd4m3 (Case Sensitive, 2 Numbers, 2 Lower, 2 Capital, 2 Special Characters, minimum and 8+ Length).
 

SylverReZ

GBATemp Sh*tposter Deluxe
Member
GBAtemp Patron
Joined
Sep 13, 2022
Messages
7,620
Trophies
3
Location
The Wired
Website
m4x1mumrez87.neocities.org
XP
21,747
Country
United Kingdom
I mentioned a similar instance to this in another thread.
https://gbatemp.net/threads/limitin...-we-also-need-more-staff.654452/post-10410238

Remember to turn on 2FA and create unique strong passwords, and not the same used for your other accounts.

All of the e-mails are 'temporary', and are linked to temp-mail(.)org. There are people out there who offer services to spam these forums, and even perform 'credential stuffing' attacks on members who have been here for way longer to advertise their crypto pyramid schemes.

 

ModernSithLord

Well-Known Member
Newcomer
Joined
Nov 13, 2023
Messages
77
Trophies
0
Age
32
XP
242
Country
United States

KleinesSinchen

GBAtemp's Backup Reminder + Fearless Testing Sina
Member
GBAtemp Patron
Joined
Mar 28, 2018
Messages
4,525
Trophies
2
XP
15,238
Country
Germany
Hijacked accounts happen sometimes. Often the real users have been inactive for years and will never notice their account has been compromised.

It is a general problem. Without 2FA and with password re-usage this will happen all the time on pretty much all sites. Leaked database somewhere, bruteforce and dictionary attack, trying to login elsewhere with same e-mail and the cracked passwords.... and boom.

@Smoker1 Your example password (11 chars) gets estimated with 36.5 bit by IYPS.
It takes seconds to minutes to crack this type of password depending on hash function complexity and the compute power at the attacker's disposal.

80 to 90 bits of entropy are considered mostly safe for now. Use a six or seven word Diceware passphrase (the latter being just above 90 bit) -- and, no, correct horse battery staple, should not be part of it.
 

SylverReZ

Huge Facts!, With how many leaks occur nowadays you see users using the most simplistic passwords. Nothing extremely complex in many cases.
Data breaches this year have been wild, especially from the beginning of April.

> Hijacked accounts happen sometimes. Often the real users have been inactive for years and will never notice their account has been compromised.
>
> It is a general problem. Without 2FA and with password re-usage this will happen all the time on pretty much all sites. Leaked database somewhere, bruteforce and dictionary attack, trying to login elsewhere with same e-mail and the cracked passwords.... and boom.
>
> @Smoker1 Your example password (11 chars) gets estimated with 36.5 bit by IYPS.
> It takes seconds to minutes to crack this type of password depending on hash function complexity and the compute power at the attacker's disposal.
>
> 80 to 90 bits of entropy are considered mostly safe for now. Use a six or seven word Diceware passphrase (the latter being just above 90 bit) -- and, no, correct horse battery staple, should not be part of it.
And like many websites, your passwords should not be stored locally on the host; rather, they should be encrypted with a strong encryption, never to be opened with any attack vendor for that matter.

I think my old account was hacked ;/ I can't even get into it
Contact an admin or send yourself an e-mail recovery link. Otherwise, if you don't have access to your e-mail, there's nothing I can do about it.
 

Smoker1

Yeah, both my Parents got Letters in the Mail from 2 different Companies saying their Info was possibly Compromised because a Company had it, then got Breached. The hell they have their Info to begin with???? 1 thought.....Marketing, and Offer Spam.
 

k0walski

Well-Known Member
Newcomer
Joined
Aug 10, 2021
Messages
98
Trophies
1
XP
795
Country
Lithuania
Well, I'll put my 50 cents here... Use password generators and LOCAL (not cloud) password storage (like KeepassX). Good entropy is around 200bits for a 32 symbol password (that's why password storage is needed). Just as an example of a really good password:

DWZ2Xr$N%zXTqTnjWoAKueX#msWZAV%7

200bit entropy.. Good luck cracking it.
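
Added example, not part of any post in this thread: the bit figures quoted above for Diceware passphrases and for a 32-symbol generated password both come from the same formula, which only holds when every word or character is picked uniformly at random. The 76-character alphabet and all function names here are assumptions made for the illustration.

```python
import math
import secrets
import string

DICEWARE_WORDS = 6 ** 5  # 7776 entries: one word per five dice rolls
PRINTABLE_ASCII = 94     # all printable ASCII characters except space
# Constructed 76-character alphabet (letters, digits, 14 symbols); an assumption,
# not the character set of any generator mentioned in the thread.
ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?@^_~"


def uniform_entropy_bits(choices: int, picks: int) -> float:
    """Entropy of `picks` independent, uniformly random selections from `choices`."""
    return picks * math.log2(choices)


def picks_needed(target_bits: float, choices: int) -> int:
    """Smallest number of uniform picks that reaches `target_bits`."""
    return math.ceil(target_bits / math.log2(choices))


def random_password(length: int, alphabet: str = ALPHABET) -> str:
    """Draw each character from the OS CSPRNG so the formula above applies."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def summary() -> dict[str, float]:
    return {
        "diceware_6_words": uniform_entropy_bits(DICEWARE_WORDS, 6),
        "diceware_7_words": uniform_entropy_bits(DICEWARE_WORDS, 7),
        "random_32_chars": uniform_entropy_bits(len(ALPHABET), 32),
        # Upper bound only: what 11 characters would be worth IF drawn uniformly
        # from printable ASCII. A human-built pattern (dictionary word plus
        # substitutions) is not uniform, which is why the estimator quoted in
        # the thread reports 36.5 bits for the 11-character example instead.
        "naive_11_chars_upper_bound": uniform_entropy_bits(PRINTABLE_ASCII, 11),
        "chars_for_90_bits": picks_needed(90, len(ALPHABET)),
        "words_for_90_bits": picks_needed(90, DICEWARE_WORDS),
    }


if __name__ == "__main__":
    for name, value in summary().items():
        print(f"{name:28s} {value:7.2f}")
    print("sample:", random_password(picks_needed(90, len(ALPHABET))))
```
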
 

ModernSithLord

> Data breaches this year have been wild, especially from the beginning of April.

> And like many websites, your passwords should not be stored locally on the host; rather, they should be encrypted with a strong encryption, never to be opened with any attack vendor for that matter.

> Contact an admin or send yourself an e-mail recovery link. Otherwise, if you don't have access to your e-mail, there's nothing I can do about it.

Breaches have been on the rise, especially with ransomware based attacks. I can't even imagine how many sites do not have an ssl license. Which is seriously a must nowadays.
 

SylverReZ

I am in a Discord server, with some people who host their own personal websites through Cloudflare and other alternative hosting services. But the worst part, is that they don't know good OPSEC or even know how to operate and service their websites in the first place, which leads them to get DDoS'd or hacked.
 

Smoker1

> Well, I'll put my 50 cents here... Use password generators and LOCAL (not cloud) password storage (like KeepassX). Good entropy is around 200bits for a 32 symbol password (that's why password storage is needed). Just as an example of a really good password:
>
> DWZ2Xr$N%zXTqTnjWoAKueX#msWZAV%7
>
> 200bit entropy.. Good luck cracking it.

Only problem is, what if you need to input it manually?
 

Smoker1

You mean how they figure out the password, or in what sense do you mean by that?
What if you need to get at an Account, you don't have the Password Saved, and have to enter it Manually?
Rough example: When I was in the Army, had to create an 8+ Character Password for Military Email Account with the specific Character Requirement. Some People won't be able to remember something like that, and it is created on a Military Computer to set up. What if you have to Log In, but don't remember what it is? Plus after like 3 Incorrect attempts, you are Locked Out for a certain length of time.
 

k0walski

> Only problem is, what if you need to input it manually?

Oh, in such case one will have huge pain in ... fingers, but only once, I guess. That's why I stand with local password manager - one can put the encrypted database (for which, of course, one will need a password to unlock) on a USB stick (better to have at least one emergency copy), so it won't be kept all the time on the PC/laptop (in case of virus etc..., sudo rm -rf /, or else), and just do the db unlock, select a password to insert, insert it, that's it. Nowadays, unfortunately, digital identity must be protected... by all means.
Post automatically merged:

Not an ad, just a suggestion:
https://keepassxc.org/
 

SylverReZ

> What if you need to get at an Account, you don't have the Password Saved, and have to enter it Manually?
> Rough example: When I was in the Army, had to create an 8+ Character Password for Military Email Account with the specific Character Requirement. Some People won't be able to remember something like that, and it is created on a Military Computer to set up. What if you have to Log In, but don't remember what it is? Plus after like 3 Incorrect attempts, you are Locked Out for a certain length of time.

>What if you need to get at an Account, you don't have the Password Saved, and have to enter it Manually?
You'd be better off with a USB flash drive to store your passwords, or something like an external SSD for a backup. I don't like using local password managers tbh, but hey, that's entirely up to you. But, don't host your passwords online using an online password manager, as those tend to get more cyber attacks.

>What if you have to Log In, but dont remember what it is?
Reset your password if there's an option to do so. Be sure to update the password from your storage medium.

https://keepassxc(.)org/
Why not get it from the official site? That version has since been discontinued.
https://keepass.info/
 

Smoker1

> Oh, in such case one will have huge pain in ... fingers, but only once, I guess. That's why I stand with local password manager - one can put the encrypted database (for which, of course, one will need a password to unlock) on a USB stick (better to have at least one emergency copy), so it won't be kept all the time on the PC/laptop (in case of virus etc..., sudo rm -rf /, or else), and just do the db unlock, select a password to insert, insert it, that's it. Nowadays, unfortunately, digital identity must be protected... by all means.
> Post automatically merged:
>
> Not an ad, just a suggestion:
> https://keepassxc.org/

Yeah, would be better off if they put an end to Buying/Selling People's Information. Would be a start, and also make an example of these Identity Theft Criminals.
 

SylverReZ

> Yeah, would be better off if they put an end to Buying/Selling People's Information. Would be a start, and also make an example of these Identity Theft Criminals.

You do realise that data brokers existed for ages. It should be note-worthy that whenever you read the terms of service on a website, that any data you send will be collected by "3rd-parties".
 
