Hey, does anyone know of any recent password leaks?

Discussion in 'General Advice' started by witchknights, Dec 21, 2018.

  1. witchknights

    witchknights Bold Enchanter Defends The Fearful

    I just got a weird extortion spam email, and it had one of my passwords in it. It was one of those "I have a porn video of you and I got all your Facebook contacts! And keylogged your PC!" which I know is bullshit, but now I'm worried about a leak I didn't know about - it's my generic password for random sites. Have I missed any security breaches lately?
     
    • Witnessed x 1
  2. Firo

    Firo it's not heaven if all dogs don't go

    I'm not sure - have you checked haveIbeenpwned already?
     
    • Informative x 1
    • Useful x 1
  3. witchknights

    witchknights Bold Enchanter Defends The Fearful

    Oh, I had no idea there was a website for that. Thanks!
     
  4. witchknights

    witchknights Bold Enchanter Defends The Fearful

    Yeah, it's on Adobe, dropbox, a huge leak compilation, and tumblr of all places. Thanks, hellsite, for this huge spike in anxiety!
     
    • Witnessed x 3
    • Informative x 1
  5. Nobody's Home

    Nobody's Home I'm a Greg Coded Tom Girl

    Damn!
     
    • Agree x 1
  6. vuatson

    vuatson [delurks]

    Huh, apparently my login info got leaked from tumblr, 8tracks, and myspace (wtf?) but haveibeenpwned says that the specific breaches it got leaked in happened in 2013, 2017, and 2008 respectively.

    I must have been got in whatever recent leak happened too though, I just found that same extortion email in my spam folder (from the 12th, lol)

    I guess I should... change my password then? Or is it too late to bother? Using the same few passwords for everything has finally come back to bite me lol
     
    • Witnessed x 4
  7. vuatson

    vuatson [delurks]

    Google tells me of a tumblr bug that supposedly got fixed in October, but no more recent leaks than that. So either it’s extremely recent, or this is from that one leak a couple years ago?
     
  8. Firo

    Firo it's not heaven if all dogs don't go

    never too late to change your pass in places that matter! I personally don't really like the idea of using a password manager and I'm notoriously lazy, but I use a compromise of "not using the password I use for my email anywhere else and generally trying to keep important accs differently passworded".
     
    • Like x 1
  9. witchknights

    witchknights Bold Enchanter Defends The Fearful

    Does it ask you for 948 dollars on bitcoin?

    I have no idea when this could have happened honestly. My passwords for all the important things are different than the one they got so I'm not worried, but it's the password for literally everything else.
     
  10. Firo

    Firo it's not heaven if all dogs don't go

    honestly, old pass databases float around forever if you know where to look - chances are some enterprising panic phishermen got their claws on one and are now mass-spamming relying on most people not in fact changing their passes or knowing about old irrelevant breaches. it might mean nothing. but change passes in places that matter anyway
     
    Last edited: Dec 21, 2018
    • Agree x 4
  11. vuatson

    vuatson [delurks]

    It asked me for a thousand within 48 hours (again, on the 12th :P) and talked about the process of how they supposedly hacked me - oh, and it was sent from my email, or at least made to look that way. here’s a transcript:

    You may not know me and you are probably wondering why you are getting this e mail, right?

    I'm a hacker who cracked your devices a few months ago.

    I sent you an email from YOUR hacked account.

    I setup a malware on the adult vids (porno) web-site and guess what, you visited this site to have fun (you know what I mean).

    While you were watching videos, your internet browser started out functioning as a RDP (Remote Control) having a keylogger which gave me accessibility to your screen and web cam.

    after that, my software program obtained all of your contacts and files.



    You entered a passwords on the websites you visited, and I intercepted it.



    Of course you can will change it, or already changed it.

    But it doesn't matter, my malware updated it every time.



    What did I do?



    I created a double-screen video. 1st part shows the video you were watching (you've got a good taste haha . . .), and 2nd part shows the recording of your web cam.

    Do not try to find and destroy my virus! (All your data is already uploaded to a remote server)

    – Do not try to contact with me

    – Various security services will not help you; formatting a disk or destroying a device will not help either, since your data is already on a remote server.



    I guarantee you that I will not disturb you again after payment, as you are not my single victim. This is a hacker code of honor.



    Don’t be mad at me, everyone has their own work.

    exactly what should you do?



    Well, in my opinion, $1000 (USD) is a fair price for our little secret. You'll make the payment by Bitcoin (if you do not know this, search "how to buy bitcoin" in Google).



    My Bitcoin wallet Address:

    1CVkdrL8G1NjaTKw2JPXBiW86QgenJvhb8

    (It is cAsE sensitive, so copy and paste it)



    Important:

    You have 48 hour in order to make the payment. (I've a facebook pixel in this mail, and at this moment I know that you have read through this email message).

    To track the reading of a message and the actions in it, I use the facebook pixel.

    Thanks to them. (Everything that is used for the authorities can help us.)

    If I do not get the BitCoins, I will certainly send out your video recording to all of your contacts including relatives, coworkers, and so on. Having said that, if I receive the payment, I'll destroy the video immidiately.

    If you need evidence, reply with "Yes!" and I will certainly send out your video recording to your 6 contacts. It is a non-negotiable offer, that being said don't waste my personal time and yours by responding to this message.

    Looks like they just want people to panic and do what they say without thinking, really. I do use my email password on some other sites but not PayPal or anything like that... though probably on some sites that I’ve given financial info to for buying stuff, like steam or something. But my bank history looks just fine.
     
  12. witchknights

    witchknights Bold Enchanter Defends The Fearful

    Yep, some of the wording is different but that's the gist in the one I got too. I have that password in some online shopping that I should probably change just in case; it hadn't occurred to me that this could be an old list, and I have been using the same password for unimportant things since 2004, so /shrug emoji
     
  13. palindromordnilap

    palindromordnilap Well-Known Member

    Yeah, I should also note that anyone can send an e-mail from any address whether or not they do control it, it will probably trip some particularly good spam filters like Gmail's but otherwise the sender address is about as reliable as an actual letter's.
    I strongly recommend a password manager for people who don't have too much trouble with that - I've used LastPass before moving to KeePass which uses offline databases, but I'm not sure I'd recommend LastPass because there was some security fuckery a while back that made me trust it a lot less. Otherwise, if you need a strong but easily rememberable password, this is extremely useful (and at least some versions of KeePass have a generator for those built-in).
     
    • Informative x 3
  14. palindromordnilap

    palindromordnilap Well-Known Member

    Update: it's even more stupid than I thought. I just found out I received the same email on one of my old addresses, which was repeatedly leaked in data dumps.
    upload_2019-2-13_17-11-8.png
    So, this variant is in French, but more importantly: they didn't even try to make it look like it came from your own email address. The domain name is misspelled. At most, all they did was BCC the real one instead of putting in "To" so it's slightly less obvious.
     
  15. spockandawe

    spockandawe soft and woolen and writhing with curiosity

    A variant approach that can lower your personal reliance on keypass programs that my parents taught me is using the site name or url as the core for a unique site-by-site password system. Like, maybe you put two numbers as a prefix and capitalize the first letter of the name (or applying typing quirks works well for this too), maybe you add two question marks at the end, and then your tumblr password is 00Tumblr?? and your amazon password is 00Amazon??, and you'll get a system you can remember pretty easily.
     
    • Useful x 2
  16. palindromordnilap

    palindromordnilap Well-Known Member

    A problem with this would be that if one of your passwords is compromised, it's relatively easy for someone who's doing more than mass credential stuffing to figure out the pattern. There was actually an issue with this a while back when some French TV channel filmed their own studio, and accidentally showed a post-it with "email: [the email], password: thepasswordforyoutube" on it. Needless to say, fun stuff happened.
     
    • Winner x 1
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice