Mega password hijack
Old 08-06-2014, 07:01 AM   #1
Moderator
MichaelB's Avatar
 
Join Date: Jan 2008
Location: Rocky Inlets
Posts: 24,406
From the NYT http://www.nytimes.com/2014/08/06/te...ials.html?_r=0

Quote:
A Russian crime ring has amassed the largest known collection of stolen Internet credentials, including 1.2 billion user name and password combinations and more than 500 million email addresses, security researchers say.
No word yet from any password managers.
MichaelB is online now   Reply With Quote
Old 08-06-2014, 08:23 AM   #2
Recycles dryer sheets
 
Join Date: May 2013
Posts: 61
Again?
*sighs*
*changes passwords*
footenote is offline   Reply With Quote
Old 08-06-2014, 10:19 AM   #3
Full time employment: Posting here.
 
Join Date: Sep 2012
Location: San Jose
Posts: 607
I've been trying to hit Hold Security's website all morning. According to the articles I've read, you can find out if your email address was part of the thefts.

But their website is unavailable, or running REAL slow to the point it doesn't work.

I suppose they're being slammed with visitors after this article came out.
LoneAspen is offline   Reply With Quote
Old 08-06-2014, 11:32 AM   #4
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
easysurfer's Avatar
 
Join Date: Jun 2008
Posts: 7,883
My mind is getting around the fact that there are more than a billion passwords in existence.

Looks like some password changing homework to do soon.

I wonder what Edward Snowden has to say about this.
__________________
Have you ever seen a headstone with these words
"If only I had spent more time at work" ... from "Busy Man" sung by Billy Ray Cyrus
easysurfer is offline   Reply With Quote
Old 08-06-2014, 11:51 AM   #5
Thinks s/he gets paid by the post
nash031's Avatar
 
Join Date: Jun 2013
Location: Coronado
Posts: 1,485
Note that there appears to be a fake Hold Security website with which you can register your name and email, then enter up to 11 passwords "bellow" with which they will determine if "you" security has been compromised. They swear that they won't get your passwords when you enter them, honest!

Just be careful what you enter online...
__________________
"So we beat to our own drummer in the sun;
We ask for nobody's permission to run.
I just wanna live in a world like that;
Now I'm gonna live in a world like that!" - World Like That, O.A.R.
nash031 is offline   Reply With Quote
Old 08-06-2014, 11:52 AM   #6
Thinks s/he gets paid by the post
sengsational's Avatar
 
Join Date: Oct 2010
Posts: 3,815
This sounds like it's more hype than substance to me.
sengsational is offline   Reply With Quote
Old 08-06-2014, 11:58 AM   #7
Recycles dryer sheets
 
Join Date: May 2013
Posts: 61
sengsational - Sounds legit to me: "At the request of The New York Times, a security expert not affiliated with Hold Security analyzed the database of stolen credentials and confirmed it was authentic. Another computer crime expert who had reviewed the data, but was not allowed to discuss it publicly, said some big companies were aware that their records were among the stolen information."

I changed our financial website passwords this morning. Took only a few minutes. Not worried about my email or social passwords. Doubt a Russian hacker could make me look dumber on Twitter than I already do.
footenote is offline   Reply With Quote
Old 08-06-2014, 12:12 PM   #8
Thinks s/he gets paid by the post
sengsational's Avatar
 
Join Date: Oct 2010
Posts: 3,815
I'm just looking at the way the information was written-up on that Hold Security site. Reading between the lines, it looks to me like some hacker entity gathered up a bunch of credentials that have been collected from dinky web sites using SQL injection. I suspect the collection of these credentials spans years. SQL injection is as old as the hills, and big boys, like your bank, know how to protect against it. And this Hold Security looks like a mom and pop shop that is trying to make money (pay them $120 to see if your site was hacked).

Changing your password is always a good idea, but I'm not going to do it because of this flakey bit of news!
sengsational is offline   Reply With Quote
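The post above attributes the collection to SQL injection on small sites and notes that banks know how to defend against it. The following is an added example, not code from the forum or from Hold Security, showing the defence in the smallest possible setting: a constructed in-memory SQLite user table, a lookup that splices user input into the SQL text, and the same lookup done with bound parameters. The plaintext password column is only there to keep the query shape visible; a real store would hold a salted hash.

```python
import sqlite3


def make_db():
    # Constructed sample table standing in for a small site's user store.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "correct horse"), ("bob", "hunter2")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, username, password):
    # DON'T: input is pasted into the SQL text, so a quote in the input can
    # change the structure of the query instead of being compared as data.
    sql = (
        "SELECT username FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return sorted(row[0] for row in conn.execute(sql))


def lookup_safe(conn, username, password):
    # DO: bound parameters are sent separately from the statement text, so the
    # database compares them as values and they can never become SQL syntax.
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return sorted(row[0] for row in conn.execute(sql, (username, password)))


if __name__ == "__main__":
    db = make_db()
    # The classic tautology payload every web scanner tries: it turns the
    # WHERE clause into "... AND password = '' OR '1'='1'" in the vulnerable
    # version and is just a strange password string in the safe one.
    payload = "' OR '1'='1"
    print("vulnerable:", lookup_vulnerable(db, "alice", payload))
    print("safe:      ", lookup_safe(db, "alice", payload))
```

Run as a script, the vulnerable lookup returns every user for the tautology payload while the parameterised one returns nothing; the same two-line change is what "the big boys" have standardised on, and it is the first thing to check in any login handler that builds SQL from strings.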
Old 08-06-2014, 12:20 PM   #9
Moderator
MichaelB's Avatar
 
Join Date: Jan 2008
Location: Rocky Inlets
Posts: 24,406
I saw this news on Ars Technica, but they only referenced the NYT report and had nothing to add. It is strange, and there is a faint aroma of a PR effort. In hacking, however, I see no reason to give the benefit of the doubt to the status quo; previous major hacks have been acknowledged after reporting by third parties. If this is a new hack it will be soon confirmed.
MichaelB is online now   Reply With Quote
Old 08-06-2014, 12:28 PM   #10
Thinks s/he gets paid by the post
nash031's Avatar
 
Join Date: Jun 2013
Location: Coronado
Posts: 1,485
Based on the appearance of Hold Security's online app (cited in my post above), I wouldn't use it. If you're a professional organization, you don't have simple misspellings like that. I'm not taking their word for it... rather than check with their "30-day free trial," I'll just change my random passwords at my financial places tonight.
__________________
"So we beat to our own drummer in the sun;
We ask for nobody's permission to run.
I just wanna live in a world like that;
Now I'm gonna live in a world like that!" - World Like That, O.A.R.
nash031 is offline   Reply With Quote
Old 08-06-2014, 12:53 PM   #11
Full time employment: Posting here.
 
Join Date: Jul 2013
Posts: 567
Quote:
Originally Posted by sengsational View Post
I'm just looking at the way the information was written-up on that Hold Security site. Reading between the lines, it looks to me like some hacker entity gathered up a bunch of credentials that have been collected from dinky web sites using SQL injection. I suspect the collection of these credentials spans years. SQL injection is as old as the hills, and big boys, like your bank, know how to protect against it. And this Hold Security looks like a mom and pop shop that is trying to make money (pay them $120 to see if your site was hacked).

Changing your password is always a good idea, but I'm not going to do it because of this flakey bit of news!
Funny, I came to the same conclusion after a meeting with our CIO this morning, who asked me to look into the details. Besides, login credentials are stolen all the time (via key loggers, viruses, social engineering, phishing etc). It all seems like hype to me (and great for the multi-factor authentication companies to push their products).
dvalley is offline   Reply With Quote
Old 08-06-2014, 02:05 PM   #12
Thinks s/he gets paid by the post
veremchuka's Avatar
 
Join Date: Oct 2010
Location: irradiated - too close to the nuclear furnace
Posts: 1,294
Who's Hold Security? No one ever has heard of them, oh wait NOW we have!

If that many userids/passwords were stolen (1.2B) it's going to take some time to use them. I'm careful about emails. Bottom line: I'm not jumping through hoops every X days or Y weeks these announcements are released. My userids (when I can create them vs my email address being the site default) and passwords are all long and complex. My security/secret questions are total BS. Are they safe? I don't know. I don't store credit card info on any website; rather, I go through the annoyance of having to enter it, and besides, my cc companies won't hold me liable for fraud.

I have 3 financial institutions that I deem important, 2 for retirement investments (both household names) and an online bank. I could change those 3, but if I do I'll be back to doing it again before we have a full cycle of the moon. If they released the names of the institutions, companies et al, then if affected I'd change them, but they aren't, so maybe I'm not affected.
veremchuka is offline   Reply With Quote
Old 08-06-2014, 02:24 PM   #13
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
RunningBum's Avatar
 
Join Date: Jun 2007
Posts: 5,161
Quote:
Originally Posted by footenote View Post
sengsational - Sounds legit to me: "At the request of The New York Times, a security expert not affiliated with Hold Security analyzed the database of stolen credentials and confirmed it was authentic. Another computer crime expert who had reviewed the data, but was not allowed to discuss it publicly, said some big companies were aware that their records were among the stolen information."

I changed our financial website passwords this morning. Took only a few minutes. Not worried about my email or social passwords. Doubt a Russian hacker could make me look dumber on Twitter than I already do.
I wouldn't be careless with your email account. If someone hacks into your email, they can then go into your other accounts and use the Forgot Password option to have a new password or activation link sent to that email account, and now they are into your other accounts.

Whether this is legit or not, I'm not sure, but I did change my email and financial institution accounts today. Better safe than sorry.
RunningBum is offline   Reply With Quote
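RunningBum's point above (and Chuckanut's later in the thread) is that a site whose "Forgot Password" flow trusts the inbox alone hands every account to whoever controls that inbox. The following added example, which is not code from the forum or from any site mentioned in it, sketches a reset handler written so that the emailed link by itself is not enough: the reset is single-use and time-limited, only hashes of the secrets are stored server-side, and completing it also requires a short code delivered over a second channel (SMS or an authenticator app; delivery is out of scope and the returned values stand in for the two messages). The 15-minute lifetime and the five-attempt limit are hypothetical policy values chosen for the example.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # hypothetical policy: a reset link lives 15 minutes
MAX_ATTEMPTS = 5             # hypothetical policy: a 6-digit code must not be guessable


def _digest(value: str) -> str:
    # Only hashes are stored, so a leaked pending-reset table cannot be
    # replayed as live links or codes.
    return hashlib.sha256(value.encode()).hexdigest()


class PasswordResetService:
    """Reset flow that needs proof from two channels, not just the inbox."""

    def __init__(self, clock=time.time):
        self._clock = clock        # injectable so expiry can be tested
        self._pending = {}         # username -> pending reset record

    def begin_reset(self, username):
        link_token = secrets.token_urlsafe(32)         # goes into the emailed link
        oob_code = f"{secrets.randbelow(10**6):06d}"   # goes to the second channel
        self._pending[username] = {
            "link": _digest(link_token),
            "code": _digest(oob_code),
            "expires_at": self._clock() + TOKEN_TTL_SECONDS,
            "attempts_left": MAX_ATTEMPTS,
        }
        return link_token, oob_code

    def complete_reset(self, username, link_token, oob_code):
        rec = self._pending.get(username)
        if rec is None:
            return False                                # nothing pending, or already used
        if self._clock() > rec["expires_at"]:
            self._pending.pop(username, None)           # stale link: discard it
            return False
        # Constant-time comparisons so a wrong guess leaks no timing information.
        link_ok = hmac.compare_digest(rec["link"], _digest(link_token))
        code_ok = hmac.compare_digest(rec["code"], _digest(oob_code))
        if not (link_ok and code_ok):
            rec["attempts_left"] -= 1
            if rec["attempts_left"] <= 0:
                self._pending.pop(username, None)       # too many guesses: start over
            return False
        self._pending.pop(username, None)               # single use: burn it on success
        return True


if __name__ == "__main__":
    svc = PasswordResetService()
    link, code = svc.begin_reset("alice")
    # Someone holding only the inbox has the link but not the code.
    print("link alone:", svc.complete_reset("alice", link, "000000"))
    print("both:      ", svc.complete_reset("alice", link, code))
    print("replay:    ", svc.complete_reset("alice", link, code))
```

The design choice worth noting is that the second factor is checked inside the same call as the link, so there is no intermediate state in which the link alone has "half-authenticated" the user; that is the gap that turns an email compromise into a takeover of every account registered to that address.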
Old 08-06-2014, 03:21 PM   #14
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
Chuckanut's Avatar
 
Join Date: Aug 2011
Location: West of the Mississippi
Posts: 6,315
Here is Krebs's take on the matter. IMHO, he is an authoritative source.

Q&A on the Reported Theft of 1.2B Email Accounts — Krebs on Security

Regarding the person who runs Hold Security he states:

Quote:
I’ve known Hold Security’s Founder Alex Holden for nearly seven years. Coincidentally, I initially met him in Las Vegas at the Black Hat security convention (where I am now). Alex is a talented and tireless researcher, as well as a forthright and honest guy.
Quote:
Alex isn’t keen on disclosing his methods, but I have seen his research and data firsthand and can say it’s definitely for real. Without spilling his secrets or methods, it is clear that he has a first-hand view on the day-to-day activities of some very active organized cybercrime networks and actors.
__________________
The worst decisions are usually made in times of anger and impatience.
Chuckanut is offline   Reply With Quote
Old 08-06-2014, 03:49 PM   #15
Recycles dryer sheets
 
Join Date: May 2013
Posts: 61
RunningBum - Excellent point.
*sighs*
*changes email passwords*

Chuckanut - Agree, Hold Security is legit. Plus NYTimes claims they had independent experts verify the claim.

I'd rather change passwords than not change them and then wake up tomorrow to see that Vanguard userid/pwords were compromised...
footenote is offline   Reply With Quote
Old 08-06-2014, 03:51 PM   #16
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
Lsbcal's Avatar
 
Join Date: May 2006
Location: west coast, hi there!
Posts: 5,672
Quote:
Originally Posted by sengsational View Post
I'm just looking at the way the information was written-up on that Hold Security site. Reading between the lines, it looks to me like some hacker entity gathered up a bunch of credentials that have been collected from dinky web sites using SQL injection. I suspect the collection of these credentials spans years. SQL injection is as old as the hills, and big boys, like your bank, know how to protect against it. And this Hold Security looks like a mom and pop shop that is trying to make money (pay them $120 to see if your site was hacked).

Changing your password is always a good idea, but I'm not going to do it because of this flakey bit of news!
I like your attitude!

I change my financial passwords once per year. If you suddenly see Lsbcal with misspellings and Russian sounding English mis-phrasings, you know I've been hacked.

As they said in one memorable movie, "Russians coming, please to get from street!"
Lsbcal is offline   Reply With Quote
Old 08-06-2014, 04:39 PM   #17
Thinks s/he gets paid by the post
veremchuka's Avatar
 
Join Date: Oct 2010
Location: irradiated - too close to the nuclear furnace
Posts: 1,294
So I read this article, Q&A on the Reported Theft of 1.2B Email Accounts — Krebs on Security, and it seems that the theft is of email userids and passwords, not from companies or financial institutions. As noted in the article, if you use your email userid and/or password in other places you are in deeper trouble than if you use unique ones for all places. Of course we all know that and hopefully follow that. So maybe changing your email password is prudent; I don't think I can change my userid as it is my email address.
veremchuka is offline   Reply With Quote
Old 08-06-2014, 04:46 PM   #18
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
Chuckanut's Avatar
 
Join Date: Aug 2011
Location: West of the Mississippi
Posts: 6,315
Quote:
Originally Posted by veremchuka View Post
So I read this article, Q&A on the Reported Theft of 1.2B Email Accounts — Krebs on Security, and it seems that the theft is of email userids and passwords, not from companies or financial institutions. As noted in the article, if you use your email userid and/or password in other places you are in deeper trouble than if you use unique ones for all places. Of course we all know that and hopefully follow that. So maybe changing your email password is prudent; I don't think I can change my userid as it is my email address.

The issue with email is that many sites allow a password change with a simple email message. If they have your email they can change your password.
The worst decisions are usually made in times of anger and impatience.
Chuckanut is offline   Reply With Quote
Old 08-06-2014, 05:12 PM   #19
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
audreyh1's Avatar
 
Join Date: Jan 2006
Location: Rio Grande Valley
Posts: 16,449
On that Krebs article - READ THE COMMENTS!

There is more going on than meets the eye. Layers of "spin" it seems.

But I have noticed an uptick in email spam using names of people I know, even though this "announcement" is really talking about data accumulated over years.
Well, I thought I was retired. But it seems that now I'm working as a travel agent instead!
audreyh1 is offline   Reply With Quote
Old 08-06-2014, 05:57 PM   #20
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
easysurfer's Avatar
 
Join Date: Jun 2008
Posts: 7,883
Quote:
Originally Posted by veremchuka View Post
... As noted in the article, if you use your email userid and/or password in other places you are in deeper trouble than if you use unique ones for all places.
Hopefully this hacker incident is a wake up call for sites to stop using the email as a user id.

I like how some bank and credit card sites allow the changing of the userid. That came in very handy when my computer encountered a keylogger a few years back.
Have you ever seen a headstone with these words
"If only I had spent more time at work" ... from "Busy Man" sung by Billy Ray Cyrus
easysurfer is offline   Reply With Quote