All of the breaches are, especially these compilation ones. I switched email addresses back in 2016, and despite having accounts basically everywhere, my newer account has never showed up in a breach. Even the email address I used primarily for new accounts years before that hasn't shown up in any. Only my original created-in-2006 Gmail account ends up in breach lists.
On the topic of old email addresses, make sure your old email provider doesn't release your email address after so many years / months. This is a common way to get access to accounts by creating a new email account with the same address as an expired address and then using an email-based password reset to gain access to the account. Happened to my wife with an old email address from high school.
My understanding is that as of now, Google never permits account name reuse. That being said, I keep all of my old accounts, even if I don't use them anymore. I do check Gmail occasionally for emails which trickle in from time to time.
This is really a big problem since one is forced to keep old addresses active and around. But your email provider, even if it’s a paid service, may have stupid policies to recycle addresses very soon and may not make exceptions for you.
Posteo.de recycles deleted email addresses/aliases in three months. Fastmail is also similar and recycles them within three months or so. Same goes for Mailbox.org. All these paid services are pathetic in this regard.
Runbox.com (which I don’t use) is the only paid email service that clearly states that it never ever recycles email addresses, just like Gmail and Yahoo Mail don’t do either.
I’d like to know about privacy focused paid email services that have a clear policy of not recycling addresses.
Ideally if you're paying for email as it is, you should probably be in the custom domain space. FastMail may be able to reuse my FastMail address, but my FastMail address is tied to very little, since I use a custom domain, that they can't keep.
Of course, as a reminder: This means you have to keep your custom domain, or else someone can register it after it expires and make any emails they want on it. But if you have a domain personal to you that you've used as part of your email address, you should probably keep it forever anyways.
I lost the password to the @hotmail.com address I used for Myspace, and wanted so desperately to delete the account. Last year, just on a whim, I tried to register it and they actually let me.
Turns out it wasn't the email I used on Myspace.
Also, is Myspace back? Somehow my profile and pictures are on there again, but I thought they removed personal profiles years ago?
In all seriousness, the reason why this and several collections roughly as large as it went for $45 on the market is precisely that it must not be that useful anymore. If it truly were a skeleton key to the world it would not be going for $45.
I'm abundantly positive there's still a lot of perfectly valid login credentials in there, but the trick is finding them without also triggering rate limiting detection now.
I'm not aware of the specifics of the dark market, but from a marketing perspective selling something for cheap makes it easier to sell volume. Perhaps the guy who did the hack didn't want to go into the trouble of finding the one bidder who would give him top dollars, not to mention the dangers a contact like that might include. It's easier to find 1k buyers for $45 than one for $45k.
There isn't a "the guy" who did "the hack"; this is an aggregate compilation of a series of low-quality elements that have mostly lost their market value. It's the computer security equivalent of this: https://smile.amazon.com/Midnight-Movie-Madness-MegaPack-Dig... 50 low-value movies for $11.99. Note the distinction between "low value" and "no value". Yes, you might find something you like in there, as some of the reviewers did, but the economic value of this stuff has passed.
My point is that the market value has been lost because there actually is some churn in passwords and accounts. If 99% of the credentials in this hack still worked, it would not be getting sold at this price at all; it would be selling something worth tens or hundreds of thousands, if not millions to the right buyer, for You Pay Only $44.99. Not gonna happen. It can't be worth all that much to most buyers if that's all they're selling it for.
Or it's just so widespread that it's worthless, although I'd suggest in that case that we'd have heard about it earlier. Have I Been Pwned actually has some hookups in that world.
Sure, but let's not forget that there are e-mails in there too. $45 for 750M e-mail addresses doesn't sound like a bad deal. Perhaps whoever compiled that list is aiming at spammers and that's why he's selling cheap to get volume.
> It's the computer security equivalent of this: https://smile.amazon.com/Midnight-Movie-Madness-MegaPack-Dig.... 50 low-value movies for $11.99. Note the distinction between "low value" and "no value". Yes, you might find something you like in there, as some of the reviewers did, but the economic value of this stuff has passed.
So the seller shows a screenshot with browser tabs, a date and a time. One of the tabs is really very specific, looking at a particular disqus profile.
I'm not familiar with Windows; is there anything in the screenshot to suggest its torbrowser or anything like that?
Presumably the miscreant's ISP and e.g. the Russian government can guess real easy whom generated that screenshot...?
Of course what they'd do with that info is anyone's guess. It could well not be an offence to sell collections of passwords, if in deed its even an offence to hack those passwords in the first place.
In the screenshot [0] there is also a tab viewing someone's Disqus profile, and you can also see the time and date. I think the suggestion was there may be ways to track down who the hacker is based on this. Of course he could very well be using a VPN (highly likely). Or at the very least a public/free WiFi, although in Russia you have to register with a phone number to access them.
It addresses that in the article: "...notice the open Web browser tab behind his purloined password trove (which is apparently stored at Mega.nz): Troy Hunt’s published research on this 773 million Collection #1"
Sooo this is either a screenshot of Sanixer's machine or of someone who has access to his entire trove. Clearly not the author's.
I see the mega.nz handle "Louren KINGUR" with avatar, and the same person's Google account avatar with no username. I did an image search on this latter one and came up empty handed, but maybe someone with more finesse could find him this way.
In a blog post some time back Troy mentioned that he will not pay for files on principal, because he doesn't need to financially support black hats/thieves/criminals and most of the "best" files themselves get stolen or breached (because thieves will be thieves).
I think it is a reasonable position not to pay for these files, if the money is just going to encourage the creation of more of them.
In the first image with the telegram id the other id is for discord. I don't recall discord being e2e encrypted so that is an interesting choice to offer. Especially since discord is known to have access to all data since they regularly remove chats/servers that don't follow their tos.
That would explain why HIBP told me my account was in the breach, but I couldn't find a specific password within his Password Checker--the breach is probably from before I switched to a password manager and rotated all of my passwords.
Since a few weeks ago I receive spam emails threatening me with an old password I no longer use. I wonder if it's related to this collection. It starts with:
> I am well aware [old password I think I swapped out everywhere, but definitely in all important places, when I started to use random keepass pws two years ago] is your pass words. Lets get straight to the point. None has compensated me to check about you. You don't know me and you're most likely wondering why you are getting this e-mail?
He continues to tell me my computer was hacked using that password, he downloaded my contacts, recorded me watching porn and now threatens me to send that video to all my contacts. Of course unless I send him bitcoins for about $1000 to 1EiJMyvw2NP6T6vyWQ81HgUfBUVT1mqZkM
I got multiple of these emails in my spam folder since December. The password comes most likely from the Heroes of Newerth leak back in 2014!
It's obviously a scam no one should respond to, but I'm sure there is a large enough number of people that get intimidated enough and are actually buying and sending bitcoins. This is a real threat these collections create. To be honest I feel uneasy about this email though I'm 100% sure this password is not used for anything important since about two years ago. I can't imagine how someone with a current password and no security/compsci knowledge at all would feel.
I unfortunately deleted all but the last of this emails, so I wonder if he reuses the same bitcoin address and it can be easily blacklisted by authorities. If he is smart he generates a different address for every single email.
I've received the same emails, for livejournal accounts. They seem to reuse bitcoin addresses. Bitcoin blockchain explorers show that the addresses are recently created, and that people have sent them money.
At a coffee shop on the campus of my nearby university there's a bitcoin machine with a piece of paper above it outlining bitcoin scams. Coinbase really should follow suit with the standard "The IRS, FBI, Jesus will never ask you to send them bitcoin..."
My local grocery store has a sign above the gift cards reminding people that government entities and utility companies will never ask for payment in gift cards. If they can manage a warning, I would hope Bitcoin sites could have a disclaimer somewhere...
I had exactly that email. I can't remember where the password was from, but it seems to be in old format that I used to use maybe 10 years back, if not more.
Just watched this episode. I didn't take that "revelation" at the end to mean he actually did that. Saw it as just the final "lulz" move in the trolling.
As an embellishment by the trolls, it would probably move any authority figures from a position of "let's figure out who got this dumb kid mixed up in these terrible things" to stony indifference and something closer to "serves him right." It also alienates him from his family so he has nobody in his corner any more.
Consider your own reaction as a viewer. Think about the other person who was involved in the last task of the episode. Did you feel any sympathy for him?
Email a million addresses and you'll wind up hitting a few who've been browsing child porn, or something they'd find highly embarrassing if their parents/spouse/SO found out.
As with other scams that can be initiated at scale, you don't need a 50% conversion rate. 0.01% probably suits just fine.
A conversion rate of 0.01% on 700 million addresses and a ~$1000 demand makes you 70million dollar. That's a lot of money for just sending 700 million emails.
I think among younger people watching porn is a given. It's ubiquitous, especially as production of pornographic media has exploded in the last decade. People post their nude selfies online for fun and seem to be fine. I've seen people I know post their photos on their personal Instagrams. At some point there must be diminishing returns for would-be blackmailers.
Right!? If some random unknown contact sends me a salacious video of one of my actual contacts, my one and only question is to the unknown contact asking why they're sending this to me.
There is a pretty cool keepass plugin [1] that generates randomly generated readable passwords based on a dictionary with definitions of nouns, verbs and adjectives and multiple patterns to create short sentences.
Even if the dictionary and patterns are known by an attacker, this still has very good entropy on ~16 characters long sentences. For usernames you can easily just go down to the minimum (around 6-10).
I find this superior to random values in a lot of places as it's easily readable and it's also easily typeable, when copy-paste doesn't work.
If you're using a password manager to randomly generate long, secure passwords, the email address shouldn't matter much. The only potential issue would be social engineering to gain access to the account, but seeing how most people use the same email everywhere, I would think you'd have to a potential target for that to be of concern.
I don't disagree with providing unique emails to various services, I just don't think that _randomstring_@your-domain.com is better than myspace@your-domain.com than. I actually think it's worse, since it's more difficult to identify when an email is coming from the wrong place. If I get an email to myspace@domain.com and it's not from MySpace, I know right away. That's not as immediately obvious if I get an email to a random string.
But how will I guess my email when I do want to reconnect with my account? I see why obfuscation (well, anything to avoid predictability, up to that random hex) is advisable, but the convenience trade-off is real.
> If you do that out of memory, you are most likely re-using passwords.
How does that follow? It still adds value to use aliases that identify the site where they're used, because then you don't need to do a hashtable lookup to see where your mail is coming from.
Re-using passwords with a unique login would indeed be stupid because it would not only be weak against attackers but also have terrible ergonomics: it's usually much easier to regain access after forgetting the password than to regain access after forgetting the login. Source: I often forget both of them.
What I and many others do is reuse not a password, but reuse a password formula (in my case with slight but easily memorable variations depending on importance, or if forced by stupid password rules). If you saw a dozen of my email/password combinations in the clear you would be able to reverse engineer the rules and then guess combinations for arbitrary sites almost as good as me. It's a calculated risk, just like trusting a password manager is a calculated risk. Right now I consider password managers the better trade-off, but still only slightly better, by a margin small enough to make it not worthwhile to invest in a habit change. If the "formula" I happen to use was just a little harder to reverse engineer than it sadly is I would consider it strictly safer than password managers.
I tried it on MySpace and it didn't work. Nor could I figure out what did work or what my account even is/was. I suspect MySpace has removed inactive users, though, possibly due to issues like this.
I've had the same one to nexus@ mydomain which I suspect I used when I was doing phone dev on a forum or manufacturers website. I'd love to know which site it was that leaked.
The best defense, just in case one of these cases turns out to be legit, is to send a video of myself watching porn to all my contacts preemptively. Take out their leverage, you know?
Personal anecdote; having your most embarrassing moments broadcast widely is good at filtering out all but your real friends. You might even find out some folks are way more understanding than you ever expected.
This reminds me of the time I experimented with screen recording for self-analysis and productivity. It sometimes captured things I didn't want on video, but I forgot to turn off the recorder while I was deleting the footage. So I ended up with footage of me trying to cover up embarrassing footage.
This was a requirement in a Speech course I took during community college. Each of my speeches was recorded while I gave it to the class. After each one, I had to watch the recording and write a short paper that analyzed the physical presentation that I gave including my ticks/mannerisms/etc.
> It's obviously a scam no one should respond to, but I'm sure there is a large enough number of people that get intimidated enough and are actually buying and sending bitcoins
I've had 3 web clients contact me that received these. One called the local police, and an IT guy, two bought new computers, and one I never hard back from.
Oh. Been getting these for a while. So those are actual passwords I used. I was wondering how stupid the whole thing was telling people some random string is their old password.
All the ones I've had so far have been sent to throwaway addresses with the password "monkey", so I instantly know the info comes from site I don't care about, that I probably haven't used for years.
I've been receiving similar emails for a long time (probably more than a year) with my old Linkedin account password that was part of the 2012 breach. I don't even have a LinkedIn account anymore and I know that I haven't used the password anywhere else since it was randomly generated for that website by my password manager.
So I can confirm that scammers seem to leverage password dumps that way. It's quite clever I suppose, if I used the same password everywhere (as many people seem to do) I'd definitely be worried.
Another data point: I get those to an email that was exclusively used on one insecure message board, but not only with the actual password that I had been using there, but also with a number of comically mangled variations thereof, and with some completely unrelated passwords (not mine). Apparently the data has been compiled from many different sources that went through various stages of bitrot from changing hands repeatedly, possibly with deliberate cutting to inflate numbers.
(oh, and also myspace, some identities are just meant to be stolen I guess...)
I've gotten, and still get, these kinds of emails daily for months. Sometimes in groups of 3. The bitcoin address is not the same as the one you linked.
I think it's interesting that they're trying to get non-technical people who would fall for this kind of thing to buy bitcoins and then send them. Like the number of people who would believe this, have a thousand dollars on hand, and be able to buy and send bitcoins is probably tiny.
> Some players in the booming underworld employ graphic artists, call centers and technical support to streamline payment and data recovery, according to security firms that advise businesses on hacking threats.
I just got one with nearly the same wording. "I am aware [old password] is your passphrases. Lets get directly to point..." sent from 202.140.33.240 using the spoofed email address oo@r.com.
The bitcoin address is different: 1ELzee2T9Wd5YPTYhWbWD3xK7xB5tJ94J4
I’ve checked into some of these wallets and some of the early ones (I started receiving these several months ago) had $10k-$16k worth in deposits. And then some have none.
I received 6 of these emails from October through December. They're all similar, but contain slightly different subject and body text. They refer to the same password I haven't used in a decade, although at that time I used it on a number of services, so I'm unsure of the source.
They all talk about having access to my computer, a recording of me watching porn, and threaten to send it to my contacts unless I send 700-850 USD to a Bitcoin address. The payment amounts and Bitcoin address is different in each of the emails.
> If he is smart he generates a different address for every single email.
1) I don't think it's one person, I've received multiple of these with different wording. At the least I think there are a bunch of copycats out there.
2) I received an initial batch of six to a few different mail addresses, and across about six different emails there was one bitcoin address used in four of them. I took a look on blockchain.info and a couple of payments of about the asked amount had gone through it in the previous few days.
What bugs me is that this is actual, criminal extortion on a large scale. Where are law enforcement?
They don't reuse wallets that I've ever seen, and I've been getting spates of these off and on for a few years now, since TVTropes (what? I had some time on my hands!) got owned.
Interestingly, the dollar amount of the attempted extortion has gone up more or less monotonically throughout; the first ones I got were looking for something like $200.
I had exactly the same. I ignored them, then, more interestingly, they started coming with the first character of the password missing, like a kind of digital entropy. Reminds me of the fantastic Alvin Lucier audio piece "I Am Sitting In A Room": https://en.wikipedia.org/wiki/I_Am_Sitting_in_a_Room
I got a dozen of these mails all from different addresses, each with a different wallet address. I checked each wallet and no transactions were made to those either, so it doesn't seem so fruitful.
Interestingly, I also did play heroes of newerth so I guess that you're right on that notion.
Another fun fact, each time my password was mentioned, it was missing the first letter.
>Another fun fact, each time my password was mentioned, it was missing the first letter.
I get an old password in these kinds of emails that has been stripped of case, the capitalization I used is not what what I received. Still, the first was was attention grabbing, even if I've long moved on from that password to a password manager with a randomly generated password for each site.
I have received a few of these as well (all displaying the same password). Because I use a unique, random password for every site, it was just a matter of finding it my password manager. In my case, it was an old one from a forum breech several years ago (not in any way related to porn).
It's clear that someone has made a business model out of this, and it doesn't matter what the password is actually from. For people that don't use unique passwords, they can't say if there is anything behind the threat.
Remember to always use unique passwords for every site!
This is a new variant of the porn-blackmail scam, I've been receiving similar E-mails since 2017 after the Bitcoin fever. I guess the scammers have gotten their inspiration from watching Black Mirror since then.
Yeah, I started getting those a few weeks back as well. The password is my old intranet password from my elementary school, funnily enough. I sent their admin an email about it, but I've heard nothing back so w/ev.
I've received around a dozen of these, all with different bitcoin addresses. All of them came from a Linkedin breach a few years ago. (I know that because I use different email addresses and passwords on every site, and these all came to my Linkedin-associated address and claimed to have stolen my [unused for years] Linkedin password.)
I can't remember if it was haveibeenpwned.com or some other site, but I seem to recall once a few years ago checking my email on a site which also showed you the first two characters of the password which had been compromised. Maybe it has since been discontinued because of security concerns, but I found it really useful at the time because it let me know that the leaked password was an old one that I hadn't used in years.
I know best practice is to immediately change your password regardless, but with the increasing frequency of these kinds of breaches and the reuse and recombination of old lists, how long will it be before emails from leak notification sites like haveibeenpwned start becoming so frequent that people start ignoring them? I am already more guilty of that than I'd like to admit, even though I should know better.
I know there are various places you can check a given password against known leak lists, but it makes me really uncomfortable typing my password into anyplace which is not a password manager or the site it's used for - enough that I want to change it afterwards anyway.
I already hear the arguments that none of this matters if you follow best practices, which are not wrong, but I've always gone with the option which is as secure as possible without being overly burdensome, and I'm sure I'm not the only one.
I was so sure it was haveibeenpwned.com that showed the password as well, but alas they do not, at least not for the last two years.
The way I use to recognize which service has been compromised is using unique email addresses. Most providers let you do either a catchall address, or xyz+alias@provider.com, meaning you should have a user+hn@domain.com for your Hacker News user account. Makes both knowing which services has been hacked easy, but also who sells your contact information to spammers easy! :)
haveibeenpwned has an api to check your password against their known list that only requires to send the first 5 characters of the sha-1 hash: https://api.pwnedpasswords.com/range/5407a.
That interactive javascript checker on their site also uses that API, so in theory HIBP doesn't get sent a copy of your password.
A couple of weeks ago I spun up a little clone with slightly-simpler javascript, just in case HIBP starts serving malicious javascript: https://safepasswordchecker.hashbase.io/
Feel free to download the site and javascript for a static copy. Or reuse or modify and reshare as you like, as long as you're not malicious.
Edit: This site was made with Beaker Browser (https://beakerbrowser.com), which is rad, and you should check it out. Feel free to download / fork this site.
You CAN check breached passwords here: https://haveibeenpwned.com/Passwords, if it's a common password it doesn't mean that it's necessarily your account that's been compromised.
After the Ashley Madison hack, haveibeenpwned still had not instituted blinding so you could check, for example, if your co-workers or boss has an account there, assuming they were follish enough to use their widely-known personal or employer email addresses (the latter being shockingly common for lifer-types st big companies like HP and Cisco).
One of my co-workers ended up getting revealed this way to his then-wife; it wasn’t really a happy marriage up to that point but that was the last straw.
Haveibeenpwned has since gated access to the reports which is good....
I was terrified of my old email being compromised because somebody tried logging into it from Windows (I don't use Windows) and because I had an identity theft scare a month back. What I'm doing going forward is having a personal email acct I don't give out (with 2FA thru U2F), and creating burner GMail accounts that forward emails to that email using POP3. I'm already pwned because I use my personal email for a lot of things, but I like to think it keeps my attack surface minimal.
Adding a bit of security on the identification side (usernames/emails) isn't completely useless, but the focus should be on securing authentication. I.e. never use a password twice and add 2FA to everything even vaguely important to you.
With password managers that's also way easier than managing a lot of email accounts.
I use Bitwarden, password autogen, and 2FA to manage those too, though I'm not fully migrated over yet (still have a lot of weak duplicate passwords). My problem is the older services I have to use that don't support 2FA.
In all honesty, it's probably not worth worrying about. The implementation of 2FA you're referring to here is just adding a 2nd secret, with a small twist of having time component.
There are very few scenarios where your (high entropy) password would be compromised in a way that wouldn't also lead to the discovery of at least 1 functional 2FA code.
1) Website is breached. If they can get the account password hashes, chances are they're going to get the TOTP seeds as well.
2) You're phished. Your attacker passes through your credentials (scraping the password along the way), and they get a functional session token. With most services, you can turn off 2FA just by reconfirming the account password.
3) Your password manager is breached. 'nuff said.
The push behind 2FA isn't so much because high entropy passwords are vulnerable (except in a phishing context, but there TOTP is equally vulnerable) -- the momentum behind 2FA is because we can't convince people to stop using '123456' as a password.
I’ve been robbed six times, including once where one third of my money disappeared. I agree with you that security is only as strong as its weakest link. I just take emotional comfort in doing everything I can to make myself more prickly and less vulnerable.
Yeah I knew this when I got the haveibeenpwned email about it. Just brushed it off with a "oh, that password is making the rounds again." The password in question was compromised something like 5+ years ago.
Having a 20 character password in a vault and 2FA is a great piece of mind now. I don't even have to bother looking into it.
I think they are also trying to use the same credentials to log in to accounts. I got an email from Epic Game saying there are too many failed login attempts, so it was suspended. Ironically, I don't even remember having one. So I logged into the account and made sure there none of the information on there were personal.
Did you click on the link in the email to log in? That's another one to be aware of, fake clone websites linked to fake emails purporting to be from the company.
Always go directly to the site using your bookmarks or typing it in, or at least remember to check the url before you click it.
Actually, they only offered a link for enabling 2FA, And yea, I typed the website in. I have a fake name on the account, and I don't have any payment info on there since I'm not playing any of their games. Now I really have to just think of a constant false name when registering accounts.
Yeah, somebody signed into my Netflix account that I reactivated after years and years of inactivity. It was the only site that was using a really old password that's in this breach.
I believe their upcoming HW will have support for NFC, but at this time iOS will not support NFC as MFA, though of course YK would love Apple to support them.
Correction: Looks like YK is saying iOS does support YK as MFA via NFC[1]
If anyone had a chance of getting Apple to approve NFC for MFA, it’s Yunikey. But I wouldn’t hold my breathe just yet and would plan on the lightening one.
Note that you will want to own at least two and enroll both of them to properly lock down a service so that it doesn't need some plan B. The reason is that obviously if it's locked down to a single U2F Security Key and that key breaks or is lost you're screwed.
Google's programme aimed at high risk people (e.g. journalists covering government corruption) specifically aims to leave you in a position where so long as you have control over the physical devices your secrets are safe, and if the devices are destroyed then your account is irrevocably lost and too bad. Doing that with just one key is asking for trouble.
If you're just dipping your toe in the water, buying one key and having your plan B be a bunch of one time codes written in the back of a diary in your locked desk drawer makes sense, and if you're mostly just interested in the cool technology and not worried about security then going to a Key with Google Authenticator as plan B is fine too.
But if you want this to solve all your problems as advertised, buy two keys.
Thanks that’s good advice. Is the idea your token is synced across both devices? Or you have two separate tokens that allow you to authenticate? I’ve only set up a mobile based authenticator per account before...
Ordinary Security Keys can't be synchronised so to as to be interchangeable. A good U2F/ WebAuthn implementation lets you enroll several of them and use any each time you sign in. So yeah, separate tokens, any of them works.
It's pretty different from authenticator apps, it can be much more convenient (no trying to quickly type in six digit numbers) but it's kinda expensive for now.
Ordinary Security Keys only know how to do exactly one thing, prove that they're still the same Security Key that they were the last time. They can't even prove which one they are in particular (most can prove which model they are, because a bank or something might be like "Ooh, we like this technology but we insist you use Bank of America brand Keys..." but they don't even know like a "serial number" or anything). This is deliberate - it allows the strongest possible privacy guarantees while still delivering a useful security function. The Firefox implementation lets you pick "No" when sites ask which model it is - I always do, none of their bloody business, it's a Security Key, eat it.
When you "enroll" a Key the site gets back a "cookie" (not an HTTP cookie) that is only useful to identify that site to that Security Key; a Elliptic Curve public key; and a signature proving the Key knows the corresponding private key and was enrolling with this specific web site. The site puts those somewhere (presumably a database table) ready to use them when you log in subsequently.
When you need to log in, the site gets its list of all the keys you've enrolled and says "OK, here are the cookies for some keys you enrolled, prove you still have one". If you have one of these keys it can find its cookie among the set, and it knows the private key that goes with that cookie, so it can sign a new message saying "Hi, this is still me, signing in to $domain right $now" and the site verifies that with the public key.
In principle the Security Key could be keeping a big database of every site it has enrolled with and the cookies used versus private keys. In practice what it does is make a random new private key each time it enrolls, encrypt the private key and put the result in the cookie. Only it knows how to decrypt the cookie, so there's no danger from this approach.
Thanks, I'm going to buy more than one for backup and use the multi-key approach. Appreciate the long explanation. I've been meaning to set this up for years.
This should be standard practice taught to kids in school! Especially considering their whole life is digital now.
I saw that Linux's full disk encryption supports Yubikey as well as Gnome login screens which is neat.
Fwiw I just received some solo keys after backing their kickstarter. Unfortunately the firmware doesn't yet support key storage, but it should be comming. I think it looks like an interesting alternative to nitrokey in the open source space. They have usba and usbc variants, and are working on nfc ("solo tap") variant:
This has been the event that has finally convinced my wife to use a password manager. I'm torn between bitwarden and 1Password though. Anyone care to weigh in on the options? My biggest concern with BitWarden is the lack of automated testing
edit - just fyi, Bitwarden responded on github last month with a plan to add some testing, and I think some of their code does use automated testing. They have issues on GitHub tracking it :)
Bitwarden is nice from a user perspective. I'm a former 1password user and switched because I felt that things in the 1password world moved slowly, even though it costs more than Bitwarden. Bitwarden being open source and audited also helps a lot for trusting it, even if it isn't perfect.
1password has a rock solid UX that looks pretty. Bitwarden is more practical imo. I prefer the latter these days. Guessing the 1password iOS app is probably better than what Bitwarden offers, but I don't know, because I use an Android phone, and I prefer Bitwarden on Android.
I use bitwarden personally and I like it a lot. I was using Dashlane previously and the ubuntu UX was awful (strictly browser extension, missing features, etc).
I'm only nervous about Bitwarden because of the lack of automated testing. Apparently at least one closed-source one apparently does not test either, possibly <edit: my memory is too fuzzy to name anything> but please don't quote me on that since my memory is fuzzy.
See my note above about Bitwarden adding tests though
I've used KeePass and one issue I do take with it is the UX. Bitwarden and 1password feel like cohesive apps and have good integration with many platforms. For KeePass I felt uneasy about some of the ports of it. There's a lot of good ones on desktop, less so on mobile.
Syncing is also a thing I prefer 1password and Bitwarden for. They both have cloud syncing by default. Some won't want that but I definitely do.
I used to recommend LastPass but I had to stop recommending it based on their responses to issues including security issues. You can see some instances on the Mozilla bug tracker. It also has had a bad track record with security issues. There was an RCE on the browser extensions in 2017.
Naive soul here, but is it really wise to type live passwords into someone's site that ostensibly is looking for matches with its existing database? That seems awfully trusting.
The reasoning given is: if you're aware it's a bad idea, great! Don't do it. If you don't yet know it's a bad idea, and do it, you'll see how many places it has already been leaked, and hopefully start using different passwords, and a password manager ...
It trains average/non-IT people to enter their password on websites to “check”. If scammers start setting up mock websites that ask you to enter your password to see if your account was hacked, people will fall for it because they have been trained by white-hats that this is an acceptable practice.
Re-released as a scare tactic to get people to buy 1password? (I hate to sound cynical, because really it's a great way to get people to look into password managers if it was a marketing scheme)
176 comments
[ 4.4 ms ] story [ 125 ms ] threadPosteo.de recycles deleted email addresses/aliases in three months. Fastmail is also similar and recycles them within three months or so. Same goes for Mailbox.org. All these paid services are pathetic in this regard.
Runbox.com (which I don’t use) is the only paid email service that clearly states that it never ever recycles email addresses, just like Gmail and Yahoo Mail don’t do either.
I’d like to know about privacy focused paid email services that have a clear policy of not recycling addresses.
Of course, as a reminder: This means you have to keep your custom domain, or else someone can register it after it expires and make any emails they want on it. But if you have a domain personal to you that you've used as part of your email address, you should probably keep it forever anyways.
Turns out it wasn't the email I used on Myspace.
Also, is Myspace back? Somehow my profile and pictures are on there again, but I thought they removed personal profiles years ago?
I'm abundantly positive there's still a lot of perfectly valid login credentials in there, but the trick is finding them without also triggering rate limiting detection now.
My point is that the market value has been lost because there actually is some churn in passwords and accounts. If 99% of the credentials in this hack still worked, it would not be getting sold at this price at all; it would be selling something worth tens or hundreds of thousands, if not millions to the right buyer, for You Pay Only $44.99. Not gonna happen. It can't be worth all that much to most buyers if that's all they're selling it for.
Or it's just so widespread that it's worthless, although I'd suggest in that case that we'd have heard about it earlier. Have I Been Pwned actually has some hookups in that world.
They should call it "Amazon Subprime".
I'm not familiar with Windows; is there anything in the screenshot to suggest its torbrowser or anything like that?
Presumably the miscreant's ISP and e.g. the Russian government can guess real easy whom generated that screenshot...?
Of course what they'd do with that info is anyone's guess. It could well not be an offence to sell collections of passwords, if in deed its even an offence to hack those passwords in the first place.
I don't think it's from the seller - looks like it was taken by the author of this article.
[0] https://krebsonsecurity.com/wp-content/uploads/2019/01/sanix...
I see the mega.nz handle "Louren KINGUR" with avatar, and the same person's Google account avatar with no username. I did an image search on this latter one and came up empty handed, but maybe someone with more finesse could find him this way.
I think it is a reasonable position not to pay for these files, if the money is just going to encourage the creation of more of them.
> I am well aware [old password I think I swapped out everywhere, but definitely in all important places, when I started to use random keepass pws two years ago] is your pass words. Lets get straight to the point. None has compensated me to check about you. You don't know me and you're most likely wondering why you are getting this e-mail?
He continues to tell me my computer was hacked using that password, he downloaded my contacts, recorded me watching porn and now threatens me to send that video to all my contacts. Of course unless I send him bitcoins for about $1000 to 1EiJMyvw2NP6T6vyWQ81HgUfBUVT1mqZkM
I got multiple of these emails in my spam folder since December. The password comes most likely from the Heroes of Newerth leak back in 2014!
It's obviously a scam no one should respond to, but I'm sure there is a large enough number of people that get intimidated enough and are actually buying and sending bitcoins. This is a real threat these collections create. To be honest I feel uneasy about this email though I'm 100% sure this password is not used for anything important since about two years ago. I can't imagine how someone with a current password and no security/compsci knowledge at all would feel.
I unfortunately deleted all but the last of this emails, so I wonder if he reuses the same bitcoin address and it can be easily blacklisted by authorities. If he is smart he generates a different address for every single email.
I find it difficult to reconcile someone tech savey enough to use bitcoin falling for a scam of this nature.
On the otherhand, it might explain a lot about the crypto space!
> You will make the payment by Bitcoin (if you do not know this, search 'how to buy bitcoin' in Google).
The top result is from coinbase [1]. I would say everyone capable of online banking is capable of following these steps.
[1] https://www.coinbase.com/buy-bitcoin
It’s as easy to assume that a world in which crypto is a trusted, common method of value transfer benefits them if they’re a leader in that space.
What a damning position to be in, in 2019.
As an embellishment by the trolls, it would probably move any authority figures from a position of "let's figure out who got this dumb kid mixed up in these terrible things" to stony indifference and something closer to "serves him right." It also alienates him from his family so he has nobody in his corner any more.
Consider your own reaction as a viewer. Think about the other person who was involved in the last task of the episode. Did you feel any sympathy for him?
I remember specifically thinking "well, embarrassing sure, but everybody does it, oh well"
Why rob a bank just for some embarrassment?
As with other scams that can be initiated at scale, you don't need a 50% conversion rate. 0.01% probably suits just fine.
Makes me think I need a better strategy on the username side to not leak that info.
Even if the dictionary and patterns are known by an attacker, this still has very good entropy on ~16 characters long sentences. For usernames you can easily just go down to the minimum (around 6-10).
I find this superior to random values in a lot of places as it's easily readable and it's also easily typeable, when copy-paste doesn't work.
[1] https://bitbucket.org/ligos/readablepassphrasegenerator/wiki...
http://github.com/evidlo/passhole
- if they start sending you spam you can severe their capacity to contact you by deleting the alias
- if they give your contact to a third party, you know from the alias who leaked your email address
- if you see an email on a data breach like this one, you know immediately which website got hacked
- it makes it really hard to correlate your identity across two websites
How does that follow? It still adds value to use aliases that identify the site where they're used, because then you don't need to do a hashtable lookup to see where your mail is coming from.
What I and many others do is reuse not a password, but reuse a password formula (in my case with slight but easily memorable variations depending on importance, or if forced by stupid password rules). If you saw a dozen of my email/password combinations in the clear you would be able to reverse engineer the rules and then guess combinations for arbitrary sites almost as good as me. It's a calculated risk, just like trusting a password manager is a calculated risk. Right now I consider password managers the better trade-off, but still only slightly better, by a margin small enough to make it not worthwhile to invest in a habit change. If the "formula" I happen to use was just a little harder to reverse engineer than it sadly is I would consider it strictly safer than password managers.
This would be a nightmare for basically anyone.
Boy do those nervous ticks appear obvious at 2x. By the end you just want to scream out to yourself “stop touching your ear!”.
Edit: We each brought in our own VHS tape (this was 2010-2011) on presentation day and https://www.svcc.edu/employees/directory/pa-fulfs/index.html would swap them in/out for each speech. Good memories... :)
I've had 3 web clients contact me that received these. One called the local police, and an IT guy, two bought new computers, and one I never hard back from.
So I can confirm that scammers seem to leverage password dumps that way. It's quite clever I suppose, if I used the same password everywhere (as many people seem to do) I'd definitely be worried.
(oh, and also myspace, some identities are just meant to be stolen I guess...)
https://imgur.com/a/kMylZ64
Buying bitcoin is actually pretty easy and they help you figure it out in the email as I already commented here https://news.ycombinator.com/item?id=18939713
> Some players in the booming underworld employ graphic artists, call centers and technical support to streamline payment and data recovery, according to security firms that advise businesses on hacking threats.
The subject of the email was a previous password I've used and they sent it "from my domain" (not really my domain, you know how it is).
The bitcoin address is different: 1ELzee2T9Wd5YPTYhWbWD3xK7xB5tJ94J4
Looks like the scam worked a couple times so far: https://www.blockchain.com/btc/address/1ELzee2T9Wd5YPTYhWbWD...
They all talk about having access to my computer, a recording of me watching porn, and threaten to send it to my contacts unless I send 700-850 USD to a Bitcoin address. The payment amounts and Bitcoin address is different in each of the emails.
1) I don't think it's one person, I've received multiple of these with different wording. At the least I think there are a bunch of copycats out there.
2) I received an initial batch of six to a few different mail addresses, and across about six different emails there was one bitcoin address used in four of them. I took a look on blockchain.info and a couple of payments of about the asked amount had gone through it in the previous few days.
What bugs me is that this is actual, criminal extortion on a large scale. Where are law enforcement?
Interestingly, the dollar amount of the attempted extortion has gone up more or less monotonically throughout; the first ones I got were looking for something like $200.
Interestingly, I also did play heroes of newerth so I guess that you're right on that notion.
Another fun fact, each time my password was mentioned, it was missing the first letter.
I get an old password in these kinds of emails that has been stripped of case, the capitalization I used is not what what I received. Still, the first was was attention grabbing, even if I've long moved on from that password to a password manager with a randomly generated password for each site.
It's clear that someone has made a business model out of this, and it doesn't matter what the password is actually from. For people that don't use unique passwords, they can't say if there is anything behind the threat.
Remember to always use unique passwords for every site!
I know best practice is to immediately change your password regardless, but with the increasing frequency of these kinds of breaches and the reuse and recombination of old lists, how long will it be before emails from leak notification sites like haveibeenpwned start becoming so frequent that people start ignoring them? I am already more guilty of that than I'd like to admit, even though I should know better.
I know there are various places you can check a given password against known leak lists, but it makes me really uncomfortable typing my password into anyplace which is not a password manager or the site it's used for - enough that I want to change it afterwards anyway.
I already hear the arguments that none of this matters if you follow best practices, which are not wrong, but I've always gone with the option which is as secure as possible without being overly burdensome, and I'm sure I'm not the only one.
The way I use to recognize which service has been compromised is using unique email addresses. Most providers let you do either a catchall address, or xyz+alias@provider.com, meaning you should have a user+hn@domain.com for your Hacker News user account. Makes both knowing which services has been hacked easy, but also who sells your contact information to spammers easy! :)
Edit: actually, using random passwords from a manager, you should be able to identify it through https://haveibeenpwned.com/Passwords
You get a list of corresponding hash suffixes and check if yours is there. https://haveibeenpwned.com/api/v2/#SearchingPwnedPasswordsBy...
A couple of weeks ago I spun up a little clone with slightly-simpler javascript, just in case HIBP starts serving malicious javascript: https://safepasswordchecker.hashbase.io/
Feel free to download the site and javascript for a static copy. Or reuse or modify and reshare as you like, as long as you're not malicious.
Edit: This site was made with Beaker Browser (https://beakerbrowser.com), which is rad, and you should check it out. Feel free to download / fork this site.
One of my co-workers ended up getting revealed this way to his then-wife; it wasn’t really a happy marriage up to that point but that was the last straw.
Haveibeenpwned has since gated access to the reports which is good....
With password managers that's also way easier than managing a lot of email accounts.
There are very few scenarios where your (high entropy) password would be compromised in a way that wouldn't also lead to the discovery of at least 1 functional 2FA code.
1) Website is breached. If they can get the account password hashes, chances are they're going to get the TOTP seeds as well.
2) You're phished. Your attacker passes through your credentials (scraping the password along the way), and they get a functional session token. With most services, you can turn off 2FA just by reconfirming the account password.
3) Your password manager is breached. 'nuff said.
The push behind 2FA isn't so much because high entropy passwords are vulnerable (except in a phishing context, but there TOTP is equally vulnerable) -- the momentum behind 2FA is because we can't convince people to stop using '123456' as a password.
Would be curious to learn more about how it happened, to see if there are any learnings for myself to improve operational security.
Having a 20 character password in a vault and 2FA is a great piece of mind now. I don't even have to bother looking into it.
Always go directly to the site using your bookmarks or typing it in, or at least remember to check the url before you click it.
Along with the traditional diet and exercise spiel that lasts a month, only 12 days left on most of my new years resolutions!
I noticed that they don't have any usb-c + NFC options.
Correction: Looks like YK is saying iOS does support YK as MFA via NFC[1]
[1]https://www.yubico.com/2018/05/yubikey-comes-to-iphone-with-...
https://www.yubico.com/2019/01/yubico-launches-the-security-...
Google's programme aimed at high risk people (e.g. journalists covering government corruption) specifically aims to leave you in a position where so long as you have control over the physical devices your secrets are safe, and if the devices are destroyed then your account is irrevocably lost and too bad. Doing that with just one key is asking for trouble.
If you're just dipping your toe in the water, buying one key and having your plan B be a bunch of one time codes written in the back of a diary in your locked desk drawer makes sense, and if you're mostly just interested in the cool technology and not worried about security then going to a Key with Google Authenticator as plan B is fine too.
But if you want this to solve all your problems as advertised, buy two keys.
It's pretty different from authenticator apps, it can be much more convenient (no trying to quickly type in six digit numbers) but it's kinda expensive for now.
Ordinary Security Keys only know how to do exactly one thing, prove that they're still the same Security Key that they were the last time. They can't even prove which one they are in particular (most can prove which model they are, because a bank or something might be like "Ooh, we like this technology but we insist you use Bank of America brand Keys..." but they don't even know like a "serial number" or anything). This is deliberate - it allows the strongest possible privacy guarantees while still delivering a useful security function. The Firefox implementation lets you pick "No" when sites ask which model it is - I always do, none of their bloody business, it's a Security Key, eat it.
When you "enroll" a Key the site gets back a "cookie" (not an HTTP cookie) that is only useful to identify that site to that Security Key; a Elliptic Curve public key; and a signature proving the Key knows the corresponding private key and was enrolling with this specific web site. The site puts those somewhere (presumably a database table) ready to use them when you log in subsequently.
When you need to log in, the site gets its list of all the keys you've enrolled and says "OK, here are the cookies for some keys you enrolled, prove you still have one". If you have one of these keys it can find its cookie among the set, and it knows the private key that goes with that cookie, so it can sign a new message saying "Hi, this is still me, signing in to $domain right $now" and the site verifies that with the public key.
In principle the Security Key could be keeping a big database of every site it has enrolled with and the cookies used versus private keys. In practice what it does is make a random new private key each time it enrolls, encrypt the private key and put the result in the cookie. Only it knows how to decrypt the cookie, so there's no danger from this approach.
This should be standard practice taught to kids in school! Especially considering their whole life is digital now.
I saw that Linux's full disk encryption supports Yubikey as well as Gnome login screens which is neat.
https://solokeys.com/
https://github.com/solokeys/solo
https://www.amazon.com/Solo-Two-Factor-Authentication-USB-Tr...
https://solokeys.com/en/start/faq/
"Can I use Solo for OpenGPG or Ssh? Not yet
Can I use Solo to store passwords? Not yet."
edit - just fyi, Bitwarden responded on github last month with a plan to add some testing, and I think some of their code does use automated testing. They have issues on GitHub tracking it :)
1password has a rock solid UX that looks pretty. Bitwarden is more practical imo. I prefer the latter these days. Guessing the 1password iOS app is probably better than what Bitwarden offers, but I don't know, because I use an Android phone, and I prefer Bitwarden on Android.
I'm only nervous about Bitwarden because of the lack of automated testing. Apparently at least one closed-source one apparently does not test either, possibly <edit: my memory is too fuzzy to name anything> but please don't quote me on that since my memory is fuzzy.
See my note above about Bitwarden adding tests though
Syncing is also a thing I prefer 1password and Bitwarden for. They both have cloud syncing by default. Some won't want that but I definitely do.
You CAN make mistakes with KeePass. You pretty much can’t make mistakes with a service.
I’ve set about 100 people up on LastPass including my mom. I recommend it as a very good thing normal people will actually use.
That's why I recommend LastPass.
The consumer facing feature is entering your email address.
He describes the security measures behind the process here:
https://www.troyhunt.com/ive-just-launched-pwned-passwords-v...
Of course, it all still boils down to how much you trust the guy, the approach, etc etc.